Awesome
Hardware Wallets Digital Forensics List
List of Hardware Wallet vendor IDs and Product IDs to be used for Digital Forensics detection.
The below list may be used for forenscis analysis of a suspect's machine's logs of USB devices connected.
List is provided as best-effort and is not exhaustive.
Disclaimer
Prior to working on this repository and its contents, please make sure your agree to our disclaimer
Please let us know by opening an Issue if you want to suggest a new feature or device description or find an error or addition.
Vendors and Products Identifiers
Below is a list of Vendor and Product IDs as would be found in USB devices logs.
Forensics examiners may use this list to identify if such a device has been seen on the suspect's machines.
| _VID(0x) | _PID(0x) | Vendor name | Device desc. | Attribution URI |
|---|---|---|---|---|
| 03eb | 2402 | ShiftCrypto | BitBox01 (DigitalBitBox) | shiftcrypto.com |
| 03eb | 2403 | ShiftCrypto | BitBox02 | shiftcrypto.com |
| 096e | 0891 | Feitian Tech | JuBiter Blade | Github |
| 1209 | aaaa | Prokey | Optimum | Github |
| 1209 | abba | Generic | SafeWISE CoinSafe | Linux-usb.org |
| 1209 | b0b0 | Generic | Monero Hardware bootloader | Linux-usb.org |
| 1209 | c0dA | Generic | Monero Hardware | Linux-usb.org |
| 1209 | d00d | Generic | Monero Hardware developer | Linux-usb.org |
| 1209 | 53c0 | SatoshiLabs | Trezor v2 bootloader | Github |
| 1209 | 53c1 | SatoshiLabs | Trezor v2 | Github |
| 1209 | 7000 | Secalot | Secalot Dongle | secalot.com/downloads/ HID Rules |
| 1209 | 7001 | Secalot | Secalot Bootloader | secalot.com/downloads/ HID Rules |
| 1209 | 7551 | Generic | OpenDime DAFU bootloader | Github |
| 1209 | 9998 | Opolo | Cosmos Bootloader | pid.codes |
| 1209 | 9999 | Opolo | Cosmos Firmware | pid.codes |
| 2341 | 003d | Bitlox | Ultimate aka lockbox 3A8C | Github |
| 2341 | 003e | Bitlox | Ultimate aka lockbox | Github |
| 2581 | 1807 | Ledger | HW1 | Github |
| 2581 | 1808 | Ledger | HW1 | Github |
| 2581 | 1b7c | Ledger | HW1 | Github |
| 2581 | 2b7c | Ledger | HW1 | Github |
| 2581 | 3b7c | Ledger | HW1 | Github |
| 2581 | 4b7c | Ledger | HW1 | Github |
| 2581 | f1d1 | Ledger | HW1? Or Ledger Nano S Plus | Github |
| 2b24 | All | KeepKey | Bitcoin Wallet | Linux-usb.org |
| 2c97 | All | Ledger | Ledger HW2, Nano S, Aramis, X and Blue | Linux-usb.org and Github |
| 2c97 | 1000 | Ledger | Ledger Nano S | Github |
| 2c97 | 3000 | Ledger | Ledger HW2 | Github |
| 2c97 | 4000 | Ledger | Ledger Nano X | Github |
| 2c97 | 5000 | Ledger | Ledger Nano S Plus | Github |
| 2c97 | 6000 | Ledger | Ledger Nano Stax | Github |
| 2c97 | 7000 | Ledger | Ledger Nano Flex | Github |
| 2f48 | 2130 | D'CENT | Biometric Wallet | Github |
| 534c | 0001 | SatoshiLabs | Trezor v1 | Github |
| 0483 | 5740 | Open Source | Open Source Trezor | ST Electronics driver recomendations |
| d13e | cc10 | CoinKite | ColdCard | Github |
Missing or further research required
- SafePal Ltd. Officially backed-up by Binance. Product: SFP SafePal S1.
- SecuX Technology Inc., Taiwan. Products: W10, W20 and V20 Stone.
- Opolo Inc., Hong-Kong and Opolo SARL, Luxembourg. Product: Cosmos. May appear as Interbiometrics (_VID 1209 and _PID 0x1000 to 0x1FFF).
- Ngrave.IO NV, Belgium. Product: Zero. Is air-gapped but does have a USB-C for charging and firmware update.
