Topic: Coldcard Mk4 NFC Spec for developers (Read 521 times)

Why don't you say what exactly was this ''lot of wrong information'' posted in this thread?
You can't consider that only your links should be  reliable and true source of information for Coldcard wallet.
I wonder what are you going to say if or when Mk4 gets exploited like ALL your previous devices... maybe again ''very exoteric/hard to pull off''  

Just adding a note, alot of wrong information in this thread.

Mostly addressed in these links https://bitcointalksearch.org/topic/m.60216709

Coldcard Mk4 version not officially released yet, you can only reserve it aka pre-order it... and it's been like this for a long time.
I don't think there are much concerns because they finally decided to be honest and admit their firmware is not open source anymore, but you can still verify it and see what it does.
Not sure what you mean when you said ''software'' but I suspect that new version will only have similar and improved code like previous versions.
Colrcard is not my favorite hardware wallet, but I consider it much better option than ledger, safepal and similar junkware closed source devices.

Are there any news regarding the security concerns of the software, now that the MK4 is released?

That's not entirely correct. They would have to keep your license and also reference to your source. They would be allowed to sell it, but that's normal.
For instance, they started with a Trezor codebase and then sold their own modified version of it; similarly, Foundation sell devices running modified Coldcard software. That's all fine.

If Coldcard were to understand open source properly, they would look into working together with Foundation, sharing bug fixes and improvements amongst each other; that's how open source usually works - everyone benefits. Unfortunately, Coldcard doesn't want anything to do with this. It's their decision, but it's not very logical, to be honest.

Interesting; when we first heard about this '2 secure elements' idea, there were two options: they are storing the secret key material twice (hence 'halving' security - have to trust 2 manufacturers) or they are splitting it; in this case you could say the security is 'doubled', because both manufacturers would need to be malicious and build backdoors into their secure chips.
Now, it does sound cool to hear they went for the second method, but I'm interested to see if that's true (through code) and how the two pieces are combined. Lots of implementations are possible for this; some could be extremely insecure (such as loading both keys into memory and combining them) - potentially less secure than a single secure element that doesn't need to combine its key material with another one.

It's also worth remembering that the code means nothing if something else is running on the device. Last I checked, the firmware builds that Coldcard offers to flash to your devices, don't match the source code they publish. In that case, it's easily possible that the wallet is less secure than what the code makes you believe.

Of course, I wouldn't try to sell something that is available for free because it'd be rather a scammy behavior than a good business strategy, but... I could, for example, improve the original non-licensed source code, add the features Coldcard wallets lack, or remove features that annoy people and make them think Coldcard is no longer a good choice. Maybe I would fix some bugs and patch different vulnerabilities, I'd make it more air-gapped or more friendly to bitcoin and open source principles. I don't know... If I made my version of source code that attractive, Coldcard developers could take it (because it is FOSS), commercialize it, sell it as their own.

Bitcoin Magazine has obtained "exclusive access" to the details of the new version of ColdCard hardware wallet, and made a small review, which can be found here: https://bitcoinmagazine.com/business/inside-the-new-coldcard-mk4

Frankly speaking, I learned nothing new from the details they provided, except for this part:

Sounds kinda cool.

You can fork latest open source version released by coldcard, but why would you want to sell something that is free already, and nobody would buy that shit anyway.
Forking their new common clause license you could get sued by one and only developer they have, but you could just use Passport wallet code by Foundation that continued using open source code.
For me coldcard is now dead and stuck in the mud, and Passport moved on in right direction.

Yes. But it's a fine line to walk.
You take their old code and produce something.

They make an update to the code to do something / fix something.
You want to do / fix the same thing, but the way they did it was the best way and through your testing you came up with the same code to do it.

Can you prove that you did not take their code from ColcCardfile.py and just copy it to witcher_sensefile.py to fix an issue but developed it on your own?
Might me a rabbit hole you don't want to go down.

-Dave

Just to clarify, the Commons Clause license means you can freely access, modify and distribute modified and original software on which this license applies, but you cannot sell it or use this software for commercial purposes. If you are using licensed software, you must include a copyright notice, retain the original copyright and also include the "NOTICE" text file which usually contains some attribution notes. Interestingly, on the page describing what the Commons Clause license is, it is said that "when the Commons Clause is applied to an existing open-source project, it only affects code moving forward -- meaning no existing users are immediately affected. Licenses applied to previous versions are not revoked, so the Clause will only apply to future releases." Does it mean I can take previous versions of ColdCard source code, fork or modify them and then sell to whoever I want?

Finally I see some changes today on ColdCard wallet website after they confirmed they are NOT open source anymore, but they switched to Commons Clause Verifiable Source Code.
Maybe they cracked in last few days after Luke Dashjr said that verifiable source does not mean that code is open source at all, but we already knew that.
You can clearly see on their website how they made changes, but maybe they are preparing some public apology because they lied everyone for months.

