Blockstream Jade
Latest release: 0.1.30 (19th October 2021)
Last analysed 24th March 2022. Not reproducible from source provided
Do your own research!
Try searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and whether you are comfortable with the provider's reaction.
The Analysis
Update 2022-03-08: On March 3rd version 0.1.33 was released. If you are running version 0.1.32, released December 23rd, you might or might not be able to verify what you are updating to, depending on whether the companion app was updated as well. Check this issue for details.
Update 2021-11-02: We are in touch with the provider. While the firmware was updated two weeks ago, their latest comment on the issue dates from one day after that release, so we assume the problem persists.
Blockstream Jade is one of the newer hardware wallets, but it is provided by Blockstream, a very well known player in this space.
On the product website, the Blockstream Jade is advertised as
The first purpose-built hardware wallet for Liquid.
Blockstream Jade is a purely open-source hardware wallet for the storage of bitcoin and Liquid assets.
Liquid is a sidechain developed by Blockstream, mostly used for quick settlement between centralized exchanges with some advanced features like “confidential transactions”.
This hardware wallet is used together with a companion app, which comes in Android, iPhone and desktop versions.
The provider makes no claims about the firmware being reproducible, and we could not find the firmware binaries for download either. Given that the companion app has a good track record of being reproducible, we assume this issue will be resolved quickly and is more a matter of documentation. Still, after half an hour of searching we could not find answers to these questions:
- Where can I download the firmware binary?
- Does the Jade display the binary’s hash prior to installation?
Until then, the firmware of this device is not verifiable.
Code and Reproducible Builds
As we learned in this issue, the provider doesn’t easily offer the firmware for download, but we came up with a convenient script to fetch the latest version. As there are two slightly different versions of the Blockstream Jade and the firmware comes in two flavors, with or without radio, this script downloads four firmware binaries:
```bash
# The two hardware revisions: "jade" (with the jog wheel) and "jade1.1" (without)
withoutWheel="jade1.1"
withWheel="jade"
for model in $withoutWheel $withWheel; do
  # index.json lists the current stable full-firmware file names for this model
  files=$( wget --output-document=- https://jadefw.blockstream.com/bin/$model/index.json | jq '.stable.full.filename' --raw-output )
  for file in $files; do
    wget https://jadefw.blockstream.com/bin/$model/$file
  done
done
```
So we have something to check. On to compilation:
As always we prefer compilation in containers, so we go with the Use docker instructions:
```
$ git clone --recursive https://github.com/Blockstream/Jade.git
$ cd Jade
$ docker-compose up -d
$ docker-compose exec dev bash
```
From here, the Build the firmware part should work, right?
```
root@5d8f6ff15ec2:/jade# git clone --recursive https://github.com/Blockstream/Jade.git $HOME/jade
root@5d8f6ff15ec2:/jade# cd $HOME/jade
root@5d8f6ff15ec2:~/jade# cp configs/sdkconfig_jade.defaults sdkconfig.defaults
root@5d8f6ff15ec2:~/jade# idf.py flash monitor
...
-- Configuring done
-- Generating done
-- Build files have been written to: /root/jade/build
Serial port /dev/ttyS0
Connecting.......................
/dev/ttyS0 failed to connect: Failed to connect to Espressif device: No serial data received.
For troubleshooting steps visit: https://github.com/espressif/esptool#troubleshooting
No serial ports found. Connect a device, or use '-p PORT' option to set a specific port.
root@5d8f6ff15ec2:~/jade#
```
The error doesn’t come as a surprise as we have no Blockstream Jade connected.
-- Build files have been written to: /root/jade/build looks promising.
Sadly this is “Build files”, not “Built files”. None of the 769 files contains “firmware”, and the two “.bin” files, “build/CMakeFiles/3.18.4/CMakeDetermineCompilerABI_C*.bin”, are CMake compiler probes rather than a firmware image.
Our guess is that the above command
idf.py flash monitor
would determine the configuration of a connected Blockstream Jade and then compile exactly for that device. Note, though, that in ESP-IDF the flash target runs the build first, using the project's sdkconfig rather than anything read from the device, and would normally leave the application image in the build directory, so the absence of one here is itself puzzling.
Under Build configurations they explain:
The menuconfig tool can also be used to adjust the build settings.
Running menuconfig, we get a huge menu with tons of sub-menus for configuring exactly what to compile. This is where we give up for now, hoping to get easy steps on how to reproduce exactly the four files we downloaded above. In the meantime, this remains not verifiable for us.
We could not verify that the provided code matches the binary!
As part of our Methodology, we ask: Is the published binary matching the published source code? If not, we tag it Unreproducible!
Published code doesn’t help much if it is not what the published binary was built from. That is why we try to reproduce the binary. We:
- obtain the binary from the provider
- compile the published source code using the published build instructions into a binary
- compare the two binaries
- might spend some time working around issues that are easy to work around
If this fails, we might search whether other revisions match or whether we can deduce the source of the mismatch, but we generally consider it the provider's job to provide the correct source code and build instructions to reproduce the build, so we usually open a ticket in their code repository.
In any case, the result is a discrepancy between the binary we can create and the binary we can find for download and any discrepancy might leak your backup to the server on purpose or by accident.
As we cannot verify that the source provided is the source the binary was compiled from, this category is only slightly better than closed source but for now we have hope projects come around and fix verifiability issues.
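The "compare the two binaries" step above, as an added shell example that is not WalletScrutiny's own tooling: it hashes a downloaded firmware image and a locally built one, reports the first differing offset on mismatch, and first checks that both files begin with the ESP32 application image magic byte 0xE9 (the Jade runs on an ESP32), which catches comparing a download against a stray CMake probe `.bin` like the ones found above. The file names are placeholders and the sample images created in `main_demo` are constructed for illustration, not real Jade firmware.

```sh
#!/bin/sh
# Added example, not WalletScrutiny's or Blockstream's code: compare a
# downloaded firmware image against a locally built one, as the methodology
# describes. File names are placeholders; the demo files at the bottom are
# constructed and are not real Jade firmware.

# ESP32 application images start with the magic byte 0xE9. A file without it
# is not an app image at all (e.g. a CMake compiler-probe .bin).
is_esp_image() {
    [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "e9" ]
}

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# Returns 0 when the two files are byte-identical, 1 otherwise. On mismatch it
# prints both sizes and the first differing byte, which is where one starts
# looking for embedded timestamps, build paths or a different sdkconfig.
compare_firmware() {
    downloaded="$1"
    built="$2"
    for f in "$downloaded" "$built"; do
        is_esp_image "$f" || echo "warning: $f does not start with ESP image magic 0xE9"
    done
    dl_hash=$(sha256_of "$downloaded")
    bl_hash=$(sha256_of "$built")
    echo "downloaded: $dl_hash"
    echo "built:      $bl_hash"
    if [ "$dl_hash" = "$bl_hash" ]; then
        echo "MATCH"
        return 0
    fi
    echo "MISMATCH: $(wc -c < "$downloaded") vs $(wc -c < "$built") bytes"
    # cmp reports "differ: byte N" or an EOF message when sizes differ
    cmp "$downloaded" "$built" 2>&1 | head -n 1
    return 1
}

# Constructed demo input: two identical fake images and one that differs.
main_demo() {
    dir=$(mktemp -d)
    printf '\351\001\002\003 fake image' > "$dir/jade_downloaded.bin"
    printf '\351\001\002\003 fake image' > "$dir/jade_built.bin"
    printf '\351\001\002\004 fake image' > "$dir/jade_other.bin"
    compare_firmware "$dir/jade_downloaded.bin" "$dir/jade_built.bin"
    compare_firmware "$dir/jade_downloaded.bin" "$dir/jade_other.bin" || true
    rm -rf "$dir"
}

main_demo
```

A hash match is the only result that counts as reproduced; the offset printed on mismatch is just a starting point for working out which build input differs.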