first qrcode
Closed this issue · 2 comments
Transparency is very nice. I have decoded (base64 + gz) the first 3 QR codes on vault setup. I see they contain the xpub for all the cryptos, but there is some code at the beginning like 6d89bc8....:
```
����cobo vault qrcode��
���@6d89bc8ff1c17025e889ddfc347...............
��
�BTC�����
�M/49'/0'/0'�oxpub6CzqM1v4SX67Bbgc.......
```
I would like to know (or have documented) what this first code is and how I can recalculate it. I would like to be sure it is not some encoding of the seed ...
It has 32 bytes, enough to store the 256 bits of entropy of 24 mnemonic words...
OK, I have found out how to verify it myself. For the paranoid like me :-)
So the first 32-byte hex id is a uuid and is calculated by deriving the mnemonic with path m/44'/1131373167'/0'.
Here is the howto to verify it yourself using the Ian Coleman BIP39 webpage: https://iancoleman.io/bip39/
(preferably done on a PC without HD, booted with a live CD, no network, with the Ian Coleman HTML on a USB stick)
- Reset the vault, generate a seed using the Ian Coleman BIP39 webpage (rolling dice is cool).
- Import the mnemonic in Cobo Vault.
- Start a sync and scan the QR codes yourself; they need to be base64-decoded and ungzipped (you can do that on an online PC with a QR code reader and http://www.txtwizard.net/compression).
- Extract the uuid, 2nd line after the @; this is the uuid from the vault.
- On the Ian Coleman webpage go to bip32 derivation key and put m/44'/1131373167' as derivation path, check the box 'use hardened addresses', remove the first 2 chars from the first public key. This is your other uuid from the Ian Coleman script.

Both uuids should match!!
That means you are secure: only the uuid and xpub keys for several cryptos are sent during initial setup.
@jpph Thanks for this issue. Yes, we use a public key derived by a custom path (m/44'/1131373167'/0'; 1131373167 is the int representation of 'Cobo') as the wallet describer, and the xpub keys are sent to the wallet only wallet (our companion app) to watch the transactions on the blockchain.
Currently, we believe there is a better way to work as the wallet describer, like the master fingerprint. In our future BTC-only firmware, we will use the master fingerprint as the wallet describer.
I think we do need better developer documents to show this detail, but it needs some time. We are working on some more detailed documents for our QR codes.
Thanks for these questions, and if you have any concerns or questions, just create an issue on GitHub or reach out to me on Twitter.
Enjoy your Cobo Vault.
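The check described in this thread, written out as an added example (not code from the issue or from Cobo): it derives the public key at m/44'/1131373167'/0' from a mnemonic, drops the 02/03 prefix, and compares the result with the 64-hex-character id found in a base64 + gzip QR payload. The function names are hypothetical, and it assumes no BIP39 passphrase and that the id appears as lowercase hex text in the decompressed payload, as in the dump above.

```python
import base64, gzip, hashlib, hmac, re, unicodedata

# secp256k1 field prime, group order and generator point
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
COBO_PATH = [44, int.from_bytes(b"Cobo", "big"), 0]  # m/44'/1131373167'/0'

def ec_add(a, b):
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None  # a + (-a)
    if a == b: lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else: lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def ec_mul(k, pt=G):
    acc = None
    while k:  # double-and-add
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def derive_priv(seed, path):
    """BIP32 private derivation with every index hardened; returns an int."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k, chain = int.from_bytes(i[:32], "big"), i[32:]
    for index in path:
        data = b"\x00" + k.to_bytes(32, "big") + (index | 0x80000000).to_bytes(4, "big")
        i = hmac.new(chain, data, hashlib.sha512).digest()
        k, chain = (int.from_bytes(i[:32], "big") + k) % N, i[32:]
    return k

def expected_uuid(mnemonic, passphrase=""):
    """x-coordinate of the public key at COBO_PATH, as 64 hex chars."""
    norm = lambda s: unicodedata.normalize("NFKD", s).encode()
    seed = hashlib.pbkdf2_hmac("sha512", norm(mnemonic), norm("mnemonic" + passphrase), 2048)
    return format(ec_mul(derive_priv(seed, COBO_PATH))[0], "064x")

def uuid_from_qr(qr_text):
    """base64-decode and gunzip one QR payload; return its 64-hex-char field."""
    raw = gzip.decompress(base64.b64decode(qr_text))
    m = re.search(rb"(?<![0-9a-f])[0-9a-f]{64}(?![0-9a-f])", raw)
    return m.group().decode() if m else None

def matches(mnemonic, qr_text):
    return uuid_from_qr(qr_text) == expected_uuid(mnemonic)
```

Because every step of the path is hardened and only the public key's x-coordinate is exported, a match shows the id is a derived public value rather than an encoding of the seed. Run it on the same kind of offline machine the thread recommends, since it handles the mnemonic.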