Proof of concept for Ledger MCU exploit
Switch branches/tags
Nothing to show
Clone or download

README.md

Ledger MCU Backdoor

Proof-of-concept exploit for the Ledger Nano S that hides the non-genuine user interface confirmation. Intentionally unreliable to avoid weaponization.

It should be trivial to adapt to the Ledger Blue.

More information

Install UX application

  1. Set up the ARM toolchain

  2. Build the modified application (nanos-131 is for firmware 1.3.1)

git clone https://github.com/LedgerHQ/nanos-ui.git -b nanos-131
cd nanos-ui
git apply ../backdoor-recovery-seed-generation.patch
make
  1. Turn on the Ledger Nano S with the right button held until "Recovery" is displayed

  2. Install the modified application

make load
  1. (To remove the modified application)
make delete

Install MCU firmware

  1. Set up the ARM toolchain

  2. Turn on the Ledger Nano S with the left button held until "Bootloader" is displayed

  3. Build and install the modified firmware

make vendor
make load
  1. (To restore the official firmware)
make delete