ColdCard hardware wallet

[DaveF]

...
Dude, they literally used Trezor code themselves, so I guess it's just open source karma
Forking will cause no issue on Coldcard code, same way like changes in Coldcard does not affect original Trezor code.

I did not remember that. That's on me.

It's been a long time since I took a good look at the code and have just been verifying the posted firmware and installing it as needed.

And although, not much of an excuse for the above statement I'm still using a Mk1 for my day to day BTC transaction and that unit has not been able to be updated for a while.

-Dave

[1714954722]

1714954722

[1714954722]

1714954722

[1714954722]

1714954722

[1714954722]

1714954722

[1714954722]

1714954722

[1714954722]

1714954722

[n0nce]

I am still disappointed they decided to switch their license from Open Source to MIT+CC.
Funny thing is they first forked original Trezor wallet code that is still Open Source, but then they switched their license when someone else (read Passport) forks their code.

Most of Trezor code is GPLv3, right? That license states if you reuse the code, you have to keep it under GPLv3. By switching license, I think they are breaking this rule.
I agree, it's especially ironic that they themselves used Trezor code and went all pissed when Foundation Devices did the same thing. I was about to get a mk3, but the one thing always holding me back was that I'd need to carry around microSD card adapters all the time. Their understanding of open source put the final nail in the coffin for me not to buy it. It's a shame since I like the form factor and air gapping in general.

[dkbit98]

Most of Trezor code is GPLv3, right? That license states if you reuse the code, you have to keep it under GPLv3. By switching license, I think they are breaking this rule.
I agree, it's especially ironic that they themselves used Trezor code and went all pissed when Foundation Devices did the same thing. I was about to get a mk3, but the one thing always holding me back was that I'd need to carry around microSD card adapters all the time. Their understanding of open source put the final nail in the coffin for me not to buy it. It's a shame since I like the form factor and air gapping in general.

Yes, but Trezor was the first hardware wallet and it's normal that many other hardware wallets are using their code, either partially or fully, disclosed or undisclosed, with or without credits, I never saw SatoshiLabs complain about that.
Coldcard probably changed original code so much or rewritten it totally in other language, so they can easily skip breaking of any rules, like they did with latest MIT+CC license.
btw. Someone tested Coldcard code and found it was reproducible, funny thing is that this website bitcoinbinary.org was started and donated by Coinkite aka Coldcard

[n0nce]

Coldcard probably changed original code so much or rewritten it totally in other language, so they can easily skip breaking of any rules, like they did with latest MIT+CC license.
btw. Someone tested Coldcard code and found it was reproducible, funny thing is that this website bitcoinbinary.org was started and donated by Coinkite aka Coldcard

Alright, I see. Did anyone from the community find the builds are in fact not reproducible?

[DaveF]

Most of Trezor code is GPLv3, right? That license states if you reuse the code, you have to keep it under GPLv3. By switching license, I think they are breaking this rule.
I agree, it's especially ironic that they themselves used Trezor code and went all pissed when Foundation Devices did the same thing. I was about to get a mk3, but the one thing always holding me back was that I'd need to carry around microSD card adapters all the time. Their understanding of open source put the final nail in the coffin for me not to buy it. It's a shame since I like the form factor and air gapping in general.

Yes, but Trezor was the first hardware wallet and it's normal that many other hardware wallets are using their code, either partially or fully, disclosed or undisclosed, with or without credits, I never saw SatoshiLabs complain about that.
Coldcard probably changed original code so much or rewritten it totally in other language, so they can easily skip breaking of any rules, like they did with latest MIT+CC license.
btw. Someone tested Coldcard code and found it was reproducible, funny thing is that this website bitcoinbinary.org was started and donated by Coinkite aka Coldcard

This is where it gets kind of scummy IMO.

You have the site WalletScrutiny.com that says they can't reproduce it.

https://walletscrutiny.com/hardware/coldcardMk3/
However giszmo https://bitcointalk.org/index.php?action=profile;u=19025 either runs or is at lest the public face of walletscrutiny.com
giszomo is or was part of Mycelium.
The Mycelium that has the scam 1xbit.com baked into it. https://bitcointalk.org/index.php?topic=5350964.0
The Mycelium that ran a nice token scam: https://news.bitcoin.com/mycelium-employee-quits-after-ico-funds-was-used-for-spanish-vacation/
So you should probably not trust what is coming from walletscrutiny 100%

Now you have https://bitcoinbinary.org right there on the 1st page. A big donation from conkite. Not hidden, not buried, it's there.

And then you have 2 videos one from achow101 https://bitcointalk.org/index.php?action=profile;u=290195 who is a bitcoin core contributor, works on many projects https://achow101.com/ and so on. No idea who did the 2nd video but it's there.

So, as always DYOR but know the background of who says what.

-Dave

Not relevant but I feel needs to be said and note that this has nothing to do with ColdCard / CoinKite BUT with Mycelium and the way they act.
Just about everyone says don't trust coinomi because it's closed source, a multicoin wallet, may have had issues, etc.
With coinomi you can change the ElectrumX server it connects to on the back end. With Mycelium you can only connect to their servers. Tracking me much???
To some that is more important then having public source.

[dkbit98]

...

Ok, let's see who created bitcoinbinary.org website... @nvk or DETERMINISTIC OPTIMISM on twitter.
Let's check his twitter profile...oh wait it's some ColdCard and Coinkite guy, and that appears to be self donation to me and website for contribution is literally hosted on Coinkite/Coldcard github page.
You don't have to be rocket scientist to calculate how much 2+2 really is...
https://github.com/coinkite/bitcoinbinary.org


https://twitter.com/nvk

I am well aware that achow101 participated in testing experiment like I wrote about it few days ago:

There is one alternative website I found for WalletScrutiny and it is called bitcoinbinary.org, interesting part is that one of bitcointalk moderators achow101 was testing wallets and participating in this exercise,
I don't know if this website is sponsored by Coinkite aka Coldcard, but they did receive 0.025 BTC donation from them and githuib page is posted on Coinkite github,
so it looks like ColdCard wanted to proved how their code is still reproducible even if it's not open source anymore.
Conclusion is that many wallets have bad documentation or incorrect build instructions so they couldn't be reproduced.


Github: https://github.com/coinkite/bitcoinbinary.org
Website: https://bitcoinbinary.org/

It's much easier and cheaper to return your license to open source than doing all this gimmicks.

[DaveF]

...
It's much easier and cheaper to return your license to open source than doing all this gimmicks.

I don't disagree there. However, they don't seem to want to go back to open source and that is their call.

But, what I am saying is that they are up front about who is paying for the site and, IMO they have to have the site because you have sites saying it can't be done.

After the initial discussions about the license switch they have just gone with the attitude of "if you don't like it, use another product" and as a business that is their right.
If people choose to spend their BTC on other wallets then they loose. If people don't care then it's all fine.

I feel that CoinKite / ColdCard are proud idiots for dumping open source because someone took their project and ran with it in a way they did not like.
But, I also feel that with them having people say they can't reproduce the builds when others obviously can, they did do the right thing with putting up a site to defend themselves.

You & others probably have different views.
But, in the end that is why we are here, so we can discuss our different views.

Drifting a bit OT here but:
*I* don't trust giszmo & *I* don't trust WalletScrutiny.

Outside of the coldcard that is being discussed, there is at least 1 wallet out there probably 2 other wallets that ARE reproducible by someone who can follow instructions that are available. WalletScrutiny says they can't reproduce them. Now, I don't know why they can't and *I* don't care. It's out there on github (or similar) with people being able to reproduce them. So they are either incompetent or have an agenda.

On a personal note, I tried to do a nice thing for giszmo and he (1) assumed I was trying to bribe him [I was not] because he (2) assumed I was related to a company that was producing some wallet cards [I am not now and have never had any association with said company] When I pointed that out he never replied.

And the entire 1xbit and token sale with mycelium just chaps my ass.
So I may not be 100% unbiased....

-Dave

[n0nce]

This all sounds quite confusing and unclear.
How about a new topic here on the forum where independent forum members try to reproduce builds & publish their results?

I’d be willing to give a crack at a few tomorrow and report my findings.
Of course forum members doing this can’t prove they don’t work for a hardware wallet company either.

But maybe similarly to Mr. Lopp with his steel wallet reviews, there can be someone with good reputation here who can try the builds and report their findings.

[DaveF]

Well it's been a long time but they released an update to the ColdCard. One for the 2 & 3 versions and a separate one for the 4th

https://coldcardwallet.com/docs/upgrade  <--Remember don't just trust links you see in the forum verify for yourself.

