Please login or register.

Adding Monero support for Trezor

The idea of adding Monero support for Trezor reached it's funding goal of 500XMR in 2 days! That means this just got real! :)

I don't know exactly how long this will take, since I don't have a Trezor yet and it'll be difficult to estimate all of the potential problems that can arise. What I can promise is that I'll be allocating on average 10h per week (~1h/weekdays; ~5h/weekend) for this project.

I will also be posting updates to this thread about how things are progressing and potential ETA for tasks I can estimate time for. All of the updates will be done as individual posts to this thread and I will link to them from this initial post.

If you think the work I'm doing is awesome and you're satisfied with the progress, please consider donating in the initial funding thread.

Progress

Code

Replies: 53
dEBRUYNE posted 8 years ago Replies: 1 | Weight: 0 | Link [ - ]

In my opinion, these funds should go to NoodleDoodle for his hard work, which can be seen here:

https://forum.getmonero.org/4/academic-and-technical/2495/experimental-trezor-firmware-testing

Perhaps the ones that donated can give their opinion as well.

Reply to: dEBRUYNE
ferretinjapan posted 8 years ago Replies: 1 | Weight: 0 | Link [ - ]

I second this. NoodleDoodle has done an excellent job of implementing Monero transacting via Trezor and the code is quite functional and stable already. He absolutely deserves the forum funding reward.

Reply to: ferretinjapan dEBRUYNE
Gingeropolous posted 8 years ago Weight: 0 | Link [ - ]

Haven't used the trezor but it looks like it's working so I'm also a fan of moving this money.

saddam edited 7 years ago Weight: 0 | Link [ - ]

donated 50 xmr for NoodleDoodle.

palexander posted 8 years ago Weight: 0 | Link [ - ]

Just wanted to give my thumbs up as well for NoodleDoodle's great work on getting the Trezor to work with Monero. These funds are definitely well deserved.

nioc edited 8 years ago Weight: 0 | Link [ - ]

Thanks to Gingeropolous for his spark of 3 months ago and of course thanks to NoodleDoodle for picking this up. Seems to be a nobrainer to release the funds whenever it is appropriate. However I did not donate to this.

nioc posted 8 years ago Replies: 1 | Weight: -67 | Link [ - ]

Gingeropolous, I love how you think! And not just here!

I do realize that was then and this is now but we did raise over 2x the amount requested in 2 days.

Reply to: nioc
wpalczynski posted 8 years ago Weight: 0 | Link [ - ]

Maybe someone lurking here would take this on for a reasonable compensation. If that is the case please speak up and let us know how much $$$ it would take to get this done.

Thanks.

Gingeropolous posted 8 years ago Replies: 1 | Weight: -72 | Link [ - ]

So I came across this by hitting the always entertaining "show unread replies since last post" button on bitcointalk

https://bitcointalk.org/index.php?topic=870014.0;topicseen Topic: Armory Hardened: DIY Armory Hardware Wallet for $29 (Read 6413 times)

Maybe that hardware device is simpler to hack than the actual trezor.

Reply to: Gingeropolous
NoodleDoodle edited 8 years ago Replies: 2 | Weight: -71 | Link [ - ]

Is there a wide interest in adding trezor / hw wallet support to XMR? Just wondering.

Reply to: NoodleDoodle Gingeropolous
dEBRUYNE edited 8 years ago Replies: 1 | Weight: -69 | Link [ - ]

I think there is. Initially, this thread got a lot of awareness and support, but that has dwindled a bit because Roosmaa was unfortunately not able to complete the project. Also, like gingeropolous pointed out, most people in crypto prefer a hardware wallet to store large amounts of a given coin. It could be that the interest for this isn't that wide currently, but it will certainly be beneficial in the long run if Monero grows.

Reply to: dEBRUYNE NoodleDoodle Gingeropolous
Gingeropolous edited 8 years ago Weight: -69 | Link [ - ]

It's not whether monero grows, it's if ppl want to "invest" into monero they'll go "can I secure my holdings?" And we'll say no because we are waiting for demand and then chicken and egg.

Reply to: NoodleDoodle Gingeropolous
Gingeropolous posted 8 years ago Replies: 1 | Weight: -71 | Link [ - ]

Dunno. At some point some bitcoiner expressed that they would only consider another crypto if trezor style transaction signing was possible

Reply to: Gingeropolous NoodleDoodle Gingeropolous
NoodleDoodle posted 8 years ago Replies: 1 | Weight: -70 | Link [ - ]

It's very much possible to do this, however, it takes some effort to do so. There shouldn't be any need to strip out the bitcoin support and start from scratch. This also makes the scope of work smaller as you can stick with the current marshalling framework. There has to be need for this of course, otherwise it's a considerable amount of effort all for naught.

Reply to: NoodleDoodle Gingeropolous NoodleDoodle Gingeropolous
Gingeropolous posted 8 years ago Weight: -69 | Link [ - ]

Well, could you make an argument that there's not a need?

I mean, one of the main reasons ppl adhere to Bitcoin maximalism is due to the extensive ecosystem. And now there are expectations when moving from Bitcoin to another crypto. So while there may not be active demand now, a noob coming to the space that expects this functionality probably wouldn't be satisfied knowing that it's waiting for demand.

Gingeropolous posted 8 years ago Weight: -89 | Link [ - ]

Are these funds still available? Would it be worth advertising to try and find someone to go at this again?

roosmaa edited 8 years ago Replies: 4 | Weight: -332 | Link [ - ]

15th of July - Failed promises and broken dreams

Hey everyone.

It is time for me to admit that I have utterly failed to keep my promise of dedicating my time to this project. I have made absolutely no progress for nearly 1.5 months now. This is very bad and I feel horrible for not keeping my word. I am sorry.

It has become crystal clear to me that I don't have the stamina to code anything after my 8 hours at the office. For the near future, I don't plan on taking any time off either. That means, there is very little chance of me being able to deliver anything in an acceptable timeframe.

I'm hereby giving up my claim on the Moneros that were raised for this project. I would very much like to see someone pick up this initiative and carry it to the finish line. If there is no one, then the funds raised shall be donated to Monero project (as was promised in the original fund raising thread).

Again. I am very sorry to let everyone down like this.

Mart

Reply to: roosmaa
hillbilly posted 8 years ago Weight: -325 | Link [ - ]

Also if you could share the work / ideas you had while on the project in a cohesive form, it would be helpful, even if it was only sketches, it would be appreciated by the community. No pressure.

Reply to: roosmaa
dEBRUYNE posted 8 years ago Weight: -330 | Link [ - ]

Thank you for your efforts to date and being honest! If I may advice, perhaps (if funding is not yet completed) donate the XMR to MoneroMooo? Perhaps he can continue this thing, if not atleast we got a part time developer for the upcoming 6 months :)

Info here -> https://forum.getmonero.org/8/funding-required/334/fund-a-developer-moneromoo-will-work-part-time-on-monero-for-260-hours-over-approx-6-months?sort=date_desc

Reply to: roosmaa
Lloydimiller4 posted 8 years ago Weight: -331 | Link [ - ]

Thank you for being honest and giving us an update. It is entirely understandable that your full-time job is preventing you from working on outside projects.

Hopefully we can get somebody to take over your work, I think this project is important for helping to secure XMR from potential attackers.

I wish you well and hope that you consider working with Monero again in the future if your work situation allows for it.

Reply to: roosmaa
XMRChina posted 8 years ago Weight: -333 | Link [ - ]

Thank you for your best efforts. We understand that your full time job requires lots of energy and your time is limited. I hope that someone can continue working on this at some point.

roosmaa edited 8 years ago Replies: 2 | Weight: -391 | Link [ + ]

16th of June - Under the Weather

Just wanted to let everyone know that I’m still here. But for past two weeks I have made almost zero progress. :( I’ve managed to catch something and whenever I’m home from work, resting has been getting a higher priority than coding.

