Upgrade Firmware

Learn how to upgrade here >

Current Version of Coldcard Firmware — Version 4.1.1

• 2021-04-30T1748-v4.1.1-coldcard.dfu released April 30, 2021.

NOTE: Releases after 3.0.6 are NOT COMPATIBLE with Mk1 hardware. They will brick Mk1 Coldcards.

Video: How to Upgrade Firmware

Version 4.1.1 - April 30, 2021

• Bugfix/Enhancement: Unchained Capital was using the P2SH (BIP-45) value we exported in our multisig wallet file (removed in 4.1.0). So we've restored that, added BIP-45 path to our generic JSON export (if account number is zero), and added a dedicated menu item: Advanced > MicroSD > Export > Unchained Capital

Version 4.1.0 - April 29, 2021

• New feature: Seed XOR -- split your secret BIP-39 seed into 2 (or 3 or 4) new seed phrases
  • any combination of found seed word phrases is a fully working wallet (great for duress)
  • still 24 words, and can be encoded onto a SEEDPLATE
  • all parts are required to be known to get back to original seed phrase (not M of N, always N of N),
  • your existing seed can be split by Coldcard (one already in use)
  • you can do the math on paper, and it's possible to split/combine without the Coldcard
  • see docs/seed-xor.md for background
  • see wordlist-paper repo for some tools
• Enhancement: Add support for BIP-48 derivations when exporting generic JSON (including the accounts number) under Advanced > MicroSD Card > Export Wallet > Generic JSON. These are targeted towards multisig wallets, such as Sparrow
• Enhancement: Ask for account number when creating Multisig Wallets via air-gapped Coldcards. Use account zero for compatibility with previous versions. No need to use same account number on each participating Coldcard, but we recommend that. Creating new P2SH (BIP-45) type air-gapped wallets has been removed since it cannot support multiple accounts.
• Enhancement: Show new firmware version number and date before installing firmware update.
• Bugfix: Could not clear PIN codes, including the duress PIN, so was not possible to wipe the main secret, if a duress PIN had been set. 999999-999999 works again now.
• Bugfix: Deleting a multisig wallet that was identical to another wallet, except for different address type, would lead to an error.
• Bugfix: Standardize on BIP-nn in place of BIPnn in source code, messages and docs.

Version 4.0.2 - April 7, 2021

• New feature: "Countdown and Brick" (Mk3 only)
  • set a special PIN code, and when used, the Coldcard is immediately bricked while a normal-looking countdown for login is shown (default 1 hour). As an alternative to bricking, you can make it consume all but the final PIN attempt.
• Enhancements to "Login Countdown" feature:
  • turning off the Coldcard will not clear the countdown, it continues on next power-up.
  • login countdown time delays are more accurate now.
  • Important: for the first login when firmware runs (immediately after upgrade), the login countdown delay, if you had previously enabled it, will not be enforced. However, the setting is then migrated to a new spot and takes effect going forward without any action needed.
• Enhancement: Settings > Display Units: Select how to show Bitcoin amounts when displayed on-screen. Choices are BTC (default), mBTC (millibit), bits (aka uBTC), and sats (an integer).
• Enhancement: Settings > Disable USB: New setting to disable USB port if your plan is air-gap only. Default remains USB port enabled.
• Bugfix: Formating of larger SD Cards works again (FAT32 support).
• Bugfix: Reject transactions whose outputs are greater than inputs.
• Downgrades to v3 no longer supported.

Version 4.0.1 - March 29, 2021

• Fixes security issue in v4.0.0. (3.x.x Unaffected)
• Known issue: formatting of SD Card does not work and leads to a crash.

Version 4.0.0 - Mar 17, 2021

• Major internal changes.
  • now using Bitcoin Core's "libsecp256k1" for all EC crypto operations
  • super fast pure-assembly AES256-CTR code makes USB communications faster
  • newly optimized SHA256 and SHA256(SHA256) code
  • all crypto and BIP-39 related code replaced
  • huge thanks to @switck for the new library!
• Enhancement: During seed phrase import, after 23 words provided, Coldcard will calculate the correct checksum and show the valid choices for the last word (there will be 8 typically). This means you can pick seed words by drawing from a hat.
• New feature: Secure Device Cloning. Using a MicroSD card, copy your Coldcard's secrets and settings to a blank Coldcard. Very quick and easy, uses public key encryption (Diffie-Hellman key exchange) and AES-256-CBC for the transfer.
• Bugfix: CSV of addresses explorer export via Address Explorer, when account number was used, did not reflect the (non-zero) account number.
• Enhancement: Reproducible builds! Checkout code, "cd stm32; make repro" should do it all.
• Enhancement: Paper wallet feature restored as it was previously. Same cautions apply.
• Enhancement: Inside encrypted backup files (7z), the cleartext filename is no longer fixed as ckcc-backup.txt. Instead it's a random word and number. Improves plausible deniability when backup files discovered.
• Enhancement: Show a progress bar during slow parts of the login process.
• Enhancement: Long menus, like the seed-word picking system, now wrap around from top/bottom, so you can get to Z by going up from A.
• Limitation: Mk2 (older hardware, with less memory) may struggle with some of the new features, but can still run this firmware release... so you can clone it to your new Mk3!
• HSM/CKBunker mode changes:
  • IMPORTANT: users with passwords will have to be reconstructed as hash algo has changed
  • when unlocking HSM mode from "boot to HSM mode" (using secret PIN immediately after bootup) the HSM policy is no longer removed automatically.
  • time limit to escape "boot to HSM" mode has doubled from 30 seconds to 1 minute.
• Remaining GPL code has been removed, so license is now MIT+CC on everything.

Version 3.2.2 - Jan 14, 2021

• Major Address Explorer enhancements! Thanks go to @switck for this major feature bump.
  • View sub-accounts as exported, just enter the account number.
  • Multisig wallet support! (Caveat: addresses are for verification purposes and never for direct use as deposit, so they are partially redacted)
  • Enter any custom derivation path, by entering numbers directly; for gurus.
  • Warning screen can be suppressed after reading first time (press 6)
  • Export of addresses now named "addresses.csv" not ".txt"
• Bugfix: Disable a few more path derivation checks for "Skip Checks" for multisig compatibility. Handles error shown when working with previously-imported Spectre multisig wallets (ie. multisig.py: 891).
• Bugfix: Generic wallet export (JSON) name for BIP-49 wallets changed from "p2wpkh-p2sh" to "p2sh-p2wpkh". Thanks @craigraw

Version 3.2.1 - Jan 8, 2021

• Major Multisig improvements! If you are using multisig features, please backup your Coldcard before upgrade, just in case (but shouldn't be a problem).
  • Tracks derivation path for each co-signer and no longer assumes they all use a shared derivation path. Blocks multiple instances of same XFP in the wallet (not supported anymore, bad idea). Various displays updated to reflect derivation path change. Text file import: "Derivation:" line can be repeated, applies to all following xpubs.
  • Show Ypub/Zpub formated values from SLIP-132 when viewing details of wallet.
  • Standardize on "p2sh-p2wsh" nomenclature, rather than "p2wsh-p2sh", thanks to @humanumbrella. For airgaped multisig wallet creation, you must use same firmware verison on all Coldcards or this change can make trouble.
  • Address type (p2sh-p2wsh, p2sh, p2wsh) is captured from MS wallets created by PSBT file import.
  • Can now store multiple wallets involving same set of XFP values, if they have differing subkey paths and/or address formats.
  • New mode which disables certain multisig checks to assist bug compatibility.
• Enhancement: Add support for signing Payjoin PSBT files based on BIP-78.
• Enhancement: Promoted the address explorer to the main menu. It's useful! (credit to @matt_odell)
• Bugfix: zero-length BIP-39 passphrase, when saved, would cause a crash when restore attempted. We recommend longer passphrases, but fixed the issue.
• Enhancement: Move the "blockchain" setting deeper into the "Danger Zone" and add warning screen. This mitigates a concern raised by @benma (Marko Bencun) where an attacker could socially-engineer you to sign a transaction on Testnet, which corresponds to real UTXO being stolen. Only developers should be using Testnet.
• Bugfix: Display of amounts could be incorrect by a few sats in final digits.
• Bugfix: Incorrect digest method picked when P2SH-P2WSH incorrectly identified as plain P2SH.
• Bugfix: Better error reporting when importing bogus multisig wallet files.
• Enhancement: Files created on MicroSD will have date and time determined by the version of firmware that made them. Downstream systems might use this to know when the Coldcard should be upgraded, or which firmware version created the data. Idea from @sancoder
• Enhancement: Show version of secure element, under Advanced > Upgrade > Show Version.
• Enhancement: Improve 'None of the keys involved...' message to show XFP value actually found inside PSBT file.
• Enhancement: "Invalid PSBT" errors are shown with more information now.
• Paper Wallet features temporarily removed to free space; will return in future version.
• License changed from GPL to MIT+CC on files for which the GPL doesn't apply.