Did a few small things on the older units and the one for the Mk4 is technically the 1st public production release so it should be what is on the units that they are shipping.

Wonder how long they will keep the older versions going.

-Dave

[dkbit98]

Wonder how long they will keep the older versions going.

Interesting thing is they are preparing for Taproot support with this release, BUT it's not really operational and you can't use it as signing device :/
New version Mk4 is not officially released yet, they are currently only accepting reservations, and I remember they said that older version Mk3 will not going to stop any time soon.
I think they decided to keep both of them alive because they are targeting different type of customers with NFC

[nvK]

There is a lot of misinterpretation on the Mk4's Dual SE on this thread, I highly recommend reading these two docs:

• Security model https://raw.githubusercontent.com/Coldcard/firmware/master/docs/mk4-security-model.md
• Dual SE design https://raw.githubusercontent.com/Coldcard/firmware/master/docs/mk4-secure-elements.md

[dkbit98]

There is a lot of misinterpretation on the Mk4's Dual SE on this thread, I highly recommend reading these two docs:

Thank you for posting this update nvK.
We had to speculate a bit how everything works with two secure elements, and you guys didn't exactly released any documentations until recently.
Can you tell us the reason why exactly did you chose second secure element model Maxim DS28C36B instead of other alternative options?

From what I see this Maxim DS28C36B is Secure Authenticator mostly used in equipment like:

- IP Protection
- Medical Consumable ID
- Medical Sensor Authentication and Calibration
- PCB ID and Authentication
- Print Cartridge Authentication
- Printer Cartridge Configuration and Monitoring
- Rack Card Security
Source:
https://www.maximintegrated.com/en/products/embedded-security/secure-authenticators/DS28C36.html

[dkbit98]

Beware!
I don't remember that I saw anyone posting this before, but if you already own ColdCard Mk3 hardware wallet you may want to check this out.
This was first posted on twitter by LazyNinja and it reveal big security flaw with ColdCard Mk3 PIN Replacement Attack.
He was able to bypass MK3 security feature and after second attack he was able to perform seed extraction from ColdCard device (passphrase was not extracted).
If you are using Bootloader v2.0.0 or older than you are vulnerable to this attack, due to flaw in Mk3 architecture discovered by LazyNinja, that enabled PIN replacement.
This was later fixed by ColdCard developers but you can't fix it yourself if you already own this device.
Maybe this was the main reason for ColdCard decision to release Mk4 device with two secure elements, but I someone will try to find flaws in that system as well.


More details with videos:
https://threadreaderapp.com/thread/1377362927729082368.html

Solution for anyone who owns Mk3 device is to add mandatory passphrase and move funds to new address or use some other better hardware wallet.
I have to say that I don't trust this new invention from ColdCard and they are only hardware wallet with secure element that got hacked, that is bad advertisment.

[DaveF]

Beware!
I don't remember that I saw anyone posting this before, but if you already own ColdCard Mk3 hardware wallet you may want to check this out.
This was first posted on twitter by LazyNinja and it reveal big security flaw with ColdCard Mk3 PIN Replacement Attack.
He was able to bypass MK3 security feature and after second attack he was able to perform seed extraction from ColdCard device (passphrase was not extracted).
If you are using Bootloader v2.0.0 or older than you are vulnerable to this attack, due to flaw in Mk3 architecture discovered by LazyNinja, that enabled PIN replacement.
This was later fixed by ColdCard developers but you can't fix it yourself if you already own this device.
Maybe this was the main reason for ColdCard decision to release Mk4 device with two secure elements, but I someone will try to find flaws in that system as well.


More details with videos:
https://threadreaderapp.com/thread/1377362927729082368.html

Solution for anyone who owns Mk3 device is to add mandatory passphrase and move funds to new address or use some other better hardware wallet.
I have to say that I don't trust this new invention from ColdCard and they are only hardware wallet with secure element that got hacked, that is bad advertisment.

Uhhhh -->You<-- posted it before.....in this thread...about a year ago.
Things we learned today....dkbit98 is an true American and was drinking way to much at the Memorial Day BBQ and erased the last year of his memories.

Important update for Coldcard hardware wallet and not so secure Secure Elements!

