All articles

Unlocking the bootloader on Trezor Safe devices

The bootloader is a critical piece of software on your Trezor. It provides a simple interface where you can install, update and check firmware installations.

The bootloader checks the integrity and signatures of the firmware and runs it if everything is OK. This examination occurs every time you power on the device; if the bootloader detects unofficial firmware, it displays a warning on the device screen.

All Trezor Safe devices are shipped with the bootloader locked, which prevents the installation of unofficial firmware. This protects your device from malicious use or modification. If you want to install unofficial firmware you must first unlock the bootloader, allowing access to normally hidden device functions.
 
Unlocking the bootloader is unnecessary for most Trezor users and may cause your device to malfunction. We do not recommend performing this action unless you really know what you’re doing.

When you unlock the bootloader, you will irreversibly lose access to the attestation key stored on your Trezor. The attestation key is used to check if the device is genuine, functioning like a “digital certificate of authenticity”.

If the attestation key is missing (most likely because you have just deleted it) then you will be warned that the device isn’t authentic, and will not be able to use Trezor Suite with the device. Even if you re-install official Trezor firmware, the attestation key will still be missing from your Trezor, and so the warning will persist.


Steps for unlocking the bootloader:

1. Before proceeding, make sure you check the validity of your backup on your Trezor Safe 3 or Trezor Safe 5
2. Enter the bootloader by holding down both buttons when connecting a Trezor Safe 3, or by swiping across the screen while connecting a Trezor Safe 5
3. Run the command: trezorctl device unlock-bootloader
 
Learn more about using trezorctl commands