TREZOR One Open Source Hardware Reference Documentation

• https://github.com/trezor/trezor-hw
• BOM
• Schematic

Kit Contents: v0 (the breadboard version)

• 1 x Waveshare Core405R Dev Board
• 1 x ST-LINK V2 STM32 USB Debug Adapter
• 1 x 7-pin SPI 128x64 0.96 inch SSD1306 driven OLED Display Module
• 2 x 12mm x 12mm x 5mm tactile momentary switches
• 1 x half-size solderless breadboard
• 1 x USB Cable Type A Plug/Male to Type Mini-B Plug/Male
• Female to male jumper wires with 0.1" header contacts
• Female to female jumper wires with 0.1" header contacts
• 22 AWG solid-core copper wire

Kit Contents: v1 (the first printed wiring board [PWB] version)

• 1 x Waveshare Core405R Dev Board
• 1 x ST-LINK V2 STM32 USB Debug Adapter
• 1 x 7-pin SPI 128x64 1.54 inch SSD1309 driven OLED Display Module (Note: The SSD1309 is compatible with the SSD1306. The v0 kit display is interchangeable with this display.)
• 1 x PWB (schematic and board files available here)
• 2 x 12mm x 12mm x 5mm tactile momentary switches
• 1 x USB Cable Type A Plug/Male to Type Mini-B Plug/Male
• 1 x 2.54mm Pitch, Single Row, 7 Position, Female/Socket Header (preci-dip 801-87-007-10-001101 works well)
• 2 x 2.54mm Pitch, Double Row, 16 Position, Female/Socket Header (preci-dip 803-87-016-10-001101 works well)
• Solder and Soldering Tools

Kit Contents: v2 (the second printed wiring board [PWB] version)

• 1 x Waveshare Core405R Dev Board
• 1 x ST-LINK V2 STM32 USB Debug Adapter
• 1 x 7-pin SPI 128x64 1.54 inch SSD1309 driven OLED Display Module (Note: The SSD1309 is compatible with the SSD1306. The v0 kit display is interchangeable with this display.)
• 1 x PWB (schematic and board files available here)
• 2 x 12mm x 12mm x 5mm tactile momentary switches
• 1 x USB Cable Type A Plug/Male to Type Mini-B Plug/Male
• 1 x 2.54mm Pitch, Single Row, 7 Position, Female/Socket Header (preci-dip 801-87-007-10-001101 works well)
• 4 x 2.54mm Pitch, Double Row, 16 Position, Female/Socket Header (preci-dip 803-87-016-10-001101 works well)
  -OR-
  2 x 2.54mm Pitch, Double Row, 32 Position, Female/Socket Header (Samtec SSQ-116-03-T-D works well and has long leads for easy testing)
• Solder and Soldering Tools

About the Kits

One key difference between these kits and production hardware is the microcontroller (MCU) used. Production hardware uses the STM32F205RET6 (and more recently, the STM32F205RGT6) MCU and these kits use the STM32F405RGT6 MCU. Note: the STM32F205RET6 is documented to have 512KB of flash memory, but it actually has 1MB. Apparently, it is more cost efficient for ST to not develop different chip-wafers. The former is an ARM® Cortex®-M3 and the latter is an ARM® Cortex®-M4. The Cortex-M4 architecture is a backwards compatible superset of Cortex-M3. The additional features, like hard float capability, do not matter for this project. The STM32F405RGT6 has 1MB of flash memory, a core clock frequency adjustable up to 168MHz (including the 205's 120MHz; with matching clock tree), and 128KB of SRAM (same as the 205; the 405 has an additional 64KB of CCMRAM, giving it 192KB of usable RAM). The STM32F405RGT6 is pin-to-pin compatible with the STM32F205RET6/STM32F205RGT6 and uses the same TRNG (reference: STM32F405xx datasheet section 2.1, and AN4230 section 1.2.1).

The Waveshare Core405R dev board has an 8MHz high-speed external (HSE) crystal (matching the reference hardware), a STM32F405RGT6 MCU, a USB connector, power circuitry, SWD debug interface, boot mode select switch, and all the pins needed, broken out and available for use.

