
Topic: ColdCard hardware wallet - page 3. (Read 2548 times)

legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
January 12, 2021, 02:26:41 PM
#58
I don't think a new licence can apply to old versions of the code... you can't (or at least, you shouldn't be able to) retroactively change the rules like that. Imagine if you have a repo that people had been forking for years and then just suddenly decided "you must pay $1000 to use this code".

Anything created after the date of the licence change should be covered by the new licence... but anything that was done prior to that, should be covered by the old licence.

I agree 100%, and that seems to be the take of a lot of people.
But, there are a few lawyers out there, one of whom I spoke to, who think differently (old friend, nothing to do with this at all). The general take is that if you don't have a commercial product out yet then yes, they can change the license terms. If you were selling and delivering a product then it's a line in the sand, anything after this you can't use. No idea how accurate that is, but they do work for a major firm that deals with this stuff.

-Dave


HCP
legendary
Activity: 2086
Merit: 4361
January 12, 2021, 02:02:43 PM
#57
I don't think a new licence can apply to old versions of the code... you can't (or at least, you shouldn't be able to) retroactively change the rules like that. Imagine if you have a repo that people had been forking for years and then just suddenly decided "you must pay $1000 to use this code".

Anything created after the date of the licence change should be covered by the new licence... but anything that was done prior to that, should be covered by the old licence.
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
January 12, 2021, 04:17:37 AM
#57
--snip--
They went to the CC Commons Clause license to screw with these people: https://bitcointalksearch.org/topic/thoughts-about-passport-hardware-wallet-5265233 and were public about it.
I have no problem with them changing how they do / license stuff but it should be for all work after "X" date. If I am doing something using your code that was GPLd and then you come back and change what I can do after, it's just a dick move. Now, what the Passport people did was not cool either so there is that, I just think they could have handled it a tiny bit better.

-Dave

I'm a bit confused, does that mean they change every single git commit (which means commit hash changed) to make every single commit contain current license (GPL, MIT & CC rather than only GPL)?
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
January 12, 2021, 08:14:57 AM
#56
--snip--
They went to the CC Commons Clause license to screw with these people: https://bitcointalksearch.org/topic/thoughts-about-passport-hardware-wallet-5265233 and were public about it.
I have no problem with them changing how they do / license stuff but it should be for all work after "X" date. If I am doing something using your code that was GPLd and then you come back and change what I can do after, it's just a dick move. Now, what the Passport people did was not cool either so there is that, I just think they could have handled it a tiny bit better.

-Dave

I'm a bit confused, does that mean they change every single git commit (which means commit hash changed) to make every single commit contain current license (GPL, MIT & CC rather than only GPL)?

Depends on the lawyers ;)

But, from what was explained to me from what I posted in the other thread (and this could be 100% wrong): if you have a git repository etfbitcoin/etfbitcoins-amazing-project and you change it from one license to another then the latest version stands across the entire project. So even if you don't change it everywhere, if someplace you posted the new license it stands.

If, even in the same account, you have etfbitcoin/etfbitcoins-amazing-project2 then you can fork it off and keep the old code under the old license and everything you do from there going forwards in the ...2 git is under the new.

It's also, as far as she knew, never been tested in court and also since they are a Canadian company and she is US based it might be interpreted differently.

You now know as much as I do.

-Dave
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
January 11, 2021, 08:48:05 AM
#55
Paper Wallet features temporarily removed to free space; will return in future version.
License changed from GPL to MIT+CC on files for which the GPL doesn't apply.

Going to CC is BS for something like this. But whatever. Let's see if there is any backlash.
Killing the paper wallet is a bummer, I actually used it a lot.


Removing the paper wallet feature doesn't make sense, but what's wrong with using multiple licenses when AFAIK both MIT and CC are less restrictive than GPL?

They said they needed space, I am guessing something they were doing (QR code generation?) was using a large library for something.

They went to the CC Commons Clause license to screw with these people: https://bitcointalksearch.org/topic/thoughts-about-passport-hardware-wallet-5265233 and were public about it.
I have no problem with them changing how they do / license stuff but it should be for all work after "X" date. If I am doing something using your code that was GPLd and then you come back and change what I can do after, it's just a dick move. Now, what the Passport people did was not cool either so there is that, I just think they could have handled it a tiny bit better.

-Dave
legendary
Activity: 2870
Merit: 7490
Crypto Swap Exchange
January 11, 2021, 07:15:47 AM
#55
Paper Wallet features temporarily removed to free space; will return in future version.
License changed from GPL to MIT+CC on files for which the GPL doesn't apply.

Going to CC is BS for something like this. But whatever. Let's see if there is any backlash.
Killing the paper wallet is a bummer, I actually used it a lot.


Removing the paper wallet feature doesn't make sense, but what's wrong with using multiple licenses when AFAIK both MIT and CC are less restrictive than GPL?
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
January 10, 2021, 08:55:59 PM
#54
So after 5 months we get an update.

https://coldcardwallet.com/docs/upgrade <-- Don't trust my link, verify.

Quote
Version 3.2.1 - Jan 8, 2021
Major Multisig improvements! If you are using multisig features, please backup your Coldcard before upgrade, just in case (but shouldn't be a problem).
Tracks derivation path for each co-signer and no longer assumes they all use a shared derivation path. Blocks multiple instances of same XFP in the wallet (not supported anymore, bad idea). Various displays updated to reflect derivation path change. Text file import: "Derivation:" line can be repeated, applies to all following xpubs.
Show Ypub/Zpub formatted values from SLIP-132 when viewing details of wallet.
Standardize on "p2sh-p2wsh" nomenclature, rather than "p2wsh-p2sh", thanks to @humanumbrella. For airgapped multisig wallet creation, you must use same firmware version on all Coldcards or this change can make trouble.
Address type (p2sh-p2wsh, p2sh, p2wsh) is captured from MS wallets created by PSBT file import.
Can now store multiple wallets involving same set of XFP values, if they have differing subkey paths and/or address formats.
New mode which disables certain multisig checks to assist bug compatibility.
Enhancement: Add support for signing Payjoin PSBT files based on BIP-78.
Enhancement: Promoted the address explorer to the main menu. It's useful! (credit to @matt_odell)
Bugfix: zero-length BIP39 passphrase, when saved, would cause a crash when restore attempted. We recommend longer passphrases, but fixed the issue.
Enhancement: Move the "blockchain" setting deeper into the "Danger Zone" and add warning screen. This mitigates a concern raised by @benma (Marko Bencun) where an attacker could socially-engineer you to sign a transaction on Testnet, which corresponds to real UTXO being stolen. Only developers should be using Testnet.
Bugfix: Display of amounts could be incorrect by a few sats in final digits.
Bugfix: Incorrect digest method picked when P2SH-P2WSH incorrectly identified as plain P2SH.
Bugfix: Better error reporting when importing bogus multisig wallet files.
Enhancement: Files created on MicroSD will have date and time determined by the version of firmware that made them. Downstream systems might use this to know when the Coldcard should be upgraded, or which firmware version created the data. Idea from @sancoder
Enhancement: Show version of secure element, under Advanced > Upgrade > Show Version.
Enhancement: Improve 'None of the keys involved...' message to show XFP value actually found inside PSBT file.
Enhancement: "Invalid PSBT" errors are shown with more information now.
Paper Wallet features temporarily removed to free space; will return in future version.
License changed from GPL to MIT+CC on files for which the GPL doesn't apply.

Not real happy about these 2:

Paper Wallet features temporarily removed to free space; will return in future version.
License changed from GPL to MIT+CC on files for which the GPL doesn't apply.

Going to CC is BS for something like this. But whatever. Let's see if there is any backlash.
Killing the paper wallet is a bummer, I actually used it a lot.


Bugfix: Display of amounts could be incorrect by a few sats in final digits.
I really thought it was me just not paying attention when an amount looked wrong. Heh, should have mentioned it.

-Dave
HCP
legendary
Activity: 2086
Merit: 4361
August 10, 2020, 03:57:56 PM
#53
Seems a bit "overkill"... it also makes it a bit difficult for someone to memorise that "passphrase"...

I know humans are generally pretty terrible at creating good passwords etc and picking a strong random password is not a "Bad Thing"™ per se, but forcing a 12 word password onto someone doesn't seem like the most user friendly approach. The end user is then left with the problems of:

1. Remembering the 12 word password
2. Securing the 12 word password

It's a tricky problem I guess... don't want a user to compromise themselves by having a stupid password like "password123" encrypting their backup... but don't want to make it overly complex and onerous... :-/
legendary
Activity: 1624
Merit: 2481
August 10, 2020, 07:40:00 AM
#52
It makes perfect sense since it adds a level of security, if your seed is compromised your funds are gone unless you use a passphrase, the passphrase for the backup is not your seed it is to decrypt the backup which has your seed, if the attacker gets access to your backup passphrase but not to the backup itself you are still safe. Of course you would never have the backup and the passphrase for the backup in the same location.

You understood correctly, but in this case the passphrase to restore the backup is 12 words; the backup, I believe, also includes the PIN, duress PIN, and brick PIN.

Of course this makes sense. But using 12 words as a passphrase to encrypt the mnemonic code can be quite irritating. Especially for a new user.
The passphrase can be chosen freely. Everyone can be free to choose 12 words or 11 or no words at all to encrypt it.

But generating a 12 word "mnemonic" to decrypt the actual mnemonic code is not that smart an approach IMO. Rather let the user set any passphrase.
sr. member
Activity: 313
Merit: 258
August 09, 2020, 07:40:33 AM
#51
[...]
I wonder how long before someone figures out a way to update the firmware so that it creates an unencrypted backup of your seed on the microSD card :P

I have tried the backup option. It creates a 12 word mnemonic that acts as the pass phrase to decrypt it.

Huh ?

What kind of backup is being generated if you still need your 12 word mnemonic ?

Are you sure that you need your mnemonic seed to decrypt the backup file ??
IMO, this wouldn't make much sense. The mnemonic seed should be the backup itself.


As I have understood it, it generates a backup (= encrypted mnemonic seed) which needs a password(?) to be decrypted.

It makes perfect sense since it adds a level of security, if your seed is compromised your funds are gone unless you use a passphrase, the passphrase for the backup is not your seed it is to decrypt the backup which has your seed, if the attacker gets access to your backup passphrase but not to the backup itself you are still safe. Of course you would never have the backup and the passphrase for the backup in the same location.

You understood correctly, but in this case the passphrase to restore the backup is 12 words; the backup, I believe, also includes the PIN, duress PIN, and brick PIN.

The only thing that is missing is a timer lockdown to view the seed, it should only show the seed after a given period of time set by the user, this way if you are not very careful with the wallet while using it on a public place you are still safe.

The seed has to be backed up somewhere, having it on a piece of paper has a higher risk than storing it on an encrypted file, and a hardware wallet is the perfect device for doing the encryption.
 
member
Activity: 158
Merit: 10
August 04, 2020, 04:20:00 PM
#50
Coinkite guys lost my 1 BTC, claiming somebody got my API keys. I really wanted to get this Coldcard, but once I got to checkout and saw it was Coinkite, I don't think I trust them.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
July 31, 2020, 08:06:09 PM
#49
but are they completely open-source
Not for long. They are scared of Passport wallet forking them, so now they are changing the license from open source to creative commons.
Silly people :)

Yeah, I posted the twitter link in the other thread and saw their reply that you posted.
I wonder if they are really going to do it, or if it was just a knee-jerk reaction to seeing the passport out there and they will mellow out.

I love their products, but if they turn into jerks, I'm looking elsewhere.

-Dave
legendary
Activity: 2212
Merit: 7064
July 31, 2020, 05:32:19 PM
#48
but are they completely open-source
Not for long. They are scared of Passport wallet forking them, so now they are changing the license from open source to creative commons.
Silly people :)

....googling (duck duck go)
We need a new word for internet search without using google.... duckling :D
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
July 31, 2020, 12:25:44 PM
#47
The design of the wallet isn't of primary concern to me. I wouldn't care if it was shaped like a pineapple. :D
I would be fine with using a USB stick type of device or a simple calculator lookalike.

ColdCard uses a secure element just like Ledger. They are open-sourced, but are they completely open-source, is the code for the secure element also open source or closed source?   

From what I can see it's closed.
https://news.ycombinator.com/item?id=22301327

There are other links that say the same thing, that you need to sign an NDA.
With that being said, it's out there if you look hard enough. Well above what I understand in both programming and function, but with some googling (duck duck go) it's out there.


-Dave
legendary
Activity: 2730
Merit: 7065
July 31, 2020, 11:24:52 AM
#46
The design of the wallet isn't of primary concern to me. I wouldn't care if it was shaped like a pineapple. :D
I would be fine with using a USB stick type of device or a simple calculator lookalike.

ColdCard uses a secure element just like Ledger. They are open-sourced, but are they completely open-source, is the code for the secure element also open source or closed source?   
legendary
Activity: 2212
Merit: 7064
July 31, 2020, 11:03:10 AM
#45
I checked his twitter profile to see if there are any recent tweets in which he was shilling ColdCard in any other capacity. But at least for July there wasn't a single mention. So I guess that recommendation of his is genuine.
Yes, I think so. But he is shilling his own company Casa :)
Call me old-fashioned but I like the old calculator style of the ColdCard wallet, but I don't like the price, which is more expensive compared to other HW competition.
legendary
Activity: 2730
Merit: 7065
July 31, 2020, 10:53:01 AM
#44
Snip
I checked his twitter profile to see if there are any recent tweets in which he was shilling ColdCard in any other capacity. But at least for July there wasn't a single mention. So I guess that recommendation of his is genuine.
legendary
Activity: 2212
Merit: 7064
July 31, 2020, 09:40:09 AM
#43
Interesting thing I found: Jameson Lopp (Casa co-founder) is recommending ColdCard as the hardware wallet of his choice.
He also conducted testing of many metal seed backups, and many other useful things can be found on his website:
https://www.lopp.net/bitcoin-information/recommended-wallets.html
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
June 14, 2020, 03:30:01 PM
#42
Separate post than the one above (I'll combine it later) but 3.1.6 just came out.
Has some minor changes from 3.1.5 that came out yesterday.
If you applied the update from yesterday, you still should do this one.

https://coldcardwallet.com/docs/upgrade <-- Don't trust my link, verify.

-Dave
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
June 14, 2020, 07:59:58 AM
#41
Cleaning up the thread a bit. Putting all the firmware update posts I have made for a while into 1 big post.
You can always get the latest at
https://coldcardwallet.com/docs/upgrade   <-- Remember, don't just trust my links, verify for yourself.


I just figure having 1 thread with all the updates on it will make it a bit easier for people to know what changed when.

Latest update on the bottom.
Some dates go back to 2019.


2.0.4 came out on May 13th

From ColdCard:
Release Notes (v2.0.3 – 2.0.4)

Quote
   Transaction signing speed improved by about 3X.
    Will warn if miner's fee is over 5% of txn amount (was 1% before). Hard limit remains 10% (configurable, can be disabled completely).
    Robustness: Tighten stack-depth checking, increase heap size, shuffle some memory.
    Bugfix: Transactions with more than 10 outputs were not summarized correctly.
    Bugfix: Consolidating transactions that move UTXO within same wallet are shown better.
    Bugfix: Better recovery from too-complex transaction errors.
    "Don't forget your PIN" warning message is more bold now.
    (in 2.0.4) Bugfix: Clearing duress PIN would lead to an error screen.
    (in 2.0.4) Bugfix: Advanced > "Lock Down Seed" command didn't work correctly.
    (in 2.0.4) Bugfix: Importing seed words manually didn't work on second try (thanks @duck1123)

-Dave




Firmware v2.1 is out

https://coldcardwallet.com/docs/upgrade

Quote
2019-06-26T1317-v2.1.0-coldcard.dfu released June 26, 2019.

    Major release with Multisig support!
        New menu under: Settings > Multisig Wallets
        Lists all imported M-of-N wallets already setup
        Export, import for air-gapped creation
        Related settings and more
    Broad change: extended public key finger (XFP) values used to be shown in the wrong endian (byte swapped), and prefixed with 0x to indicate they were a number. In fact, they are a byte string and should be shown in network order. Everywhere you might be used to seeing your XFP value has been switched, so 0x0f056943 becomes 4369050F (all caps, no 0x prefix). Affected areas include:
        BIP39 password confirmation screen
        Advanced > View Identity screen
        Electrum skeleton wallet export (label of wallet)
        Dump public data file (text in file header)
        xfp command in ckcc CLI helper (can show opposite endian, if needed)
    Export skeleton wallets for Wasabi Wallet https://wasabiwallet.io/ to support air-gapped use.
    Summary file (public.txt) has been reworked to include more XPUB values and a warning about using addresses your blockchain-monitoring wallet might not be ready for.
    When BIP39 passphrase is given over USB, and approved, the new XFP is shown on-screen for reference.
    Use with Electrum will require our updated plugin changes.


-Dave



2.1.1 came out a few weeks ago.

https://coldcardwallet.com/docs/upgrade

Quote
    Major release with Multisig support!
        New menu under: Settings > Multisig Wallets
        Lists all imported M-of-N wallets already setup
        Export, import for air-gapped creation
        Related settings and more
    Broad change: extended public key finger (XFP) values used to be shown in the wrong endian (byte swapped), and prefixed with 0x to indicate they were a number. In fact, they are a byte string and should be shown in network order. Everywhere you might be used to seeing your XFP value has been switched, so 0x0f056943 becomes 4369050F (all caps, no 0x prefix). Affected areas include:
        BIP39 password confirmation screen
        Advanced > View Identity screen
        Electrum skeleton wallet export (label of wallet)
        Dump public data file (text in file header)
        xfp command in ckcc CLI helper (can show opposite endian, if needed)
    v2.1.1: New feature: Create seed words from D6 dice rolls:
        under "Import Existing > Dice Rolls"
        just keep pressing 1 - 6 as you roll. At least 99 rolls are required for 256-bit security
        seed is sha256(over all rolls, as ascii string)
        normal seed words are shown so you can write those down instead of the rolls
        can also "mix in" dice rolls: after Coldcard picks the seed words and shows them, press 4 and you can then do some dice rolls (as many or as few as desired) and get a new set of words, which adds those rolls as additional entropy.
    Export skeleton wallets for Wasabi Wallet https://wasabiwallet.io/ to support air-gapped use.
    Summary file (public.txt) has been reworked to include more XPUB values and a warning about using addresses your blockchain-monitoring wallet might not be ready for.
    When BIP39 passphrase is given over USB, and approved, the new XFP is shown on-screen for reference.
    v2.1.1: Wasabi wallet support: remove extra info from skeleton file, change XFP endian, add version field.
    Use with Electrum will require our updated plugin changes.

Older releases and their changes are listed here, the source code, and much more can be found in our repository on github.
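
The dice-roll procedure in the v2.1.1 notes above can be re-checked off-device. This is an added example, not part of the original post and not Coldcard's code: it hashes the ASCII roll string with SHA-256 as the notes state, then (as an assumption about how the "normal seed words" are derived) applies the standard BIP-39 checksum split to get 24 word indices. Function names and sample rolls are constructed; the word list is omitted, so indices are looked up in the BIP-39 English list separately.

```python
import hashlib
import math

MIN_ROLLS = 99  # figure quoted in the release notes


def entropy_bits(rolls):
    """Upper bound on entropy, assuming fair and independent D6 rolls."""
    return len(rolls) * math.log2(6)


def seed_from_rolls(rolls):
    """sha256 over all rolls, as an ASCII string of the digits 1-6."""
    if not rolls or any(c not in "123456" for c in rolls):
        # Spaces, commas or a stray 0/7 would silently change the hash,
        # so reject anything that is not a plain run of 1-6.
        raise ValueError("rolls must be a non-empty string of digits 1-6")
    return hashlib.sha256(rolls.encode("ascii")).digest()


def bip39_indices(entropy):
    """Standard BIP-39 encoding: entropy || checksum, cut into 11-bit indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("BIP-39 entropy must be 128-256 bits")
    cs_bits = len(entropy) * 8 // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    total = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (len(entropy) * 8 + cs_bits) // 11
    return [(total >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def audit(rolls):
    """Summarise a roll string: length, entropy estimate, seed and word indices."""
    seed = seed_from_rolls(rolls)
    return {
        "rolls": len(rolls),
        "bits": round(entropy_bits(rolls), 1),
        "enough": len(rolls) >= MIN_ROLLS,
        "seed_hex": seed.hex(),
        "indices": bip39_indices(seed),
    }


if __name__ == "__main__":
    # Constructed sample: far too short for real use, handy for comparing
    # against `echo -n 123456 | sha256sum` on an offline machine.
    report = audit("123456")
    print(report["seed_hex"])
    print("rolls=%d bits=%.1f enough=%s" % (report["rolls"], report["bits"], report["enough"]))
    print("0-based BIP-39 word indices:", report["indices"])
```

Run it only on an offline machine if the rolls are for a real wallet; anything that sees the roll string sees the seed.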



Version 2.1.2 released today.
https://coldcardwallet.com/docs/upgrade

All new firmware since 2.1 have multisig support.

https://coldcardwallet.com/docs/multisig

All changes in 2.1.2

Quote
    Add extra warning screen about forgetting your PIN.
    Remove warning screen about Testnet vs Mainnet.
    Bugfix: Change for XFP endian display introduced in 2.0.0 didn't actually correct endian display and it was still showing values in LE32. Correctly corrected now.
        now showing both values in "Advanced > View Identity screen".
        some matching changes to ckcc-protocol (CLI tool)
        when making multisig wallets in airgap mode, you must use latest firmware on all the units
    Bugfix: Error messages would sometimes disappear off the screen quickly. Now they stay up until OK pressed. Text of certain messages also improved.
    Bugfix: Show a nicer message when given a PSBT with corrupted UTXO values.
    Bugfix: Block access to multisig menu when no seed phrase yet defined.
    Bugfix: Any command on multisig menu that used the MicroSD card would crash, if card was not present.
    Bugfix: When offline multisig signing sometimes tried to finalize PSBT, but we can't.
    Bugfix: For multi-pass-multisig signing, handle filenames better (end in -part, not -signed).

-Dave



Version 2.1.3 was released Sep 6, 2019.
This is why I love my ColdCard, they keep working on it, releasing new features and fixes.
Not letting it sit out there like some other wallets.
-Dave

Quote
Code:
    Major release with Multisig support!
        New menu under: Settings > Multisig Wallets
        Lists all imported M-of-N wallets already setup
        Export, import for air-gapped creation
        Related settings and more
    Broad change: extended public key finger (XFP) values used to be shown in the wrong endian (byte swapped), and prefixed with 0x to indicate they were a number. In fact, they are a byte string and should be shown in network order. Everywhere you might be used to seeing your XFP value has been switched, so 0x0f056943 becomes 4369050F (all caps, no 0x prefix). Affected areas include:
        BIP39 password confirmation screen
        Advanced > View Identity screen
        Electrum skeleton wallet export (label of wallet)
        Dump public data file (text in file header)
        xfp command in ckcc CLI helper (can show opposite endian, if needed)
    New feature: Create seed words from D6 dice rolls (v2.1.1):
        under "Import Existing > Dice Rolls"
        just keep pressing 1 - 6 as you roll. At least 99 rolls are required for 256-bit security
        seed is sha256(over all rolls, as ascii string)
        normal seed words are shown so you can write those down instead of the rolls
        can also "mix in" dice rolls: after Coldcard picks the seed words and shows them, press 4 and you can then do some dice rolls (as many or as few as desired) and get a new set of words, which adds those rolls as additional entropy.
    Export skeleton wallets for Wasabi Wallet https://wasabiwallet.io/ to support air-gapped use.
    Summary file (public.txt) has been reworked to include more XPUB values and a warning about using addresses your blockchain-monitoring wallet might not be ready for.
    When BIP39 passphrase is given over USB, and approved, the new XFP is shown on-screen for reference.
    Use with Electrum will require our updated plugin changes.

Changes in version 2.1.3:

    Visual change: unknown components of multisig co-signer derivation paths used to be shown as m/?/?/0/1 but will now be shown as m/_/_/0/1. The blank indicates better that we can't prove what is in that spot, not that we don't know what value is claimed.
    Bugfix: Some backup files would hit an error during restore (random, less than 6%). Those existing backup files will be read correctly by this new version of firmware.
    Bugfix: P2SH-P2WPKH change outputs incorrectly flagged as fraudulent (regression from v1.1.0)
    Bugfix: Wanted redeem script, but should be witness script for P2WSH change outputs.




2.1.5 came out the 17-September-2019
There was also a 2.1.4 that was released just after 2.1.3 to fix a small bug

https://coldcardwallet.com/docs/upgrade


Quote
Changes in version 2.1.5:

Bugfix: Changes to redeem vs. witness script content in PSBTs. Affects multisig change outputs, primarily.
Bugfix: Import of multisig wallet from xpubs in PSBT could fail if attempted from SD Card.
Bugfix: Improved message shown if import of multisig wallet was refused during PSBT signing.

Changes in version 2.1.4:
Bugfix: For multisig change outputs, many cases were incorrectly flagged as fraudulent.

This is why everyone should use a coldcard, they keep working on it with regular updates.
It does not just sit there in limbo with no development.

-Dave




New firmware came out yesterday 2.1.6:
https://coldcardwallet.com/docs/upgrade

Quote
Changes in version 2.1.6:

NEW for 2.1.6: "Address Explorer": view receive addresses on the screen of the Coldcard, so you can be certain your funds are going to the right place. Can also write first 250 addresses onto the SDCard in a simple text (CSV) format. Special thanks go to @hodlwave for creating this feature.

    NEW: "Address Explorer" feature (see above)
    Bugfix: Improve error message shown when depth of XPUB of multisig cosigner conflicts with path details provided in PSBT or USB 'show address' command.
    Bugfix: When we don't know derivation paths for a multisig wallet, or when all do not share a common path-prefix, don't show anything.

Just did a test myself with the write receive address to the SD card and it worked.
So that is a cool new feature. Not really sure how many people will use it.

Was thinking creating jpgs with QR codes might be nice. Not sure if it can be done with the hardware.

-Dave



New firmware out as of 1-Nov-2019
Instructions and link to firmware are at https://coldcardwallet.com/docs/upgrade as always.

Quote
Version 3.0.2 - Nov 1, 2019
New command in Danger Zone menu to view the seed words on-screen, so you can make another on-paper backup as needed.
Robustness: Analyse paths used for change outputs and show a warning if they are not similar in structure to the inputs of that same transaction. These are imperfect heuristics and if you receive a false positive, or are doing weird things that don't suit the rules below, please send an example PSBT to support and we'll see if we can handle it better:
same derivation path length
shared pattern of hardened/not path components
2nd-last position is one or zero (change/not change convention)
last position within 200 units of highest value observed on inputs
Robustness: Improve checking on key path derivations when we encounter them as text.
accept 10h and 10p as if they are 10' (alternative syntax)
define a max depth (12) for all derivations
thanks to @TheCharlatan
Security Improvement: during secure logout, wipe entire contents of serial flash, which might contain PSBT, signed or unsigned (for more privacy, deniability)

-Dave
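
The change-output heuristics listed in the 3.0.2 notes above, as an added example (not part of the original post and not Coldcard's firmware code). It implements the four listed rules plus the text-parsing rules (`h`/`p` accepted as `'`, max depth 12); the function names, warning labels and sample paths are constructed, and reading "within 200 units" as an upper bound on the change index is an assumption.

```python
HARDENED = 0x80000000
MAX_DEPTH = 12   # "define a max depth (12) for all derivations"
MAX_GAP = 200    # "last position within 200 units of highest value observed on inputs"


def parse_path(text):
    """Turn "m/84'/0h/0p/1/5" into a list of 32-bit child numbers."""
    parts = text.strip().split("/")
    if parts[0] != "m":
        raise ValueError("path must start with m: %r" % text)
    parts = parts[1:]
    if len(parts) > MAX_DEPTH:
        raise ValueError("path deeper than %d: %r" % (MAX_DEPTH, text))
    path = []
    for part in parts:
        hardened = part[-1:] in ("'", "h", "p")   # 10h and 10p mean 10'
        digits = part[:-1] if hardened else part
        if not (digits.isascii() and digits.isdigit()):
            raise ValueError("bad path component %r in %r" % (part, text))
        value = int(digits)
        if value >= HARDENED:
            raise ValueError("component out of range in %r" % text)
        path.append(value | HARDENED if hardened else value)
    return path


def shape(path):
    """Hardened / not-hardened pattern of a parsed path."""
    return tuple(bool(c & HARDENED) for c in path)


def check_change_path(input_paths, change_path):
    """Return the list of heuristic warnings a change path triggers."""
    inputs = [parse_path(p) for p in input_paths]
    change = parse_path(change_path)
    warnings = []
    # Rule 1: same derivation path length as the inputs.
    if len(change) not in {len(p) for p in inputs}:
        warnings.append("length")
    # Rule 2: shared pattern of hardened / not-hardened components.
    if shape(change) not in {shape(p) for p in inputs}:
        warnings.append("hardened-pattern")
    # Rule 3: 2nd-last position is one or zero (change / not-change convention).
    if len(change) < 2 or change[-2] not in (0, 1):
        warnings.append("change-flag")
    # Rule 4: last position close to the highest index seen on the inputs.
    highest = max((p[-1] & 0x7FFFFFFF for p in inputs if p), default=0)
    if not change or (change[-1] & 0x7FFFFFFF) > highest + MAX_GAP:
        warnings.append("index-gap")
    return warnings


if __name__ == "__main__":
    # Constructed sample: two inputs from one BIP-84 style account.
    inputs = ["m/84'/0'/0'/0/7", "m/84h/0h/0h/1/3"]
    for candidate in ("m/84p/0p/0p/1/4",      # looks like ordinary change
                      "m/84'/0'/0'/1/5000",   # index far beyond the inputs
                      "m/84'/0'/0'/2/4",      # not a 0/1 branch
                      "m/84'/0'/0/1/4",       # account level not hardened
                      "m/84'/0'/1/4"):        # shorter than the inputs
        print(candidate, "->", check_change_path(inputs, candidate) or "ok")
```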



And another new version yesterday:
Login Countdown looks interesting.
As always available here: https://coldcardwallet.com/docs/upgrade

Quote
Version 3.0.3 - Nov 6, 2019

    Add "Login Countdown" feature: once enabled, you must enter your PIN correctly, and then wait out a forced delay (of minutes/hours/days) while a count down is shown on-screen. Then enter your PIN correctly, a second time, to get in. You must provide continuous power to the Coldcard during this entire period! Go to Settings > "Login Countdown" for the time intervals to pick from. Thanks to @JurrienSaelens for this feature suggestion.
    Nickname feature: Enter a short text name for your personal Coldcard. It's displayed at startup time before PIN is entered. Try it out in Settings > "Set Nickname"
    Bugfix: Adding a second signature (multisig) onto a PSBT already signed by a different Coldcard could fail with "psbt.py:351" error.

-Dave



Version 3.0.5 out today 25-Nov-2019
As always available here: https://coldcardwallet.com/docs/upgrade

Another great feature: PAPER WALLETS that are unrelated to your seed words.
Think about that, you know you want one.

Going to be playing with that a lot over Thanksgiving.

Quote
Address explorer can show QR code for any address (Mk3 only). Press 4 to view. Once shown, press 1 to invert image, and 5/8 for next address. Successful scanning requires the best phone camera, and some patience, due to limited screen size.

Export a command file for Bitcoin Core to create an air-gapped, watch-only wallet. Requires v0.18 or higher of Bitcoin Core. docs/bitcoin-core-usage.md has been updated. Thanks to @Sjors for creating this new feature!

Paper Wallets! Creates random private key (Dice feature available too), unrelated to your seed words, and saves deposit address and private key (WIF format) into a text file on MicroSD. If you have a Mk3, it will also add a QR code inside the text file, and if you provide a special PDF-like template file (example in paperwallet.pdf) then it will superimpose the QR codes into the template, and save the resulting ready-to-print PDF to MicroSD. CAUTION: Paper wallets carry MANY RISKS and should only be used for SMALL AMOUNTS.

Adds a "Format Card" command for erasing MicroSD contents and reformatting (FAT32).

Bugfix: Idle-timeout setting should only take effect after the login countdown. Thanks to @aoeui21 for reporting this.



There is a new firmware out as of the 19th.
https://coldcardwallet.com/docs/upgrade

  Version 3.0.6

Security Bugfix: Fixed a multisig PSBT-tampering issue, that could allow a MitM to steal funds. Please upgrade ASAP.

The usual other changes:

Quote
Enhancement: Sign a text file from MicroSD. Input file must have extension .TXT and contain a single line of text. Signing key subpath can also be provided on the second line.
Enhancement: Now shows the change outputs of the transaction during signing process. This additional data can be ignored, but it is useful for those who wish to verify all parts of the new transaction.
Enhancement: PSBT files on MicroSD can now be provided in base64 or hex encodings. Resulting (signed) PSBT will be written in same encoding as the input PSBT.
Bugfix: crashed on entry into the Address Explorer (some users, sometimes).
Bugfix: add blank line between addresses shown if sending to multiple destinations.
Bugfix: multisig outputs were not checked to see if they are change (would have been shown as regular outputs), if the PSBT did not have XPUB data in globals section.

-Dave
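For the 3.0.6 note above about accepting PSBT files in base64 or hex and writing the signed result back in the same encoding, an added Python sketch of encoding detection keyed on the BIP-174 magic bytes. It is not Coldcard firmware code; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii

PSBT_MAGIC = b"psbt\xff"  # BIP-174 magic bytes at the start of every PSBT

def decode_psbt(data):
    """Return (encoding, raw) with encoding in {'binary', 'hex', 'base64'}."""
    if data[:5] == PSBT_MAGIC:
        return "binary", data
    text = data.strip()  # text encodings often arrive with a trailing newline
    try:
        if text[:10].lower() == binascii.hexlify(PSBT_MAGIC):
            return "hex", binascii.unhexlify(text)
        if text[:6] == b"cHNidP":  # base64 of the magic; 7th char varies
            raw = base64.b64decode(text, validate=True)
            if raw[:5] == PSBT_MAGIC:
                return "base64", raw
    except (binascii.Error, ValueError):
        pass  # truncated or corrupted text falls through to the rejection
    raise ValueError("not a PSBT in binary, hex or base64 form")

def encode_like(raw, encoding):
    """Re-encode (signed) PSBT bytes in the encoding the input arrived in."""
    if encoding == "binary":
        return raw
    if encoding == "hex":
        return binascii.hexlify(raw)
    if encoding == "base64":
        return base64.b64encode(raw)
    raise ValueError("unknown encoding %r" % encoding)

# Constructed sample: magic plus filler bytes, not a complete PSBT.
SAMPLE = PSBT_MAGIC + bytes(range(1, 9))
```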



There is a new firmware out as of 20-Feb
Something they have at the bottom but should be listed 1st:

Quote
IMPORTANT: This release is NOT COMPATIBLE with Mk1 hardware. It will brick Mk1 Coldcards.

A few other updates and additions:


Quote
HSM (Hardware Security Module) mode: give Coldcard spending rules, including whitelisted addresses, velocity limits, subsets of authorizing users ... and Coldcard can sign with no human present. Requires companion software to setup (ckbunker or ckcc-protocol), and disabled by default, with multi-step on-screen confirmation required to enable. Mk3 only.

Enhancement: New "user management" menu. Advanced > User Management shows a menu with usernames, some details and a 'delete user' command. USB commands must be used to create user accounts and they are only used to authenticate txn approvals in HSM mode.

Dropping support for the 1st gen and adding a feature that only works on the 3rd gen is not cool IMO, but I understand that hardware evolves and sometimes has to be replaced.

On the very, very slight chance there is a security issue in the 1st gens that comes out it's going to be interesting to see their reaction.
Will they fix it or will they just say get a new one?

-Dave



Another update as of today 27-Feb-2020:

Version 3.1.2 - Feb 27, 2020

Quote
    Enhancement: New setting to enable a scrambled numeric keypad during PIN login.
    Enhancement: Press 4 when viewing a payment address (triggered by USB command) to see the QR code on-screen (Mk3 only).
    Enhancement: Can enter non-zero account numbers when exporting wallet files for Electrum and Bitcoin Core. This makes importing seeds from other systems easier and safer.
    Enhancement: Dims the display when entering HSM Mode.
    Bugfix: Trust PSBT setting (for multisig wallets) was being ignored. Thanks to @CasaHODL for reporting this.
    Bugfix: XPUB values volunteered in the global section of a PSBT for single-signer files would cause errors (but ok in multisig). Coldcard will now handle this, although it doesn't need them.
    Bugfix: 3.1.1 had a bug which broke the new "non-zero account export" feature.

Since the Mk1 are no longer supported if you contact them at [email protected] with your original Coinkite order ID they are offering 25% off a new one.
I feel it should be more but that's just me.

-Dave



The "I am talking to myself in this thread" post about new firmware.
Version 3.1.3 is now out.

https://coldcardwallet.com/docs/upgrade   <-- Remember don't just trust my links verify for yourself.

Quote

Version 3.1.3 - April 30, 2020

    Enhancement: Save your BIP39 passphrases, encrypted, onto a specific SDCard, if desired. Passphrases are encrypted with AES-256 (CTR mode) using a key derived from the master secret and hash of the serial number of the SDCard. You cannot copy the file to another card. To use this feature, press (1) after you've successfully entered your passphrase. 'Restore Saved' menu item will appear at top of passphrase-entry menu, when correctly-encrypted file is detected.
    Enhancement: Export a generic JSON skeleton file, not aligned with any particular desktop/mobile wallet, but useful for any such integrations. Includes XPUB (and associated data) needed for P2PKH, P2WPKH (segwit) and P2WPKH-P2SH wallets, which conform to BIP44, BIP84, and BIP49 respectively. Thanks to @craigraw for the idea.
    Enhancement: when signing a text file from MicroSD card, if you specify a derivation path that starts with m/84'/... indicating that you are following BIP84 for segwit addresses, the resulting signature will be formatted as P2WPKH in Bech32.
    Minor code cleanups and optimizations.

Looks like some minor stuff, but they keep developing and updating unlike some other hardware wallet people.

And remember V1 hardware is no longer supported :(

Stay safe.

-Dave




And the latest one:

Current Version of Coldcard Firmware — Version 3.1.5
2020-06-13T1928-v3.1.5-coldcard.dfu released June 13, 2020.

NOTE: Releases 3.1.0 and later are NOT COMPATIBLE with Mk1 hardware. They will brick Mk1 Coldcards.

https://coldcardwallet.com/docs/upgrade   <-- Remember don't just trust my links verify for yourself.

Quote
Version 3.1.5 - June 13, 2020
Enhancement: Detect, report and block the recently reported type of attack against BIP-143 (replay of segwit inputs) with an error message. No changes needed to your input PSBT files. Will show errors similar to: "Input#0: Expected 15 but PSBT claims 5.00001 BTC"
Enhancement: When the Coldcard is finalizing the transaction, we show the TXID (hex transaction ID) of the transaction on the screen.
Enhancement: Export deterministically-derived entropy in the form of seed phrases (BIP39), XPRV, private key (WIF), or hex digits using new BIP-85 standard. Useful for seeding other wallets from your Coldcard, so you don't need to backup "yet another" seed phrase. Derived values (all types) can be easily recreated from Coldcard later, or the backup of the Coldcard. Does not expose the Coldcard's master secret, should new wallet be compromised.
Bugfix: When scrambled keypad used with the login delay feature, the PIN-entry sequence was not scrambled after the forced delay was complete. Thanks to an anon customer for reporting this.
Bugfix: Scrambled keypad didn't change between PIN prefix and suffix.
Enhancement: QR Code rendering improved. Should be more readable in more cases. Faster.
Enhancement: View percent consumed of the settings flash space (just for debug)
Enhancement: New command to clear the UTXO history, in rare case of false positive.
(v3.1.5) Bugfix: Signing PSBT with finalization from MicroSD card, did not work. Error about "HexWriter" was shown.
