arno/trezor-firmware
1
0
Fork 0
mirror of https://github.com/trezor/trezor-firmware.git synced 2024-11-20 14:39:22 +00:00
Code Issues Releases Wiki Activity
571bb79e33
trezor-firmware/legacy/debug_signing/firmware_hash_sign_trezor.py
Ondrej Mikle e2abd2a9ad feat(legacy): bootloader with v3 SignMessage signatures + signatures debug 
Removed oldest v1 style of firmware signature and presence checks.
Added debug helpers for T1 signatures.
Support for v2 and v3 signatures, but can only update FW to v3-style signed.
Support for debugging T1 signatures.
Scripts and README for debugging v2/v3 FW signing scheme.
Firmware in GetFeatures counts only v3 signatures as signed.
Add documentation and comments about signing schemes like a sane person
2022-11-22 15:00:19 +01:00

52 lines
1.6 KiB
Python
Executable File
Raw Blame History

#!/usr/bin/env python3
import sys
from fill_t1_fw_signatures import Signatures
from trezorlib.btc import get_public_node, sign_message
from trezorlib.client import get_default_client
from trezorlib.tools import parse_path
# arg1 is input trezor.bin filename to be signed
# arg2 is output filename, if omitted, will use input file + ".signed"
client = get_default_client()
in_fw_fname = sys.argv[1]
try:
out_fw_fname = sys.argv[2]
except IndexError:
out_fw_fname = in_fw_fname + ".signed"
# These 3 keys will be used in this order to sign the FW
# each index can be >= 1 and <= 5
sig_indices = [1, 2, 3]
print(f"Input trezor.bin file: {in_fw_fname}")
print(f"Output signed trezor.bin file: {out_fw_fname}")
signatures = Signatures(in_fw_fname)
digest = signatures.header_hash
assert len(digest) == 32
for i in sig_indices:
index = i - 1 # in FW indices are indexed from 1, 0 means none
print(f"--- Key {index}, sigindex {i}")
path_text = f"m/44'/0'/{index}'/0/0"
ADDRESS_N = parse_path(path_text)
print("Addres_n", path_text, ADDRESS_N)
node = get_public_node(client, ADDRESS_N)
print("Public key:", node.node.public_key.hex())
print("xpub:", node.xpub)
signature = sign_message(client, "Bitcoin", ADDRESS_N, digest)
sig_64bytes = signature.signature[
1:
] # first byte stripped to match normal secp256k1
assert len(sig_64bytes) == 64
print("Signature:", sig_64bytes.hex())
print("=================================")
signatures.signature_pairs.append((i, sig_64bytes))
signatures.patch_signatures()
signatures.write_output_fw(out_fw_fname)
Reference in New Issue View Git Blame Copy Permalink