The OneKey hardware wallet's firmware is fully open source; the source code for each product is published in OneKey's GitHub repositories. Before a firmware file intended for mass production is officially released, the OneKey team builds it from the corresponding firmware repository with GitHub Actions (GitHub CI). The resulting files are then signed by the OneKey team before they are officially released.
This article describes a self-verification method: by comparing the checksums of the files from before and after the team's multi-sig signing step, you can confirm that the released firmware file is consistent with the CI build of the open source code. Note what this does and does not establish: the comparison shows that the released binary is the one GitHub CI built from the repository; rebuilding that artifact from source on your own machine is a separate check that this article does not cover.
For methods on how to verify the consistency of different files' source data using the SHA-256 cryptographic hash function (comparing Checksums), refer to this article.
Open Source Firmware Repositories
- Bluetooth Firmware: github.com/OneKeyHQ/bluetooth-firmware-pro
- Bluetooth Firmware: github.com/OneKeyHQ/bluetooth-firmware-classic1s
- ⚙ System Firmware: github.com/OneKeyHQ/firmware/tree/bixin_dev
- Bluetooth Firmware: github.com/OneKeyHQ/bluetooth-firmware-classic
- ⚙ System Firmware: github.com/OneKeyHQ/firmware (branch: touch)
- Bluetooth Firmware: github.com/OneKeyHQ/bluetooth-firmware-touch
- ⚙ System Firmware: github.com/OneKeyHQ/firmware/tree/mini
Firmware Release Process
When a standard (system) firmware or a Bluetooth firmware is ready for release, the OneKey team runs the corresponding repository's GitHub Action to compile the open source code. After a successful build, the output files are uploaded to GitHub Artifacts storage, where they wait until the team completes its internal multi-sig signing; the signed files are then placed on OneKey's CDN. After the config.json file is updated, update notifications are pushed through the OneKey App and the OneKey firmware update website, prompting users to upgrade their firmware. Refer to the diagram below for the specific process.
Targets
- Verify that the "OneKey Team Signed Firmware File" is derived from the "GitHub CI Pre-Signed Firmware File" in the OneKey open source repository.
- Verify the consistency between the "OneKey Team Signed Firmware File" and the "OneKey Official CDN Stored Firmware File."
Prerequisites
System firmware
- GitHub CI Pre-Signed Firmware File
  - Navigate to the official OneKey hardware firmware GitHub Release: https://github.com/OneKeyHQ/firmware/releases
  - Find the firmware version you want to verify and click the GitHub Action link.
  - Click on the firmware name under Artifacts to download (login to GitHub required).
- OneKey Team Signed Firmware File
  - Navigate to the official OneKey hardware firmware GitHub Release: https://github.com/OneKeyHQ/firmware/releases
  - Find the firmware version you want to verify.
  - Click to download the bin file under Assets.
- OneKey Official CDN Stored Firmware File
  - Navigate to the OneKey CDN file: https://data.onekey.so/config.json
  - Find the firmware version you want to verify.
  - Copy the link under the "url" field.
  - Open the link in a new browser window; the bin file downloads automatically.
Bluetooth firmware
- GitHub CI Pre-Signed Bluetooth Firmware File
  - Navigate to the official OneKey Bluetooth firmware GitHub Release for your device:
    - OneKey Classic & Classic 1S: https://github.com/OneKeyHQ/bluetooth-firmware-classic/releases
    - OneKey Pro: https://github.com/OneKeyHQ/bluetooth-firmware-pro/releases
    - OneKey Touch: https://github.com/OneKeyHQ/bluetooth-firmware-touch/releases
  - Find the firmware version you want to verify and click the GitHub Action link.
  - Click on the firmware name under Artifacts to download (login to GitHub required).
- OneKey Team Signed Bluetooth Firmware File
  - Navigate to the official OneKey Bluetooth firmware GitHub Release for your device:
    - OneKey Classic & Classic 1S: https://github.com/OneKeyHQ/bluetooth-firmware-classic/releases
    - OneKey Pro: https://github.com/OneKeyHQ/bluetooth-firmware-pro/releases
    - OneKey Touch: https://github.com/OneKeyHQ/bluetooth-firmware-touch/releases
  - Find the firmware version you want to verify.
  - Click to download the bin file under Assets.
- OneKey Official CDN Stored Bluetooth Firmware File
  - Navigate to the OneKey CDN file: https://data.onekey.so/config.json
  - Find the firmware version you want to verify.
  - Copy the link under the "ble" - "webUpdate" field.
  - Open the link in a new browser window; the bin file downloads automatically.
Python (needed for the Bluetooth firmware checks)
- Navigate to: https://www.python.org/downloads/
- Download and install the latest version of Python.
Steps
Below are the verification steps for the two targets set previously.
System firmware, target 1 (is the signed file derived from the CI build?):
- Open the Terminal.
- Run the command below on the OneKey Team Signed Firmware File:
    tail -c +1025 /path/to/(file path) | shasum -a 256
- Run the same command on the GitHub CI Pre-Signed Firmware File:
    tail -c +1025 /path/to/(file path) | shasum -a 256
- Compare the two checksums. If they match, the "OneKey Team Signed Firmware File" is confirmed to be derived from the "GitHub CI Pre-Signed Firmware File" built in the OneKey open-source repository. If they differ, first make sure both downloads are the same firmware version; if they still differ, do not install the file.
Both system firmware files begin with a 1024-byte header. The OneKey team's signing step writes its signature result into that header, and the bootloader verifies the signature at device startup; everything after the header is the compiled code and must be byte-identical in the two files, which is why the commands skip the header before hashing. Note that tail -c +N starts its output at byte N counting from 1, so skipping exactly 1024 bytes requires +1025; +1024 would still include the last byte of the header.
System firmware, target 2 (does the CDN copy match the signed file?):
- Open the Terminal.
- Run the command below on the OneKey Team Signed Firmware File:
    shasum -a 256 (file path)
- Run the same command on the OneKey Official CDN Stored Firmware File:
    shasum -a 256 (file path)
- Compare the two checksums. Both files are signed, so they must be byte-for-byte identical: if the checksums match, the file served from the CDN is the file the team signed.
Bluetooth firmware, target 1 (is the signed file derived from the CI build?):
- Find the ota.bin file in your downloaded GitHub CI Pre-Signed Bluetooth firmware folder.
- Save the Python script below (for example as ble_checksum.py) in the same folder as ota.bin. It reads the 4-byte little-endian length field at offset 0x0C of the OTA image, subtracts 512 to get the length of the code image, and prints the SHA-256 of that code image, which starts at offset 0x600:
    import hashlib
    import struct

    # The length field sits at offset 0x0C; the code image it describes starts
    # at offset 0x600 and is 512 bytes shorter than the field value.
    with open("ota.bin", "rb") as f:
        f.seek(0x0C)
        codelen = struct.unpack("<I", f.read(4))[0] - 512
        f.seek(0x600)
        print(hashlib.sha256(f.read(codelen)).hexdigest())
- Open a terminal in that folder and run the script: python3 ble_checksum.py
- Run it again for the OneKey Team Signed Bluetooth Firmware File, after changing "ota.bin" in the script to the name of that file.
- Compare the checksums printed by the two runs. If they match, the "OneKey Team Signed Firmware File" is confirmed to be derived from the "GitHub CI Pre-Signed Firmware File" built in the OneKey open-source repository.
Bluetooth firmware, target 2 (does the CDN copy match the signed file?):
- Open a terminal in the folder containing the OneKey Team Signed Bluetooth Firmware File.
- Run the same Python script as in the previous target, with "ota.bin" changed to the name of that file, to get its checksum.
- Repeat with your downloaded OneKey Official CDN Stored Bluetooth Firmware File.
- Compare the two checksums. If they match, the code images of the two firmware files are identical.
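The whole procedure above, as an added example in Python (this is not OneKey's own code or tooling): each checksum rule from the Steps becomes a function, and the script runs all of them against constructed sample images. The image layouts are hypothetical stand-ins; only the offsets come from the commands on this page (a 1024-byte system-firmware header; the 0x0C length field, the 512-byte adjustment and the 0x600 code offset for ota.bin). Besides the matching cases it shows two failure modes a practitioner should see once: a single changed code byte, and the off-by-one of skipping 1023 instead of 1024 header bytes (tail -c +N starts at byte N counting from 1, so skipping the whole header needs +1025).

```python
# Added example, not OneKey's own tooling: the checks from the Steps section as
# functions, run against constructed sample images so it works offline.
import hashlib
import struct

SYSTEM_HEADER_LEN = 1024  # article: 1024-byte signature header on system firmware
BLE_LEN_OFFSET = 0x0C     # article's ota.bin script: 4-byte length field at 0x0C
BLE_CODE_OFFSET = 0x600   # article's ota.bin script: code image starts at 0x600
BLE_LEN_ADJUST = 512      # article's ota.bin script: codelen = length field - 512


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tail_from_byte(data: bytes, n: int) -> bytes:
    """Mimic `tail -c +N`: output starts at byte N, counting from 1."""
    return data[n - 1:]


def system_code_hash(image: bytes, skip: int = SYSTEM_HEADER_LEN) -> str:
    """SHA-256 of everything after the header: `tail -c +1025 file | shasum -a 256`."""
    if len(image) <= skip:
        raise ValueError("image is not longer than the header it should skip")
    return sha256_hex(tail_from_byte(image, skip + 1))


def whole_file_hash(image: bytes) -> str:
    """SHA-256 of the complete file: `shasum -a 256 file`."""
    return sha256_hex(image)


def ble_code_hash(image: bytes) -> str:
    """The article's ota.bin computation, with bounds checks on the length field."""
    if len(image) < BLE_CODE_OFFSET:
        raise ValueError("ota.bin is shorter than its 0x600-byte header")
    # Explicit little-endian (the Cortex-M target's byte order) where the
    # original one-liner relied on the host's native order.
    (length,) = struct.unpack_from("<I", image, BLE_LEN_OFFSET)
    codelen = length - BLE_LEN_ADJUST
    end = BLE_CODE_OFFSET + codelen
    if codelen <= 0 or end > len(image):
        raise ValueError(f"length field {length:#x} does not fit a {len(image)}-byte file")
    return sha256_hex(image[BLE_CODE_OFFSET:end])


def same_digest(hash_fn, a: bytes, b: bytes) -> bool:
    """True when both files give the same checksum under the given rule."""
    return hash_fn(a) == hash_fn(b)


# ---- constructed sample images; layouts are hypothetical, not OneKey's real formats ----
CODE = bytes(range(256)) * 8  # 2048 bytes standing in for compiled firmware
SIGNATURE = b"\xAA" * 64      # stands in for the team's signature bytes


def make_system_image(code: bytes, signature: bytes) -> bytes:
    """Toy layout: 1024-byte header whose last 64 bytes hold the signature, then code."""
    header = bytearray(SYSTEM_HEADER_LEN)
    header[-64:] = signature.ljust(64, b"\x00")[:64]
    return bytes(header) + code


def make_ble_image(code: bytes, signature: bytes) -> bytes:
    """Toy layout: length field at 0x0C (= len(code) + 512), signature at 0x500, code at 0x600."""
    header = bytearray(BLE_CODE_OFFSET)
    struct.pack_into("<I", header, BLE_LEN_OFFSET, len(code) + BLE_LEN_ADJUST)
    header[0x500:0x540] = signature.ljust(64, b"\x00")[:64]
    return bytes(header) + code


def run_checks() -> dict:
    ci_sys = make_system_image(CODE, b"")            # CI pre-signed: signature slot empty
    signed_sys = make_system_image(CODE, SIGNATURE)  # team signed: signature filled in
    cdn_sys = bytes(signed_sys)                      # CDN copy: should be byte-identical
    tampered_sys = make_system_image(CODE[:-1] + b"\x00", SIGNATURE)  # one code byte changed
    ci_ble = make_ble_image(CODE, b"")
    signed_ble = make_ble_image(CODE, SIGNATURE)
    cdn_ble = bytes(signed_ble)
    return {
        # Target 1, system firmware: code after the 1024-byte header must match
        "sys_signed_derived_from_ci": same_digest(system_code_hash, ci_sys, signed_sys),
        # Skipping only 1023 bytes (tail -c +1024) keeps the last header byte, which in
        # this toy layout is a signature byte, so the checksums no longer match
        "sys_skip_1023_still_matches": same_digest(lambda d: system_code_hash(d, 1023), ci_sys, signed_sys),
        # Target 2, system firmware: whole-file checksum of the signed file vs the CDN copy
        "sys_cdn_matches_signed": same_digest(whole_file_hash, signed_sys, cdn_sys),
        # A single changed code byte is caught by the same comparison
        "sys_tampered_still_matches": same_digest(system_code_hash, ci_sys, tampered_sys),
        # Bluetooth: hash the code region addressed by the length field
        "ble_signed_derived_from_ci": same_digest(ble_code_hash, ci_ble, signed_ble),
        "ble_cdn_matches_signed": same_digest(ble_code_hash, signed_ble, cdn_ble),
    }


if __name__ == "__main__":
    for check, ok in run_checks().items():
        print(f"{check:28s} {'MATCH' if ok else 'MISMATCH'}")
```

Run with python3; every check except the two deliberately failing ones (sys_skip_1023_still_matches and sys_tampered_still_matches) prints MATCH. To apply the same functions to real downloads, read each file with open(path, "rb").read() and pass the bytes in place of the constructed images; the digests are the same ones shasum -a 256 prints, so a result can be cross-checked against the terminal commands above.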