Latest screenshot from Coldcard website:


https://coldcard.com/
(archive)

You can check older version of their website in my previous post of this topic above, and there is also saved archived version from yesterday.

I would conclude and say that this was a good decision from NVK, and even if it's not open source it is better than being closed source enigma like Safepal or Ledger.
However, reputation is lost with this changes and lies so I won't recommend Coldcard devices to anyone, not only because of this childish behavior but because they are adding NFC chips in their new devices.
Maybe they will have to remove True Air-Gap statement as well soon.

Dang, even deleted it! Fortunately, someone archived it. Maybe someone could create a NVK archive.org bot for the future.. Should be a few lines of code in Python.

I find it just a bit sad. Coinkite started to build a pretty good reputation from what I was seeing, also with very popular OpenDime and everything; and then we see them starting to fight with other companies over FOSS codebase. This shows they haven't understood anything about open source. Open source is not about grabbing free code, then changing the license to disallow anyone to benefit from your changes. Instead, it's more about working together on one codebase to make it as good as possible.

I would have really liked to see them actually collaborate. While making two pretty different devices they could have basically doubled the size of the software team. By working on the same codebase, there was a chance to maybe create the next-gen 'state-of-the-art' go-to Bitcoin hardware wallet firmware that then others could also use and also help improve.

Well of course it's not official stores but nobody can prevent them to make their own prices as they like, same thing I saw in official resellers, very much different prices from one store to another.

Back on Coldcard topic,I have to say that I am amazed by crazy behavior of NKV coldcard developer, he is blocking and banning people all over, ranting against Foundation Passport and all other hardware wallets.
He is spending way to much time on twitter, and he is still making fake claims on their website that coldcard is open source (I will write big report about that in future).

He is now claiming that Foundation violated their license that is not open source (he indirectly admitted)
https://twitter.com/nvk/status/1486063736247001090

Foundation replied later:
https://twitter.com/FOUNDATIONdvcs/status/1486085925885161480

Here is Vlad Costea saying that he submitted a pull request to Coldcard's repo to suggest them to change the product's description from "Open Source" to "Source Available".
The PR was taken down in 5 minutes.
If you read connected tweets you will see why Coldcard is not open source, and why you will get sued if you use their code.
https://twitter.com/TheVladCostea/status/1486135832641744898?s=20


https://commonsclause.com/


https://coldcard.com/

All in all I would stay away from coldcard mambo jumbo wallet and their egoistic freak NVK.
I am thinking of tagging NVK for making repeated fake claims on their website and everywhere online.
It's decision tactics used only by scammers.

You're meant not to trust them! You're meant to verify..
That's why for me and my loved ones personally, I consider only open-source (hardware + software) wallets with reproducible builds. That's like the #1 requirement. But not the only one.
Since I don't have the time to go through the whole code of every new wallet, I am delighted when trusted and verified codebase is used (in true open-source spirit) just as Foundation did it and improved upon.

I don't think that's allowed in 'official stores'. What you're seeing are extortionist prices from scalpers (can even be private people on eBay) that similarly to the GPU market, scoop up everything from the official stores and then resell anywhere.
This happens any time a product is highly sought after and production can't keep up.

I think that Coldcard created some weird eco chamber and they started with all this crazy decision making, but some people may like this idk, but they are looking more and more like ledger every day.
Thing is that more I learn about hardware wallets in general, less I have trust in them, and I more thinking of going back using air-gapped laptop.
There is still place for using hardware wallets but you really need to think good about security, and look inside all of this devices... I mean they all use same microchips and ''secure'' elements.

That is probably true, and if it is than I would like to have Raspberry Pi Zeor 2 without wi-fi connection, I see some people are removing in manually on hardware level.

I did simple math, all those prices you wrote are just in theory, in real life Pi zero was recently around $20 and I can find it now locally for more than $30 , same as Rpi 2 W (that is also out of stock in many places).
Some dedicated stores stocked up and they are selling all parts for around $80, and they can even send you pre-assembled version:

- https://www.gobrrr.me/produkt-kategorie/kits/
- https://btc-hardware-solutions.square.site/product/orange_pill_kit/6?cs=true&cst=custom
- https://diynodes.com/product/preassembled-seedsigner-in-open-pill-case/

And yes I know that case be printed locally with .STL files

That is only for version with pre soldered header, and official Rasberry website didn't say anything about this.
Like I said, I canstill find them in local shops with 6 or 7 times higher price.

Interestingly, official Raspberry seller says it's discontinued:
https://thepihut.com/products/raspberry-pi-zero-1-3-with-pre-soldered-header-no-wifi-or-bluetooth
However, the SeedSigner guys seem to be able to get their hands on a lot of 1.3's, so maybe they order in bulk directly from Raspberry.

