Merge branch 'master' into secfix/23.03

Conflicts:
	core/Makefile
	core/SConscript.firmware
	core/embed/firmware/bootloader.bin
	core/embed/firmware/bootloaders/bootloader_T.bin
	core/embed/firmware/bootloaders/bootloader_T2T1.bin
	python/src/trezorlib/firmware/core.py
	python/src/trezorlib/firmware/models.py

.gitlab-ci.yml

@@ -19,6 +19,9 @@ variables:
 
   # No need for TLS because everything runs on the same machine
   DOCKER_TLS_CERTDIR: ""
+
+  NIX_SHELL: "nix-shell"
+
 stages:
   - environment
   - prebuild
@@ -29,9 +32,9 @@ stages:
 
 before_script:
   - . /nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh || true
-  - nix-shell --run "poetry install --remove-untracked"
-  - export LEGACY_VERSION=$(nix-shell --run "./tools/version.sh legacy/firmware/version.h")
-  - export CORE_VERSION=$(nix-shell --run "./tools/version.sh core/embed/firmware/version.h")
+  - $NIX_SHELL --run "poetry install --remove-untracked"
+  - export LEGACY_VERSION=$($NIX_SHELL --run "./tools/version.sh legacy/firmware/version.h")
+  - export CORE_VERSION=$($NIX_SHELL --run "./tools/version.sh core/embed/firmware/version.h")
 
 include:
   - ci/environment.yml

README.md

@@ -29,7 +29,7 @@ Also please have a look at the docs, either in the `docs` folder or at  [docs.tr
 
 ## Security vulnerability disclosure
 
-Please report suspected security vulnerabilities in private to [security@satoshilabs.com](mailto:security@satoshilabs.com), also see [the disclosure section on the Trezor.io website](https://trezor.io/security/). Please do NOT create publicly viewable issues for suspected security vulnerabilities.
+Please report suspected security vulnerabilities in private to [security@satoshilabs.com](mailto:security@satoshilabs.com), also see [the disclosure section on the Trezor.io website](https://trezor.io/support/a/how-to-report-a-security-issue). Please do NOT create publicly viewable issues for suspected security vulnerabilities.
 
 ## Documentation
 

build-docker.sh

@@ -32,6 +32,7 @@ if [ -z "$ALPINE_CHECKSUM" ]; then
  fi
 
 
+DOCKER=${DOCKER:-docker}
 CONTAINER_NAME=${CONTAINER_NAME:-trezor-firmware-env.nix}
 ALPINE_CDN=${ALPINE_CDN:-https://dl-cdn.alpinelinux.org/alpine}
 ALPINE_RELEASE=${ALPINE_RELEASE:-3.15}
@@ -137,7 +138,13 @@ echo
 echo ">>> DOCKER BUILD ALPINE_VERSION=$ALPINE_VERSION ALPINE_ARCH=$ALPINE_ARCH NIX_VERSION=$NIX_VERSION -t $CONTAINER_NAME"
 echo
 
-docker build --build-arg ALPINE_VERSION="$ALPINE_VERSION" --build-arg ALPINE_ARCH="$ALPINE_ARCH" --build-arg NIX_VERSION="$NIX_VERSION" -t "$CONTAINER_NAME" ci/
+$DOCKER build \
+  --network=host \
+  --build-arg ALPINE_VERSION="$ALPINE_VERSION" \
+  --build-arg ALPINE_ARCH="$ALPINE_ARCH" \
+  --build-arg NIX_VERSION="$NIX_VERSION" \
+  -t "$CONTAINER_NAME" \
+  ci/
 
 # stat under macOS has slightly different cli interface
 USER=$(stat -c "%u" . 2>/dev/null || stat -f "%u" .)
@@ -179,7 +186,10 @@ EOF
   echo ">>> DOCKER RUN core BITCOIN_ONLY=$BITCOIN_ONLY PRODUCTION=$PRODUCTION"
   echo
 
-  docker run -it --rm \
+  $DOCKER run \
+    --network=host \
+    -it \
+    --rm \
     -v "$DIR:/local" \
     -v "$DIR/build/core$DIRSUFFIX":/build:z \
     --env BITCOIN_ONLY="$BITCOIN_ONLY" \
@@ -225,7 +235,10 @@ EOF
   echo ">>> DOCKER RUN legacy BITCOIN_ONLY=$BITCOIN_ONLY PRODUCTION=$PRODUCTION"
   echo
 
-  docker run -it --rm \
+  $DOCKER run \
+    --network=host \
+    -it \
+    --rm \
     -v "$DIR:/local" \
     -v "$DIR/build/legacy$DIRSUFFIX":/build:z \
     --env BITCOIN_ONLY="$BITCOIN_ONLY" \
@@ -233,7 +246,6 @@ EOF
     --init \
     "$CONTAINER_NAME" \
     /nix/var/nix/profiles/default/bin/nix-shell --run "bash /local/build/$SCRIPT_NAME"
-
 done
 
 # all built, show fingerprints

ci/build.yml

@@ -22,17 +22,17 @@ core fw regular build:
   <<: *gitlab_caching
   needs: []
   script:
-    - nix-shell --run "poetry run make -C core build_boardloader"
-    - nix-shell --run "poetry run make -C core build_bootloader"
-    - nix-shell --run "poetry run make -C core build_bootloader_ci"
-    - nix-shell --run "poetry run make -C core build_prodtest"
-    - nix-shell --run "poetry run make -C core build_firmware"
-    - nix-shell --run "poetry run make -C core sizecheck"
-    - cp core/build/firmware/firmware.bin trezor-fw-regular-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
+    - $NIX_SHELL --run "poetry run make -C core build_boardloader"
+    - $NIX_SHELL --run "poetry run make -C core build_bootloader"
+    - $NIX_SHELL --run "poetry run make -C core build_bootloader_ci"
+    - $NIX_SHELL --run "poetry run make -C core build_prodtest"
+    - $NIX_SHELL --run "poetry run make -C core build_firmware"
+    - $NIX_SHELL --run "poetry run make -C core sizecheck"
+    - cp core/build/firmware/firmware.bin firmware-T2T1-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
-      - trezor-fw-regular-*.*.*-$CI_COMMIT_SHORT_SHA.bin
+      - firmware-T2T1-*.*.*-$CI_COMMIT_SHORT_SHA.bin
     expire_in: 1 week
 
 # Build of Core into firmware with enabled _debug_ mode. In debug mode you can
@@ -43,12 +43,12 @@ core fw regular debug build:
   <<: *gitlab_caching
   needs: []
   script:
-    - nix-shell --run "PYOPT=0 poetry run make -C core build_firmware"
-    - cp core/build/firmware/firmware.bin trezor-fw-regular-debug-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
+    - $NIX_SHELL --run "PYOPT=0 poetry run make -C core build_firmware"
+    - cp core/build/firmware/firmware.bin firmware-T2T1-debug-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
-      - trezor-fw-regular-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
+      - firmware-T2T1-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
     expire_in: 1 week
 
 core fw regular production build:
@@ -60,17 +60,17 @@ core fw regular production build:
   variables:
     PRODUCTION: "1"
   script:
-    - nix-shell --run "poetry run make -C core build_boardloader"
-    - nix-shell --run "poetry run make -C core build_bootloader"
-    - nix-shell --run "poetry run make -C core build_bootloader_ci"
-    - nix-shell --run "poetry run make -C core build_prodtest"
-    - nix-shell --run "poetry run make -C core build_firmware"
-    - nix-shell --run "poetry run make -C core sizecheck"
-    - cp core/build/firmware/firmware.bin trezor-fw-regular-production-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
+    - $NIX_SHELL --run "poetry run make -C core build_boardloader"
+    - $NIX_SHELL --run "poetry run make -C core build_bootloader"
+    - $NIX_SHELL --run "poetry run make -C core build_bootloader_ci"
+    - $NIX_SHELL --run "poetry run make -C core build_prodtest"
+    - $NIX_SHELL --run "poetry run make -C core build_firmware"
+    - $NIX_SHELL --run "poetry run make -C core sizecheck"
+    - cp core/build/firmware/firmware.bin firmware-T2T1-production-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
-      - trezor-fw-regular-production-*.*.*-$CI_COMMIT_SHORT_SHA.bin
+      - firmware-T2T1-production-*.*.*-$CI_COMMIT_SHORT_SHA.bin
     expire_in: 1 week
 
 # Build of Core into firmware. Bitcoin-only version.
@@ -81,14 +81,14 @@ core fw btconly build:
   variables:
     BITCOIN_ONLY: "1"
   script:
-    - nix-shell --run "poetry run make -C core build_firmware"
+    - $NIX_SHELL --run "poetry run make -C core build_firmware"
     - mv core/build/firmware/firmware.bin core/build/firmware/firmware-bitcoinonly.bin
-    - nix-shell --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware-bitcoinonly.bin"
-    - cp core/build/firmware/firmware-bitcoinonly.bin trezor-fw-btconly-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
+    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware-bitcoinonly.bin"
+    - cp core/build/firmware/firmware-bitcoinonly.bin firmware-T2T1-btconly-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
-      - trezor-fw-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
+      - firmware-T2T1-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
     expire_in: 1 week
 
 core fw btconly debug build:
@@ -99,8 +99,8 @@ core fw btconly debug build:
     BITCOIN_ONLY: "1"
     PYOPT: "0"
   script:
-    - nix-shell --run "poetry run make -C core build_firmware"
-    - cp core/build/firmware/firmware.bin trezor-fw-btconly-debug-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
+    - $NIX_SHELL --run "poetry run make -C core build_firmware"
+    - cp core/build/firmware/firmware.bin firmware-T2T1-btconly-debug-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
   only:  # currently used only for HW tests and deploys
     - schedules  # nightly build
     - /^legacy\//
@@ -111,7 +111,7 @@ core fw btconly debug build:
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
-      - trezor-fw-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
+      - firmware-T2T1-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
     expire_in: 1 week
 
 core fw btconly production build:
@@ -124,29 +124,13 @@ core fw btconly production build:
     PRODUCTION: "1"
     BITCOIN_ONLY: "1"
   script:
-    - nix-shell --run "poetry run make -C core build_firmware"
-    - nix-shell --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware.bin"
-    - cp core/build/firmware/firmware.bin trezor-fw-btconly-production-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
+    - $NIX_SHELL --run "poetry run make -C core build_firmware"
+    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only core/build/firmware/firmware.bin"
+    - cp core/build/firmware/firmware.bin firmware-T2T1-btconly-production-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
-      - trezor-fw-btconly-production-*.*.*-$CI_COMMIT_SHORT_SHA.bin
-    expire_in: 1 week
-
-core fw btconly t1 build:
-  stage: build
-  <<: *gitlab_caching
-  needs: []
-  variables:
-    BITCOIN_ONLY: "1"
-    TREZOR_MODEL: "1"
-  script:
-    - nix-shell --run "poetry run make -C core build_firmware"
-    - cp core/build/firmware/firmware.bin trezor-fw-btconly-t1-$CORE_VERSION-$CI_COMMIT_SHORT_SHA.bin
-  artifacts:
-    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
-    paths:
-      - trezor-fw-btconly-t1-*.*.*-$CI_COMMIT_SHORT_SHA.bin
+      - firmware-T2T1-btconly-production-*.*.*-$CI_COMMIT_SHORT_SHA.bin
     expire_in: 1 week
 
 # Non-frozen emulator build. This means you still need Python files
@@ -156,7 +140,7 @@ core unix regular build:
   <<: *gitlab_caching
   needs: []
   script:
-    - nix-shell --run "poetry run make -C core build_unix"
+    - $NIX_SHELL --run "poetry run make -C core build_unix"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -172,7 +156,7 @@ core unix regular asan build:
   variables:
     ADDRESS_SANITIZER: "1"
   script:
-    - nix-shell --run "poetry run make -C core build_unix"
+    - $NIX_SHELL --run "poetry run make -C core build_unix"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -187,7 +171,7 @@ core unix frozen regular build:
   <<: *gitlab_caching
   needs: []
   script:
-    - nix-shell --run "poetry run make -C core build_unix_frozen"
+    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -207,7 +191,7 @@ core unix frozen btconly debug build:
     PYOPT: "0"
     BITCOIN_ONLY: "1"
   script:
-    - nix-shell --run "poetry run make -C core build_unix_frozen"
+    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
     - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-bitcoinonly
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -226,7 +210,7 @@ core unix frozen btconly debug asan build:
     BITCOIN_ONLY: "1"
     ADDRESS_SANITIZER: "1"
   script:
-    - nix-shell --run "poetry run make -C core build_unix_frozen"
+    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
     - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-bitcoinonly
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -245,7 +229,7 @@ core unix frozen debug build:
   variables:
     PYOPT: "0"
   script:
-    - nix-shell --run "poetry run make -C core build_unix_frozen"
+    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     untracked: true
@@ -261,7 +245,7 @@ core unix frozen debug asan build:
     PYOPT: "0"
     ADDRESS_SANITIZER: "1"
   script:
-    - nix-shell --run "poetry run make -C core build_unix_frozen"
+    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     untracked: true
@@ -280,7 +264,7 @@ core unix frozen debug build arm:
   variables:
     PYOPT: "0"
   script:
-    - nix-shell --run "poetry run make -C core build_unix_frozen"
+    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen"
     - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-arm
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -289,22 +273,6 @@ core unix frozen debug build arm:
   tags:
     - docker_darwin_arm
 
-core unix frozen btconly debug t1 build:
-  stage: build
-  <<: *gitlab_caching
-  needs: []
-  variables:
-    BITCOIN_ONLY: "1"
-    TREZOR_MODEL: "1"
-  script:
-    - nix-shell --run "poetry run make -C core build_unix_frozen"
-    - mv core/build/unix/trezor-emu-core core/build/unix/trezor-emu-core-bitcoinonly
-  artifacts:
-    name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
-    paths:
-      - core/build/unix  # most of it needed by test_rust
-    expire_in: 1 week
-
 core macos frozen regular build:
   stage: build
   <<: *gitlab_caching
@@ -313,7 +281,7 @@ core macos frozen regular build:
   tags:
     - darwin_arm
   script:
-    - nix-shell --option system x86_64-darwin --run "poetry run make -C core build_unix_frozen"
+    - $NIX_SHELL --option system x86_64-darwin --run "poetry run make -C core build_unix_frozen"
     - export NAME="trezor-emu-core.darwin"
     - cp -v core/build/unix/trezor-emu-core ./$NAME
     - chmod +x $NAME
@@ -343,8 +311,8 @@ crypto build:
       - crypto/**
   script:
     - cp -r crypto crypto_noasan
-    - nix-shell --run "poetry run make -C crypto"
-    - nix-shell --run "export ADDRESS_SANITIZER=0; poetry run make -C crypto_noasan"
+    - $NIX_SHELL --run "poetry run make -C crypto"
+    - $NIX_SHELL --run "export ADDRESS_SANITIZER=0; poetry run make -C crypto_noasan"
     - mv crypto_noasan/tests/test_check crypto/tests/test_check_noasan
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -364,15 +332,15 @@ legacy fw regular build:
   <<: *gitlab_caching
   needs: []
   script:
-    - nix-shell --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
-    - nix-shell --run "poetry run legacy/script/setup"
-    - nix-shell --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
-    - nix-shell --run "poetry run make -C legacy/demo"
-    - mv legacy/firmware/trezor.bin trezor-fw-regular-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
+    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run legacy/script/setup"
+    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run make -C legacy/demo"
+    - mv legacy/firmware/trezor.bin firmware-T1B1-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
-      - trezor-fw-regular-*.*.*-$CI_COMMIT_SHORT_SHA.bin
+      - firmware-T1B1-*.*.*-$CI_COMMIT_SHORT_SHA.bin
     expire_in: 1 week
 
 legacy fw regular debug build:
@@ -382,14 +350,14 @@ legacy fw regular debug build:
   variables:
     DEBUG_LINK: "1"
   script:
-    - nix-shell --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
-    - nix-shell --run "poetry run legacy/script/setup"
-    - nix-shell --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
-    - mv legacy/firmware/trezor.bin trezor-fw-regular-debug-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
+    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run legacy/script/setup"
+    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
+    - mv legacy/firmware/trezor.bin firmware-T1B1-debug-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
-      - trezor-fw-regular-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
+      - firmware-T1B1-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
     expire_in: 1 week
 
 legacy fw btconly build:
@@ -399,16 +367,16 @@ legacy fw btconly build:
   variables:
     BITCOIN_ONLY: "1"
   script:
-    - nix-shell --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
-    - nix-shell --run "poetry run legacy/script/setup"
-    - nix-shell --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run legacy/script/setup"
+    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
     - mv legacy/firmware/trezor.bin legacy/firmware/trezor-bitcoinonly.bin
-    - nix-shell --run "poetry run ./tools/check-bitcoin-only legacy/firmware/trezor-bitcoinonly.bin"
-    - mv legacy/firmware/trezor-bitcoinonly.bin trezor-fw-btconly-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
+    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only legacy/firmware/trezor-bitcoinonly.bin"
+    - mv legacy/firmware/trezor-bitcoinonly.bin firmware-T1B1-btconly-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
-      - trezor-fw-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
+      - firmware-T1B1-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
     expire_in: 1 week
 
 legacy fw btconly debug build:
@@ -419,15 +387,15 @@ legacy fw btconly debug build:
     BITCOIN_ONLY: "1"
     DEBUG_LINK: "1"
   script:
-    - nix-shell --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
-    - nix-shell --run "poetry run legacy/script/setup"
-    - nix-shell --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
-    - nix-shell --run "poetry run ./tools/check-bitcoin-only legacy/firmware/trezor.bin"
-    - mv legacy/firmware/trezor.bin trezor-fw-btconly-debug-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
+    - $NIX_SHELL --run "export PRODUCTION=1 && poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run legacy/script/setup"
+    - $NIX_SHELL --run "export PRODUCTION=0 && poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run ./tools/check-bitcoin-only legacy/firmware/trezor.bin"
+    - mv legacy/firmware/trezor.bin firmware-T1B1-btconly-debug-$LEGACY_VERSION-$CI_COMMIT_SHORT_SHA.bin
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
-      - trezor-fw-btconly-*.*.*-$CI_COMMIT_SHORT_SHA.bin
+      - firmware-T1B1-btconly-debug-*.*.*-$CI_COMMIT_SHORT_SHA.bin
     expire_in: 1 week
 
 # Regular version (not only Bitcoin) of above.
@@ -440,7 +408,7 @@ legacy emu regular debug build:
     DEBUG_LINK: "1"
     EMULATOR: "1"
   script:
-    - nix-shell --run "poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -458,7 +426,7 @@ legacy emu regular debug asan build:
     EMULATOR: "1"
     ADDRESS_SANITIZER: "1"
   script:
-    - nix-shell --run "poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -479,7 +447,7 @@ legacy emu regular debug build arm:
     DEBUG_LINK: "1"
     EMULATOR: "1"
   script:
-    - nix-shell --run "poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
     - mv legacy/firmware/trezor.elf  legacy/firmware/trezor-arm.elf
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -500,7 +468,7 @@ legacy emu btconly debug build:
     DEBUG_LINK: "1"
     EMULATOR: "1"
   script:
-    - nix-shell --run "poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
     - mv legacy/firmware/trezor.elf legacy/firmware/trezor-bitcoinonly.elf
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -520,7 +488,7 @@ legacy emu btconly debug asan build:
     EMULATOR: "1"
     ADDRESS_SANITIZER: "1"
   script:
-    - nix-shell --run "poetry run legacy/script/cibuild"
+    - $NIX_SHELL --run "poetry run legacy/script/cibuild"
     - mv legacy/firmware/trezor.elf legacy/firmware/trezor-bitcoinonly.elf
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"

