syntax = "proto2" ;
package hw . trezor.messages.management ;
// Sugar for easier handling in Java
option java_package = "com.satoshilabs.trezor.lib.protobuf" ;
option java_outer_classname = "TrezorMessageManagement" ;
option ( include_in_bitcoin_only ) = true ;
import "messages.proto" ;
/ * *
* Type of the mnemonic backup given / received by the device during reset / recovery.
* /
enum BackupType {
Bip39 = 0 ; // also called "Single Backup", see BIP-0039
Slip39_Basic = 1 ; // also called "Shamir Backup", see SLIP-0039
Slip39_Advanced = 2 ; // also called "Super Shamir" or "Shamir with Groups", see SLIP-0039#two-level-scheme
Slip39_Single_Extendable = 3 ; // extendable single-share Shamir backup
Slip39_Basic_Extendable = 4 ; // extendable multi-share Shamir backup
Slip39_Advanced_Extendable = 5 ; // extendable multi-share Shamir backup with groups
}
/ * *
* Level of safety checks for unsafe actions like spending from invalid path namespace or setting high transaction fee.
* /
enum SafetyCheckLevel {
Strict = 0 ; // disallow unsafe actions, this is the default
PromptAlways = 1 ; // ask user before unsafe action
PromptTemporarily = 2 ; // like PromptAlways but reverts to Strict after reboot
}
/ * *
* Format of the homescreen image
* /
enum HomescreenFormat {
Toif = 1 ; // full-color toif
Jpeg = 2 ; // jpeg
ToiG = 3 ; // greyscale toif
}
/ * *
* Request : Reset device to default state and ask for device details
* @ start
* @ next Features
* /
message Initialize {
optional bytes session_id = 1 ; // assumed device session id; Trezor clears caches if it is different or empty
optional bool _skip_passphrase = 2 [ deprecated = true ] ; // removed as part of passphrase redesign
optional bool derive_cardano = 3 ; // whether to derive Cardano Icarus root keys in this session
}
/ * *
* Request : Ask for device details ( no device reset )
* @ start
* @ next Features
* /
message GetFeatures {
}
/ * *
* Response : Reports various information about the device
* @ end
* /
message Features {
optional string vendor = 1 ; // name of the manufacturer, e.g. "trezor.io"
required uint32 major_version = 2 ; // major version of the firmware/bootloader, e.g. 1
required uint32 minor_version = 3 ; // minor version of the firmware/bootloader, e.g. 0
required uint32 patch_version = 4 ; // patch version of the firmware/bootloader, e.g. 0
optional bool bootloader_mode = 5 ; // is device in bootloader mode?
optional string device_id = 6 ; // device's unique identifier
optional bool pin_protection = 7 ; // is device protected by PIN?
optional bool passphrase_protection = 8 ; // is node/mnemonic encrypted using passphrase?
optional string language = 9 ; // device language
optional string label = 10 ; // device description label
optional bool initialized = 12 ; // does device contain seed?
optional bytes revision = 13 ; // SCM revision of firmware
optional bytes bootloader_hash = 14 ; // hash of the bootloader
optional bool imported = 15 ; // was storage imported from an external source?
optional bool unlocked = 16 ; // is the device unlocked? called "pin_cached" previously
optional bool _passphrase_cached = 17 [ deprecated = true ] ; // is passphrase already cached in session?
optional bool firmware_present = 18 ; // is valid firmware loaded?
optional BackupAvailability backup_availability = 19 ; // does storage need backup? is repeated backup unlocked?
optional uint32 flags = 20 ; // device flags (equals to Storage.flags)
optional string model = 21 ; // device hardware model
optional uint32 fw_major = 22 ; // reported firmware version if in bootloader mode
optional uint32 fw_minor = 23 ; // reported firmware version if in bootloader mode
optional uint32 fw_patch = 24 ; // reported firmware version if in bootloader mode
optional string fw_vendor = 25 ; // reported firmware vendor if in bootloader mode
// optional bytes fw_vendor_keys = 26; // obsoleted, use fw_vendor
optional bool unfinished_backup = 27 ; // report unfinished backup (equals to Storage.unfinished_backup)
optional bool no_backup = 28 ; // report no backup (equals to Storage.no_backup)
optional RecoveryStatus recovery_status = 29 ; // whether or not we are in recovery mode and of what kind
repeated Capability capabilities = 30 ; // list of supported capabilities
optional BackupType backup_type = 31 ; // type of device backup (BIP-39 / SLIP-39 basic / SLIP-39 advanced)
optional bool sd_card_present = 32 ; // is SD card present
optional bool sd_protection = 33 ; // is SD Protect enabled
optional bool wipe_code_protection = 34 ; // is wipe code protection enabled
optional bytes session_id = 35 ;
optional bool passphrase_always_on_device = 36 ; // device enforces passphrase entry on Trezor
optional SafetyCheckLevel safety_checks = 37 ; // safety check level, set to Prompt to limit path namespace enforcement
optional uint32 auto_lock_delay_ms = 38 ; // number of milliseconds after which the device locks itself
optional uint32 display_rotation = 39 ; // in degrees from North
optional bool experimental_features = 40 ; // are experimental message types enabled?
optional bool busy = 41 ; // is the device busy, showing "Do not disconnect"?
optional HomescreenFormat homescreen_format = 42 ; // format of the homescreen, 1 = TOIf, 2 = jpg, 3 = TOIG
optional bool hide_passphrase_from_host = 43 ; // should we hide the passphrase when it comes from host?
optional string internal_model = 44 ; // internal model name
optional uint32 unit_color = 45 ; // color of the unit/device
optional bool unit_btconly = 46 ; // unit/device is intended as bitcoin only
optional uint32 homescreen_width = 47 ; // homescreen width in pixels
optional uint32 homescreen_height = 48 ; // homescreen height in pixels
optional bool bootloader_locked = 49 ; // bootloader is locked
optional bool language_version_matches = 50 [ default = true ] ; // translation blob version matches firmware version
optional uint32 unit_packaging = 51 ; // unit/device packaging version
optional bool haptic_feedback = 52 ; // haptic feedback is enabled
optional RecoveryType recovery_type = 53 ; // what type of recovery we are in. NB: this works in conjunction with recovery_status
optional uint32 optiga_sec = 54 ; // Optiga's security event counter.
enum BackupAvailability {
/// Device is already backed up, or a previous backup has failed.
NotAvailable = 0 ;
/// Device is not backed up. Backup is required.
Required = 1 ;
/// Device is already backed up and can be backed up again.
Available = 2 ;
}
enum RecoveryStatus {
Nothing = 0 ; // we are not in recovery mode
Recovery = 1 ; // we are in "Normal" or "DryRun" recovery
Backup = 2 ; // we are in repeated backup mode
}
enum Capability {
option ( has_bitcoin_only_values ) = true ;
Capability_Bitcoin = 1 [ ( bitcoin_only ) = true ] ;
Capability_Bitcoin_like = 2 ; // Altcoins based on the Bitcoin source code
Capability_Binance = 3 ;
Capability_Cardano = 4 ;
Capability_Crypto = 5 [ ( bitcoin_only ) = true ] ; // generic crypto operations for GPG, SSH, etc.
Capability_EOS = 6 ;
Capability_Ethereum = 7 ;
Capability_Lisk = 8 [ deprecated = true ] ;
Capability_Monero = 9 ;
Capability_NEM = 10 ;
Capability_Ripple = 11 ;
Capability_Stellar = 12 ;
Capability_Tezos = 13 ;
Capability_U2F = 14 ;
Capability_Shamir = 15 [ ( bitcoin_only ) = true ] ;
Capability_ShamirGroups = 16 [ ( bitcoin_only ) = true ] ;
Capability_PassphraseEntry = 17 [ ( bitcoin_only ) = true ] ; // the device is capable of passphrase entry directly on the device
Capability_Solana = 18 ;
Capability_Translations = 19 [ ( bitcoin_only ) = true ] ;
Capability_Brightness = 20 [ ( bitcoin_only ) = true ] ;
Capability_Haptic = 21 [ ( bitcoin_only ) = true ] ;
}
}
/ * *
* Request : soft - lock the device. Following actions will require PIN. Passphrases remain cached.
* @ start
* @ next Success
* /
message LockDevice {
}
/ * *
* Request : Show a "Do not disconnect" dialog instead of the standard homescreen.
* @ start
* @ next Success
* /
message SetBusy {
optional uint32 expiry_ms = 1 ; // The time in milliseconds after which the dialog will automatically disappear. Overrides any previously set expiry. If not set, then the dialog is hidden.
}
/ * *
* Request : end the current sesson. Following actions must call Initialize again.
* Cache for the current session is discarded , other sessions remain intact.
* Device is not PIN - locked.
