Custom firmware on Trezor Safe 5 - is bootloader unlock needed?

Hello everyone.

I’d like to install custom-built firmware and have a few questions.

  1. According to this comment by matejcik (Self signed firmware on Trezor Safe 5 - #2 by matejcik), “Trezor Safe 5 can flash custom firmware without an unlocking step”.
    However, when I try doing it I get a red screen saying that “Installation of custom firmware is currently restricted” and directing me to Unlocking the bootloader on Trezor Safe devices.
    So, is the comment wrong? Or are there different Safe 5’s, some of which require the unlock and some not?
    Or am I doing something wrong? (What I did is run make upload while the device was in bootloader mode, and then I tried it again after resetting the device from the bootloader menu, with the same result.)

  2. Assuming that I do need to unlock the bootloader. What confuses me then is this paragraph on the “Unlocking the bootloader” page:

    When you unlock the bootloader, you will irreversibly lose access to the attestation key… If the attestation key is missing … then you will be warned that the device isn’t authentic, and will not be able to use Trezor Suite with the device. Even if you re-install official Trezor firmware, the attestation key will still be missing from your Trezor, and so the warning will persist.

    Is this just a badly formulated sentence, or will I indeed lose the ability to use Trezor Suite after bootloader unlock? I mean, I can probably also have a custom-built Trezor Suite with some checks disabled, but that’s not something I’d like to do.

  3. The device with the custom firmware is supposed to be for everyday use. So now I’m wondering whether I’m using the right model.
    E.g. is there a difference, security-wise, between a bootloader-unlocked Safe 5 and a Safe 3 (I also own the latter, so maybe I should unlock that one instead)?
    Or maybe I should have bought a Model T, which apparently doesn’t require unlocking. Would a Model T be more secure than an unlocked Safe 3/5 in this scenario?

Thanks in advance.

that comment is outdated. bootloader locking was introduced on the TS5 too in one of the more recent firmware versions

I believe that this text is also outdated – there is an option in Suite settings to disable the authenticity check

this is not a great idea, because anyone who steals your device can flash a custom firmware without erasing your seed and e.g. install a PIN stealer

(we were considering adding an option for “self-signed” firmware, but that is not currently on the roadmap)

The security levels are identical wrt device authenticity – after unlocking, the TS5 and TS3 degrade to Trezor T level.

It is still much better to use one of the Trezor Safe family devices, where an attacker still needs your PIN to extract the seed from the Secure Element. Again, it’s possible to install a PIN stealer firmware, then pick up the device later to grab the seed – however, such an attack requires a better level of access than the Trezor T “grab it, extract the seed, then brute-force the PIN”.

@matejcik, thanks for your reply.

I went with unlocking my Safe 3 instead and can confirm that I’m still able to use Trezor Suite with it (after disabling the device and firmware checks).

    this is not a great idea, because anyone who steals your device can flash a custom firmware without erasing your seed and e.g. install a PIN stealer

That’s a bummer, but I don’t think I have a choice - I need the custom firmware for its support of a coin that is not officially supported by Trezor.

    (we were considering adding an option for “self-signed” firmware, but that is not currently on the roadmap)

Keeping my fingers crossed that this will be implemented some day.