ci/deploy.yml

@@ -12,7 +12,7 @@ release core fw regular deploy:
     - core fw regular build
   script:
     - export VERSION=$(./tools/version.sh core/embed/firmware/version.h)
-    - export NAME="trezor-fw-regular-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
+    - export NAME="firmware-T2T1-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
     - echo "Deploying to ${DEPLOY_DIRECTORY}/$NAME"
     - mkdir -p "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}"
     - rsync --delete -va $NAME "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}/$NAME"
@@ -33,7 +33,7 @@ release core fw btconly deploy:
     - core fw btconly build
   script:
     - export VERSION=$(./tools/version.sh core/embed/firmware/version.h)
-    - export NAME="trezor-fw-btconly-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
+    - export NAME="firmware-T2T1-btconly-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
     - echo "Deploying to ${DEPLOY_DIRECTORY}/$NAME"
     - mkdir -p "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}"
     - rsync --delete -va $NAME "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}/$NAME"
@@ -54,7 +54,7 @@ release core fw regular debug deploy:
     - core fw regular debug build
   script:
     - export VERSION=$(./tools/version.sh core/embed/firmware/version.h)
-    - export NAME="trezor-fw-regular-debug-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
+    - export NAME="firmware-T2T1-debug-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
     - echo "Deploying to ${DEPLOY_DIRECTORY}/$NAME"
     - mkdir -p "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}"
     - rsync --delete -va $NAME "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}/$NAME"
@@ -75,7 +75,7 @@ release core fw btconly debug deploy:
     - core fw btconly debug build
   script:
     - export VERSION=$(./tools/version.sh core/embed/firmware/version.h)
-    - export NAME="trezor-fw-btconly-debug-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
+    - export NAME="firmware-T2T1-btconly-debug-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
     - echo "Deploying to ${DEPLOY_DIRECTORY}/$NAME"
     - mkdir -p "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}"
     - rsync --delete -va $NAME "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}/$NAME"
@@ -98,7 +98,7 @@ release legacy fw regular deploy:
     - legacy fw regular build
   script:
     - export VERSION=$(./tools/version.sh legacy/firmware/version.h)
-    - export NAME="trezor-fw-regular-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
+    - export NAME="firmware-T1B1-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
     - echo "Deploying to ${DEPLOY_DIRECTORY}/$NAME"
     - mkdir -p "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}"
     - rsync --delete -va $NAME "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}/$NAME"
@@ -119,7 +119,7 @@ release legacy fw btconly deploy:
     - legacy fw btconly build
   script:
     - export VERSION=$(./tools/version.sh legacy/firmware/version.h)
-    - export NAME="trezor-fw-btconly-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
+    - export NAME="firmware-T1B1-btconly-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
     - echo "Deploying to ${DEPLOY_DIRECTORY}/$NAME"
     - mkdir -p "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}"
     - rsync --delete -va $NAME "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}/$NAME"
@@ -140,7 +140,7 @@ release legacy fw regular debug deploy:
     - legacy fw regular debug build
   script:
     - export VERSION=$(./tools/version.sh legacy/firmware/version.h)
-    - export NAME="trezor-fw-regular-debug-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
+    - export NAME="firmware-T1B1-debug-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
     - echo "Deploying to ${DEPLOY_DIRECTORY}/$NAME"
     - mkdir -p "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}"
     - rsync --delete -va $NAME "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}/$NAME"
@@ -161,7 +161,7 @@ release legacy fw btconly debug deploy:
     - legacy fw btconly debug build
   script:
     - export VERSION=$(./tools/version.sh legacy/firmware/version.h)
-    - export NAME="trezor-fw-btconly-debug-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
+    - export NAME="firmware-T1B1-btconly-debug-$VERSION-$CI_COMMIT_SHORT_SHA.bin"
     - echo "Deploying to ${DEPLOY_DIRECTORY}/$NAME"
     - mkdir -p "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}"
     - rsync --delete -va $NAME "${DEPLOY_BASE_DIR}/${DEPLOY_DIRECTORY}/$NAME"
@@ -188,8 +188,8 @@ release core unix debug deploy:
     - DEST="$DEPLOY_PATH/trezor-emu-core-v$VERSION"
     - DEST_ARM="$DEPLOY_PATH/arm/trezor-emu-core-v$VERSION-arm"
     - echo "Deploying to $DEST and $DEST_ARM"
-    - nix-shell -p patchelf --run "patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 core/build/unix/trezor-emu-core"
-    - nix-shell -p patchelf --run "patchelf --set-interpreter /lib/ld-linux-aarch64.so.1 core/build/unix/trezor-emu-core-arm"
+    - $NIX_SHELL -p patchelf --run "patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 core/build/unix/trezor-emu-core"
+    - $NIX_SHELL -p patchelf --run "patchelf --set-interpreter /lib/ld-linux-aarch64.so.1 core/build/unix/trezor-emu-core-arm"
     - rsync --delete -va core/build/unix/trezor-emu-core "$DEST"
     - rsync --delete -va core/build/unix/trezor-emu-core-arm "$DEST_ARM"
   only:
@@ -213,8 +213,8 @@ release legacy unix debug deploy:
     - DEST="$DEPLOY_PATH/trezor-emu-legacy-v$VERSION"
     - DEST_ARM="$DEPLOY_PATH/arm/trezor-emu-legacy-v$VERSION-arm"
     - echo "Deploying to $DEST and $DEST_ARM"
-    - nix-shell -p patchelf --run "patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 legacy/firmware/trezor.elf"
-    - nix-shell -p patchelf --run "patchelf --set-interpreter /lib/ld-linux-aarch64.so.1 legacy/firmware/trezor-arm.elf"
+    - $NIX_SHELL -p patchelf --run "patchelf --set-interpreter /lib64/ld-linux-x86-64.so.2 legacy/firmware/trezor.elf"
+    - $NIX_SHELL -p patchelf --run "patchelf --set-interpreter /lib/ld-linux-aarch64.so.1 legacy/firmware/trezor-arm.elf"
     - rsync --delete -va legacy/firmware/trezor.elf "$DEST"
     - rsync --delete -va legacy/firmware/trezor-arm.elf "$DEST_ARM"
   only:
@@ -234,6 +234,7 @@ ui tests fixtures deploy:
     GIT_SUBMODULE_STRATEGY: "none"
   before_script: []  # no poetry
   needs:
+    - core click test
     - core device test
     - legacy device test
   script:

ci/hardware_tests/t1_hw_test.sh

@@ -17,5 +17,5 @@ set +a
 ./record_video.sh ${T1_CAMERA} ${CI_COMMIT_SHORT_SHA} start
 (cd ../.. && poetry install)
 poetry run python bootstrap.py t1
-poetry run python bootstrap.py t1 ../../trezor-*.bin
+poetry run python bootstrap.py t1 ../../firmware-T1*.bin
 poetry run pytest ../../tests/device_tests

ci/posttest.yml

@@ -13,12 +13,13 @@ core unix coverage posttest:
     COVERAGE_THRESHOLD: "78"
   <<: *gitlab_caching
   needs:
+    - core click test
     - core device test
     - core monero test
     - core u2f test
     - core fido2 test
   script:
-    - nix-shell --run "poetry run make -C core coverage"
+    - $NIX_SHELL --run "poetry run make -C core coverage"
   coverage: '/COVERAGE: \d+%/'
   artifacts:
     name: core-unix-coverage-posttest
@@ -34,11 +35,12 @@ unix ui changes:
     - master
   <<: *gitlab_caching
   needs:
+    - core click test
     - core device test
     - legacy device test
   script:
-    - nix-shell --run "cd tests/ui_tests ; poetry run python reporting/report_master_diff.py TT_ T1_"
-    - mv tests/ui_tests/reporting/reports/master_diff/ .
+    - $NIX_SHELL --run "poetry run python -m tests.ui_tests.reporting master-diff"
+    - mv tests/ui_tests/reports/master_diff .
   artifacts:
     name: core-unix-ui-changes
     paths:

ci/prebuild.yml

@@ -19,35 +19,28 @@ style prebuild:
     GIT_SUBMODULE_STRATEGY: "none"
   <<: *gitlab_caching
   script:
-    - nix-shell --run "poetry run make -j1 style_check"
+    - $NIX_SHELL --run "poetry run make -j1 style_check"
 
 # Check validity of coin definitions and protobuf files.
 common prebuild:
   stage: prebuild
   <<: *gitlab_caching
   script:
-    - nix-shell --run "poetry run make defs_check"
+    - $NIX_SHELL --run "poetry run make defs_check"
 
 # Check validity of auto-generated files.
 gen prebuild:
   stage: prebuild
   <<: *gitlab_caching
   script:
-    - nix-shell --run "poetry run make -j1 gen_check"
+    - $NIX_SHELL --run "poetry run make -j1 gen_check"
 
 # Checking format of .editorconfig files.
 editor prebuild:
   stage: prebuild
   <<: *gitlab_caching
   script:
-    - nix-shell --run "make editor_check"
-
-# All .yml/.yaml files are checked for syntax validity and other correctness.
-yaml prebuild:
-  stage: prebuild
-  <<: *gitlab_caching
-  script:
-    - nix-shell --run "poetry run make yaml_check"
+    - $NIX_SHELL --run "make editor_check"
 
 # Checking the format of release commit messages.
 release commit messages prebuild:
@@ -63,7 +56,7 @@ release commit messages prebuild:
       # We want this to run on gitlab.com/satoshilabs/trezor/trezor-firmware only.
       - $CI_PROJECT_PATH_SLUG == 'satoshilabs-trezor-trezor-firmware'
   script:
-    - nix-shell --run "ci/check_release_commit_messages.sh"
+    - $NIX_SHELL --run "ci/check_release_commit_messages.sh"
 
 # Verifying that all commits changing some functionality have a changelog entry
 # or contain `[no changelog]` in the commit message.
@@ -76,4 +69,4 @@ changelog prebuild:
     GIT_SUBMODULE_STRATEGY: "none"
     GIT_STRATEGY: clone
   script:
-    - nix-shell --run "ci/check_changelog.sh"
+    - $NIX_SHELL --run "ci/check_changelog.sh"

ci/prepare_ui_artifacts.py

@@ -5,24 +5,24 @@ from pathlib import Path
 ROOT = Path(__file__).resolve().parent.parent
 sys.path.insert(0, str(ROOT))
 # Needed for setup purposes, filling the FILE_HASHES dict
-from tests.ui_tests import read_fixtures  # isort:skip
+from tests.ui_tests.common import TestResult, _hash_files, get_fixtures  # isort:skip
 
-read_fixtures()
-from tests.ui_tests import _hash_files, FILE_HASHES, SCREENS_DIR  # isort:skip
 
-# As in CI we are running T1 and TT tests separately, there will
-# always be the other model missing.
-# Therefore, choosing just the cases for our model.
-if len(sys.argv) > 1 and sys.argv[1].upper() == "T1":
-    model = "T1"
-else:
-    model = "TT"
-model_file_hashes = {k: v for k, v in FILE_HASHES.items() if k.startswith(f"{model}_")}
+FIXTURES = get_fixtures()
 
-for test_case, expected_hash in model_file_hashes.items():
-    recorded_dir = SCREENS_DIR / test_case / "recorded"
-    actual_hash = _hash_files(recorded_dir)
+for result in TestResult.recent_results():
+    if not result.passed or result.expected_hash != result.actual_hash:
+        print("WARNING: skipping failed test", result.test.id)
+        continue
+
+    actual_hash = _hash_files(result.test.actual_dir)
+    expected_hash = (
+        FIXTURES.get(result.test.model, {})
+        .get(result.test.group, {})
+        .get(result.test.fixtures_name)
+    )
+    assert result.expected_hash == actual_hash
     assert expected_hash == actual_hash
     shutil.make_archive(
-        str(ROOT / "ci/ui_test_records" / actual_hash), "zip", recorded_dir
+        str(ROOT / "ci/ui_test_records" / actual_hash), "zip", result.test.actual_dir
     )

ci/test-hw.yml

@@ -41,9 +41,9 @@ hardware core regular device test:
     - set -a
     - source hardware.cfg
     - set +a
-    - nix-shell --run "cd ../.. && poetry install"
-    - nix-shell --run "poetry run python bootstrap.py tt ../../trezor-*.bin | ts -s"
-    - nix-shell --run "poetry run pytest ../../tests/device_tests | ts -s"
+    - $NIX_SHELL --run "cd ../.. && poetry install"
+    - $NIX_SHELL --run "poetry run python bootstrap.py tt ../../firmware-T2*.bin | ts -s"
+    - $NIX_SHELL --run "poetry run pytest ../../tests/device_tests | ts -s"
   timeout: 6h
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -71,9 +71,9 @@ hardware core btconly device test:
     - set -a
     - source hardware.cfg
     - set +a
-    - nix-shell --run "cd ../.. && poetry install"
-    - nix-shell --run "poetry run python bootstrap.py tt ../../trezor-*.bin | ts -s"
-    - nix-shell --run "poetry run pytest ../../tests/device_tests | ts -s"
+    - $NIX_SHELL --run "cd ../.. && poetry install"
+    - $NIX_SHELL --run "poetry run python bootstrap.py tt ../../firmware-T2*.bin | ts -s"
+    - $NIX_SHELL --run "poetry run pytest ../../tests/device_tests | ts -s"
   timeout: 4h
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -98,9 +98,9 @@ hardware core monero test:
     - set -a
     - source hardware.cfg
     - set +a
-    - nix-shell --run "cd ../.. && poetry install"
-    - nix-shell --run "poetry run python bootstrap.py tt ../../trezor-*.bin | ts -s"
-    - nix-shell --arg fullDeps true --run "cd ../../core/tests && ./run_tests_device_emu_monero.sh $TESTOPTS | ts -s"
+    - $NIX_SHELL --run "cd ../.. && poetry install"
+    - $NIX_SHELL --run "poetry run python bootstrap.py tt ../../firmware-T2*.bin | ts -s"
+    - $NIX_SHELL --arg fullDeps true --run "cd ../../core/tests && ./run_tests_device_emu_monero.sh $TESTOPTS | ts -s"
   timeout: 1h
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -124,7 +124,7 @@ hardware legacy regular device test:
     - legacy fw regular debug build
   script:
     - cd ci/hardware_tests
-    - nix-shell --run "./t1_hw_test.sh | ts -s"
+    - $NIX_SHELL --run "./t1_hw_test.sh | ts -s"
   timeout: 1h10m
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -150,7 +150,7 @@ hardware legacy btconly device test:
     - legacy fw btconly debug build
   script:
     - cd ci/hardware_tests
-    - nix-shell --run "./t1_hw_test.sh | ts -s"
+    - $NIX_SHELL --run "./t1_hw_test.sh | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:

ci/test.yml

@@ -18,7 +18,7 @@ core unit python test:
   needs:
     - core unix regular build
   script:
-    - nix-shell --run "poetry run make -C core test | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test | ts -s"
 
 # Rust unit tests.
 core unit rust test:
@@ -27,8 +27,8 @@ core unit rust test:
   needs:
     - core unix frozen debug build
   script:
-    - nix-shell --run "poetry run make -C core clippy | ts -s"
-    - nix-shell --run "poetry run make -C core test_rust | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core clippy | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_rust | ts -s"
 
 core unit asan test:
   stage: test
@@ -43,20 +43,9 @@ core unit asan test:
     ADDRESS_SANITIZER: "1"
     LSAN_OPTIONS: "suppressions=../../asan_suppressions.txt"
   script:
-    - nix-shell --run "poetry run make -C core test | ts -s"
-    - nix-shell --run "poetry run make -C core clean build_unix | ts -s"
-    - nix-shell --run "poetry run make -C core test_rust | ts -s"
-
-core unit t1 test:
-  stage: test
-  <<: *gitlab_caching
-  needs:
-    - core unix frozen btconly debug t1 build
-  variables:
-    BITCOIN_ONLY: "1"
-    TREZOR_MODEL: "1"
-  script:
-    - nix-shell --run "poetry run make -C core test_rust | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core clean build_unix | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_rust | ts -s"
 
 # Device tests for Core. Running device tests and also comparing screens
 # with the expected UI result.
@@ -70,12 +59,12 @@ core device test:
   variables:
     TREZOR_PROFILING: 1
   script:
-    - nix-shell --run "poetry run make -C core test_emu_ui | ts -s"
-    - mv core/src/.coverage core/.coverage.test_emu
+    - $NIX_SHELL --run "poetry run make -C core test_emu_ui | ts -s"
   after_script:
-    - mv tests/ui_tests/reporting/reports/test/ test_ui_report
-    - nix-shell --run "poetry run python ci/prepare_ui_artifacts.py TT | ts -s"
-    - diff tests/ui_tests/fixtures.json tests/ui_tests/fixtures.suggestion.json
+    - mv core/src/.coverage core/.coverage.test_emu
+    - mv tests/ui_tests/reports/test/ test_ui_report
+    - $NIX_SHELL --run "poetry run python ci/prepare_ui_artifacts.py | ts -s"
+    - diff -u tests/ui_tests/fixtures.json tests/ui_tests/fixtures.suggestion.json
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -101,7 +90,7 @@ core device asan test:
   variables:
     PYTEST_TIMEOUT: "600"
   script:
-    - nix-shell --run "poetry run make -C core test_emu | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_emu | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -119,7 +108,7 @@ core btconly device test:
     MICROPYTHON: "build/unix/trezor-emu-core-bitcoinonly"
     TREZOR_PYTEST_SKIP_ALTCOINS: 1
   script:
-    - nix-shell --run "poetry run make -C core test_emu | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_emu | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -142,7 +131,7 @@ core btconly device asan test:
     TREZOR_PYTEST_SKIP_ALTCOINS: 1
     PYTEST_TIMEOUT: "600"
   script:
-    - nix-shell --run "poetry run make -C core test_emu | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_emu | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -159,7 +148,7 @@ core monero test:
   variables:
     TREZOR_PROFILING: 1
   script:
-    - nix-shell --arg fullDeps true --run "poetry run make -C core test_emu_monero | ts -s"
+    - $NIX_SHELL --arg fullDeps true --run "poetry run make -C core test_emu_monero | ts -s"
     - mv core/src/.coverage core/.coverage.test_emu_monero
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -180,7 +169,7 @@ core monero asan test:
   variables:
     TREZOR_PROFILING: 1
   script:
-    - nix-shell --arg fullDeps true --run "poetry run make -C core test_emu_monero | ts -s"
+    - $NIX_SHELL --arg fullDeps true --run "poetry run make -C core test_emu_monero | ts -s"
     - mv core/src/.coverage core/.coverage.test_emu_monero
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -200,8 +189,8 @@ core u2f test:
   variables:
     TREZOR_PROFILING: 1
   script:
-    - nix-shell --run "poetry run make -C tests/fido_tests/u2f-tests-hid | ts -s"
-    - nix-shell --run "poetry run make -C core test_emu_u2f | ts -s"
+    - $NIX_SHELL --run "poetry run make -C tests/fido_tests/u2f-tests-hid | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_emu_u2f | ts -s"
     - mv core/src/.coverage core/.coverage.test_emu_u2f
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -219,8 +208,8 @@ core u2f asan test:
   only:
     - schedules  # nightly build
   script:
-    - nix-shell --run "poetry run make -C tests/fido_tests/u2f-tests-hid | ts -s"
-    - nix-shell --run "poetry run make -C core test_emu_u2f | ts -s"
+    - $NIX_SHELL --run "poetry run make -C tests/fido_tests/u2f-tests-hid | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_emu_u2f | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -238,7 +227,7 @@ core fido2 test:
     TREZOR_PROFILING: 1
   script:
     - pgrep trezor-emu-core || true
-    - nix-shell --run "poetry run make -C core test_emu_fido2 | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_emu_fido2 | ts -s"
     - pgrep trezor-emu-core || true
     - mv core/src/.coverage core/.coverage.test_emu_fido2
   artifacts:
@@ -261,7 +250,7 @@ core fido2 asan test:
     - schedules  # nightly build
   script:
     - pgrep trezor-emu-core || true
-    - nix-shell --run "poetry run make -C core test_emu_fido2 | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_emu_fido2 | ts -s"
     - pgrep trezor-emu-core || true
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
@@ -277,11 +266,22 @@ core click test:
   <<: *gitlab_caching
   needs:
     - core unix frozen debug build
+  variables:
+    TREZOR_PROFILING: 1
   script:
-    - nix-shell --run "poetry run make -C core test_emu_click | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_emu_click_ui | ts -s"
+  after_script:
+    - mv core/src/.coverage core/.coverage.test_click
+    - mv tests/ui_tests/reports/test/ test_ui_report
+    - $NIX_SHELL --run "poetry run python ci/prepare_ui_artifacts.py | ts -s"
+    - diff -u tests/ui_tests/fixtures.json tests/ui_tests/fixtures.suggestion.json
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
+      - ci/ui_test_records/
+      - test_ui_report
+      - tests/ui_tests/screens/
+      - tests/ui_tests/fixtures.suggestion.json
       - tests/trezor.log
       - tests/junit.xml
     reports:
@@ -297,7 +297,7 @@ core click asan test:
   only:
     - schedules  # nightly build
   script:
-    - nix-shell --run "poetry run make -C core test_emu_click | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_emu_click | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -318,8 +318,8 @@ core upgrade test:
   variables:
     TREZOR_UPGRADE_TEST: "core"
   script:
-    - nix-shell --run "tests/download_emulators.sh"
-    - nix-shell --run "poetry run pytest --junitxml=tests/junit.xml tests/upgrade_tests | ts -s"
+    - $NIX_SHELL --run "tests/download_emulators.sh"
+    - $NIX_SHELL --run "poetry run pytest --junitxml=tests/junit.xml tests/upgrade_tests | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -339,8 +339,8 @@ core upgrade asan test:
   variables:
     TREZOR_UPGRADE_TEST: "core"
   script:
-    - nix-shell --run "tests/download_emulators.sh"
-    - nix-shell --run "poetry run pytest --junitxml=tests/junit.xml tests/upgrade_tests | ts -s"
+    - $NIX_SHELL --run "tests/download_emulators.sh"
+    - $NIX_SHELL --run "poetry run pytest --junitxml=tests/junit.xml tests/upgrade_tests | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -357,7 +357,7 @@ core persistence test:
   needs:
     - core unix frozen debug build
   script:
-    - nix-shell --run "poetry run pytest --junitxml=tests/junit.xml tests/persistence_tests | ts -s"
+    - $NIX_SHELL --run "poetry run pytest --junitxml=tests/junit.xml tests/persistence_tests | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -375,7 +375,7 @@ core persistence asan test:
   only:
     - schedules  # nightly build
   script:
-    - nix-shell --run "poetry run pytest --junitxml=tests/junit.xml tests/persistence_tests | ts -s"
+    - $NIX_SHELL --run "poetry run pytest --junitxml=tests/junit.xml tests/persistence_tests | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -392,8 +392,8 @@ core hwi test:
     - core unix frozen debug build
   allow_failure: true
   script:
-    - nix-shell --run "git clone https://github.com/bitcoin-core/HWI.git"
-    - nix-shell --arg fullDeps true --run "cd HWI && poetry install && poetry run ./test/test_trezor.py --model_t ../core/build/unix/trezor-emu-core bitcoind"
+    - $NIX_SHELL --run "git clone https://github.com/bitcoin-core/HWI.git"
+    - $NIX_SHELL --arg fullDeps true --run "cd HWI && poetry install && poetry run ./test/test_trezor.py --model_t ../core/build/unix/trezor-emu-core bitcoind"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -420,8 +420,8 @@ crypto test:
     - ./crypto/tests/aestst
     - ./crypto/tests/test_check
     - ./crypto/tests/test_openssl 1000
-    - nix-shell --run "cd crypto && ITERS=10 poetry run pytest --junitxml=tests/junit.xml tests | ts -s"
-    - nix-shell --run "CK_TIMEOUT_MULTIPLIER=20 valgrind -q --error-exitcode=1 ./crypto/tests/test_check_noasan | ts -s"
+    - $NIX_SHELL --run "cd crypto && ITERS=10 poetry run pytest --junitxml=tests/junit.xml tests | ts -s"
+    - $NIX_SHELL --run "CK_TIMEOUT_MULTIPLIER=20 valgrind -q --error-exitcode=1 ./crypto/tests/test_check_noasan | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -442,11 +442,11 @@ legacy device test:
   variables:
     EMULATOR: "1"
   script:
-    - nix-shell --run "poetry run make -C legacy test_emu_ui | ts -s"
+    - $NIX_SHELL --run "poetry run make -C legacy test_emu_ui | ts -s"
   after_script:
-    - mv tests/ui_tests/reporting/reports/test/ test_ui_report
-    - nix-shell --run "poetry run python ci/prepare_ui_artifacts.py T1 | ts -s"
-    - diff tests/ui_tests/fixtures.json tests/ui_tests/fixtures.suggestion.json
+    - mv tests/ui_tests/reports/test/ test_ui_report
+    - $NIX_SHELL --run "poetry run python ci/prepare_ui_artifacts.py | ts -s"
+    - diff -u tests/ui_tests/fixtures.json tests/ui_tests/fixtures.suggestion.json
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -471,7 +471,7 @@ legacy asan test:
   variables:
     EMULATOR: "1"
   script:
-    - nix-shell --run "poetry run make -C legacy test_emu | ts -s"
+    - $NIX_SHELL --run "poetry run make -C legacy test_emu | ts -s"
 
