Replace Blockstream Jade listing with Jade Classic, Jade Plus, and Jade Core#4728
bitcoinhelp wants to merge 2 commits into
Blockstream now sells three distinct hardware wallet products. This replaces the single Jade entry with individual listings for each device, with updated descriptions, product images, and translation entries. Closes bitcoin-dot-org#4683
LGTM
@bitcoinhelp, I'm working with @crwatkins on the bitcoin.org wallet reviews. One remaining step on our side is a hands-on physical test of the three Jade models. I can send the shipping details by email.
@devdavidejesus happy to get you some units! just sent over an email
Thanks! Just replied to the email.
Blockstream Jade (Classic · Plus · Core) — Review for bitcoin.org listing (PR #4728)
Wallet family: Blockstream Jade — three models: Classic, Plus, Core
Changes from @crwatkins's feedback (updated 2026-06-24)
This review was originally posted on 2026-06-23. After @crwatkins's feedback on this PR
Why a single review for the three models
This review covers all three products in PR #4728 in one document because the source-code PR #4728 is, in practice, a 1→3 split of the existing
Method
Scope (precedent from PR #4000, @crwatkins): as a hardware wallet, only
Verdict per model
As reviewer, I recommend Jade Classic and Jade Plus for listing, with no technical
Basic Requirements (shared — identical firmware/company)
Reviewer's organizational numbering.
For hardware wallets (shared — identical firmware)
Conditional criteria that do not apply (N/A): the
Genuine Check / attestation (shared)
On first connection the app requires a Genuine Check (mandatory), confirmed on the
Features (shared)
Taproot — feature confirmed (send + receive of bc1p, proven by code)
Initially this review left
Both send and receive are therefore demonstrated in source, satisfying the criterion's
Note on the tested app vs. capability: in the Blockstream/Green app flow we exercised
This is a change from master: the original
Score decisions (shared — identical to master's
| | Classic | Plus | Core |
|---|---|---|---|
| Board config | JADE / JADE_V1_1 | JADE_V2 | JADE_V2C |
| USB string | — | "Jade Plus" | "Jade Core" |
| Camera (HAS_CAMERA) | ✅ select (JADE:53 / V1_1:60) | ✅ select (V2:67) | ❌ not selected (V2C:71-75) |
| Battery (HAS_BATTERY) | ✅ | ✅ (Kconfig:68) | ❌ |
| QR / air-gapped signing | ✅ (tested OK) | ✅ (tested OK) | N/A (no camera) |
| SD card / JadeLink | ❌ | ✅ (JadeLink tested OK) | ❌ |
| Hardware origin | Original Jade (2021) | advanced model | simplified model (2026-04-28) |
| Platforms tested | iOS + Android | iOS + macOS + Android | macOS |
| Screenshot | RGB | RGB | grayscale (jadecore.png confirmed by file as 8-bit grayscale, mode L; Classic/Plus are RGB. The screen shows no visible content and the body is dark, so no practical visual impact; reason for the grayscale encoding not determined — not verified, non-blocking) |
| ≥3-month requirement | passes (2021) | passes | see below |
All three use the same power file (main/power/jadev20.inc via BOARD_TYPE_JADE_V2_ANY);
camera/battery are gated by #ifdef CONFIG_HAS_CAMERA/HAS_BATTERY, so the code for those
features simply does not compile on the Core.
Literal proof in code: Kconfig.projbuild:72 describes the Core board textually as
"Blockstream Jade Core (Jade v2, no camera, no battery)" — and the BOARD_TYPE_JADE_V2C
block (lines 71-75) selects only HAS_AXP, BOARD_TYPE_JADE_ANY and BOARD_TYPE_JADE_V2_ANY,
without select HAS_CAMERA or select HAS_BATTERY (which V2/Plus has, lines 67-68).
This is not inference: it is Blockstream itself declaring in the code that the Core is the
V2 without camera and without battery.
Jade Core — the 3-month requirement (maintainer's decision)
The Core was publicly launched on 2026-04-28, confirmed by the URL of the official
press release itself (blockstream.com/press-releases/2026-04-28-blockstream-introduces-jade-core/).
As of 2026-06-23 that is ~8 weeks — below the 3-month minimum if the criterion is
applied to the individual model. If applied to the Jade line (since 2021), it passes.
Reviewer's recommendation: apply the criterion to the line. Technical basis (proven in
this audit): the Core runs identical firmware to Plus/Classic (same tag 1.0.40, same
audited security files); it differs only in physical I/O. No new security code is
introduced by the model, so the line's maturity covers the Core. Official confirmation
from Blockstream itself: the blog "The Jade Lineup, Reimagined" states verbatim that
"every device runs identical open-source firmware and the same Blind Oracle security
model"; and the launch press release (2026-04-28) describes the Core as "built on the
same open-source security foundation as the company's existing Jade product line" — i.e.,
the firmware/security equivalence we proved by code is also a public statement by the
manufacturer, across two distinct official documents. Final decision deferred to Cobra
(maintainer) — it is repo policy, not audit.
Assets and PR structure (#4728) — audited on the branch
Structure confirmed on the PR branch (local clone, not web_fetch): jade.md → jadecore.md
and jade.png → jadeclassic.png via git rename; 3 new .md files (level 2, same features
and scores); descriptions in _translations/en.yml:308-310; total diff 11 files,
+62/−6. The 3 .md files have identical content except for id/title/screenshot/text key.
| File | Spec | Status |
|---|---|---|
| img/wallet/jadeclassic.png | 144×144, 4-bit colormap (575 B) | OK |
| img/wallet/jadeplus.png | 144×144, 4-bit colormap (575 B) | OK |
| img/wallet/jadecore.png | 144×144, 4-bit colormap (575 B) | OK |
| img/screenshots/jadeclassic.png | 250×350, RGB (28,771 B) | OK |
| img/screenshots/jadeplus.png | 250×350, RGB (30,694 B) | OK |
| img/screenshots/jadecore.png | 250×350, 8-bit grayscale (11,355 B; confirmed by file) | Compliant in dimensions and optimized. The file is grayscale (mode L) while Classic/Plus are RGB. The screen shows no visible content in any of the three screenshots and the Core body is dark, so a grayscale encoding has no practical visual impact here. The exact reason for the grayscale encoding was not determined (could be the photo itself or the export); not verified, and not a blocking issue either way. |
optipng -o7 (required by the criteria): the three screenshots pass — optipng -o7 -simulate
reports each as "already optimized". Dimensions (250×350) and icon size (144×144) also conform.
Note on the en.yml descriptions — character-limit violation (author must fix):
The criteria require each description to be < 320 characters. Measured against the PR
branch:
- walletjadeclassic: 336 chars — exceeds by 16 ❌
- walletjadeplus: 332 chars — exceeds by 12 ❌
- walletjadecore: 314 chars — OK ✓
Two of the three descriptions are over the limit and must be shortened by the author. No
prohibited superlatives were found, and the content (promoting use with Sparrow/Specter/
Nunchuk via QR; see the Taproot discussion above) is otherwise consistent in style. This is
a concrete non-conformance with managing-wallets.md, not a style preference.
PR merge state
Verified via GitHub API and local merge simulation (reconfirmed on 2026-06-23): the PR is
mergeable: false / mergeable_state: dirty — cannot be merged as-is. The branch
is 67 commits behind master (2 ahead) and has not been updated since 2026-05-28.
- _translations/en.yml — auto-merge resolves (no real conflict).
- _wallets/jadecore.md — content CONFLICT requiring manual resolution. Likely cause:
it is the file renamed from jade.md, which was touched on master in those 67 commits;
Git does not auto-reconcile rename + edit.
CI (Travis): the PR build passes — Travis CI - Pull Request → completed / success
(head commit 52ffe443, verified 2026-06-19 via GitHub API). The content is valid for CI.
(The API's "combined status: pending" is merely an artifact of GitHub's two APIs —
statuses vs check-runs — not a failure; the actual check is in success.)
Forwarding: the PR content is technically correct (fully audited in this review) and
passes CI, but the author (@bitcoinhelp) needs to rebase onto current master and resolve
the conflict in jadecore.md before any merge. The technical approval in this review
should not be confused with merge-readiness — they are distinct: the code is valid (CI
green), but the merge is blocked by the conflict (dirty state).
Open items and suggestions
Author must fix (concrete non-conformance with managing-wallets.md):
- Description character limit (< 320): walletjadeclassic is 336 chars and
walletjadeplus is 332 chars — both over the limit (walletjadecore 314, OK). The
author must shorten the two descriptions. Measured on the PR branch on 2026-06-23.
Per @crwatkins's review: shorten by removing the reference to Liquid (no other
non-Bitcoin chain is referenced in any wallet description) and removing references to
companion wallets other than the native app (Sparrow/Specter/Nunchuk have not been
reviewed; for consistency other listings don't name them, and naming them could imply a
recommendation). This both fixes the length and improves consistency.
- PR in dirty state (merge conflict): the branch is 67 commits behind master;
_wallets/jadecore.md has a content conflict. The author needs to rebase and resolve
before the merge. Reconfirmed on 2026-06-23 (mergeable: false, branch unchanged since 05-28).
Maintainer's decision (Cobra) — non-technical:
- Jade Core ≥3-month requirement — reviewer's recommendation: list all three and waive
the minimum-time criterion on the newest device (Core), since the firmware is identical
across the line. @crwatkins concurs and cites the Coldcard Q precedent. Verified
against master:_wallets/coldcardq.md: the Coldcard Q kept the full
checkgoodtransparencydeterministic score (same as the mature Coldcard), with the
"public ≥6 months" time sub-clause effectively waived because it runs the same auditable
open-source base. So the precedent is to keep the good/deterministic transparency score
on the Core and waive the time clause, not to lower the score. The original Jade scores
(verified identical across the three PR files) already use
checkgoodtransparencydeterministic, so the Core should keep it. Final decision rests
with the maintainer.
Improvement suggestions for Blockstream (non-blocking):
- Publish a formal specification of the PIN/blind-oracle protocol (a direct
continuation of Craig's observation in Add Blockstream Jade as HWW #4000).
- Pursue a published independent security audit of the blind-oracle protocol.
- Better document the SECURE_BOOT_V2_ALLOW_EFUSE_RD_DIS flag in the production README
(avoids misunderstanding by those who read the config without the context of main.c).
- Expose the secure-boot/anti-rollback status visibly in the UI to the end user.
Appendix — code anchors (tag 1.0.40, commit 6f858f39)
| Topic | File:line |
|---|---|
| Hardware mapping (camera/battery) | main/Kconfig.projbuild:50-75 (JADE:50, V1_1:57, V2:64, V2C:71) |
| USB string per model | configs/sdkconfig_dev_jade_v2.defaults:84 (Plus), _v2c:84 (Core) |
| Secure Boot v2 + Flash Encryption | production/sdkconfig_jade_{v2,v2c,v1_1}_prod.defaults:73-78 |
| Firmware signing | REPRODUCIBLE.md:65 (espsecure.py sign_data --version 2) |
| Anti-rollback | production/*_prod.defaults (BOOTLOADER_APP_ANTI_ROLLBACK, SECURE_VERSION=2); main/process/ota_util.c:427 |
| Secure provisioning / eFuse flag | main/main.c:87-99 |
| RFC6979 / anti-exfil | main/wallet.c:1144-1147; sign_tx.c:557-578 |
| Anti-brute-force PIN | main/keychain.c:502,523,677; auth_user.c:66 |
| Blind-oracle PIN protocol | main/process/pinclient.c (ECDH/generate_ske:150, AES :218, pubkey :163) |
| PIN server change | update_pinserver, storage.c:30-31, reset_pinserver |
| Taproot — receive (P2TR scriptpubkey) | main/wallet.c:61 (VARIANT_P2TR), :936, :286-287, :298 |
| Taproot — send (sign P2TR input, BIP-341) | main/process/sign_tx.c:539,797-819 |
| Taproot via QR (xpub export) | main/qrmode.c:207 (returns P2TR), :137 (rotation includes taproot) |
| Companion integration (Sparrow/Specter) | main/selfcheck.c:411, main/qrmode.c:996, main/process/sign_message.c:160 |
| Address type comes from companion | main/process/get_receive_address.c:138 |
| BIP39 seed import | main/process/mnemonic.c:84,81,85,377 |
| Multisig | main/ui/multisig.c, main/process/register_multisig.c |
| Attestation (genuine check) | main/process/register_attestation.c; main/attestation/attestation.c (mbedtls RSA, ESP-DS, ESP_DS_RSA_4096) |
| Reproducible build | CONFIG_APP_REPRODUCIBLE_BUILD=y, REPRODUCIBLE.md, Dockerfile |
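
The Kconfig argument in the review above (the Core board entry does not `select` HAS_CAMERA or HAS_BATTERY) can be checked mechanically rather than by reading line ranges. This is an added example, not part of the review or of the Jade code base: the Kconfig fragment is constructed from the review's description, the function names are hypothetical, and it goes one step beyond the review by following `select` chains transitively.

```python
import re

# Constructed fragment modelled on the review's description of
# main/Kconfig.projbuild; NOT copied from the Jade repository.
SAMPLE_KCONFIG = """\
config BOARD_TYPE_JADE_V2
    bool "Blockstream Jade v2"
    select HAS_CAMERA
    select HAS_BATTERY
    select BOARD_TYPE_JADE_V2_ANY

config BOARD_TYPE_JADE_V2C
    bool "Blockstream Jade Core (Jade v2, no camera, no battery)"
    select HAS_AXP
    select BOARD_TYPE_JADE_ANY
    select BOARD_TYPE_JADE_V2_ANY
    # select HAS_CAMERA  (commented out, must not count)
"""

ENTRY = re.compile(r"^\s*(?:menu)?config\s+(\w+)\s*$")
SELECT = re.compile(r"^\s*select\s+(\w+)")
BLOCK_END = re.compile(r"^\s*(?:endchoice|endmenu|endif|choice|menu)\b")

def parse_selects(text):
    """Map each config symbol to the set of symbols it selects directly."""
    selects, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop Kconfig comments
        m = ENTRY.match(line)
        if m:
            current = m.group(1)
            selects.setdefault(current, set())
        elif BLOCK_END.match(line):
            current = None                        # left the config entry
        elif current and (s := SELECT.match(line)):
            selects[current].add(s.group(1))
    return selects

def audit_board(selects, board, forbidden):
    """Return forbidden symbols the board selects, directly or transitively."""
    if board not in selects:
        raise KeyError(f"board {board!r} not found in Kconfig")
    seen, stack = set(), [board]
    while stack:
        for dep in selects.get(stack.pop(), ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return sorted(seen & set(forbidden))
```

The check only follows `select`; a feature symbol turned on through `default y if ...` would not be caught, so the generated sdkconfig for the Core build is the stronger evidence.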
@devdavidejesus Thanks for the extremely comprehensive review. In the descriptions (and particularly because they are too long) I would recommend removing the reference to Liquid since no other non-Bitcoin blockchains are referenced in any of the other wallet descriptions. I would also remove references to compatible companion wallets (other than perhaps the native app), especially those that have not been reviewed. We don't want to deny existence, but for consistency other wallets don't list them, and we don't want to imply a recommendation currently or in the future. Since the firmware is the same on all devices, I would recommend we list all three devices and waive the minimum time criterion (along with the transparency score) on the newest device, as we did on the Coldcard Q for similar reasons. I also recommend that if the devices can sign Taproot transactions they be listed with the Taproot feature. While criteria are judged based on the default configuration of the device, feature selection is not and should not depend on the review methodology.
@crwatkins Thanks, you're right on all four points, and I've updated the review above accordingly. Credit for these corrections is yours:
@bitcoinhelp — based on the review and Craig's feedback, a few changes are needed on the PR:
@Cobra-Bitcoin, the only non-technical open item is the 3-month waiver on the Jade Core (launched 2026-04-28). Craig and I both recommend listing all three and waiving the time criterion on the Core, following the Coldcard Q precedent (identical firmware across the line). That decision is yours.
Blockstream now sells three distinct Jade hardware wallet products. This PR replaces the single "Blockstream Jade" listing with individual entries for each device.
Changes
- _translations/en.yml with descriptions for all three products
- optipng -o7)
Closes #4683