@LazyNinja managed to find a flaw in architecture and bypass ColdCard MK3 security feature by opening hardware wallet, removing secure element and replacing device PIN with his own PIN code, and then he returned altered secure element and gained full access to device.
Reminder that ColdCard is using ATECC608B secure element and this attack was possible with bootloader v2.0.0, and to fix this you need to have new updated bootloader v2.0.1

Similar pin replace attack could happen for ledger and other hardware wallet devices, but he said that hardware wallets are still 100x safer then using regular PC, however they are not invincible.

Check out his thread and video procedure:
https://threadreaderapp.com/thread/1377362927729082368.html

[dkbit98]

Uhhhh -->You<-- posted it before.....in this thread...about a year ago.
Things we learned today....dkbit98 is an true American and was drinking way to much at the Memorial Day BBQ and erased the last year of his memories.

Yes, I think I might be genuine redneck, born and raised bud drinker suffering from amnesia.
A lot can happen in one year (just rewind crazy last few years), but I totally forgot that I wrote about this before, and I got confused by dates on twitter  
I will now crawl back to my hole and hide, but at least my post served as reminder for anyone who owns mk3 coldcard.
I found this (yet again) by researching newly released coldcard mk4 device with two secure elements.
 

[nvK]

A few big reasons:

- Capability, gave us room and functions for the new Trick PINs to be inside the SE.
- Different vendors, different attacks. Multi-vendor helps with increasing attack time/cost/rate.
- Availability.

There is a lot of misinterpretation on the Mk4's Dual SE on this thread, I highly recommend reading these two docs:

Thank you for posting this update nvK.
We had to speculate a bit how everything works with two secure elements, and you guys didn't exactly released any documentations until recently.
Can you tell us the reason why exactly did you chose second secure element model Maxim DS28C36B instead of other alternative options?

From what I see this Maxim DS28C36B is Secure Authenticator mostly used in equipment like:

- IP Protection
- Medical Consumable ID
- Medical Sensor Authentication and Calibration
- PCB ID and Authentication
- Print Cartridge Authentication
- Printer Cartridge Configuration and Monitoring
- Rack Card Security
Source:
https://www.maximintegrated.com/en/products/embedded-security/secure-authenticators/DS28C36.html

Beware!
I don't remember that I saw anyone posting this before, but if you already own ColdCard Mk3 hardware wallet you may want to check this out.
This was first posted on twitter by LazyNinja and it reveal big security flaw with ColdCard Mk3 PIN Replacement Attack.
He was able to bypass MK3 security feature and after second attack he was able to perform seed extraction from ColdCard device (passphrase was not extracted).
If you are using Bootloader v2.0.0 or older than you are vulnerable to this attack, due to flaw in Mk3 architecture discovered by LazyNinja, that enabled PIN replacement.
This was later fixed by ColdCard developers but you can't fix it yourself if you already own this device.
Maybe this was the main reason for ColdCard decision to release Mk4 device with two secure elements, but I someone will try to find flaws in that system as well.


More details with videos:
https://threadreaderapp.com/thread/1377362927729082368.html

Solution for anyone who owns Mk3 device is to add mandatory passphrase and move funds to new address or use some other better hardware wallet.
I have to say that I don't trust this new invention from ColdCard and they are only hardware wallet with secure element that got hacked, that is bad advertisment.

This was fixed in sub sequent boot loader releases, also very exoteric/hard to pull off.

[dkbit98]

ColdCard Mk4 is now available for purchase directly, without reservations and extra waiting time.
Price is around $158 plus shipping, but I think you can get free shipping if you spend $499 or more in Coinkite shop.
There is %5 discount with promo code CKBTC, and it would be interesting to see some independent reviews for this new mk4 Coldcard.
I think there are better hardware wallets than Coldcard Mk4 in market today for this price, but others like ledger or safepal are worse and inferior in my opinion.
https://store.coinkite.com/store/mk4

[nvK]

ColdCard Mk4 is now available for purchase directly, without reservations and extra waiting time.
Price is around $158 plus shipping, but I think you can get free shipping if you spend $499 or more in Coinkite shop.
There is %5 discount with promo code CKBTC, and it would be interesting to see some independent reviews for this new mk4 Coldcard.
I think there are better hardware wallets than Coldcard Mk4 in market today for this price, but others like ledger or safepal are worse and inferior in my opinion.
https://store.coinkite.com/store/mk4

$149 and in colors too