1. Ledger Wallet 1 - 1.0 ("Ledger" release - 30th of March 2015)
-
[enh] New unified multiplatform / multibearer firmware
-
[bev] Update GET FIRMWARE VERSION to return device features
-
[bev] Replace wipe PIN by random seed PIN
-
[bev] Add an option to use the second factor permanently on SET OPERATION MODE and retrieve the second factor in use on GET OPERATION MODE (Ledger Wallet mode)
-
[enh] Rename SET KEYMAP to SET KEYBOARD CONFIGURATION and configure typing parameters
-
[sec] Erase the dongle after 30 invalids second factor attempts
-
[enh] Optional OP_RETURN payload in UNTRUSTED HASH TRANSACTION INPUT FINALIZE
-
[enh] Alternate coin versions : SET ALTERNATE COIN VERSIONS
-
[enh] Alternate second factor updates : SET USER KEYCARD APDU, SETUP SECURE SCREEN APDU
-
[enh] Personal BIP 70 certificates : STORE TRUST ROOT BIP 70, CREATE CERTIFICATE BIP 70, CREATE PAYMENT REQUEST BIP 70, PROCESS CERTIFICATE BIP 70, PARSE PAYMENT REQUEST BIP 70, UNTRUSTED HASH TRANSACTION INPUT FINALIZE FULL BIP 70, FACTORY INITIALIZE BIP 70 TRUST ROOT
2. 1.4.13 ("Ledger is coming" release - 17th of November 2014)
-
[bev] Modify the keycard second factor to only check the address
-
[bev] Enable the keycard second factor with a specific APDU at boot time
3. 1.4.12 ("Speedy Rabbit Hotfix 1" release - 28th of October 2014)
-
[bug] Fix canonical signatures, buggy since 1.4.9, as per https://github.com/bitcoin/bips/blob/master/bip-0062.mediawiki
4. 1.4.11 ("Speedy Rabbit" release - 27th of October 2014)
-
[enh] Improve SHA 512 and modular multiplication speed
-
[enh] Modify SETUP to include a One Time Pad generated by the customer
-
[enh] Let Windows users replay a second factor by triggering num lock or scroll lock
-
[sec] Verify that the provided SETUP FORWARD ECDH public key belongs to the curve
5. 1.4.10 ("Battleship 2" release - 8th of September 2014)
-
[bug] Fix second factor spurious trigger bug added in 1.4.9
6. 1.4.9 ("Battleship" release - 27th of August 2014)
-
[enh] Provide an option to replace the second factor by a key card
-
[enh] Add supported and current operation modes in firmware attestation
-
[enh] Dump the seed on every other insertion until the PIN is entered
-
[enh] Add number of remaining attempts on VERIFY PIN
-
[enh] Return Y parity on signature to save key recovery time (as per FSV https://github.com/antonio-fr/Fast_Sign_Verify - Antoine Ferron)
-
[enh] Make sure that the returned signatures are canonical (as per https://ripple.com/wiki/Transaction_Malleability)
-
[sec] Only dump the trusted input and developer wrapping keys in SETUP if developer mode is supported
-
[tmp] Temporarily disable the COMPOSE M OF N ADDRESS command due to lack of space
7. 1.4.8 ("Greenaddress" release - 05th of August 2014)
-
[enh] Allow 64 bytes seed in SETUP (BIP39 compliance)
-
[enh] Return the BIP32 chain code along with the public key in GET WALLET PUBLIC KEY
-
[enh] Add 0xB11E derivation path allowing a message signature without second factor and without power cycling, scan the low end word of derivation path components only
-
[bug] Remove user entropy in SETUP (not used properly and no buffer space left to type it along with a 64 bytes seed)
-
[bug] Allow 0 derivations in BIP32 derivation path
8. 1.4.7 (private release, open second factor - 23rd of July 2014)
-
[enh] Add a mode to skip the second factor if consuming from P2SH inputs
-
[enh] Allow derivation from an arbitrary BIP 32 path
-
[enh] Return Loader ID in firmware information
9. 1.4.6 ("Maison du Bitcoin" hackathon - 15th of June 2014)
-
[enh] Point Of Sale mode for setup and seed recovery
-
[enh] Allow message signature without confirmation for arbitrary BitID chain
10. 1.4.5 ("Maison du Bitcoin" meetup - 4th of June 2014)
-
[bug] Fix keyboard LED detection on OSX (infinite waiting loop)
-
[bug] Fix firmware diversification
-
[bug] Fix generic HID transport
11. 1.4.4 ("Maison du Bitcoin" opening release - 13th of May 2014)
-
[bug] Fix BIP32 implementation regarding hardneded / non hardened keys
-
[enh] Implement missing 1.4.3 features
-
[enh] Type the seed using the second factor
-
[enh] Add firmware version in attestation
-
[enh] Restrict signature hashtypes on setup
-
[enh] Provide forward setup for prepaid dongles scenarios
-
[enh] Secure screen mode for Prismicide prototype
12. 1.4.3 (30c3 failed release :p - 20th of March 2014 Paymium Meetup release)
-
[enh] full redesign : HD Wallet (BIP 32), Keyboard confirmation, server and partial transactions APIs
13. 1.4.2 (Bitcoin 2013 release)
-
[enh] New security rules & operation modes
14. 1.4.1 (private release)
-
[enh] ECC operations speed-up
-
[bug] Private key are now paired to their curve parameters (cheers Jix :p)
15. 1.4.0 (29c3 release)
-
Initial release
16. About
This specification describes the common functionalities of Ledger applications dedicated to secure bitcoin transactions. Such application performs all sensitive cryptographic operations related to a bitcoin transaction (key generation & signature) onboard, and helps protecting against malware in an untrusted environment by controlling the signed data.
The first supported device is Ledger Wallet, a USB smartcard/dongle.
Other devices can offer additional functionalities, such as a screen, buttons, different transport bearers or split functionalities between different hardware components leading to some differences in commands processing. Those differences are highlited in this common document and described more specifically in the dedicated device specification.
17. User validation mode
Ledger Wallet allows you to validate what you sign - i.e. check that you are paying the right amount to the right destination. The following User validation methods are available
17.1. Keyboard User validation
This method is the original scheme introduced in version 1.4.3 - it is the default method available when operating in legacy BTChip mode
User validation is performed as follows :
-
A specific status is returned to inform the user that a validation is pending
-
The user unplugs the dongle
-
The user plugs the dongle back into the computer (or a different computer / smartphone, tablet with USB host support, depending on how confident you are about the first computer integrity)
-
The dongle "types" (as a keyboard) a summary of the action to be validated and a 4 digits PIN to be entered, which is unique to the transaction
-
The user plugs the dongle back into the first computer (or just unplugs / plugs it again)
-
The user enters the PIN to confirm user validation
Note
|
Devices offering a screen and buttons do not support this validation mode |
17.2. Security Card User validation
This user validation mode has been introduced in version 1.4.9 and provides an option to validate a transaction destination using a printed card for easier validation.
User validation is performed as follows :
-
A specific status is returned to inform the user that a validation is pending. This request includes random indexes in the address to match against the printed card
-
The user types the result matching the random indexes in the printed card to confirm user validation
This user validation method should be used with caution as a malware would be able to gather information from each unique Security Card after enough transactions are signed. It is recommended to only use it to pair an secure screen as described later or to print a new card after a few (around 10) transactions have been performed.
Note
|
Devices offering a screen and buttons do not support this validation mode |
17.3. Secure Screen User validation
This user validation mode has been introduced in version LW1-1.0 and provides an option to validate a transaction destination and amount using a paired device with a screen
User validation is performed as follows :
-
A specific status is returned to inform the user that a validation is pending. This request includes an encrypted summary of the transaction and a nonce. The symmetric encryption keys are shared when the Ledger Wallet and the remote device are paired. A Security Card challenge is requested to pair the remote device
-
The user verifies the transaction summary on the remote device
-
The remote device generates a signed version of the nonce which is sent to the Ledger Wallet to confirm user validation
Note
|
Devices offering a screen and buttons managed by the secure part of the device do not support this validation mode |
17.4. Personal BIP 70 Certificates User validation
This user validation mode has been introduced in version LW-1.0 and provides an option to validate a transaction destination and amount against a BIP 70 request.
The process is initiated as follows when performed between two Ledger Wallet users :
-
A dedicated identity is created by the sender using the CREATE CERTIFICATE BIP 70 APDU, bound to a BIP 32 derivation path. This certificate is signed by a root certificate set at personalization time using the FACTORY INITIALIZE BIP 70 TRUST ROOT APDU or at runtime using the STORE TRUST ROOT BIP 70 APDU. All Ledger Wallet dongles are factory initialized with a shared root certificate in slot 0.
-
This identity is shared with the receiver, which validates it using its provided checksum and accepts it using the PROCESS CERTIFICATE BIP 70 APDU.
A transaction is processed as follows :
-
The sender creates a BIP 70 Payment Request associated to an identity and a BIP 32 derivation path related to this identity using the CREATE PAYMENT REQUEST BIP 70 APDU.
-
The payment request is processed by the receiver using the PARSE PAYMENT REQUEST BIP 70 APDU and a transaction is formatted using the regular methods, then finalized with the UNTRUSTED HASH TRANSACTION INPUT FINALIZE FULL BIP 70 APDU.
External consumers of this BIP 70 Payment Request can choose to trust its destination request if signed by the Ledger Wallet shared root certificate.
Note
|
Currently the certificates and BIP 70 Payment Request are generated over secp256k1, which is not compatible with BitcoinJ |
18. Operation modes
Operation modes define which operations are allowed given the security environment the dongle is operating in.
Four operation modes are defined :
-
standard-wallet mode, managing an HD Wallet (BIP 32) with multiple accounts, supporting payments to a single address and enforcing user validation of the full transaction (unless the wallet is setup as a second factor for P2SH transactions). This mode is intended for all bitcoin users.
-
relaxed-wallet mode, managing an HD Wallet with multiple accounts, supporting arbitrary payments and enforcing user validation of the amount spent. This mode is intended for bitcoin users interested in drafting custom transactions with some level of control.
-
server mode, managing an HD Wallet with multiple accounts, supporting arbitrary payments and enforcing pre defined limits on the amount spent. This mode is intended for server operators using one or several Ledger Wallet dongles to secure their hot wallets.
-
developer mode, managing BIP 32 or regular private keys and allowing to sign arbitrary data. This mode is intended for bitcoin power users drafting custom transactions and only interested in private keys protection.
The dongle initally operates in standard-wallet mode when received (if this mode is enabled). The last chosen mode is restored when the dongle is powered on.
18.1. standard-wallet mode
Only a single point-to-point output (i.e. the standard script or a P2SH script) along with one change address is authorized.
All transaction inputs are controlled by the dongle.
The change address index is automatically handled by the dongle and increased for each transaction to prevent address reuse. The change address index is shared for all accounts.
The standard script is coded as
OP_DUP OP_HASH160 [pubKeyHash] OP_EQUALVERIFY OP_CHECKSIG
A P2SH script is coded as
OP_HASH160 [script hash] OP_EQUAL
Transaction are controlled by the user validation process. The following data will be prompted to the user :
-
Amount to pay
-
Change amount
-
Fees
18.2. relaxed-wallet mode
Arbitrary output is authorized
Transaction inputs are only controlled if they use a key actually belonging to a wallet account.
Transaction are controlled by the user validation process. The following data will be prompted to the user :
-
Amount to pay
-
A large warning that relaxed-wallet mode is in use
18.3. server mode
Arbitrary output is authorized
Transaction inputs are only controlled if they use a key actually belonging to a wallet account.
Transactions are controlled given user parameters and automatically signed if accepted.
Transactions can be controlled on a combination of the following parameters :
-
A cumulative maximum amount used in transactions
-
A maximum number of consecutive transactions before the dongle is removed
18.4. developer mode
Arbitrary data can be signed in this mode
Keys used in developer mode cannot be used in a different mode
19. Lifecycle management APDUs
19.1. SETUP
19.1.1. Description
This command is used to setup the dongle when received, or pre-issuance when using the forward setup mode. It must be executed on a trusted computer as security critical data is exchanged.
For a new dongle not used as a backup device, a regular user will create a new random seed for a HD wallet and a PIN.
The PIN is used to perform a new payment transaction - it is sent as cleartext to the dongle and is not intended to be used as a malware protection method, only as an anti theft security. When generating a new seed in regular setup mode, the dongle types it on every other powerup until the PIN is entered, finishing with an X to mark the end of the seed. It is recommended to do this on a different computer / device for maximum security before backing it up.
Warning
|
When getting the seed backup, the string must begin with "Seed ", end with an X and be exactly 128 hexadecimal digits long (64 bytes). If not, you’re missing either the beginning or the end of the seed and should retry until you see the whole seed. |
In Point Of Sale setup mode, a PIN is exchanged between the user and the dongle. The seed is generated but not typed, and can be recovered through GET POINT OF SALE SEED commands. Until the encrypted seed is recovered, GET WALLET PUBLIC KEY is enabled without needing to enter the PIN. This mode is typically used for a service (such as a physical counter) offering prepaid dongles with KYC procedures and wanting to deliver a physical backup of the seed.
In forward setup mode, a secret PIN and a secret One Time Pad are exchanged between the user and the dongle. The seed is generated but not typed, and only GET WALLET PUBLIC KEY is enabled, without needing to enter the PIN. It is returned encrypted by the One Time Pad, so that only the user who generated the One Time Pad can decrypt it, and also typed after the first PIN entry. This mode is typically used for a service (such as a web shop or a vending machine) offering prepaid dongles and willing to provide the seed to the end user without compromising the security of the transactions.
After SETUP is performed, the dongle has to be reset to wipe out all parameters and start again - this can be achieved by entering the wrong PIN 3 times in a row.
A secondary PIN can be provided for plausible deniability - when entered instead of the regular user PIN, a random seed generated during setup is used for this session. This seed should not be used to store any important amount as it is erased when the dongle is reset.
It is recommended to store the BIP32 seed returned in the output of the SETUP command in a safe location for backup purposes - typically GPG encrypt it to yourself and store it on multiple storage devices / clouds.
During setup, two random BIP 70 3DES-2 encryption and signature keys are generated.
The coin regular version and P2SH versions can be changed dynamically during a card session. They are initialized with the versions provided in the setup command at boot time.
