diff --git a/apex/com.android.threadnetwork-file_contexts b/apex/com.android.threadnetwork-file_contexts
index 1aabee9bc..45d9bffa2 100644
--- a/apex/com.android.threadnetwork-file_contexts
+++ b/apex/com.android.threadnetwork-file_contexts
@@ -1,4 +1,3 @@
 (/.*)? u:object_r:system_file:s0
 /bin/otbr-agent u:object_r:ot_daemon_exec:s0
 /bin/ot-ctl u:object_r:ot_ctl_exec:s0
-/bin/ot-rcp u:object_r:ot_rcp_exec:s0
diff --git a/build/soong/service_fuzzer_bindings.go b/build/soong/service_fuzzer_bindings.go
index 4147bd14e..b73db7ecf 100644
--- a/build/soong/service_fuzzer_bindings.go
+++ b/build/soong/service_fuzzer_bindings.go
@@ -119,6 +119,7 @@ var (
 "android.hardware.soundtrigger3.ISoundTriggerHw/default": EXCEPTION_NO_FUZZER,
 "android.hardware.tetheroffload.IOffload/default": EXCEPTION_NO_FUZZER,
 "android.hardware.thermal.IThermal/default": EXCEPTION_NO_FUZZER,
+ "android.hardware.threadnetwork.IThreadChip/chip0": []string{"android.hardware.threadnetwork-service.fuzzer"},
 "android.hardware.tv.hdmi.cec.IHdmiCec/default": EXCEPTION_NO_FUZZER,
 "android.hardware.tv.hdmi.connection.IHdmiConnection/default": EXCEPTION_NO_FUZZER,
 "android.hardware.tv.hdmi.earc.IEArc/default": EXCEPTION_NO_FUZZER,
diff --git a/private/compat/34.0/34.0.ignore.cil b/private/compat/34.0/34.0.ignore.cil
index 0ea386303..aae1ac184 100644
--- a/private/compat/34.0/34.0.ignore.cil
+++ b/private/compat/34.0/34.0.ignore.cil
@@ -7,4 +7,5 @@
 ( new_objects
 ota_build_prop
 snapuserd_log_data_file
+ hal_threadnetwork_service
 ))
diff --git a/private/ot_daemon.te b/private/ot_daemon.te
index 98e1a0ad4..b22ff90fb 100644
--- a/private/ot_daemon.te
+++ b/private/ot_daemon.te
@@ -17,8 +17,4 @@ allow ot_daemon threadnetwork_data_file:dir rw_dir_perms;
 allow ot_daemon threadnetwork_data_file:file create_file_perms;
 allow ot_daemon threadnetwork_data_file:sock_file {create unlink};
 
-# used for simulation
-userdebug_or_eng(`
-create_pty(ot_daemon);
-domain_auto_trans(ot_daemon, ot_rcp_exec, ot_rcp);
-')
+hal_client_domain(ot_daemon, hal_threadnetwork)
diff --git a/private/ot_rcp.te b/private/ot_rcp.te
deleted file mode 100644
index 0f6f1d328..000000000
--- a/private/ot_rcp.te
+++ /dev/null
@@ -1,15 +0,0 @@
-#
-# ot_rcp is the simulated Thread Radio Coprocessor device which is used by ot_daemon.
-#
-
-type ot_rcp, domain, coredomain;
-type ot_rcp_exec, exec_type, file_type, system_file_type;
-
-userdebug_or_eng(`
-allow ot_rcp ot_daemon:fd use;
-allow ot_rcp ot_daemon:fifo_file rw_file_perms;
-allow ot_rcp ot_daemon_devpts:chr_file {read write};
-allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
-allow ot_rcp port:udp_socket name_bind;
-allow ot_rcp node:udp_socket node_bind;
-')
diff --git a/private/service_contexts b/private/service_contexts
index 6d48a7414..a731dfdaf 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -94,6 +94,7 @@ android.hardware.sensors.ISensors/default u:object_r:
 android.hardware.soundtrigger3.ISoundTriggerHw/default u:object_r:hal_audio_service:s0
 android.hardware.tetheroffload.IOffload/default u:object_r:hal_tetheroffload_service:s0
 android.hardware.thermal.IThermal/default u:object_r:hal_thermal_service:s0
+android.hardware.threadnetwork.IThreadChip/chip0 u:object_r:hal_threadnetwork_service:s0
 android.hardware.tv.hdmi.cec.IHdmiCec/default u:object_r:hal_tv_hdmi_cec_service:s0
 android.hardware.tv.hdmi.connection.IHdmiConnection/default u:object_r:hal_tv_hdmi_connection_service:s0
 android.hardware.tv.hdmi.earc.IEArc/default u:object_r:hal_tv_hdmi_earc_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index d30f657df..006caf737 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -333,6 +333,7 @@ hal_client_domain(system_server, hal_rebootescrow)
 hal_client_domain(system_server, hal_sensors)
 hal_client_domain(system_server, hal_tetheroffload)
 hal_client_domain(system_server, hal_thermal)
+hal_client_domain(system_server, hal_threadnetwork)
 hal_client_domain(system_server, hal_tv_cec)
 hal_client_domain(system_server, hal_tv_hdmi_cec)
 hal_client_domain(system_server, hal_tv_hdmi_connection)
diff --git a/public/attributes b/public/attributes
index 16a8e66af..cb46856f7 100644
--- a/public/attributes
+++ b/public/attributes
@@ -378,6 +378,7 @@ hal_attribute(sensors);
 hal_attribute(telephony);
 hal_attribute(tetheroffload);
 hal_attribute(thermal);
+hal_attribute(threadnetwork);
 hal_attribute(tv_cec);
 hal_attribute(tv_hdmi_cec);
 hal_attribute(tv_hdmi_connection);
diff --git a/public/hal_threadnetwork.te b/public/hal_threadnetwork.te
new file mode 100644
index 000000000..1f0745bc0
--- /dev/null
+++ b/public/hal_threadnetwork.te
@@ -0,0 +1,7 @@
+binder_call(hal_threadnetwork_client, hal_threadnetwork_server)
+binder_call(hal_threadnetwork_server, hal_threadnetwork_client)
+
+hal_attribute_service(hal_threadnetwork, hal_threadnetwork_service)
+
+binder_call(hal_threadnetwork_server, servicemanager)
+binder_call(hal_threadnetwork_client, servicemanager)
diff --git a/public/service.te b/public/service.te
index 27403ca2c..fc966b1c8 100644
--- a/public/service.te
+++ b/public/service.te
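Review bot: The added `hal_client_domain(system_server, hal_threadnetwork)` in private/system_server.te makes system_server a client of the Thread HAL, but the only consumer this commit shows is ot_daemon (private/ot_daemon.te gains the same macro). If system_server never binds IThreadChip itself, this grant is wider than needed and the line should be dropped. If it does, a one-line comment above the rule naming the system_server component that talks to the HAL would record why the access exists.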
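Review bot: The new public/hal_threadnetwork.te has no comments, so the reason for the server-to-client `binder_call` is left for the reader to guess. It looks like the reverse direction is for callbacks from the HAL to its client, which is worth confirming and stating. I would add `# Binder IPC from client to server, and callbacks from server to client` above the first pair and `# Allow the HAL service to be registered and looked up via servicemanager` above the last pair.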
@@ -320,6 +320,7 @@ type hal_tv_hdmi_cec_service, protected_service, hal_service_type, service_manag
 type hal_tv_hdmi_connection_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_hdmi_earc_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_input_service, protected_service, hal_service_type, service_manager_type;
+type hal_threadnetwork_service, protected_service, hal_service_type, service_manager_type;
 type hal_tv_tuner_service, protected_service, hal_service_type, service_manager_type;
 type hal_usb_service, protected_service, hal_service_type, service_manager_type;
 type hal_usb_gadget_service, protected_service, hal_service_type, service_manager_type;
diff --git a/vendor/file_contexts b/vendor/file_contexts
index a2e460d27..80dfbdc23 100644
--- a/vendor/file_contexts
+++ b/vendor/file_contexts
@@ -101,6 +101,7 @@
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tetheroffload-service\.example u:object_r:hal_tetheroffload_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service u:object_r:hal_thermal_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal-service\.example u:object_r:hal_thermal_default_exec:s0
+/(vendor|system/vendor)/bin/hw/android\.hardware\.threadnetwork-service(\.sim)? u:object_r:hal_threadnetwork_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service u:object_r:hal_tv_cec_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.cec-service u:object_r:hal_tv_hdmi_cec_default_exec:s0
 /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.hdmi.connection-service u:object_r:hal_tv_hdmi_connection_default_exec:s0
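Review bot: In public/service.te the new `type hal_threadnetwork_service` line sits between `hal_tv_input_service` and `hal_tv_tuner_service`, splitting the `hal_tv_*` group. The visible neighbours are in alphabetical order, and the other files in this commit place threadnetwork after thermal and before the tv entries. Moving the declaration next to the `hal_thermal_service` type (outside this hunk) would keep the list consistent and make the type easier to find during policy audits.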
@@ -124,6 +125,7 @@
 /(vendor|system/vendor)/bin/hw/hostapd u:object_r:hal_wifi_hostapd_default_exec:s0
 /(vendor|system/vendor)/bin/hw/wpa_supplicant u:object_r:hal_wifi_supplicant_default_exec:s0
 /(vendor|system/vendor)/bin/install-recovery\.sh u:object_r:vendor_install_recovery_exec:s0
+/(vendor|system/vendor)/bin/ot-rcp u:object_r:ot_rcp_exec:s0
 /(vendor|system/vendor)/bin/vndservicemanager u:object_r:vndservicemanager_exec:s0
 
 #############################
diff --git a/vendor/hal_threadnetwork_default.te b/vendor/hal_threadnetwork_default.te
new file mode 100644
index 000000000..3a24269f7
--- /dev/null
+++ b/vendor/hal_threadnetwork_default.te
@@ -0,0 +1,5 @@
+type hal_threadnetwork_default, domain;
+hal_server_domain(hal_threadnetwork_default, hal_threadnetwork)
+
+type hal_threadnetwork_default_exec, exec_type, vendor_file_type, file_type;
+init_daemon_domain(hal_threadnetwork_default)
diff --git a/vendor/ot_rcp.te b/vendor/ot_rcp.te
new file mode 100644
index 000000000..0da517a2e
--- /dev/null
+++ b/vendor/ot_rcp.te
@@ -0,0 +1,17 @@
+#
+# ot_rcp is the simulated Thread Radio Coprocessor device which is used by
+# Thread Network HAL for simulating the Thread radio chip.
+#
+type ot_rcp, domain;
+type ot_rcp_exec, exec_type, vendor_file_type, file_type;
+
+userdebug_or_eng(`
+domain_auto_trans(hal_threadnetwork_default, ot_rcp_exec, ot_rcp)
+allow hal_threadnetwork_default devpts:chr_file {open read write ioctl};
+allow ot_rcp hal_threadnetwork_default:fd use;
+allow ot_rcp hal_threadnetwork_default:fifo_file rw_file_perms;
+allow ot_rcp devpts:chr_file {read write};
+allow ot_rcp self:udp_socket create_socket_perms_no_ioctl;
+allow ot_rcp node:udp_socket node_bind;
+allow ot_rcp port:udp_socket name_bind;
+')
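Review bot: In vendor/ot_rcp.te the simulator PTY is now granted on the generic `devpts` type for both hal_threadnetwork_default and ot_rcp, whereas the removed private policy used the per-domain `ot_daemon_devpts` type from `create_pty(ot_daemon)`. The generic label covers every PTY that has no domain-specific type, so these rules are broader than the single PTY the HAL opens for the simulated radio. Inside the `userdebug_or_eng` block, `create_pty(hal_threadnetwork_default)` together with `allow ot_rcp hal_threadnetwork_default_devpts:chr_file {read write};` would restore the narrower label. Separately, `type ot_rcp`, `type ot_rcp_exec` and the `/bin/ot-rcp` file_contexts entry are unconditional while every rule is debug-only, so a comment saying that the domain intentionally has no rules on user builds would help.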