Skip to content

saleemrashid/ledger-mcu-backdoor

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
vendor
 
 
.gitignore
 
 
.gitmodules
 
 
LICENSE
 
 
Makefile
 
 
Makefile.include
 
 
README.md
 
 
backdoor-recovery-seed-generation.patch
 
 
main.c
 
 
nanos.h
 
 
script.ld.S
 
 
stub.c
 
 
unsec.h
 
 
util.h
 
 
Ledger MCU Backdoor Install UX application Install MCU firmware

README.md

Ledger MCU Backdoor

Proof-of-concept exploit for the Ledger Nano S that hides the non-genuine user interface confirmation. Intentionally unreliable to avoid weaponization.

It should be trivial to adapt to the Ledger Blue.

More information

Install UX application

  1. Set up the ARM toolchain

  2. Build the modified application (nanos-131 is for firmware 1.3.1)

git clone https://github.com/LedgerHQ/nanos-ui.git -b nanos-131
cd nanos-ui
git apply ../backdoor-recovery-seed-generation.patch
make

  1. Turn on the Ledger Nano S with the right button held until "Recovery" is displayed

  2. Install the modified application

make load
  1. (To remove the modified application)
make delete

Install MCU firmware

  1. Set up the ARM toolchain

  2. Turn on the Ledger Nano S with the left button held until "Bootloader" is displayed

  3. Build and install the modified firmware

make vendor
make load
  1. (To restore the official firmware)
make delete

About

Proof of Concept for Ledger Nano S MCU exploit

saleemrashid.com/2018/03/20/breaking-ledger-security-model/

Resources

Readme

License

MIT license
Activity

Stars

166 stars

Watchers

13 watching

Forks

38 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages