Using The Ledger Nano S With MyEtherWallet, Go Ethereum and Parity, Without Chrome

Originally written Mar 10 2017 with title “Can I Use The Ledger Nano S Without Chrome?”. Updated Mar 11 2017, renamed to “Using The Ledger Nano S With MyEtherWallet And Go Ethereum, Without Chrome”). Updated Mar 12 2017 with Parity testing. The associated reddit post is Can I Use The Ledger Nano S Without Chrome?. Updated Mar 15 2017 with more information on Parity and renamed to “Using The Ledger Nano S With MyEtherWallet, Go Ethereum and Parity, Without Chrome”. Updated Mar 18 2017 with the same mnemonic key derivation in MyEtherWallet. Updated Mar 31 2017 with info on ERC20 tokens. Updated Apr 17 2017 – latest stable geth 1.6.0 works well with the Nano S. Updated Apr 18 2017 with comparison of key derivation with the Trezor.

Summary

MyEtherWallet With Firefox
The Ledger Nano S works well with Firefox with the U2F addon and MyEtherWallet without having to use Chrome for any configuration. You need Browser support enabled to use the Nano S with MyEtherWallet.

geth 1.5.9 1.6.0, Install Nano S 1.3.1 Firmware
geth (Go Ethereum) v1.5.9 did not recognise the Nano S correctly, so I had to install the developer v1.6.0 version and the Nano S was then recognised. The next problem was that I had to install a new version 1.3.1 firmware on the Nano S in order to authorise EIP155 (replay protection) transactions in geth. I had to install the open source Chromium (not the proprietary Chrome) on my Linux machine to update the firmware, and had to set some udev rules to enable connectivity with the Nano S. You need Browser support disabled to use the Nano S with geth.

Testing The Mnemonic Key Derivation
I tested the Nano S mnemonic key derivation against two HTML/JavaScript software implementations. The first failed and the second passed. I am now comfortable using the Nano S as the same derived Ethereum private keys can be generated through the HTML/JavaScript page from the same mnemonic phrase. My ethers and ERC20 tokens will be much safer using the hardware wallet.

I used the same mnemonic phrase into MEW’s Mnemonic Phrase wallet and selected the m/44’/60’/0′ (Ledger) HD derivation path and MEW produced the same set of keys as the Nano S. You can therefore access all your accounts from MEW using the same seed phrases – only use this method if you are on a secure offline computer.

Parity 1.6.2
Parity 1.6.2 recognises the Nano S hardware account, but only the first account currently. Hopefully support for more than the first account will be available soon.

ERC20 Tokens
The Ledger Nano S works well with ERC20 tokens on geth (1.6.0 develop) with or without Ethereum Wallet / Mist, MyEtherWallet and Parity (limited to one account currently). You will need the Contract data setting to be switched on to be able to transfer ERC20 tokens from the Nano S account.


Table of contents


Ledger Nano S. The supplied lanyard is too flimsy, so my Nano S is attached to a 7 core paracord with a 200+ kg minimum breaking strength. I have tied a figure-of-eight knot in the middle of the lanyard as it is not intended to be worn around necks, being stronger than the standard human neck.

The Ledger Nano S by default requires Chrome to interact with the Ledger apps and https://www.myetherwallet.com.

I avoid using Chrome as I don’t want to give any more data to Google than I have to.

From the post Is Ledger Nano S reliable?, u/btchip suggests using a Firefox U2F addon https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/.

Based on the information in the Reddit post above, I ordered 2 x Nano S via the affiliate link on https://www.myetherwallet.com. One device for use and one device for a backup. Ordering the Nano S through the affiliate link is a painless way to support the MEW team with a few additional keystrokes and clicks. My order was placed on Mar 8 2017.

It is still the morning of Mar 10 2017 in Sydney and I received a surprise package delivered to my doorstep. It was my 2 x Nano S from Ledger’s Fulfilment Center in Sydney, in 2 days. The housing is sturdy, the two buttons are crisp to click, and it does not have the loose swivel cap reported by some people on the Reddit forums.


