Add OneKey Pro to wallet list #4697

Open
Shoyo1024 wants to merge 1 commit into bitcoin-dot-org:master from Shoyo1024:add-onekey-pro

@Shoyo1024
Contributor

@Shoyo1024 Shoyo1024 commented Apr 29, 2026

Adds OneKey Pro to the hardware wallet list, completing the OneKey listing effort started in #4439 and continued in #4655.

Context:

Hardware features: open source firmware (https://github.com/OneKeyHQ/firmware-pro), four EAL 6+ certified secure elements, color touchscreen, fingerprint unlock, and air-gapped signing via QR codes (fresh address support landed in firmware v4.20.0 and OneKey App v6.2.0).

Reproducible builds verified by Wallet Scrutiny.

Transparency rating: Basic, consistent with Classic 1S, since the secure element firmware is vendor-supplied and not open source.

Closed-source fingerprint module (Pro-only):

The Pro firmware includes libFpalgorithm.a, the sensor vendor's matching algorithm. The Classic 1S has no fingerprint sensor and is unaffected. The binary is vendor IP and is not available for open-sourcing on their end.

Three properties characterize the binary's role in the device:

  • Narrow, well-defined surface. Two operations only (enrollment, matching). Input: sensor image. Output: a secbool match result (0x5a5a5a5a for true, any other value for false; resists single-bit-flip fault injection), plus template bytes during enrollment. Hardware drivers, image acquisition, and template storage are open source.
  • Outside the authentication root. PIN is verified inside the SE with a 10-attempt hard limit and full wipe on exhaustion. Fingerprint is convenience unlock layered on top, not a PIN replacement. Compromise or removal of the fingerprint module does not affect the signing security model.
  • Industry baseline. No production-grade open-source matching library exists for this class of capacitive sensor; every fingerprint vendor treats the matching algorithm as core IP.

Verifiable from open code: the full wrapper is in core/embed/fp_sensor_wrapper/; the API surface is declared in fpalgorithm_interface.h; nm on the .a confirms exports.

Also updating the Classic 1S entry:

  • Description rewritten for clarity.
  • "View website" link updated from the product page to the brand homepage (https://onekey.so/), aligning with the convention used by Trezor, Ledger, KeepKey, and Coldcard listings.

Adds OneKey Pro to the hardware wallet list.

Also updates the OneKey Classic 1S entry: description rewritten for
clarity and "view website" link changed to the brand homepage.
@crwatkins
Contributor

Thanks for all the updates and the new submission!

The most significant issue to be addressed from #4439 was:

The MCU source is not totally open source. It contains a closed source fingerprint module. Potential resolution could involve replacement or removal of this closed source module. Alternatively, there could be changes proposed to the listing criteria to make specific allowances for some closed source modules, although the community has been fairly adamant about this requirement in the past.

Has that been addressed?

@devdavidejesus
Contributor

@Shoyo1024 ?

@Shoyo1024
Contributor Author

Shoyo1024 commented May 6, 2026

@crwatkins Apologies for the slow reply.

On the omission first: we read the closed-source MCU module question as being on a separate community / policy track (your Feb email mentioned working on a precedent for it), not as a per-PR item. That was the wrong call. I'll update the PR description shortly to make our position explicit.

The binary in question is libFpalgorithm.a, the vendor-supplied fingerprint matching algorithm, used only on the Pro (Classic 1S has no fingerprint sensor). It is the sensor vendor's core IP and not available for open-sourcing on their end. Three properties of the binary's role in the device:

  • Narrow surface. The sensor has no firmware; the algorithm runs on the MCU as a static library. Two operations only, enrollment and matching. Input: sensor image. Output: a secbool match result (0x5a5a5a5a for true, any other value for false, to resist single-bit-flip fault injection), plus template bytes during enrollment. Drivers, image acquisition, and template storage are open source.
  • Outside the authentication root. PIN is verified inside the SE with a 10-attempt hard limit and full wipe on exhaustion. Fingerprint is convenience unlock on top, not a replacement. Removing or compromising the fingerprint module does not affect the signing security model.
  • Industry baseline. To our knowledge there is no production-grade open-source matching library for this class of capacitive sensor; every vendor treats the matching algorithm as core IP.

The full wrapper is in core/embed/fp_sensor_wrapper/ (any reviewer can read what crosses the binary boundary), the API surface is declared in fpalgorithm_interface.h, and nm on the .a confirms what is exported.
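
The fault-resistant match result described in both of Shoyo1024's comments above, as an added C example that is not part of the thread or of OneKey's firmware: it counts how many single-bit flips of a non-match word are accepted under plain C truthiness versus an exact comparison against 0x5a5a5a5a. The non-match value 0x00000000 and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* The "match" pattern is the value quoted in the thread; the rest is illustrative. */
typedef uint32_t secbool;
#define SECTRUE 0x5a5a5a5aU

/* Number of differing bits between two 32-bit words. */
static int hamming(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;
    int n = 0;
    while (x) { x &= x - 1; n++; }   /* clear lowest set bit */
    return n;
}

/* Plain C truthiness: any nonzero word counts as "match". */
static int plain_accepts(uint32_t r) { return r != 0; }

/* secbool check: only the exact pattern counts as "match". */
static int secbool_accepts(secbool r) { return r == SECTRUE; }

/* How many of the 32 single-bit flips of `start` does `check` accept? */
static int flips_accepted(uint32_t start, int (*check)(uint32_t)) {
    int hits = 0;
    for (int bit = 0; bit < 32; bit++)
        if (check(start ^ (1U << bit))) hits++;
    return hits;
}

int main(void) {
    uint32_t no_match = 0x00000000U;  /* assumed non-match value for the demo */
    printf("bits between non-match and match: %d\n", hamming(no_match, SECTRUE));
    printf("plain bool: %d/32 single flips accepted\n",
           flips_accepted(no_match, plain_accepts));
    printf("secbool:    %d/32 single flips accepted\n",
           flips_accepted(no_match, secbool_accepts));
    return 0;
}
```

The property holds only when the non-match word is at least two bits away from 0x5a5a5a5a; a word one bit away is accepted after a single flip, so a reviewer of the wrapper would want to see which non-match values actually cross the binary boundary.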
