Most of the hardware wallets have a github give at lease a basic way of compiling their firmware.
Picking on foundation devices
https://github.com/Foundation-Devices/passport2
That will get you to the point that you can see what you are installing on your hardware wallet IS what they are giving you.
As for what the firmware itself does. You would have to dive into a lot of programming knowledge to see exactly what it is doing.
That is actually more difficult because what might be seemingly benign code may actually be doing something subtly wrong.
If it is an actual mistake or deliberate is for another discussion.
-Dave
Topic: Hardware Wallets, Open Sourcing, and Firmware (Read 69 times)
how to effectively carry out this verification and scrutiny process and any other thing I should know about this?
If you want to manually scrutinize the source code of firmware then you need to have a deep understanding of cryptography, and programming skills and you need to go through all the codes by yourself to find out is there any vulnerability is present in the provided code. If you know then probably know how to do that so I just assume that you haven't so just rely on the community feedback about the code.
I don't mean to assume, but it doesn't seem like you have much background in software and firmware development, coding, hardware architecture or general security principles. If you did, you probably wouldn't be asking such basic questions. There are people who specialize in these fields that have spent years building expertise, and I don't want to discourage you, but it's best not to take on more than you can handle when tackling complex topics.
I'm interested in understanding of hardware wallets, open sourcing, and firmware, especially from those technical guys here who are have more knowledge about it than myself. Through my readings, I have come to understand that open sourcing the code is beneficial but only a part of the overall solution. To verify that the firmware image aligns with the published code, one needs reproducible builds and the ability to manually scrutinize the installed firmware. If you are reading this, can you help me with a good explanation to assist me understand how to effectively carry out this verification and scrutiny process and any other thing I should know about this?
Jump to: