Tous les articles

Unlocking the bootloader on Trezor Safe devices

Unlocking the bootloader on a Trezor Safe device lets you install unofficial firmware. This guide covers Trezor Safe 3, Safe 5, and Safe 7.

Most users should never do this. Unlocking is irreversible and permanently changes how Trezor Suite treats your device. The steps below are for advanced users who understand the risks.

What the bootloader does

The bootloader is the software that runs when you power on your Trezor. It checks the firmware signature and only runs firmware signed by SatoshiLabs. If the signature doesn't match, the device shows a warning on screen.

All Trezor Safe devices ship with the bootloader locked. This blocks unsigned firmware from running.

Risks of unlocking

Unlocking the bootloader is irreversible. Your device's attestation key becomes permanently inaccessible, and Trezor Suite uses this key to verify your device is genuine.

After unlocking:

  • Trezor Suite will display a non-authentic device warning every time you connect
  • Reinstalling official Trezor firmware does not restore access to the attestation key
  • The warning will persist for the lifetime of the device

The attestation key works like a factory-signed certificate of authenticity baked into your device.

For background on how this check works, see Trezor Safe device authentication check.

Before you start

  • Verify your wallet backup so you can recover your funds if anything goes wrong
  • Install trezorctl on your computer

Unlock the bootloader

  • Connect your Trezor in bootloader mode:
    • Trezor Safe 3: hold both buttons while connecting the USB cable
    • Trezor Safe 5: swipe across the touchscreen while connecting the USB cable
    • Trezor Safe 7: with the device powered off, hold down the power button until you see a blue screen, then connect via Bluetooth or USB cable
  • Run the following command in your terminal:

trezorctl device unlock-bootloader

  • Confirm the action on your Trezor device

Unlocking over Bluetooth (Trezor Safe 7)

If you're connecting your Safe 7 wirelessly, the procedure has a few extra steps:

  • On the device in bootloader mode, select Initiate connection
  • In your terminal, pair the device:

trezorctl ble connect

  • Then run the unlock command with the B flag:

trezorctl -B device unlock-bootloader

  • Confirm the action on your Trezor
Security
;