TEESimulator: Emulate Android TEE for Key Attestation

TEESimulator is an open‑source Android system module that emulates a hardware Trusted Execution Environment (TEE) to produce software-backed key attestation for rooted devices. It is actively maintained, GPL‑3.0 licensed, and intended for Android 10+ devices.

TEESimulator is a developer and researcher tool that creates virtual, stateful cryptographic keys so apps that check for hardware-backed attestation see valid responses even on modified or rooted devices. This post explains what TEESimulator does, why people use it, how to install it, and common troubleshooting tips.

What is TEESimulator?

TEESimulator is a full TEE emulation framework that intercepts keystore requests and either forges attestation certificates or generates fully software-based keys that behave like hardware keys. It aims to be more robust than simple certificate patching by maintaining consistent virtual keys and responses. 

Key features

  • Stateful emulation: virtual keys are managed consistently across requests. 
  • Binder IPC interception: hooks low‑level keystore calls to redirect requests. 
  • Per‑app configuration: target lists, multiple keybox files, and per‑package patch level overrides. 
  • Active development & releases: regular releases and hotfixes addressing stability and detection vectors. 

Requirements

  • Android 10 or newer
  • Rooted device with a module loader such as Magisk, KernelSU, or APatch
  • Optional: a hardware-backed keybox.xml to act as a root of trust for signing simulated attestations. 

Why use TEESimulator?

  • Testing and development: validate attestation flows without relying on specific hardware. 
  • Recovery for broken TEEs: helps devices with damaged hardware TEEs by providing software emulation. 
  • Research and debugging: study how apps verify device integrity and how attestation works. 

Download

  • Source and releases are on GitHub under JingMatrix/TEESimulator. Download the latest release artifact from the Releases page. 

Install

  1. Download the module release for your device from the GitHub Releases page. 
  2. Flash via Magisk / KernelSU / APatch and reboot.
  3. (Optional) Place /data/adb/tricky_store/keybox.xml to provide a root key. 
  4. Edit target.txt and security_patch.txt to control which apps are simulated and what patch levels are reported. 

How to use (basic)

  • Add package names to /data/adb/tricky_store/target.txt to target apps. Append a mode suffix to a package name to select the mode (! = force generation, ? = leaf hacking, no suffix = automatic).
  • Save config files – TEESimulator watches them and applies changes immediately. 

Credits

  • Author / maintainer: JingMatrix and contributors on GitHub. Project is GPL‑3.0 licensed. 

Troubleshooting & FAQs

  • App still detects device: check target list, ensure module loaded, and verify keybox.xml presence. 
  • Crashes or log spam: update to latest release; recent hotfixes addressed GMS log flooding and binder leaks. 
  • Is this legal? Use responsibly: bypassing attestation can violate app terms or local laws; use for testing and research only.

Ending

TEESimulator is a powerful, actively maintained tool for emulating Android TEEs on rooted devices. If you plan to use it, read the README and release notes on GitHub, follow safety and legal guidelines, and test carefully on non‑production devices. 
