Ledger Diagnostic Toolkit

Start here: Focus on the affected account — use the Focus Investigation button on the Overview or Shift+click the account's tile in Accounts. This filters every section to that account. Check Accounts for the live on-chain balance and fiat value — compare with what the customer reports.

Look for: Mismatches between live balance and what the customer sees. If the log has no sync data, accounts show an amber "no data" badge — the live balance is your only reference. The sidebar also shows fiat values next to funded accounts for a quick scan.

For deeper investigation: Switch to Customer View → load the customer's app.json for the balances their app was displaying. Compare app.json balances with the live balances shown in Diagnostic mode.

For Bitcoin, Litecoin, Dogecoin, Bitcoin Cash, or Zcash: Open the account in Accounts — if it stores an xpub, the tool shows an Xpub Scanner. Click "Scan" to derive individual addresses and check on-chain balances. This shows exactly where funds are, even if the app's sync is wrong.

For Cardano, TON, or Stacks: The tool derives explorer-ready addresses from the raw data in the log. Look for the "Derived Address" block when you expand the account — click the explorer link to verify the balance on-chain.

In Customer View: Load the customer's app.json and go to Agent Insights. The dashboard compares what the customer sees to live on-chain balances and flags discrepancies. Check the staking card — if the customer has staked funds, the "missing" balance is likely frozen, not lost. Use the Earn tab to see their staking positions and validator details.

Start here: Switch to Customer View and load the customer's app.json. Go to Agent Insights. If accounts have been drained, a red DRAIN DETECTED or SEED COMPROMISE finding will appear at the top of the list automatically.

What you'll see: The drain finding shows total estimated loss, which accounts were emptied, and a fund flow diagram showing where the money went — victim accounts on the left, attacker addresses on the right, with transaction links between them. When multiple chains converge on the same destination address, it's highlighted as the attacker's collection wallet.

"Funds sent to" section: Lists every destination address that received the stolen funds. Each address has a copy button and a direct explorer link — click to verify on the blockchain. This is what law enforcement needs.

Copy the drain report: Click "Copy drain report for escalation" at the bottom of the drain detail panel. This produces a formatted report with: customer identity, each drained account with before/after balances, every drain transaction hash with explorer links, and all destination addresses. Paste it into your escalation ticket.

Escalation procedure: The tool provides specific guidance in the action box. For multi-chain drains (seed compromise): advise the customer to stop using the seed phrase immediately, set up a new device with a new seed, and file a police report.

Start here: Click Issues in the sidebar. Use the severity chips at the top to focus — click Critical to filter to critical errors only. Click a category chip (Hardware / Software) to narrow further.

Look for: The error strip shows where errors occurred in the session — red segments stand out against muted session context. Hover any bar for details. Click to select that error in the detail panel.

Dig deeper: In the error detail panel, expand "What happened before" to see the 5 log entries leading up to the error. This shows you what triggered it. Click "View in Timeline" to jump to that moment in the full session.

Next: Check Affected account on the error card. Check Advanced → Network for failed API calls. If the error mentions device rejection, check Advanced → APDU.

Start here: Look at the Overview. Check the Diagnostic Priority Map for a Connection or App & Updates block — a red block there is your first lead. The device status line shows model, firmware, and sync state. If it says "Device —", the device never identified itself. Check the Network stat badge — 0 failures with 0 total requests means no API activity at all.

Look for: Device model and firmware version in the device card (the expandable panel on the Overview). Check if firmware is outdated — the tool shows "FW 2.6.1 ⬆ 2.7.0 avail." when an update is needed. The Diagnostic Priority Map will also show a firmware finding in App & Updates.

Next: Check Issues for hardware/USB errors. Check Advanced → APDU for device communication. If there's zero APDU data, the device never established a connection at all.

Start here: Check the Overview. The severity and issue count in the triage row tell you how bad the session was. The Diagnostic Priority Map shows which category of problem dominates — Connection, Sync, Activity, App & Updates, or Server.