* @ start
* @ next Success
* /
message EndSession {
}
/ * *
* Request : change some property of the device , e.g. label or homescreen
* @ start
* @ next Success
* @ next Failure
* /
message ApplySettings {
optional string language = 1 [ deprecated = true ] ;
optional string label = 2 ;
optional bool use_passphrase = 3 ;
optional bytes homescreen = 4 ;
optional uint32 _passphrase_source = 5 [ deprecated = true ] ; // ASK = 0; DEVICE = 1; HOST = 2;
optional uint32 auto_lock_delay_ms = 6 ;
optional uint32 display_rotation = 7 ; // in degrees from North
optional bool passphrase_always_on_device = 8 ; // do not prompt for passphrase, enforce device entry
optional SafetyCheckLevel safety_checks = 9 ; // Safety check level, set to Prompt to limit path namespace enforcement
optional bool experimental_features = 10 ; // enable experimental message types
optional bool hide_passphrase_from_host = 11 ; // do not show passphrase coming from host
optional bool haptic_feedback = 13 ; // enable haptic feedback
}
/ * *
* Request : change the device language via translation data.
* Does not send the translation data itself , as they are too large for one message.
* Device will request the translation data in chunks.
* @ start
* @ next TranslationDataRequest
* @ next Failure
* /
message ChangeLanguage {
// byte length of the whole translation blob (set to 0 for default language - english)
required uint32 data_length = 1 ;
// Prompt the user on screen.
// In certain conditions (such as freshly installed device), the confirmation prompt
// is not mandatory. Setting show_display=false will skip the prompt if that's
// the case. If the device does not allow skipping the prompt, a request with
// show_display=false will return a failure. (This way the host can safely try
// to change the language without invoking a prompt.)
// Setting show_display to true will always show the prompt.
// Leaving the option unset will show the prompt only when necessary.
optional bool show_display = 2 ;
}
/ * *
* Response : Device asks for more data from transaction payload.
* @ end
* @ next TranslationDataAck
* /
message TranslationDataRequest {
required uint32 data_length = 1 ; // Number of bytes being requested
required uint32 data_offset = 2 ; // Offset of the first byte being requested
}
/ * *
* Request : Translation payload data.
* @ next TranslationDataRequest
* @ next Success
* /
message TranslationDataAck {
required bytes data_chunk = 1 ; // Bytes from translation payload
}
/ * *
* Request : set flags of the device
* @ start
* @ next Success
* @ next Failure
* /
message ApplyFlags {
required uint32 flags = 1 ; // bitmask, can only set bits, not unset
}
/ * *
* Request : Starts workflow for setting / changing / removing the PIN
* @ start
* @ next Success
* @ next Failure
* /
message ChangePin {
optional bool remove = 1 ; // is PIN removal requested?
}
/ * *
* Request : Starts workflow for setting / removing the wipe code
* @ start
* @ next Success
* @ next Failure
* /
message ChangeWipeCode {
optional bool remove = 1 ; // is wipe code removal requested?
}
/ * *
* Request : Starts workflow for enabling / regenerating / disabling SD card protection
* @ start
* @ next Success
* @ next Failure
* /
message SdProtect {
required SdProtectOperationType operation = 1 ;
/ * *
* Structure representing SD card protection operation
* /
enum SdProtectOperationType {
DISABLE = 0 ;
ENABLE = 1 ;
REFRESH = 2 ;
}
}
/ * *
* Request : Test if the device is alive , device sends back the message in Success response
* @ start
* @ next Success
* /
message Ping {
optional string message = 1 [ default = "" ] ; // message to send back in Success message
optional bool button_protection = 2 ; // ask for button press
}
/ * *
* Request : Abort last operation that required user interaction
* @ start
* @ next Failure
* /
message Cancel {
}
/ * *
* Request : Request a sample of random data generated by hardware RNG. May be used for testing.
* @ start
* @ next Entropy
* @ next Failure
* /
message GetEntropy {
required uint32 size = 1 ; // size of requested entropy
}
/ * *
* Response : Reply with random data generated by internal RNG
* @ end
* /
message Entropy {
required bytes entropy = 1 ; // chunk of random generated bytes
}
/ * *
* Request : Get a hash of the installed firmware combined with an optional challenge.
* @ start
* @ next FirmwareHash
* @ next Failure
* /
message GetFirmwareHash {
optional bytes challenge = 1 ; // Blake2s key up to 32 bytes in length.
