Version 4.0.0 Released (Major Internal Improvements)
All New Code, Same Great Features
Major internal changes, which don’t really change features:
Now using Bitcoin Core’s “libsecp256k1” for all EC crypto operations. This is the very same code used by Bitcoin Core for your Bitcoins on-chain.
Super fast pure-assembly AES256-CTR code makes USB communications faster.
Newly optimized SHA256 and SHA256(SHA256) code.
All crypto and BIP39 related code has been replaced with new equivalents.
Huge thanks to @switck for the new source code library!
New: 24th Seed Word Calculated
During seed phrase import, after 23 words are provided, Coldcard will calculate the correct checksum and show the valid choices for the last word (there will be 8 typically). This means you can pick seed words by drawing from a hat, and it saves some time and effort during normal seed restore, since the searching for the final word is reduced.
This does not replace dice-rolling, and we still recommend that over this “hat” approach, because it includes whitening (SHA256 over your random numbers).
New: Secure Coldcard Cloning
Secure Device Cloning: Using just a MicroSD card, copy your Coldcard’s secrets and settings to a blank Coldcard. Very quick and easy because it uses public key encryption (Diffie-Hellman key exchange) and AES-256-CBC for the transfer itself.
Read more here in the docs.
New: Reproducible Builds
Reproducible builds! Checkout code, “cd stm32; make repro” will do everything to rebuild the entire project from scratch and compare it to the current release.
We’re planning another blog post on this important subject, including why you’d want to be able to do this.
HSM/CKBunker Mode Changes
These changes come for our loyal users who have been using HSM mode (and CKBunker) for their own applications:
when unlocking HSM mode from “boot to HSM mode” (using secret PIN immediately after boot-up), the existing HSM policy is no longer removed automatically.
time limit to escape “boot to HSM” mode has doubled from 30 seconds to 1 minute.
IMPORTANT: Users with passwords (not 2FA method) will have to be reconstructed as hash algo has changed in this version.
Enhancement: Paper wallet feature restored as it was in previous versions. Same cautions apply.
Enhancement: Inside encrypted backup files (7z), the cleartext filename is no longer fixed as
ckcc-backup.txt. Instead it’s a random word and number. Improves plausible deniability when backup files discovered.
Bugfix: CSV of addresses explorer export via Address Explorer, when account number was used, did not reflect the (non-zero) account number.
Enhancement: Show a progress bar during slow parts of the login process.
Enhancement: Long menus, like the seed-word picking system, now wrap around from top/bottom, so you can get to Z by going up from A.
Limitation: Mk2 (older hardware, with less memory) may struggle with some of the new features, but can still run this firmware release… so you can clone it to your new Mk3!
We have a growing library of video tutorials on Youtube … and we’re still adding more!