Title: How to Verify BitHD Wallet Firmware Source Code?
Post by: Bitpie Wallet on March 27, 2020, 10:09:11 AM

“Don’t trust. Verify.”
https://i.imgur.com/X5RewuH.jpg

The best way to prove you don't have a backdoor in your product is to make it Open Source. It doesn't mean that it will be 100% safe, but it means we can work with the whole geek community to avoid any attack.

Open Source means any user can compile the firmware by themselves. Therefore, the BitHD hardware wallet team prepared this tutorial to guide you in verifying the consistency of the code between the firmware on GitHub and the actual firmware on the BitHD hardware wallet product being sold on Amazon and eBay.

Before We Start:

This tutorial is based on Mac system operation; Windows system users can download a Linux system to complete the operation process. During the compilation process, please do not close the terminal program.

https://i.imgur.com/gx5bwHu.png

1. Open Terminal

You can find Terminal by searching for ‘Terminal’ in the Launchpad.

https://i.imgur.com/5VBFMSc.png

2. Install the compilation environment

2.1 Install Docker

https://docs.docker.com/install/

https://i.imgur.com/XRlU0SH.png

2.2 Input the following command in the terminal and hit ‘enter’ to install Homebrew

    ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

https://i.imgur.com/A6hTimf.png

2.3 Paste the following command in the terminal to install python3 and pipenv through Homebrew

    brew install python3 pipenv

https://i.imgur.com/d3sRsYh.png

Get BITHD firmware open source code

1. Create a new folder on the desktop and name it “BITHD”

https://i.imgur.com/Foh1eOQ.png

2. Open the terminal and input the following command to enter the folder directory

    cd ./Desktop/BITHD/

https://i.imgur.com/Een1liF.png

3. Continue to input the following command in the terminal to get the open source code on GitHub

    git clone https://github.com/bithd/bithd-mcu.git

https://i.imgur.com/dh8DEFO.png

4. After successful acquisition, a BITHD-mcu folder will be generated in the BITHD file

https://i.imgur.com/YL9hnJG.png

This folder is the open source BITHD firmware code on GitHub, and subsequent compilation operations will be performed in this file directory.

Compilation

This step requires high computer performance, and some steps will take a long time. Please do not close the terminal before the terminal completes the operation, and wait patiently for the terminal to finish compiling.

1. Input the following command in the terminal to enter the firmware code root directory

    cd bithd-mcu

https://i.imgur.com/42GfDTa.png

2. Input the following command in the terminal to compile the corresponding firmware version.

    export TAG=v2.7.4; ./build-firmware.sh $TAG

https://i.imgur.com/MVelnNj.png

After the compilation is completed, the compiled firmware file will be generated in the BITHD/BITHD-mcu/build folder. At this point, the compilation steps for the GitHub open source code have been completed.

Sign the compiled firmware

1. Input the following command to install the designated Python environment.

    pipenv --python 3 install

https://i.imgur.com/PpblKFS.png

2. Input the following command to generate a bin file to sign

    pipenv run ./script/prepare_firmware.py -f ./build/bithd-$TAG-unsigned.bin

https://i.imgur.com/MjqMJLP.png

A file named bithd-v2.7.4-prepared.bin will be created in the folder BITHD/BITHD-mcu/build.

3. Input the following command at the terminal. Sign this file with the signing file provided by BITHD official. The signing file is saved in the folder BITHD/BITHD-mcu/signatures

    export TAG=v2.7.4
    pipenv run ./script/build_signed_firmware.py -f ./build/bithd-$TAG-prepared.bin -s ./signatures/$TAG.csv

https://i.imgur.com/zk1Ylsi.png

After signing, a new file bithd-v2.7.4-signed will be generated in BITHD/BITHD-mcu/build. This file is the firmware we compiled and signed with the GitHub source code and the official signing file.
So far, we have completed all the steps of getting the code from GitHub, compiling and signing. Next, we will verify the firmware.

Firmware Verification

1. Connect BITHD and choose to export the firmware in the Bitpie app.

Tip: this export is only about firmware information and has nothing to do with your assets.

https://i.imgur.com/f83GFK8.jpg

2. Through comparison, verify the consistency between the firmware in your hardware and the GitHub open-source firmware. Input the following command in the terminal, and the comparison result will be shown:

    export TAG=v2.7.4
    diff <(xxd build/bithd-$TAG-prepared.bin) <(xxd build/bithd-$TAG-firmware.bin)

Tip: please move the exported firmware file into the folder BITHD/BITHD-mcu/build and rename the file to match the name in the command. E.g. if the exported file name is bithd-wallet-firmware, we need to rename it to bithd-v2.7.4-firmware and put it into the folder “build”. Otherwise the command will report an error.

https://i.imgur.com/AQGugkt.png

By comparing the compiled firmware and the exported firmware, we can find that the only difference is that the first 256 signing information is different. Apart from that, all the remaining code is identical. That proves the two firmwares are totally the same.

3. Through hash computing, verify the consistency between the firmware in the hardware and the open-source firmware code on GitHub.

3.1 Input the following command to compute the hash value of the exported firmware file.

    shasum -a 256 ./build/bithd-$TAG-firmware.bin

https://i.imgur.com/8ItkU6i.png

3.2 Compare the hash value with the firmware code on GitHub.

https://i.imgur.com/rpK7wqO.png

GitHub address: https://github.com/bithd/bithd-mcu/releases

We can find that the two hash values are identical. That demonstrates that the two firmwares are exactly the same.

Find us on: 👉 Twitter 👉 Telegram 👉 Facebook 👉 Telegram HK 👉 News

Title: Re: How to Verify BitHD Wallet Firmware Source Code?
Post by: dkbit98 on March 27, 2020, 11:44:13 PM

Is it possible to sign/verify a message from the BitHD wallet?
Trezor wallet has this option, and among desktop wallets Electrum also has this option.

Title: Re: How to Verify BitHD Wallet Firmware Source Code?
Post by: Rath_ on March 28, 2020, 12:09:19 AM

Is it possible to sign/verify a message from the BitHD wallet?

You can sign a message using the bitpie app (https://play.google.com/store/apps/details?id=com.bitpie&hl=pl) which is also used for device management. As for verifying a signed message, I think you have to use some third-party software. I received a BitHD Razor for a review so I can answer your further questions.

Title: Re: How to Verify BitHD Wallet Firmware Source Code?
Post by: BITHD Cold Wallet on March 30, 2020, 02:04:20 AM

Is it possible to sign/verify a message from the BitHD wallet?
Trezor wallet has this option, and among desktop wallets Electrum also has this option.

Yes, BitHD products can sign & verify messages. You can find it in Me-Setting-Message.

Title: Re: How to Verify BitHD Wallet Firmware Source Code?
Post by: Bitpie Wallet on March 30, 2020, 02:05:12 AM

Title: Re: How to Verify BitHD Wallet Firmware Source Code?
Post by: BITHD Cold Wallet on March 30, 2020, 02:06:50 AM

Is it possible to sign/verify a message from the BitHD wallet?

You can sign a message using the bitpie app (https://play.google.com/store/apps/details?id=com.bitpie&hl=pl) which is also used for device management. As for verifying a signed message, I think you have to use some third-party software. I received a BitHD Razor for a review so I can answer your further questions.

Nice try.

Title: Re: How to Verify BitHD Wallet Firmware Source Code?
Post by: dkbit98 on March 30, 2020, 11:38:37 PM

Thank you for answering.
I would also like to see Bitpie wallet for desktop with Windows and Linux support, and not just mobile.

Title: Re: How to Verify BitHD Wallet Firmware Source Code?
Post by: Bitpie Wallet on March 31, 2020, 03:08:02 AM

Thank you for answering.
I would also like to see Bitpie wallet for desktop with Windows and Linux support, and not just mobile.

Interesting, it seems people like to use desktop more than the mobile app. But why? Isn't the mobile app much easier to use?

Title: Re: How to Verify BitHD Wallet Firmware Source Code?
Post by: dkbit98 on March 31, 2020, 08:59:48 AM

Interesting, it seems people like to use desktop more than the mobile app. But why? Isn't the mobile app much easier to use?

Give people more options to choose. Some prefer mobile, but others like to use desktop and PC, maybe they are thinking that it is easier to lose a mobile than a PC :)

Title: Re: How to Verify BitHD Wallet Firmware Source Code?
Post by: CucakRowo on April 03, 2020, 05:49:31 AM

Interesting, it seems people like to use desktop more than the mobile app. But why? Isn't the mobile app much easier to use?

I agree with @dkbit98's suggestion, give more options for people to choose. I will choose the desktop apps rather than mobile tbh. I'm not comfortable using a mobile phone for crypto things.

Title: Re: How to Verify BitHD Wallet Firmware Source Code?
Post by: dkbit98 on April 03, 2020, 05:57:53 PM

I agree with @dkbit98's suggestion, give more options for people to choose. I will choose the desktop apps rather than mobile tbh. I'm not comfortable using a mobile phone for crypto things.

You are not using any cable for connecting, and you use your mobile only for confirming things and for the interface. Crypto and the private key are not stored on your mobile device. Just use some old smartphone.
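
Added example, not part of any post in this thread and not BitHD's own tooling: the comparison step from the opening tutorial, automated so that it fails unless every differing byte sits inside the leading signature area. It assumes the post's "first 256" means 256 bytes (adjustable through the third argument); the function name firmware_diff_summary and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that two firmware images differ only inside the
# leading signature area. The 256-byte default is an assumption taken from
# the tutorial's "first 256"; the .bin files below are constructed samples.

# firmware_diff_summary BUILT EXPORTED [HEADER_LEN]
# Prints "header_diffs=N payload_diffs=M first_payload_diff=OFFSET" and returns
#   0 = payload identical, 1 = payload differs, 2 = unreadable file or size mismatch
firmware_diff_summary() {
    built=$1 exported=$2 header_len=${3:-256}
    [ -r "$built" ] && [ -r "$exported" ] || { echo "unreadable input" >&2; return 2; }
    size_a=$(wc -c < "$built" | tr -d ' ')
    size_b=$(wc -c < "$exported" | tr -d ' ')
    if [ "$size_a" != "$size_b" ]; then
        # A truncated or padded image can never be byte-identical past the header.
        echo "size mismatch: $size_a vs $size_b bytes" >&2
        return 2
    fi
    # cmp -l lists each differing byte as "<1-based offset> <octal> <octal>".
    summary=$({ cmp -l "$built" "$exported" 2>/dev/null || true; } |
        awk -v h="$header_len" '
            $1 <= h { hd++ }
            $1 >  h { pd++; if (!first) first = $1 }
            END { printf "header_diffs=%d payload_diffs=%d first_payload_diff=%d", hd, pd, first }')
    echo "$summary"
    case $summary in
        *" payload_diffs=0 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed samples: same payload with a different signature area, and
# the same signature area with one payload byte changed.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
header() { dd if=/dev/zero bs=256 count=1 2>/dev/null; }
{ header; printf 'constructed payload v1'; } > "$demo_dir/prepared.bin"
{ header | tr '\000' 'S'; printf 'constructed payload v1'; } > "$demo_dir/exported.bin"
{ header; printf 'constructed payload vX'; } > "$demo_dir/tampered.bin"

firmware_diff_summary "$demo_dir/prepared.bin" "$demo_dir/exported.bin"
firmware_diff_summary "$demo_dir/prepared.bin" "$demo_dir/tampered.bin" || true
```

With the tutorial's files the call would be firmware_diff_summary build/bithd-$TAG-prepared.bin build/bithd-$TAG-firmware.bin, and a non-zero exit status means the images differ outside the signature area or do not have the same size.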