1. Ledger Nano S Setup Without Chrome

I open one of the boxes, and connect the Nano S to my Macbook Air (yeah, I’ve got privacy issues with this too) with the supplied USB cable.

Using one or both of the two buttons on the side of the Nano S I:

  • Enter my 4 digit PIN – 1234. From https://www.ledgerwallet.com/start/ledger-nano-s, 3 successive wrong PINs will wipe the dongle.
  • Write down my 24 word recovery phrase, in the correct order.
  • Confirm that I have written down my 24 word recovery phrase.

I then selected the Ethereum icon on the Nano S screen and changed the following settings:

  • Contract data – Enabled
  • Browser support – Enabled

2. MyEtherWallet

I installed the U2F addon https://addons.mozilla.org/en-US/firefox/addon/u2f-support-add-on/ into my Firefox browser. From the U2F addon Github repository, the U2F addon should work with OS/X, Linux and Windows.

Without restarting Firefox, I navigated to https://www.myetherwallet.com/#send-transaction. I selected the Ledger Nano S on the left hand of the screen and clicked on the Connect to Ledger Nano S button:

And got the following screen that gives me a scrollable list of Ethereum accounts secured by the 24 word HD mnemonic phrase on the Nano S:

I selected one of the accounts, and it seems to be working.


3. geth 1.5.9 1.6.0

I upgraded geth, my Go Ethereum client, via Homebrew to Davy Jones’ Locker (v1.5.9). I restarted geth and got the following error:

I0310 10:42:43.508836 cmd/geth/main.go:275] Failed to open wallet ledger://020:005: ledger wallet [ledger://020:005] input open failed: usb: claim: libusb: bad access [code -3]

Based on Update: macOS users reported permission issues where the kernel denied Geth accessing the Ledger., I downloaded geth v1.6.0 for the macOS from https://geth.ethereum.org/downloads/. I then got a message that seems to imply that the connection to the Nano S was successful:

INFO [03-10|13:15:18] Old wallet dropped  url=ledger://IOService:/AppleACPIPl…
...
> INFO [03-10|14:40:38] Ledger discovered new account  url=ledger://IOService:/AppleACPIPl… address=0x00???????????????????????????????????9af path=m/44'/60'/0'/0 balance=0 nonce=0

When I tried to send a transaction from the HD account, I got the following error:

eth.sendTransaction({from: "0x00???????????????????????????????????9af", to:"0x11???????????????????????????????????8be", value: 100000000});
Error: Ledger v1.0.2 doesn't support signing this transaction, please update to v1.0.3 at least
    at web3.js:3104:20
    at web3.js:6191:15
    at web3.js:5004:36
    at :1:1

The Nano S 1.3.1 firmware and the Ethereum app 1.0.3 need to be loaded on the Nano S to sign the geth transactions. And this requires the Ledger Manager application that runs in Chrome or Chromium.

Update: u/btchip has provided the procedures to upgrade the Nano S firmware using Python scripts.


4. Chrome In A Virtual Machine To Upgrade The Firmware

So I really have to run Chrome to run the Ledger app to update the firmware from v1.0.2 to v1.0.3? I fired up a Windows XP VM in a VirtualBox host running on Ubuntu Linux. But the USB device was not recognised by the VM host, so I skipped this VM Chrome installation option.


5. Ledger Manager In Chromium In Ubuntu

I then tried installing Chromium (the open source version on which the proprietary Chrome is based on) in Linux to run the Ledger Manager.

I installed Chromium using the commands

sudo apt-get install chromium-browser

In Chromium, I loaded the Ledger Manager from https://chrome.google.com/webstore/detail/ledger-manager/beimhnaefocolcplfimocfiaiefpkgbf.

But the following screen was displayed. Unplugging, plugging and entering the PIN did not resolve the issue.