I seriously hope this thing will blow over soon and I can start showing progress again.

Reply to: roosmaa
XMRChina posted 8 years ago Weight: -335 | Link [ - ]

Hopefully you are well rested and feeling better. Any updates you are able to share?

Reply to: roosmaa
Lloydimiller4 edited 8 years ago Weight: -373 | Link [ + ]

Feel better roosmaa, being under the weather is not fun. Rest and recovery are important :)

dnaleor edited 8 years ago Replies: 1 | Weight: -394 | Link [ + ]

A small question: Would it be possible to create a seperate bootloader for "monezor" so that it recognises your firmware? This is why I ask: Black Arrow released a Trezor copy (eWallet) and they offer the devices without bootloader if requested by the costumer. I think it would be great to have a signed firmware running on a device.

And about the fact that it's a trezor ripp-off: yeah, that's true, but you are basically rewriting the firmware, so I don't see any harm in using the eWallet for Monezor.

Thoughts?

Reply to: dnaleor
roosmaa edited 8 years ago Weight: -392 | Link [ + ]

I have been thinking of the same thing. Basically when the software is done, I plan on getting in touch with Trezor to see if they would be interested in selling a version of their device with software signed by me. Though this Black Arrow product looks nice as well! :)

roosmaa edited 8 years ago Replies: 1 | Weight: -422 | Link [ + ]

31st of May - Communicating with Trezor

Last week has been pretty crazy. I managed to launch my other Monero related project (CryptoName) on Tuesday and then accepted a full-time job on Thursday. Time commitment wise there will be no changes for this project, 10h/week should still be doable.

I now have a pretty good idea how I want to approach developing Monezor. The short version of the plan is as follows:

  • Reorganise trezor-mcu project, removing Bitcoin crypto code and changing the protobuf communication API to suite Monezor.
  • Port over Monero crypto to Trezor.
  • Implement actual Monezor features: wallet generation, PIN protection, key image generation, mnemonic seed displaying/restoring.
  • Library for communicating with Monezor (which will also be used by the wallet app later on).

I’ve created a little tool for myself to communicate with Trezor and will use that to verify that Monezor works when I'm doing the firmware changes. This tool will later be refactored into the library that anyone can use.

Reply to: roosmaa
Lloydimiller4 edited 8 years ago Weight: -409 | Link [ + ]

Congrats to your other projects/full time job. Glad to have you helping us, I know Monezor will be extremely useful for protecting funds with people who have a tough time creating safe offline wallets. Happy to hear you will still have time to keep working on this project. :D

roosmaa edited 8 years ago Replies: 1 | Weight: -438 | Link [ + ]

24th of May - Navigating the Trezor codebase

I have been studying the Trezor code in detail. It has become clear that the right course of action for our project is to throw out most of the Bitcoin related functionality and create a “Monezor”. Basically a completely different firmware specialised for Monero. All of the low-level USB, proto-buf RPC and UI code can be reused.

I have been trying to come up with some sort of a plan on how to approach this. But progress has been slow on that front sadly. Ideally I’d like to include only really basic functionality (ie authorising payments), but there are a lot of “extra” functionality that is implicitly required to be implemented: generating a new wallet, recovering a wallet, etc.

Hopefully by next time I have come up with the concept of what I want the device usage to be like and started reorganising trezor-mcu code for our needs. If you have any suggestions for the name of the Trezor-specialized-for-Monero project, let me know. Otherwise I’ll just go with Monezor.

