Questionable Trezor update pop-up?

So I was just about to add a public key of my Trezor device to the Rabby extension and I got a popup telling me that there’s an update for my Trezor 3. I went back to the Trezor Suite, but it says that my device (2.8.7) is up to date. Is this normal or is something fishy going on?

The Trezor device only accepts updates if they are signed by the Trezor developers.

If you look on the Trezor learn portal page:

Firmware changelog

You will see that currently there is v2.8.7 for TS3. But if you check Trezor’s GitHub, there is already v2.8.9 with a release date in the future :rofl: (March 19th 2025, i.e. in 3 days now).

Various software is released in phases, in early access for experienced users or testers etc.

Hi, can you please share a screenshot of this?

Here you go (I can’t upload pictures for some reason):
i.postimg.cc/WpxPR7c4/2346.png

I tried to use Thorswap to switch BTC → ETH

I used the official website and validated multiple times.
When I connect my Trezor, I get this popup on this URL:

https://connect.trezor.io/9/popup.html?version=9.5.1&env=web

I can’t trust this URL, honestly. I already checked that my Trezor Suite is at the latest version, so I don’t understand why I get this message there. How can I make sure this URL is not a scam? Why doesn’t the popup go into the Trezor Suite app instead of some random popup like this? Any help appreciated. I did not click on update, since I don’t trust it.

1 Like

I am on version 2.8.7 of the firmware (as shown in trezor suite) and using latest firefox on Ubuntu.
I tried the same on Windows computer and Firefox and got the same message.

Also, on a side note, why is there no hash or md5 on the download page (GitHub and official site)? I want to validate I got a good version of the app. The signature thing is OK, but I would still like to validate that the md5 of the download matches the one listed on GitHub, for example.

Hi @randomnUsernamenoKYC,
v2.8.9 was officially released today. You can check “Firmware changelog” on Trezor’s learn portal page.

And yes, you can find the fingerprint for your TS3 on GitHub in …t3b1/releases.json:

"version": [2, 8, 9],
"url": "data/firmware/t3b1/trezor-t3b1-2.8.9.bin",
"fingerprint": "5b3a639c5b6423d87f4c0a3855dc4be8ad7e5be6d6b1b33f93ab1a54f3f36a91",

"url_bitcoinonly": "data/firmware/t3b1/trezor-t3b1-2.8.9-bitcoinonly.bin",
"fingerprint_bitcoinonly": "d3905f15221f7b2733e5496986ceb1a3b39f390c4439e2d3cc89d5f3b7423278",

To verify these fingerprints against downloaded firmware, you can use trezorctl:

trezorctl firmware verify c:\temp\fw\trezor-t3b1-2.8.9.bin
trezorctl firmware verify c:\temp\fw\trezor-t3b1-2.8.9-bitcoinonly.bin

If you don’t have trezorctl, here are simple SHA2s:

44db2aeecb5de890d10294258d5203be43c8a21789b668dca8c507f406c1e282 *trezor-t3b1-2.8.9.bin

b0b162d339cbc3a2395b4ba98c7de69a4154ed73d38d0c62aab28140abccff36 *trezor-t3b1-2.8.9-bitcoinonly.bin

Anyway, the firmware itself is signed for secure boot purposes. But there are even more validations when the Trezor Suite application is used. You can find more on the Trezor learn portal:

Trezor Firmware hash check

Trezor firmware authenticity check

1 Like
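For readers without trezorctl, a check of a download directory against plain SHA-256 lines in the `<hash> *<filename>` form quoted above; this is an added example, not code from the thread or from Trezor. The file names and contents in `demo()` are constructed stand-ins, and the script checks only the plain file hash, not the `fingerprint` field of releases.json, which the post lists as a separate value verified by trezorctl.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One listing line: 64 hex digits, a space, ' ' (text) or '*' (binary), then the file name.
LINE_RE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")

def parse_manifest(text):
    """Return {filename: lowercase hex digest}; reject malformed or duplicate lines."""
    entries = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest, name = m.group(1).lower(), m.group(2)
        if name in entries:
            raise ValueError(f"duplicate entry for {name}")
        entries[name] = digest
    return entries

def sha256_file(path, chunk=1 << 20):
    """Hash the file in chunks so large images are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify(manifest_text, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in parse_manifest(manifest_text).items():
        path = Path(directory) / Path(name).name  # drop any directory part in the listing
        if not path.is_file():
            results[name] = "MISSING"
        else:
            results[name] = "OK" if sha256_file(path) == expected else "MISMATCH"
    return results

def demo():
    # Constructed stand-ins for downloaded images, not real firmware.
    with tempfile.TemporaryDirectory() as d:
        good, bad = Path(d, "fw-good.bin"), Path(d, "fw-bad.bin")
        good.write_bytes(b"constructed firmware image A")
        bad.write_bytes(b"constructed firmware image B")
        listing = "".join(f"{sha256_file(p)} *{p.name}\n" for p in (good, bad))
        listing += "0" * 64 + " *fw-absent.bin\n"
        bad.write_bytes(b"constructed firmware image B, altered after listing")
        return verify(listing, d)

if __name__ == "__main__": print(demo())
```

The expected hashes should come from a source other than the one that served the download; a listing fetched alongside the file proves nothing if that source is the problem.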

Is there a reason my Trezor suite app is not picking up the update? I prefer not to update anything outside of the suite, for safety reasons.

Installing firmware

Your device is already updated to the latest firmware. You may reinstall the firmware if needed.

Current version

Universal 2.8.7

Latest version

Universal 2.8.7

In my case the Trezor Suite application offered me the new firmware version already on Sunday, i.e. a few days before the official release. Maybe it is because I opted in to the Early Access Program in Trezor Suite settings -> Application -> Experimental.

Maybe it is released in waves for different parts of the world/users. I’m not sure and I could be wrong. Anyway, I guess it won’t take long and you will be offered the new Trezor Suite & Trezor Firmware. :innocent:

Thanks for the help, will check with this checkbox.

Still, it is bad UX to be offered an upgrade in a web popup (I would never trust that) when the Trezor Suite says you are up to date.
With what happened with Safe wallet, I would hope they go away from web stuff and learn from previous hacks/scams to avoid this type of integration.

Cheers

@randomnUsernamenoKYC @Tampering this message was displayed since there was an update available in the Early Access Program, which you are most likely not part of, hence the Suite did not offer this update. The public update is gradually released, so you should see the prompt in Suite too.

So Rabby needs the latest “experimental” firmware? From the warning next to this checkbox in Trezor Suite, I am not sure I want to turn this on. Is it safe to use and will it stop these annoying popups? Cheers

No, it does not. It is simply informing you there is an update. Also, this popup is not related to Rabby; this is Trezor Connect, used for connection with third-party apps.

You can use your wallet the same way as before.

1 Like

Thanks for the insight.

Just maybe a feature request, but could the approval and typing of the passphrase (25 words) be done in Trezor Suite, and not in some HTML popup? I personally never trust this type of integration. It seems really shaky and bad UX, almost similar to what a scam site would do. Just my 2 cents

The seed phrase (the words) is never typed in this popup, or any other website that prompts you to do so. Only on the Trezor device or, in the case of the Model One, in the Trezor Suite software during recovery (in the random order that Suite tells you).

If you are referring to the picture below, that is a passphrase, not to be confused with the seed. If you are typing your words here you are not using it correctly, this is only for the additional passphrase (like an extra word to your seed) that creates a hidden wallet.

Please make sure you learn about the passphrase, because if you are doing what I described above it would be very easy to create a passphrase by mistake that you will not get into again.

If you want to use the passphrase and type it on the device you can do so as highlighted above.

Sorry, I meant the secret passphrase; it is often referred to as the “25 words”. I am not typing my seed.

Just saying, a popup that triggers the Trezor Suite app to open and do the approval in there would be much better UX and more reliable, to avoid people getting scammed, since the real flow looks like a scammer flow and can easily be mocked.

As mentioned you have an option to type on the device.

All final approvals are made on the device too not in the app.

Typing the passphrase on the device is a pain and not good UX.

The thing I don’t trust is the web page; I trust my computer. All right, I won’t argue with you, but if you guys want crypto adoption, we need better UX than that.

We definitely appreciate your feedback and we are already looking into different ways how Trezor can be used with 3rd party wallets.

1 Like