6. Nano S Not Recognised In Linux

First I checked if the USB device was recognised. From /var/log/syslog:

Mar 10 16:15:41 Kumquat kernel: [ 1102.250594] usb 1-1.1: new full-speed USB device number 13 using ehci-pci
Mar 10 16:15:41 Kumquat kernel: [ 1102.354086] usb 1-1.1: New USB device found, idVendor=2c97, idProduct=0001
Mar 10 16:15:41 Kumquat kernel: [ 1102.354094] usb 1-1.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
Mar 10 16:15:41 Kumquat kernel: [ 1102.354098] usb 1-1.1: Product: Nano S
Mar 10 16:15:41 Kumquat kernel: [ 1102.354101] usb 1-1.1: Manufacturer: Ledger
Mar 10 16:15:41 Kumquat kernel: [ 1102.359914] hid-generic 0003:2C97:0001.0008: hiddev0,hidraw1: USB HID v1.11 Device [Ledger Nano S] on usb-0000:00:1a.0-1.1/input0
Mar 10 16:15:41 Kumquat mtp-probe: checking bus 1, device 13: "/sys/devices/pci0000:00/0000:00:1a.0/usb1/1-1/1-1.1"
Mar 10 16:15:41 Kumquat mtp-probe: bus: 1, device: 13 was not an MTP device

I then checked the USB device list:

bok@Kumquat:~/Ledger$ lsusb | grep -i 2c97
Bus 001 Device 013: ID 2c97:0001

From What if Ledger Wallet is not recognized on Linux?, I would need to create a set of udev rules to allow access to the device on Linux:

wget -q -O - https://www.ledgerwallet.com/support/add_udev_rules.sh | sudo bash

I would need to add my user to the plugdev group using the command:

sudo usermod -a -G plugdev bok

Unplugged, plugged, entered the PIN but Ledger Manager was still not recognising the Nano S.

So I added the following two statements to /etc/udev/rules.d/20-hw1.rules:

KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="plugdev", ATTRS{idVendor}=="2c97"
KERNEL=="hidraw*", SUBSYSTEM=="hidraw", MODE="0660", GROUP="plugdev", ATTRS{idVendor}=="2581"

Success! After unplugging and plugging back the Nano S, the Ledger Manager application now recognises the Nano S:

Unfortunately, updating the firmware requires the recovery phrase to be entered again:

I clicked on the Install button, and the following screen was displayed:

After many minutes, I got a failure message. How tedious.

Ok. I saw what needed to be done. The Nano S device was prompting for a confirmation to install the new firmware. I clicked the second button on the device, and there was a message “Update” displayed on the Nano S screen. The device displayed a “Processing” message, then finally a message “Press both buttons to begin”.

After 10 minutes of entering in my PIN and the 24 word recovery phrase, I got the message “Your device is now ready”. Phew.

No. It’s not quite over yet. I tried to install all the application available in the Ledger Manager screen, but the Nano S ran out of space.

Back in geth, after setting Browser support to false, I tried sending a transaction:

eth.sendTransaction({from: "0x00???????????????????????????????????9af", to:"0x11???????????????????????????????????8be", value: 100000000});

And I got the messages “Amount ETH 0.0000…01”, “Address 0x00…9af”, “Maximum Fees 0.0018”, “Confirm transaction” on the Nano S screen. Success!!!


7. First Mnemonic Key Derivation Test – Fail

I wanted to test that I could recover my derived keys using the same mnemonic phrase in case I lose my Nano S or decide not to use it.

I downloaded the Mnemonic Code Converter software from https://iancoleman.github.io/bip39 onto my computer (IMPORTANT: only use on a secure and offline computer), loaded the software into my browser and pasted my 24 word mnemonic phrase license diagram pelican spy monitor convince damage script wall hockey goose month popular swamp sugar rose mystery gap regular acquire bottom sea modify eyebrow and selected the Ethereum coin to check the derived keys:

The following screen shows the derivation path:

And the following screen shows the derived keys that DO NOT MATCH MyEtherWallet’s derived keys and geth:

The following screen shows the keys derived by MyEtherWallet:

And geth shows that the first key matches MyEtherWallet’s first key:

INFO [03-11|17:30:03] Ledger discovered new account            url=ledger://IOService:/AppleACPIPl… address=0x98cf7199f4e0c977196aafa64c6a240febb7b73e path=m/44'/60'/0'/0 balance=0 nonce=0

Note that geth only reports the first unused derived key.


