wallet-scan is a low-cost, fully automated, and reproducible hardware wallet analysis platform. It enables precise and repeatable testing of cryptocurrency hardware wallets (HWWs) by simulating human interaction—such as button presses and screen reading—without compromising cryptographic security assumptions.
Cryptocurrency hardware wallets (HWWs) store cryptographic keys offline and require physical user interactions to perform sensitive operations like signing. This makes them secure, but also difficult to analyze automatically. wallet-scan bridges that gap by providing:
- Servo-controlled hardware interaction (e.g., button presses)
- OCR-based screen content extraction
- Timing and metadata logging
The system supports testing across a wide variety of HWW models, enabling large-scale evaluation of wallet firmware over time.
- Automated physical interaction via Arduino-controlled servos
- OCR-based display capture using Tesseract
- Webcam support for screen digitization
- Command protocol for simple integration with analysis scripts
- Data collection framework for timing and screen content
Install the following system packages:
sudo apt install -y \
tesseract-ocr \
tesseract-ocr-eng \
libtesseract-dev \
python3-pytesseract \
python3-opencv
Any USB or Pi-compatible camera should work. The system was tested primarily with:
- Arducam
- RaspiCam
- Connect the servo controller board (e.g., Arduino) to the testing rig.
- Position servos over wallet device buttons.
- Mount the camera to capture the wallet’s display.
- Ensure all required Python and system dependencies are installed.
A single-servo press command begins with P and is formatted as:
P <servo_number> [hold_time]
Examples:
"P 2\n" - press servo 2
"P 2 3\n" - hold servo 2 for 3 seconds
A multi-servo press command begins with M and is formatted as:
M <servo1,servo2,...> [hold_time]
Examples:
"M 1,4,7 2\n" - hold servos 1, 4, 7 for 2 seconds
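An analysis script can build and validate these command strings before they reach the servo controller, so that a malformed line never moves the rig and every logged command can be replayed exactly. The following is an added example, not code from wallet-scan; it assumes servo numbers are positive integers, `hold_time` is a whole number of seconds, and `MAX_SERVO` is a hypothetical rig limit.

```python
# Added example: encoder and strict parser for the P and M servo commands.
# Assumptions (not from the project): servo numbers are integers 1..MAX_SERVO,
# hold_time is a whole number of seconds >= 1, one command per "\n"-terminated line.
import re

MAX_SERVO = 16  # hypothetical limit; set to the number of servos on your rig
_CMD_RE = re.compile(r"([PM]) ([0-9]+(?:,[0-9]+)*)(?: ([0-9]+))?\n")


def _check_servo(n):
    if not isinstance(n, int) or isinstance(n, bool) or not 1 <= n <= MAX_SERVO:
        raise ValueError(f"invalid servo number: {n!r}")
    return n


def _hold_suffix(hold_time):
    if hold_time is None:
        return ""
    if not isinstance(hold_time, int) or isinstance(hold_time, bool) or hold_time < 1:
        raise ValueError(f"invalid hold_time: {hold_time!r}")
    return f" {hold_time}"


def press(servo, hold_time=None):
    """Build a single-servo command: P <servo_number> [hold_time]."""
    return f"P {_check_servo(servo)}{_hold_suffix(hold_time)}\n"


def multi_press(servos, hold_time=None):
    """Build a multi-servo command: M <servo1,servo2,...> [hold_time]."""
    servos = list(servos)
    if not servos or len(set(servos)) != len(servos):
        raise ValueError("servo list must be non-empty with no duplicates")
    ids = ",".join(str(_check_servo(s)) for s in servos)
    return f"M {ids}{_hold_suffix(hold_time)}\n"


def parse_command(line):
    """Parse one command line into (kind, servos, hold_time); reject anything else."""
    m = _CMD_RE.fullmatch(line)  # fullmatch rejects trailing data or a second command
    if m is None:
        raise ValueError(f"malformed command: {line!r}")
    kind, ids, hold = m.groups()
    servos = [_check_servo(int(s)) for s in ids.split(",")]
    if kind == "P" and len(servos) != 1:
        raise ValueError("P takes exactly one servo; use M for several")
    hold_time = int(hold) if hold else None
    _hold_suffix(hold_time)  # reuse the range check on the parsed value
    return kind, servos, hold_time
```

The strings returned by `press` and `multi_press` are what would be written to the controller's serial port; `parse_command` is useful for checking command logs from earlier runs before replaying them.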