I was perusing the Trezor code and noticed this function:
This is called early in the bootloader and checks whether the memory protections have been set; if they have not been, it sets them.
The setting is permanent and the code will only be hit once -- the first time the chip powers up into application mode after the bootloader has been written to the chip.
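To make that check-then-set behaviour concrete, here is an added host-runnable model of such a routine; it is not the Trezor or BWallet code, and it assumes the STM32-style read-out protection (RDP) encoding, where an option byte of 0xAA means level 0, 0xCC means the permanent level 2 with the debug port disabled, and any other value means level 1. The MCU register and its debug-port side effect are a constructed fake so the logic runs on a PC.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* RDP encodings assumed from the STM32F2-style option byte (see lead-in). */
#define RDP_LEVEL0 0xAAu  /* level 0: no read-out protection */
#define RDP_LEVEL2 0xCCu  /* level 2: permanent, debug port disabled */

/* Constructed stand-in for the MCU: the option-byte register plus the
 * consequence of level 2, namely that JTAG/SWD stops answering. */
typedef struct {
    uint8_t rdp;         /* current RDP byte */
    bool    debug_port;  /* true while JTAG/SWD still responds */
    int     programs;    /* how many times the option bytes were written */
} fake_mcu_t;

/* Decode the RDP byte: 0xAA -> 0, 0xCC -> 2, anything else -> 1. */
int rdp_level(uint8_t rdp) {
    if (rdp == RDP_LEVEL0) return 0;
    if (rdp == RDP_LEVEL2) return 2;
    return 1;
}

/* Programming the option bytes on the fake MCU.  Level 2 is a one-way
 * door: once set, further writes are ignored, as on the real silicon. */
static void fake_program_rdp(fake_mcu_t *mcu, uint8_t rdp) {
    if (mcu->rdp == RDP_LEVEL2) return;
    mcu->rdp = rdp;
    mcu->programs++;
    if (rdp == RDP_LEVEL2) mcu->debug_port = false;
}

/* The check-then-set routine the post describes, run early in the
 * bootloader.  Returns true only when this call changed the option bytes,
 * so on every boot after the first it is a no-op. */
bool memory_protect(fake_mcu_t *mcu) {
    if (rdp_level(mcu->rdp) == 2) return false;  /* already protected */
    fake_program_rdp(mcu, RDP_LEVEL2);
    return true;
}

int main(void) {
    fake_mcu_t chip = { RDP_LEVEL0, true, 0 };  /* factory-blank chip */
    printf("first boot changed protection:  %d\n", memory_protect(&chip));
    printf("second boot changed protection: %d\n", memory_protect(&chip));
    printf("debug port still answers:       %d\n", chip.debug_port);
    return 0;
}
```

Once level 2 is set the fake, like the chip, no longer answers a debugger, which is the symptom a JTAG test rig would observe.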
But has this happened before or after the wallet has been put into the retail packaging?
Let's find out!
First, let's make sure we have a valid way of testing by using a fresh factory-blank chip:
With the factory-fresh chip in this rig and the boot pins in this configuration, I can verify that the chip boots into DFU mode via JTAG and OpenOCD.
So let's sacrifice a factory-sealed wallet. For Science!
Apply tools:
Extracted safely:
Now the sad conclusion: when testing this chip in the test rig, OpenOCD would not communicate with the chip. This implies that BWallet powers up each unit in the factory in application mode, executing the code that trips the memory protection fuses.
I'd like to test a Trezor in a similar way. Donate if you are interested!