 legacy btconly test:
   stage: test
@@ -483,7 +483,7 @@ legacy btconly test:
     EMULATOR_BINARY: "firmware/trezor-bitcoinonly.elf"
     TREZOR_PYTEST_SKIP_ALTCOINS: 1
   script:
-    - nix-shell --run "poetry run make -C legacy test_emu | ts -s"
+    - $NIX_SHELL --run "poetry run make -C legacy test_emu | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -505,7 +505,7 @@ legacy btconly asan test:
     EMULATOR_BINARY: "firmware/trezor-bitcoinonly.elf"
     TREZOR_PYTEST_SKIP_ALTCOINS: 1
   script:
-    - nix-shell --run "poetry run make -C legacy test_emu | ts -s"
+    - $NIX_SHELL --run "poetry run make -C legacy test_emu | ts -s"
 
 
 legacy upgrade test:
@@ -516,8 +516,8 @@ legacy upgrade test:
   variables:
     TREZOR_UPGRADE_TEST: "legacy"
   script:
-    - nix-shell --run "tests/download_emulators.sh"
-    - nix-shell --run "poetry run pytest --junitxml=tests/junit.xml tests/upgrade_tests | ts -s"
+    - $NIX_SHELL --run "tests/download_emulators.sh"
+    - $NIX_SHELL --run "poetry run pytest --junitxml=tests/junit.xml tests/upgrade_tests | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -537,8 +537,8 @@ legacy upgrade asan test:
   variables:
     TREZOR_UPGRADE_TEST: "legacy"
   script:
-    - nix-shell --run "tests/download_emulators.sh"
-    - nix-shell --run "poetry run pytest --junitxml=tests/junit.xml tests/upgrade_tests | ts -s"
+    - $NIX_SHELL --run "tests/download_emulators.sh"
+    - $NIX_SHELL --run "poetry run pytest --junitxml=tests/junit.xml tests/upgrade_tests | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -557,8 +557,8 @@ legacy hwi test:
     EMULATOR: "1"
   allow_failure: true
   script:
-    - nix-shell --run "git clone https://github.com/bitcoin-core/HWI.git"
-    - nix-shell --arg fullDeps true --run "cd HWI && poetry install && poetry run ./test/test_trezor.py --model_1 ../legacy/firmware/trezor.elf bitcoind"
+    - $NIX_SHELL --run "git clone https://github.com/bitcoin-core/HWI.git"
+    - $NIX_SHELL --arg fullDeps true --run "cd HWI && poetry install && poetry run ./test/test_trezor.py --model_1 ../legacy/firmware/trezor.elf bitcoind"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -584,14 +584,14 @@ python test:
     # See also:
     # https://github.com/NixOS/nixpkgs/blob/b00c7c2d1d905eb63c81a0917f1a94b763a7843b/pkgs/development/interpreters/python/cpython/default.nix#L103
     # https://github.com/NixOS/nixpkgs/pull/98915
-    - nix-shell --arg fullDeps true --run "unset _PYTHON_SYSCONFIGDATA_NAME && cd python && poetry run tox | ts -s"
+    - $NIX_SHELL --arg fullDeps true --run "unset _PYTHON_SYSCONFIGDATA_NAME && cd python && poetry run tox | ts -s"
 
 python support test:
   stage: test
   <<: *gitlab_caching
   needs: []
   script:
-    - nix-shell --run "poetry run make python_support_check | ts -s"
+    - $NIX_SHELL --run "poetry run make python_support_check | ts -s"
 
 
 # Storage
@@ -607,8 +607,8 @@ storage test:
   needs: []
   script:
     - unset PYTEST_TIMEOUT
-    - nix-shell --run "poetry run make -C storage/tests build | ts -s"
-    - nix-shell --run "poetry run make -C storage/tests tests_all | ts -s"
+    - $NIX_SHELL --run "poetry run make -C storage/tests build | ts -s"
+    - $NIX_SHELL --run "poetry run make -C storage/tests tests_all | ts -s"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -630,10 +630,10 @@ core unix memory profiler:
     TREZOR_MEMPERF: "1"
     PYTEST_TIMEOUT: "900"
   script:
-    - nix-shell --run "poetry run make -C core build_unix_frozen | ts -s"
-    - nix-shell --run "poetry run make -C core test_emu | ts -s"
-    - nix-shell --run "mkdir core/prof/memperf-html"
-    - nix-shell --run "poetry run core/tools/alloc.py --alloc-data=core/src/alloc_data.txt html core/prof/memperf-html"
+    - $NIX_SHELL --run "poetry run make -C core build_unix_frozen | ts -s"
+    - $NIX_SHELL --run "poetry run make -C core test_emu | ts -s"
+    - $NIX_SHELL --run "mkdir core/prof/memperf-html"
+    - $NIX_SHELL --run "poetry run core/tools/alloc.py --alloc-data=core/src/alloc_data.txt html core/prof/memperf-html"
   artifacts:
     name: "$CI_JOB_NAME-$CI_COMMIT_SHORT_SHA"
     paths:
@@ -647,6 +647,7 @@ core unix memory profiler:
 connect test core:
   image: ghcr.io/trezor/trezor-user-env
   stage: test
+  when: manual
   tags:
     - runner-internal
   needs:
@@ -656,10 +657,10 @@ connect test core:
   before_script:
     - cp /builds/satoshilabs/trezor/trezor-firmware/core/build/unix/trezor-emu-core /trezor-user-env/src/binaries/firmware/bin/trezor-emu-core-v2.99.99
     - chmod +x /trezor-user-env/src/binaries/firmware/bin/trezor-emu-core-v2.99.99
-    - nix-shell --run "autoPatchelf /trezor-user-env/src/binaries/firmware/bin/trezor-emu-core-v2.99.99"
+    - $NIX_SHELL --run "autoPatchelf /trezor-user-env/src/binaries/firmware/bin/trezor-emu-core-v2.99.99"
   script:
     - /trezor-user-env/run-nix.sh &
-    - nix-shell --run "tests/connect_tests/connect_tests.sh 2.99.99"
+    - $NIX_SHELL --run "tests/connect_tests/connect_tests.sh 2.99.99"
   after_script:
     - cp /trezor-user-env/logs/debugging.log trezor-user-env-debugging.log
     - cp /trezor-user-env/logs/emulator_bridge.log tenv-emulator-bridge-debugging.log

common/defs/blockchain_link.json

@@ -143,7 +143,7 @@
   "bitcoin:SYS": {
     "type": "blockbook",
     "url": [
-      "https://sys1.bcfn.ca"
+      "https://blockbook.elint.services"
     ]
   },
   "bitcoin:TEST": {
@@ -267,7 +267,7 @@
   "misc:tADA": {
     "type": "blockfrost",
     "url": [
-      "wss://trezor-cardano-testnet.blockfrost.io"
+      "wss://trezor-cardano-preview.blockfrost.io"
     ]
   }
 }

common/defs/ethereum/chains

@@ -1 +1 @@
-Subproject commit 4ba4ca129c4d8b1b01179bfa50ad74c2a5b51b72
+Subproject commit 805ae42ecc53aa6493949b1e9c1da41e036c1845

common/defs/ethereum/tokens

@@ -1 +1 @@
-Subproject commit 6a7ec4967b797f90e024296ef27c58480bf1b8ca
+Subproject commit 0eeaf9b9f13b5e6538da26d079e2b968dc8bb23f

common/defs/fido/apple.json

@@ -0,0 +1,5 @@
+{
+  "name": "Apple",
+  "webauthn": ["apple.com"],
+  "use_self_attestation": false
+}

common/defs/fido/google.json

@@ -6,5 +6,6 @@
       "label": "google.com"
     }
   ],
-  "webauthn": ["google.com"]
+  "webauthn": ["google.com"],
+  "use_self_attestation": false
 }

common/defs/misc/misc.json

@@ -87,7 +87,7 @@
         }
     },
     {
-        "name": "Cardano Testnet",
+        "name": "Cardano Preview Testnet",
         "shortcut": "tADA",
         "slip44": 1815,
         "curve": "ed25519",

common/protob/messages-management.proto

@@ -27,6 +27,15 @@ enum SafetyCheckLevel {
     PromptTemporarily = 2;  // like PromptAlways but reverts to Strict after reboot
 }
 
+
+/**
+ * Format of the homescreen image
+ */
+enum HomescreenFormat {
+    Toif144x144 = 1;
+    Jpeg240x240 = 2;
+}
+
 /**
  * Request: Reset device to default state and ask for device details
  * @start
@@ -112,6 +121,8 @@ message Features {
     optional uint32 display_rotation = 39;      // in degrees from North
     optional bool experimental_features = 40;   // are experimental message types enabled?
     optional bool busy = 41;                    // is the device busy, showing "Do not disconnect"?
+    optional HomescreenFormat homescreen_format = 42;   // format of the homescreen, 1 = TOIf 144x144, 2 = jpg 240x240
+    optional bool hide_passphrase_from_host = 43;   // should we hide the passphrase when it comes from host?
 }
 
 /**
@@ -158,6 +169,7 @@ message ApplySettings {
     optional bool passphrase_always_on_device = 8;  // do not prompt for passphrase, enforce device entry
     optional SafetyCheckLevel safety_checks = 9;  // Safety check level, set to Prompt to limit path namespace enforcement
     optional bool experimental_features = 10;  // enable experimental message types
+    optional bool hide_passphrase_from_host = 11;  // do not show passphrase coming from host
 }
 
 /**

common/tests/fixtures/ethereum/sign_tx_eip1559.json

@@ -139,6 +139,25 @@
                 "sig_r": "3a5e8fa47bfdb758837643485b2951f6c54894996f124dce6282662289ebcf79",
                 "sig_s": "5b5b9e0f9af273466cc1e991cb86fadb2abedeb4de150163a8dbf348422b5fe2"
             }
+        },
+        {
+            "name": "long_fees",
+            "parameters": {
+                "data": "",
+                "path": "m/44'/60'/0'/0/0",
+                "to_address": "0x1d1c328764a41bda0492b66baa30c4a339ff85ef",
+                "chain_id": 1,
+                "nonce": "0x0",
+                "gas_limit": "0x141414141414141414",
+                "max_gas_fee": "0x14141414141414141414",
+                "max_priority_fee": "0x11111111111111111",
+                "value": "0xa"
+            },
+            "result": {
+                "sig_v": 0,
+                "sig_r": "3f3bfa6762b33819f268a98744803e1876aa440a6fd2ebef90cfd606bb893429",
+                "sig_s": "241e1128a715a5386c3b6d0998f9f42c21ee080568fbf2c642a05916c30737e2"
+            }
         }
     ]
 }

common/tests/fixtures/ethereum/signmessage.json

@@ -83,6 +83,16 @@
                 "address": "0x73d0385F4d8E00C5e6504C6030F47BF6212736A8",
                 "sig": "fa9d60644436f27eb88956a50893e9a47f67c42fb1b57a44bde4c6e127ab777e0c23b234b6ec9327ffd0620daaa514243ebb5a3652a1bac2d720e0f5555b2e071c"
             }
+        },
+        {
+            "parameters": {
+                "msg": "This is an example of a signed message at a different path.",
+                "path": "m/45'/60/2/1/1"
+            },
+            "result": {
+                "address": "0x3beC5F707Ef56057354f4c062C53cd089E8Ea02C",
+                "sig": "27c75ccd53136ef1c470784d16440c798effbff4928fcee36a9080c2e929ce3f727aabcd4a0de88881ae02003bd16bc9d3f199d78266c41596db14fac134b44f1c"
+            }
         }
     ]
 }

common/tools/cointool.py

@@ -329,10 +329,11 @@ def check_dups(buckets: CoinBuckets, print_at_level: int = logging.WARNING) -> b
             and not coin_info.is_token(coin)
         ]  # we do not count override-marked coins as duplicates here
         cleared = not any(coin.get("duplicate") for coin in bucket)
+        eth_testnet = symbol == "teth"
 
         # string generation
         dup_str = ", ".join(coin_str(coin) for coin in bucket)
-        if len(nontokens) > 1:
+        if len(nontokens) > 1 and not eth_testnet:
             # Two or more colliding nontokens. This is always fatal.
             # XXX consider allowing two nontokens as long as only one is supported?
             level = logging.ERROR

core/.changelog.d/1922.changed

@@ -0,0 +1 @@
+Switched to redesigned, Rust-based user interface.

core/.changelog.d/2205.changed

@@ -0,0 +1 @@
+Ignore channel ID in U2F.

core/.changelog.d/2611.changed

@@ -0,0 +1 @@
+Updated FAT FS library to R0.15

core/.changelog.d/2623.added

@@ -0,0 +1 @@
+Add model info to image and check when installing bootloader, prevent bootloader downgrade

core/.changelog.d/2682.added

@@ -0,0 +1 @@
+Allow proposed Casa m/45' multisig paths for Bitcoin and Ethereum.

core/.changelog.d/2746.changed

@@ -0,0 +1 @@
+Ethereum's EIP-712 signing no longer restricts the maximum field size to 1024 bytes.

core/.changelog.d/2818.added

@@ -0,0 +1 @@
+Add address confirmation screen to EIP712 signing flow

core/.changelog.d/2834.changed

@@ -0,0 +1 @@
+Force basic attestation in FIDO2 for google.com

core/.changelog.d/2841.added

@@ -0,0 +1 @@
+Add the possibility of rebooting the device into bootloader mode

core/.changelog.d/450.added

@@ -0,0 +1 @@
+CoSi collective signatures on Model T.

core/.changelog.d/noissue.security

@@ -0,0 +1 @@
+Match and validate script type of change-outputs in Bitcoin signing.

core/.gitignore

@@ -8,3 +8,5 @@ tests/trezor_monero_tests*
 .coverage.*
 htmlcov/
 mypy_report
+/CMakeLists.txt
+/cmake-build-debug/

core/Makefile

@@ -25,7 +25,7 @@ BOOTLOADER_QA ?= 0
 TREZOR_MODEL ?= T
 TREZOR_MEMPERF ?= 0
 ADDRESS_SANITIZER ?= 0
-UI2 ?= 0
+CMAKELISTS ?= 0
 
 # OpenOCD interface default. Alternative: ftdi/olimex-arm-usb-tiny-h
 OPENOCD_INTERFACE ?= stlink
@@ -107,17 +107,28 @@ test_emu_fido2: ## run fido2 device tests
 test_emu_click: ## run click tests
 	$(EMU_TEST) $(PYTEST) $(TESTPATH)/click_tests $(TESTOPTS)
 
+test_emu_click_ui: ## run click tests with UI testing
+	$(EMU_TEST) $(PYTEST) $(TESTPATH)/click_tests --ui=test --ui-check-missing $(TESTOPTS)
+
 test_emu_ui: ## run ui integration tests
-	$(EMU_TEST) $(PYTEST) $(TESTPATH)/device_tests --ui=test --ui-check-missing $(TESTOPTS)
+	$(EMU_TEST) $(PYTEST) $(TESTPATH)/device_tests $(TESTOPTS) \
+		--ui=test --ui-check-missing --record-text-layout
 
 test_emu_ui_multicore: ## run ui integration tests using multiple cores
-	$(PYTEST) -n auto $(TESTPATH)/device_tests $(TESTOPTS) --ui=test --ui-check-missing --control-emulators --model=core --random-order-seed=$(shell echo $$RANDOM)
+	$(PYTEST) -n auto $(TESTPATH)/device_tests $(TESTOPTS) \
+		--ui=test --ui-check-missing --record-text-layout \
+		--control-emulators --model=core --random-order-seed=$(shell echo $$RANDOM)
 
 test_emu_ui_record: ## record and hash screens for ui integration tests
-	$(EMU_TEST) $(PYTEST) $(TESTPATH)/device_tests --ui=record --ui-check-missing $(TESTOPTS)
+	$(EMU_TEST) $(PYTEST) $(TESTPATH)/device_tests $(TESTOPTS) \
+		--ui=record --ui-check-missing
 
-test_emu_ui_record_multicore: ## record and hash screens for ui integration tests using multiple cores
-	$(PYTEST) -n auto $(TESTPATH)/device_tests $(TESTOPTS) --ui=record --ui-check-missing --control-emulators --model=core --random-order-seed=$(shell echo $$RANDOM)
+test_emu_ui_record_multicore: ## quickly record all screens
+	make test_emu_ui_multicore || echo "All errors are recorded in fixtures.json"
+	make test_emu_accept_fixtures
+
+test_emu_accept_fixtures:  # accept UI fixtures from the last run of UI tests
+	../tests/update_fixtures.py
 
 pylint: ## run pylint on application sources and tests
 	pylint -E $(shell find src tests -name *.py)
@@ -149,33 +160,33 @@ build: build_boardloader build_bootloader build_firmware build_prodtest build_un
 build_embed: build_boardloader build_bootloader build_firmware # build boardloader, bootloader, firmware
 
 build_boardloader: ## build boardloader
-	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" $(BOARDLOADER_BUILD_DIR)/boardloader.bin
+	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" CMAKELISTS="$(CMAKELISTS)" $(BOARDLOADER_BUILD_DIR)/boardloader.bin
 
 build_bootloader: ## build bootloader
-	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" $(BOOTLOADER_BUILD_DIR)/bootloader.bin
+	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" CMAKELISTS="$(CMAKELISTS)" $(BOOTLOADER_BUILD_DIR)/bootloader.bin
 
 build_bootloader_ci: ## build CI device testing bootloader
-	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" $(BOOTLOADER_CI_BUILD_DIR)/bootloader.bin
+	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" CMAKELISTS="$(CMAKELISTS)" $(BOOTLOADER_CI_BUILD_DIR)/bootloader.bin
 
 build_prodtest: ## build production test firmware
-	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" $(PRODTEST_BUILD_DIR)/prodtest.bin
+	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" CMAKELISTS="$(CMAKELISTS)" $(PRODTEST_BUILD_DIR)/prodtest.bin
 
 build_reflash: ## build reflash firmware + reflash image
-	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" $(REFLASH_BUILD_DIR)/reflash.bin
+	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" CMAKELISTS="$(CMAKELISTS)" $(REFLASH_BUILD_DIR)/reflash.bin
 	dd if=build/boardloader/boardloader.bin of=$(REFLASH_BUILD_DIR)/sdimage.bin bs=1 seek=0
 	dd if=build/bootloader/bootloader.bin of=$(REFLASH_BUILD_DIR)/sdimage.bin bs=1 seek=49152
 
 build_firmware: templates build_cross ## build firmware with frozen modules
-	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" PYOPT="$(PYOPT)" BITCOIN_ONLY="$(BITCOIN_ONLY)" BOOTLOADER_QA="$(BOOTLOADER_QA)" $(FIRMWARE_BUILD_DIR)/firmware.bin
+	$(SCONS) CFLAGS="$(CFLAGS)" PRODUCTION="$(PRODUCTION)" TREZOR_MODEL="$(TREZOR_MODEL)" CMAKELISTS="$(CMAKELISTS)" PYOPT="$(PYOPT)" BITCOIN_ONLY="$(BITCOIN_ONLY)" BOOTLOADER_QA="$(BOOTLOADER_QA)" $(FIRMWARE_BUILD_DIR)/firmware.bin
 
 build_unix: templates ## build unix port
-	$(SCONS) CFLAGS="$(CFLAGS)" $(UNIX_BUILD_DIR)/trezor-emu-core $(UNIX_PORT_OPTS) TREZOR_MODEL="$(TREZOR_MODEL)" PYOPT="0" BITCOIN_ONLY="$(BITCOIN_ONLY)" TREZOR_EMULATOR_ASAN="$(ADDRESS_SANITIZER)"
+	$(SCONS) CFLAGS="$(CFLAGS)" $(UNIX_BUILD_DIR)/trezor-emu-core $(UNIX_PORT_OPTS) TREZOR_MODEL="$(TREZOR_MODEL)" CMAKELISTS="$(CMAKELISTS)" PYOPT="0" BITCOIN_ONLY="$(BITCOIN_ONLY)" TREZOR_EMULATOR_ASAN="$(ADDRESS_SANITIZER)"
 
 build_unix_frozen: templates build_cross ## build unix port with frozen modules
-	$(SCONS) CFLAGS="$(CFLAGS)" $(UNIX_BUILD_DIR)/trezor-emu-core $(UNIX_PORT_OPTS) TREZOR_MODEL="$(TREZOR_MODEL)" PYOPT="$(PYOPT)" BITCOIN_ONLY="$(BITCOIN_ONLY)" TREZOR_EMULATOR_ASAN="$(ADDRESS_SANITIZER)" TREZOR_MEMPERF="$(TREZOR_MEMPERF)" TREZOR_EMULATOR_FROZEN=1
+	$(SCONS) CFLAGS="$(CFLAGS)" $(UNIX_BUILD_DIR)/trezor-emu-core $(UNIX_PORT_OPTS) TREZOR_MODEL="$(TREZOR_MODEL)" CMAKELISTS="$(CMAKELISTS)" PYOPT="$(PYOPT)" BITCOIN_ONLY="$(BITCOIN_ONLY)" TREZOR_EMULATOR_ASAN="$(ADDRESS_SANITIZER)" TREZOR_MEMPERF="$(TREZOR_MEMPERF)" TREZOR_EMULATOR_FROZEN=1
 
 build_unix_debug: templates ## build unix port
-	$(SCONS) --max-drift=1 CFLAGS="$(CFLAGS)" $(UNIX_BUILD_DIR)/trezor-emu-core $(UNIX_PORT_OPTS) TREZOR_MODEL="$(TREZOR_MODEL)" BITCOIN_ONLY="$(BITCOIN_ONLY)" TREZOR_EMULATOR_ASAN=1 TREZOR_EMULATOR_DEBUGGABLE=1
+	$(SCONS) --max-drift=1 CFLAGS="$(CFLAGS)" $(UNIX_BUILD_DIR)/trezor-emu-core $(UNIX_PORT_OPTS) TREZOR_MODEL="$(TREZOR_MODEL)" CMAKELISTS="$(CMAKELISTS)" BITCOIN_ONLY="$(BITCOIN_ONLY)" TREZOR_EMULATOR_ASAN=1 TREZOR_EMULATOR_DEBUGGABLE=1
 
 build_cross: ## build mpy-cross port
 	$(MAKE) -C vendor/micropython/mpy-cross $(CROSS_PORT_OPTS)
@@ -309,5 +320,8 @@ upload: ## upload firmware using trezorctl
 upload_prodtest: ## upload prodtest using trezorctl
 	trezorctl firmware_update -f $(PRODTEST_BUILD_DIR)/prodtest.bin
 
-coverage:  # generate coverage report
+coverage:  ## generate coverage report
 	./tools/coverage-report
+
+unused:  ## find unused micropython code
+	vulture src src/_vulture_ignore.txt --exclude "messages.py,*/enums/*"

core/SConscript.boardloader

@@ -4,6 +4,7 @@ import os
 import tools
 
 TREZOR_MODEL = ARGUMENTS.get('TREZOR_MODEL', 'T')
+CMAKELISTS = int(ARGUMENTS.get('CMAKELISTS', 0))
 
 if TREZOR_MODEL in ('1', ):
     # skip boardloader build
@@ -104,13 +105,16 @@ env = Environment(ENV=os.environ, CFLAGS='%s -DPRODUCTION=%s' % (ARGUMENTS.get('
 tools.configure_board(TREZOR_MODEL, env, CPPDEFINES_MOD, SOURCE_TREZORHAL)
 
 env.Replace(
+    CP='cp',
     AS='arm-none-eabi-as',
     AR='arm-none-eabi-ar',
     CC='arm-none-eabi-gcc',
     LINK='arm-none-eabi-gcc',
     SIZE='arm-none-eabi-size',
     STRIP='arm-none-eabi-strip',
-    OBJCOPY='arm-none-eabi-objcopy', )
+    OBJCOPY='arm-none-eabi-objcopy',
+    PYTHON='python',
+    MAKECMAKELISTS='$PYTHON tools/make_cmakelists.py',)
 
 env.Replace(
     TREZOR_MODEL=TREZOR_MODEL, )
@@ -133,7 +137,7 @@ env.Replace(
     '-fstack-protector-all '
     + CPU_CCFLAGS + CCFLAGS_MOD,
     CCFLAGS_QSTR='-DNO_QSTR -DN_X64 -DN_X86 -DN_THUMB',
-    LINKFLAGS='-T embed/boardloader/memory.ld -Wl,--gc-sections -Wl,-Map=build/boardloader/boardloader.map -Wl,--warn-common',
+    LINKFLAGS='-T embed/boardloader/memory.ld -Wl,--gc-sections -Wl,-Map=build/boardloader/boardloader.map -Wl,--warn-common  -Wl,--print-memory-usage',
     CPPPATH=[
         'embed/boardloader',
         'embed/trezorhal',
@@ -153,6 +157,16 @@ env.Replace(
     ASFLAGS=CPU_ASFLAGS,
     ASPPFLAGS='$CFLAGS $CCFLAGS', )
 
+env.Replace(
+    ALLSOURCES=SOURCE_MOD + SOURCE_BOARDLOADER + SOURCE_STMHAL + SOURCE_TREZORHAL,
+    ALLDEFS=tools.get_defs_for_cmake(env['CPPDEFINES']))
+
+cmake_gen = env.Command(
+    target='CMakeLists.txt',
+    source='',
+    action='$MAKECMAKELISTS --sources $ALLSOURCES --dirs $CPPPATH --defs $ALLDEFS',
+)
+
 #
 # Program objects
 #
@@ -170,8 +184,20 @@ program_elf = env.Command(
     '$LINK -o $TARGET $CCFLAGS $CFLAGS $LINKFLAGS $SOURCES -lc_nano -lgcc',
 )
 
+BINARY_NAME = f"build/boardloader/boardloader-{tools.get_model_identifier(TREZOR_MODEL)}"
+BINARY_NAME += "-" + tools.get_version('embed/boardloader/version.h')
+BINARY_NAME += "-" + tools.get_git_revision_short_hash()
+BINARY_NAME += "-dirty" if tools.get_git_modified() else ""
+BINARY_NAME += ".bin"
+
+if CMAKELISTS != 0:
+    env.Depends(program_elf, cmake_gen)
+
 program_bin = env.Command(
     target='boardloader.bin',
     source=program_elf,
-    action='$OBJCOPY -O binary $SOURCE $TARGET',
+    action=[
+        '$OBJCOPY -O binary $SOURCE $TARGET',
+        '$CP $TARGET ' + BINARY_NAME,
+    ],
 )

core/SConscript.bootloader

@@ -4,6 +4,7 @@ import os
 import tools
 
 TREZOR_MODEL = ARGUMENTS.get('TREZOR_MODEL', 'T')
+CMAKELISTS = int(ARGUMENTS.get('CMAKELISTS', 0))
 DMA2D = False
 
 if TREZOR_MODEL in ('1', ):
@@ -157,13 +158,16 @@ env = Environment(ENV=os.environ, CFLAGS='%s -DPRODUCTION=%s' % (ARGUMENTS.get('
 tools.configure_board(TREZOR_MODEL, env, CPPDEFINES_MOD, SOURCE_TREZORHAL)
 
 env.Replace(
+    CP='cp',
     AS='arm-none-eabi-as',
     AR='arm-none-eabi-ar',
     CC='arm-none-eabi-gcc',
     LINK='arm-none-eabi-gcc',
     SIZE='arm-none-eabi-size',
     STRIP='arm-none-eabi-strip',
-    OBJCOPY='arm-none-eabi-objcopy', )
+    OBJCOPY='arm-none-eabi-objcopy',
+    PYTHON='python',
+    MAKECMAKELISTS='$PYTHON tools/make_cmakelists.py', )
 
 env.Replace(
     TREZOR_MODEL=TREZOR_MODEL, )
@@ -192,7 +196,7 @@ env.Replace(
     '-fstack-protector-all '
     + CPU_CCFLAGS + CCFLAGS_MOD,
     CCFLAGS_QSTR='-DNO_QSTR -DN_X64 -DN_X86 -DN_THUMB',
-    LINKFLAGS='-T embed/bootloader/memory.ld -Wl,--gc-sections -Wl,-Map=build/bootloader/bootloader.map -Wl,--warn-common',
+    LINKFLAGS='-T embed/bootloader/memory.ld -Wl,--gc-sections -Wl,-Map=build/bootloader/bootloader.map -Wl,--warn-common -Wl,--print-memory-usage',
     CPPPATH=[
         'embed/rust',
         'embed/bootloader',
@@ -222,6 +226,17 @@ env.Replace(
     HEADERTOOL='tools/headertool.py',
 )
 
+env.Replace(
+    ALLSOURCES=SOURCE_MOD + SOURCE_BOOTLOADER + SOURCE_NANOPB + SOURCE_STMHAL + SOURCE_TREZORHAL,
+    ALLDEFS=tools.get_defs_for_cmake(env['CPPDEFINES']))
+
+cmake_gen = env.Command(
+    target='CMakeLists.txt',
+    source='',
+    action='$MAKECMAKELISTS --sources $ALLSOURCES --dirs $CPPPATH --defs $ALLDEFS',
+)
+
+
 #
 # Program objects
 #
@@ -240,10 +255,20 @@ program_elf = env.Command(
     '$LINK -o $TARGET $CCFLAGS $CFLAGS $LINKFLAGS $SOURCES -lc_nano -lgcc',
 )
 
+BINARY_NAME = f"build/bootloader/bootloader-{tools.get_model_identifier(TREZOR_MODEL)}"
+BINARY_NAME += "-" + tools.get_version('embed/bootloader/version.h')
+BINARY_NAME += "-" + tools.get_git_revision_short_hash()
+BINARY_NAME += "-dirty" if tools.get_git_modified() else ""
+BINARY_NAME += ".bin"
+
+if CMAKELISTS != 0:
+    env.Depends(program_elf, cmake_gen)
+
 program_bin = env.Command(
     target='bootloader.bin',
     source=program_elf,
     action=[
         '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
         '$HEADERTOOL $TARGET ' + ('-D' if ARGUMENTS.get('PRODUCTION', '0') == '0' else ''),
+        '$CP $TARGET ' + BINARY_NAME,
     ], )

core/SConscript.bootloader_ci

@@ -4,6 +4,7 @@ import os
 import tools
 
 TREZOR_MODEL = ARGUMENTS.get('TREZOR_MODEL', 'T')
+CMAKELISTS = int(ARGUMENTS.get('CMAKELISTS', 0))
 
 if TREZOR_MODEL in ('1', ):
     # skip bootloader_ci build
@@ -140,13 +141,16 @@ env = Environment(ENV=os.environ, CFLAGS='%s -DPRODUCTION=%s' % (ARGUMENTS.get('
 tools.configure_board(TREZOR_MODEL, env, CPPDEFINES_MOD, SOURCE_TREZORHAL)
 
 env.Replace(
+    CP='cp',
     AS='arm-none-eabi-as',
     AR='arm-none-eabi-ar',
     CC='arm-none-eabi-gcc',
     LINK='arm-none-eabi-gcc',
     SIZE='arm-none-eabi-size',
     STRIP='arm-none-eabi-strip',
-    OBJCOPY='arm-none-eabi-objcopy', )
+    OBJCOPY='arm-none-eabi-objcopy',
+    PYTHON='python',
+    MAKECMAKELISTS='$PYTHON tools/make_cmakelists.py',)
 
 env.Replace(
     TREZOR_MODEL=TREZOR_MODEL, )
@@ -191,12 +195,24 @@ env.Replace(
         'PB_VALIDATE_UTF8',
     ] + CPPDEFINES_MOD,
     ASFLAGS=CPU_ASFLAGS,
-    ASPPFLAGS='$CFLAGS $CCFLAGS', )
+    ASPPFLAGS='$CFLAGS $CCFLAGS',
+    ALLSOURCES=SOURCE_MOD + SOURCE_BOOTLOADER + SOURCE_STMHAL + SOURCE_TREZORHAL+ SOURCE_NANOPB, )
 
 env.Replace(
     HEADERTOOL='tools/headertool.py',
 )
 
+env.Replace(
+    ALLSOURCES=SOURCE_MOD + SOURCE_BOOTLOADER + SOURCE_NANOPB + SOURCE_STMHAL + SOURCE_TREZORHAL,
+    ALLDEFS=tools.get_defs_for_cmake(env['CPPDEFINES']))
+
+cmake_gen = env.Command(
+    target='CMakeLists.txt',
+    source='',
+    action='$MAKECMAKELISTS --sources $ALLSOURCES --dirs $CPPPATH --defs $ALLDEFS',
+)
+
+
 #
 # Program objects
 #
@@ -215,10 +231,20 @@ program_elf = env.Command(
     '$LINK -o $TARGET $CCFLAGS $CFLAGS $LINKFLAGS $SOURCES -lc_nano -lgcc',
 )
 
+BINARY_NAME = f"build/bootloader_ci/bootloader_ci-{tools.get_model_identifier(TREZOR_MODEL)}"
+BINARY_NAME += "-" + tools.get_version('embed/bootloader_ci/version.h')
+BINARY_NAME += "-" + tools.get_git_revision_short_hash()
+BINARY_NAME += "-dirty" if tools.get_git_modified() else ""
+BINARY_NAME += ".bin"
+
+if CMAKELISTS != 0:
+    env.Depends(program_elf, cmake_gen)
+
 program_bin = env.Command(
     target='bootloader.bin',
     source=program_elf,
     action=[
         '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
         '$HEADERTOOL $TARGET ' + ('-D' if ARGUMENTS.get('PRODUCTION', '0') == '0' else ''),
+        '$CP $TARGET ' + BINARY_NAME,
     ], )

core/SConscript.firmware

@@ -10,6 +10,7 @@ BOOTLOADER_QA = ARGUMENTS.get('BOOTLOADER_QA', '0') == '1'
 EVERYTHING = BITCOIN_ONLY != '1'
 TREZOR_MODEL = ARGUMENTS.get('TREZOR_MODEL', 'T')
 DMA2D = TREZOR_MODEL in ('T', )
+CMAKELISTS = int(ARGUMENTS.get('CMAKELISTS', 0))
 
 if PRODUCTION != '1' and BOOTLOADER_QA:
     raise ValueError('Firmware variant for bootloader upgrade testing must be done with PRODUCTION=1')
@@ -188,6 +189,7 @@ SOURCE_MOD += [
     'vendor/micropython/lib/uzlib/crc32.c',
     'vendor/micropython/lib/uzlib/tinflate.c',
 ]
+
 CPPDEFINES_MOD += [
     'TREZOR_UI2',
     'USE_RUST_LOADER'
@@ -445,6 +447,7 @@ env.Tool('micropython')
 env.Replace(
     CAT='cat',
     DD='dd',
+    CP='cp',
     SED='sed',
     AS='arm-none-eabi-as',
     AR='arm-none-eabi-ar',
@@ -483,7 +486,7 @@ env.Replace(
     '-fstack-protector-all '
     + CPU_CCFLAGS + CCFLAGS_MOD,
     CCFLAGS_QSTR='-DNO_QSTR -DN_X64 -DN_X86 -DN_THUMB',
-    LINKFLAGS='-T embed/firmware/memory_${TREZOR_MODEL}%s.ld -Wl,--gc-sections -Wl,-Map=build/firmware/firmware.map -Wl,--warn-common' % LD_VARIANT,
+    LINKFLAGS='-T embed/firmware/memory_${TREZOR_MODEL}%s.ld -Wl,--gc-sections  -Wl,--print-memory-usage -Wl,-Map=build/firmware/firmware.map -Wl,--warn-common' % LD_VARIANT,
     CPPPATH=[
         '.',
         'embed/rust',
@@ -511,6 +514,7 @@ env.Replace(
     MAKEQSTRDATA='$PYTHON vendor/micropython/py/makeqstrdata.py',
     MAKEVERSIONHDR='$PYTHON vendor/micropython/py/makeversionhdr.py',
     MAKEMODULEDEFS='$PYTHON vendor/micropython/py/makemoduledefs.py',
+    MAKECMAKELISTS='$PYTHON tools/make_cmakelists.py',
     MPY_TOOL='$PYTHON vendor/micropython/tools/mpy-tool.py',
     MPY_CROSS='vendor/micropython/mpy-cross/mpy-cross -O' + PYOPT,
     PB2PY='$PYTHON ../common/protob/pb2py',
@@ -575,18 +579,19 @@ if FROZEN:
     SOURCE_PY = Glob(SOURCE_PY_DIR + '*.py')
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/*.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/crypto/*.py'))
-    SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/res/*.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/*.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/components/*.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/components/common/*.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/__init__.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/common.py'))
+    SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/homescreen.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/reset.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/recovery.py'))
     if EVERYTHING:
         SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/fido.py'))
     if TREZOR_MODEL in ('T',):
         SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/tt_v2/__init__.py'))
+        SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/tt_v2/homescreen.py'))
         SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/tt_v2/reset.py'))
         SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/tt_v2/recovery.py'))
         if EVERYTHING:
@@ -717,7 +722,9 @@ def cargo_build():
     else:
         profile = ''
 
-    features = ['micropython', 'protobuf', f'model_t{TREZOR_MODEL.lower()}']
+    # T1 does not have its own Rust feature, it shares it with TR
+    model_feature = 'model_tr' if TREZOR_MODEL == '1' else f'model_t{TREZOR_MODEL.lower()}'
+    features = ['micropython', 'protobuf', model_feature]
     if BITCOIN_ONLY == '1':
         features.append('bitcoin_only')
     features.append('ui')
@@ -752,10 +759,12 @@ env.Append(LINKFLAGS=f' -l{RUST_LIB}')
 # Program objects
 #
 
+source_files = SOURCE_MOD + SOURCE_FIRMWARE + SOURCE_MICROPYTHON + SOURCE_MICROPYTHON_SPEED + SOURCE_STMHAL + SOURCE_TREZORHAL
 obj_program = []
 obj_program.extend(env.Object(source=SOURCE_MOD))
 if FEATURE_FLAGS["SECP256K1_ZKP"]:
     obj_program.extend(env.Object(source=SOURCE_MOD_SECP256K1_ZKP, CCFLAGS='$CCFLAGS -Wno-unused-function'))
+    source_files.extend(SOURCE_MOD_SECP256K1_ZKP)
 obj_program.extend(env.Object(source=SOURCE_FIRMWARE))
 obj_program.extend(env.Object(source=SOURCE_MICROPYTHON))
 obj_program.extend(env.Object(source=SOURCE_MICROPYTHON_SPEED, COPT='-O3'))
@@ -764,6 +773,18 @@ obj_program.extend(env.Object(source=SOURCE_TREZORHAL))
 if FROZEN:
     obj_program.extend(env.Object(source=source_mpyc))
 
+env.Replace(
+    ALLSOURCES=source_files,
+    ALLDEFS=tools.get_defs_for_cmake(env['CPPDEFINES']))
+
+
+cmake_gen = env.Command(
+    target='CMakeLists.txt',
+    source='',
+    action='$MAKECMAKELISTS --sources $ALLSOURCES --dirs $CPPPATH --defs $ALLDEFS',
+)
+
+
 VENDORHEADER = 'embed/vendorheader/vendorheader_' + ('unsafe_signed_prod.bin' if ARGUMENTS.get('PRODUCTION', '0') == '0' else 'satoshilabs_signed_prod.bin')
 
 obj_program.extend(
@@ -775,7 +796,7 @@ obj_program.extend(
         ' $SOURCE $TARGET', ))
 
 
-BOOTLOADER_SUFFIX =  TREZOR_MODEL + ('_QA' if BOOTLOADER_QA else '')
+BOOTLOADER_SUFFIX =  tools.get_model_identifier(TREZOR_MODEL) + ('_QA' if BOOTLOADER_QA else '')
 
 obj_program.extend(
     env.Command(
@@ -797,8 +818,19 @@ program_elf = env.Command(
     '$LINK -o $TARGET $CCFLAGS $CFLAGS $SOURCES $LINKFLAGS -lc_nano -lm -lgcc',
 )
 
+if CMAKELISTS != 0:
+    env.Depends(program_elf, cmake_gen)
 env.Depends(program_elf, rust)
 
+BINARY_NAME = f"build/firmware/firmware-{tools.get_model_identifier(TREZOR_MODEL)}"
+if not EVERYTHING:
+    BINARY_NAME += "-btconly"
+BINARY_NAME += "-" + tools.get_version('embed/firmware/version.h')
+BINARY_NAME += "-" + tools.get_git_revision_short_hash()
+BINARY_NAME += "-dirty" if tools.get_git_modified() else ""
+BINARY_NAME += ".bin"
+
+
 if TREZOR_MODEL in ('T', 'R'):
     action_bin=[
         '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data --pad-to 0x08100000 $SOURCE ${TARGET}.p1',
@@ -806,11 +838,13 @@ if TREZOR_MODEL in ('T', 'R'):
         '$CAT ${TARGET}.p1 ${TARGET}.p2 > $TARGET',
         '$HEADERTOOL -h $TARGET ' + ('-D' if ARGUMENTS.get('PRODUCTION', '0') == '0' else ''),
         '$DD if=$TARGET of=${TARGET}.p1 skip=0 bs=128k count=6',
+        '$CP $TARGET ' + BINARY_NAME,
     ]
 elif TREZOR_MODEL in ('1',):
     action_bin=[
         '$OBJCOPY -O binary -j .header -j .flash -j .data $SOURCE $TARGET',
         '../legacy/bootloader/firmware_sign.py -f $TARGET',
+        '$CP $TARGET ' + BINARY_NAME,
     ]
 else:
     raise ValueError('Unknown Trezor model')

core/SConscript.prodtest

@@ -4,6 +4,7 @@ import os
 import tools
 
 TREZOR_MODEL = ARGUMENTS.get('TREZOR_MODEL', 'T')
+CMAKELISTS = int(ARGUMENTS.get('CMAKELISTS', 0))
 
 CCFLAGS_MOD = ''
 CPPPATH_MOD = []
@@ -109,13 +110,16 @@ env = Environment(ENV=os.environ, CFLAGS='%s -DPRODUCTION=%s' % (ARGUMENTS.get('
 tools.configure_board(TREZOR_MODEL, env, CPPDEFINES_MOD, SOURCE_TREZORHAL)
 
 env.Replace(
+    CP='cp',
     AS='arm-none-eabi-as',
     AR='arm-none-eabi-ar',
     CC='arm-none-eabi-gcc',
     LINK='arm-none-eabi-gcc',
     SIZE='arm-none-eabi-size',
     STRIP='arm-none-eabi-strip',
-    OBJCOPY='arm-none-eabi-objcopy', )
+    OBJCOPY='arm-none-eabi-objcopy',
+    PYTHON='python',
+    MAKECMAKELISTS='$PYTHON tools/make_cmakelists.py',)
 
 env.Replace(
     TREZOR_MODEL=TREZOR_MODEL, )
@@ -164,6 +168,18 @@ env.Replace(
     HEADERTOOL='tools/headertool.py',
 )
 
+
+env.Replace(
+    ALLSOURCES=SOURCE_MOD + SOURCE_PRODTEST + SOURCE_STMHAL + SOURCE_TREZORHAL,
+    ALLDEFS=tools.get_defs_for_cmake(env['CPPDEFINES']))
+
+cmake_gen = env.Command(
+    target='CMakeLists.txt',
+    source='',
+    action='$MAKECMAKELISTS --sources $ALLSOURCES --dirs $CPPPATH --defs $ALLDEFS',
+)
+
+
 #
 # Program objects
 #
@@ -191,10 +207,20 @@ program_elf = env.Command(
     '$LINK -o $TARGET $CCFLAGS $CFLAGS $LINKFLAGS $SOURCES -lc_nano -lgcc',
 )
 
+BINARY_NAME = f"build/prodtest/prodtest-{tools.get_model_identifier(TREZOR_MODEL)}"
+BINARY_NAME += "-" + tools.get_version('embed/prodtest/version.h')
+BINARY_NAME += "-" + tools.get_git_revision_short_hash()
+BINARY_NAME += "-dirty" if tools.get_git_modified() else ""
+BINARY_NAME += ".bin"
+
+if CMAKELISTS != 0:
+    env.Depends(program_elf, cmake_gen)
+
 program_bin = env.Command(
     target='prodtest.bin',
     source=program_elf,
     action=[
         '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
         '$HEADERTOOL $TARGET ' + ('-D' if ARGUMENTS.get('PRODUCTION', '0') == '0' else ''),
+        '$CP $TARGET ' + BINARY_NAME,
     ], )

core/SConscript.reflash

@@ -4,6 +4,7 @@ import os
 import tools
 
 TREZOR_MODEL = ARGUMENTS.get('TREZOR_MODEL', 'T')
+CMAKELISTS = int(ARGUMENTS.get('CMAKELISTS', 0))
 
 CCFLAGS_MOD = ''
 CPPPATH_MOD = []
@@ -37,7 +38,7 @@ SOURCE_MOD += [
     'embed/extmod/modtrezorui/display.c',
     'embed/extmod/modtrezorui/colors.c',
     'embed/extmod/modtrezorui/fonts/fonts.c',
-    'embed/extmod/modtrezorui/font_bitmap.c',
+    'embed/extmod/modtrezorui/fonts/font_bitmap.c',
     'vendor/micropython/lib/uzlib/adler32.c',
     'vendor/micropython/lib/uzlib/crc32.c',
     'vendor/micropython/lib/uzlib/tinflate.c',
@@ -102,13 +103,16 @@ env = Environment(ENV=os.environ, CFLAGS='%s -DPRODUCTION=%s' % (ARGUMENTS.get('
 tools.configure_board(TREZOR_MODEL, env, CPPDEFINES_MOD, SOURCE_TREZORHAL)
 
 env.Replace(
+    CP='cp',
     AS='arm-none-eabi-as',
     AR='arm-none-eabi-ar',
     CC='arm-none-eabi-gcc',
     LINK='arm-none-eabi-gcc',
     SIZE='arm-none-eabi-size',
     STRIP='arm-none-eabi-strip',
-    OBJCOPY='arm-none-eabi-objcopy', )
+    OBJCOPY='arm-none-eabi-objcopy',
+    PYTHON='python',
+    MAKECMAKELISTS='$PYTHON tools/make_cmakelists.py',)
 
 env.Replace(
     TREZOR_MODEL=TREZOR_MODEL, )
@@ -157,6 +161,16 @@ env.Replace(
     HEADERTOOL='tools/headertool.py',
 )
 
+env.Replace(
+    ALLSOURCES=SOURCE_MOD + SOURCE_REFLASH + SOURCE_STMHAL + SOURCE_TREZORHAL,
+    ALLDEFS=tools.get_defs_for_cmake(env['CPPDEFINES']))
+
+cmake_gen = env.Command(
+    target='CMakeLists.txt',
+    source='',
+    action='$MAKECMAKELISTS --sources $ALLSOURCES --dirs $CPPPATH --defs $ALLDEFS',
+)
+
 #
 # Program objects
 #
@@ -184,10 +198,20 @@ program_elf = env.Command(
     '$LINK -o $TARGET $CCFLAGS $CFLAGS $LINKFLAGS $SOURCES -lc_nano -lgcc',
 )
 
+BINARY_NAME = f"build/reflash/reflash-{tools.get_model_identifier(TREZOR_MODEL)}"
+BINARY_NAME += "-" + tools.get_version('embed/reflash/version.h')
+BINARY_NAME += "-" + tools.get_git_revision_short_hash()
+BINARY_NAME += "-dirty" if tools.get_git_modified() else ""
+BINARY_NAME += ".bin"
+
+if CMAKELISTS != 0:
+    env.Depends(program_elf, cmake_gen)
+
 program_bin = env.Command(
     target='reflash.bin',
     source=program_elf,
     action=[
         '$OBJCOPY -O binary -j .vendorheader -j .header -j .flash -j .data $SOURCE $TARGET',
         '$HEADERTOOL $TARGET ' + ('-D' if ARGUMENTS.get('PRODUCTION', '0') == '0' else ''),
+        '$CP $TARGET ' + BINARY_NAME,
     ], )

core/SConscript.unix

@@ -8,6 +8,7 @@ BITCOIN_ONLY = ARGUMENTS.get('BITCOIN_ONLY', '0')
 EVERYTHING = BITCOIN_ONLY != '1'
 TREZOR_MODEL = ARGUMENTS.get('TREZOR_MODEL', 'T')
 DMA2D =  TREZOR_MODEL in ('T', )
+CMAKELISTS = int(ARGUMENTS.get('CMAKELISTS', 0))
 
 FEATURE_FLAGS = {
     "SECP256K1_ZKP": True,  # required for trezor.crypto.curve.bip340 (BIP340/Taproot)
@@ -460,6 +461,7 @@ env.Replace(
     MAKEQSTRDATA='$PYTHON vendor/micropython/py/makeqstrdata.py',
     MAKEVERSIONHDR='$PYTHON vendor/micropython/py/makeversionhdr.py',
     MAKEMODULEDEFS='$PYTHON vendor/micropython/py/makemoduledefs.py',
+    MAKECMAKELISTS='$PYTHON tools/make_cmakelists.py',
     MPY_TOOL='$PYTHON vendor/micropython/tools/mpy-tool.py',
     MPY_CROSS='vendor/micropython/mpy-cross/mpy-cross -O' + PYOPT,
     PB2PY='$PYTHON ../common/protob/pb2py',
@@ -524,18 +526,19 @@ if FROZEN:
     SOURCE_PY = Glob(SOURCE_PY_DIR + '*.py')
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/*.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/crypto/*.py'))
-    SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/res/*.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/*.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/components/*.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/components/common/*.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/__init__.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/common.py'))
+    SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/homescreen.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/reset.py'))
     SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/recovery.py'))
     if EVERYTHING:
         SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/fido.py'))
     if TREZOR_MODEL in ('T',):
         SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/tt_v2/__init__.py'))
+        SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/tt_v2/homescreen.py'))
         SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/tt_v2/reset.py'))
         SOURCE_PY.extend(Glob(SOURCE_PY_DIR + 'trezor/ui/layouts/tt_v2/recovery.py'))
         if EVERYTHING:
@@ -666,7 +669,9 @@ RUST_LIB = 'trezor_lib'
 RUST_LIBPATH = f'{RUST_LIBDIR}/lib{RUST_LIB}.a'
 
 def cargo_build():
-    features = ['micropython', 'protobuf', f'model_t{TREZOR_MODEL.lower()}']
+    # T1 does not have its own Rust feature, it shares it with TR
+    model_feature = 'model_tr' if TREZOR_MODEL == '1' else f'model_t{TREZOR_MODEL.lower()}'
+    features = ['micropython', 'protobuf', model_feature]
     if BITCOIN_ONLY == '1':
         features.append('bitcoin_only')
     features.append('ui')
@@ -694,14 +699,28 @@ env.Append(LINKFLAGS=f'-l{RUST_LIB}')
 #
 
 obj_program = []
+source_files = SOURCE_MOD + SOURCE_MICROPYTHON + SOURCE_UNIX
 obj_program.extend(env.Object(source=SOURCE_MOD))
 if FEATURE_FLAGS["SECP256K1_ZKP"]:
     obj_program.extend(env.Object(source=SOURCE_MOD_SECP256K1_ZKP, CCFLAGS='$CCFLAGS -Wno-unused-function'))
+    source_files.extend(SOURCE_MOD_SECP256K1_ZKP)
 obj_program.extend(env.Object(source=SOURCE_MICROPYTHON))
 obj_program.extend(env.Object(source=SOURCE_UNIX))
 if FROZEN:
     obj_program.extend(env.Object(source=source_mpyc))
 
+env.Replace(
+    ALLSOURCES=source_files,
+    ALLDEFS=tools.get_defs_for_cmake(env['CPPDEFINES']))
+
+
+cmake_gen = env.Command(
+    target='CMakeLists.txt',
+    source='',
+    action='$MAKECMAKELISTS --sources $ALLSOURCES --dirs $CPPPATH --defs $ALLDEFS',
+)
+
+
 env.Depends(obj_program, qstr_generated)
 
 program = env.Command(
@@ -709,4 +728,6 @@ program = env.Command(
     source=obj_program,
     action='$CC -o $TARGET $SOURCES $_LIBDIRFLAGS $_LIBFLAGS $LINKFLAGS', )
 
+if CMAKELISTS != 0:
+    env.Depends(program, cmake_gen)
 env.Depends(program, rust)

core/embed/boardloader/.changelog.d/2623.added

@@ -0,0 +1 @@
+Check image model when replacing bootloader

core/embed/boardloader/main.c

@@ -53,14 +53,8 @@ struct BoardCapabilities capablities
     __attribute__((section(".capabilities_section"))) = {
         .header = CAPABILITIES_HEADER,
         .model_tag = MODEL_NAME,
-        .model_length = MODEL_NAME_MAX_LENGTH,
-#if defined TREZOR_MODEL_T
-        .model_name = "TREZORT",
-#elif defined TREZOR_MODEL_R
-        .model_name = "TREZORR",
-#else
-#error Unknown model
-#endif
+        .model_length = sizeof(uint32_t),
+        .model_name = HW_MODEL,
         .version_tag = BOARDLOADER_VERSION,
         .version_length = sizeof(struct BoardloaderVersion),
         .version = {.version_major = VERSION_MAJOR,
@@ -93,17 +87,29 @@ static uint32_t check_sdcard(void) {
 
   sdcard_power_off();
 
-  image_header hdr;
+  if (sectrue == read_status) {
+    const image_header *hdr =
+        read_image_header((const uint8_t *)sdcard_buf, BOOTLOADER_IMAGE_MAGIC,
+                          BOOTLOADER_IMAGE_MAXSIZE);
 
-  if ((sectrue == read_status) &&
-      (sectrue ==
-       load_image_header((const uint8_t *)sdcard_buf, BOOTLOADER_IMAGE_MAGIC,
-                         BOOTLOADER_IMAGE_MAXSIZE, BOARDLOADER_KEY_M,
-                         BOARDLOADER_KEY_N, BOARDLOADER_KEYS, &hdr))) {
-    return hdr.codelen;
-  } else {
-    return 0;
+    if (hdr != (const image_header *)sdcard_buf) {
+      return 0;
+    }
+
+    if (sectrue != check_image_model(hdr)) {
+      return 0;
+    }
+
+    if (sectrue != check_image_header_sig(hdr, BOARDLOADER_KEY_M,
+                                          BOARDLOADER_KEY_N,
+                                          BOARDLOADER_KEYS)) {
+      return 0;
+    }
+
+    return hdr->codelen;
   }
+
+  return 0;
 }
 
 static void progress_callback(int pos, int len) { display_printf("."); }
@@ -220,18 +226,21 @@ int main(void) {
   }
 #endif
 
-  image_header hdr;
+  const image_header *hdr =
+      read_image_header((const uint8_t *)BOOTLOADER_START,
+                        BOOTLOADER_IMAGE_MAGIC, BOOTLOADER_IMAGE_MAXSIZE);
 
-  ensure(load_image_header((const uint8_t *)BOOTLOADER_START,
-                           BOOTLOADER_IMAGE_MAGIC, BOOTLOADER_IMAGE_MAXSIZE,
-                           BOARDLOADER_KEY_M, BOARDLOADER_KEY_N,
-                           BOARDLOADER_KEYS, &hdr),
+  ensure(hdr == (const image_header *)BOOTLOADER_START ? sectrue : secfalse,
          "invalid bootloader header");
 
+  ensure(check_image_header_sig(hdr, BOARDLOADER_KEY_M, BOARDLOADER_KEY_N,
+                                BOARDLOADER_KEYS),
+         "invalid bootloader signature");
+
   const uint8_t sectors[] = {
       FLASH_SECTOR_BOOTLOADER,
   };
-  ensure(check_image_contents(&hdr, IMAGE_HEADER_SIZE, sectors, 1),
+  ensure(check_image_contents(hdr, IMAGE_HEADER_SIZE, sectors, 1),
          "invalid bootloader hash");
 
   ensure_compatible_settings();

core/embed/bootloader/.changelog.d/2623.added

@@ -0,0 +1 @@
+Add model info to image and check when installing/running firmware

core/embed/bootloader/bootui.c

@@ -215,31 +215,6 @@ void ui_screen_firmware_info(const vendor_header *const vhdr,
   display_refresh();
 }
 
-void ui_screen_firmware_fingerprint(const image_header *const hdr) {
-  display_bar(0, 0, DISPLAY_RESX, DISPLAY_RESY, COLOR_BL_BG);
-  display_text(16, 32, "Firmware fingerprint", -1, FONT_NORMAL, COLOR_BL_FG,
-               COLOR_BL_BG);
-  display_bar(16, 44, DISPLAY_RESX - 14 * 2, 1, COLOR_BL_FG);
-
-  static const char *hexdigits = "0123456789abcdef";
-  char fingerprint_str[64];
-  for (int i = 0; i < 32; i++) {
-    fingerprint_str[i * 2] = hexdigits[(hdr->fingerprint[i] >> 4) & 0xF];
-    fingerprint_str[i * 2 + 1] = hexdigits[hdr->fingerprint[i] & 0xF];
-  }
-  for (int i = 0; i < 4; i++) {
-    display_text_center(120, 70 + i * 25, fingerprint_str + i * 16, 16,
-                        FONT_MONO, COLOR_BL_FG, COLOR_BL_BG);
-  }
-
-  display_bar_radius(9, 184, 222, 50, COLOR_BL_DONE, COLOR_BL_BG, 4);
-  display_icon(9 + (222 - 19) / 2, 184 + (50 - 16) / 2, 20, 16,
-               toi_icon_confirm + 12, sizeof(toi_icon_confirm) - 12,
-               COLOR_BL_BG, COLOR_BL_DONE);
-  PIXELDATA_DIRTY();
-  display_refresh();
-}
-
 // install UI
 
 void ui_screen_install_confirm_upgrade(const vendor_header *const vhdr,

core/embed/bootloader/bootui.h

@@ -34,7 +34,6 @@ void ui_screen_welcome_third(void);
 
 void ui_screen_firmware_info(const vendor_header* const vhdr,
                              const image_header* const hdr);
-void ui_screen_firmware_fingerprint(const image_header* const hdr);
 
 void ui_screen_install_confirm_upgrade(const vendor_header* const vhdr,
                                        const image_header* const hdr);

core/embed/bootloader/header.S

@@ -10,7 +10,11 @@
 g_header:
     .byte 'T','R','Z','B'            // magic
     .word g_header_end - g_header    // hdrlen
+#ifdef TREZOR_MODEL_T
     .word 0                          // expiry
+#else
+    .word 1                          // expiry
+#endif
     .word _codelen                   // codelen
     .byte VERSION_MAJOR              // vmajor
     .byte VERSION_MINOR              // vminor
@@ -20,7 +24,10 @@ g_header:
     .byte FIX_VERSION_MINOR          // fix_vminor
     .byte FIX_VERSION_PATCH          // fix_vpatch
     .byte FIX_VERSION_BUILD          // fix_vbuild
-    . = . + 8                        // reserved
+    .word HW_MODEL                   // type of the designated hardware
+    .byte HW_REVISION                // revision of the designated hardware
+    .byte VERSION_MONOTONIC          // monotonic version of the binary
+    . = . + 2                        // reserved
     . = . + 512                      // hash1 ... hash16
     . = . + 415                      // reserved
     .byte 0                          // sigmask

core/embed/bootloader/main.c

@@ -159,7 +159,7 @@ static secbool bootloader_usb_loop(const vendor_header *const vhdr,
         break;
       case 7:  // FirmwareUpload
         r = process_msg_FirmwareUpload(USB_IFACE_NUM, msg_size, buf);
-        if (r < 0 && r != -4) {  // error, but not user abort (-4)
+        if (r < 0 && r != UPLOAD_ERR_USER_ABORT) {  // error, but not user abort
           ui_fadeout();
           ui_screen_fail();
           ui_fadein();
@@ -193,10 +193,9 @@ static secbool bootloader_usb_loop(const vendor_header *const vhdr,
   }
 }
 
-secbool load_vendor_header_keys(const uint8_t *const data,
-                                vendor_header *const vhdr) {
-  return load_vendor_header(data, BOOTLOADER_KEY_M, BOOTLOADER_KEY_N,
-                            BOOTLOADER_KEYS, vhdr);
+secbool check_vendor_header_keys(const vendor_header *const vhdr) {
+  return check_vendor_header_sig(vhdr, BOOTLOADER_KEY_M, BOOTLOADER_KEY_N,
+                                 BOOTLOADER_KEYS);
 }
 
 static secbool check_vendor_header_lock(const vendor_header *const vhdr) {
@@ -303,23 +302,40 @@ int main(void) {
   }
 #endif
 
+  const image_header *hdr = NULL;
   vendor_header vhdr;
-  image_header hdr;
-  // detect whether the devices contains a valid firmware
+  // detect whether the device contains a valid firmware
+  secbool firmware_present = sectrue;
+
+  if (sectrue != read_vendor_header((const uint8_t *)FIRMWARE_START, &vhdr)) {
+    firmware_present = secfalse;
+  }
+
+  if (sectrue == firmware_present) {
+    firmware_present = check_vendor_header_keys(&vhdr);
+  }
 
-  secbool firmware_present =
-      load_vendor_header_keys((const uint8_t *)FIRMWARE_START, &vhdr);
   if (sectrue == firmware_present) {
     firmware_present = check_vendor_header_lock(&vhdr);
   }
+
   if (sectrue == firmware_present) {
-    firmware_present = load_image_header(
-        (const uint8_t *)(FIRMWARE_START + vhdr.hdrlen), FIRMWARE_IMAGE_MAGIC,
-        FIRMWARE_IMAGE_MAXSIZE, vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub, &hdr);
+    hdr = read_image_header((const uint8_t *)(FIRMWARE_START + vhdr.hdrlen),
+                            FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE);
+    if (hdr != (const image_header *)(FIRMWARE_START + vhdr.hdrlen)) {
+      firmware_present = secfalse;
+    }
+  }
+  if (sectrue == firmware_present) {
+    firmware_present = check_image_model(hdr);
   }
   if (sectrue == firmware_present) {
     firmware_present =
-        check_image_contents(&hdr, IMAGE_HEADER_SIZE + vhdr.hdrlen,
+        check_image_header_sig(hdr, vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub);
+  }
+  if (sectrue == firmware_present) {
+    firmware_present =
+        check_image_contents(hdr, IMAGE_HEADER_SIZE + vhdr.hdrlen,
                              FIRMWARE_SECTORS, FIRMWARE_SECTORS_COUNT);
   }
 
@@ -357,26 +373,35 @@ int main(void) {
   // ... or we have stay_in_bootloader flag to force it
   if (touched || stay_in_bootloader == sectrue) {
     // no ui_fadeout(); - we already start from black screen
-    ui_screen_firmware_info(&vhdr, &hdr);
+    ui_screen_firmware_info(&vhdr, hdr);
     ui_fadein();
 
     // and start the usb loop
-    if (bootloader_usb_loop(&vhdr, &hdr) != sectrue) {
+    if (bootloader_usb_loop(&vhdr, hdr) != sectrue) {
       return 1;
     }
   }
 
-  ensure(load_vendor_header_keys((const uint8_t *)FIRMWARE_START, &vhdr),
+  ensure(read_vendor_header((const uint8_t *)FIRMWARE_START, &vhdr),
          "invalid vendor header");
 
+  ensure(check_vendor_header_keys(&vhdr), "invalid vendor header signature");
+
   ensure(check_vendor_header_lock(&vhdr), "unauthorized vendor keys");
 
-  ensure(load_image_header((const uint8_t *)(FIRMWARE_START + vhdr.hdrlen),
-                           FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE,
-                           vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub, &hdr),
+  hdr = read_image_header((const uint8_t *)(FIRMWARE_START + vhdr.hdrlen),
+                          FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE);
+
+  ensure(hdr == (const image_header *)(FIRMWARE_START + vhdr.hdrlen) ? sectrue
+                                                                     : secfalse,
          "invalid firmware header");
 
-  ensure(check_image_contents(&hdr, IMAGE_HEADER_SIZE + vhdr.hdrlen,
+  ensure(check_image_model(hdr), "wrong firmware model");
+
+  ensure(check_image_header_sig(hdr, vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub),
+         "invalid firmware signature");
+
+  ensure(check_image_contents(hdr, IMAGE_HEADER_SIZE + vhdr.hdrlen,
                               FIRMWARE_SECTORS, FIRMWARE_SECTORS_COUNT),
          "invalid firmware hash");
 
@@ -384,7 +409,7 @@ int main(void) {
 
   if ((vhdr.vtrust & VTRUST_ALL) != VTRUST_ALL) {
     // ui_fadeout();  // no fadeout - we start from black screen
-    ui_screen_boot(&vhdr, &hdr);
+    ui_screen_boot(&vhdr, hdr);
     ui_fadein();
 
     int delay = (vhdr.vtrust & VTRUST_WAIT) ^ VTRUST_WAIT;

core/embed/bootloader/messages.c

@@ -403,8 +403,7 @@ static bool _read_payload(pb_istream_t *stream, const pb_field_t *field,
   return true;
 }
 
-secbool load_vendor_header_keys(const uint8_t *const data,
-                                vendor_header *const vhdr);
+secbool check_vendor_header_keys(const vendor_header *const vhdr);
 
 static int version_compare(uint32_t vera, uint32_t verb) {
   int a, b;
@@ -422,8 +421,8 @@ static int version_compare(uint32_t vera, uint32_t verb) {
   return a - b;
 }
 