Reply to: roosmaa
Lloydimiller4 edited 8 years ago Replies: 1 | Weight: -438 | Link [ + ]

Monezor sounds pretty cool to me or maybe Trozero lol, and as always, I'm very grateful for your work on this much needed project. :D

Reply to: Lloydimiller4 roosmaa
dnaleor edited 8 years ago Weight: -408 | Link [ + ]

Monezor sounds awesome indeed. About "trozero"... Maybe "Trezero" ? Could have the meaning of 'trust zero' (zero trust / trust no one)

Also, you could make a difference between the firmware of the device and software to communicate with the device. (With trezor, some people are confused that their trezor device can speak with other software and not only mytrezor.com) So you could for example call the firmware/device 'Monezor' and call the software/website 'Trezero'

Anyway, do what you want. Name isn't important ;)

roosmaa edited 8 years ago Weight: -464 | Link [ + ]

11th of May - Intimate weekend with crypto

Past weeks I’ve been prototyping things in Go, to see if it would be feasible to implement the PC side wallet application in Go. I had already got serialization and deserialization of various Monero data types working. This weekend I spent porting Moneros crypto functions to Go.

Though the work I’ve done did stop being a prototype and started resembling a real library a long time ago, but now all of the basic things to interact with Monero are there: binary serialization, portable storage binary serialisation and cryptographic functionality.

The code lives on Github and I will be basing future developments on that, instead of trying to refactor simplewallet into something usable for this project.

Next, I’ll (finally) start hacking away at Trezor’s code.

roosmaa edited 8 years ago Replies: 2 | Weight: -482 | Link [ + ]

2nd of May - Trezor has arrived!

Just a quick update. On the PC side, still working on the prototyping the required functionality in Go.

The Trezor rottenchris sent, has arrived! I’ve tested out compiling the official firmware and installing it with non-SatoshiLab signatures. Minor annoyance with custom firmwares (like the one I’ll be making) is that Trezor prompts the user on every startup if they want to continue with the potentially unsafe firmware.

That’s it for now. Hopefully next time I’ll have a Go prototype which can sign and verify ring signatures and communicate with monerod using binary serialisation formats.

Reply to: roosmaa
Lloydimiller4 edited 8 years ago Replies: 1 | Weight: -479 | Link [ + ]

Do you have an estimate for approximately how long this project will take you? If we are able to raise more Monero as a bounty, would you be willing/able to devote more time to the project?

Reply to: Lloydimiller4 roosmaa
roosmaa edited 8 years ago Weight: -477 | Link [ + ]

No estimates yet, but the timescale will be in months. Wishful thinking: maybe in 2 months time there will be something unstable that people can start experimenting with.

Unless we could raise enough Moneros to compensate for all of my time (near market price), I don't see any way I would be able to promise more time to this project. So I'm afraid we just have to be patient.

Reply to: roosmaa
Lloydimiller4 edited 8 years ago Replies: 1 | Weight: -481 | Link [ + ]

I am incredibly excited about this project. Once it is finished you can expect a hefty tip from me for making it easier to secure my Monero :D

Reply to: Lloydimiller4 roosmaa
Kazuki edited 8 years ago Weight: -480 | Link [ + ]

word.

roosmaa edited 8 years ago Replies: 2 | Weight: -502 | Link [ + ]

21st of April - Trezor on it’s way!

Christoph (rottenchris) has mailed me one of his spare Trezors - thank you very much! I’ll be flying to Estonia for a week tomorrow. Unless the package reaches me today, I won’t be able to play around with it until I’m back.

Progress This Week

I spent the better part of last week getting to know Monero wallet better: how it works behind the scenes, what is the code like, etc.

What I learned is that view key can only be used to detect outputs in a transaction which belong to the account. It cannot be used to detect when said output was spent.

The way simplewallet detects outgoing payments is by generating a key image for each of the transaction outputs belonging to the account and monitors the blockchain for usage of that key image. The only way to generate such key image is to have access to the private spend key.

Having Trezor generate key images for each of those outputs would defeat the purpose of a hardware security module. Having access to those key images means it is possible to spend that output.

See my notes below on outgoing payment detection for more information about this.

To get spend detection working for Monero I need to extend the public Trezor communication protocol with Monero specific features. This will decrease the chance of this work getting merged back upstream into official Trezor firmware.

