How to check Trezor T for malware
cemehbl4

25.05.2023 10:17

First, I will dispel the common myth that the Trezor Suite app somehow checks that the device is genuine. Unfortunately, it does not. The Trezor's chip holds two pieces of code: the bootloader and the firmware. The bootloader is installed at the factory (a programmer is needed for this), while the firmware is installed by the user. During boot the bootloader checks the signature of the firmware, and if it was not signed by SatoshiLabs it displays a warning that the firmware is not original. The reverse also holds: official firmware will not run on a non-original bootloader and instead shows the error "unknown bootloader detected".

Everything seems nice, but there is a third option, and it is the one scammers use: they re-solder the chip and install their own bootloader together with their own hidden malicious firmware. To the user the device then looks as if no firmware is installed at all.

These fakes are of excellent quality: holograms, packaging, everything looks as if it came from the factory, and there are no signs of tampering on the case. These wallets are usually sold at unrealistically low prices for a Trezor T; the price of the original wallet on the official website is $219. Reselling it for $100 makes no economic sense.

Unfortunately, I can't describe exactly how the scam firmware works, since I have not held a fake device in my hands. But some facts are known, and from them you can make a plan for checking your device.

1. The fakes I know of have bootloader version 2.0.5 and firmware version 2.5.3 installed. How do you enter bootloader mode? Just swipe your finger across the screen while connecting the wallet to the USB port.

If you see such a picture, it is a very bad sign:

According to the official documentation, bootloader version 2.0.5 never existed: https://trezor.io/learn/a/bootloader-changelog

2. Next, check the firmware data via the official trezorctl utility. Installation instructions:

For Linux:

* Install Trezor Bridge: https://suite.trezor.io/web/bridge

* Install the Python package: pip3 install trezor

Connect the device and run the command:

trezorctl get-features

Do the same in bootloader mode.

This is what it looks like on the real device with the latest firmware installed:

And this is what it looks like on scam device:

Note the fw_vendor field; at the same time the device itself naturally shows no warnings.

3. It is logical to assume that scammers can use other version numbers, and even make get-features output look like that of the original firmware. What is known is that the scam firmware does not allow an update to the original. So we install the latest firmware and check whether the firmware/bootloader version has changed. Luckily for us, Trezor recently upgraded the firmware to 2.6.0 and the bootloader to 2.1.0. The bootloader mode was also redesigned: all information is now displayed on a blue background. If the firmware update completed successfully but the version did not change, you are dealing with a fraudulent device.
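The two checks above (reading get-features in both modes, then confirming that the version really moved after an update) can be scripted. The following is an added example, not code from the post or from the trezorctl project. It assumes the get-features printout is a block of `key: value` lines with the field names trezorctl uses for the Features message (major_version, minor_version, patch_version, bootloader_mode, fw_vendor), that genuine SatoshiLabs-signed firmware reports fw_vendor "Trezor", and the two printouts embedded below are constructed samples, not captures from a real device.

```python
"""Sanity checks over `trezorctl get-features` output (added example, not from the post).

Assumed: the printout is a block of `key: value` lines carrying the Features
message field names major_version, minor_version, patch_version, bootloader_mode
and fw_vendor.  Both sample printouts below are constructed, not captured.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Known-fake combination described in the post: bootloader 2.0.5, firmware 2.5.3.
FAKE_BOOTLOADER: Version = (2, 0, 5)
FAKE_FIRMWARE: Version = (2, 5, 3)
# Versions current at the time of the post, used for the "did the update stick" check.
CURRENT_FIRMWARE: Version = (2, 6, 0)
CURRENT_BOOTLOADER: Version = (2, 1, 0)
# Vendor string reported by SatoshiLabs-signed firmware (assumed expected value).
GENUINE_FW_VENDOR = "Trezor"

_LINE = re.compile(r"^\s*(\w+):\s*(.*?),?\s*$")


def parse_features(text: str) -> Dict[str, str]:
    """Turn the `key: value` lines of a get-features printout into a dict of strings."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # wrapper lines such as "Features {" and "}" carry no field
        fields[m.group(1)] = m.group(2).strip().strip("'\"")
    return fields


def reported_version(fields: Dict[str, str]) -> Optional[Version]:
    """Version triple the device reports (bootloader version in bootloader mode)."""
    try:
        major, minor, patch = (int(fields[k]) for k in ("major_version", "minor_version", "patch_version"))
    except (KeyError, ValueError):
        return None
    return (major, minor, patch)


def in_bootloader_mode(fields: Dict[str, str]) -> bool:
    return fields.get("bootloader_mode", "").lower() == "true"


def assess(fields: Dict[str, str]) -> List[str]:
    """Human-readable findings; an empty list means nothing suspicious was seen."""
    findings: List[str] = []
    version = reported_version(fields)
    if version is None:
        return ["could not read a version triple from the printout"]
    if in_bootloader_mode(fields):
        if version == FAKE_BOOTLOADER:
            findings.append("bootloader reports 2.0.5, a version absent from the official changelog")
    elif version == FAKE_FIRMWARE:
        findings.append("firmware reports 2.5.3, the version seen on known fakes")
    vendor = fields.get("fw_vendor")
    if vendor is not None and vendor != GENUINE_FW_VENDOR:
        findings.append(f"fw_vendor is {vendor!r}, not {GENUINE_FW_VENDOR!r}")
    return findings


def update_took_effect(before: Version, after: Version, expected: Version) -> bool:
    """Step 3 of the post: after a successful flash the reported version must equal the new release."""
    return after == expected


# Constructed sample printouts (values chosen to illustrate the checks, not real captures).
SCAM_BOOTLOADER_PRINTOUT = """\
Features {
    vendor: 'trezor.io',
    major_version: 2,
    minor_version: 0,
    patch_version: 5,
    bootloader_mode: True,
    fw_vendor: 'EXAMPLE-NOT-TREZOR',
}
"""

GENUINE_FIRMWARE_PRINTOUT = """\
Features {
    vendor: 'trezor.io',
    major_version: 2,
    minor_version: 6,
    patch_version: 0,
    bootloader_mode: False,
    fw_vendor: 'Trezor',
}
"""

if __name__ == "__main__":
    for label, text in (("scam sample", SCAM_BOOTLOADER_PRINTOUT), ("genuine sample", GENUINE_FIRMWARE_PRINTOUT)):
        print(label, "->", assess(parse_features(text)) or ["no findings"])
```

In practice you would paste the real printout into parse_features, run assess once in firmware mode and once in bootloader mode, and keep the version triple from before the update to feed update_took_effect afterwards. An empty finding list is not proof of a genuine device, since a fake can imitate the expected values; the post's later checks still apply.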

4. Scam devices are known to produce a limited set of seed phrases, and their passphrase function does not work correctly: only the first character is used.

Read more about passphrases and hidden wallets: https://trezor.io/learn/a/passphrases-and-hidden-wallets

* You can generate a seed 20-30-40 times and write it down each time; if a seed repeats, it's a scam. This, of course, is quite tedious.

* The second option is to generate a seed, add a long passphrase (hidden wallet), get a bitcoin address and check the result with Ian Coleman's utility: https://iancoleman.io/bip39. In the utility, enter the seed (BIP39 Mnemonic) and the passphrase (BIP39 Passphrase); you must get the same bitcoin address on the BIP84 tab.

* The third option is to open two hidden wallets using passphrases that begin with the same letter. The bitcoin addresses must be different.
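The second and third options rest on how BIP39 folds the passphrase into the wallet seed, so here is an added example (not code from the post or from Trezor) that shows the mechanism and the check. It derives the BIP39 seed and BIP32 root key from the public BIP39 test-vector mnemonic, which is not a real wallet, and compares root keys rather than on-screen addresses, since every address is derived deterministically from that key. The two "device" functions are constructed models of a correct device and of the fault the post describes (only the first passphrase character used); the same check generalises to any pair of passphrases that share a prefix.

```python
"""Passphrase (hidden wallet) sensitivity check (added example, not from the post).

BIP39 turns mnemonic + passphrase into the wallet seed with PBKDF2-HMAC-SHA512
(salt "mnemonic" + passphrase, 2048 rounds); BIP32 then derives the root key
from that seed, so two passphrases that differ anywhere must give different wallets.
The mnemonic is the public BIP39 test vector, not a real wallet; the two device
models below are constructed to illustrate correct and faulty behaviour.
"""
import hashlib
import hmac
import unicodedata
from typing import Callable, Tuple

TEST_VECTOR_MNEMONIC = "abandon " * 11 + "about"  # public BIP39 test vector, not a real wallet


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic and passphrase."""
    mnemonic_nfkd = unicodedata.normalize("NFKD", mnemonic).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", mnemonic_nfkd, salt, 2048, dklen=64)


def bip32_master_key(seed: bytes) -> Tuple[bytes, bytes]:
    """BIP32 root: HMAC-SHA512 keyed with 'Bitcoin seed'; left half is the master key, right half the chain code."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def correct_device(passphrase: str) -> bytes:
    """Constructed model of a genuine device: the full passphrase enters the derivation."""
    return bip32_master_key(bip39_seed(TEST_VECTOR_MNEMONIC, passphrase))[0]


def truncating_device(passphrase: str) -> bytes:
    """Constructed model of the fault described in the post: only the first character is used."""
    return bip32_master_key(bip39_seed(TEST_VECTOR_MNEMONIC, passphrase[:1]))[0]


def passphrase_check_passes(device: Callable[[str], bytes], first: str, second: str) -> bool:
    """The post's third option: two distinct passphrases with the same first character
    must open different hidden wallets.  Returns True when the device behaves correctly."""
    if not first or not second or first == second or first[0] != second[0]:
        raise ValueError("choose two distinct passphrases that begin with the same character")
    return device(first) != device(second)


if __name__ == "__main__":
    print("seed (passphrase TREZOR):", bip39_seed(TEST_VECTOR_MNEMONIC, "TREZOR").hex())
    for name, model in (("correct", correct_device), ("truncating", truncating_device)):
        print(name, "device passes check:", passphrase_check_passes(model, "a", "ab"))
```

With a real device you supply the on-screen addresses for the two passphrases in place of the model's root keys; the comparison is the same. The seed printed for passphrase "TREZOR" matches the value in the official BIP39 test vectors, which is also what Ian Coleman's page shows for that mnemonic and passphrase.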

5. Scam devices lack a working 24-word seed generation function. It can be requested with trezorctl:

trezorctl device setup -t 256

If the device still generates 12 words, you have the scam firmware.

And a little scolding for SatoshiLabs. These scam devices have been known for a long time. So why the hell are the instructions for checking the device written by a nobody from the Internet, and not by company officials?

The article will be supplemented if I learn or remember anything else. I will not advise buying the device only from the manufacturer or resellers: no one guarantees the absence of tampering or of a swap on the way to the consumer. Moreover, you cannot buy a Trezor from the official site if you are in Russia.

Do not trust - verify!