Setup

Wiring the Debug Adapter to the Dev Board

Pay attention to the pinout that is specified on the debug adapter. Also, pay attention to the location of the notch on the header housing. Note that the white rectangle printed next to pin 5 on the pinout specification in Figure H20 denotes the notch.

Connect the Debug Adapter's SWDIO, SWCLK, and GND pins (any one of the ground pins is sufficient) to the corresponding pins on the Dev Board's SWD connector.

Note: Instead of using the JTAG/SWD connector, the debug adapter's SWDIO, SWCLK, and GND pins may also be connected to the dev board's PA13, PA14, and GND pins, respectively.

Setting Dev Board Jumpers and Switches

Set the Dev Board jumpers and switches as shown in Figure H29.

Wiring the Dev Board to the Breadboard Display and Switches

Use the following table to wire between the dev board and appropriate tie points on your breadboard. The following pictures are also helpful if you don't quite understand.

Pins on the dev board are documented by the silkscreen on the other side of the board. Pins on the display module are also documented by silkscreen.

Dev Board Pin	Breadboard Pin	Alternate Name	Comment
PC5	Button 2		Either button pin; connect GND to the other button pin; button is Active-Low
PA4	CS	Chip Select	Pin 7 on Pictured Display
PB0	DC	Data/Command	Pin 6 on Pictured Display
PB1	RES	Reset	Pin 5 on Pictured Display
PA7	SDA	MOSI	Pin 4 on Pictured Display
PA5	SCK	SCLK	Pin 3 on Pictured Display
3.3V	VDD	3V3	Pin 2 on Pictured Display
GND	GND	Ground	Pin 1 on Pictured Display
PC2	Button 1		Either button pin; connect GND to the other button pin; button is Active-Low

TREZOR One Open Source Software Main Repository

• https://github.com/trezor/trezor-mcu

Setup

This setup process comprises steps to install development and debugging tools on a temporary computer, then build and install a bootloader and firmware on the kit's MCU.
The following setup process was documented while running an Ubuntu 18.04 LTS Desktop (Bionic Beaver) Live CD as user ubuntu.

1. Connect to the Internet
2. cd /tmp/
3. Install required software packages
   
   • sudo add-apt-repository universe
   • sudo apt-get update
   • sudo apt-get -y install git openocd make protobuf-compiler libprotobuf-dev python-pip
   • sudo -H pip install ecdsa protobuf
   • sudo apt-get -y install python3-dev python3-pip cython3 libusb-1.0-0-dev libudev-dev libssl-dev (note: required for python-trezor testing)
   • sudo -H pip3 install trezor[ethereum,hidapi] (note: required for python-trezor testing)
   • sudo apt-get -y install openjdk-8-jdk (note: at least a Java SE 8 JRE is required for the eclipse GUI)
4. Download tools
   
   • GNU ARM Embedded Toolchain
     
     • wget https://developer.arm.com/-/media/Files/downloads/gnu-rm/7-2018q2/gcc-arm-none-eabi-7-2018-q2-update-linux.tar.bz2
   • Eclipse IDE for C/C++ Developers (get the latest 64-bit Linux version available; Eclipse Photon R (4.8.0) or newer)
     
     • wget http://mirror.math.princeton.edu/pub/eclipse/technology/epp/downloads/release/photon/R/eclipse-cpp-photon-R-linux-gtk-x86_64.tar.gz
5. Extract tools
   
   • tar xjf gcc-arm-none-eabi-7-2018-q2-update-linux.tar.bz2
6. Add extracted tool binaries to PATH environment variable
   
   • /bin/echo 'export PATH="/tmp/gcc-arm-none-eabi-7-2018-q2-update/bin:$PATH"' >> ~/.bashrc
   • source ~/.bashrc
7. Setup udev rules to make the USB devices available to non-root users
   
