From 72da5283d48daeffe29dd86b50145be44cda7c2e Mon Sep 17 00:00:00 2001 From: lihuanhuan Date: Tue, 26 Aug 2025 22:17:25 +0800 Subject: [PATCH 1/2] feat(ble): add connection status query. --- core/src/trezor/uart.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/core/src/trezor/uart.py b/core/src/trezor/uart.py index 4fc580eaa..bc5414c97 100644 --- a/core/src/trezor/uart.py +++ b/core/src/trezor/uart.py @@ -631,6 +631,9 @@ def fetch_ble_info(): if BLE_ENABLED is None: BLE_CTRL.ctrl(0x81, b"\x04") + if utils.BLE_CONNECTED is None: + BLE_CTRL.ctrl(0x81, b"\x05") + if utils.BLE_BUILD_ID is None: BLE_CTRL.ctrl(0x83, b"\x05") From 5c128604bdd33a0f7c679820312c6f705f11266d Mon Sep 17 00:00:00 2001 From: lihuanhuan Date: Tue, 26 Aug 2025 22:20:17 +0800 Subject: [PATCH 2/2] feat(security): clear session when device is locked. --- .../modtrezorcrypto/modtrezorcrypto-se-thd89.h | 13 +++++++++++++ core/mocks/generated/trezorcrypto/se_thd89.pyi | 7 +++++++ core/src/apps/base.py | 6 ++---- core/src/trezor/uart.py | 18 ++++++------------ 4 files changed, 28 insertions(+), 16 deletions(-) diff --git a/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-se-thd89.h b/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-se-thd89.h index d62327847..6b87230aa 100644 --- a/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-se-thd89.h +++ b/core/embed/extmod/modtrezorcrypto/modtrezorcrypto-se-thd89.h @@ -135,6 +135,17 @@ STATIC mp_obj_t mod_trezorcrypto_se_thd89_end_session(void) { STATIC MP_DEFINE_CONST_FUN_OBJ_0(mod_trezorcrypto_se_thd89_end_session_obj, mod_trezorcrypto_se_thd89_end_session); +/// def clear_session() -> None: +/// """ +/// clear all sessions. +/// """ +STATIC mp_obj_t mod_trezorcrypto_se_thd89_clear_session(void) { + se_sessionClear(); + return mp_const_none; +} +STATIC MP_DEFINE_CONST_FUN_OBJ_0(mod_trezorcrypto_se_thd89_clear_session_obj, + mod_trezorcrypto_se_thd89_clear_session); + /// def get_session_state() -> bytes: /// """ /// get current session secret state. 
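Review bot: The new query in fetch_ble_info sends `BLE_CTRL.ctrl(0x81, b"\x05")` with no comment saying what the sub-command requests. The neighbouring `BLE_CTRL.ctrl(0x83, b"\x05")` uses the same payload byte under a different command, which makes the two easy to confuse. A one-line comment above the call, such as `# 0x81 / 0x05: ask the BLE chip for its current connection state`, would document it. The query only fires while `utils.BLE_CONNECTED is None`, so the flag is presumably kept current by a reply or notification handler that is not visible in this hunk; that is worth confirming, because a stale flag would misreport whether a BLE peer is attached. fetch_ble_info's body continues outside the hunk.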
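Review bot: `mod_trezorcrypto_se_thd89_clear_session` calls `se_sessionClear();` and then returns `mp_const_none` unconditionally, so if the secure-element call can fail, the Python lock paths cannot tell that sessions were left in place. The declaration of se_sessionClear is not in this hunk; if it returns a status, the wrapper should check it and raise, for example `if (sectrue != se_sessionClear()) mp_raise_msg(&mp_type_RuntimeError, "Failed to clear session.");`, adjusted to the actual return type. Callers would then need to lock the device even when this raises. The docstring could also say that the call is intended for the lock path and discards every session, not only the current one.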
@@ -1149,6 +1160,8 @@ STATIC const mp_rom_map_elem_t mod_trezorcrypto_se_thd89_globals_table[] = { MP_ROM_PTR(&mod_trezorcrypto_se_thd89_start_session_obj)}, {MP_ROM_QSTR(MP_QSTR_end_session), MP_ROM_PTR(&mod_trezorcrypto_se_thd89_end_session_obj)}, + {MP_ROM_QSTR(MP_QSTR_clear_session), + MP_ROM_PTR(&mod_trezorcrypto_se_thd89_clear_session_obj)}, {MP_ROM_QSTR(MP_QSTR_get_session_state), MP_ROM_PTR(&mod_trezorcrypto_se_thd89_get_session_state_obj)}, {MP_ROM_QSTR(MP_QSTR_get_session_current_id), diff --git a/core/mocks/generated/trezorcrypto/se_thd89.pyi b/core/mocks/generated/trezorcrypto/se_thd89.pyi index 90bc0223e..8b6901166 100644 --- a/core/mocks/generated/trezorcrypto/se_thd89.pyi +++ b/core/mocks/generated/trezorcrypto/se_thd89.pyi @@ -46,6 +46,13 @@ def end_session() -> None: """ +# extmod/modtrezorcrypto/modtrezorcrypto-se-thd89.h +def clear_session() -> None: + """ + clear all sessions. + """ + + # extmod/modtrezorcrypto/modtrezorcrypto-se-thd89.h def get_session_state() -> bytes: """ diff --git a/core/src/apps/base.py b/core/src/apps/base.py index a096b8680..9dc9696da 100644 --- a/core/src/apps/base.py +++ b/core/src/apps/base.py @@ -551,6 +551,8 @@ def lock_device() -> None: if storage.device.is_initialized() and config.has_pin(): from trezor.lvglui.scrs import fingerprints + se_thd89.clear_session() + if fingerprints.is_available(): fingerprints.lock() else: @@ -558,10 +560,6 @@ def lock_device() -> None: print( f"pin locked, finger is available: {fingerprints.is_available()} ===== finger is unlocked: {fingerprints.is_unlocked()} " ) - from apps.common import passphrase - - if passphrase.is_passphrase_pin_enabled(): - storage.cache.end_current_session() config.lock() wire.find_handler = get_pinlocked_handler set_homescreen() diff --git a/core/src/trezor/uart.py b/core/src/trezor/uart.py index bc5414c97..1ec2387ad 100644 --- a/core/src/trezor/uart.py +++ b/core/src/trezor/uart.py 
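Review bot: `se_thd89.clear_session()` is called in lock_device with no import in this hunk, while the uart.py call sites in the same commit add a local `from trezor.crypto import se_thd89`. Confirm the name is already in scope in base.py on every build, since a NameError here would stop the function before `config.lock()`. The commit also changes policy: the branch removed in the next hunk ended the session through `storage.cache.end_current_session()` only when `passphrase.is_passphrase_pin_enabled()`, whereas the new call clears all secure-element sessions on every lock. A comment such as `# clear all SE sessions on lock, regardless of the passphrase-PIN setting` would record that intent, and it is worth checking that storage.cache keeps no Python-side session state that the old call used to reset. lock_device starts and ends outside the hunk.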
@@ -209,17 +209,13 @@ async def handle_usb_state(): usb_auto_lock = device.is_usb_lock_enabled() if usb_auto_lock and device.is_initialized() and config.has_pin(): from trezor.lvglui.scrs import fingerprints + from trezor.crypto import se_thd89 if config.is_unlocked(): + se_thd89.clear_session() if fingerprints.is_available(): fingerprints.lock() else: - - from apps.common import passphrase - import storage.cache - - if passphrase.is_passphrase_pin_enabled(): - storage.cache.end_current_session() config.lock() await safe_reloop() await workflow.spawn(utils.internal_reloop()) @@ -367,16 +363,14 @@ async def _deal_button_press(value: bytes) -> None: from trezor.lvglui.scrs import fingerprints if config.has_pin() and config.is_unlocked(): + from trezor.crypto import se_thd89 + + se_thd89.clear_session() + if fingerprints.is_available(): if fingerprints.is_unlocked(): fingerprints.lock() else: - - from apps.common import passphrase - import storage.cache - - if passphrase.is_passphrase_pin_enabled(): - storage.cache.end_current_session() config.lock() await loop.race(safe_reloop(), loop.sleep(200)) await loop.sleep(300)
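Review bot: In handle_usb_state and _deal_button_press, the function-scope `from trezor.crypto import se_thd89` and the `se_thd89.clear_session()` call both run before `fingerprints.lock()` / `config.lock()`. Any exception from either one would therefore leave the device unlocked on a path whose purpose is to lock it. If some builds do not ship the se_thd89 module (this diff does not show whether they do), the import should be guarded, or the lock calls placed in a `finally:` so they always run. The clear-then-lock sequence now appears three times, twice here and once in lock_device in base.py; a single shared helper would keep the ordering and error handling identical across them. Both functions extend beyond their hunks.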