Developers guide:Deterministic firmware build


We want to invite the wider community to participate in the verification of the firmware built by SatoshiLabs. To do this, one has to check the source code of the particular tag and compare the fingerprints of the built firmware with the fingerprints of the official firmware.

Trezor One firmware

  1. install Docker
  2. clone the firmware repository: git clone https://github.com/trezor/trezor-firmware.git
  3. go into the firmware folder: cd trezor-firmware
  4. check out the release tag: git checkout legacy/v1.9.4 (where 1.9.4 is the firmware version you want to build)
  5. run bash build-docker.sh legacy/v1.9.4 (where 1.9.4 is the firmware version you want to build)
  6. download the official firmware from https://data.trezor.io/firmware/1/trezor-1.9.4.bin (where 1.9.4 is the firmware version you want to check against)

The firmware headers changed in firmware 1.8.0, so if you are building firmware >= 1.8.0 you need to strip them before hashing. You can download the official firmware and then run:

# the following two lines print out the hashes of the firmwares
tail -c +1281 trezor-1.9.4.bin | shasum -a 256
tail -c +1025 build/legacy/firmware/firmware.bin | shasum -a 256

The two hashes should be equal. See this issue for more details.

Trezor Model T firmware

  1. install Docker
  2. clone the firmware repository: git clone https://github.com/trezor/trezor-firmware.git
  3. go into the firmware folder: cd trezor-firmware
  4. check out the release tag: git checkout core/v2.3.6 (where 2.3.6 is the firmware version you want to build)
  5. run bash build-docker.sh core/v2.3.6 (where 2.3.6 is the firmware version you want to build)
  6. download the official firmware from https://data.trezor.io/firmware/2/trezor-2.3.6.bin (where 2.3.6 is the firmware version you want to check against)

# the following line overwrites the 65 bytes of signature data in the official firmware with zeros (the downloaded file is modified in place)
dd if=/dev/zero of=trezor-2.3.6.bin bs=1 seek=5567 count=65 conv=notrunc

# the following two lines print out the hashes of the firmwares
shasum -a 256 trezor-2.3.6.bin
shasum -a 256 build/core/firmware/firmware.bin

The two hashes should be equal.
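
The two comparisons above (header stripping for Trezor One, signature zeroing for Model T) can be combined into one script. This is an added example, not code from the Trezor wiki or repository: the function names and the sample files are constructed for illustration, and it hashes a zeroed copy of the byte stream instead of overwriting the download with dd.

```shell
#!/bin/sh
# Added example, not from the Trezor repository. Compares an official image
# with a local build without modifying either file. The byte offsets are the
# ones used by the tail and dd commands on this page.
set -eu

# Hex SHA-256 of stdin (sha256sum where shasum is not installed).
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi | cut -d' ' -f1
}

# Trezor One >= 1.8.0: hash FILE after skipping the first SKIP header bytes.
hash_after_header() {  # hash_after_header FILE SKIP
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  tail -c +"$(( $2 + 1 ))" "$1" | sha256
}

# Model T: hash FILE with LEN bytes at OFFSET read as zeros (FILE is untouched).
hash_with_zeroed_range() {  # hash_with_zeroed_range FILE OFFSET LEN
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  { head -c "$2" "$1"; head -c "$3" /dev/zero; tail -c +"$(( $2 + $3 + 1 ))" "$1"; } | sha256
}

# Prints the verdict; an empty hash (unreadable file) never counts as a match.
compare_hashes() {  # compare_hashes OFFICIAL_HASH BUILT_HASH
  if [ -n "$1" ] && [ "$1" = "$2" ]; then echo "MATCH    $1"; else echo "MISMATCH $1 vs $2"; return 1; fi
}

# Constructed stand-ins for firmware images (labelled sample data, not real firmware).
fill() { head -c "$1" /dev/zero | tr '\0' "$2"; }  # fill COUNT CHAR
demo() {
  d=$(mktemp -d)
  { fill 1280 H; fill 4096 P; } > "$d/t1-official.bin"   # 1280-byte header + payload
  { fill 1024 h; fill 4096 P; } > "$d/t1-built.bin"      # 1024-byte header + payload
  compare_hashes "$(hash_after_header "$d/t1-official.bin" 1280)" \
                 "$(hash_after_header "$d/t1-built.bin" 1024)"
  { fill 5567 F; fill 65 S; fill 2368 F; } > "$d/tt-official.bin"           # signed
  { fill 5567 F; head -c 65 /dev/zero; fill 2368 F; } > "$d/tt-built.bin"   # unsigned
  compare_hashes "$(hash_with_zeroed_range "$d/tt-official.bin" 5567 65)" \
                 "$(sha256 < "$d/tt-built.bin")"
  # One changed payload byte must be reported as a mismatch.
  { fill 5567 F; head -c 65 /dev/zero; fill 2367 F; printf X; } > "$d/tt-tampered.bin"
  compare_hashes "$(hash_with_zeroed_range "$d/tt-official.bin" 5567 65)" \
                 "$(sha256 < "$d/tt-tampered.bin")" || echo "tampered build detected"
  rm -rf "$d"
}
demo
```

For a real check, call the two hash functions on the downloaded and built files with the same offsets (1280 and 1024 for Trezor One, 5567 and 65 for Model T) instead of running demo.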
