Trezor Model T
Our wallet review process
We examine wallets starting at the code level and continue all the way up to the finished app that lives on your device. Provided below is an outline of each of these steps along with security tips for you and general test results.
Application build test result
With our test script this is the result:
$ ./scripts/test/hardware/trezorT.sh 2.6.0
...
Fingerprints:
1b4845b2d2869eece07c3b287ad0acf036f7ba61efc39acb2cc01ed45490d2c6 build/core/bootloader/bootloader.bin
050526db604b9acceef2a5a8561bc99ecbe337909283ebb927b556d8e9b13872 build/core/firmware/firmware.bin
1b4845b2d2869eece07c3b287ad0acf036f7ba61efc39acb2cc01ed45490d2c6 build/core-bitcoinonly/bootloader/bootloader.bin
54f084dab4be1e64dc2cb970a6de87969407e4d6c48d79acdcf5d374ec0f29d6 build/core-bitcoinonly/firmware/firmware.bin
Hash of non-signature parts downloaded/compiled standard:
65+0 records in
65+0 records out
65 bytes copied, 0.00025086 s, 259 kB/s
c33e336869964cfb1ef193195894e8b6667955b4ea3044558c380b1787168e38 trezor-2.6.0.bin.zeroed
c33e336869964cfb1ef193195894e8b6667955b4ea3044558c380b1787168e38 build/core/firmware/firmware.bin
Hash of non-signature parts downloaded/compiled bitcoinonly:
65+0 records in
65+0 records out
65 bytes copied, 0.000205475 s, 316 kB/s
c0b7696ce45ac9fe593eb9af1eb561f66cdf8be4d6a6bea6e538e252843e8a2f trezor-2.6.0-bitcoinonly.bin.zeroed
c0b7696ce45ac9fe593eb9af1eb561f66cdf8be4d6a6bea6e538e252843e8a2f build/core-bitcoinonly/firmware/firmware.bin
Hash of the signed firmware:
e5560b40a9fc470fc9f9552baed65241cb0496c5896c6336e2422b50ddf7cada trezor-2.6.0.bin
c6fe574b2348beb45abb62d38bbf09b032a5082900667b6892218903aadf856f trezor-2.6.0-bitcoinonly.bin
This looks good. The compiled versions only differ in 64 bytes - the signature - from the downloaded version. This firmware is reproducible.
Tests performed by Leo Wandersleb, Mohammad
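The comparison behind the result above, written out as an added example (this is not the test script used for the review): zero the signature region of the downloaded image, hash it, compare it with the local build, and confirm that no byte outside that region differs. The function names, the offset 0x100 and the sample images are constructed for illustration; the real signature offset is not stated on this page and has to be supplied by the caller.

```python
import hashlib

SIG_LEN = 65  # length of the zeroed region, per "65 bytes copied" in the dd output

def zero_region(image: bytes, offset: int, length: int = SIG_LEN) -> bytes:
    """Return a copy of image with [offset, offset+length) overwritten by zeros."""
    if offset < 0 or offset + length > len(image):
        raise ValueError("signature region lies outside the image")
    return image[:offset] + bytes(length) + image[offset + length:]

def check_reproducible(downloaded: bytes, compiled: bytes,
                       sig_offset: int, sig_len: int = SIG_LEN) -> dict:
    """Compare a signed download with a local build, ignoring the signature."""
    if len(downloaded) != len(compiled):
        return {"reproducible": False, "reason": "size mismatch"}
    diffs = [i for i, (a, b) in enumerate(zip(downloaded, compiled)) if a != b]
    # Any differing byte outside the signature window is unexplained.
    outside = [i for i in diffs if not sig_offset <= i < sig_offset + sig_len]
    # Zero both sides so the check holds even if the build is not zero-filled there.
    h_dl = hashlib.sha256(zero_region(downloaded, sig_offset, sig_len)).hexdigest()
    h_build = hashlib.sha256(zero_region(compiled, sig_offset, sig_len)).hexdigest()
    return {"reproducible": h_dl == h_build, "differing_bytes": len(diffs),
            "outside_signature": outside, "sha256_zeroed": h_dl}

# --- constructed sample data (not real firmware; the offset is hypothetical) ---
SAMPLE_OFFSET = 0x100
_body = bytes((i * 7 + 3) % 256 for i in range(4096))
COMPILED = zero_region(_body, SAMPLE_OFFSET)                 # unsigned local build
SIGNED = (COMPILED[:SAMPLE_OFFSET] + b"\xab" * SIG_LEN
          + COMPILED[SAMPLE_OFFSET + SIG_LEN:])              # vendor-signed download
TAMPERED = SIGNED[:2000] + bytes([SIGNED[2000] ^ 0x01]) + SIGNED[2001:]

if __name__ == "__main__":
    for name, image in (("signed", SIGNED), ("tampered", TAMPERED)):
        r = check_reproducible(image, COMPILED, SAMPLE_OFFSET)
        print(name, r["reproducible"], r["differing_bytes"], r["outside_signature"])
```

A single flipped byte outside the signature window changes the zeroed hash, so the tampered image fails the check and the offending offset is reported.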
Previous application build tests
|5th December 2022||2.5.3|
|7th August 2022||2.4.3|
|16th October 2021||2.4.2|
|18th July 2021||2.3.6|
Our analysis is not a full code review! We plan to make code reviews available in the future, but even then a review will never be a stamp of approval, only a list of incidents and questionable coding practices. NASA sends probes to space that crash due to software bugs despite a huge budget and stringent scrutiny.
Do your own research
In addition to reading our analysis, it is important to do your own checks. Before transferring any bitcoin to your wallet, look up reviews for the wallet you want to use. They should be easy to find. If they aren't, that itself is a reason to be extra careful.