Topic: Ledger Nano S Plus - page 2. (Read 1382 times)

It must be a bug. I understand you use LL from mobile. I've never tried this from mobile, maybe you can install LL to PC and try from there?
What version of firmware you have now?


2.43.1 is the version of LL, not of the firmware. Your S+ firmware should be 1.0.3, I think.

But about version differences, I've seen that in many occasions for coin apps, don't be too worried about it. The git releases tend to be a little step farther than what published on LL. Why? There can be many reasons, I don't want to guess. You can ask for official info from their support (and that may or may not be the real cause, you know..)

IIRC, someone else also reported that issue on their subreddit last week, but I'm curious to know if the following issue also applies to you: Ledger Wallet won't connect to anything besides Ledger Live
^{- Don't forget to verify them first!}

I'm not a LL user, but have you tried downloading it directly from their website?

You're probably viewing the "deprecated" one!
^{- There's a "new" one but at the moment, it doesn't have anything in it.}

Just bought new device. Being plugged with original cable it hasn't shown any sign of life that  disappointed  me for a couple of minutes. Then I have tried the different cable from  my mobile and, lo and behold, it came to life!

Nevertheless  there are some surprises for me.

Ledger Life has indicated that firmware of the device  is outdated but it doesn't allow me to upgrade it. Why?

More of that, it said that 2.43.1 version is available but the latest release  on   the official github is 2.42.0. Why?

I just checked for Passport (not to shill it again; it's just what I have handy right now and most of the time); it has a screen with amount and destination, another with change amount and change address and on a third screen, it shows the total network fee. After passing those 3 screens, you can sign it and get the moving, resizable QR codes to scan back into phone / laptop / whatever.

Since you mention BitBox02, if memory serves correct, it also shows change address and change amount.

If I am not mistaken, this only applies for ledger and trezor devices, that is why they are very bad when used in multisig setup, because you can't even verify receiving address in multisig setup for ledger.
I think that Bitbox02 and Keystone don't have this flaw, but I am not sure for other hardware wallets... maybe someone can check how it works for them.
This could be interesting discussion for some new topic, and it needs more research and investigation.

AFAICR, I haven't seen a hardware wallet that "directly" validates change addresses, so I guess that's the norm.

There was also a report about "boot problems" but for some reason, he/she deleted its content ^{[here's the "archived" version]}. Honestly, I'm a bit surprised at how much of a difference it has made when they took the battery ^{[and the Bluetooth]} out of the equation.

You mean the change address is never displayed on the hardware wallet's screen? I never paid attention to that while transferring Bitcoin, but I think the Nano S also doesn't display the change addresses, does it? When you are working with Ledger Live, you don't even have access to change addresses. In Electrum, you see them when you construct your transaction, but you have to check yourself that it matches one of your change addresses from the Addressees tab.

The on-screen verification is only for the receiving address and the fees.

Maybe I'm just a person who takes special care about words, but to me it's clear that 'assembled' doesn't imply security benefits. I do like to see less overseas production (even if it's just assembly) since in theory it could help with supply chain issues / allow to be more independent and it preserves local jobs. If however someone claims the whole device is made in the US or EU, someone might actually think there's less risk of getting hacked on hardware level.

There's also the aspect that the devices need to be flashed with a secret key to later be able to verify the authenticity of flashed firmwares and such. Since the assembly is in the US, this eliminates the risk that a Chinese bad actor forces the workers to flash a malicious key or otherwise compromises the security of the device software-wise.

It's also a bit a matter of principle for me. As I said before, if someone claims 'made in EU', but it's just assembled there; how much trust can I have in their other claims? How can I trust they treat my customer data safely? How can I trust the source code is secure (especially if it's a wallet with closed source code)?

Thanks for keeping us updated! Happy to see they are having less software issues finally...

Guys I think it's time to get back on Ledger Nano S Plus topic, and there are other topics for china/other hardware wallets

I found several reviews for this model S plus, and I don't know how independent they are, but it's worth checking them out.
There are some youtube videos avout S plus, but most of them are paid shillers so I don't consider them seriously enough.
First review was made and updated on 11th May 2022, and it's good to remember that this device doesn't validate change addresses on the device itself, same like ledger nono X.
https://privacypros.io/ledger/nano-s-plus-review/

Second review was made in April and I like their comparison table, you can clearly see size comparison with older devices.
https://www.laptopmag.com/reviews/ledger-nano-s-plus

I keep seeing people report many issues with crazy behavior and glitches for model X, but there are no such reports for S plus model.
Only thing I saw was dust and dirt below screen that can't be cleaned, and few people reporting restarting or shutdown issues with some coins, but nothing major so far.

I agree with you, but does it solve the underlying problem?

Let us assume that China is manufacturing backdoored components that are part of hardware wallets, and 99% of all hardware parts are delivered from China. You now have hardware wallet vendors who claim two different things. One group says made in and the other says assembled in . The way they explain the manufacturing process doesn't change the fact they are using backdoored Chinese hardware (let's still assume they are backdoored). If the end-users loss their money to a backdoor, it makes no difference what the website and the wallets' official documentation claimed.

He's not arguing that making a device in some country makes it more secure than another; but that they're being a little bit dishonest. For example, if you say 'Designed in California, Made in China' like Apple, you just state the facts. But claiming it was 'made' in XY and then arguing semantics ('technically, we made it here'), is a small sign of dishonesty. This, combined with other questionable statements and actions makes you wonder about the trustworthiness of the company and by extension the security of source code.