Note
|
Devices offering a screen and buttons will override the seed backup and PIN parameters to let the user enter it directly on device. Dummy values should be used from the caller. |
19.1.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
20 |
00 : regular setup 02 : Point Of Sale setup 80 : forward setup |
00 : when used in forward setup mode, type the seed on the first successful PIN entry 01 : when used in forward setup, do not type the seed on the first successful PIN entry |
var |
var |
Input data (regular setup)
Description |
Length |
Bitflag of supported operation modes 0x01 : wallet mode 0x02 : relaxed wallet mode 0x04 : server mode 0x08 : developer mode |
1 |
Bitflag of features 0x01 : use uncompressed public keys in addresses (otherwise compress them) 0x02 : enable RFC 6979 deterministic signatures (otherwise use a random K) 0x04 : authorize all signature hashtypes (otherwise only authorize SIGHASH_ALL) 0x08 : skip second factor, allow relaxed inputs and arbitrary ouput scripts if consuming P2SH inputs in a transaction |
1 |
Coin version accepted for regular addresses |
1 |
Coin version accepted for Pay To Script Hash Addresses (BIP 16), or 0x00 if disabled |
1 |
User PIN length (from 0x04 up to 0x20) |
1 |
User PIN |
var |
Secondary PIN length (from 0x00 up to 0x04) |
1 |
Secondary PIN |
var |
BIP32 Seed size (0x00 to generate a new 64 bytes seed, size between 32 and 64 to restore a seed backup) |
1 |
BIP32 Seed if restoring a seed backup |
variable |
3DES-2 key wrapping key length for developer mode (0x00 to generate a new key, 0x10 to set up a backup) |
1 |
3DES-2 key wrapping key for developer mode |
null or 16 |
Input data (Point Of Sale setup)
Description |
Length |
Bitflag of supported operation modes 0x01 : wallet mode 0x02 : relaxed wallet mode 0x04 : server mode 0x08 : developer mode |
1 |
Bitflag of features 0x01 : use uncompressed public keys in addresses (otherwise compress them) 0x02 : enable RFC 6979 deterministic signatures (otherwise use a random K) 0x04 : authorize all signature hashtypes (otherwise only authorize SIGHASH_ALL) 0x08 : skip second factor if consuming only P2SH inputs in a transaction |
1 |
Coin version accepted for regular addresses |
1 |
Coin version accepted for Pay To Script Hash Addresses (BIP 16), or 0x00 if disabled |
1 |
User PIN length (from 0x04 up to 0x20) |
1 |
User PIN |
var |
Secondary PIN length (from 0x00 up to 0x04) |
1 |
Secondary PIN |
var |
BIP32 Seed size (0x00 to generate a new 64 bytes seed, 64 to restore a seed backup) |
1 |
BIP32 Seed if restoring a seed backup |
variable |
0x00 or 0x10 if restoring a seed backup |
1 |
3DES-2 seed backup wrapping key wrapping key if restoring a seed backup |
null or 16 |
Input data (forward setup)
Description |
Length |
Bitflag of supported operation modes 0x01 : wallet mode 0x02 : relaxed wallet mode |
1 |
Bitflag of features 0x01 : use uncompressed public keys in addresses (otherwise compress them) 0x02 : enable RFC 6979 deterministic signatures (otherwise use a random K) 0x04 : authorize all signature hashtypes (otherwise only authorize SIGHASH_ALL) 0x08 : skip second factor if consuming only P2SH inputs in a transaction |
1 |
Coin version accepted for regular addresses |
1 |
Coin version accepted for Pay To Script Hash Addresses (BIP 16), or 0x00 if disabled |
1 |
User public key length |
1 |
User public key |
var |
Password blob |
40 |
BIP32 Seed size (0x00 to generate a new seed) |
1 |
3DES-2 key wrapping key length for developer mode (0x00 to generate a new key) |
1 |
The password blob is generated as follows :
-
An ECDH key exchange is performed on the user side using a newly generated keypair on the Bitcoin curve and the dongle Attestation public key - a 32 bytes secret is obtained, split into two 16 bytes components S1 and S2
-
S1 and S2 are XORed to produce a 16 bytes 3DES-2 session key
-
The following data is encrypted using 3DES CBC and the generated session key, and sent as password blob
Description |
Length |
User PIN length (from 0x04 up to 0x20) |
1 |
User PIN (padded with random) |
32 |
Secondary PIN length (from 0x00 up to 0x04) |
1 |
Secondary PIN (padded with random) |
4 |
Random data used as a XOR One Time Pad to mask the seed |
64 |
CRC-16 of the previous data |
2 |
Additional description of setup parameters
When enabled, RFC 6979 deterministic signatures will be used for all operations in wallet, relaxed wallet and server modes. RFC 6979 deterministic signatures are always available in developer mode.
Note
|
Using deterministic signatures will make the signing process slower and could possibly create a larger side channel attack surface due to the way private keys are handled during the computation of the random value. We suggest to only enable this mode if you don’t trust the chip hardware Random Number Generator or are sure of understanding the risks. |
The following sample Coin versions are defined for regular addresses
Network |
Version (dec) |
Bitcoin (main network) |
0 |
Bitcoin (test network) |
111 |
Litecoin (main network) |
48 |
Litecoin (test network) |
111 |
Dogecoin (main network) |
30 |
Dogecoin (test network) |
113 |
The following sample Coin version are defined for Pay To Script Hash addresses
Network |
Version (dec) |
Bitcoin (main network) |
5 |
Bitcoin (test network) |
196 |
Litecoin (main network) |
5 |
Litecoin (test network) |
196 |
Dogecoin (main network) |
22 |
Dogecoin (test network) |
196 |
If generating a new seed, the dongle generates a 64 bytes random number from its hardware Random Number Generator
A keymap encoding is a set of Keyboard HID Usage IDs mapping the keyboard layout of the computer on which the user validation is performed. It can be updated later using the SET KEYBOARD CONFIGURATION command.
Keymap encoding is coded as follows
Description |
Length |
ALT-GR usage keymap |
12 |
Shift usage keymap |
12 |
HID page table for ASCII codes from 0x20 to 0x7e |
95 |
ALT-GR & Shift usage keymaps are coded as a set of flags indicating if the ALT-GR / Shift key should be pushed for the given mapping. First byte codes shift flags from keycode 0x20 (LSB) to 0x27 (MSB) and so on.
The default QWERTY Keymap Encoding is
00 00 00 00 00 00 00 00 00 00 00 00 76 0f 00 d4 ff ff ff c7 00 00 00 78 2c 1e 34 20 21 22 24 34 26 27 25 2e 36 2d 37 38 27 1e 1f 20 21 22 23 24 25 26 33 33 36 2e 37 38 1f 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 2f 31 30 23 2d 35 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 2f 31 30 35
Output data (if developer mode is supported)
Description |
Length |
Seed return flag 0x00 : seed is not typed to the user 0x01 : seed typed to the user |
1 |
3DES-2 trusted input key |
16 |
3DES-2 key wrapping key for developer mode |
16 |
Output data (if developer mode is not supported)
Description |
Length |
Seed return flag 0x00 : seed is not typed to the user 0x01 : seed typed to the user |
1 |
Output data (if using forward setup)
Description |
Length |
Seed return flag 0x00 : seed is not typed to the user |
1 |
Seed XORed by the provided One Time Pad |
64 |
Availability
This function is only available before the dongle is set up (either when received or following a dongle reset)
19.2. SET USER KEYCARD
19.2.1. Description
This command is used to replace the keyboard second factor by a printed keycard for regular (non relaxed) transactions.
The keycard associates each ASCII character between 0x30 and 0x7a (included) to an hexadecimal digit, obtained by encrypting 00..50 by the 3DES-2 keycard seed key using CBC encryption, and considering each digit as an exclusive OR of both nibbles of each element
When using the keycard second factor, the user needs to provide as authentication code random A characters of the destination address (up to 10)
This command allows the user to set a new keycard, similar to [Keycard]. This keycard will replace the system keycard if a system keycard was defined, until the dongle is reset.
If no previous keycard was set, this command is confirmed by the standard keyboard second factor. After issuing it, the user needs to confirm it using the unique PIN displayed by the second factor. Otherwise it is confirmed by a 4 bytes challenge with the previous keycard. The dongle must be power cycled if the challenge is not correct.
Note
|
This command is not supported by devices offering a screen and buttons |
19.2.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
10 |
01 : set keycard 02 : confirm keycard |
00 |
11 |
var |
Input data (set keycard)
Description |
Length |
Number of random address characters to provide |
1 |
Keycard seed |
16 |
Input data (confirm keycard)
Description |
Length |
Confirmation PIN or challenge |
4 |
Output data (set keycard)
Description |
Length |
Confirmation mode 01 : keyboard second factor 02 : previous keycard challenge |
01 |
If a previous keycard was set, challenge to match |
04 |
Output data (confirm keycard)
None
Availability
This function is always available following dongle setup, and is protected by the user PIN.
19.3. SETUP SECURE SCREEN
19.3.1. Description
This command is used to replace a printed keycard second factor by a transaction summary displayed on a remote screen. A printed keycard must be set up before issuing this command.
The pairing process is performed as follows :
-
An ECDH key exchange is performed on the remote screen side side using a newly generated keypair on the Bitcoin curve and the dongle Attestation public key - a 32 bytes secret is obtained, split into two 16 bytes components S1 and S2
-
S1 and S2 are XORed to produce a 16 bytes 3DES-2 session key
-
The remote screen public key is sent to the dongle, which generates a cleartext random 8 bytes nonce, a 4 bytes challenge on the printed keycard and a random 16 bytes 3DES-2 pairing key, concatenated and encrypted using 3DES CBC and the generated session key
-
This message is decrypted on the remote screen side and the user is prompted for the printed card challenge, which is returned concatenated with the nonce, encrypted using 3DES CBC and the generated session key
-
The pairing process is completed on the dongle side if the challenge is correct, otherwise the dongle must be power cycled.
Note
|
This command is not supported by devices offering a screen and buttons managed by the secure part of the device |
19.3.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
12 |
01 : initiate pairing 02 : confirm pairing |
00 |
var |
00 |
Input data (initiate pairing)
Description |
Length |
Remote screen uncompressed public key |
65 |
Input data (confirm pairing)
Description |
Length |
Encrypted nonce and challenge response + padding |
16 |
Output data (initiate pairing)
Description |
Length |
Pairing blob : 8 bytes random nonce and (4 bytes keycard challenge + 16 bytes pairing key) encrypted by the session key |
32 |
Output data (confirm keycard)
None
Availability
This function is always available following dongle setup, and is protected by the user PIN.
19.4. SET ALTERNATE COIN VERSIONS
19.4.1. Description
This command allows you to change the current coin version & P2SH version for the current session, until the dongle is reset.
It can be used to support several coin types in the derivation scheme using the same seed
19.4.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
14 |
00 |
00 |
02 |
00 |
Input data
Description |
Length |
Coin version accepted for regular addresses |
1 |
Coin version accepted for Pay To Script Hash Addresses (BIP 16), or 0x00 if disabled |
1 |
Output data
None
Availability
This function is always available following dongle setup, and is protected by the user PIN.
19.5. VERIFY PIN
19.5.1. Description
This command is used to unlock the dongle using the PIN provided during setup.
If forward setup mode was used, the seed will be typed to the user on the first PIN entry and signature operations are enabled if a keymap was set. Otherwise the command will be denied.
The dongle must be physically reset after each invalid PIN to issue a new command.
After 3 invalid PIN submitted in a row, the dongle data is erased and it must be setup again.
If the secondary PIN is entered instead of the user PIN, a random seed generated when the dongle is setup is used.
If P1 is set to 0x80, the dongle returns the number of remaining attempts. Arbitrary data must still be sent (f.e. 1 byte)
Note
|
Devices offering a screen and buttons will override the PIN parameters to let the user enter it directly on device. Dummy values should be used from the caller. |
19.5.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
22 |
00 : verify PIN 80 : get number of remaining attempts |
00 |
var |
00 |
Input data
Description |
Length |
PIN |
var |
Output data
Description |
Length |
PIN validation flags 0x01 : dongle was initialized in forward setup mode and needs to be power cycled to read the seed |
1 |
Availability
This function is always available following dongle setup.
Specific Status Words
SW |
Description |
63Cx |
Invalid PIN, x remaining attempts |
19.6. GET OPERATION MODE
19.6.1. Description
This command returns the current operation mode used by the dongle
The forward setup mask is present if a forward setup mode was performed and the seed has not been redeemed by the end user yet.
19.6.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
24 |
00 : query the dongle operation mode 01 : query the second factor currently used |
00 |
00 |
01 |
Input data
None
Output data (dongle operation mode)
Description |
Length |
Operation Mode 0x01 : standard wallet 0x02 : relaxed wallet 0x04 : server 0x08 : developer 0x80 : mask added if forward setup mode was used and the seed has not been redeemed yet |
1 |
Output data (second factor in use)
Description |
Length |
Operation Mode 0x11 : original second factor (keyboard validation method) 0x12 : secondary second factor (security card) 0x13 : secondary second factory (security card and secure screen) |
1 |
Availability
This function is always available following dongle setup.
19.7. SET OPERATION MODE
19.7.1. Description
This command sets the operation mode that will be used by the dongle after the next power up.
The dongle must be physically reset following this command if switching to a different mode than the current mode.
If a keycard or a secure screen have been provisioned, they can be enabled with this command. The alternate second factor is only enabled until the dongle is power cycled.
If the requested mode has been disabled on setup, an error will be returned.
19.7.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
26 |
00 : do not enable the alternate second factor (only valid if switching to standard operation mode) 01 : enable the alternate second factor until the dongle is power cycled (only valid if switching to standard operation mode) 02 : enable the alternate second factor permanently, until the seed is erased (only valid if switching to standard operation mode) |
00 |
01 |
00 |
Input data
Description |
Length |
Operation Mode 0x01 : standard wallet 0x02 : relaxed wallet 0x04 : server 0x08 : developer |
1 |
Output data
None
Availability
This function is always available following dongle setup, and is protected by the user PIN.
19.8. SET KEYBOARD CONFIGURATION
19.8.1. Description
This command sets or modifies the keymap and typing behaviour following dongle setup.
The keymap is encoded as in [KeymapEncoding]
Note
|
This command is not supported by devices offering a screen and buttons |
19.8.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
28 |
00 : set keymap 01 : set typing behaviour |
00 |
var |
00 |
Input data (set keymap)
Description |
Length |
ALT-GR usage keymap |
12 |
Shift usage keymap |
12 |
HID page table for ASCII codes from 0x20 to 0x7e |
95 |
Input data (set typing behaviour)
Description |
Length |
Unit delay before starting to type (in CPU cycles, big endian) |
4 |
Number of unit delay to wait before starting to type (big endian) |
4 |
Unit delay between each key (in CPU cycles, big endian) |
4 |
Number of unit delay to wait between each key (big endian) |
4 |
Output data
None
Availability
This function is always available following dongle setup, and is protected by the user PIN if not operating in forward setup mode.
20. Wallet usage APDUs
20.1. GET WALLET PUBLIC KEY
20.1.1. Description
This command returns the public key and Base58 encoded address for the given BIP 32 path.
20.1.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
40 |
00 |
00 |
variable |
variable |
Input data
Description |
Length |
Number of BIP 32 derivations to perform (max 10) |
1 |
First derivation index (big endian) |
4 |
… |
4 |
Last derivation index (big endian) |
4 |
Output data
Description |
Length |
Public Key length |
1 |
Uncompressed Public Key |
var |
Base58 bitcoin address length |
1 |
Base58 encoded bitcoin address |
var |
BIP32 Chain code |
32 |
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and server operation modes, and is protected by the user PIN.
20.2. GET TRUSTED INPUT
20.2.1. Description
This command is used to extract a Trusted Input (encrypted transaction hash, output index, output amount) from a transaction.
The transaction data to be provided should be encoded using bitcoin standard raw transaction encoding. Scripts can be sent over several APDUs. Other individual transaction elements split over different APDUs will be rejected. 64 bits varints are rejected.
20.2.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
42 |
00 : first transaction data block 80 : subsequent transaction data block |
00 |
var |
var |
Input data (first block)
Description |
Length |
Input index to lookup (big endian) |
4 |
Transaction data |
var |
Input data (next block)
Description |
Length |
Transaction data |
var |
Output data (non last block)
None
Output data (last block)
Description |
Length |
Trusted Input |
56 |
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and server operation modes.
20.3. UNTRUSTED HASH TRANSACTION INPUT START
20.3.1. Description
This command is used to compose an opaque SHA-256 hash for a new transaction.
This transaction can be verified by the user and using transaction rules according to the current dongle operation mode.
If a new transaction is started, a VERIFY PIN command shall have been issued previously to unlock the dongle at least once following the dongle power up
The transaction data to be provided should be encoded using bitcoin standard raw transaction encoded as follows :
-
A 1 byte flag is added before each input in the transaction - if the input is passed as a Trusted Input, this flag is set to 0x01 - otherwise, it is set to 0x00. Non Trusted Inputs can be used in relaxed mode for inputs that are not signed, or for all P2SH inputs when the dongle has been setup to skip the second factor when dealing with P2SH inputs.