- Cobo Global Ltd, Cayman Islands. Products: Keystone Essential and Keystone Pro - Cobo Vault is an open source air-gapped HD wallet. It uses USB ONLY for Firmware updates. Cobo Vault uses QRcodes only. The Cobo Hardware is essentially an Android mobile phone based on an ARM Cortex A7 processor. Hardware schematics show that the Keystone device is built on component U201, an MTK processor model MT6580A/WM (same as the Ulefone Note 7). A firmware update using USB would likely leave traces as _VID=0x0D28 but this trace could be left by any other hardware based on the MTK ARM Cortex-A7. The Cobo firmware update code uses the Keil MDK and does not seem to be programmed to check the _PID & _VID combination. Considering this, digital forensics exploitation of this hardware wallet via JTAG and with OpenOCD could proove interesting.
Specific no-USB HD Wallets
-
Embedded Agency LLC, Canada and USA. Product: Husky HDW20 - This HD Wallet is only using Wifi, including for OTA Firmware update (Over-The-Air)
-
Ellipal Ltd., Hong-Kong. Products: EC01, Titan Mini Cold Wallet and Titan Cold Wallet. This is an air-gapped wallet. The Firmware update is done via micro SD card inserted in a seperate "security module". The micro-USB port of the security module is only for charging
-
C∞lBitX (CoolBitx), Taiwan. Products: CoolWallet S and CoolWallet Pro. These are Bluetooth only cards, uses NFC to charge. CoolBitX is also the creator of the Sygna Bridge, a compliance tool used as a gateway for the exchange and querying of data accross Financial actors
-
CoinKite Inc., Canada. Products: OpenDime and ColdCard. Although these are air-gapped cards, the ColdCard Firmware update is done in DFU mode via USB
Related hardware
- Axell Corporation, Japan. Product: VIPPool Wallet. Sometimes mentioned as "a cold wallet for transfers" but our research tends to show theses are not cold wallets but licensing USB sticks also manufactured by Axell Corporation, Japan as product "Shalo". _VID and _PID information not found.
Pictures
The below are images from the manufacturers' websites (links below). Provided here for examiners who may have to search a scene for exhibits.
| Brand | Model |
|---|---|
| Bitlox |  <br/> Ultimate |
| Cobo Global |  <br/> Cobo Vault Pro and Essential (aka Keystone Pro) |
| Coinkite |  <br/> Coldcard |
| Coinkite |  <br/> OpenDime |
| CoolBitX |  <br/> CoolWallet Pro (Crypto.com branded) |
| CoolBitX |  <br/> CoolWallet S (OKEX branded but could be Binance and others) |
| Ellipal |  <br/> EC01 |
| Ellipal |  <br/> Titane Mini |
| Ellipal |  <br/> Titane |
| Feitian |  <br/> JuBiter Blade |
| LEDGER |  <br/> HW1 |
| LEDGER |  <br/> Nano Blue |
| LEDGER |  <br/> Nano S |
| LEDGER |  <br/> Nano X |
| LEDGER |  <br/> Nano S Plus |
| LEDGER |  <br/> Flex |
| LEDGER |  <br/> Stax |
| NGRAVE |  <br/> NGrave Zero |
| Prokey |  <br/> Optimum |
| Secalot |  <br/> Dongle (discontinued) |
| SecuX |  <br/> V20 Front <br/>  <br/> V20 Back |
| SecuX |  <br/> W10 |
| SecuX |  <br/> W20 |
| ShapeShift |  <br/> KeepKey |
| ShiftCrypto |  <br/> BitBox 01 aka Digital BitBox |
| ShiftCrypto |  <br/> BitBox 02 |
| TREZOR |  <br/> Model One |
| TREZOR |  <br/> Model T or "v2" |
| Open Source TREZOR Dev Kit |   <br/> Open Source Dev Kit |
Sources
A list of Hardware wallets is available at https://en.bitcoin.it
Ledger https://www.ledger.com/
Trezor https://trezor.io/
Open Source Trezor Dev Kit https://mcudev.github.io/trezor-model-t-dev-kit/
Shapeshift Keepkey https://shapeshift.com/keepkey
Shiftcrypto BitBox https://shiftcrypto.ch/
C∞lWallet (CoolWallet) https://www.coolwallet.io/
Cobo Vault (Keystone) https://cobo.com/about?locale=en or https://keyst.one
Cold Card Wallet https://coldcardwallet.com/
Ellipal https://www.ellipal.com/
JuBiter Blade https://www.ftsafe.com/store/product/cryptocurrency-wallet/
SafeWize CoinSafe https://safewise.io/#/home
Husky HDW20 https://www.huskywallet.com
SFP SafePal https://safepal.io
D'CENT https://dcentwallet.com
Cosmos https://opolo.io
VIPPool Wallet https://www.axell.co.jp
Zero https://www.ngrave.io
W10, W20, V20 Stone https://secuxtech.com
Ultimate https://www.bitlox.com
Optimum https://prokey.io
Dongle https://www.secalot.com