I keep bringing up this company (while also criticizing what they're doing wrong), since they do a lot of good stuff:

It's only assembled in the US, so it's the honest and right thing to do to write 'assembled' and not 'made'.

"Made in Canada" should be taken as a marketing gimmick and ignored. And in general, it is better to distrust any loud statement of hardware manufacturers. Most often, this is aimed at drawing attention to their products and increasing sales. For the sake of profit, you can say anything. Each company is trying to "stick out" the nuances of their devices. A simple example, Ledger is "proud" of their closed source code and presents it as the best protection for hardware wallets. Trezor emphasizes open source, also trying to attract buyers, with the feature that it is safer. One way or another, each of these two companies is trying to convince us that it is their device that has the best protection in order to sell exactly their products.

As I said, for a simple user, both options are the same:

Even if hardware wallets in Canada are produced entirely from their own components and assembled there, does this guarantee that there are no malicious programs in the devices? Of course not. Any "Made in Any Country in the World" device can have a backdoor regardless of the place of production.

If you are worried that Coldcard says the device is "Made in Canada" but the components are from China, then this is just a marketing gimmick, nothing more. Such lies are found at every turn.

Posting this here although it's not related to Ledger but to Coldcard. It can still serve the purpose of proving how companies claim one thing, lie, and/or deliberately don't show the whole picture.

So, the new Coldcard Mk4 is out and this is what the manufacturer says about it. "Made in Canada". I actually don't know if it is or isn't, but I doubt the hardware components are made in Canada. We already had that discussion when Ledger claimed something similarly. Just below that, there is a sentence that says, "Lovingly soldered in Toronto, Canada". Soldered and made in are two different concepts. The question is, where do they get their hardware components from that are then soldered onto the board in Toronto? Also from Canada or maybe China or some other country?



https://coldcard.com/

While I was roaming around in their subreddit earlier, I noticed the following issues with the device in question:

• Misaligned USB-C port - I'm not an expert on this field, but it seems that it wasn't soldered properly to the PCB and AFAIK, there's little to no chance of this happening from the shipping alone ^[CMIIW]!
• Boot problem

---

Minor issue:

• Turns Off When I Try To Withdraw in zillet.io
• screen goes black when I try to collect my rewards or make a transaction while using the zilliqa app
  

As of today, I think the chances of getting a computer virus that infect secure-element-less hardware wallets through USB and then extract your seed, are very slim. The main benefit of such a storage chip is still against physical attacks, since it's obviously trivial to read off of a memory chip on a PCB in- or out-of-circuit.
One pretty big mitigation against this is using an airgapped hardware wallet instead.

Of course, if you input your xpub into a wallet application on a compromised 'China-made blackbox', the xpub could be stolen through some CPU backdoor. It won't mean a loss of funds but it would hurt your privacy and anonymity.

It's not true though that 'no one knows what it [secure element chip] does'. I noticed a few years ago, more sophisticated secure chips were more 'en vogue'; getting not only the task of secure storage but also being used for seed generation and such. These days, e.g. Foundation Passport, uses a more simple chip that just stores data and nothing else. The RNG is completely open-source on the PCB.

But I digress; for life-changing amounts of money, always feel free to go more paranoid (I don't intend to discredit / discourage when using this word), roll dice, use minimal, open-source software that runs on a RISC-V CPU, and store everything on paper!

The more paranoid we are, the safer it will be for us. Relaxing and taking words on faith, we become vulnerable. Therefore, it seems to me that a certain amount of paranoia will not be superfluous. It will be better if we count and prepare for the situation (take all possible steps to minimize negative consequences) that Chinese or not-Chinese backdoors will be found in the Ledger's devices than if it turns out that we thought that everything was in order with this HW, but it contained backdoor, which caused us financial damage.

But for some reason, when device manufacturers are discussed, Ledger turns out to be the champion among them in lies. This leads to some considerations about them and about what level of paranoia the users of their products should be. Their closest competitor is Trezor, which has been around for as long as Ledger, but their lies have not been as widely publicized.
 

My point was that the computer, laptop, or phone you are using was made in China including all of its hardware components. You connect your hardware wallet to this China-made blackbox, access your financial, private data, work-related data, etc. You have a choice to connect a hardware wallet without a secure element that has vulnerabilities, which those with a secure element don't have, or use one with a secure element, which is probably again manufactured in China and closed-source. And no one knows what it does.   

It's not just China that has problem, other government parasites are also working on backdoors, so I don't trust any of them.
Fact is that most electronics are now made in China and they have one of the crazy totalitarian ruling system, so that is why I mentioned them previously.

Are you keeping money and keys for your money in monitors, mouses and chairs or not?
It's known fact that smart tv monitors have been used for spying people, same as smartphones and other stupidly smart devices, but I guess people don't have anything to hide and they just shit with toilet door open.
We are talking about sensitive financial information here and yes I don't fully trust any electronics that is coming from China, and from other countries.

If we start getting paranoid about everything that can have Chinese backdoors, we shouldn't buy 90% of the things we own. That includes the monitor you will read this post on, the mouse you open the thread with, and the chair you are sitting in.

All companies lie to protect their business interests and to increase their profits. When they get caught, they will lie about why they were lying. Even when they are not lying, they are intentionally withholding the truth or parts of the truth from their users to protect themselves and their profit margins. And yes, that goes for Ledger's biggest competitor as well.     

I don't trust that myself; I'm just saying, if we assume it's actually assembled in France, and they only get bare PCBs from China, the devices can't have 'Chinese backdoors' on them. Except if they buy backdoored components of course, but as you said, everyone gets their components from China.