}
/ * *
* Response : Hash of the installed firmware combined with the optional challenge.
* @ end
* /
message FirmwareHash {
required bytes hash = 1 ;
}
/ * *
* Request : Request a signature of the provided challenge.
* @ start
* @ next AuthenticityProof
* @ next Failure
* /
message AuthenticateDevice {
required bytes challenge = 1 ; // A random challenge to sign.
}
/ * *
* Response : Signature of the provided challenge along with a certificate issued by the Trezor company.
* @ end
* /
message AuthenticityProof {
repeated bytes certificates = 1 ; // A certificate chain starting with the device certificate, followed by intermediate CA certificates, the last of which is signed by Trezor company's root CA.
required bytes signature = 2 ; // A DER-encoded signature of "\0x13AuthenticateDevice:" + length-prefixed challenge that should be verified using the device certificate.
}
/ * *
* Request : Request device to wipe all sensitive data and settings
* @ start
* @ next Success
* @ next Failure
* /
message WipeDevice {
}
/ * *
* Request : Load seed and related internal settings from the computer
* @ start
* @ next Success
* @ next Failure
* /
message LoadDevice {
repeated string mnemonics = 1 ; // seed encoded as mnemonic (12, 18 or 24 words for BIP39, 20 or 33 for SLIP39)
optional string pin = 3 ; // set PIN protection
optional bool passphrase_protection = 4 ; // enable master node encryption using passphrase
optional string language = 5 [ deprecated = true ] ; // deprecated (use ChangeLanguage)
optional string label = 6 ; // device label
optional bool skip_checksum = 7 ; // do not test mnemonic for valid BIP-39 checksum
optional uint32 u2f_counter = 8 ; // U2F counter
optional bool needs_backup = 9 ; // set "needs backup" flag
optional bool no_backup = 10 ; // indicate that no backup is going to be made
}
/ * *
* Request : Ask device to do initialization involving user interaction
* @ start
* @ next EntropyRequest
* @ next Failure
* /
message ResetDevice {
reserved 1 ; // unused display_random
optional uint32 strength = 2 [ default = 256 ] ; // strength of seed in bits
optional bool passphrase_protection = 3 ; // enable master node encryption using passphrase
optional bool pin_protection = 4 ; // enable PIN protection
optional string language = 5 [ deprecated = true ] ; // deprecated (use ChangeLanguage)
optional string label = 6 ; // device label
optional uint32 u2f_counter = 7 ; // U2F counter
optional bool skip_backup = 8 ; // postpone seed backup to BackupDevice workflow
optional bool no_backup = 9 ; // indicate that no backup is going to be made
optional BackupType backup_type = 10 [ default = Bip39 ] ; // type of the mnemonic backup
}
/ * *
* Request : Perform backup of the device seed if not backed up using ResetDevice
* @ start
* @ next Success
* /
message BackupDevice {
optional uint32 group_threshold = 1 ;
message Slip39Group {
required uint32 member_threshold = 1 ;
required uint32 member_count = 2 ;
}
repeated Slip39Group groups = 2 ;
}
/ * *
* Response : Ask for additional entropy from host computer
* @ next EntropyAck
* /
message EntropyRequest {
}
/ * *
* Request : Provide additional entropy for seed generation function
* @ next Success
* /
message EntropyAck {
required bytes entropy = 1 ; // 256 bits (32 bytes) of random data
}
/ * *
* Request : Start recovery workflow asking user for specific words of mnemonic
* Used to recovery device safely even on untrusted computer.
* @ start
* @ next WordRequest
* /
message RecoveryDevice {
optional uint32 word_count = 1 ; // number of words in BIP-39 mnemonic (T1 only)
optional bool passphrase_protection = 2 ; // enable master node encryption using passphrase
optional bool pin_protection = 3 ; // enable PIN protection
optional string language = 4 [ deprecated = true ] ; // deprecated (use ChangeLanguage)
optional string label = 5 ; // device label
optional bool enforce_wordlist = 6 ; // enforce BIP-39 wordlist during the process (T1 only)
reserved 7 ; // unused recovery method
optional RecoveryDeviceInputMethod input_method = 8 ; // supported recovery input method (T1 only)
optional uint32 u2f_counter = 9 ; // U2F counter
optional RecoveryType type = 10 [ default = NormalRecovery ] ; // the type of recovery to perform
/ * *
* Type of recovery procedure. These should be used as bitmask , e.g. ,
* ` RecoveryDeviceInputMethod_ScrambledWords | RecoveryDeviceInputMethod_Matrix `
* listing every method supported by the host computer.
