Strategy for brand new but old Trezor One

I have a trezor one that I bought sometime in 2016-2018. I’ve had it in a drawer in its closed box for years and now I’m in need to migrate my old wallet to a new one (new seed needed).

The thing is: I don’t remember where I bought it. It very well could have been from the official store but I don’t really remember so I’m now wondering of a method to ensure my funds are not at risk when using it.

First, the checks:

  • Physical box in perfect state
  • Wrapping plastic intact
  • Holograms intact
  • Physical device doesn’t seem tampered at all
  • Firmware generation without issues or alerts
  • Generation of seed phrase normal

Now, I’ve read about fake Trezors having pre-defined seeds and shortening passphrases to 1 digit to give the impression of it working normally, now, my question is:

If I generate multiple passphrases, say 20 character long with only the last few 2 or 3 characters changing and I can generate working hidden wallets with those long passphrases, would that ensure that my Trezor works and is secure?

Because even if the seed was pre-planted maliciously, the long passphases would secure each wallet, right?
And given that only 2 or 3 characters at the end change from each passphrase, it would make it impossible (or at least impractically difficult) for an attacker to discover the passphrases?

Thank you in advance for any help and orientation with this. BTW, I’m fairly technical so if there are any other tests I can perform please let me know.

So, I’ve created wallets with passphrases, for example:


Being the X’x the common long prefix and the a,b,c the last few chars that change (meaning the shortened passphrase attack doesn’t seem to happen in the hardware)

And they effectively open a different wallet each.

Would this mean the hardware is not corrupted? Or at least, if it is, the funds are protected by the passphrases?

Any input is appreciated.

1 Like

You should generate a throw-away seed, pick a passphrase or two, copy down the receiving addresses.

Then input the same seed + passphrase into BIP39 - Mnemonic Code, or any other way to generate addresses, and check that they are the same.

If they come out the same, that means that the passphrase is applied the correct way, and that means that, if the hypothetical attacker has your seed, the passphrase is definitely applied on top and your funds are safe.

With that said, if you’re skilled enough for it, the strongest check you can do is build your own firmware with some sort of modification. E.g., make it so that the default label is “Colder Trezor” instead of “My Trezor”. Then install the firmware and check that the modification is there.

If this works, then you can be fairly confident that the device is running the code that you are submitting. You can then install the official firmware and use the device as normal.

1 Like

Amazing reply, thank you for your help @matejcik , I’ll try these methods.

1 Like

Hi again @matejcik I tried both methods and the results were:

1.- Multiple combinations of seed + passphrases give the same addresses as the provided web page does.

2.- I downloaded the Trezor git repo, and changed the string for “Please enter your passphrase” to “xxxxx enter your passphrase” in file “legacy->firmware->protect.c” which correctly displayed the new string in the Trezor device.

However, as for your specific recommendation (changing the default label) I changed it in the file core->translations->en.json and apparently it also changed it automatically in the files: core/embed/rust/src/translations/generated/, core/mocks/generated/trezortranslate_keys.pyi, core/mocks/trezortranslate_keys.pyi but the trezor continues displaying “My Trezor” instead of my custom label.

Could it be that something is compromised in the device or it’s simply that I’m not doing the correct changes to modify the label? If so, can you provide orientation about the file I need to change for the label?

Thank you in advance for your valuable help.