Look for: Critical errors (red). In the Issues section, check for repeating pattern badges at the top — "↻ Unexpected error ×6" means the same error is looping. The error strip shows whether problems are clustered (cascade) or spread across the session.

Next: Check Advanced → Network for server errors (5xx). Timeouts or connectivity failures point to a server-side issue, not the app. Check the Overview device card's Environment section for OS and platform — some issues are platform-specific.

Start here: Switch to Customer View using the prominent toggle in the top bar.

Load app.json: Upload the customer's app.json via the banner. This populates all tabs with the customer's actual data — balances, transactions, staking positions, device info, and app versions.

Walk the tabs: Portfolio shows their total value and asset allocation. Accounts shows every account with full transaction history. Earn shows staking positions. My Ledger shows device storage and installed apps. Agent Insights compares their data to live on-chain reality.

Key investigation flows:

• Balance dispute → Agent Insights → click the flagged account → see comparison + action
• Staking issue → Earn tab → expand the position → check validator + operation timeline
• Missing transactions → Accounts → click the account → scroll operations timeline
• App/firmware issue → My Ledger → check versions, storage, installed apps

Start here: Read the Overview for the overall picture — triage row (severity, stat badges), and the Diagnostic Priority Map below it. The map shows every finding sized by severity and organized by category. Click any block to jump to the relevant section. Filter by category (Connection, Sync, Activity, App & Updates, Server) to focus on a specific area.

Recommended flow:

Overview → device health + big picture
Issues → what went wrong and when
Accounts → what exists
Timeline → what happened in sequence
Advanced → deeper data if needed

Big picture first, problems second, context third.

The Diagnostic Priority Map is the main content area of the Overview. It shows every finding from the current session as a treemap — blocks sized by severity weight, colored red to amber to green. The biggest, reddest block is always your starting point.

Multi-source findings: The map aggregates from seven data sources — log errors, firmware update status, desktop app version, device app status (missing/outdated), no-sync flag, network failures, and incomplete swaps — into one unified view. Errors are the dominant input on most sessions, but system-level findings surface in the same map so nothing is missed.

Workflow categories: Every block is classified into one of five investigation categories:

🔌 Connection — device hardware errors, USB/Bluetooth issues
🔄 Sync — balance sync failures, price data, bridge issues
⚡ Activity — failed transactions, user rejections, swap failures
📱 App & Updates — outdated firmware, missing/outdated device apps, app version
☁️ Server — Ledger server errors, API failures

Interacting with the map:

Click any block — jumps to the relevant section (Issues for errors, Accounts for account findings)
Category chips above the map — click to filter to one category. Click again to clear.
Focus Mode — when an account is focused, blocks linked to other accounts dim. System-wide findings stay visible.

The Timeline header shows a stacked bar chart of the entire session. Bar height = event density. Bar color = event type, using the same colors as the type badges on every row. You read the session left to right: "gray startup, purple analytics, gold price fetching, orange sync burst, blue network calls, red errors at the end."

Legend chips below the strip show every event type with its color and count. Hover a chip to highlight matching segments — everything else dims. Click to filter the row list. Click again to clear. The type dropdown and chips share state.

Error dots sit on a baseline below the bars — click any dot to scroll to that error entry.

Smart grouping: Bursts of same-type events (40 bridge events during sync) collapse into expandable group headers. Toggle with the Grouped/Flat button. Errors never collapse.

Account filtering: When Focus Mode is active (Shift+click a tile, or use the Focus Investigation button), Timeline automatically filters to that account's events. A banner shows which account is focused with a "Show all" option to clear. You can also click the Timeline button on any account card for a quick filter.

Filter chips: Severity chips (Critical Warning Info) and category chips (Hardware, Software, Server) at the top of Issues. Click to filter. Hover to highlight matching errors on the strip. Combine them: Critical + Hardware = only critical hardware errors.

Error strip: Same color-coded session bars as the Timeline, but error segments are prominent (full opacity) while context is muted. Hover any bar for a tooltip showing what errors occurred at that moment. Click to select that error.

