How to Verify BitHD Wallet Firmware Source Code?
“Don’t trust. Verify.”
The best way to prove you didn`t has a backdoor of your product is to make it Open Source. It doesn`t means that will be 100% safe but means we can work with the whole geek community to avoid any attack.
Open Source means any users can compile the firmware by themselves. Therefore, BitHD hardware wallet team prepared this tutorial to guide you to verify the consistency of the codes between the firmware on GitHub and the actual firmware on the BitHD hardware wallet product being sold on Amazon and eBay.
Before We Start:
- This tutorial is based on mac system operation, windows system users can download linux system to complete the operation process.
- During the compilation process, please do not close the terminal program.
- Open Terminal
You can find Terminal by search ‘Terminal’ in the Launchpad.
2. Install the compilation environment
2.1 Install Docker
Docker Engine overview
Docker Engine is an open source containerization technology for building and containerizing your applications. Docker…
2.2 Input the following command in the terminal and hit ‘enter’ to install homebrew
ruby -e “$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"
2.3 Paste the following command in the terminal to install python3 and pipenv through homebrew
brew install python3 pipenv
Get BITHD firmware open source code
- Create a new folder on the desktop and name it “BITHD”
2. Open terminal and input the following command to enter the folder directory
3. Continue to input the following command in the terminal to get the open source code on GitHub
git clone https://github.com/bithd/bithd-mcu.git
4. After successful acquisition, a BITHD-mcu folder will be generated in the BITHD file
This folder is the open source BITHD firmware code on GitHub, and subsequent compilation operations will be performed in this file directory.
- This step requires high computer performance, and some steps will take a long time. Please do not close the terminal before the terminal completes the operation, and wait patiently for the terminal to finish compiling.
- Input the following command in the terminal to enter the firmware code root directory
2. Input the following command in the terminal to compile the corresponding version firmware.
export TAG=v2.7.4; ./build-firmware.sh $TAG
After the compilation is completed, the compiled firmware file will be generated in the BITHD / BITHD-mcu / build folder. At this time, the compilation steps for the GitHub open source code have been completed.
Sign the compiled firmware
- Input the following command to install designated python environment.
pipenv — python 3 install
2. Input the following command to generate a bin file to sign
pipenv run ./script/prepare_firmware.py -f ./build/bithd-$TAG-unsigned.bin
A file named bithd-v2.7.4-prepared.bin will be created in the folder BITHD/BITHD-mcu/build.
3. Input the following command at the terminal. Sign this file with the signing file provided by BITHD official.
- The signing file is saved in the folder BITHD/BITHD-mcu/signatures
pipenv run ./script/build_signed_firmware.py -f ./build/bithd-$TAG-prepared.bin -s . signatures/$TAG.csv
After signing, a new file bithd-v2.7.4-signed will be generated in BITHD/BITHD-mcu/build. This file is the firmware we compiled and signed with the GitHub source coded and official signing file.
So far, we have completed all the steps of getting code from GitHub, compiling and signing. Then, we will verify the firmware.
- Connect BITHD, choose to export the firmware in Bitpie APP. Tip: this exporting is only about firmware information and has nothing to do with your assets.
2. Through comparison, verify the consistency between the firmware in your hardware and the GitHub open-source firmware.
Input the following command in the terminal, and the comparison result will be shown as export
TAG=v2.7.4diff <(xxd build/bithd-$TAG-prepared.bin) <(xxd build/bithd-$TAG-firmware.bin)
Tip: please move the exported firmware file into folder BITHD/BITHD-mcu/build and edit the file name as same as the name in the command. E.g. the exported file name is bithd-wallet-firmware, we need to rename it as bithd-v2.7.4-firmware and put it into folder “build”. Otherwise the command would report an error.
By comparing the compiled firmware and the exported firmware, we can find the only difference is the first 256 signing information is different. Apart from that, all the remaining codes are all idential. That’s proved the two firmwares are totally the same.
3. Through Hash computing, verify the consistency between the firmware in hardware and the open-source firmware codes on GitHub.
3.1 Input the following command to compute the hash value of the exported firmware file.
shasum -a 256 ./build/bithd-$TAG-firmware.bin
3.2 Compare the hash value with the firmware codes on GitHub.
We can find the two hash values are identical. That demonstrates that the two firmwares are exactly the same.