
cobo-vault-cold's People

Contributors

aaronisme, caixiao-qa, evallozhe, liuzhengbo, lukechilds, soralit, wanglinjie1123, zhangjun725

cobo-vault-cold's Issues

Build failure "Could not resolve com.github.CoboVault:bc32-java:v0.0.6-alpha"

Building the latest commit to generate the apk fails with this error:

Could not determine the dependencies of task ':app:compileVault_v2ReleaseJavaWithJavac'.
> Could not resolve all task dependencies for configuration ':app:vault_v2ReleaseCompileClasspath'.
   > Could not resolve com.github.CoboVault:bc32-java:v0.0.6-alpha.
     Required by:
         project :app
      > Could not resolve com.github.CoboVault:bc32-java:v0.0.6-alpha.
         > Could not get resource 'https://dl.bintray.com/novacrypto/BIP/com/github/CoboVault/bc32-java/v0.0.6-alpha/bc32-java-v0.0.6-alpha.pom'.
            > Could not GET 'https://dl.bintray.com/novacrypto/BIP/com/github/CoboVault/bc32-java/v0.0.6-alpha/bc32-java-v0.0.6-alpha.pom'. Received status code 403 from server: Forbidden
      > Could not resolve com.github.CoboVault:bc32-java:v0.0.6-alpha.
         > Could not get resource 'https://jitpack.io/com/github/CoboVault/bc32-java/v0.0.6-alpha/bc32-java-v0.0.6-alpha.pom'.
            > Could not GET 'https://jitpack.io/com/github/CoboVault/bc32-java/v0.0.6-alpha/bc32-java-v0.0.6-alpha.pom'. Received status code 401 from server: Unauthorized

To reproduce, run:
podman build --rm -t cobo_build_apk -f Containerfile

FROM debian:sid-slim

RUN set -ex; \
    mkdir -p /usr/share/man/man1/; \
    apt-get update; \
    apt-get install --yes --no-install-recommends openjdk-8-jdk git wget; \
    rm -rf /var/lib/apt/lists/*; \
    useradd -ms /bin/bash appuser;

USER appuser

ENV ANDROID_SDK_ROOT="/home/appuser/app/sdk" \
    ANDROID_HOME="/home/appuser/app/sdk"

RUN set -ex; \
    mkdir -p "/home/appuser/app/sdk/licenses" "/home/appuser/app/cobo/"; \
    printf "\n24333f8a63b6825ea9c5514f83c2829b004d1fee" > "/home/appuser/app/sdk/licenses/android-sdk-license"; \
    cd /home/appuser/app/cobo/; \
    git clone --depth 1 https://github.com/CoboVault/cobo-vault-cold.git; \
    cd cobo-vault-cold; \
    sed -i 's/git@github.com:/https:\/\/github.com\//g' .gitmodules; \
    git submodule init; \
    git submodule update; 

WORKDIR /home/appuser/app/cobo/cobo-vault-cold

RUN set -ex; \
    ./gradlew assembleVault_v2Release

Can't update to BTC-ONLY firmware.

Starting from multi-coin 2.1.5

I tried latest BTC-ONLY

Wiped device,

Tried the V1.2.1.BTC-Only

The Vault doesn't seem to be responding at all to what I put on the SD card.

There should be a button within the update section of the app to force read the SD card for firmware and give feedback.

Wallet, No way to easily send full balance

Your wallet pretends to know how much the fee will cost before knowing anything about the transaction.

This makes it impossible to accurately type a precise amount that would empty the wallet.

I managed to empty it by typing amount satoshi by satoshi, but the fee paid ended up being 18.7sat/B instead of the 13 I selected.

first qrcode

Transparency is very nice. I have decoded (base64 + gz) the first 3 QR codes on vault setup; I see they contain xpubs for all the cryptos, but there is some code at the beginning like 6d89bc8.... :
����cobo vault qrcode��
���@6d89bc8ff1c17025e889ddfc347...............
��
�BTC�����
�M/49'/0'/0'�oxpub6CzqM1v4SX67Bbgc.......
I would like to know (or have it documented) what this first code is and how I can recalculate it. I would like to be sure it is not some encoding of the seed ...
It has 32 bytes, enough to store the 256 bits of entropy of 24 mnemonic words...

Flare QR paste verification

Hello friends, while I am sure that Cobo and everyone involved has this right, it is concerning to me that when QR pasting the Flare memo ID into ToolKit from Cobo, it is a different string than if I used the Eth address on device and pasted into the commonly used Flare memo tool.
Would like to verify that they are the same essentially.
Also that that key translates back into my Eth address on wallet without trusting blindly.
Thanks!

Add scrambled PIN option.

Scrambled PIN is superior to pattern when used in semi-public spaces.

Pattern also requires wiping the screen thoroughly after every use; very few people will think of doing that, making this wallet one of the least secure I've seen.

App, when binding, How to Update = broken

When binding a Vault with an older version there's a popup with two buttons; the 2nd one is "How to upgrade".

The words are off so that part of it is off the button, and tapping the button doesn't do anything.

Watch-only wallet with Blue Wallet fails

Hi

So I have upgraded to the latest Bitcoin-Only firmware version 1.2.0 and tried to bind the device with Blue Wallet 5.4.1 on Android. I tried enabling advanced mode and ensuring that I was using the right address type.

The closest that I got was to import the zpub from the generic wallet type, but doing so meant that the Cobo Vault didn't support any of the PSBT files or QR codes produced by this watch-only wallet.

Some sort of warning or confirmation should be presented when the user selects to initialise/restore a new vault when there is already an existing seed on the device.

When I was first playing around with the device, I was surprised that the option to import/initialise a new seed on an existing device didn't present any sort of warning that doing so would replace the seed that was already in the device. (I was basically curious as to whether it would allow me to have multiple seeds)

just a safety feature that could do with an extra acknowledgement step...

Cobo Partner App: Transaction view doesn't respect currency settings

Not sure exactly which repo is the right one for the Android/iOS app.... But anyway...

Basically the transaction view will always use the default RMB currency, regardless of which currency has been selected in-app. The total value for each coin will be correctly displayed in the selected currency, just not transaction details.

Seed Verification should be added to Wallet Settings Menu

It is currently possible to do a "dry-run recovery" style of workflow on the Cobo Vault via the "forgot password" button when unlocking the device. Ideally this is something that should also be accessible for users via the system menu. (Just for the situation where a user may have lost track of which seed is currently initialised in the Vault)

Specter compatibility problem

Using BTC-ONLY firmware, I can't scan either the "Device PSBT" or "Standard PSBT"

On Vault I get this
Scan failed, Invalid QR code, Check and retry

Cobo Partner App: Historical transactions (created prior to the wallet being imported into the app) have incorrect timestamp and ordering

As part of my testing for the device, I imported a few seeds which already had a number of transactions associated with them. What I observed was that all of these transactions were listed in the Cobo app as having occurred at the time that I imported the seed, as opposed to when they occurred onchain. (sometimes months earlier)

To confuse things more, this also resulted in these transactions being presented in a random order.

Default to CNY as currency

Surely there has to be some sort of localization that detects I'm not in China.

Like downloading from the play store.

Cobo Vault (And companion app) generate "Bitcoin Style" p2sh addresses only for Litecoin

As it stands, the device generates Litecoin addresses that start with a "3", not an "M". While these are technically valid, some LTC wallets no longer support accepting these addresses to send Litecoin. (As a way to prevent users from sending Litecoin to a Bitcoin Address) If the user is in such a situation, they will need to use an address converter before they are able to send funds to the Cobo Vault.

Document how to validate Cobo Vault pairing to app is not leaking secrets that allow BTC to be stolen

Cobo Vault displays a series of QR codes to the Cobo App during pairing. These QR codes could in theory be used to share a user's secret keys (and thus access to their cryptocurrency) with the app.

It would be beneficial to allow users to independently verify that the QR codes displayed do not contain any secret information. To that end, I've created a python script for doing so, found here.

While most of the content of the QR codes displayed by the Cobo Vault looks fine, there is a suspicious alleged "UUID" present that could be leaking secrets. It isn't actually a UUID, both in format and in length - in fact, it is plenty long enough to carry a secret in it.

Issue 14 previously raised this, and the submitter eventually included instructions for how they successfully verified the UUID was not leaking secrets, however, I am unable to follow their directions successfully. I've used Ian Coleman's BIP39 tool as suggested in that issue but cannot find a match anywhere to the contents of the UUID that is displayed in Cobo Vault's QR codes.

Cobo team, please provide clear instructions how to take the UUID and prove it contains no secrets. Either that, or change the UUID to something that is much shorter and thus cannot leak secrets - e.g. a CRC32 of the first xpub or something like that.

I want to make it clear that I am doing this because I think Cobo Vault is one of the best solutions out there in terms of security, except for this one issue around the UUID. I'd like to be able to tell my friends and others that Cobo Vault is the best solution, but can't do so as long as I cannot validate this UUID.

I would be happy to work with the Cobo team to answer any questions, including providing the BIP39 seed I used as a test vector as it is an empty wallet that is only used for the present case, as well as the QR codes the Cobo Vault showed, etc.
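
An added example, not part of either issue or of Cobo's code: a Python check for the concern raised in "first qrcode" and in the issue above. It decodes a base64 + gzip pairing payload, lists any extended keys, and compares each 64-hex id with simple encodings of the tester's own entropy. The sample payloads, test entropy, placeholder xpub and all function names are constructed for illustration, and the scan assumes nothing about the real field layout.

```python
import base64
import gzip
import hashlib
import re

# Extended keys (BIP32 base58 strings); "prv" variants must never leave the device.
XKEY = re.compile(rb"[xyzt](pub|prv)[1-9A-HJ-NP-Za-km-z]{50,}")
# A standalone run of exactly 64 hex characters, like the id quoted in the issues.
HEX64 = re.compile(rb"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])")


def decode_qr_payload(b64_text):
    """Undo the base64 + gzip wrapping described in the issues."""
    return gzip.decompress(base64.b64decode(b64_text))


def audit_payload(raw, entropy):
    """List extended keys and 64-hex ids found in raw, and compare each id
    with simple encodings of the tester's own BIP39 entropy."""
    keys = [(m.group(1), m.group(0).decode()) for m in XKEY.finditer(raw)]
    candidates = {
        "entropy": entropy.hex(),
        "sha256(entropy)": hashlib.sha256(entropy).hexdigest(),
        "sha256d(entropy)": hashlib.sha256(hashlib.sha256(entropy).digest()).hexdigest(),
    }
    ids = {}
    for m in HEX64.finditer(raw):
        value = m.group(0).decode().lower()
        ids[value] = [name for name, c in candidates.items() if c == value]
    return {
        "private_keys": [k for kind, k in keys if kind == b"prv"],
        "public_keys": [k for kind, k in keys if kind == b"pub"],
        "ids": ids,
    }


# --- constructed sample data (not captured from a device) ---
TEST_ENTROPY = bytes(range(32))           # throwaway 256-bit entropy
FAKE_XPUB = b"xpub" + b"Zk" * 53 + b"Z"   # placeholder of xpub length, not a real key


def make_sample(id_hex):
    raw = b"\x00".join([b"cobo vault qrcode", id_hex.encode(), b"BTC",
                        b"M/49'/0'/0'", FAKE_XPUB])
    return base64.b64encode(gzip.compress(raw)).decode()


BENIGN = make_sample(hashlib.sha256(b"constructed unrelated id").hexdigest())
LEAKY = make_sample(TEST_ENTROPY.hex())
```

A match in `ids` or any entry in `private_keys` proves a leak. An empty match list does not prove the id is independent of the seed, since it could be a keyed or encrypted derivation; that still needs the vendor's documented derivation to reproduce.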

BTC suggested fee is too high

The current suggested fee is 138sat/byte while the mempool is almost completely empty.

Average fee over the last two weeks is about 20sat

The highest it's been is about 140sat for about 1h yesterday.

This 138 sat is almost completely to the left side,

Right side, Fast, is 1382 sat/bytes, about 100$ in fees.

display warning actually before interacting with secrets

https://youtu.be/CsZ_cQVTuvQ

As this video shows during the demonstrative set-up of the device, while there is a warning about being aware of your surroundings, that comes at least a few frames too late as the words are visible before the warning appears.

Either make sure to not display the words before the warning, or which might be even better (and was suggested by crypto-guide, the maker of this video) would be to tell the user about this beforehand at the start of it all.

Simulator on macOS? Animated PSBT QR format?

Hi guys,

I would really like to add compatibility to Gordian Wallet, Gordian Signer and Fully Noded for your animated psbt QR codes.

I have never touched an android app, is there a way I can build a simulator on macOS? Or better yet do you have a spec or example of the animated QR format you are using to save me from having to download an entire IDE that is foreign to me :)

It was brought to my attention you guys and Specter are using the outdated UR standard?

I have implemented crypto-psbt UR airgapped signing for Gordian apps and Fully Noded as it is the updated standard which Sparrow is also following.

https://github.com/BlockchainCommons/Research/blob/master/papers/bcr-2020-006-urtypes.md#partially-signed-bitcoin-transaction-psbt-crypto-psbt

Import private key / paper wallet

Would be nice to be able to import a paper wallet directly on the Cobo Vault (also with a BIP38 password). That would allow people to import their old paper wallet with maximum security. Cobo Vault can already read QR codes :-)
