/* Messages for TREZOR communication Author: Marek Palatinus Version: 0.6 */ import "google/protobuf/descriptor.proto"; extend google.protobuf.FieldOptions { optional bool binary = 50001; // message field has binary payload } extend google.protobuf.EnumValueOptions { optional bool wire_in = 50002; // message can be transmitted via wire from PC to TREZOR optional bool wire_out = 50003; // message can be transmitted via wire from TREZOR to PC optional bool wire_debug_in = 50004; // message can be transmitted via debug wire from PC to TREZOR optional bool wire_debug_out = 50005; // message can be transmitted via debug wire from TREZOR to PC } /* Mapping between Trezor wire identifier (int) and protobuf message */ enum MessageType { MessageType_Initialize = 0 [(wire_in) = true]; MessageType_Ping = 1 [(wire_in) = true]; MessageType_Success = 2 [(wire_out) = true]; MessageType_Failure = 3 [(wire_out) = true]; MessageType_ChangePin = 4 [(wire_in) = true]; MessageType_WipeDevice = 5 [(wire_in) = true]; MessageType_FirmwareErase = 6 [(wire_in) = true]; MessageType_FirmwareUpload = 7 [(wire_in) = true]; MessageType_GetEntropy = 9 [(wire_in) = true]; MessageType_Entropy = 10 [(wire_out) = true]; MessageType_GetPublicKey = 11 [(wire_in) = true]; MessageType_PublicKey = 12 [(wire_out) = true]; MessageType_LoadDevice = 13 [(wire_in) = true]; MessageType_ResetDevice = 14 [(wire_in) = true]; MessageType_SignTx = 15 [(wire_in) = true]; MessageType_SimpleSignTx = 16 [(wire_in) = true]; MessageType_Features = 17 [(wire_out) = true]; MessageType_PinMatrixRequest = 18 [(wire_out) = true]; MessageType_PinMatrixAck = 19 [(wire_in) = true]; MessageType_PinMatrixCancel = 20 [(wire_in) = true]; MessageType_TxRequest = 21 [(wire_out) = true]; MessageType_TxInput = 23 [(wire_in) = true]; MessageType_TxOutput = 24 [(wire_in) = true]; MessageType_ApplySettings = 25 [(wire_in) = true]; MessageType_ButtonRequest = 26 [(wire_out) = true]; MessageType_ButtonAck = 27 [(wire_in) = true]; MessageType_ButtonCancel = 28 [(wire_in) = true]; MessageType_GetAddress = 29 [(wire_in) = true]; MessageType_Address = 30 [(wire_out) = true]; MessageType_SettingsType = 31; MessageType_HDNodeType = 32; // BIP32 structure, what a funny coincidence :-) MessageType_CoinType = 33; MessageType_TxOutputBin = 34; MessageType_EntropyRequest = 35 [(wire_out) = true]; MessageType_EntropyAck = 36 [(wire_in) = true]; MessageType_TransactionType = 37; MessageType_SignMessage = 38 [(wire_in) = true]; MessageType_VerifyMessage = 39 [(wire_in) = true]; MessageType_MessageSignature = 40 [(wire_out) = true]; MessageType_PassphraseRequest = 41 [(wire_out) = true]; MessageType_PassphraseAck = 42 [(wire_in) = true]; MessageType_PassphraseCancel = 43 [(wire_in) = true]; MessageType_DebugLinkDecision = 100 [(wire_debug_in) = true]; MessageType_DebugLinkGetState = 101 [(wire_debug_in) = true]; MessageType_DebugLinkState = 102 [(wire_debug_out) = true]; MessageType_DebugLinkStop = 103 [(wire_debug_in) = true]; } // **************************************************************************** // // Definition of custom field types // enum FailureType { Failure_UnexpectedMessage = 1; Failure_ButtonExpected = 2; Failure_SyntaxError = 3; Failure_ActionCancelled = 4; Failure_PinExpected = 5; Failure_PinCancelled = 6; Failure_PinInvalid = 7; Failure_InvalidSignature = 8; Failure_FirmwareError = 99; } // Specifies which script will be used for given transaction output. enum ScriptType { PAYTOADDRESS = 0; PAYTOSCRIPTHASH = 1; } // Specifies which kind of information is required by transaction signing process enum RequestType { TXINPUT = 0; TXOUTPUT = 1; } // Structure of BIP32 (hierarchical deterministic) node // Used for imports of private key into the device and exporting public key out of device message HDNodeType { required uint32 version = 1; required uint32 depth = 2; required uint32 fingerprint = 3; required uint32 child_num = 4; required bytes chain_code = 5 [(binary) = true]; optional bytes private_key = 6 [(binary) = true]; optional bytes public_key = 7 [(binary) = true]; optional bytes address = 8; } message CoinType { optional bytes coin_name = 1; optional bytes coin_shortcut = 2; optional uint32 address_type = 3; optional uint64 maxfee_kb = 4; } message SettingsType { optional bytes language = 1; // Trezor uses 'english' as default optional CoinType coin = 2; optional bytes label = 3; // Human readable wallet name } // **************************************************************************** // // Basic message // // Reset device to default state and ask for device details // // Response: Features message Initialize { } // Response object for Initialize. message Features { optional bytes vendor = 1; // Name of the manufacturer, e.g. "bitcointrezor.com" optional uint32 major_version = 2; // Major version of the device, e.g. 1 optional uint32 minor_version = 3; // Minor version of the device, e.g. 0 optional uint32 bugfix_version = 4; optional bool bootloader_mode = 5; optional SettingsType settings = 6; // User-level settings of the device optional bytes device_id = 7 [(binary) = true]; // Device's unique identifier optional bool pin_protection = 8; // True if Trezor is covered by PIN optional bool passphrase_protection = 9; // True if Trezor seed is covered by passphrase } // Overwrites only filled fields of the structure message ApplySettings { optional bytes language = 1; optional bytes coin_shortcut = 2; optional bytes label = 3; } // Starts workflow for setting/changing the PIN // Response: ButtonRequest, PinMatrixRequest message ChangePin { optional bool remove = 1; // Set True if want to remove PIN protection } // Test if device is live, device will send back the message on success // // Response: None or Success message Ping { optional bytes message = 1; // Message will be sent back in Success message } // Response object defining success of the previous request message Success { optional bytes message = 1; // May contain human readable description of the action or request-specific payload } // Response object defining failure of the previous request message Failure { optional FailureType code = 1; // May contain computer-readable definition of the error state optional bytes message = 2; // May contain human-readable message of the error state } // Message can be sent by the *device* as a resopnse to any request. // Device is waiting for HW button press. No action is required from computer // Computer should respond with ButtonAck message or ButtonCancel to cancel // the original request. message ButtonRequest { } // Computer agrees to wait for HW button press. message ButtonAck { } // Computer want to cancel current action (don't wait to HW button press) message ButtonCancel { } // Message can be sent by the *device* as a response to any request. // Message asks computer to send back PinMatrixAck with the password encoded in pin matrix scheme. // // Response: PinMatrixAck, PinMatrixCancel message PinMatrixRequest { optional bytes message = 1; // Human readable message } // Message is sent by the computer as a response to PinMatrixRequest previously sent by the device. message PinMatrixAck { required bytes pin = 1; // User must write down the password for accessing the device. } // Message is sent as a response to PinMatrixRequest by the computer, asking the device to cancel // pending action and reset to the default state. message PinMatrixCancel { } // Device request encryption passphrase message PassphraseRequest { } // Computer sends passphrase to device. message PassphraseAck { required bytes passphrase = 1 [(binary) = true]; } // Computer want to cancel current action message PassphraseCancel { } // Request a sample of random data generated by hardware RNG. May be used // for tests of internal RNG. // // Response: PinMatrixRequest, Entropy, Failure message GetEntropy { required uint32 size = 1; // Size of randomly generated buffer } // Response to GetEntropy request contains random data generated by internal HRNG. message Entropy { required bytes entropy = 1 [(binary) = true]; // Stream of generated bytes } // Ask device for public key corresponding of address_n path. This may be used for generating // public keys on the computer independently to the device. // // Response: PublicKey, Failure message GetPublicKey { repeated uint32 address_n = 1; } // Contains public key derived from device's seed. message PublicKey { required HDNodeType node = 1; // BIP32 node public key + chaincode } message GetAddress { repeated uint32 address_n = 1; // Parameter for address generation algorithm to derive the address from the master node } message Address { required bytes address = 1; // Bitcoin address in base58 encoding corresponding to GetAddress(n) call } // Request device to wipe all sensitive data and settings. // Device will be turned to uninitialized state. // // Response: ButtonRequest message WipeDevice { } // Load seed and related internal settings from computer to the device. Existing seed is overwritten. // // Response: Success, ButtonRequest, PinMatrixRequest, Failure message LoadDevice { optional bytes seed = 1; // Seed encoded as a mnemonic (12 english words) optional HDNodeType node = 2; optional bytes pin = 3; // Set PIN protection for important actions } // Request device to do full-reset, to generate new seed // and ask user for new settings (PIN). // Workflow is splitted into ResetDevice/EntropyRequest to be sure // that entropy provided by device isn't calculated on base of computer provided // entropy. // // // Response: EntropyRequest, PinMatrixRequest, Failure message ResetDevice { optional bool display_random = 1; // If set, displays entropy generated by the device used // for generating the seed *before* asking // for additional entropy from computer } // Asks for additional Entropy from host computer message EntropyRequest { } // Provide additional entropy for seed generation function. message EntropyAck { optional bytes entropy = 1 [(binary) = true]; // Recommended to provide 256 bytes of random data. } // **************************************************************************** // // Messages related to transaction signing // message SignMessage { repeated uint32 address_n = 1; required bytes message = 2 [(binary) = true]; } message VerifyMessage { optional bytes