
Authenticate the consistency of firmware files with the open source code released by OneKey

Written by OneKey
Updated this week

The OneKey hardware wallet features fully open source firmware. You can view the open source firmware code for relevant products on OneKey's GitHub repository. Before the firmware files intended for mass production are officially released, the OneKey team uses GitHub's Build Automation tools (GitHub CI) to compile and build the firmware source code from the respective firmware repositories. The files are then signed by the OneKey team before being officially released.

This article provides a self-verification method, by comparing the checksums of files before and after the official team's multi-sig, to verify the consistency between the firmware files and the open source code.

For methods on how to verify the consistency of different files' source data using the SHA-256 cryptographic hash function (comparing Checksums), refer to this article.

Open Source Firmware Repositories

OneKey Pro

OneKey Classic 1S

OneKey Classic

OneKey Touch

OneKey Mini

Firmware Release Process

When the official standard firmware or the Bluetooth firmware is ready for release, the OneKey team will execute the corresponding repository's Action to compile the open source code. After successful compilation, the files are uploaded to GitHub Artifacts storage, awaiting the team's completion of the internal multi-sig before being placed on OneKey's CDN. After updating the config.json file, update notifications are pushed through the OneKey App and the OneKey firmware update website, prompting users to upgrade their firmware. Refer to the diagram below for the specific process.

(Diagram: OneKey firmware release and verification flow, from GitHub CI build through team multi-sig to the CDN.)

Targets

  1. Verify that the "OneKey Team Signed Firmware File" is derived from the "GitHub CI Pre-Signed Firmware File" in the OneKey open source repository.

  2. Verify the consistency between the "OneKey Team Signed Firmware File" and the "OneKey Official CDN Stored Firmware File."

Prerequisites

(Tabs: System Firmware | Bluetooth Firmware. The system firmware prerequisites are listed first, followed by the Bluetooth firmware prerequisites.)

✔ Download GitHub CI Pre-Signed Firmware File (Unsigned)

  • Click on the firmware name under Artifacts to download (login to GitHub required).


✔ Download OneKey Team Signed Firmware File (Signed)


✔ Download OneKey Official CDN Stored Firmware File (Signed)

  • Navigate to the OneKey CDN file: https://data.onekey.so/config.json

  • Find the firmware version you want to verify.

  • Copy the link under the "url" field.

  • Open in a new browser window for automatic download of the bin file.


✔ Download GitHub CI Pre-Signed Bluetooth Firmware File (Unsigned)

  • Click on the firmware name under Artifacts to download (login to GitHub required).


✔ Download OneKey Team Signed Bluetooth Firmware File (Signed)


✔ Download OneKey Official CDN Stored Bluetooth Firmware File (Signed)

  • Navigate to the OneKey CDN file: https://data.onekey.so/config.json

  • Find the firmware version you want to verify.

  • Copy the link under the "ble" - "webUpdate" field.

  • Open in a new browser window for automatic download of the bin file.


✔ Download and Install Python

Steps

Below are the verification steps for the two targets set previously:

(Tabs: System Firmware | Bluetooth Firmware. The system firmware steps are listed first, followed by the Bluetooth firmware steps.)

Verification Process with GitHub CI pre-signed firmware (System)

  • Open the Terminal.

  • Run the command below (OneKey Team Signed Firmware File):

    • tail -c +1024 /path/to/(file path) | shasum -a 256

  • Run the command below (GitHub CI Pre-Signed Firmware File):

    • tail -c +1024 /path/to/(file path) | shasum -a 256

  • Compare the Checksums generated by the two commands. If the results match, it can be confirmed that the "OneKey Team Signed Firmware File" is derived from the "GitHub CI Pre-Signed Firmware File" in the OneKey open-source repository.


For system firmware, the signed release differs from the CI build only in its leading 1024-byte signature header, which the bootloader verifies at device startup; the commands above therefore hash everything after that header.

Verification Process with OneKey Official CDN Stored Firmware File (System)

  • Open the Terminal.

  • Run the command below (OneKey Team Signed Firmware File):

    • shasum -a 256 (file path)

  • Run the command below (OneKey Official CDN Stored Firmware File):

    • shasum -a 256 (file path)

  • Compare the Checksums generated by the two commands. If the results match, the code consistency of the two firmware files is confirmed.


Verification Process with GitHub CI pre-signed firmware (Bluetooth)

  • Find the ota.bin file in your downloaded GitHub CI Pre-Signed Bluetooth firmware folder.

  • Open a terminal in the same folder with ota.bin.

  • Invoke Python with the command: python3

  • Run the command below to get the checksum of GitHub CI Pre-Signed Bluetooth firmware.

    • exec("""\nimport struct, hashlib\nwith open("ota.bin", mode="rb") as f:\n f.seek(0x0C)\n codelen = struct.unpack("<i", f.read(4))[0] - 512\n f.seek(0x600)\n print("".join(format(x, "02x") for x in hashlib.sha256(f.read(codelen)).digest()))\n""")

  • Run the same command with OneKey Team Signed Bluetooth Firmware File.

    • Note: please change ota.bin in the command to the name of OneKey Team Signed Bluetooth Firmware File.

  • Compare the Checksums generated by the two commands. If the results match, it can be confirmed that the "OneKey Team Signed Firmware File" is derived from the "GitHub CI Pre-Signed Firmware File" in the OneKey open-source repository.

Verification Process with OneKey Official CDN Stored Firmware File (Bluetooth)

  • Open a terminal in the same folder with OneKey Team Signed Bluetooth Firmware File.

  • Invoke Python with the command: python3

  • Copy the command below:

    • exec("""\nimport struct, hashlib\nwith open("ota.bin", mode="rb") as f:\n f.seek(0x0C)\n codelen = struct.unpack("<i", f.read(4))[0] - 512\n f.seek(0x600)\n print("".join(format(x, "02x") for x in hashlib.sha256(f.read(codelen)).digest()))\n""")

  • Change ota.bin to the name of your downloaded OneKey Team Signed Bluetooth Firmware File.

  • Run the command to get the checksum.

  • Repeat the above steps with your downloaded OneKey Official CDN Stored Bluetooth Firmware File.

  • Compare the Checksums generated by the two commands. If the results match, the code consistency of the two firmware files is confirmed.
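The two hashing procedures above (system firmware: hash everything after the 1024-byte signature header; Bluetooth ota.bin: hash the code section whose length is read from offset 0x0C and which starts at 0x600) as one added Python script that compares any number of files at once. This is an added example, not code from the article or from OneKey's tooling; it uses only the offsets the article states, and the header layout of the constructed sample images (make_system_image, make_ble_image) is a stand-in for testing, not the real firmware format.

```python
import hashlib
import struct
import sys

SYS_HEADER_LEN = 1024    # system firmware: 1024-byte signature header, skipped when hashing
BLE_LEN_OFFSET = 0x0C    # ota.bin: 4-byte little-endian length field
BLE_CODE_OFFSET = 0x600  # ota.bin: start of the code section
BLE_LEN_ADJUST = 512     # the article subtracts 512 from the stored length

def system_body_sha256(data: bytes) -> str:
    """SHA-256 of a system firmware image with the signature header removed.
    Skips exactly 1024 bytes; the article's `tail -c +1024` starts at byte 1024
    (1-indexed), so it keeps the header's last byte. Results agree when that byte
    is identical in both files."""
    if len(data) <= SYS_HEADER_LEN:
        raise ValueError("file is not longer than the 1024-byte header")
    return hashlib.sha256(data[SYS_HEADER_LEN:]).hexdigest()

def ble_code_sha256(data: bytes) -> str:
    """SHA-256 of the code section of a Bluetooth ota.bin, located via its header."""
    (stored_len,) = struct.unpack_from("<i", data, BLE_LEN_OFFSET)
    code_len = stored_len - BLE_LEN_ADJUST
    if code_len <= 0 or BLE_CODE_OFFSET + code_len > len(data):
        raise ValueError(f"length field {stored_len} does not fit a {len(data)}-byte file")
    return hashlib.sha256(data[BLE_CODE_OFFSET:BLE_CODE_OFFSET + code_len]).hexdigest()

def all_match(digests) -> bool:
    """True when every digest in the list is identical."""
    return len(set(digests)) == 1

def make_system_image(body: bytes, header_fill: int) -> bytes:
    """Constructed stand-in for a system firmware file: 1024-byte header + body."""
    return bytes([header_fill]) * SYS_HEADER_LEN + body

def make_ble_image(code: bytes, header_fill: int) -> bytes:
    """Constructed stand-in for ota.bin: header with length field, code at 0x600, padding."""
    header = bytearray([header_fill]) * BLE_CODE_OFFSET
    struct.pack_into("<i", header, BLE_LEN_OFFSET, len(code) + BLE_LEN_ADJUST)
    return bytes(header) + code + b"\xff" * 16  # padding after the code is not hashed

if __name__ == "__main__":  # usage: verify.py sys|ble FILE FILE [FILE]
    hasher = system_body_sha256 if sys.argv[1] == "sys" else ble_code_sha256
    digests = [hasher(open(p, "rb").read()) for p in sys.argv[2:]]
    for path, digest in zip(sys.argv[2:], digests):
        print(digest, path)
    print("MATCH" if all_match(digests) else "MISMATCH")
```

Pass `sys` with the CI artifact, the GitHub release file and the CDN file to cover both system-firmware targets in one run, or `ble` with the three ota.bin files.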