-static void detect_installation(vendor_header *current_vhdr,
-                                image_header *current_hdr,
+static void detect_installation(const vendor_header *current_vhdr,
+                                const image_header *current_hdr,
                                 const vendor_header *const new_vhdr,
                                 const image_header *const new_hdr,
                                 secbool *is_new, secbool *is_upgrade,
@@ -431,16 +430,17 @@ static void detect_installation(vendor_header *current_vhdr,
   *is_new = secfalse;
   *is_upgrade = secfalse;
   *is_downgrade_wipe = secfalse;
-  if (sectrue !=
-      load_vendor_header_keys((const uint8_t *)FIRMWARE_START, current_vhdr)) {
+  if (sectrue != check_vendor_header_keys(current_vhdr)) {
     *is_new = sectrue;
     return;
   }
-  if (sectrue !=
-      load_image_header((const uint8_t *)FIRMWARE_START + current_vhdr->hdrlen,
-                        FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE,
-                        current_vhdr->vsig_m, current_vhdr->vsig_n,
-                        current_vhdr->vpub, current_hdr)) {
+  if (sectrue != check_image_model(current_hdr)) {
+    *is_new = sectrue;
+    return;
+  }
+  if (sectrue != check_image_header_sig(current_hdr, current_vhdr->vsig_m,
+                                        current_vhdr->vsig_n,
+                                        current_vhdr->vpub)) {
     *is_new = sectrue;
     return;
   }
@@ -472,7 +472,7 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
     MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
     MSG_SEND_ASSIGN_STRING(message, "Invalid chunk size");
     MSG_SEND(Failure);
-    return -1;
+    return UPLOAD_ERR_INVALID_CHUNK_SIZE;
   }
 
   static image_header hdr;
@@ -483,29 +483,81 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
     if (headers_offset == 0) {
       // first block and headers are not yet parsed
       vendor_header vhdr;
-      if (sectrue != load_vendor_header_keys(CHUNK_BUFFER_PTR, &vhdr)) {
+
+      if (sectrue != read_vendor_header(CHUNK_BUFFER_PTR, &vhdr)) {
         MSG_SEND_INIT(Failure);
         MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
         MSG_SEND_ASSIGN_STRING(message, "Invalid vendor header");
         MSG_SEND(Failure);
-        return -2;
+        return UPLOAD_ERR_INVALID_VENDOR_HEADER;
       }
-      if (sectrue != load_image_header(CHUNK_BUFFER_PTR + vhdr.hdrlen,
-                                       FIRMWARE_IMAGE_MAGIC,
-                                       FIRMWARE_IMAGE_MAXSIZE, vhdr.vsig_m,
-                                       vhdr.vsig_n, vhdr.vpub, &hdr)) {
+
+      if (sectrue != check_vendor_header_keys(&vhdr)) {
+        MSG_SEND_INIT(Failure);
+        MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
+        MSG_SEND_ASSIGN_STRING(message, "Invalid vendor header signature");
+        MSG_SEND(Failure);
+        return UPLOAD_ERR_INVALID_VENDOR_HEADER_SIG;
+      }
+
+      const image_header *received_hdr =
+          read_image_header(CHUNK_BUFFER_PTR + vhdr.hdrlen,
+                            FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE);
+
+      if (received_hdr !=
+          (const image_header *)(CHUNK_BUFFER_PTR + vhdr.hdrlen)) {
         MSG_SEND_INIT(Failure);
         MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
         MSG_SEND_ASSIGN_STRING(message, "Invalid firmware header");
         MSG_SEND(Failure);
-        return -3;
+        return UPLOAD_ERR_INVALID_IMAGE_HEADER;
       }
 
+      if (sectrue != check_image_model(received_hdr)) {
+        MSG_SEND_INIT(Failure);
+        MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
+        MSG_SEND_ASSIGN_STRING(message, "Wrong firmware model");
+        MSG_SEND(Failure);
+        return UPLOAD_ERR_INVALID_IMAGE_MODEL;
+      }
+
+      if (sectrue != check_image_header_sig(received_hdr, vhdr.vsig_m,
+                                            vhdr.vsig_n, vhdr.vpub)) {
+        MSG_SEND_INIT(Failure);
+        MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
+        MSG_SEND_ASSIGN_STRING(message, "Invalid firmware signature");
+        MSG_SEND(Failure);
+        return UPLOAD_ERR_INVALID_IMAGE_HEADER_SIG;
+      }
+
+      memcpy(&hdr, received_hdr, sizeof(hdr));
+
       vendor_header current_vhdr;
-      image_header current_hdr;
+
       secbool is_new = secfalse;
-      detect_installation(&current_vhdr, &current_hdr, &vhdr, &hdr, &is_new,
-                          &is_upgrade, &is_downgrade_wipe);
+
+      if (sectrue !=
+          read_vendor_header((const uint8_t *)FIRMWARE_START, &current_vhdr)) {
+        is_new = sectrue;
+      }
+
+      const image_header *current_hdr = NULL;
+
+      if (is_new == secfalse) {
+        current_hdr = read_image_header(
+            (const uint8_t *)FIRMWARE_START + current_vhdr.hdrlen,
+            FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE);
+
+        if (current_hdr !=
+            (const image_header *)(FIRMWARE_START + current_vhdr.hdrlen)) {
+          is_new = sectrue;
+        }
+      }
+
+      if (is_new == secfalse) {
+        detect_installation(&current_vhdr, current_hdr, &vhdr, &hdr, &is_new,
+                            &is_upgrade, &is_downgrade_wipe);
+      }
 
       int response = INPUT_CANCEL;
       if (sectrue == is_new) {
@@ -528,10 +580,10 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
 
       if (INPUT_CANCEL == response) {
         ui_fadeout();
-        ui_screen_firmware_info(&current_vhdr, &current_hdr);
+        ui_screen_firmware_info(&current_vhdr, current_hdr);
         ui_fadein();
         send_user_abort(iface_num, "Firmware install cancelled");
-        return -4;
+        return UPLOAD_ERR_USER_ABORT;
       }
 
       headers_offset = IMAGE_HEADER_SIZE + vhdr.hdrlen;
@@ -572,7 +624,7 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
     MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
     MSG_SEND_ASSIGN_STRING(message, "Firmware too big");
     MSG_SEND(Failure);
-    return -5;
+    return UPLOAD_ERR_FIRMWARE_TOO_BIG;
   }
 
   if (sectrue != check_single_hash(hdr.hashes + firmware_block * 32,
@@ -591,7 +643,7 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
     MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
     MSG_SEND_ASSIGN_STRING(message, "Invalid chunk hash");
     MSG_SEND(Failure);
-    return -6;
+    return UPLOAD_ERR_INVALID_CHUNK_HASH;
   }
 
   ensure(flash_unlock_write(), NULL);
@@ -654,11 +706,11 @@ int process_msg_WipeDevice(uint8_t iface_num, uint32_t msg_size, uint8_t *buf) {
     MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
     MSG_SEND_ASSIGN_STRING(message, "Could not erase flash");
     MSG_SEND(Failure);
-    return -1;
+    return WIPE_ERR_CANNOT_ERASE;
   } else {
     MSG_SEND_INIT(Success);
     MSG_SEND(Success);
-    return 0;
+    return WIPE_OK;
   }
 }
 

core/embed/bootloader/messages.h

@@ -29,6 +29,24 @@
 
 #define FIRMWARE_UPLOAD_CHUNK_RETRY_COUNT 2
 
+enum {
+  UPLOAD_OK = 0,
+  UPLOAD_ERR_INVALID_CHUNK_SIZE = -1,
+  UPLOAD_ERR_INVALID_VENDOR_HEADER = -2,
+  UPLOAD_ERR_INVALID_VENDOR_HEADER_SIG = -3,
+  UPLOAD_ERR_INVALID_IMAGE_HEADER = -4,
+  UPLOAD_ERR_INVALID_IMAGE_MODEL = -5,
+  UPLOAD_ERR_INVALID_IMAGE_HEADER_SIG = -6,
+  UPLOAD_ERR_USER_ABORT = -7,
+  UPLOAD_ERR_FIRMWARE_TOO_BIG = -8,
+  UPLOAD_ERR_INVALID_CHUNK_HASH = -9,
+};
+
+enum {
+  WIPE_OK = 0,
+  WIPE_ERR_CANNOT_ERASE = -1,
+};
+
 secbool msg_parse_header(const uint8_t *buf, uint16_t *msg_id,
                          uint32_t *msg_size);
 

core/embed/bootloader_ci/.changelog.d/2623.added

@@ -0,0 +1 @@
+Add model info to image and check when installing/running firmware

core/embed/bootloader_ci/header.S

@@ -10,7 +10,11 @@
 g_header:
     .byte 'T','R','Z','B'            // magic
     .word g_header_end - g_header    // hdrlen
+#ifdef TREZOR_MODEL_T
     .word 0                          // expiry
+#else
+    .word 1                          // expiry
+#endif
     .word _codelen                   // codelen
     .byte VERSION_MAJOR              // vmajor
     .byte VERSION_MINOR              // vminor
@@ -20,7 +24,10 @@ g_header:
     .byte FIX_VERSION_MINOR          // fix_vminor
     .byte FIX_VERSION_PATCH          // fix_vpatch
     .byte FIX_VERSION_BUILD          // fix_vbuild
-    . = . + 8                        // reserved
+    .word HW_MODEL                   // type of the designated hardware
+    .byte HW_REVISION                // revision of the designated hardware
+    .byte VERSION_MONOTONIC          // monotonic version
+    . = . + 2                        // reserved
     . = . + 512                      // hash1 ... hash16
     . = . + 415                      // reserved
     .byte 0                          // sigmask

core/embed/bootloader_ci/main.c

@@ -134,7 +134,7 @@ static secbool bootloader_usb_loop(const vendor_header *const vhdr,
         break;
       case 7:  // FirmwareUpload
         r = process_msg_FirmwareUpload(USB_IFACE_NUM, msg_size, buf);
-        if (r < 0 && r != -4) {  // error, but not user abort (-4)
+        if (r < 0 && r != UPLOAD_ERR_USER_ABORT) {  // error, but not user abort
           ui_screen_fail();
           usb_stop();
           usb_deinit();
@@ -163,10 +163,9 @@ static secbool bootloader_usb_loop(const vendor_header *const vhdr,
   }
 }
 
-secbool load_vendor_header_keys(const uint8_t *const data,
-                                vendor_header *const vhdr) {
-  return load_vendor_header(data, BOOTLOADER_KEY_M, BOOTLOADER_KEY_N,
-                            BOOTLOADER_KEYS, vhdr);
+secbool check_vendor_header_keys(vendor_header *const vhdr) {
+  return check_vendor_header_sig(vhdr, BOOTLOADER_KEY_M, BOOTLOADER_KEY_N,
+                                 BOOTLOADER_KEYS);
 }
 
 static secbool check_vendor_header_lock(const vendor_header *const vhdr) {
@@ -227,24 +226,40 @@ int main(void) {
 
   display_clear();
 
+  const image_header *hdr = NULL;
   vendor_header vhdr;
-  image_header hdr;
+  // detect whether the device contains a valid firmware
+  secbool firmware_present = sectrue;
 
-  // detect whether the devices contains a valid firmware
+  if (sectrue != read_vendor_header((const uint8_t *)FIRMWARE_START, &vhdr)) {
+    firmware_present = secfalse;
+  }
+
+  if (sectrue == firmware_present) {
+    firmware_present = check_vendor_header_keys(&vhdr);
+  }
 
-  secbool firmware_present =
-      load_vendor_header_keys((const uint8_t *)FIRMWARE_START, &vhdr);
   if (sectrue == firmware_present) {
     firmware_present = check_vendor_header_lock(&vhdr);
   }
+
   if (sectrue == firmware_present) {
-    firmware_present = load_image_header(
-        (const uint8_t *)(FIRMWARE_START + vhdr.hdrlen), FIRMWARE_IMAGE_MAGIC,
-        FIRMWARE_IMAGE_MAXSIZE, vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub, &hdr);
+    hdr = read_image_header((const uint8_t *)(FIRMWARE_START + vhdr.hdrlen),
+                            FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE);
+    if (hdr != (const image_header *)(FIRMWARE_START + vhdr.hdrlen)) {
+      firmware_present = secfalse;
+    }
+  }
+  if (sectrue == firmware_present) {
+    firmware_present = check_image_model(hdr);
   }
   if (sectrue == firmware_present) {
     firmware_present =
-        check_image_contents(&hdr, IMAGE_HEADER_SIZE + vhdr.hdrlen,
+        check_image_header_sig(hdr, vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub);
+  }
+  if (sectrue == firmware_present) {
+    firmware_present =
+        check_image_contents(hdr, IMAGE_HEADER_SIZE + vhdr.hdrlen,
                              FIRMWARE_SECTORS, FIRMWARE_SECTORS_COUNT);
   }
 
@@ -260,17 +275,26 @@ int main(void) {
     return 1;
   }
 
-  ensure(load_vendor_header_keys((const uint8_t *)FIRMWARE_START, &vhdr),
+  ensure(read_vendor_header((const uint8_t *)FIRMWARE_START, &vhdr),
          "invalid vendor header");
 
+  ensure(check_vendor_header_keys(&vhdr), "invalid vendor header signature");
+
   ensure(check_vendor_header_lock(&vhdr), "unauthorized vendor keys");
 
-  ensure(load_image_header((const uint8_t *)(FIRMWARE_START + vhdr.hdrlen),
-                           FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE,
-                           vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub, &hdr),
+  hdr = read_image_header((const uint8_t *)(FIRMWARE_START + vhdr.hdrlen),
+                          FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE);
+
+  ensure(hdr == (const image_header *)(FIRMWARE_START + vhdr.hdrlen) ? sectrue
+                                                                     : secfalse,
          "invalid firmware header");
 
-  ensure(check_image_contents(&hdr, IMAGE_HEADER_SIZE + vhdr.hdrlen,
+  ensure(check_image_model(hdr), "wrong firmware model");
+
+  ensure(check_image_header_sig(hdr, vhdr.vsig_m, vhdr.vsig_n, vhdr.vpub),
+         "invalid firmware signature");
+
+  ensure(check_image_contents(hdr, IMAGE_HEADER_SIZE + vhdr.hdrlen,
                               FIRMWARE_SECTORS, FIRMWARE_SECTORS_COUNT),
          "invalid firmware hash");
 

core/embed/bootloader_ci/messages.c

@@ -401,8 +401,7 @@ static bool _read_payload(pb_istream_t *stream, const pb_field_t *field,
   return true;
 }
 
-secbool load_vendor_header_keys(const uint8_t *const data,
-                                vendor_header *const vhdr);
+secbool check_vendor_header_keys(const vendor_header *const vhdr);
 
 static int version_compare(uint32_t vera, uint32_t verb) {
   int a, b;
@@ -420,8 +419,8 @@ static int version_compare(uint32_t vera, uint32_t verb) {
   return a - b;
 }
 
-static void detect_installation(vendor_header *current_vhdr,
-                                image_header *current_hdr,
+static void detect_installation(const vendor_header *current_vhdr,
+                                const image_header *current_hdr,
                                 const vendor_header *const new_vhdr,
                                 const image_header *const new_hdr,
                                 secbool *is_new, secbool *is_upgrade,
@@ -429,16 +428,17 @@ static void detect_installation(vendor_header *current_vhdr,
   *is_new = secfalse;
   *is_upgrade = secfalse;
   *is_downgrade_wipe = secfalse;
-  if (sectrue !=
-      load_vendor_header_keys((const uint8_t *)FIRMWARE_START, current_vhdr)) {
+  if (sectrue != check_vendor_header_keys(current_vhdr)) {
     *is_new = sectrue;
     return;
   }
-  if (sectrue !=
-      load_image_header((const uint8_t *)FIRMWARE_START + current_vhdr->hdrlen,
-                        FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE,
-                        current_vhdr->vsig_m, current_vhdr->vsig_n,
-                        current_vhdr->vpub, current_hdr)) {
+  if (sectrue != check_image_model(current_hdr)) {
+    *is_new = sectrue;
+    return;
+  }
+  if (sectrue != check_image_header_sig(current_hdr, current_vhdr->vsig_m,
+                                        current_vhdr->vsig_n,
+                                        current_vhdr->vpub)) {
     *is_new = sectrue;
     return;
   }
@@ -470,7 +470,7 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
     MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
     MSG_SEND_ASSIGN_STRING(message, "Invalid chunk size");
     MSG_SEND(Failure);
-    return -1;
+    return UPLOAD_ERR_INVALID_CHUNK_SIZE;
   }
 
   static image_header hdr;
@@ -481,29 +481,80 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
     if (headers_offset == 0) {
       // first block and headers are not yet parsed
       vendor_header vhdr;
-      if (sectrue != load_vendor_header_keys(chunk_buffer, &vhdr)) {
+
+      if (sectrue != read_vendor_header(chunk_buffer, &vhdr)) {
         MSG_SEND_INIT(Failure);
         MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
         MSG_SEND_ASSIGN_STRING(message, "Invalid vendor header");
         MSG_SEND(Failure);
-        return -2;
+        return UPLOAD_ERR_INVALID_VENDOR_HEADER;
       }
-      if (sectrue != load_image_header(chunk_buffer + vhdr.hdrlen,
-                                       FIRMWARE_IMAGE_MAGIC,
-                                       FIRMWARE_IMAGE_MAXSIZE, vhdr.vsig_m,
-                                       vhdr.vsig_n, vhdr.vpub, &hdr)) {
+
+      if (sectrue != check_vendor_header_keys(&vhdr)) {
+        MSG_SEND_INIT(Failure);
+        MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
+        MSG_SEND_ASSIGN_STRING(message, "Invalid vendor header signature");
+        MSG_SEND(Failure);
+        return UPLOAD_ERR_INVALID_VENDOR_HEADER_SIG;
+      }
+
+      const image_header *received_hdr =
+          read_image_header(chunk_buffer + vhdr.hdrlen, FIRMWARE_IMAGE_MAGIC,
+                            FIRMWARE_IMAGE_MAXSIZE);
+
+      if (received_hdr != (const image_header *)chunk_buffer + vhdr.hdrlen) {
         MSG_SEND_INIT(Failure);
         MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
         MSG_SEND_ASSIGN_STRING(message, "Invalid firmware header");
         MSG_SEND(Failure);
-        return -3;
+        return UPLOAD_ERR_INVALID_IMAGE_HEADER;
       }
 
+      if (sectrue != check_image_model(received_hdr)) {
+        MSG_SEND_INIT(Failure);
+        MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
+        MSG_SEND_ASSIGN_STRING(message, "Wrong firmware model");
+        MSG_SEND(Failure);
+        return UPLOAD_ERR_INVALID_IMAGE_MODEL;
+      }
+
+      if (sectrue != check_image_header_sig(received_hdr, vhdr.vsig_m,
+                                            vhdr.vsig_n, vhdr.vpub)) {
+        MSG_SEND_INIT(Failure);
+        MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
+        MSG_SEND_ASSIGN_STRING(message, "Invalid firmware signature");
+        MSG_SEND(Failure);
+        return UPLOAD_ERR_INVALID_IMAGE_HEADER_SIG;
+      }
+
+      memcpy(&hdr, received_hdr, sizeof(hdr));
+
       vendor_header current_vhdr;
-      image_header current_hdr;
+
       secbool is_new = secfalse;
-      detect_installation(&current_vhdr, &current_hdr, &vhdr, &hdr, &is_new,
-                          &is_upgrade, &is_downgrade_wipe);
+
+      if (sectrue !=
+          read_vendor_header((const uint8_t *)FIRMWARE_START, &current_vhdr)) {
+        is_new = sectrue;
+      }
+
+      const image_header *current_hdr = NULL;
+
+      if (is_new == secfalse) {
+        current_hdr = read_image_header(
+            (const uint8_t *)FIRMWARE_START + current_vhdr.hdrlen,
+            FIRMWARE_IMAGE_MAGIC, FIRMWARE_IMAGE_MAXSIZE);
+
+        if (current_hdr !=
+            (const image_header *)(FIRMWARE_START + current_vhdr.hdrlen)) {
+          is_new = sectrue;
+        }
+      }
+
+      if (is_new == secfalse) {
+        detect_installation(&current_vhdr, current_hdr, &vhdr, &hdr, &is_new,
+                            &is_upgrade, &is_downgrade_wipe);
+      }
 
       // no user confirmations, go directly to upload
 
@@ -539,7 +590,7 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
     MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
     MSG_SEND_ASSIGN_STRING(message, "Firmware too big");
     MSG_SEND(Failure);
-    return -5;
+    return UPLOAD_ERR_FIRMWARE_TOO_BIG;
   }
 
   if (sectrue != check_single_hash(hdr.hashes + firmware_block * 32,
@@ -558,7 +609,7 @@ int process_msg_FirmwareUpload(uint8_t iface_num, uint32_t msg_size,
     MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
     MSG_SEND_ASSIGN_STRING(message, "Invalid chunk hash");
     MSG_SEND(Failure);
-    return -6;
+    return UPLOAD_ERR_INVALID_CHUNK_HASH;
   }
 
   ensure(flash_unlock_write(), NULL);
@@ -621,11 +672,11 @@ int process_msg_WipeDevice(uint8_t iface_num, uint32_t msg_size, uint8_t *buf) {
     MSG_SEND_ASSIGN_VALUE(code, FailureType_Failure_ProcessError);
     MSG_SEND_ASSIGN_STRING(message, "Could not erase flash");
     MSG_SEND(Failure);
-    return -1;
+    return WIPE_ERR_CANNOT_ERASE;
   } else {
     MSG_SEND_INIT(Success);
     MSG_SEND(Success);
-    return 0;
+    return WIPE_OK;
   }
 }
 

core/embed/bootloader_ci/messages.h

@@ -29,6 +29,24 @@
 
 #define FIRMWARE_UPLOAD_CHUNK_RETRY_COUNT 2
 
+enum {
+  UPLOAD_OK = 0,
+  UPLOAD_ERR_INVALID_CHUNK_SIZE = -1,
+  UPLOAD_ERR_INVALID_VENDOR_HEADER = -2,
+  UPLOAD_ERR_INVALID_VENDOR_HEADER_SIG = -3,
+  UPLOAD_ERR_INVALID_IMAGE_HEADER = -4,
+  UPLOAD_ERR_INVALID_IMAGE_MODEL = -5,
+  UPLOAD_ERR_INVALID_IMAGE_HEADER_SIG = -6,
+  UPLOAD_ERR_USER_ABORT = -7,
+  UPLOAD_ERR_FIRMWARE_TOO_BIG = -8,
+  UPLOAD_ERR_INVALID_CHUNK_HASH = -9,
+};
+
+enum {
+  WIPE_OK = 0,
+  WIPE_ERR_CANNOT_ERASE = -1,
+};
+
 secbool msg_parse_header(const uint8_t *buf, uint16_t *msg_id,
                          uint32_t *msg_size);
 

core/embed/extmod/modtrezorcrypto/modtrezorcrypto-bip39.h

@@ -25,41 +25,6 @@
 
 /// package: trezorcrypto.bip39
 
-/// def complete_word(prefix: str) -> str | None:
-///     """
-///     Return the first word from the wordlist starting with prefix.
-///     """
-STATIC mp_obj_t mod_trezorcrypto_bip39_complete_word(mp_obj_t prefix) {
-  mp_buffer_info_t pfx = {0};
-  mp_get_buffer_raise(prefix, &pfx, MP_BUFFER_READ);
-  if (pfx.len == 0) {
-    return mp_const_none;
-  }
-  const char *word = mnemonic_complete_word(pfx.buf, pfx.len);
-  if (word) {
-    return mp_obj_new_str(word, strlen(word));
-  } else {
-    return mp_const_none;
-  }
-}
-STATIC MP_DEFINE_CONST_FUN_OBJ_1(mod_trezorcrypto_bip39_complete_word_obj,
-                                 mod_trezorcrypto_bip39_complete_word);
-
-/// def word_completion_mask(prefix: str) -> int:
-///     """
-///     Return possible 1-letter suffixes for given word prefix.
-///     Result is a bitmask, with 'a' on the lowest bit, 'b' on the second
-///     lowest, etc.
-///     """
-STATIC mp_obj_t mod_trezorcrypto_bip39_word_completion_mask(mp_obj_t prefix) {
-  mp_buffer_info_t pfx = {0};
-  mp_get_buffer_raise(prefix, &pfx, MP_BUFFER_READ);
-  return mp_obj_new_int(mnemonic_word_completion_mask(pfx.buf, pfx.len));
-}
-STATIC MP_DEFINE_CONST_FUN_OBJ_1(
-    mod_trezorcrypto_bip39_word_completion_mask_obj,
-    mod_trezorcrypto_bip39_word_completion_mask);
-
 /// def generate(strength: int) -> str:
 ///     """
 ///     Generate a mnemonic of given strength (128, 160, 192, 224 and 256 bits).
@@ -148,10 +113,6 @@ STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(mod_trezorcrypto_bip39_seed_obj, 2,
 
 STATIC const mp_rom_map_elem_t mod_trezorcrypto_bip39_globals_table[] = {
     {MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_bip39)},
-    {MP_ROM_QSTR(MP_QSTR_complete_word),
-     MP_ROM_PTR(&mod_trezorcrypto_bip39_complete_word_obj)},
-    {MP_ROM_QSTR(MP_QSTR_word_completion_mask),
-     MP_ROM_PTR(&mod_trezorcrypto_bip39_word_completion_mask_obj)},
     {MP_ROM_QSTR(MP_QSTR_generate),
      MP_ROM_PTR(&mod_trezorcrypto_bip39_generate_obj)},
     {MP_ROM_QSTR(MP_QSTR_from_data),

core/embed/extmod/modtrezorcrypto/modtrezorcrypto-slip39.h

@@ -24,47 +24,6 @@
 
 /// package: trezorcrypto.slip39
 
-/// def word_completion_mask(prefix: int) -> int:
-///     """
-///     Calculates which buttons still can be pressed after some already were.
-///     Returns a 9-bit bitmask, where each bit specifies which buttons
-///     can be further pressed (there are still words in this combination).
-///     LSB denotes first button.
-///
-///     Example: 110000110 - second, third, eighth and ninth button still can be
-///     pressed.
-///     """
-STATIC mp_obj_t mod_trezorcrypto_slip39_word_completion_mask(mp_obj_t _prefix) {
-  uint16_t prefix = mp_obj_get_int(_prefix);
-
-  if (prefix < 1 || prefix > 9999) {
-    mp_raise_ValueError(
-        "Invalid button prefix (range between 1 and 9999 is allowed)");
-  }
-  return mp_obj_new_int_from_uint(slip39_word_completion_mask(prefix));
-}
-STATIC MP_DEFINE_CONST_FUN_OBJ_1(
-    mod_trezorcrypto_slip39_word_completion_mask_obj,
-    mod_trezorcrypto_slip39_word_completion_mask);
-
-/// def button_sequence_to_word(prefix: int) -> str:
-///     """
-///     Finds the first word that fits the given button prefix.
-///     """
-STATIC mp_obj_t
-mod_trezorcrypto_slip39_button_sequence_to_word(mp_obj_t _prefix) {
-  uint16_t prefix = mp_obj_get_int(_prefix);
-
-  const char *word = button_sequence_to_word(prefix);
-  if (word == NULL) {
-    mp_raise_ValueError("Invalid button prefix");
-  }
-  return mp_obj_new_str_copy(&mp_type_str, (const uint8_t *)word, strlen(word));
-}
-STATIC MP_DEFINE_CONST_FUN_OBJ_1(
-    mod_trezorcrypto_slip39_button_sequence_to_word_obj,
-    mod_trezorcrypto_slip39_button_sequence_to_word);
-
 /// def word_index(word: str) -> int:
 ///     """
 ///     Finds index of given word.
@@ -104,10 +63,6 @@ STATIC MP_DEFINE_CONST_FUN_OBJ_1(mod_trezorcrypto_slip39_get_word_obj,
 
 STATIC const mp_rom_map_elem_t mod_trezorcrypto_slip39_globals_table[] = {
     {MP_ROM_QSTR(MP_QSTR___name__), MP_ROM_QSTR(MP_QSTR_slip39)},
-    {MP_ROM_QSTR(MP_QSTR_word_completion_mask),
-     MP_ROM_PTR(&mod_trezorcrypto_slip39_word_completion_mask_obj)},
-    {MP_ROM_QSTR(MP_QSTR_button_sequence_to_word),
-     MP_ROM_PTR(&mod_trezorcrypto_slip39_button_sequence_to_word_obj)},
     {MP_ROM_QSTR(MP_QSTR_word_index),
      MP_ROM_PTR(&mod_trezorcrypto_slip39_word_index_obj)},
     {MP_ROM_QSTR(MP_QSTR_get_word),

core/embed/extmod/modtrezorio/ff.h

@@ -1,10 +1,10 @@
 // clang-format off
 
 /*----------------------------------------------------------------------------/
-/  FatFs - Generic FAT Filesystem module  R0.14                               /
+/  FatFs - Generic FAT Filesystem module  R0.15                               /
 /-----------------------------------------------------------------------------/
 /
-/ Copyright (C) 2019, ChaN, all right reserved.
+/ Copyright (C) 2022, ChaN, all right reserved.
 /
 / FatFs module is an open source software. Redistribution and use of FatFs in
 / source and binary forms, with or without modification, are permitted provided
@@ -22,7 +22,7 @@
 
 
 #ifndef FF_DEFINED
-#define FF_DEFINED	86606	/* Revision ID */
+#define FF_DEFINED	80286	/* Revision ID */
 
 #ifdef __cplusplus
 extern "C" {
@@ -37,10 +37,14 @@ extern "C" {
 
 /* Integer types used for FatFs API */
 
-#if defined(_WIN32)	/* Main development platform */
+#if defined(_WIN32)		/* Windows VC++ (for development only) */
 #define FF_INTDEF 2
 #include <windows.h>
 typedef unsigned __int64 QWORD;
+#include <float.h>
+#define isnan(v) _isnan(v)
+#define isinf(v) (!_finite(v))
+
 #elif (defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L) || defined(__cplusplus)	/* C99 or later */
 #define FF_INTDEF 2
 #include <stdint.h>
@@ -50,6 +54,7 @@ typedef uint16_t		WORD;	/* 16-bit unsigned integer */
 typedef uint32_t		DWORD;	/* 32-bit unsigned integer */
 typedef uint64_t		QWORD;	/* 64-bit unsigned integer */
 typedef WORD			WCHAR;	/* UTF-16 character type */
+
 #else  	/* Earlier than C99 */
 #define FF_INTDEF 1
 typedef unsigned int	UINT;	/* int must be 16-bit or 32-bit */
@@ -60,53 +65,6 @@ typedef WORD			WCHAR;	/* UTF-16 character type */
 #endif
 
 
-/* Definitions of volume management */
-
-#if FF_MULTI_PARTITION		/* Multiple partition configuration */
-typedef struct {
-	BYTE pd;	/* Physical drive number */
-	BYTE pt;	/* Partition: 0:Auto detect, 1-4:Forced partition) */
-} PARTITION;
-extern PARTITION VolToPart[];	/* Volume - Partition mapping table */
-#endif
-
-#if FF_STR_VOLUME_ID
-#ifndef FF_VOLUME_STRS
-extern const char* VolumeStr[FF_VOLUMES];	/* User defied volume ID */
-#endif
-#endif
-
-
-
-/* Type of path name strings on FatFs API */
-
-#ifndef _INC_TCHAR
-#define _INC_TCHAR
-
-#if FF_USE_LFN && FF_LFN_UNICODE == 1 	/* Unicode in UTF-16 encoding */
-typedef WCHAR TCHAR;
-#define _T(x) L ## x
-#define _TEXT(x) L ## x
-#elif FF_USE_LFN && FF_LFN_UNICODE == 2	/* Unicode in UTF-8 encoding */
-typedef char TCHAR;
-#define _T(x) u8 ## x
-#define _TEXT(x) u8 ## x
-#elif FF_USE_LFN && FF_LFN_UNICODE == 3	/* Unicode in UTF-32 encoding */
-typedef DWORD TCHAR;
-#define _T(x) U ## x
-#define _TEXT(x) U ## x
-#elif FF_USE_LFN && (FF_LFN_UNICODE < 0 || FF_LFN_UNICODE > 3)
-#error Wrong FF_LFN_UNICODE setting
-#else									/* ANSI/OEM code in SBCS/DBCS */
-typedef char TCHAR;
-#define _T(x) x
-#define _TEXT(x) x
-#endif
-
-#endif
-
-
-
 /* Type of file size and LBA variables */
 
 #if FF_FS_EXFAT
@@ -129,14 +87,57 @@ typedef DWORD LBA_t;
 
 
 
+/* Type of path name strings on FatFs API (TCHAR) */
+
+#if FF_USE_LFN && FF_LFN_UNICODE == 1 	/* Unicode in UTF-16 encoding */
+typedef WCHAR TCHAR;
+#define _T(x) L ## x
+#define _TEXT(x) L ## x
+#elif FF_USE_LFN && FF_LFN_UNICODE == 2	/* Unicode in UTF-8 encoding */
+typedef char TCHAR;
+#define _T(x) u8 ## x
+#define _TEXT(x) u8 ## x
+#elif FF_USE_LFN && FF_LFN_UNICODE == 3	/* Unicode in UTF-32 encoding */
+typedef DWORD TCHAR;
+#define _T(x) U ## x
+#define _TEXT(x) U ## x
+#elif FF_USE_LFN && (FF_LFN_UNICODE < 0 || FF_LFN_UNICODE > 3)
+#error Wrong FF_LFN_UNICODE setting
+#else									/* ANSI/OEM code in SBCS/DBCS */
+typedef char TCHAR;
+#define _T(x) x
+#define _TEXT(x) x
+#endif
+
+
+
+/* Definitions of volume management */
+
+#if FF_MULTI_PARTITION		/* Multiple partition configuration */
+typedef struct {
+	BYTE pd;	/* Physical drive number */
+	BYTE pt;	/* Partition: 0:Auto detect, 1-4:Forced partition) */
+} PARTITION;
+extern PARTITION VolToPart[];	/* Volume - Partition mapping table */
+#endif
+
+#if FF_STR_VOLUME_ID
+#ifndef FF_VOLUME_STRS
+extern const char* VolumeStr[FF_VOLUMES];	/* User defied volume ID */
+#endif
+#endif
+
+
+
 /* Filesystem object structure (FATFS) */
 
 typedef struct {
 	BYTE	fs_type;		/* Filesystem type (0:not mounted) */
-	BYTE	pdrv;			/* Associated physical drive */
+	BYTE	pdrv;			/* Volume hosting physical drive */
+	BYTE	ldrv;			/* Logical drive number (used only when FF_FS_REENTRANT) */
 	BYTE	n_fats;			/* Number of FATs (1 or 2) */
-	BYTE	wflag;			/* win[] flag (b0:dirty) */
-	BYTE	fsi_flag;		/* FSINFO flags (b7:disabled, b0:dirty) */
+	BYTE	wflag;			/* win[] status (b0:dirty) */
+	BYTE	fsi_flag;		/* FSINFO status (b7:disabled, b0:dirty) */
 	WORD	id;				/* Volume mount ID */
 	WORD	n_rootdir;		/* Number of root directory entries (FAT12/16) */
 	WORD	csize;			/* Cluster size [sectors] */
@@ -149,9 +150,6 @@ typedef struct {
 #if FF_FS_EXFAT
 	BYTE*	dirbuf;			/* Directory entry block scratchpad buffer for exFAT */
 #endif
-#if FF_FS_REENTRANT
-	FF_SYNC_t	sobj;		/* Identifier of sync object */
-#endif
 #if !FF_FS_READONLY
 	DWORD	last_clst;		/* Last allocated cluster */
 	DWORD	free_clst;		/* Number of free clusters */
@@ -165,10 +163,10 @@ typedef struct {
 #endif
 #endif
 	DWORD	n_fatent;		/* Number of FAT entries (number of clusters + 2) */
-	DWORD	fsize;			/* Size of an FAT [sectors] */
+	DWORD	fsize;			/* Number of sectors per FAT */
 	LBA_t	volbase;		/* Volume base sector */
 	LBA_t	fatbase;		/* FAT base sector */
-	LBA_t	dirbase;		/* Root directory base sector/cluster */
+	LBA_t	dirbase;		/* Root directory base sector (FAT12/16) or cluster (FAT32/exFAT) */
 	LBA_t	database;		/* Data base sector */
 #if FF_FS_EXFAT
 	LBA_t	bitbase;		/* Allocation bitmap base sector */
@@ -183,7 +181,7 @@ typedef struct {
 
 typedef struct {
 	FATFS*	fs;				/* Pointer to the hosting volume of this object */
-	WORD	id;				/* Hosting volume mount ID */
+	WORD	id;				/* Hosting volume's mount ID */
 	BYTE	attr;			/* Object attribute */
 	BYTE	stat;			/* Object chain status (b1-0: =0:not contiguous, =2:contiguous, =3:fragmented in this session, b2:sub-directory stretched) */
 	DWORD	sclust;			/* Object data start cluster (0:no cluster or root directory) */
@@ -300,8 +298,10 @@ typedef enum {
 
 
 
+
+/*--------------------------------------------------------------*/
+/* FatFs Module Application Interface                           */
 /*--------------------------------------------------------------*/
-/* FatFs module application interface                           */
 
 FRESULT f_open (FIL* fp, const TCHAR* path, BYTE mode);				/* Open or create a file */
 FRESULT f_close (FIL* fp);											/* Close an open file object */
@@ -338,6 +338,8 @@ int f_puts (const TCHAR* str, FIL* cp);								/* Put a string to the file */
 int f_printf (FIL* fp, const TCHAR* str, ...);						/* Put a formatted string to the file */
 TCHAR* f_gets (TCHAR* buff, int len, FIL* fp);						/* Get a string from the file */
 
+/* Some API fucntions are implemented as macro */
+
 #define f_eof(fp) ((int)((fp)->fptr == (fp)->obj.objsize))
 #define f_error(fp) ((fp)->err)
 #define f_tell(fp) ((fp)->fptr)
@@ -347,46 +349,47 @@ TCHAR* f_gets (TCHAR* buff, int len, FIL* fp);						/* Get a string from the fil
 #define f_rmdir(path) f_unlink(path)
 #define f_unmount(path) f_mount(0, path, 0)
 
-#ifndef EOF
-#define EOF (-1)
-#endif
-
 
 
 
 /*--------------------------------------------------------------*/
-/* Additional user defined functions                            */
+/* Additional Functions                                         */
+/*--------------------------------------------------------------*/
 
-/* RTC function */
+/* RTC function (provided by user) */
 #if !FF_FS_READONLY && !FF_FS_NORTC
-DWORD get_fattime (void);
+DWORD get_fattime (void);	/* Get current time */
 #endif
 
-/* LFN support functions */
-#if FF_USE_LFN >= 1						/* Code conversion (defined in unicode.c) */
+
+/* LFN support functions (defined in ffunicode.c) */
+
+#if FF_USE_LFN >= 1
 WCHAR ff_oem2uni (WCHAR oem, WORD cp);	/* OEM code to Unicode conversion */
 WCHAR ff_uni2oem (DWORD uni, WORD cp);	/* Unicode to OEM code conversion */
 DWORD ff_wtoupper (DWORD uni);			/* Unicode upper-case conversion */
 #endif
-#if FF_USE_LFN == 3						/* Dynamic memory allocation */
-void* ff_memalloc (UINT msize);			/* Allocate memory block */
-void ff_memfree (void* mblock);			/* Free memory block */
-#endif
 
-/* Sync functions */
-#if FF_FS_REENTRANT
-int ff_cre_syncobj (BYTE vol, FF_SYNC_t* sobj);	/* Create a sync object */
-int ff_req_grant (FF_SYNC_t sobj);		/* Lock sync object */
-void ff_rel_grant (FF_SYNC_t sobj);		/* Unlock sync object */
-int ff_del_syncobj (FF_SYNC_t sobj);	/* Delete a sync object */
+
+/* O/S dependent functions (samples available in ffsystem.c) */
+
+#if FF_USE_LFN == 3		/* Dynamic memory allocation */
+void* ff_memalloc (UINT msize);		/* Allocate memory block */
+void ff_memfree (void* mblock);		/* Free memory block */
+#endif
+#if FF_FS_REENTRANT	/* Sync functions */
+int ff_mutex_create (int vol);		/* Create a sync object */
+void ff_mutex_delete (int vol);		/* Delete a sync object */
+int ff_mutex_take (int vol);		/* Lock sync object */
+void ff_mutex_give (int vol);		/* Unlock sync object */
 #endif
 
 
 
 
 /*--------------------------------------------------------------*/
-/* Flags and offset address                                     */
-
+/* Flags and Offset Address                                     */
+/*--------------------------------------------------------------*/
 
 /* File access mode and open method flags (3rd argument of f_open) */
 #define	FA_READ				0x01

core/embed/extmod/modtrezorio/ffconf.h

@@ -1,10 +1,10 @@
 // clang-format off
 
 /*---------------------------------------------------------------------------/
-/  FatFs Functional Configurations
+/  Configurations of FatFs Module
 /---------------------------------------------------------------------------*/
 
-#define FFCONF_DEF	86606	/* Revision ID */
+#define FFCONF_DEF	80286	/* Revision ID */
 
 /*---------------------------------------------------------------------------/
 / Function Configurations
@@ -27,14 +27,6 @@
 /   3: f_lseek() function is removed in addition to 2. */
 
 
-#define FF_USE_STRFUNC	0
-/* This option switches string functions, f_gets(), f_putc(), f_puts() and f_printf().
-/
-/  0: Disable string functions.
-/  1: Enable without LF-CRLF conversion.
-/  2: Enable with LF-CRLF conversion. */
-
-
 #define FF_USE_FIND		0
 /* This option switches filtered directory read functions, f_findfirst() and
 /  f_findnext(). (0:Disable, 1:Enable 2:Enable with matching altname[] too) */
@@ -66,6 +58,30 @@
 /* This option switches f_forward() function. (0:Disable or 1:Enable) */
 
 
+#define FF_USE_STRFUNC	0
+#define FF_PRINT_LLI	1
+#define FF_PRINT_FLOAT	1
+#define FF_STRF_ENCODE	3
+/* FF_USE_STRFUNC switches string functions, f_gets(), f_putc(), f_puts() and
+/  f_printf().
+/
+/   0: Disable. FF_PRINT_LLI, FF_PRINT_FLOAT and FF_STRF_ENCODE have no effect.
+/   1: Enable without LF-CRLF conversion.
+/   2: Enable with LF-CRLF conversion.
+/
+/  FF_PRINT_LLI = 1 makes f_printf() support long long argument and FF_PRINT_FLOAT = 1/2
+/  makes f_printf() support floating point argument. These features want C99 or later.
+/  When FF_LFN_UNICODE >= 1 with LFN enabled, string functions convert the character
+/  encoding in it. FF_STRF_ENCODE selects assumption of character encoding ON THE FILE
+/  to be read/written via those functions.
+/
+/   0: ANSI/OEM in current CP
+/   1: Unicode in UTF-16LE
+/   2: Unicode in UTF-16BE
+/   3: Unicode in UTF-8
+*/
+
+
 /*---------------------------------------------------------------------------/
 / Locale and Namespace Configurations
 /---------------------------------------------------------------------------*/
@@ -139,19 +155,6 @@
 /  on character encoding. When LFN is not enabled, these options have no effect. */
 
 
-#define FF_STRF_ENCODE	3
-/* When FF_LFN_UNICODE >= 1 with LFN enabled, string I/O functions, f_gets(),
-/  f_putc(), f_puts and f_printf() convert the character encoding in it.
-/  This option selects assumption of character encoding ON THE FILE to be
-/  read/written via those functions.
-/
-/   0: ANSI/OEM in current CP
-/   1: Unicode in UTF-16LE
-/   2: Unicode in UTF-16BE
-/   3: Unicode in UTF-8
-*/
-
-
 #define FF_FS_RPATH		0
 /* This option configures support for relative path.
 /
@@ -177,7 +180,7 @@
 /  logical drives. Number of items must not be less than FF_VOLUMES. Valid
 /  characters for the volume ID strings are A-Z, a-z and 0-9, however, they are
 /  compared in case-insensitive. If FF_STR_VOLUME_ID >= 1 and FF_VOLUME_STRS is
-/  not defined, a user defined volume string table needs to be defined as:
+/  not defined, a user defined volume string table is needed as:
 /
 /  const char* VolumeStr[FF_VOLUMES] = {"ram","flash","sd","usb",...
 */
@@ -196,7 +199,7 @@
 #define FF_MAX_SS		512
 /* This set of options configures the range of sector size to be supported. (512,
 /  1024, 2048 or 4096) Always set both 512 for most systems, generic memory card and
-/  harddisk. But a larger value may be required for on-board flash memory and some
+/  harddisk, but a larger value may be required for on-board flash memory and some
 /  type of optical media. When FF_MAX_SS is larger than FF_MIN_SS, FatFs is configured
 /  for variable sector size mode and disk_ioctl() function needs to implement
 /  GET_SECTOR_SIZE command. */
@@ -207,8 +210,8 @@
 /  To enable the 64-bit LBA, also exFAT needs to be enabled. (FF_FS_EXFAT == 1) */
 
 
-#define FF_MIN_GPT		0x100000000
-/* Minimum number of sectors to switch GPT format to create partition in f_mkfs and
+#define FF_MIN_GPT		0x10000000
+/* Minimum number of sectors to switch GPT as partitioning format in f_mkfs and
 /  f_fdisk function. 0x100000000 max. This option has no effect when FF_LBA64 == 0. */
 
 
@@ -240,9 +243,9 @@
 #define FF_NORTC_MON	1
 #define FF_NORTC_MDAY	1
 #define FF_NORTC_YEAR	2019
-/* The option FF_FS_NORTC switches timestamp functiton. If the system does not have
-/  any RTC function or valid timestamp is not needed, set FF_FS_NORTC = 1 to disable
-/  the timestamp function. Every object modified by FatFs will have a fixed timestamp
+/* The option FF_FS_NORTC switches timestamp feature. If the system does not have
+/  an RTC or valid timestamp is not needed, set FF_FS_NORTC = 1 to disable the
+/  timestamp feature. Every object modified by FatFs will have a fixed timestamp
 /  defined by FF_NORTC_MON, FF_NORTC_MDAY and FF_NORTC_YEAR in local time.
 /  To enable timestamp function (FF_FS_NORTC = 0), get_fattime() function need to be
 /  added to the project to read current time form real-time clock. FF_NORTC_MON,
@@ -252,7 +255,7 @@
 