   • /bin/echo -e '# 0483:df11 STMicroelectronics STM Device in DFU Mode' > /tmp/99-dev-kit.rules
   • /bin/echo -e 'SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="df11", MODE="0666"' >> /tmp/99-dev-kit.rules
   • /bin/echo -e '# 0483:3748 STMicroelectronics ST-LINK/V2' >> /tmp/99-dev-kit.rules
   • /bin/echo -e 'SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="3748", MODE="0666"' >> /tmp/99-dev-kit.rules
   • /bin/echo -e '# 0483:374b STMicroelectronics ST-LINK/V2.1 (Nucleo-F103RB)' >> /tmp/99-dev-kit.rules
   • /bin/echo -e 'SUBSYSTEM=="usb", ATTR{idVendor}=="0483", ATTR{idProduct}=="374b", MODE="0666"' >> /tmp/99-dev-kit.rules
   • /bin/echo -e '# 534c:0001 SatoshiLabs Bitcoin Wallet [TREZOR]' >> /tmp/99-dev-kit.rules
   • /bin/echo -e 'SUBSYSTEM=="usb", ATTR{idVendor}=="534c", ATTR{idProduct}=="0001", MODE="0666"' >> /tmp/99-dev-kit.rules
   • /bin/echo -e 'KERNEL=="hidraw*", ATTRS{idVendor}=="534c", ATTRS{idProduct}=="0001", MODE="0666"' >> /tmp/99-dev-kit.rules
   • /bin/echo -e '# 1209:53c0 SatoshiLabs TREZOR Model T Bootloader' >> /tmp/99-dev-kit.rules
   • /bin/echo -e 'SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c0", MODE="0666"' >> /tmp/99-dev-kit.rules
   • /bin/echo -e 'KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c0", MODE="0666"' >> /tmp/99-dev-kit.rules
   • /bin/echo -e '# 1209:53c1 SatoshiLabs TREZOR Model T' >> /tmp/99-dev-kit.rules
   • /bin/echo -e 'SUBSYSTEM=="usb", ATTR{idVendor}=="1209", ATTR{idProduct}=="53c1", MODE="0666"' >> /tmp/99-dev-kit.rules
   • /bin/echo -e 'KERNEL=="hidraw*", ATTRS{idVendor}=="1209", ATTRS{idProduct}=="53c1", MODE="0666"' >> /tmp/99-dev-kit.rules
   • sudo cp /tmp/99-dev-kit.rules /etc/udev/rules.d/
8. Download, build, and package the TREZOR One bootloader and firmware from source code
   Note: The "export MEMORY_PROTECT=0" is what controls the code that locks the bootloader's flash memory on your dev board.
   Warning: If you compile with MEMORY_PROTECT=1 (the default if not set as directed below), and run it on your dev board, you will lock your MCU's bootloader flash memory sectors and permanently disable debug capabilities.
   
   • git clone https://github.com/trezor/trezor-mcu.git
   • cd trezor-mcu/
   • git submodule update --init --recursive
   • make -C vendor/libopencm3/ lib/stm32/f2
   • export MEMORY_PROTECT=0
   • make
   • make -C bootloader/ align
   • make -C vendor/nanopb/generator/proto/
   • make -C firmware/protob/
   • make -C firmware/ sign
   • cp bootloader/bootloader.bin bootloader/combine/bl.bin
   • cp firmware/trezor.bin bootloader/combine/fw.bin
   • cd bootloader/combine/ && ./prepare.py
9. Plug both the dev board and the debug adapter into your computer's USB ports.
10. openocd -f interface/stlink-v2.cfg -f target/stm32f4x.cfg
11. Open another terminal, then connect gdb to the OpenOCD process that was started in the previous step, and send OpenOCD the flash command to write the combined bootloader and firmware binary to MCU flash memory:
    arm-none-eabi-gdb --nx -ex 'set remotetimeout unlimited' -ex 'set confirm off' -ex 'target remote 127.0.0.1:3333' -ex 'monitor reset halt' -ex 'monitor flash write_image erase /tmp/trezor-mcu/bootloader/combine/combined.bin 0x08000000' -ex 'monitor reset halt' /tmp/trezor-mcu/bootloader/bootloader.elf
12. Flash has now been written. Set some test breakpoints and practice debugging code:
    
    • (gdb) b *reset_handler
    • (gdb) b *memory_protect
    • (gdb) b *load_app
    • (gdb) layout regs
    • (gdb) si
    • (gdb) c
    • (gdb) c
    • (gdb) d
    • (gdb) file ../../firmware/trezor.elf
    • (gdb) b *main
    • (gdb) c
    • (gdb) c
    • (gdb) Press Ctrl + C to interrupt software execution
    • (gdb) quit

    Note that the symbol files were changed above at a point in the debugging process near bootloader-exit/firmware-entry. This was done in order to add breakpoints based on symbols relevant to the code being executed.