-
When using a Trusted Input, each input outpoint is replaced by the Trusted Input length (1 byte) and the Trusted Input data
-
The input scripts shall be prepared by the host for the transaction signing process as per bitcoin rules : the current input script being signed shall be the previous output script (or the redeeming script when consuming a P2SH output), and other input script shall be null.
-
The encoded transaction data shall be provided up to (and not including) the number of outputs.
-
Scripts can be sent over several APDUs. Other individual transaction elements split over different APDUs will be rejected. 64 bits varints are rejected.
20.3.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
44 |
00 : first transaction data block 80 : subsequent transaction data block |
00 : start signing a new transaction 80 : continue signing another input of the current transaction |
var |
var |
Input data
Description |
Length |
Transaction data |
var |
Output data
None
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and server operation modes, and is protected by the user PIN when starting to sign a new transaction (P1 and P2 set to 0x00)
20.4. UNTRUSTED HASH TRANSACTION INPUT FINALIZE
20.4.1. Description
This command is used to compose an opaque SHA-256 hash for the transaction outputs
This command is rejected if all inputs advertised at the beginning of the transaction have not been processed first.
The generated script will be the standard script coded as below given the address for a non script address
OP_DUP OP_HASH160 [pubKeyHash] OP_EQUALVERIFY OP_CHECKSIG
For a P2SH script address the generated script will be
OP_HASH160 [script hash] OP_EQUAL
The output amount, fees and change will be validated by the user in wallet or relaxed wallet modes.
A maximum 80 bytes OP_RETURN output script payload can be provided - it will be added to the transaction with a null amount
The generated transaction output data contains in pre-serialized form the number of outputs (target & optionally change) and each output data
If a keycard seed has been provided, and the wallet is operating in standard mode with the alternate second factor activated, an alternate second factor validation scheme is used, see [Keycard]
After 30 invalid second factor challenges submitted in a row, the dongle data is erased and it must be setup again.
Note
|
On a device offering a screen and buttons, the confirmation will be prompted immediately and returned with code 0x00 (no confirmation requested) to the caller |
20.4.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
46 |
01 : output address provided as version byte + binary hash160 02 : output address provided as base58 string |
00 |
var |
var |
Input data
Description |
Length |
Length of the Output Address |
1 |
Output Address (base58 or hash160) |
var |
Amount (big endian) |
8 |
Fees (big endian) |
8 |
Number of BIP 32 derivations to perform (max 10) |
1 |
First derivation index for the internal change address (big endian) |
4 |
… |
4 |
Last derivation index for the internal change address (big endian) |
4 |
Optional OP_RETURN output payload length |
1 |
Optional OP_RETURN output payload |
var |
Output data (if no keycard seed is set)
Description |
Length |
Generated transaction output data length |
1 |
Generated transaction output data |
var |
Transaction user validation flag 0x00 : no user validation requested 0x01 : user validation requested with keyboard confirmation |
1 |
Output data (if keycard seed is set and no secure screen is paired)
Description |
Length |
Generated transaction output data length |
1 |
Generated transaction output data |
var |
Transaction user validation flag 0x02 : user validation requested with keycard |
1 |
Indexes of variable positions in the address to check |
var |
Output data (if keycard seed is set and a secure screen is paired)
Description |
Length |
Generated transaction output data length |
1 |
Generated transaction output data |
var |
Transaction user validation flag 0x03 : user validation requested with secure screen or keycard |
1 |
Number of variable positions in the address to check |
1 |
Indexes of variable positions in the address to check |
var |
Second factor data 3DES-CBC encrypted by the pairing key |
var |
The second factor data is coded as follows
Description |
Length |
Unique PIN |
4 |
Output amount (satoshis, big endian) |
8 |
Fees (satoshis, big endian) |
8 |
Change (satoshis, big endian) |
8 |
Output address length |
1 |
Output address |
var |
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and server operation modes.
20.5. UNTRUSTED HASH SIGN
20.5.1. Description
This command is used to sign a given secure hash using a private key (after re-hashing it following the standard Bitcoin signing process) to finalize a transaction input signing process.
This command will be rejected if the transaction signing state is not consistent or if a user validation is required and the provided user validation code is not correct.
20.5.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
48 |
00 |
00 |
var |
var |
Input data
Description |
Length |
Number of BIP 32 derivations to perform (max 10) |
1 |
First derivation index for the private key to use (big endian) |
4 |
… |
4 |
Last derivation index for the private key to use (big endian) |
4 |
User validation code length (or 0x00) |
1 |
User validation code |
var |
Lock Time (big endian) |
4 |
SigHashType |
1 |
Output data
Description |
Length |
Signed hash, as ASN-1 encoded R & S components. Mask first byte with 0xFE |
var |
SigHashType |
1 |
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and server operation modes.
20.6. UNTRUSTED HASH TRANSACTION INPUT FINALIZE FULL
20.6.1. Description
This command is used to compose an opaque SHA-256 hash for the transaction outputs
This command is rejected if all inputs advertised at the beginning of the transaction have not been processed first.
Output data can be split arbitrarily.
Note
|
On a device offering a screen and buttons, the confirmation will be prompted immediately and returned with code 0x00 (no confirmation requested) to the caller |
20.6.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
4A |
00 : more input data to be sent 80 : last input data block to be sent |
00 |
var |
var |
Input data (first block)
Description |
Length |
Start of output data, containing the number of outputs encoded as a Bitcoin varint |
var |
Input data (optional next blocks)
Description |
Length |
Output data continued |
var |
Output data (not last block)
None
Output data (last block)
Description |
Length |
Transaction user validation flag 0x00 : no user validation requested 0x01 : user validation requested |
1 |
Availability
This function is available following dongle setup in standard wallet mode when the dongle has been setup to skip the second factor when dealing with P2SH inputs and the current transaction is consuming P2SH inputs, or always available following dongle setup in relaxed wallet and server operation modes.
20.7. SIGN MESSAGE
20.7.1. Description
This command is used to sign a maximum 140 bytes long text message using a private key. The message must be ASCII printable (each byte of the message must be between 0x20 and 0x7e, both included)
The message is provided to the dongle, which types it along with a single usage transaction PIN when it’s power cycled.
The transaction PIN is then sent back to this command to retrieve the message signature
The signature is performed as follows :
-
The data to sign is the magic "\x18Bitcoin Signed Message:\n" - followed by the length of the message to sign on 1 byte (if requested) followed by the binary content of the message
-
The signature is performed on a double SHA-256 hash of the data to sign using the selected private key
The signature is returned using the standard ASN-1 encoding. To convert it to the proprietary Bitcoin-QT format, the host has to :
-
Get the parity of the first byte (sequence) : P
-
Add 27 to P if the public key is not compressed, otherwise add 31 to P
-
Return the Base64 encoded version of P || r || s
If the low end word of one component of the BIP 32 derivation path includes 0xB11D or 0xB11E the message is immediately signed without confirmation (typically used for BitID). The dongle must be powercycled after signing with a derivation path containing 0xB11D.
Note
|
On a device offering a screen and buttons, the confirmation will be prompted immediately and returned with code 0x00 (no confirmation requested) to the caller. Limitations regarding the message content and length can be different. |
20.7.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
4E |
00 : prepare message 80 : sign message |
00 |
var |
var |
Input data in prepare mode
Description |
Length |
Number of BIP 32 derivations to perform (max 10) |
1 |
First derivation index of the private key to use (big endian) |
4 |
… |
4 |
Last derivation index of the private key to use (big endian) |
4 |
Message length (max 140) |
1 |
Message |
var |
Input data in sign mode
Description |
Length |
User validation code length (or 00 in server mode) |
1 |
User validation code |
var |
Output data in prepare mode
Description |
Length |
Transaction user validation flag 0x00 : no user validation requested 0x01 : user validation requested |
1 |
Output data in sign mode
Description |
Length |
ASN-1 encoded message signature with Y parity indicated in the first (sequence) byte |
variable |
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and server operation modes and is protected by the user PIN when preparing a message to sign (P1 set to 0x00)
21. Personal BIP 70 Certificates APDUs
21.1. STORE TRUST ROOT BIP 70
21.1.1. Description
This command is used to store a user controlled trust root private key in a slot (3 slots are defined). It must be executed in a secure environment.