address = 1; optional bytes signature = 2; optional bytes message = 3 [(binary) = true]; } message MessageSignature { optional bytes address = 1; optional bytes signature = 2; } // Request the device to sign the transaction // // Response: TxRequest, PinMatrixRequest, Failure message SignTx { required uint32 outputs_count = 3; // Count of outputs of the transaction required uint32 inputs_count = 5; // Count of inputs of the transaction } // Request a simplified workflow of signing. // This method doesn't support streaming, // so there may be hardware limits // in number of inputs and outputs. // // This simplified workflow should not be used // in production, it is designed mainly for debug purposes. // // When everything is fine, Success.message contains // serialized transaction. // // Response: Success, PinMatrixRequest, Failure message SimpleSignTx { repeated TxInput inputs = 1; repeated TxOutput outputs = 2; } // Sent by the device as a response for SignTx. Device asks for information for signing transaction. // If request_index is set, device asks for TxInput/TxOutput message (depends on request_type) // with details of index's input. // If signed_index is set, 'signature' contains signed input of signed_index's input. message TxRequest { optional int32 request_index = 1; // If >=0, device expects TxInput/TxOutput message from the computer optional RequestType request_type = 2; // Ask for TxInput or TxOutput? optional int32 signed_index = 3; // If >=0, 'signature' contains signed input of this input optional bytes signature = 4 [(binary) = true]; // If signed_index>=0, represent signature of the signed_index input optional bytes serialized_tx = 5 [(binary) = true]; // Part of serialized and signed transaction } // Transaction onput for SignTx workflow. It is response to TxRequest message sent by device. // // Response: TxRequest, Failure message TxInput { // required uint32 index = 1; // Position of input in proposed transaction // required uint64 amount = 3; // Amount to spend in satoshis. The rest will be used for transaction fees repeated uint32 address_n = 1; // Parameter for address generation algorithm to derive the address from the master node required bytes prev_hash = 2 [(binary) = true]; // Hash of previous transaction output to spend by this input required uint32 prev_index = 3; // Index of previous output to spend optional bytes script_sig = 4 [(binary) = true]; // Script signature optional uint32 sequence = 5 [default=0xffffffff]; } // Transaction output for SignTx workflow. It is response to TxRequest message sent by the device. // This contains all data necessary to build transaction output (script_pubkey). message TxOutput { // required uint32 index = 1; // Position of output in proposed transaction required bytes address = 1; // Target bitcoin address in base58 encoding repeated uint32 address_n = 2; // Has higher priority than "address". required uint64 amount = 3; // Amount to send in satoshis required ScriptType script_type = 4; // Select output script type repeated bytes script_args = 5 [(binary) = true]; // Provide additional parameters for the script (its script-depended) } // Transaction output with script pubkey in binary form. // This is used for obtaining hashes of existing transactions // and for compiling TxOutput for signing. message TxOutputBin { required uint64 amount = 1; required bytes script_pubkey = 2 [(binary) = true]; } message TransactionType { optional uint32 version = 1 [default=1]; repeated TxInput inputs = 2; repeated TxOutputBin outputs = 3; optional uint32 lock_time = 4 [default=0]; } // **************************************************************************** // // Bootloader messages // message FirmwareErase { } message FirmwareUpload { required bytes payload = 1 [(binary) = true]; // Firmware to flash into device } // **************************************************************************** // // Debug* messages are used only on DebugLink interface (separated from USB HID) // // Virtually "press" the button on the device. // Message is available only on debugging connection and device must support "debug_link" feature. // // Response: Success message DebugLinkDecision { required bool yes_no = 1; // True for "confirm", False for "cancel" } // When sent over debug link connection, computer asks for some internal information of the device. // // Response: DebugLinkState message DebugLinkGetState { optional bool layout = 1; // Request raw buffer of display optional bool pin = 2; // Request current pin optional bool matrix = 3; // Request current pin matrix optional bool seed = 4; // Request current seed // optional bool state = 5; } // Response object reflecting device's current state. It can be received only over debug link connection. message DebugLinkState { optional bytes layout = 1 [(binary) = true]; // Raw buffer of display optional bytes pin = 2; // Current PIN, blank if PIN is not set/enabled optional bytes matrix = 3; // Current PIN matrix optional bytes seed = 4; // Current seed (in mnemonic format) // optional bytes state = 5 [(binary) = true]; } // Ask device to shutdown/restart message DebugLinkStop { }