Pattern badges: "↻ Price data unavailable ×4" — click to filter to just that repeating pattern. Cascades become obvious.

Breadcrumbs: In the error detail panel, expand "What happened before" to see the 5 entries leading up to the error — type badges, messages, and relative timestamps. Click "View in Timeline" to jump to that moment in the full session.

Diagnostic Pathways: Below the breadcrumbs, a Related Evidence section shows correlated events from the seconds before the error: network failures, APDU rejections, sync activity. Each link navigates directly to the relevant section (Network, APDU, or Timeline) so you can trace cause and effect without manual searching.

At the top of Accounts, colored tiles give you a quick visual map. Each tile = one account, colored by chain, showing a chain icon or 3-letter ticker label as fallback.

Corner dots: Red (top-right) = errors for this account. Purple (bottom-right) = xpub/scannable. ? = unsupported for live balance.

Hover any tile for a popover: chain name, address, live balance + fiat, status, error count, and xpub/explorer flags.

Click to filter the account list to that chain. Shift+click to activate Focus Mode — every section filters to that account, non-focused elements dim, and a Context Ribbon appears at the top of the content area.

Portfolio ▸ button opens a proportional overlay — bigger tile = more value. Click any tile to filter and close.

EVM grouping: Accounts sharing the same 0x address (Ethereum + L2 chains) are grouped with a shared header, combined fiat, and a copy button.

Focus Mode is your primary investigation tool. Most tickets center on one account — focus on it and every section becomes relevant to that account.

How to activate:

Shift+click any health tile in Accounts
Focus button in the tile hover popover
Affected account link on any error card in Issues
Focus Investigation dropdown button on the Overview
Diagnostic Priority Map block, when linked to an account

What happens: A purple indicator appears in the sidebar showing which account is focused. The content area gets a colored left border matching the account's chain. A Context Ribbon appears at the top of the content area showing your investigation thread — click any segment to navigate (account → Accounts, error title → Issues, timestamp → Timeline). Every section filters to that account: Issues shows only related errors, Timeline shows only that account's events, and the sidebar account list highlights the focused row.

Adaptive Dimming: Everything not related to your focused account dims — tiles, account cards, sidebar rows, error strip segments. Blocks in the Diagnostic Priority Map that are linked to other accounts dim; system-wide findings (firmware, app version, etc.) stay fully visible. Your investigation path stays bright. The focused tile gently pulses so you always know which account you're looking at.

EVM precision: For EVM chains sharing the same address (Ethereum + L2s like Polygon, Arbitrum, Base), focus is chain-specific. Focusing Ethereum shows only Ethereum activity — Polygon and Arbitrum stay dim even though they share the address.

How to clear: Click the ✕ on the sidebar focus indicator, press Escape, click ✕ on the Context Ribbon, or Shift+click the same tile again.

When you expand an account that stores an extended public key (xpub, ypub, or zpub), the tool shows a Scan button. Clicking it derives individual addresses from the key, queries the blockchain for each one, and shows the balance and transaction count per address.

This is your most powerful tool for "my balance is wrong" on UTXO chains. It shows exactly which addresses hold funds — even addresses the app's sync may have missed.

The scanner walks the derivation path (receive and change chains), stopping when it hits a gap of unused addresses. Each address gets an explorer link so you can verify on-chain.

Derived addresses: Some chains store raw credentials in logs that aren't directly searchable on an explorer. The tool converts them automatically:

Cardano — hex credential → stake1... bech32 address
TON — 32-byte hash → UQ... user-friendly address
Stacks — compressed pubkey → SP... c32check address

Look for the blue "Derived Address" block when you expand one of these accounts. It includes a copy button and an explorer link. Always verify derived addresses with the customer — they're computed from log data, not confirmed on-chain.

Token tiles with live balance: When you expand an EVM account, each ERC-20 token sub-account renders as a tile showing the ticker, live on-chain balance (one Multicall3 call per chain), and live USD value (DexScreener). Tiles are clickable and link to the token on the correct block explorer. Coverage is broad across 19 EVM chains; tokens on Lukso, Moonbeam, and Kaia render with "no live price" because those chains lack DexScreener coverage. If a customer reports "my tokens are missing," the tile shows the on-chain truth — not what their cached app data says.