Older releases and their changes are listed here, the full source code, hardware details, and much more can be found in our repository on github.

Mark 1 Hardware (late 2017 / early 2018)

The Mk1 hardware is obsolete and no further updates will be made. The final version of firmware for the Mk1 is 3.0.6 (2019-12-19T1623-v3.0.6). Do not load any newer firmware version, as it will brick the device.

How To Upgrade

Upgrading Step By Step

Video: How to Verify COLDCARD's Firmware

1. Download and verify the latest firmware release.
2. Save the 20...-coldcard.dfu firmware file onto a SD card.
3. Power up your ColdCard and unlock it with your PIN.
4. Go to the Advanced > Upgrade menu and click on From SD Card.
5. After the confirmation dialog, ColdCard will upgrade and reboot (slow).
6. Type in your PIN again. Verify new version running with:
   Advanced > Upgrade > Show Version
7. If you powered down during this process, to get a green light again, you may need to use: Bless Firmware in that menu.

Advanced: Verify Your Downloads

The release binaries may be verified using this clear-signed text file and GPG. The commands are:

curl "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0xA3A31BAD5A2A5B10" | gpg --import
gpg --verify signatures.txt

The first command imports the public key 4589779ADFC14F3327534EA8A3A31BAD5A2A5B10 and the second verifies the file's signature vs. file contents.

Don't forget to run SHA256 over the DFU files themselves, because that compares the actual file contents to what we have signed.

sha256sum 2019-12-19T1623-v3.0.6-coldcard.dfu

Github.com is also protecting us because it verifies on all commits against the developer's public keys, and keeps a history of changes.

Background

The upgrade menu allows you to load updated firmware onto the Coldcard.

The menu allows loading an upgrade file from a MicroSD card, but it can also be done using the command line tool, or from the Electrum plugin.

How to Upgrade

Show Version

Displays the version numbers that you have already.

From MicroSD

Select an upgrade file from MicroSD card and start the process.

Bless Firmware

Mark the contents of flash memory as "approved" and light the green "Genuine" light.

Upgrade Files

You need a DFU file for upgrades. It's about 690k in size and should have the extension .dfu.

The latest firmware can always be build from sources on Github:

github.com/Coldcard/.../releases

All upgrade files must be signed by a Coinkite Inc. approved key, or the Coldcard will refuse to load and run them.

Bless Firmware

This command is not typically needed, but can be used to set the genuine/caution lights to green. Note that only the main PIN holder can do this. A normal firmware upgrade sequence does not require this action, but if the unit is powered down between installing the upgrade and the first successful login, then the light will be red, and will stay red until this command is used.

Downgrade Protection

In general, it may not be advisable to downgrade (return to an older release). Some releases will set a "high water mark" so the bootloader that will block any downgrade to earlier versions. We will do this if a bug or security problem with an obsolete release is identifed.

Need extra help?

Watch this Video: Secure Upgrade Firmware of ColdCard Mark 2 - Max Hillebrand