    Also, be sure to check the display module and progress past the unofficial firmware warning message by pressing the appropriate buttons. Otherwise, it will seem as though your debugging session has simply stopped working. In fact, the code is just waiting for your user input.

13. Done flashing the software to the dev board and debugging. Kill the OpenOCD process and unplug the debug adapter and dev board.
14. Test the bootloader and firmware just loaded onto the dev board:
    
    • Plug-in the dev board and progress past the unofficial firmware warnings (if you are running the firmware that was compiled earlier and not an officially signed firmware).
    • cd /tmp/
    • git clone https://github.com/trezor/python-trezor.git
    • cd python-trezor/
    • git submodule update --init --recursive
    • python3 setup.py prebuild
    • ./trezorctl wipe_device
    • ./trezorctl load_device -m 'fun fun fun fun fun fun fun fun fun fun fun fun fun fun fun fun fun fun fun fun fun fun fun agent'
    • ./trezorctl get_address -c Bitcoin -t address -n "m/44'/0'/0'/0/0"
      (note: this is a legacy base58 encoded p2pkh)
    • ./trezorctl get_address -c Bitcoin -t p2shsegwit -n "m/49'/0'/0'/0/0"
      (note: this is a base58 encoded p2wpkh-p2sh)
    • ./trezorctl get_address -c Bitcoin -t segwit -n "m/84'/0'/0'/0/0"
      (note: this is a bech32 encoded p2wpkh)
    • ./trezorctl get_address -c Litecoin -t address -n "m/44'/2'/0'/0/0"
    • ./trezorctl get_address -c Litecoin -t p2shsegwit -n "m/49'/2'/0'/0/0"
    • ./trezorctl get_address -c Litecoin -t segwit -n "m/84'/2'/0'/0/0"
    • ./trezorctl get_address -c Namecoin -t address -n "m/44'/7'/0'/0/0"
15. Install eclipse so that a graphical environment can be used for debugging:
    
    • cd /tmp/
    • tar xzf eclipse-cpp-photon-R-linux-gtk-x86_64.tar.gz
    • mkdir -p /tmp/eclipse-workspace
16. Start OpenOCD and eclipse. Setup a debug configuration and debug graphically.
    The full process to setup graphical debugging is shown in the video in Figure S1.
    

Loading and Running an Officially Signed Firmware

UPDATE: Loading officially signed firmware versions 1.6.1 and later onto your dev kit is NOT recommended. Doing so, risks your bootloader flash memory sectors being locked. For more info, see this and this.

In the setup process, a self-built bootloader and firmware was compiled, combined, and then loaded onto the MCU flash. To use an officially signed firmware, simply replace fw.bin in the setup process above before running prepare.py. Then run the prepare.py and load the newly created combined.bin onto the MCU.

An officially signed firmware can be downloaded with:
wget -O fw.bin https://wallet.trezor.io/data/firmware/trezor-1.5.2.bin

Running Standalone

These kits can be used in a standalone configuration; without the debug adapter connected. Simply unplug and/or detach the debug adapter from the dev board and plug the dev board into your computer's USB port.

Flashing in DFU mode with dfu-util instead of flashing with OpenOCD

The setup process used OpenOCD to flash code into the MCU's flash memory and was done in non-Device Firmware Upgrade (DFU) mode. DFU mode can be used instead. Doing so just requires using different tools, moving a switch, and unplugging and replugging the dev board a couple of times. Using DFU mode is a little less convenient when compared to the flash process used above.

To use DFU mode

• Unplug the dev board and debug adapter if either is plugged into your computer's USB port(s)
• Flip the Boot Config switch to System/DFU mode (Number 2 in Figure H29 above)
• Plug the dev board into your computer's USB port
• Verify with:
  lsusb | grep 'STMicroelectronics STM Device in DFU Mode'
  You'll see something like:
  0483:df11 STMicroelectronics STM Device in DFU Mode
• cd /tmp/
• sudo apt-get -y install dfu-util
• dfu-util -a 0 -s 0x8000000 -D /tmp/trezor-mcu/bootloader/combine/combined.bin
• Wait until finished and then unplug the dev board
• Flip the Boot Config switch back to Flash mode (Number 2 in Figure H29 above)
• Plug the dev board into your computer's USB port. You're now running the code that you just stored into the MCU's flash memory.