The Raw JSON viewer (under Advanced) has a search that works like Chrome DevTools. As you type, the tree automatically expands to reveal matching nodes and scrolls to the first one.

Navigation: The counter shows 1/47 — your position in the results. Use the ▲▼ buttons or press Enter to jump to the next match. Shift+Enter goes backward. The current match is highlighted with a purple left border; other matches have a subtle tint.

The expand/collapse buttons (Collapse, Level 1/2/3, All) still work independently. Clearing the search collapses the tree back to its previous state.

The tool automatically fetches live blockchain balances for every account in the log — no app.json needed. As soon as you load a file, balances start appearing on each account card in the Accounts section with a green dollar value.

Coverage: 40+ chains including all EVM chains (Ethereum, Polygon, BSC, Arbitrum, etc.), Bitcoin, Litecoin, Dogecoin, Bitcoin Cash, Zcash, Solana, Tezos, XRP, Cardano, NEAR, Tron, TON, Cosmos, and more.

Portfolio total: The sidebar shows fiat values next to funded accounts for a quick scan. The Accounts section header shows the total funded/empty split. For a full portfolio view, use the Portfolio ▸ overlay on the Accounts health tiles.

Copy exports: All copy formats (Summary, Full, Customer) now include live balances and fiat values per account, plus a PORTFOLIO total line.

Balances are fetched from public blockchain APIs and priced via CoinGecko. No API keys required. Accounts that show "live ···" are still loading. Xpub accounts (Bitcoin-family) use the existing Xpub Scanner for balance — live fetch doesn't apply to those.

The tool supports logs from Ledger Wallet Mobile (iOS and Android). When a mobile log is loaded, a solid purple MOBILE badge appears next to the file name in the header — bold and unmissable.

What's different about mobile logs: They don't include sync data (operation counts, log balances, or sync duration). All accounts show "no data" badges instead of operation counts. The tool compensates by showing live blockchain balances for every account.

What works the same: Error detection, device info (when available), timeline, network requests, copy exports. The Overview and Issues section work identically.

When a log has accounts but no sync data (common with mobile logs and some short sessions), the tool shows amber warnings everywhere so you don't mistake "no data" for "empty account."

What you'll see: An amber banner on the Overview, amber ⚠ next to the Accounts count in the sidebar, amber borders on account cards, and "no data" badges instead of "empty." Live blockchain balances are fetched automatically — the sidebar shows fiat values where available. Accounts that show a green fiat value are confirmed live-funded; use the live balance as your reference even without sync data.

Copy exports include a "⚠ NO SYNC DATA" warning at the top so recipients know the data source.

Small hint text appears below interactive elements to show available interactions:

Health tiles: "hover for details · click to filter · shift+click to focus"
Timeline legend: "click to filter · hover to highlight"
Issues chips: "click to filter · hover to preview on strip"

These hints are always visible but unobtrusive (9px, muted, 50% opacity). New agents learn the interactions; experienced agents stop noticing them.

Customer View replicates the Ledger Wallet interface so you can see exactly what the customer sees. Switch to it using the Customer View toggle in the top bar. Load the customer's app.json via the upload banner for full data.

Five tabs in the left sidebar, matching the real Ledger Wallet layout:

• Portfolio — total balance, asset allocation table (Asset, Price, Allocation bar, Balance, Value), recent dApp activity. Click any asset row to jump to that account.
• Accounts — all accounts in a horizontal grid: icon, chain name, account name, ✓ checkmark, crypto balance, fiat value, star. Click any row to see account detail with full operations timeline, token balances, swap history, and staking split.
• Earn — staking positions, deposited amounts, estimated APY, rewards earned, validator names, and liquid staking tokens (stETH, JupSOL, LBTC, etc.). Two sub-tabs: "My rewards" and "Earn opportunities."
• My Ledger — device model, firmware version, storage bar showing app sizes, app catalog with version checks (installed, outdated, missing).
• Agent Insights — diagnostic dashboard comparing what the customer sees to what's actually on-chain. Fixed-viewport master-detail layout. This is your primary investigation tool for balance and sync tickets.