A keyboard second factor validation is required to proceed.
Note
|
On a device offering a screen and buttons, the confirmation will be prompted immediately. |
21.1.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
30 |
01 : prepare trust root 80 : confirm trust root |
00 |
var |
var |
Input data (prepare trust root)
Description |
Length |
Trust root slot (0 to 2) |
1 |
Trust root identity length |
1 |
Trust root identity (max 20 bytes) |
var |
Private key value |
32 |
Input data (confirm trust root)
Description |
Length |
User validation code |
var |
Output data (prepare trust root)
None
Output data (confirm trust root)
Description |
Length |
Self signed certificate for this identity and trust root |
var |
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and is protected by the user PIN
21.2. CREATE CERTIFICATE BIP 70
This command is used to create a new BIP 70 certificate associating an identity to a BIP 32 key path for the current seed and signed by the given Trusted Root. All children of this path can be certified by this certificate.
The dongle returns a private part, wrapped for this dongle, containing the certificate private key, the BIP 32 path and the checksum of the public key at this root path, a certificate signed by the given Trust Root, and a checksum of the certificate that can be passed to the client through a second channel for validation.
21.2.1. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
32 |
00 : generate the certificate 80 : retrieve the second part of the certificate |
00 |
var |
var |
Input data (first part)
Description |
Length |
Trust root slot (0 to 2) |
1 |
Number of BIP 32 derivations to perform (max 9) |
1 |
First derivation index (big endian) |
4 |
… |
4 |
Last derivation index (big endian) |
4 |
Subject Common Name length |
1 |
Subject Common Name (max 20 bytes) |
var |
Validity start as UTC time |
13 |
Validity end as UTC time |
13 |
Input data (second part)
None
Output data (first part)
Description |
Length |
Certificate private part length |
1 |
Certificate private part blob |
var |
Certificate public part checksum length |
1 |
Certificate public part checksum |
var |
DER encoded certificate (first part) |
var |
Output data (second part)
Description |
Length |
DER encoded certificate (second part) |
var |
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and is protected by the user PIN
21.3. CREATE PAYMENT REQUEST BIP 70
This command is used to create a new signed PaymentRequest with the provided certificate, validating that the address belongs to the user by checking that the provided BIP 32 derivation path is a child of the BIP 32 derivation path associated to the certificate.
The PaymentRequest is prepared by the host and passed to the dongle for validation and signature. Elements serialized as Protocol Buffers wire types other than 2 shall be provided in a single APDU. The tag and length of elements serialized as Protocol Buffer wire type 2 shall be provided in a single APDU. The output script and pki_type shall be provided as a single APDU.
The following elements of the PaymentRequest are validated by the dongle :
-
PaymentRequest.pki_type is set to x509+sha256
-
PaymentDetails.outputs has a single element
-
Output.script contains a simple transfer to the given derived address
After validating the PaymentRequest, the dongle returns its signature.
21.3.1. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
34 |
00 : initialization 80 : PaymentRequest chunk |
00 : more PaymentRequest chunks expected 80 : last PaymentRequest chunk |
var |
var |
Input data (initialization)
Description |
Length |
Certificate private part length |
1 |
Certificate private part |
var |
Number of BIP 32 derivations to perform (max 10) |
1 |
First derivation index (big endian) |
4 |
… |
4 |
Last derivation index (big endian) |
4 |
Input data (next payment request chunk)
Description |
Length |
Serialized PaymentRequest chunk |
var |
Output data (initialization)
Description |
Length |
Output script length |
1 |
Output script |
var |
Output data (last PaymentRequest chunk)
Description |
Length |
PaymentRequest signature |
var |
Output data (other)
None
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and is protected by the user PIN
21.4. PROCESS CERTIFICATE BIP 70
This command is used to approve the future use of an external BIP 70 Certificate by a dongle.
After submitting the request, the certificate checksum is typed by the second factor. If validated and confirmed by the user, the encoded certificate valid for this dongle is returned.
Note
|
On a device offering a screen and buttons, the confirmation will be prompted immediately. |
21.4.1. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
36 |
00 : prepare certificate 80 : confirm certificate |
00 : when preparing, first certificate block 01 : when preparing, more certificate blocks expected 80 : when preparing, last certificate block |
var |
var |
Input data (prepare certificate, first block)
Description |
Length |
Trust root slot (0 to 2) |
1 |
BIP 70 Certificate part |
var |
Input data (prepare certificate, next block or last block)
Description |
Length |
BIP 70 Certificate part |
var |
Input data (confirm certificate)
Description |
Length |
User validation code |
var |
Output data (prepare certificate)
None
Output data (confirm certificate)
Description |
Length |
Encoded BIP 70 Certificate for this dongle |
var |
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and is protected by the user PIN
21.5. PARSE PAYMENT REQUEST BIP 70
This command is used to approve the future use of an external BIP 70 Payment Request by a dongle.
The serialzied PaymentRequest is passed to the dongle for validation. Elements serialized as Protocol Buffers wire types other than 2 shall be provided in a single APDU. The tag and length of elements serialized as Protocol Buffer wire type 2 shall be provided in a single APDU.
If the PaymentRequest is successfully validated, an encoded PaymentRequest valid for this dongle is returned
21.5.1. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
38 |
00 : initialization 80 : PaymentRequest chunk |
00 : more PaymentRequest chunks expected 80 : last PaymentRequest chunk |
var |
var |
Input data (first payment request chunk)
Description |
Length |
Encoded certificate length |
1 |
Encoded certificate |
var |
Input data (next payment request chunk)
Description |
Length |
Serialized PaymentRequest chunk |
var |
Output data (last PaymentRequest chunk)
Description |
Length |
Encoded PaymentRequest for this dongle |
var |
Output data (other)
None
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet and is protected by the user PIN
21.6. UNTRUSTED HASH TRANSACTION INPUT FINALIZE BIP 70
21.6.1. Description
This command is used to compose an opaque SHA-256 hash for the transaction outputs
This command is rejected if all inputs advertised at the beginning of the transaction have not been processed first.
The output address and amount are provided by a previously encoded PaymentRequest
21.6.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
3A |
00 |
00 |
var |
var |
Input data
Description |
Length |
Length of encoded PaymentRequest |
1 |
Encoded PaymentRequest |
var |
Fees (big endian) |
8 |
Number of BIP 32 derivations to perform (max 10) |
1 |
First derivation index for the internal change address (big endian) |
4 |
… |
4 |
Last derivation index for the internal change address (big endian) |
4 |
Output data
Description |
Length |
Availability
This function is always available following dongle setup in standard wallet, relaxed wallet modes.
22. Server mode APDUs
22.1. GET TRANSACTION LIMIT
22.1.1. Description
This command returns the current cumulative amount limit and the number of transactions remaining
Warning
|
This function is not supported in this version |
22.1.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
A0 |
00 |
00 |
00 |
0C |
Input data
None
Output data
Description |
Length |
Remaining cumulative amount (big endian) |
8 |
Remaining number of transactions |
4 |
Availability
This function is always available following dongle setup in server operation modes.
22.2. SET TRANSACTION LIMIT
22.2.1. Description
This command sets the current cumulative amount limit and the number of transactions remaining.
This command is protected by the HOTP server key. If the OTP is correct, the command is executed, the transaction limit is updated immediately and the OTP sequence counter is increased.
Warning
|
This function is not supported in this version |
22.2.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
A2 |
00 |
00 |
10 |
var |
Input data
Description |
Length |
8 digits HOTP code |
8 |
Cumulative amount (big endian) |
8 |
Number of transactions after power up |
4 |
Output data
None
Availability
This function is always available following dongle setup in server operation modes.
23. Developer mode APDUs
23.1. IMPORT PRIVATE KEY
23.1.1. Description
This command imports a regular private key, a BIP32 private key or a BIP32 seed and returns an encrypted version of the private key that this dongle can use for future operations.