Getting Info About and Erasing MCU Flash

• Retrieve info about current state of the flash memory sectors
  (gdb) monitor flash info 0
• Erase all flash memory sectors
  (gdb) monitor flash erase_sector 0 0 last

Compiling and Using the Latest Version of OpenOCD

• Reference Info
• git clone https://git.code.sf.net/p/openocd/code openocd-code
• sudo apt-get -y install libtool autoconf automake texinfo libusb-0.1-4 libusb-1.0-0 pkg-config
• cd openocd-code/
• ./bootstrap
• ./configure
• make
• sudo make install

Upgrading ST-LINK USB Debug Adapter Firmware

• Reference Info
• cd /tmp/
• sudo apt-get -y install libusb-1.0-0 openjdk-8-jdk
• wget https://www.st.com/content/ccc/resource/technical/software/firmware/08/ac/de/f3/b0/d9/46/c7/stsw-link007.zip/files/stsw-link007.zip/_jcr_content/translations/en.stsw-link007.zip
  (note: This downloads STLinkUpgrade tool version 3.2.11. Visit the Reference Info to download the latest version [and thus the latest firmware upgrade.])
• unzip en.stsw-link007.zip
• cd stsw-link007/AllPlatforms/
• Perform the steps in section "Setup udev rules to make the USB devices available to non-root users", if you have not already done so.
• java -jar STLinkUpgrade.jar
• Plug USB debug adapter into host computer, refresh the device list, then select the device and click the button to open in update mode. Click the button to upgrade when it becomes enabled.

Questions

• Q: How can I verify that the code I built will not lock the bootloader flash memory sectors?
  A: Before flashing the code, you can check with: arm-none-eabi-objdump -d /tmp/trezor-mcu/bootloader/bootloader.elf | less
  You can use that to search for the memory_protect function to make sure that the generated code does not perform the steps to enable memory protection.
• Q: How can I build a specific version of the firmware?
  A: Checkout the firmware's tag to a new branch and update the submodules. For example, to work on the version 1.6.2 firmware:
  
  • git checkout -b example tags/v1.6.2
  • git submodule update
• Q: How can I use the debugger to find all occurences of a string in memory?
  A: find 0x20000000,0x2001ffff,"123456789"
• Q: How can I use the debugger to watch a specific string in memory?
  A: display /s (char *) 0x20001000
• Q: How can I veriy that the udev rules applied correctly to my USB device?
  A: To verify, for example, that your dev kit (running TREZOR firmware) configured properly:
  > lsusb | grep '534c:0001'
  Bus 002 Device 007: ID 534c:0001 SatoshiLabs Bitcoin Wallet [TREZOR]
  > ls -al /dev/bus/usb/002/007
  crw-rw-rw- 1 root root ...
  If the last line of your output matches the line above, then the udev rules are working.
  
• Q: How can I disassemble a binary ".bin" file?
  A: arm-none-eabi-objdump -b binary -D -marm -M force-thumb trezor-1.5.2.bin
• Q: How can I write to a specific memory location while debugging?
  A: set *(unsigned int *)0x20010000 = 0x11223344

More Open Source TREZOR Related Work

• I built my own Trezor clone: DINOSAUR HIPHOP ZERO
• DINOSAUR HIPHOP ZERO alpha/prototype dev kits for sale
• Breakout Board
• http://dinosaur.hiphop/
• Trezor DIY Development Board
• DEF CON 25 - Breaking Bitcoin Hardware
• EEVblog #1006 - Trezor Bitcoin Hardware Wallet Teardown
• Bitcoin Hardware Wallet Wiki
• Saleem Rashid - Extracting TREZOR secrets from SRAM
• Research Paper: Shedding too much Light on a Microcontroller's Firmware Protection
• TREZOR Blog: TREZOR One: Firmware Update 1.6.1 - vulnerability disclosure