Check the hardware integrity of your Ledger Nano S to make sure that it has not been tampered with. This article contains detailed technical information about the security of your device.
Caution
Please handle the Ledger Nano S device with great care while you proceed. Be aware that once opened, your device will not be refundable or exchangeable.
Microcontroller (MCU)
The Secure Element checks the full microcontroller flash at boot, as described in this blog post. If the flash has been modified, you'll get a warning at boot. As an additional check, you can open the device to verify that no additional chip has been added (referring to the attached picture) and that the MCU is an STM32F042K6 (with 32 Kb flash, as a bigger flash could contain code fooling the Secure Element validation). Markings on the chip can vary, but you should see the string "042K6".
Hardware revisions
Revision 1
- Blue PCB
- Black glue
Revision 2
- Green PCB
- Black or transparent glue [not pictured].
Revision 3
- Blue PCB
- Black glue
Revision 4
- Blue PCB
- Hole in the PCB
Revision 5
- Blue PCB
Revision 5 bis
- Blue PCB
Revision 6
- Blue PCB
Revision 7
- Blue PCB
- Thin display cable
Secure Element attestation
The Secure Element itself is personalized at the factory with an attestation proving that it has been created by us. You can verify it by running:
    pip install --no-cache-dir ledgerblue
Then, on firmware 1.3.1 or below:
    python -m ledgerblue.checkGenuine --targetId 0x31100002
Or, on firmware 1.4.1 and above:
    python -m ledgerblue.checkGenuine --targetId 0x31100003
The source code is available here.
Application verification
When opening an application, a Non Genuine warning is displayed if it is not signed by Ledger. A modified User Interface (as found in https://github.com/LedgerHQ/nanos-ui) will also display a warning message on boot.
Root of trust
The root of trust for the current batch is the following secp256k1 public key:
0490f5c9d15a0134bb019d2afd0bf297149738459706e7ac5be4abc350a1f818057224fce12ec9a65de18ec34d6e8c24db927835ea1692b14c32e9836a75dad609
- as checked in Genuine.py
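
One way to compare an issuer key you have found elsewhere (for example in a locally installed copy of the checking script) against the root of trust published above. This is an added example, not code from ledgerblue or Ledger; the function names are hypothetical. It goes slightly beyond the text by also accepting the compressed SEC1 form of the same key and by rejecting any value that is not a point on secp256k1.

```python
# Added example (not Ledger's code): validate a SEC1-encoded secp256k1 key
# and compare it with the root-of-trust key published on this page.

# secp256k1 domain parameters: field prime and curve y^2 = x^3 + 7.
P = 2**256 - 2**32 - 977
B = 7

# Root-of-trust public key exactly as published above (04 || X || Y).
LEDGER_ROOT_HEX = (
    "0490f5c9d15a0134bb019d2afd0bf297149738459706e7ac5be4abc350a1f81805"
    "7224fce12ec9a65de18ec34d6e8c24db927835ea1692b14c32e9836a75dad609"
)

def parse_point(key_hex):
    """Decode 04||X||Y or 02/03||X and return (x, y).
    Raises ValueError if the input is malformed or not on the curve."""
    raw = bytes.fromhex("".join(key_hex.split()))
    if len(raw) == 65 and raw[0] == 4:
        x = int.from_bytes(raw[1:33], "big")
        y = int.from_bytes(raw[33:], "big")
    elif len(raw) == 33 and raw[0] in (2, 3):
        x = int.from_bytes(raw[1:], "big")
        # P % 4 == 3, so a square root of rhs is rhs^((P+1)/4) mod P.
        y = pow((pow(x, 3, P) + B) % P, (P + 1) // 4, P)
        if (y & 1) != (raw[0] & 1):   # prefix 02 = even y, 03 = odd y
            y = P - y
    else:
        raise ValueError("not a SEC1-encoded public key")
    if x >= P or y >= P or (y * y - pow(x, 3, P) - B) % P != 0:
        raise ValueError("point is not on secp256k1")
    return x, y

def encode_uncompressed(point):
    """Canonical 65-byte encoding, so equal keys compare equal."""
    x, y = point
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def is_ledger_root(candidate_hex):
    """True only if candidate_hex is a valid encoding of the published key."""
    try:
        candidate = encode_uncompressed(parse_point(candidate_hex))
    except ValueError:
        return False
    return candidate == encode_uncompressed(parse_point(LEDGER_ROOT_HEX))

if __name__ == "__main__":
    print(is_ledger_root(LEDGER_ROOT_HEX))
```

A key that differs in a single hex digit, or that is truncated, fails the curve check and is rejected rather than being compared as an opaque string.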