23.1.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
B0 |
Import method 0x01 : Base58 encoded private key or BIP32 private key 0x02 : BIP32 seed |
00 |
var |
var |
Input data
Description |
Length |
Base58 private key or seed |
var |
Output data
Description |
Length |
Encoded private key |
var |
Availability
This function is always available following dongle setup in developer operation mode.
23.2. GET PUBLIC KEY
23.2.1. Description
This command returns the public key or the extended public key for an encoded private key
23.2.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
B2 |
00 |
00 |
var |
var |
Input data
Description |
Length |
Encoded private key length |
1 |
Encoded private key |
var |
Output data (non HD key)
Description |
Length |
Flag : 0x01 |
1 |
Public key length |
1 |
Public key |
var |
Output data (HD key)
Description |
Length |
Flag : 0x02 |
1 |
Public key length |
1 |
Public key |
var |
Chain code |
32 |
Depth |
1 |
Parent fingerprint |
4 |
Child number (big endian) |
4 |
Availability
This function is always available following dongle setup in developer operation mode, and is protected by the user PIN.
23.3. DERIVE BIP32 KEY
23.3.1. Description
This command derives a BIP32 key to return a child key.
This command returns an error if operating on a non BIP32 key
Both hardened and non hardened derivation modes are supported.
23.3.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
B4 |
00 |
00 |
var |
var |
Input data
Description |
Length |
Encoded private key length |
1 |
Encoded private key |
var |
Child index (big endian) |
4 |
Output data
Description |
Length |
Encoded private key |
var |
Availability
This function is always available following dongle setup in developer operation mode.
23.4. ECDSA SIGN/VERIFY IMMEDIATE
23.4.1. Description
This command is used to sign a given hash using an encoded private key or verify a given signature using a public key
23.4.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
B6 |
00 : sign 80 : verify |
00 : sign with random K 80 : sign with deterministic K |
var |
var |
Input data (sign mode)
Description |
Length |
Length of encoded private key |
1 |
Encoded private key |
var |
Length of hash to sign (up to 32 bytes) |
1 |
Hash to sign |
var |
Input data (verify mode)
Description |
Length |
Length of uncompressed public key |
1 |
Uncompressed Public key |
var |
Length of hash to verify (up to 32 bytes) |
1 |
Hash to verify |
var |
Signature |
var |
Output data (sign mode)
Description |
Length |
Signed hash, as ASN-1 encoded R & S components. Mask first byte with 0xFE |
var |
Output data (verify mode)
None
Availability
This function is always available following dongle setup in developer operation mode, and is protected by the user PIN
24. Test and utility APDUs
24.1. GET RANDOM
24.1.1. Description
This command returns random bytes from the dongle hardware random number generator
24.1.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
C0 |
00 |
00 |
00 |
variable |
Input data
None
Output data
Description |
Length |
Random bytes |
variable |
Availability
This function is always available.
24.2. GET DEVICE ATTESTATION
24.2.1. Description
This command returns a signature of the 6 bytes current firmware version concatenated to the given blob by the attestation key.
24.2.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
C2 |
00 |
00 |
08 |
variable |
Input data
Description |
Length |
Blob to sign |
8 |
Output data
Description |
Length |
Attestation key batch ID |
04 |
Attestation key derivation index ID |
04 |
Supported operation modes bitflag |
01 |
Current operation mode |
01 |
Firmware major version |
02 |
Firmware minor version |
01 |
Firmware patch version |
01 |
Loader ID major version |
01 |
Loader ID minor version |
01 |
Signature of 8 previous bytes + blob |
variable |
Availability
This function is always available.
24.3. GET FIRMWARE VERSION
24.3.1. Description
This command returns the firmware version of the dongle and additional features supported
24.3.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
C4 |
00 |
00 |
00 |
07 |
Input data
None
Output data
Description |
Length |
Features flag 0x01 : public keys are compressed (otherwise not compressed) 0x02 : implementation running with screen + buttons handled by the Secure Element 0x04 : implementation running with screen + buttons handled externally 0x08 : NFC transport and payment extensions supported 0x10 : BLE transport and low power extensions supported 0x20 : implementation running on a Trusted Execution Environment |
01 |
Architecture (only since Ledger Wallet, or RFU) |
01 |
Firmware major version |
01 |
Firmware minor version |
01 |
Firmware patch version |
01 |
Loader ID major version (if applicable) |
01 |
Loader ID minor version (if applicable) |
01 |
Availability
This function is always available.
24.4. COMPOSE M OF N ADDRESS
24.4.1. Description
This command is used to create and check on the fly a P2SH payment address to an M of N transaction, according to BIP 16 and BIP 11.
Each public key address is prompted to the user and validated by entering a PIN code as per the second factor mechanism.
After all public key addresses have been provided, the final address is typed to the user using the second factor mechanism.
Public keys can be provided in compressed or uncompressed format.
Warning
|
This function is not supported in this version |
24.4.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
C6 |
00 : start composing a new address 80 : continue composing an address with a new public key |
00 |
variable |
variable |
Input data (for a new address)
Description |
Length |
M (number of signatures to provide to redeem the transaction, must be smaller than or equal to N) |
01 |
N (total number of public keys provided, must be smaller than or equal to 3) |
01 |
Public key |
var |
Input data (to keep on submitting a new key)
Description |
Length |
Authorization length |
1 |
Authorization |
var |
Optional Public key, ignored for the last one |
var |
Output data
Description |
Length |
User validation flag 0x01 : user validation requested |
1 |
Availability
This function is always available following dongle setup (but is not usable in server mode)
24.5. GET POINT OF SALE SEED
24.5.1. Description
This command is used to retrieve the seed backup if the dongle was set up in Point Of Sale mode.
The seed backup is split into 2 components :
-
A seed 3DES encryption key, randomly generated by the dongle
-
The encrypted seed
It is recommended to retrieve each seed component on a different host.
The dongle must be powercycled after processing this command.
24.5.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
E0 |
CA |
01 : request seed encryption key 02 : request encrypted seed |
00 |
variable |
variable |
Input data
None
Output data (for seed encryption key)
Description |
Length |
Seed encryption key |
16 |
Output data (for encrypted seed)
Description |
Length |
Encrypted seed |
64 |
Availability
This function is available after setup in Point Of Sale mode and is disabled after the encrypted seed is retrieved once
25. Vendor management APDUs
These APDUs are used for factory setup and firmware updates.
25.1. FACTORY INITIALIZE KEYS
25.1.1. Description
This command is used to derive the factory update, attestation storage, and optional BIP 70 initial Trust Root storage from the shared rom key before issuance.
25.1.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
D0 |
20 |
00 |
00 |
28 or 38 |
00 |
Input data
Description |
Length |
Firmware update ID |
08 |
Attestation storage key diversifier |
10 |
Firmware update key diversifier |
10 |
BIP 70 Trust Root key diversifier |
10 |
Output data
None
Availability
This function is only available pre issuance
25.2. FACTORY INITIALIZE ATTESTATION
25.2.1. Description
This command sets up the attestation private key used to authenticate the device.
The dongle switches to post-issuance mode once this APDU is received and handled successfully.
25.2.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
D0 |
22 |
00 |
00 |
2B |
00 |
Input data
Description |
Length |
Attestation key batch ID |
04 |
Attestation key derivation index ID |
04 |
Wrapped attestation private key |
35 |
Output data
None
Availability
This function is only available pre issuance
25.3. GET FIRMWARE UPDATE ID
25.3.1. Description
This command returns the firmware update ID of this dongle.
