Published in Bitpie

How to Verify BitHD Wallet Firmware Source Code?

“Don’t trust. Verify.”

The best way to prove that your product has no backdoor is to make it open source. That doesn't mean it will be 100% safe, but it means we can work with the whole geek community to avoid any attack.

Open source means any user can compile the firmware themselves. Therefore, the BitHD hardware wallet team prepared this tutorial to guide you through verifying that the firmware code on GitHub is consistent with the actual firmware on the BitHD hardware wallet product being sold on Amazon and eBay.

Before We Start:

  • This tutorial is based on macOS; Windows users can download a Linux system to complete the process.
  • During the compilation process, please do not close the terminal program.

1. Open Terminal

You can find Terminal by searching for ‘Terminal’ in Launchpad.

2. Install the compilation environment

2.1 Install Docker

2.2 Input the following command in the terminal and hit ‘enter’ to install homebrew

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

2.3 Paste the following command in the terminal to install python3 and pipenv through homebrew

brew install python3 pipenv

Get BITHD firmware open source code

1. Create a new folder on the desktop and name it “BITHD”

2. Open terminal and input the following command to enter the folder directory

cd ./Desktop/BITHD/

3. Continue to input the following command in the terminal to get the open source code on GitHub

git clone https://github.com/bithd/bithd-mcu.git

4. After the clone succeeds, a BITHD-mcu folder will be generated in the BITHD folder

This folder contains the open source BITHD firmware code from GitHub, and subsequent compilation operations will be performed in this directory.

Compilation

  • This step requires high computer performance, and some steps will take a long time. Please do not close the terminal before it completes the operation, and wait patiently for it to finish compiling.

1. Input the following command in the terminal to enter the firmware code root directory

cd bithd-mcu

2. Input the following command in the terminal to compile the corresponding version firmware.

export TAG=v2.7.4; ./build-firmware.sh $TAG

After the compilation is completed, the compiled firmware file will be generated in the BITHD/BITHD-mcu/build folder. At this point, the compilation steps for the GitHub open source code have been completed.

Sign the compiled firmware

1. Input the following command to install the designated Python environment.

pipenv --python 3 install

2. Input the following command to generate a bin file to sign

pipenv run ./script/prepare_firmware.py -f ./build/bithd-$TAG-unsigned.bin

A file named bithd-v2.7.4-prepared.bin will be created in the folder BITHD/BITHD-mcu/build.

3. Input the following commands in the terminal to sign this file with the signing file provided officially by BITHD.

  • The signing file is saved in the folder BITHD/BITHD-mcu/signatures

export TAG=v2.7.4

pipenv run ./script/build_signed_firmware.py -f ./build/bithd-$TAG-prepared.bin -s ./signatures/$TAG.csv

After signing, a new file bithd-v2.7.4-signed will be generated in BITHD/BITHD-mcu/build. This file is the firmware we compiled and signed with the GitHub source code and the official signing file.

So far, we have completed all the steps of getting the code from GitHub, compiling and signing. Next, we will verify the firmware.

Firmware Verification

1. Connect the BITHD and choose to export the firmware in the Bitpie app. Tip: this export only contains firmware information and has nothing to do with your assets.

2. Through comparison, verify the consistency between the firmware in your hardware and the GitHub open-source firmware.

Input the following commands in the terminal, and the comparison result will be shown as output

TAG=v2.7.4

diff <(xxd build/bithd-$TAG-prepared.bin) <(xxd build/bithd-$TAG-firmware.bin)

Tip: please move the exported firmware file into the folder BITHD/BITHD-mcu/build and rename it to match the name in the command. E.g. if the exported file name is bithd-wallet-firmware, we need to rename it as bithd-v2.7.4-firmware and put it into the folder “build”. Otherwise the command will report an error.

By comparing the compiled firmware and the exported firmware, we can see that the only difference is the signing information in the first 256 bytes. Apart from that, all the remaining code is identical. That proves the two firmwares are the same.

3. Through Hash computing, verify the consistency between the firmware in hardware and the open-source firmware codes on GitHub.

3.1 Input the following command to compute the hash value of the exported firmware file.

shasum -a 256 ./build/bithd-$TAG-firmware.bin

3.2 Compare the hash value with the firmware's hash on GitHub.

GitHub address: https://github.com/bithd/bithd-mcu/releases

We can see that the two hash values are identical. That demonstrates that the two firmwares are exactly the same.
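The comparison from steps 2 and 3 combined into one script, as an added example that is not part of the original tutorial or the bithd-mcu repository: it requires equal file sizes and identical bytes after the signature header, and hashes only that body (step 3.1 above hashes the whole exported file). The function names, `HEADER_LEN` and the sample-image helper are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the bithd-mcu repository.
# Assumption: the article's "first 256" signing information means 256 bytes.
HEADER_LEN=256

# macOS ships shasum; most Linux systems ship sha256sum.
sha256_stdin() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi |
        cut -d' ' -f1
}

# SHA-256 of everything after the signature header.
body_hash() {
    tail -c +"$((HEADER_LEN + 1))" "$1" | sha256_stdin
}

# Returns 0 when sizes match and every byte after the header is identical,
# 1 on any difference outside the header, 2 when an input is unusable.
firmware_body_matches() {
    built=$1; exported=$2
    [ -r "$built" ] && [ -r "$exported" ] || { echo "unreadable input" >&2; return 2; }
    size_b=$(wc -c < "$built" | tr -d ' ')
    size_e=$(wc -c < "$exported" | tr -d ' ')
    [ "$size_b" -gt "$HEADER_LEN" ] || { echo "image shorter than header" >&2; return 2; }
    if [ "$size_b" -ne "$size_e" ]; then
        echo "size mismatch: $size_b vs $size_e bytes" >&2; return 1
    fi
    hash_b=$(body_hash "$built"); hash_e=$(body_hash "$exported")
    if [ "$hash_b" = "$hash_e" ]; then
        echo "match: body sha256 $hash_b"; return 0
    fi
    # cmp -l lists each differing byte (1-based); report the first one past the header.
    first=$(cmp -l "$built" "$exported" |
        awk -v h="$HEADER_LEN" '$1 > h { print $1 - 1; exit }')
    echo "MISMATCH outside header, first at offset $first" >&2; return 1
}

# Constructed sample image for trying the check offline: fill byte header + body text.
make_image() {
    { head -c "$HEADER_LEN" /dev/zero | tr '\0' "$2"; printf '%s' "$3"; } > "$1"
}

# Usage: sh check.sh build/bithd-$TAG-prepared.bin build/bithd-$TAG-firmware.bin
if [ "$#" -eq 2 ]; then firmware_body_matches "$1" "$2"; fi
```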