Agent Insights is a fixed-viewport dashboard at the bottom of the Customer View nav. It compares the customer's app.json data to live blockchain balances and flags discrepancies.

Layout: Stat cards across the top (Portfolio delta, Device, Data confidence, Customer settings), then a master-detail split below. Compact findings list on the left, full detail panel on the right.

How to use it:

• Load app.json + wait for live balances — the tool fetches on-chain balances automatically. Agent Insights populates as data arrives.
• Read top to bottom — red findings first, then amber, then green. The first red finding is auto-selected and its detail appears on the right.
• Click any finding — the right panel shows the comparison grid (Customer sees vs On-chain), the recommended action, evidence trail, and copy button.
• "View in Customer View ↗" — navigates to the specific account in the Accounts tab for deeper investigation.
• "Copy to clipboard" — copies a formatted summary for pasting into your ticket.

Drain detection: When an account's balance has dropped more than 90% and was worth real money, Agent Insights classifies it as DRAINED instead of "Balance changed." If two or more accounts are drained, a SEED COMPROMISE alert appears at the top of the findings list with a fund flow diagram, attacker addresses, and a one-click drain report for escalation. See the playbook entry "My account was drained" for the investigation workflow.

Many customers have staked or frozen funds. The tool detects this automatically when balance ≠ spendableBalance in the app.json and adjusts the comparison accordingly.

What you'll see: A purple 🥩 staking card in the Agent Insights detail panel showing "Total: 276.34 SOL · Staked: 276.12 SOL · Available: 0.21 SOL." The comparison uses the available balance (not total) against the live balance — preventing false alarms on staked funds.

Chain-specific labels:

• SOL, ATOM, DOT, NEAR, ADA, ALGO — "Staked / Delegated"
• TRX — "Frozen (bandwidth/energy)"
• XRP, XLM — "Network reserve" (not staking — these are protocol-required minimums)

Solana note: Solana staking uses separate stake accounts. The live balance only reflects the main account, not stake accounts. The tool notes this explicitly so you don't mistake staked SOL for missing SOL.

The Earn tab shows all staking positions from the customer's app.json. Use it for "my staking isn't working," "I can't unstake," or "my rewards are wrong" tickets.

"My rewards" sub-tab: Total deposited (fiat + allocation bar), total rewards earned, and a table of deposited assets with account name, invested amount, estimated APY, and rewards.

Click any staking position to expand: validator names (NEAR shows readable names like "ledgerbyfigment.poolv1.near"), balance breakdown, and a timeline of staking operations (delegated, undelegated, withdrawn, rewards claimed).

Liquid staking tokens section below the table shows stETH, JupSOL, LBTC, cbETH and other LSTs the customer holds, with the provider name and parent account.

"Earn opportunities" sub-tab: Lists the staking providers available in Ledger Wallet (Ledger by Figment, Kiln, Lido, Coinbase, Yield.xyz) with which chains each supports.

Four formats

Quick Summary Quick ticket note. Device info, top accounts with live balances, top errors, portfolio total. Paste into your support ticket.

Full Export Complete data dump. All accounts with live balances and fiat values, all errors, device apps. For escalation to Tier 2 or engineering.

Copy Customer Summary Account-focused. Live balances, fiat values, and portfolio total. For describing what the wallet looks like. Available in the Overview action bar and as a button in Customer View.

Copy Errors All errors with severity, action items, and common causes. Available at the top of the Issues section. Great for tickets focused on error investigation.

All four formats are in the 📋 Copy report ▾ dropdown in the Overview triage row. Copy Errors is also available as a standalone button in the Issues section header. Each format is color-coded: purple for Quick Summary/Full Export, orange for customer, red for errors.