8. Second Mnemonic Key Derivation Test – Pass

To have the confidence when using my Nano S, I need to know that the keys can be derived by a separate process.

I searched the net and from Restoring your Ethers (ETH or ETC) without a Ledger Nano S, I got the link to https://github.com/btchip/bip39/tree/ledger-ethereum. So I cloned the repository, selected the correct branch and compiled the code:

Iota:Downloads bok$ git clone https://github.com/btchip/bip39/tree/ledger-ethereum
Iota:Downloads bok$ cd bip39
# You will have to switch to the correct branch or the key derivation will not match
Iota:bip39 bok$ git checkout ledger-ethereum
Branch ledger-ethereum set up to track remote branch ledger-ethereum from origin.
Switched to a new branch 'ledger-ethereum'
Iota:bip39 bok$ python compile.py 
2017-03-11 17:09:15.580966 - DONE

(IMPORTANT: Only use the following on a secure and offline computer, or for testing with throwaway mnemonic phrases.)

I then loaded the file bip39-standalone.html into my browser and pasted the 24 word mnemonic phrase license diagram pelican spy monitor convince damage script wall hockey goose month popular swamp sugar rose mystery gap regular acquire bottom sea modify eyebrow and selected the Ethereum coin:

The following screen shows the derivation path:

And the following screen shows the derived keys that MATCHES MyEtherWallet’s derived keys and geth:

The following screen shows the keys derived by MyEtherWallet:

And geth‘s first key that matches the software above and MyEtherWallet’s first key:

INFO [03-11|17:30:03] Ledger discovered new account            url=ledger://IOService:/AppleACPIPl… address=0x98cf7199f4e0c977196aafa64c6a240febb7b73e path=m/44'/60'/0'/0 balance=0 nonce=0

Here are the main differences between the failing first https://iancoleman.github.io/bip39 and passing second https://github.com/btchip/bip39/tree/ledger-ethereum repositories.


9. MyEtherWallets Mnemonic Phrase Key Derivation Test – Pass

I entered the same mnemonic phrase into MEW’s Mnemonic Phrase wallet:

And I then selected the m/44’/60’/0′ (Ledger) HD derivation path, and MEW generated the same set of keys as the Nano S:

I am now comfortable using the Nano S as the same derived Ethereum private keys can be generated through the HTML/JavaScript page in 8. above and MEW from the same mnemonic phrase. My ethers and ERC20 tokens will be much safer using the hardware wallet.

Nice work Ledger, the MyEtherWallet team and the geth team!!!


10. Comparing The Key Derivation With The Trezor, Using MyEtherWallet

A user on a forum asked whether the seed from the Nano S can be restored onto the Trezor. So I used MyEtherWallet to test this, using the 24 word mnemonic phrase license diagram pelican spy monitor convince damage script wall hockey goose month popular swamp sugar rose mystery gap regular acquire bottom sea modify eyebrow.

Here is the screen from MyEtherWallet showing the addresses derived using the Trezor:

And here is the screen from MyEtherWallet showing the addresses derived using the Nano S:

So you cannot use the Nano S seed with the Trezor to derive the same accounts.


11. Parity 1.7.0

I wanted to see if Parity supports the Nano S, so I downloaded and compiled the new version of Parity 1.7.0 on my Macbook using the following instructions:

Iota:chains bok$ cargo install --git https://github.com/ethcore/parity.git parity

After the compilation, I ran parity on the Ropsten testnet using the following command:

Iota:chains bok$ parity --chain ropsten --warp

I opened up the Parity browser page on localhost:8080 and navigated to the ACCOUNTS tab and found my NANO S hardware account on the page:

A good start. I transferred some testnet ethers to my Nano S account.

While waiting for Parity to sync, I transferred 10 Ropsten ETH to my first Nano S account, and found it using MyEtherWallet on the Ropsten network:


11. Some Further Info

This entry was posted in Blog and tagged , , . Bookmark the permalink.