The X1Wallet ships with minimal functionality (allowing for device authentication and the setup process) and is later updated to fully functional firmware (go through feature list) via the desktop application, which communicates with the secure servers.
At Cypherock, we believe that coordinated vulnerability disclosure is the right approach to better protect users. Please go through the bug bounty page on the Cypherock website to learn about the process to be followed when submitting a vulnerability report. Please report suspected vulnerabilities in private to bounty@cypherock.com.
The X1Wallet ships with firmware that takes the user through the device setup flow. The device setup flow includes the following steps:
- Some introductory instructions and information about basic operations of the device (such as operating the joystick to navigate and tapping cards on the device's NFC reader).
- Next comes the setup screen, where the user opens the desktop application to continue the setup process of a new device. The rest of the process involves the following operations:
  - The device is verified with the Cypherock servers for its authenticity.
  - Upon successful device verification, next comes the card verification process. The desktop application verifies the cards with the servers for their authenticity as well. This process happens one-by-one for each of the four cards (each card needs to be verified individually).
  - Upon successful verification, each card is then paired with the device individually. The pairing between a card and the device establishes mutual authentication and encryption schemes between the components. This ensures that any data exchange happens securely via NFC, eliminating any risks of NFC spoofing.
Website link for getting started with new device: cypherock.com/gs
After the device is set up (steps to setup device), the X1Wallet is ready for use by end users. To use the functionality, the user must have access to the X1Wallet and CyCards; cySync is required for on-chain operations such as send operations and balance viewing.
This is the most secure way (and the recommended option) for users to create and own a wallet. If this method is used for creating a wallet for storing funds, users can rest assured that none of the private (or critical) information ever leaves the secure operating environment of the X1Wallet (provided that the user does not knowingly or unknowingly expose the private information).
The X1Wallet can create a wallet from scratch and set it up for the user. The entire process of creating a wallet is as follows:
- From the main menu, choose "Create wallet" -> "Generate new wallet"
- In the next steps, the user is asked for basic wallet configuration (name, PIN, passphrase, etc.)
- After processing, the user is expected to go through the list of mnemonics and cross-verify with 3 words.
- Upon success, the wallet is saved on the CyCards (NOTE: The user will need all 4 CyCards to successfully complete this step.)
- As the final step of wallet creation, the user is asked to tap all the CyCards one-by-one (this is a mandatory step before the new wallet is ready to use). Once the data on the CyCards is verified to be correct, the wallet is ready for normal use.
This is not a recommended method to own a wallet on X1Wallet because it is possible that the mnemonics are already spoofed.
X1Wallet supports importing any BIP39-compliant wallet that has been created elsewhere (such as hot wallets like MEW/Metamask, cold wallets like Coldcard, etc.). The supported method of import is via the BIP39 mnemonic word list of the wallet that is to be imported. X1Wallet allows importing a mnemonic with a word count of 12, 18 or 24. The complete process of restoring a wallet is as follows:
- From the main menu, choose "Create wallet" -> "Generate new wallet"
- In the next steps, the user is asked for basic wallet configuration (name, PIN, passphrase, etc.)
- Now, the user is expected to enter the list of words one-by-one and go through the entered word list.
- Upon success, the wallet is saved on the CyCards (NOTE: The user will need all 4 CyCards to successfully complete this step.)
- As the final step of wallet creation, the user is asked to tap all the CyCards one-by-one (this is a mandatory step before the new wallet is ready to use). Once the data on the CyCards is verified to be correct, the wallet is ready for normal use.
A user or owner of an X1Wallet has the option to view the critical information of their wallet (the mnemonic word list). Since the word list is a very sensitive piece of information, it is important that the end user handles it accordingly. With the word list, the user has the flexibility to export their wallet to a new X1Wallet (or to other platforms if need be; using the wallet on any other platform is not recommended, for the user's benefit).
To view the word-list, a user needs to have one CyCard (and knowledge of PIN, if the wallet is PIN protected).
Since the X1Wallet is cold storage, it cannot directly interact with the blockchain over the internet to view balances. To facilitate this, the desktop application enables users to view the balances and funds of their wallets/accounts. To enable tracking of funds for a particular wallet (for a particular type of crypto), users have to sync their X1Wallet with cySync and then enable coin support for that particular cryptocurrency. To sync a wallet with cySync, the user triggers the request via cySync and confirms the request on the X1Wallet.
NOTE: This process only sends the public information about the wallet. No private critical information leaves the X1Wallet.
X1Wallet allows tracking the cryptocurrency balances linked to a user's wallet. This is possible via the cySync interface. To enable coin tracking support, the user needs to have one CyCard with the wallet. To enable coin tracking support (make sure that the desired wallet is synced with cySync), the user triggers the request via cySync and confirms the request on the X1Wallet.
NOTE: This process only sends the public information about the accounts for the selected crypto. No private critical information leaves the X1Wallet.
To receive funds into their X1Wallet, first the user must have at least one active wallet on their X1Wallet device (create a wallet if you do not have one). If you already have a wallet, then make sure to have access to one CyCard for receiving funds. Now make sure the wallet is synced with cySync and coin tracking support is enabled for the preferred coin.
Trigger the request to generate a receiving public address for your wallet. It is recommended to verify the address on the X1Wallet and never skip this step for security reasons.
To transfer funds from the user's wallet to a different wallet, the following are necessary:
- Correct knowledge of receiver's public address for that particular crypto
- Access to one CyCard
- Wallets with sufficient funds (create a wallet if you do not have one and receive funds before proceeding)
- Knowledge of PIN in case of PIN protected wallets
- Wallet synced with cySync (sync wallet with cySync) and coin tracking support enabled on cySync (enabled coin tracking support)
The operation is started from cySync and the request is confirmed on the X1Wallet to continue. The user is expected to verify the transaction details, such as the receiver's address and the amount being transferred, along with the fee required by the network for processing the transaction. If the user observes any discrepancy, the transaction should not be signed and should be cancelled immediately.
NOTE: The transaction signing starts once the user has tapped the CyCard. It is recommended not to tap the CyCard if the user observes any discrepancy.
- Install the required build tools
  - arm-none-eabi-gcc
  - git
  - ninja or make
  - cmake
- Issue the following commands to get the build ready (you can use Git Bash on Windows)

    mkdir -p build/Debug
    cd build/Debug
    cmake -DCMAKE_BUILD_TYPE:STRING="Debug" -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=OFF -DCMAKE_BUILD_PLATFORM:STRING=Device -G "Unix Makefiles" ../../
    make all

- Find the binary file (Cypherock.bin) generated in the build/Debug folder.
NOTE: This is an unsigned binary. You need to generate a signed binary using the cli-tool.
NOTE: In the cmake command, the value for the -G switch can be one of the following:
- Ninja
- Unix Makefiles
- MinGW Makefiles
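A preflight for the build steps above, added here as an example (not part of the project's own scripts): it checks the listed tools and prints the configure command with a -G value that matches the installed build tool. The function names are hypothetical, and the MinGW Makefiles generator is not handled.

```shell
#!/bin/sh
# Added example: preflight for the firmware build described above.
# Tool names and -G values come from this page; function names are hypothetical.

# Print each required tool that is not on PATH, one per line.
# The "ninja or make" requirement is satisfied by either tool.
missing_tools() {
    for tool in arm-none-eabi-gcc git cmake; do
        command -v "$tool" >/dev/null 2>&1 || echo "$tool"
    done
    if ! command -v ninja >/dev/null 2>&1 && ! command -v make >/dev/null 2>&1; then
        echo "ninja-or-make"
    fi
}

# Print the cmake -G value that matches the installed build tool.
pick_generator() {
    if command -v ninja >/dev/null 2>&1; then
        echo "Ninja"
    elif command -v make >/dev/null 2>&1; then
        echo "Unix Makefiles"
    else
        return 1
    fi
}

# Print the Debug configure command from this page with the detected
# generator, or list the missing tools on stderr and return 1.
configure_command() {
    missing="$(missing_tools)"
    if [ -n "$missing" ]; then
        # Unquoted on purpose: joins the one-per-line list with spaces.
        echo "missing build tools:" $missing >&2
        return 1
    fi
    generator="$(pick_generator)" || return 1
    printf 'cmake -DCMAKE_BUILD_TYPE:STRING="Debug" -DCMAKE_EXPORT_COMPILE_COMMANDS:BOOL=OFF -DCMAKE_BUILD_PLATFORM:STRING=Device -G "%s" ../../\n' "$generator"
}

# Usage: source this file, cd into build/Debug, then run configure_command
# and execute the line it prints.
```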
This method uses the build script for generating a signed binary of the firmware.
- Install the required build tools
  - arm-none-eabi-gcc
  - git
  - ninja or make
  - cmake
- Start the build process by calling the build script as

    ./utilities/build.sh

- Visit https://cmake.org/download/ and download the latest universal dmg. Double-click on the dmg to mount it and drag the CMake app to your Applications folder.
- Add CMake to your path by adding the following to your ~/.zshrc or ~/.bashrc file:

    export PATH="/Applications/CMake.app/Contents/bin:$PATH"

- Restart your terminal and run cmake --version to verify that it is installed.
- Visit https://developer.arm.com/downloads/-/gnu-rm and download the latest version of the GNU Arm Embedded Toolchain for macOS.
- Unzip the tarball and move the gcc-arm-none-eabi-10-2020-q4-major folder to your home directory.

    tar -xjf gcc-arm-none-eabi-10.3-2021.10-mac.tar.bz2
    mv gcc-arm-none-eabi-10.3-2021.10 ~/

- Add the toolchain to your path by adding the following to your ~/.zshrc or ~/.bashrc file:

    export PATH="$HOME/gcc-arm-none-eabi-10.3-2021.10/bin:$PATH"

- Then run the following commands:

    cd ~/gcc-arm-none-eabi-10.3-2021.10
    xattr -r -d com.apple.quarantine arm-none-eabi
    xattr -r -d com.apple.quarantine bin
    xattr -r -d com.apple.quarantine lib
    xattr -r -d com.apple.quarantine share

After this you should be able to run the build script ./utilities/build.sh without any issues.