After I’ve played around with the Trezor I’ll know more or less what kind of changes I need to do in the firmware. If they are fairly extensive, then it will make more sense to have Monero specific alternative firmware for Trezor.

Adding Trezor support directly to simplewallet would unnecessarily complicate usage of that tool and it would definitely not be a simplewallet anymore. I think the best option is to create a separate wallet tool for Trezor, dealing with just payments (no RPC for instance).

To do that I have three options:

  1. The easiest would be to copy-paste most of the existing wallet code into a new directory, make changes to add Trezor support and delete code (RPC, etc) that isn’t useful for the new tool. I don’t see such code being merged into Monero upstream nor anybody wanting to maintain this hack in the future. So this option isn’t really an option.
  2. The better option would be to refactor the existing wallet code extensively, in a way that would make it to be possible to build a second wallet utility with Trezor support on top it. It would be a fairly big undertaking with a lot of swearing involved and a chance of breaking existing simplewallet functionality.
  3. Or implement the Trezor wallet in Go, from scratch. This would probably take slightly more time, but it wouldn’t break any existing functionality nor would it have to be merged upstream. It would also mean in the future there would be solid building blocks for people wanting to build something on top of Monero using Go.

Out of the three options I prefer the last one as it would mean less swearing and more fun. I’ve started prototyping various required functionality (encoding/decoding Monero binary formats, generation & verification of ring signatures) to see if they can be implemented using the Go standard library & existing 3rd party libraries already out there.

Plan for Next Week

I am going to continue prototyping the Go wallet implementation idea. I will also be taking a more in depth look at trezor-mcu source code to get a better idea about how I would approach adding Monero support there.

Notes

Outgoing Payment Detection

View key only allows us to detect incoming payments for the address. So far I haven’t found a way to detect with view key if the key image was generated by the spend key holder.

That means detecting when the user has spent some of their money is tricky. The official wallet uses spend key to generate key images for each of the incoming payments. Then it compares those with all key images in the blockchain to see if it has been spent. If the spend key is not available this is not an option.

Hashed Key Images

To sign a transaction the user needs to interact with Trezor. We could however, implement a new API in Trezor which would output the hash of the key image. This would allow us to hash all seen key images and see if the users output was spent.

Educated Guessing

We could attempt to guess spend transactions. This would involve checking if all of the inputs in a transactions contain at least one of transaction output we know is ours. If there are change outputs we can be 99% certain this was an outgoing transaction.

There is an edge case which is difficult to detect using this approach: single input and single output, no change outputs. There just isn’t enough information to be 100% certain these outputs were spent by the user.

This also breaks bad when the transaction contains funds from several accounts. Thus the hashed key images would be a more foolproof way to monitor this.

Reply to: roosmaa
luigi1111 edited 8 years ago Replies: 1 | Weight: -413 | Link [ + ]

"Having access to those key images means it is possible to spend that output."

This isn't true, unless you mean "having access to generate those key images". You need the output private key to create a valid ring signature. A key image is another public key of the output private key using a different base. Unless i'm missing something, I'm not sure why you'd use a hash instead of the actual key image.

Keep up the good work!

Reply to: luigi1111 roosmaa
roosmaa edited 8 years ago Weight: -412 | Link [ + ]

Thanks for the support luigi1111! :)

And it seems you are right - I missed the fact (back in April) that you need to have access to the output-specific private key as well in addition to the key image. No need to hash them.

Reply to: roosmaa
arnuschky edited 8 years ago Replies: 1 | Weight: -484 | Link [ + ]

Thanks for the update, roosmaa! Did you find a way to handle the spent outputs by now?

Reply to: arnuschky roosmaa
roosmaa edited 8 years ago Weight: -482 | Link [ + ]

Most likely will go down the route of letting Trezor return a hashed key-image for all the detected spendable outputs. That way the wallet software on PC can detect when the (hashed) key-image was used in the blockchain and mark the output as used.