*
* Note that ScrambledWords must be supported by every implementation
* for backward compatibility ; there is no way to not support it.
* /
enum RecoveryDeviceInputMethod {
// use powers of two when extending this field
ScrambledWords = 0 ; // words in scrambled order
Matrix = 1 ; // matrix recovery type
}
}
enum RecoveryType {
NormalRecovery = 0 ; // recovery from seedphrase on an uninitialized device
DryRun = 1 ; // mnemonic validation
UnlockRepeatedBackup = 2 ; // unlock SLIP-39 repeated backup
}
/ * *
* Response : Device is waiting for user to enter word of the mnemonic
* Its position is shown only on device ' s internal display.
* @ next WordAck
* /
message WordRequest {
required WordRequestType type = 1 ;
/ * *
* Type of Recovery Word request
* /
enum WordRequestType {
WordRequestType_Plain = 0 ;
WordRequestType_Matrix9 = 1 ;
WordRequestType_Matrix6 = 2 ;
}
}
/ * *
* Request : Computer replies with word from the mnemonic
* @ next WordRequest
* @ next Success
* @ next Failure
* /
message WordAck {
required string word = 1 ; // one word of mnemonic on asked position
}
/ * *
* Request : Set U2F counter
* @ start
* @ next Success
* /
message SetU2FCounter {
required uint32 u2f_counter = 1 ;
}
/ * *
* Request : Set U2F counter
* @ start
* @ next NextU2FCounter
* /
message GetNextU2FCounter {
}
/ * *
* Request : Set U2F counter
* @ end
* /
message NextU2FCounter {
required uint32 u2f_counter = 1 ;
}
/ * *
* Request : Ask device to prepare for a preauthorized operation.
* @ start
* @ next PreauthorizedRequest
* @ next Failure
* /
message DoPreauthorized {
}
/ * *
* Request : Device awaits a preauthorized operation.
* @ start
* @ next SignTx
* @ next GetOwnershipProof
* /
message PreauthorizedRequest {
}
/ * *
* Request : Cancel any outstanding authorization in the current session.
* @ start
* @ next Success
* @ next Failure
* /
message CancelAuthorization {
}
/ * *
* Request : Reboot firmware to bootloader
* @ start
* @ next Success
* /
message RebootToBootloader {
// Action to be performed after rebooting to bootloader
optional BootCommand boot_command = 1 [ default = STOP_AND_WAIT ] ;
// Firmware header to be flashed after rebooting to bootloader
optional bytes firmware_header = 2 ;
// Length of language blob to be installed before upgrading firmware
optional uint32 language_data_length = 3 [ default = 0 ] ;
enum BootCommand {
// Go to bootloader menu
STOP_AND_WAIT = 0 ;
// Connect to host and wait for firmware update
INSTALL_UPGRADE = 1 ;
}
}
/ * *
* Request : Ask device to generate a random nonce and store it in the session ' s cache
* @ start
* @ next Nonce
* /
message GetNonce {
option ( experimental_message ) = true ;
}
/ * *
* Response : Contains a random nonce
* @ end
* /
message Nonce {
option ( experimental_message ) = true ;
required bytes nonce = 1 ; // a 32-byte random value generated by Trezor
}
/ * *
* Request : Ask device to unlock a subtree of the keychain.
* @ start
* @ next UnlockedPathRequest
* @ next Failure
* /
message UnlockPath {
repeated uint32 address_n = 1 ; // prefix of the BIP-32 path leading to the account (m / purpose')
optional bytes mac = 2 ; // the MAC returned by UnlockedPathRequest
}
/ * *
* Request : Device awaits an operation.
* @ start
* @ next SignTx
* @ next GetPublicKey
* @ next GetAddress
* /
message UnlockedPathRequest {
optional bytes mac = 1 ; // authentication code for future UnlockPath calls
}
/ * *
* Request : Show tutorial screens on the device
* @ start
* @ next Success
* /
message ShowDeviceTutorial {
}
/ * *
* Request : Unlocks bootloader , ! irreversible !
* @ start
* @ next Success
* @ next Failure
* /
message UnlockBootloader {
}
/ * *
* Request : Set device brightness
* @ start
* @ next Success
* /
message SetBrightness {
optional uint32 value = 1 ; // if not specified, let the user choose
}