Verification of firmware update #114
Of course you are free to use That said, I'll take your suggestion on board and tweak it to create the build dir if not present, thanks. NOTE: (*) again because of its history/intended use, the script assumes it should upload the fw to jade by default. If you also pass '--skipserial --skipble' it will just save the fw locally and not try to upload/update jade. |
Ok, to answer your actual question ;-) :
The former is a compressed 'full' firmware image binary - ie. the entirety of the '1.0.27 noradio' fw. Should you run the If you go ahead, the compressed firmware (or delta patch) is uploaded to Jade. When complete, Jade checks the hash of the final firmware image it now has ready to boot matches that uploaded/inspected/confirmed by you (if mismatch, the fw is discarded and not finalised for booting). If you have downloaded a full firmware image, such as you have above, you can uncompress it and check the hash matches that in the file (ofc this doesn't work for deltas, which need to be applied to a base as well as being uncompressed).
(because of the compression used, I don't think normal 'gzip -d' works ... although pigz wants the file suffixed .gz ... odd ... might depend on your version of gzip, might need additional arguments, not sure ...) At that point the sha should match (and uncompressed file size should be that in the original filename - in this case 1118208). We (Blockstream) really ought to provide a signed file of fw hashes, or secure web page with them listed, or something similar. This is something we are aware of. NOTE: a firmware image won't update/boot/run on an official Jade device unless it has been signed by Blockstream. |
Also, if you want to go the whole hog, and verify that the fw image you have downloaded indeed corresponds to the source code in this repo at the 1.0.27 tag - see REPRODUCIBLE.md |
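The full-image check described in the replies above (uncompress, compare the SHA-256 with the .hash file, compare the size with the number in the filename), as an added example that is not part of the thread or of the Jade repository. It assumes the download is a zlib stream and that the .hash file holds a bare hex digest; the function name and the sample data are constructed for illustration.

```python
import hashlib
import re
import zlib

# Filename layout as seen in the thread: <version>_<config>_<size>_fw.bin
NAME_RE = re.compile(r"[\d.]+_[a-z]+_(?P<size>\d+)_fw\.bin")


def check_full_image(filename, compressed, hash_file_text):
    """Verify a compressed *full* firmware image against its .hash file.

    Assumption: the file is a zlib stream (the thread only says plain
    'gzip -d' may not unpack it). Delta patches cannot be checked this way.
    """
    m = NAME_RE.fullmatch(filename)
    if m is None:
        raise ValueError(f"unexpected firmware filename: {filename!r}")
    size = int(m["size"])
    expected = hash_file_text.strip().lower()
    if re.fullmatch(r"[0-9a-f]{64}", expected) is None:
        raise ValueError("hash file is not a SHA-256 hex digest")

    # Cap the output at size + 1 so a corrupt stream cannot balloon in memory.
    d = zlib.decompressobj()
    try:
        image = d.decompress(compressed, size + 1)
    except zlib.error:
        return {"decompressed": False, "size_ok": False, "hash_ok": False,
                "hash_is_of_compressed_file": False}
    return {
        "decompressed": d.eof and not d.unused_data,
        "size_ok": d.eof and len(image) == size,
        "hash_ok": d.eof and hashlib.sha256(image).hexdigest() == expected,
        # True would mean the .hash covers the download itself, not the image.
        "hash_is_of_compressed_file":
            hashlib.sha256(compressed).hexdigest() == expected,
    }


# Constructed sample: a 4096-byte stand-in image, not real Jade firmware.
SAMPLE_IMAGE = bytes(range(256)) * 16
SAMPLE_NAME = f"0.0.0_noradio_{len(SAMPLE_IMAGE)}_fw.bin"
SAMPLE_FW = zlib.compress(SAMPLE_IMAGE, 9)
SAMPLE_HASH = hashlib.sha256(SAMPLE_IMAGE).hexdigest() + "\n"

if __name__ == "__main__":
    print(check_full_image(SAMPLE_NAME, SAMPLE_FW, SAMPLE_HASH))
```

A result with `hash_ok` true and `hash_is_of_compressed_file` false is the situation reported in the issue: hashing the downloaded file directly does not match, hashing the uncompressed image does.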
Thanks Jamie that was very helpful. I had difficulties executing these scripts on Windows but they ran successfully on Mac OS and I was able to download the firmware upgrade files and verify the hash. I executed the following command to upgrade the firmware : python3 ./jade_ota.py --fwfile build/1.0.27_noradio_1118208_fw.bin However, the following exception was thrown: File "/Library/Frameworks/Python.framework/Versions/3.11/lib/python3.11/subprocess.py", line 1026, in init I tried to manually create the directory '/usr/bin/bt-agent' in the root of the cloned repository and execute the script again but this was unsuccessful. Also, can you please confirm whether the Jade must be unlocked to execute a firmware upgrade? |
I inadvertently closed the ticket... |
Ahh sorry, try: An uninitialised Jade does not need to be unlocked - ota upgrade can just run. If the jade is initialised with a PIN-protected wallet, it will need to be unlocked with pin first - but the jade_ota.py script should handle that ... |
I executed the following script:
The following exception was thrown: jade_ota.py: error: unrecognized arguments: --no-ble |
NOTE: |
I disconnected my Mac from the network, connected the Jade and executed the following script:
This invoked the Jade which displayed the following screen: I entered the PIN and the following displayed: Clicking on "Yes" just looped back to the same error. I then entered QR mode, performed a blind oracle PIN unlock and then executed the script again and the same sequence repeated with the following displaying on the Jade: As you previously indicated: "If the jade is initialised with a PIN-protected wallet, it will need to be unlocked with pin first - but the jade_ota.py script should handle that ..." Unlocking the Jade before executing the script did not resolve the issue. What is the process of the script unlocking the Jade? |
As it says, that first error suggests networking errors - ie. it cannot reach the blind oracle to unlock the wallet. If you have a Jade with a PIN-protected wallet, you cannot update the firmware without first entering the PIN and unlocking the wallet (otherwise an attacker could temporarily take your jade, upload malicious firmware, and put it back where they found it ...). If you unlock Jade using QR codes this is only unlocked for 'QR - mode' - ie you cannot send it data over USB. tl;dr: However, while you can 'mix and match' to some degree, once you've opted for PIN-protection several features will require the PIN to be entered correctly before they are allowed to run. Specifically, in the PIN-protected model you must unlock with PIN before you can update the firmware. NOTE (*): by default Jade will use a blind oracle server hosted by Blockstream, but you can if you prefer run your own server - see https://help.blockstream.com/hc/en-us/articles/12800132096793-Set-up-a-personal-blind-oracle |
I have only used the QR PIN unlock method to date so I am unfamiliar with other mechanisms of unlocking the Jade. If "Unlock Jade" is selected, a message displays "Connect via USB/BLE to a companion app and select your Jade to unlock with your PIN". Can any of the companion apps listed in the following article be used to unlock the Jade with its PIN or does this require the Blockstream Green app? https://help.blockstream.com/hc/en-us/articles/9601453403801-Download-a-companion-app-for-Jade |
Ah ok, so you usually use QR unlock - cool beans. Aside: You'll be pleased to know that in the next release we plan to improve that to only being one QR scan each way (rather than the existing two-each-way) - ie webapp scans jade, jade scans webapp, done. And the QR codes will be fewer frames each, so all in all should be much easier/quicker than it is today. Ok, the ota script will handle the pin-unlocking of Jade - I don't understand why you are getting these network errors - I assume you could reach the network in order to download the firmware in the first place ? While any Green app (or Sparrow, Specter, Electrum, HWI ...) can unlock Jade, they will all need access to the internet and be able to reach the blind oracle. But you don't need them, the ota script should be able to do it itself. Or try In any case, if you disconnect Jade from the USB, it will lock itself again (again, to prevent an attacker grabbing it from your machine and plugging it into their own and using it). So you need to unlock jade on the same machine you are going to use to upgrade it. The issue here is those network errors when you try to unlock. |
Thanks for the update on QR unlock. That is a good improvement. I have deliberately disconnected the machine from the internet. What I am trying to achieve is to upgrade Jade's firmware without connecting it to an internet connected device. I have succeeded to download an offline copy of the latest firmware. The next challenge is how to unlock the Jade and install the offline firmware onto it without connecting the machine to the internet and without factory resetting the Jade. |
It is not possible to unlock a PIN-protected Jade wallet without connecting to the blind oracle server - in theory you could run your own server and plug Jade physically into that machine (or at least into the same LAN) to do the fw upgrade (telling jade its blind oracle was at a 'localhost' url). [ But this would involve resetting the wallet on Jade, as you can't move from one blind oracle server to another without re-creating the wallet (so it persists the oracle secret to the new oracle). ] If you do not want Jade connected to the machine at the same time that the machine is connected to the internet, but at the same time use a PIN-(and hence remote-server)-protected wallet ... you're a bit stuck re: fw updates atm I'm afraid. In a future version of the hw, we plan to be able to use SD-cards and other USB storage devices for fw updates (and psbt signing etc), which should satisfy your use-case. But I'm afraid that won't be workable on the existing hw. (We have also considered transferring the fw via QRs - but it will take a very long time to transfer across and it has yet to be decided whether it's practically viable). In the interim, you could:
Disconnect the machine from the internet
OR (assuming you have an easily-scanned qr code backup of your seed data, or don't mind typing the words again...)
I know, both of these options are what you would rather avoid ... Atm we deliberately disallow unlocking with QRs and then going ahead and accepting messages over USB, as (most?) QR users want to be reassured that if they unlock via QR, the only way to meaningfully interact with Jade is via QRs. |
The absolute best (air-gapped) practice is for the hardware wallet to never connect to an internet connected device. Coldcard supports this using a micro SD card and a verifiable firmware update file downloaded from their website. I think this is the best way to achieve air-gapped firmware updates. With updating Jade's firmware, I might need to either just connect to an internet connected device, perform a factory reset or wait for future developments. Another workaround might be to block all internet traffic but allow access to required sites while the Jade is connected for the firmware update. Is it just jadefw.blockstream.com and jadepin.blockstream.com for which access is required for unlocking and updating firmware via the Blockstream Green app? Thank you for the detailed information. It has been very helpful and is appreciated. |
Agree with you re: 'best practice' and as I say we are looking at the usb-storage (eg. micro-sd reader) for the next iteration of the hw.
jadefw.blockstream.com - firmware images hosted here These should be all that is required. NOTE: the reason we use a remote blind oracle to assist in decrypting the wallet, is that jade has no 'secure element' hw on board. The reason jade has no 'secure element' on board, is that these use 'closed source' software, and we are committed to keeping jade based on open source libraries. It's all about the tradeoffs .. 🙃 |
In the end I decided to factory reset my Jades, upgrade firmware using Blockstream Green and restore. I understand the importance of supporting open source Bitcoin only projects. I found out about Jade from the following YouTube channel that promotes Jade and Coldcard as the premier (Bitcoin) hardware wallets: https://www.youtube.com/@Bitcoin_University I'll be happy to upgrade my Jade hardware as new features such as support for SD cards are released. Keep up the good work. |
Many thanks for your comments and the useful discussion! 🚀 |
I downloaded the latest Jade firmware update using the following Python script:
./jade_ota.py --download-firmware --hw-target jade1.1 --release stable --write-compressed
I managed to download the following files:
1.0.27_noradio_1118208_fw.bin
1.0.27_noradio_1118208_fw.bin.hash
Note that the download fails unless the “build” directory exists. I would suggest that the script create the “build” directory.
The SHA256 hash of “1.0.27_noradio_1118208_fw.bin” doesn’t match the contents of “1.0.27_noradio_1118208_fw.bin.hash”:
b2b67f5943ca4c1ae0c7fc3733352dbb4b644add5a174111547e5bd7f77d7171
Can you please clarify how to verify “1.0.27_noradio_1118208_fw.bin” and whether the hash itself can be separately verified?