 #define FF_FS_NOFSINFO	0
 /* If you need to know correct free space on the FAT32 volume, set bit 0 of this
-/  option, and f_getfree() function at first time after volume mount will force
+/  option, and f_getfree() function at the first time after volume mount will force
 /  a full FAT scan. Bit 1 controls the use of last allocated cluster number.
 /
 /  bit0=0: Use free cluster count in the FSINFO if available.
@@ -274,26 +277,21 @@
 /      lock control is independent of re-entrancy. */
 
 
-/* #include <somertos.h>	// O/S definitions */
 #define FF_FS_REENTRANT	0
 #define FF_FS_TIMEOUT	1000
-#define FF_SYNC_t		HANDLE
 /* The option FF_FS_REENTRANT switches the re-entrancy (thread safe) of the FatFs
 /  module itself. Note that regardless of this option, file access to different
 /  volume is always re-entrant and volume control functions, f_mount(), f_mkfs()
 /  and f_fdisk() function, are always not re-entrant. Only file/directory access
-/  to the same volume is under control of this function.
+/  to the same volume is under control of this featuer.
 /
-/   0: Disable re-entrancy. FF_FS_TIMEOUT and FF_SYNC_t have no effect.
+/   0: Disable re-entrancy. FF_FS_TIMEOUT have no effect.
 /   1: Enable re-entrancy. Also user provided synchronization handlers,
-/      ff_req_grant(), ff_rel_grant(), ff_del_syncobj() and ff_cre_syncobj()
-/      function, must be added to the project. Samples are available in
-/      option/syscall.c.
+/      ff_mutex_create(), ff_mutex_delete(), ff_mutex_take() and ff_mutex_give()
+/      function, must be added to the project. Samples are available in ffsystem.c.
 /
-/  The FF_FS_TIMEOUT defines timeout period in unit of time tick.
-/  The FF_SYNC_t defines O/S dependent sync object type. e.g. HANDLE, ID, OS_EVENT*,
-/  SemaphoreHandle_t and etc. A header file for O/S definitions needs to be
-/  included somewhere in the scope of ff.h. */
+/  The FF_FS_TIMEOUT defines timeout period in unit of O/S time tick.
+*/
 
 
 

core/embed/extmod/modtrezorio/ffunicode.c

@@ -1,15 +1,15 @@
 // clang-format off
 
 /*------------------------------------------------------------------------*/
-/* Unicode handling functions for FatFs R0.13+                            */
+/* Unicode Handling Functions for FatFs R0.13 and Later                   */
+/*------------------------------------------------------------------------*/
+/* This module will occupy a huge memory in the .rodata section when the  */
+/* FatFs is configured for LFN with DBCS. If the system has a Unicode     */
+/* library for the code conversion, this module should be modified to use */
+/* it to avoid silly memory consumption.                                  */
 /*------------------------------------------------------------------------*/
-/* This module will occupy a huge memory in the .const section when the    /
-/  FatFs is configured for LFN with DBCS. If the system has any Unicode    /
-/  utilitiy for the code conversion, this module should be modified to use /
-/  that function to avoid silly memory consumption.                        /
-/-------------------------------------------------------------------------*/
 /*
-/ Copyright (C) 2014, ChaN, all right reserved.
+/ Copyright (C) 2022, ChaN, all right reserved.
 /
 / FatFs module is an open source software. Redistribution and use of FatFs in
 / source and binary forms, with or without modification, are permitted provided
@@ -27,7 +27,7 @@
 
 #include "ff.h"
 
-#if FF_USE_LFN	/* This module will be blanked if non-LFN configuration */
+#if FF_USE_LFN != 0	/* This module will be blanked if in non-LFN configuration */
 
 #define MERGE2(a, b) a ## b
 #define CVTBL(tbl, cp) MERGE2(tbl, cp)
@@ -56,8 +56,8 @@ static const WCHAR uc437[] = {	/*  CP437(U.S.) to Unicode conversion table */
 
 
 /*------------------------------------------------------------------------*/
-/* OEM <==> Unicode conversions for static code page configuration        */
-/* SBCS fixed code page                                                   */
+/* OEM <==> Unicode Conversions for Static Code Page Configuration with   */
+/* SBCS Fixed Code Page                                                   */
 /*------------------------------------------------------------------------*/
 
 WCHAR ff_uni2oem (	/* Returns OEM code character, zero on error */
@@ -66,7 +66,7 @@ WCHAR ff_uni2oem (	/* Returns OEM code character, zero on error */
 )
 {
 	WCHAR c = 0;
-	const WCHAR *p = CVTBL(uc, FF_CODE_PAGE);
+	const WCHAR* p = CVTBL(uc, FF_CODE_PAGE);
 
 
 	if (uni < 0x80) {	/* ASCII? */
@@ -88,7 +88,7 @@ WCHAR ff_oem2uni (	/* Returns Unicode character in UTF-16, zero on error */
 )
 {
 	WCHAR c = 0;
-	const WCHAR *p = CVTBL(uc, FF_CODE_PAGE);
+	const WCHAR* p = CVTBL(uc, FF_CODE_PAGE);
 
 
 	if (oem < 0x80) {	/* ASCII? */
@@ -105,24 +105,8 @@ WCHAR ff_oem2uni (	/* Returns Unicode character in UTF-16, zero on error */
 
 
 
-
 /*------------------------------------------------------------------------*/
-/* OEM <==> Unicode conversions for static code page configuration        */
-/* DBCS fixed code page                                                   */
-/*------------------------------------------------------------------------*/
-
-
-
-
-/*------------------------------------------------------------------------*/
-/* OEM <==> Unicode conversions for dynamic code page configuration       */
-/*------------------------------------------------------------------------*/
-
-
-
-
-/*------------------------------------------------------------------------*/
-/* Unicode up-case conversion                                             */
+/* Unicode Up-case Conversion                                             */
 /*------------------------------------------------------------------------*/
 
 DWORD ff_wtoupper (	/* Returns up-converted code point */
@@ -254,4 +238,4 @@ DWORD ff_wtoupper (	/* Returns up-converted code point */
 }
 
 
-#endif /* #if FF_USE_LFN */
+#endif /* #if FF_USE_LFN != 0 */

core/embed/extmod/modtrezorui/buffers.c

@@ -22,17 +22,12 @@
 #include "fonts/fonts.h"
 #include "memzero.h"
 
-#if USE_DMA2D
-
-#if defined BOOTLOADER
-#define BUFFER_SECTION __attribute__((section(".buf")))
-#else
-#define BUFFER_SECTION
-#endif
-
 #define BUFFERS_16BPP 3
 #define BUFFERS_4BPP 3
 #define BUFFERS_TEXT 1
+#define BUFFERS_JPEG 1
+#define BUFFERS_JPEG_WORK 1
+#define BUFFERS_BLURRING 1
 
 const int32_t text_buffer_height = FONT_MAX_HEIGHT;
 const int32_t buffer_width = DISPLAY_RESX;
@@ -40,6 +35,9 @@ const int32_t buffer_width = DISPLAY_RESX;
 BUFFER_SECTION line_buffer_16bpp_t line_buffers_16bpp[BUFFERS_16BPP];
 BUFFER_SECTION line_buffer_4bpp_t line_buffers_4bpp[BUFFERS_4BPP];
 BUFFER_SECTION buffer_text_t text_buffers[BUFFERS_TEXT];
+NODMA_BUFFER_SECTION buffer_jpeg_t jpeg_buffers[BUFFERS_JPEG];
+NODMA_BUFFER_SECTION buffer_jpeg_work_t jpeg_work_buffers[BUFFERS_JPEG_WORK];
+NODMA_BUFFER_SECTION buffer_blurring_t blurring_buffers[BUFFERS_BLURRING];
 
 line_buffer_16bpp_t* buffers_get_line_buffer_16bpp(uint16_t idx, bool clear) {
   if (idx >= BUFFERS_16BPP) {
@@ -71,4 +69,35 @@ buffer_text_t* buffers_get_text_buffer(uint16_t idx, bool clear) {
   return &text_buffers[idx];
 }
 
-#endif
+buffer_jpeg_t* buffers_get_jpeg_buffer(uint16_t idx, bool clear) {
+  if (idx >= BUFFERS_JPEG) {
+    return NULL;
+  }
+
+  if (clear) {
+    memzero(&jpeg_buffers[idx], sizeof(jpeg_buffers[idx]));
+  }
+  return &jpeg_buffers[idx];
+}
+
+buffer_jpeg_work_t* buffers_get_jpeg_work_buffer(uint16_t idx, bool clear) {
+  if (idx >= BUFFERS_JPEG_WORK) {
+    return NULL;
+  }
+
+  if (clear) {
+    memzero(&jpeg_work_buffers[idx], sizeof(jpeg_work_buffers[idx]));
+  }
+  return &jpeg_work_buffers[idx];
+}
+
+buffer_blurring_t* buffers_get_blurring_buffer(uint16_t idx, bool clear) {
+  if (idx >= BUFFERS_BLURRING) {
+    return NULL;
+  }
+
+  if (clear) {
+    memzero(&blurring_buffers[idx], sizeof(blurring_buffers[idx]));
+  }
+  return &blurring_buffers[idx];
+}

core/embed/extmod/modtrezorui/buffers.h

@@ -27,15 +27,33 @@
 
 #define BUFFER_PIXELS DISPLAY_RESX
 
-#define TEXT_BUFFER_HEIGHT 24
+#define TEXT_BUFFER_HEIGHT 32
 
 #if TEXT_BUFFER_HEIGHT < FONT_MAX_HEIGHT
 #error Text buffer height is too small, please adjust to match used fonts
 #endif
 
-#define LINE_BUFFER_16BPP_SIZE BUFFER_PIXELS * 2
-#define LINE_BUFFER_4BPP_SIZE BUFFER_PIXELS / 2
-#define TEXT_BUFFER_SIZE (BUFFER_PIXELS * TEXT_BUFFER_HEIGHT) / 2
+#define LINE_BUFFER_16BPP_SIZE (BUFFER_PIXELS * 2)
+#define LINE_BUFFER_4BPP_SIZE (BUFFER_PIXELS / 2)
+#define TEXT_BUFFER_SIZE ((BUFFER_PIXELS * TEXT_BUFFER_HEIGHT) / 2)
+#define JPEG_BUFFER_SIZE (BUFFER_PIXELS * 16)
+
+// 3100 is needed according to tjpgd docs,
+// 256 because we need non overlapping memory in rust
+// 6 << 10 is for huffman decoding table
+#define JPEG_WORK_SIZE (3100 + 256 + (6 << 10))
+
+#if defined BOOTLOADER
+#define BUFFER_SECTION __attribute__((section(".buf")))
+#else
+#define BUFFER_SECTION
+#endif
+
+#if defined BOOTLOADER || defined TREZOR_EMULATOR
+#define NODMA_BUFFER_SECTION
+#else
+#define NODMA_BUFFER_SECTION __attribute__((section(".no_dma_buffers")))
+#endif
 
 typedef __attribute__((aligned(4))) struct {
   uint8_t buffer[LINE_BUFFER_16BPP_SIZE];
@@ -49,11 +67,26 @@ typedef __attribute__((aligned(4))) struct {
   uint8_t buffer[TEXT_BUFFER_SIZE];
 } buffer_text_t;
 
+typedef __attribute__((aligned(4))) struct {
+  uint16_t buffer[JPEG_BUFFER_SIZE];
+} buffer_jpeg_t;
+
+typedef __attribute__((aligned(4))) struct {
+  uint8_t buffer[JPEG_WORK_SIZE];
+} buffer_jpeg_work_t;
+
+typedef __attribute__((aligned(4))) struct {
+  uint16_t buffer[10][3][BUFFER_PIXELS];
+} buffer_blurring_t;
+
 extern const int32_t text_buffer_height;
 extern const int32_t buffer_width;
 
 line_buffer_16bpp_t* buffers_get_line_buffer_16bpp(uint16_t idx, bool clear);
 line_buffer_4bpp_t* buffers_get_line_buffer_4bpp(uint16_t idx, bool clear);
 buffer_text_t* buffers_get_text_buffer(uint16_t idx, bool clear);
+buffer_jpeg_t* buffers_get_jpeg_buffer(uint16_t idx, bool clear);
+buffer_jpeg_work_t* buffers_get_jpeg_work_buffer(uint16_t idx, bool clear);
+buffer_blurring_t* buffers_get_blurring_buffer(uint16_t idx, bool clear);
 
 #endif  // _BUFFERS_H

core/embed/extmod/modtrezorui/display.c

@@ -149,6 +149,45 @@ void display_bar_radius(int x, int y, int w, int h, uint16_t c, uint16_t b,
   PIXELDATA_DIRTY();
 }
 
+void display_bar_radius_buffer(int x, int y, int w, int h, uint8_t r,
+                               buffer_text_t *buffer) {
+  if (h > 32) {
+    return;
+  }
+  if (r != 2 && r != 4 && r != 8 && r != 16) {
+    return;
+  } else {
+    r = 16 / r;
+  }
+  int x0 = 0, y0 = 0, x1 = 0, y1 = 0;
+  clamp_coords(x, y, w, h, &x0, &y0, &x1, &y1);
+  for (int j = y0; j <= y1; j++) {
+    for (int i = x0; i <= x1; i++) {
+      int rx = i - x;
+      int ry = j - y;
+      int p = j * DISPLAY_RESX + i;
+      uint8_t c = 0;
+      if (rx < CORNER_RADIUS / r && ry < CORNER_RADIUS / r) {
+        c = cornertable[rx * r + ry * r * CORNER_RADIUS];
+      } else if (rx < CORNER_RADIUS / r && ry >= h - CORNER_RADIUS / r) {
+        c = cornertable[rx * r + (h - 1 - ry) * r * CORNER_RADIUS];
+      } else if (rx >= w - CORNER_RADIUS / r && ry < CORNER_RADIUS / r) {
+        c = cornertable[(w - 1 - rx) * r + ry * r * CORNER_RADIUS];
+      } else if (rx >= w - CORNER_RADIUS / r && ry >= h - CORNER_RADIUS / r) {
+        c = cornertable[(w - 1 - rx) * r + (h - 1 - ry) * r * CORNER_RADIUS];
+      } else {
+        c = 15;
+      }
+      int b = p / 2;
+      if (p % 2) {
+        buffer->buffer[b] |= c << 4;
+      } else {
+        buffer->buffer[b] |= (c);
+      }
+    }
+  }
+}
+
 #define UZLIB_WINDOW_SIZE (1 << 10)
 
 static void uzlib_prepare(struct uzlib_uncomp *decomp, uint8_t *window,

core/embed/extmod/modtrezorui/display.h

@@ -61,6 +61,8 @@ void display_clear(void);
 void display_bar(int x, int y, int w, int h, uint16_t c);
 void display_bar_radius(int x, int y, int w, int h, uint16_t c, uint16_t b,
                         uint8_t r);
+void display_bar_radius_buffer(int x, int y, int w, int h, uint8_t r,
+                               buffer_text_t *buffer);
 
 bool display_toif_info(const uint8_t *buf, uint32_t len, uint16_t *out_w,
                        uint16_t *out_h, toif_format_t *out_format);

core/embed/extmod/modtrezorui/display_interface.h

@@ -43,6 +43,7 @@ int display_backlight(int val);
 
 void display_init(void);
 void display_reinit(void);
+void display_sync(void);
 void display_refresh(void);
 const char *display_save(const char *prefix);
 void display_clear_save(void);

core/embed/firmware/bl_check.c

@@ -20,12 +20,14 @@
 #include <stdint.h>
 #include <string.h>
 #include "blake2s.h"
+#include "board_capabilities.h"
 #include "common.h"
 #include "flash.h"
+#include "image.h"
 
 // symbols from bootloader.bin => bootloader.o
-extern const uint32_t _binary_embed_firmware_bootloader_bin_start;
-extern const uint32_t _binary_embed_firmware_bootloader_bin_size;
+extern const void _binary_embed_firmware_bootloader_bin_start;
+extern const void _binary_embed_firmware_bootloader_bin_size;
 
 /*
 static secbool known_bootloader(const uint8_t *hash, int len) {
@@ -97,6 +99,48 @@ void check_and_replace_bootloader(void) {
       (const uint32_t *)&_binary_embed_firmware_bootloader_bin_start;
   const uint32_t len =
       (const uint32_t)&_binary_embed_firmware_bootloader_bin_size;
+
+  const image_header *new_bld_hdr = read_image_header(
+      (uint8_t *)data, BOOTLOADER_IMAGE_MAGIC, BOOTLOADER_IMAGE_MAXSIZE);
+
+  ensure(new_bld_hdr == (const image_header *)data ? sectrue : secfalse,
+         "Invalid embedded bootloader");
+
+  ensure(check_image_model(new_bld_hdr), "Incompatible embedded bootloader");
+
+  const image_header *current_bld_hdr = read_image_header(
+      bl_data, BOOTLOADER_IMAGE_MAGIC, BOOTLOADER_IMAGE_MAXSIZE);
+
+  // cannot find valid header for current bootloader, something is wrong
+  ensure(current_bld_hdr == (const image_header *)bl_data ? sectrue : secfalse,
+         "Invalid bootloader header");
+
+  ensure(check_image_model(current_bld_hdr), "Incompatible bootloader found");
+
+  if (new_bld_hdr->monotonic < current_bld_hdr->monotonic) {
+    // reject downgrade
+    return;
+  }
+
+  uint32_t board_name = get_board_name();
+  if (board_name == 0 || strncmp((const char *)&board_name, "T2T1", 4) == 0) {
+    // no board capabilities, assume Model T
+    if ((strncmp((const char *)&new_bld_hdr->hw_model, "T2T1", 4) != 0) &&
+        (new_bld_hdr->hw_model != 0)) {
+      // reject non-model T bootloader
+      // 0 represents pre-model check bootloader
+      ensure(secfalse, "Incompatible embedded bootloader");
+    }
+  }
+  // at this point, due to the previous check_image_model call, we know that the
+  // new_bld_hdr is
+  //  meant for the same model as this firmware, so we can check the board name
+  //  against the firmware hw_model.
+  else if (board_name != HW_MODEL) {
+    // reject incompatible bootloader
+    ensure(secfalse, "Incompatible embedded bootloader");
+  }
+
   ensure(flash_erase(FLASH_SECTOR_BOOTLOADER), NULL);
   ensure(flash_unlock_write(), NULL);
   for (int i = 0; i < len / sizeof(uint32_t); i++) {

core/embed/firmware/header.S

@@ -13,7 +13,11 @@
 g_header:
     .byte 'T','R','Z','F'            // magic
     .word g_header_end - g_header    // hdrlen
+#ifdef TREZOR_MODEL_T
     .word 0                          // expiry
+#else
+    .word 1                          // expiry
+#endif
     .word _codelen                   // codelen
     .byte VERSION_MAJOR              // vmajor
     .byte VERSION_MINOR              // vminor
@@ -23,7 +27,10 @@ g_header:
     .byte FIX_VERSION_MINOR          // fix_vminor
     .byte FIX_VERSION_PATCH          // fix_vpatch
     .byte FIX_VERSION_BUILD          // fix_vbuild
-    . = . + 8                        // reserved
+    .word HW_MODEL                   // type of the designated hardware
+    .byte HW_REVISION                // revision of the designated hardware
+    .byte VERSION_MONOTONIC          // monotonic version of the binary
+    . = . + 2                        // reserved
     . = . + 512                      // hash1 ... hash16
 
 #if !defined TREZOR_MODEL_1

core/embed/firmware/main.c

@@ -87,6 +87,8 @@ int main(void) {
   enable_systemview();
 #endif
 
+  display_reinit();
+
 #if !defined TREZOR_MODEL_1
   parse_boardloader_capabilities();
 
@@ -109,8 +111,6 @@ int main(void) {
   SCB->SHCSR |= (SCB_SHCSR_USGFAULTENA_Msk | SCB_SHCSR_BUSFAULTENA_Msk);
 #endif
 
-  display_reinit();
-
 #if defined TREZOR_MODEL_1
   button_init();
 #endif

core/embed/firmware/memory_T.ld

@@ -83,4 +83,9 @@ SECTIONS {
     . = 37K; /* this acts as a build time assertion that at least this much memory is available for heap use */
     . = ABSOLUTE(sram_end); /* this explicitly sets the end of the heap */
   } >SRAM
+
+  .data_ccm : ALIGN(4) {
+    *(.no_dma_buffers*);
+    . = ALIGN(4);
+  } >CCMRAM
 }

core/embed/firmware/version.h

@@ -7,3 +7,5 @@
 #define FIX_VERSION_MINOR 4
 #define FIX_VERSION_PATCH 0
 #define FIX_VERSION_BUILD 0
+
+#define VERSION_MONOTONIC 1

core/embed/prodtest/header.S

@@ -10,7 +10,11 @@
 g_header:
     .byte 'T','R','Z','F'            // magic
     .word g_header_end - g_header    // hdrlen
+#ifdef TREZOR_MODEL_T
     .word 0                          // expiry
+#else
+    .word 1                          // expiry
+#endif
     .word _codelen                   // codelen
     .byte VERSION_MAJOR              // vmajor
     .byte VERSION_MINOR              // vminor
@@ -20,7 +24,10 @@ g_header:
     .byte FIX_VERSION_MINOR          // fix_vminor
     .byte FIX_VERSION_PATCH          // fix_vpatch
     .byte FIX_VERSION_BUILD          // fix_vbuild
-    . = . + 8                        // reserved
+    .word HW_MODEL                   // type of the designated hardware
+    .byte HW_REVISION                // revision of the designated hardware
+    .byte VERSION_MONOTONIC          // monotonic version of the binary
+    . = . + 2                        // reserved
     . = . + 512                      // hash1 ... hash16
     . = . + 415                      // reserved
     .byte 0                          // sigmask

core/embed/prodtest/version.h

@@ -7,3 +7,5 @@
 #define FIX_VERSION_MINOR 1
 #define FIX_VERSION_PATCH 0
 #define FIX_VERSION_BUILD 0
+
+#define VERSION_MONOTONIC 1