25.3.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
D0 |
24 |
00 |
00 |
00 |
08 |
Input data
None
Output data
Description |
Length |
Firmware update ID |
08 |
Availability
This function is only available before the dongle is set up (either when received or following a dongle reset)
25.4. FACTORY INITIALIZE KEYCARD SEED
25.4.1. Description
This command is used to replace the keyboard second factor by a printed keycard for regular (non relaxed) transactions
The keycard associates each ASCII character between 0x30 and 0x7a (included) to an hexadecimal digit, obtained by encrypting 00..50 by the 3DES-2 keycard seed key using CBC encryption, and considering each digit as an exclusive OR of both nibbles of each element
When using the keycard second factor, the user needs to provide as authentication code random A characters of the destination address (up to 10)
25.4.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
D0 |
26 |
00 |
00 |
11 |
00 |
Input data
Description |
Length |
Number of random address characters to provide |
1 |
Keycard seed |
16 |
Output data
None
Availability
This function is only available pre issuance
25.5. FACTORY INITIALIZE BIP 70 TRUST ROOT
25.5.1. Description
This command sets up an initial BIP 70 Trust Root
25.5.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
D0 |
28 |
00 |
00 |
var |
00 |
Input data
Description |
Length |
Wrapped (slot index + Trust root identity length + Trust root identity (max 20 bytes) + BIP 70 Trust Root private key) |
var |
Output data
None
Availability
This function is only available pre issuance
25.6. FIRMWARE UPDATE
25.6.1. Description
This command is used to update the dongle firmware.
The dongle must not been set up to issue this command - if the dongle is set up, first wipe the user data by issuing the wrong user PIN 3 times.
Note
|
Support of this APDU is device dependent. |
25.6.2. Coding
Command
CLA |
INS |
P1 |
P2 |
Lc |
Le |
D0 |
42 |
03 : start bootloader 06 : load bootloader |
00 |
variable |
00 |
Input data
Description |
Length |
Firmware blob |
variable |
Output data
None
Availability
This function is only available before the dongle is set up (either when received or following a dongle reset)
26. Transport protocol
26.1. General transport description
Ledger APDUs requests and responses are encapsulated using a flexible protocol allowing to fragment large payloads over different underlying transport mechanisms.
The common transport header is defined as follows :
Description |
Length |
Communication channel ID (big endian) |
2 |
Command tag |
1 |
Packet sequence index (big endian) |
2 |
Payload |
var |
The Communication channel ID allows commands multiplexing over the same physical link. It is not used for the time being, and should be set to 0101 to avoid compatibility issues with implementations ignoring a leading 00 byte.
The Command tag describes the message content. Use TAG_APDU (0x05) for standard APDU payloads, or TAG_PING (0x02) for a simple link test.
The Packet sequence index describes the current sequence for fragmented payloads. The first fragment index is 0x00.
26.2. APDU Command payload encoding
APDU Command payloads are encoded as follows :
Description |
Length |
APDU length (big endian) |
2 |
APDU CLA |
1 |
APDU INS |
1 |
APDU P1 |
1 |
APDU P2 |
1 |
APDU length |
1 |
Optional APDU data |
var |
APDU payload is encoded according to the APDU case
Case Number |
Lc |
Le |
Case description |
1 |
0 |
0 |
No data in either direction - L is set to 00 |
2 |
0 |
!0 |
Input Data present, no Output Data - L is set to Lc |
3 |
!0 |
0 |
Output Data present, no Input Data - L is set to Le |
4 |
!0 |
!0 |
Both Input and Output Data are present - L is set to Lc |
26.3. APDU Response payload encoding
APDU Response payloads are encoded as follows :
Description |
Length |
APDU response length (big endian) |
2 |
APDU response data and Status Word |
var |
26.4. USB mapping
Messages are exchanged with the dongle over HID endpoints over interrupt transfers, with each chunk being 64 bytes long. The HID Report ID is ignored.
27. Status Words
The following standard Status Words are returned for all APDUs - some specific Status Words can be used for specific commands and are mentioned in the command description.
Status Words
SW |
Description |
6700 |
Incorrect length |
6982 |
Security status not satisfied (Bitcoin dongle is locked or invalid access rights) |
6A80 |
Invalid data |
6A82 |
File not found |
6B00 |
Incorrect parameter P1 or P2 |
6Fxx |
Technical problem (Internal error, please report) |
9000 |
Normal ending of the command |
28. Data structures
The format of the data structures is provided for interoperability and validation purposes. A typical user will not need to manipulate them directly.
28.1. Encoded private key in developer mode
An encoded private key is stored internally as follow. The private key component (S) and optional chain are triple DES encrypted by the developer mode wrapping key in CBC mode with a null IV (as S alone or S concatenated to the chain code)
Description |
Length |
Magic version (01) |
1 |
Private key type 0x01 : standard private key 0x02 : BIP32 private key |
1 |
Version |
1 |
Private key component (S) |
32 |
If BIP32, chain code |
32 |
If BIP32, depth |
1 |
If BIP32, parent fingerprint |
4 |
If BIP32, child number (big endian) |
4 |
28.2. Encoded trusted input
An encoded trusted input is stored internally as follow. The signature is the last block of a Triple DES CBC encryption of the previous data by the trusted input encryption key.
Description |
Length |
Magic version (32) |
1 |
Flags RFU |
1 |
Nonce |
2 |
Associated transaction hash |
32 |
Index in associated transaction |
4 |
Associated amount |
8 |
Signature |
8 |
28.3. Encoded private part of a BIP 70 Personal Certificate
An encoded private part of a BIP 70 Personal Certificate is stored internally as follow. The private key component is triple DES encrypted by the BIP 70 encryption key in CBC mode with a null IV. The signature is the last block of a Triple DES CBC encryption of the previous data by the BIP 70 signature key.
Description |
Length |
Magic version (03) |
1 |
Flags RFU |
1 |
Encrypted certificate private key |
32 |
Associated public key checksum |
4 |
Number of BIP 32 derivations to perform (max 9) |
1 |
First derivation index (big endian) |
4 |
… |
4 |
Last derivation index (big endian) |
4 |
Nonce |
var |
Signature |
8 |
28.4. Encoded BIP 70 Personal Certificate for dongle consumption
An encoded BIP 70 Personal Certificate for dongle consumption is stored internally as follow. The signature is the last block of a Triple DES CBC encryption of the previous data by the BIP 70 signature key.
Description |
Length |
Magic version (04) |
1 |
Flags RFU |
1 |
Certificate public key |
65 |
Subject Common Name length |
1 |
Subject Common Name |
var |
Nonce |
var |
Signature |
8 |
28.5. Encoded BIP 70 PaymentRequest for dongle consumption
An encoded BIP 70 PaymentRequest for dongle consumption is stored internally as follow. The signature is the last block of a Triple DES CBC encryption of the previous data by the BIP 70 signature key.
Description |
Length |
Magic version (05) |
1 |
Flags RFU |
1 |
Amount |
8 |
Output script length |
1 |
Output script |
var |
Nonce |
var |
28.6. Specific data transport for firmware update or private key attestation storage
Data sent for firmware update or private key attestation storage is formatted as follows, encrypted by either the diversified firmware update key or the diversified attestation storage key
Description |
Length |
Data size without padding |
01 |
3DES-CBC encrypted data with a null IV |
variable |
Padding |
variable |
CRC-16 of the cleartext data block |
02 |
The target key is disabled after 10 invalid CRC-16 have been received in sequence.
After each invalid CRC-16, the dongle has to be power cycled before accepting another command.
29. Attestation keys
The following Attestation keys are used for production versions :
-
Batch ID 01, Derivation Index ID 01 (pre 1.4.11) : 04223314cdffec8740150afe46db3575fae840362b137316c0d222a071607d61b2fd40abb2652a7fea20e3bb3e64dc6d495d59823d143c53c4fe4059c5ff16e406
-
Batch ID 02, Derivation Index ID 01 (post 1.4.11) : 04c370d4013107a98dfef01d6db5bb3419deb9299535f0be47f05939a78b314a3c29b51fcaa9b3d46fa382c995456af50cd57fb017c0ce05e4a31864a79b8fbfd6
The following Attestation key is used for test versions :
04e69fd3c044865200e66f124b5ea237c918503931bee070edfcab79a00a25d6b5a09afbee902b4b763ecf1f9c25f82d6b0cf72bce3faf98523a1066948f1a395f