Wallet Logo

Blockstream Jade

Latest release: 0.1.34 ( 27th May 2022 ) 🔍 Last analysed 7th August 2022 . Not reproducible from source provided Review might be outdated
1st January 2021

Jump to verdict 

Help spread awareness for build reproducibility

Please help us spread the word, asking Blockstream Jade to support reproducible builds  via their Twitter!

Do your own research!

Try out searching for "lost bitcoins", "stole my money" or "scammers" together with the wallet's name, even if you think the wallet is generally trustworthy. For all the bigger wallets you will find accusations. Make sure you understand why they were made and if you are comfortable with the provider's reaction.

If you find something we should include, you can create an issue or edit this analysis yourself and create a merge request for your changes.

The Analysis 

Update 2022-03-08: On March 3rd version 0.1.33 was released. If you are running version 0.1.32 which was released December 23rd, you might or might not be able to verify what you are updating to, depending on the companion app being updated, too or not. Check this issue for details.

Update 2021-11-02: We are in touch with the provider and while the firmware was updated two weeks ago already, their latest comment on the issue was a day after the last release, so we assume the problem persists.

Original Analysis

Blockstream Jade is one of the newer hardware wallets but provided by Blockstream which is a very well known player in this space.

On the product website, the Blockstream Jade is advertised as

The first purpose-built hardware wallet for Liquid.
Blockstream Jade is a purely open-source hardware wallet for the storage of bitcoin and Liquid assets.

Liquid is a sidechain developed by Blockstream, mostly used for quick settlement between centralized exchanges with some advanced features like “confidential transactions”.

This hardware wallet works with Green: Bitcoin Wallet Reproducible Review Old! and its iPhone and desktop counterparts as its companion app.

The provider makes no claims about the firmware being reproducible and neither can we find the binaries for download. Given the companion app does have a good track record of being reproducible, we assume this issue to be resolved quickly and being more about documentation but as with half an hour of searching we could not find the answers to these questions:

  • Where can I download the firmware binary?
  • Does the Jade display the binary’s hash prior to installation?

the firmware of this device is currently not verifiable.

Code and Reproducible Builds

So as we learned in this issue, the provider doesn’t easily offer the firmware for download but we came up with a convenient script to download the latest version. As there are two slightly different versions of the Blockstream Jade and the firmware comes in two flavors - with or without radio - this script downloads four firmware binaries:

withoutWheel="jade1.1"
withWheel="jade"
for model in $withoutWheel $withWheel; do
	files=$( wget --output-document=- https://jadefw.blockstream.com/bin/$model/index.json | jq '.stable.full[].filename' --raw-output )
	for file in $files; do
		wget https://jadefw.blockstream.com/bin/$model/$file
	done
done

So we have something to check. On to compilation:

As always we prefer compilation in containers, so we go with the Use docker instructions:

$ git clone --recursive https://github.com/Blockstream/Jade.git
$ cd Jade
$ docker-compose up -d
$ docker-compose exec dev bash

From here, the Build the firmware part should work, right?

root@5d8f6ff15ec2:/jade# git clone --recursive https://github.com/Blockstream/Jade.git $HOME/jade
root@5d8f6ff15ec2:/jade# cd $HOME/jade
root@5d8f6ff15ec2:~/jade# cp configs/sdkconfig_jade.defaults sdkconfig.defaults
root@5d8f6ff15ec2:~/jade# idf.py flash monitor
...
-- Configuring done
-- Generating done
-- Build files have been written to: /root/jade/build
Serial port /dev/ttyS0
Connecting.......................
/dev/ttyS0 failed to connect: Failed to connect to Espressif device: No serial data received.
For troubleshooting steps visit: https://github.com/espressif/esptool#troubleshooting
No serial ports found. Connect a device, or use '-p PORT' option to set a specific port.
root@5d8f6ff15ec2:~/jade#

The error doesn’t come as a surprise as we have no Blockstream Jade connected. But -- Build files have been written to: /root/jade/build looks promising.

Sadly this is “Build files” not “Built files”. None of the 769 files contains “firmware” and the two “.bin” files “build/CMakeFiles/3.18.4/CMakeDetermineCompilerABI_C*.bin” don’t look promising neither.

So what’s probably going on is that the above command idf.py flash monitor would determine the configuration of a connected Blockstream Jade to then compile exactly for this device.

Under Build configurations they explain:

The menuconfig tool can also be used to adjust the build settings.

idf.py menuconfig

Running this command, we get a huge menu with tons of sub-menus allowing to configure what exactly to compile which is where we give up for now and hope to get easy steps on how to reproduce exactly the four files we downloaded above. In the mean time, this remains not verifiable for us.

(ml, lw)

Verdict Explained

We could not verify that the provided code matches the binary!

As part of our Methodology, we ask:

Is the published binary matching the published source code? If not, we tag it Unreproducible!

Published code doesn’t help much if it is not what the published binary was built from. That is why we try to reproduce the binary. We

  1. obtain the binary from the provider
  2. compile the published source code using the published build instructions into a binary
  3. compare the two binaries
  4. we might spend some time working around issues that are easy to work around

If this fails, we might search if other revisions match or if we can deduct the source of the mismatch but generally consider it on the provider to provide the correct source code and build instructions to reproduce the build, so we usually open a ticket in their code repository.

In any case, the result is a discrepancy between the binary we can create and the binary we can find for download and any discrepancy might leak your backup to the server on purpose or by accident.

As we cannot verify that the source provided is the source the binary was compiled from, this category is only slightly better than closed source but for now we have hope projects come around and fix verifiability issues.

But we also ask:

Does our review and verdict apply to their latest release? If not, we tag it Review Old!

Verdicts apply to very specific releases of products and never to the product as a whole. A new release of a product can change the product completely and thus also the verdict. This product remains listed according to its latest verdict but readers are advised to do their own research as this product might have changed for the better or worse.

This meta verdict is applied manually in cases of reviews that we identify as requiring an update.

This meta verdict applies to all products with verdict “reproducible” as soon as a new version is released until we test that new version, too. It also applies in cases where issues we opened are marked as resolved by the provider.

If we had more resources, we would update reviews more timely instead of assigning this meta verdict ;)