From here: https://btc-hardware-solutions.square.site/product/orange_pill_kit/

$35 is a lot for this. Material cost on the 3D printer (FDM) is in the low single-digits.

To be honest, I see more variety in the interfaces, for example SatoChip with smart card chip and interface, we see Bluetooth for a few years being around and lately NFC. A few years back, the only option was really USB and to this date many still only have USB.

It's necessary to have a variety on the market, because some people may be fine with a less secure but more practical device, while others want only one interface. The choice there differs again. Some will prefer a device with only microSD, some want only USB or some would prefer only QR codes.
In general, it would be preferable that devices aren't a 'jack of all trades, master of none'. Hence, I tend to agree that it's best to have a device with only one means of communication for higher security (alone by shrinking the codebase).

Sadly I think the $5 zero is not coming back soon. I see the W and the 2W at a lot of places but no longer the original zero.
Could just be that a lot of retailers are looking at the small amount they can make on it and just not ordering.

Not sure where you got the $80 price
But is you can find it, the PI is $5 but lets say you get the $15 2W
The GPIO pins are $2
The camera is $10
The LCD is $12
So $40 and it is good to go.

But....
The case becomes the problem, If you can find an original zero you can get the 3D printed case from them for $35 or you can just print your own or find someone to print it for you for a lot less: https://github.com/SeedSigner/seedsigner/tree/main/enclosures/open_pill

---

Back to the coldcard, I think more and more we are seeing tons of things being added to HW wallets more for marketing and to justify price.
Not saying it's good. Just that it is.

-Dave

Great discussion, guys! I learned a lot, and also I am very disappointed in Coldcard. It seems to me that Coldcard devices are becoming more and more unsuitable for securing large amounts of money. Closed-source secure elements, non-reproducibility of builds, adding more layers of trust, decreasing the air-gapness of devices and increasing the attack surface due to implementing questionable features, and also controversial marketing are the reasons I wouldn't switch from my Trezor to a Coldcard device. They are now more oriented towards people who wish to make everyday small transactions with their mobile phones rather than those who care about the security of their holdings. That is not to say that there is something wrong with using mobile wallets in combination with hardware wallets, but if I were to choose, I would consider fully open-source and more cheap devices.

Wait, STM32 are the microcontrollers, not the secure element chips. But from your list, it seems some are like combo-chips, especially the NXP ones. I don't think an STM32 has a built-in security chip or similar. But it does seem likely that MK4 will use NXP chip for NFC, which as a side effect has a builtin second secure element.

I saw the kits go for pretty high prices, yes! But that's with profit. When I first looked into it, sourcing materials myself would have been more like 50 bucks. If you go for budget though, sure, there are many options. I'm generally a friend of reusing old hardware rather than throwing it away (as seen in my $50 full node guide). It's just less convenient really.

Exactly.
Two secure elements is just a side effect, and not by design of NKV or smart coldcard developers, and I am sure about this.
I recently revised the list of secure elements used in hardware wallets, and you can see that most wallets use same STM32 chips (this is security risk), but some of them use NXP chips and it's mostly with NFC cards format (Satochip/Satodime, CoolWallet, KeyPal, Opolo, D'CENT).

I like the idea of Seedsigner, but you know that cost of purchasing and assembling it now is around $80, and for that money you can buy used old but still good Thinkpad laptop.
That is if you managed to buy it anywhere, I looked all over the internet and Raspberry Pi Zero is mostly out of stock.
Seedsigner is also loading and starting very slow... no wonder when it has linux os in that small device

It depends on the implementation. If both elements have full access to the seed, then you have to trust twice, that's correct. If you do it right and split the seed or maybe have 2 different seeds that make a 2-out-of-2 multisig internally, it would be less trust than a single chip. Not sure how exactly they will implement though, for sure. For now, just marketing claims and no code as proof.

Oh, that's interesting. The NFC chip has a built-in secure element... then let's see if it even works as suggested with something like 2-out-of-2 or if the second chip is maybe simply used for NFC functionality..

We talk about fully cold storage and paper wallets a lot here; it's possible and made a bit more user-friendly by the SeedSigner project. That's basically it: a linux computer, booted with live OS and without persistent storage, importing seed every time you want to sign a transaction. Just in a more practical package than 'old thinkpad'. But none of these are as practical.

I mean, 'manually plugging in a microSD card' can also be seen as a kind of protocol that enables communication between devices. But due to the need of heavy user interaction (except the virus attack explained earlier), you need to physically steal the microSD and replace it without user noticing for example, to make them sign a bad PSBT. Even harder with QR codes since a QR code on the screen is less easy to extract / modify than a file on an external storage medium.

But I get what you're saying. Especially since you can wormhole NFC. You can also increase the range simply using high-power antennas; it's just radio-waves, not much unlike WiFi, Bluetooth or 4G and 5G networks after all.