All articles

Unlocking the bootloader on Trezor Safe 3

The bootloader is a critical piece of software on your Trezor device. It provides a simple interface where you can install, update and check firmware installations.

The bootloader checks the integrity and signatures of the firmware and runs it if everything is OK. This examination occurs every time you power on the device; if the bootloader detects unofficial firmware, it displays a warning on the device screen.

All Trezor Safe 3 devices are shipped with the bootloader locked, which prevents the installation of unofficial firmware. This protects your device from malicious use or modification. If you want to install unofficial firmware you must first unlock the bootloader, allowing access to normally hidden device functions.
Unlocking the bootloader is unnecessary for most Trezor users and may cause your device to malfunction. We do not recommend performing this action unless you really know what you’re doing.

When you unlock the bootloader, you will irreversibly lose access to the attestation key stored on the Trezor device. The attestation key is used to check if the device is genuine, functioning like a “digital certificate of authenticity”.

If the attestation key is missing (most likely because you have just deleted it) then you will be warned that the device isn’t authentic, and will not be able to use Trezor Suite with the device. Even if you re-install official Trezor firmware, the attestation key will still be missing from your Trezor, and so the warning will persist.

Steps for unlocking the bootloader:

1. Before proceeding, make sure you check the validity of your backup
2. Enter the bootloader by holding down both buttons when connecting the Trezor Safe 3
3. Run the command: trezorctl device unlock-bootloader
Learn more about using trezorctl commands
a part of SatoshiLabs Group
Copyright belongs to Trezor company s.r.o. All rights reserved.