Verifying OneKey Pro Firmware with Open Source Code

Updated yesterday

This article will guide you through the process of verifying that the firmware installed on your OneKey Pro hardware wallet matches the open-source firmware released on the official OneKey GitHub repository. By comparing the SHA-256 Checksum, you can ensure the firmware comes from a reliable source and guarantee the security of your device.


What is a Checksum?

A Checksum is a fixed-length alphanumeric value calculated from the contents of a file. Recalculating it later and comparing the two values confirms whether the file has been altered, which makes it a way of verifying data integrity.


⚠️ Important Notes

  • The secure element chip inside every OneKey hardware wallet is preloaded at the factory with official multi-signature verification.

  • If the device is flashed with unofficial firmware, the device will display “Unofficial Firmware” at startup.

  • This article provides additional steps to confirm whether the current firmware exactly matches the version released on GitHub.


Verification Process

Step 1: Download and Install the Latest Official Firmware

  1. Connect your OneKey hardware wallet to your computer using a USB cable.

  2. The website will automatically detect your device information. You can then select and install the latest firmware.

  3. Follow the on-screen instructions and confirm the installation on your hardware wallet.


Step 2: Retrieve the Device Firmware Checksum

  1. On your hardware wallet, navigate to System Settings → About Device.

  2. In the firmware information section, you will see the firmware version and its Checksum.

    • Example: 4.9.0[fccbac8-5ff2c88]

      • fccbac8 → Firmware version ID

      • 5ff2c88 → First seven characters of the firmware Checksum


Step 3: Calculate the Firmware Checksum from GitHub

  1. Locate the firmware version that matches your device, and download the .bin file under Assets.

⚠️ Note: The .bin file contains multiple parts:

  • MCU (main controller firmware)

  • One or more Secure Element (SE) firmwares

  • Signature information

For verification, you need to extract the MCU firmware only.


Extracting the Firmware

Save the following script as split_firmware.sh (for macOS/Linux):

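#!/bin/bash
# Split a OneKey release .bin into firmware.bin (MCU part) and, if present, se.bin.

if [ $# -ne 1 ]; then
    echo "Usage: $0 <binary_file>"
    exit 1
fi

INPUT_FILE="$1"

# Size of the input in bytes. wc -c works on both macOS and Linux
# (stat -f %z is macOS-only); $(( )) strips the padding macOS wc adds.
TOTAL_FILE_SIZE=$(($(wc -c < "$INPUT_FILE")))

# The first four bytes identify the container format.
MAGIC=$(dd if="$INPUT_FILE" bs=1 count=4 2>/dev/null)

# Read the 32-bit value at the given offset (od uses host byte order)
# and add 1024 to it.
calculate_total_size() {
    local offset=$1
    local size_bytes=$(dd if="$INPUT_FILE" bs=1 skip="$offset" count=4 2>/dev/null | od -An -tu4)
    echo $((size_bytes + 1024))
}

if [[ "$MAGIC" == "TRZF" ]]; then
    # TRZF: the size field sits at offset 12.
    TOTAL_SIZE=$(calculate_total_size 12)
elif [[ "$MAGIC" == "OKTV" ]]; then
    # OKTV: a first header whose size is stored at offset 4 comes before
    # the part that carries the size field.
    HEAD1_SIZE=$(dd if="$INPUT_FILE" bs=1 skip=4 count=4 2>/dev/null | od -An -tu4)
    HEAD1_SIZE=$(echo $HEAD1_SIZE)   # trim the whitespace od adds
    FILE_SIZE_BYTES=$(dd if="$INPUT_FILE" bs=1 skip=$((HEAD1_SIZE + 12)) count=4 2>/dev/null | od -An -tu4)
    TOTAL_SIZE=$((HEAD1_SIZE + 1024 + FILE_SIZE_BYTES))
else
    echo "Unknown file format"
    exit 1
fi

# Copy the first TOTAL_SIZE bytes out as the MCU firmware.
dd if="$INPUT_FILE" bs=1 count="$TOTAL_SIZE" of=firmware.bin 2>/dev/null

# Anything left over is written to se.bin only if it starts with "TF89".
REMAINING_SIZE=$((TOTAL_FILE_SIZE - TOTAL_SIZE))
if [ $REMAINING_SIZE -gt 0 ]; then
    SECOND_HEADER=$(dd if="$INPUT_FILE" bs=1 skip="$TOTAL_SIZE" count=4 2>/dev/null)
    if [[ "$SECOND_HEADER" == "TF89" ]]; then
        dd if="$INPUT_FILE" bs=1 skip="$TOTAL_SIZE" of=se.bin 2>/dev/null
        echo "Split successfully: firmware.bin and se.bin extracted."
    else
        echo "Extra data exists but second file header is not 'TF89'. Only firmware.bin is extracted."
    fi
else
    echo "No extra data, only firmware.bin extracted."
fi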

Run the script:

chmod +x split_firmware.sh
./split_firmware.sh onekey-firmware.bin

After execution, you will get firmware.bin (the MCU firmware body).


Calculate the Checksum

Run the following command in your terminal:

tail -c +2561 firmware.bin | shasum -a 256 -b

This will output a long SHA-256 hash, e.g.:

abcdef1234567890... -

Take the first seven characters, e.g. abcdef1.


Step 4: Compare the Results

  • Compare the first seven characters of the calculated Checksum with the Checksum displayed on your device.

  • If they match, it means your firmware is identical to the open-source code released on GitHub.
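
The calculation in Step 3 and the comparison in Step 4 can be scripted so that the truncation and matching are not done by eye. This is an added example, not part of OneKey's documentation or code: the function names and the HEADER_BYTES constant are its own, and it assumes firmware.bin was produced by split_firmware.sh and that the device string has the form shown in Step 2.

```bash
#!/bin/bash
# Added example (not OneKey's code): compare a firmware.bin produced by
# split_firmware.sh with the string shown under About Device.
# HEADER_BYTES and all function names are this example's own.

HEADER_BYTES=2560   # bytes skipped by "tail -c +2561" in the article

# Print the hex SHA-256 of everything after the first HEADER_BYTES bytes.
mcu_body_sha256() {
  local file="$1" size
  [ -r "$file" ] || { echo "error: cannot read $file" >&2; return 2; }
  size=$(($(wc -c < "$file")))
  if [ "$size" -le "$HEADER_BYTES" ]; then
    echo "error: $file has no data after byte $HEADER_BYTES" >&2
    return 2
  fi
  if command -v sha256sum >/dev/null 2>&1; then   # typical on Linux
    tail -c +$((HEADER_BYTES + 1)) "$file" | sha256sum | cut -d' ' -f1
  else                                            # macOS ships shasum
    tail -c +$((HEADER_BYTES + 1)) "$file" | shasum -a 256 -b | cut -d' ' -f1
  fi
}

# Pull the checksum prefix out of a string such as 4.9.0[fccbac8-5ff2c88].
device_checksum_prefix() {
  local prefix
  prefix=$(printf '%s\n' "$1" |
    sed -n 's/^.*\[[^]-]*-\([0-9a-fA-F]\{7\}\)]$/\1/p' | tr 'A-F' 'a-f')
  [ -n "$prefix" ] || { echo "error: unexpected device string: $1" >&2; return 2; }
  printf '%s\n' "$prefix"
}

# Exit status: 0 = match, 1 = mismatch, 2 = unusable input.
verify_firmware() {
  local want got
  want=$(device_checksum_prefix "$2") || return 2
  got=$(mcu_body_sha256 "$1") || return 2
  got=$(printf '%.7s' "$got")
  if [ "$got" = "$want" ]; then
    echo "MATCH: device and file both give $want"
  else
    echo "MISMATCH: device shows $want, file gives $got"
    return 1
  fi
}

# Usage: ./verify_checksum.sh firmware.bin '4.9.0[fccbac8-5ff2c88]'
if [ "$#" -eq 2 ]; then verify_firmware "$1" "$2"; fi
```

The seven characters shown on the device cover 28 bits of the 256-bit hash; call mcu_body_sha256 on its own to print the full value if you want to record it.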


✅ Why This Matters

  • You can be sure that your device is running firmware built directly from OneKey’s official open-source repository.

  • Along with the secure element’s built-in multi-signature verification, this ensures the integrity and security of your hardware wallet firmware.
