This approach is fairly manual, requires the command line, and requires a patched version of Bitcoin Core.
Note: For this guide, code lines prefixed with $
means that the command is typed in the terminal. Lines without $
are output of the commands.
I am not liable for any coins that may be lost through this method. The software mentioned may have bugs. Use at your own risk.
This method of using hardware wallets uses Bitcoin Core as the wallet for monitoring the blockchain. It allows a user to use their own full node instead of relying on an SPV wallet or vendor provided software.
However, Bitcoin Core needs a few changes for this work. PRs #14689, #14565, #14491, #14021, and #14075 are required in order for this to work. Since these PRs are still unmerged, I have created a branch with them merged here.
A set of scripts that I have called Hardware Wallet Interaction Scripts (HWI) is necessary for this. These scripts are a driver for using hardware wallets. The scripts can be found here.
Clone the modified Bitcoin Core and build it. Clone HWI.
$ git clone https://github.com/achow101/bitcoin.git -b hww
$ cd bitcoin
$ ./autogen.sh
$ ./configure
$ make
$ src/bitcoind -daemon -addresstype=legacy -changetype=legacy
$ cd ..
$ git clone https://github.com/achow101/HWI.git
$ python3 setup.py install
We will do most of our work from HWI, so go there
$ cd hwi
Now we need to find our hardware wallet. We do this using:
$ ./hwi.py enumerate
[{"fingerprint": "8038ecd9", "serial_number": "205A32753042", "type": "coldcard", "path": "0001:0005:00"}]
For this example, we will use the Coldcard. As we can see, the device path is 0003:0001:00
. The fingerprint of the master key is 8038ecd9
. Now that we have the device, we can issue commands to it. So now we want to get some keys and import them into Core.
We will be fetching keys at the BIP 84 default.
$ ./hwi.py -f 8038ecd9 getkeypool --bech32 --keypool 0 100
[{"desc": "wpkh([8038ecd9/84h/0h/0h]xpub6DR4rqx16YnCcfwFqgwvJdKiWrjDRzqxYTY44aoyHwZDSeSB5n2tqt42aYr9qPKhSKUdftPdTjhHrKKD6WGKVbuyhMvGH76VyKKZubg8o4P/0/*)", "internal": false, "range": [0, 100], "timestamp": "now", "keypool": true}]
We now createa a new Bitcoin Core wallet and import the keys into Bitcoin Core. The output is formatted properly for Bitcoin Core so it can be copy and pasted.
$ ../bitcoin/src/bitcoin-cli createwallet "coldcard" true
{
"name": "coldcard",
"warning": ""
}
$ ../bitcoin/src/bitcoin-cli -rpcwallet=coldcard importmulti '[{"desc": "wpkh([8038ecd9/84h/0h/0h]xpub6DR4rqx16YnCcfwFqgwvJdKiWrjDRzqxYTY44aoyHwZDSeSB5n2tqt42aYr9qPKhSKUdftPdTjhHrKKD6WGKVbuyhMvGH76VyKKZubg8o4P/0/*)", "internal": false, "range": [0, 100], "timestamp": "now", "keypool": true}]
'
[
{
"success": true
}
]
Now we repeat the getkeypool
and importmulti
steps but set a --internal
flag and use the change keypath (m/44h/0h/0h/1
) in getkeypool
to generate change keys.
$ ./hwi.py -f 8038ecd9 getkeypool --bech32 --keypool --internal 0 100
[{"internal": true, "timestamp": "now", "desc": "wpkh([8038ecd9/84h/0h/0h]xpub6DR4rqx16YnCcfwFqgwvJdKiWrjDRzqxYTY44aoyHwZDSeSB5n2tqt42aYr9qPKhSKUdftPdTjhHrKKD6WGKVbuyhMvGH76VyKKZubg8o4P/1/*)", "keypool": true, "range": [0, 100]}]
$ ../bitcoin/src/bitcoin-cli -rpcwallet=coldcard importmulti '[{"internal": true, "timestamp": "now", "desc": "wpkh([8038ecd9/84h/0h/0h]xpub6DR4rqx16YnCcfwFqgwvJdKiWrjDRzqxYTY44aoyHwZDSeSB5n2tqt42aYr9qPKhSKUdftPdTjhHrKKD6WGKVbuyhMvGH76VyKKZubg8o4P/1/*)", "keypool": true, "range": [0, 100]}]
'
[
{
"success": true
}
]
The Bitcoin Core wallet is now setup to watch a two hundred keys (100 normal, 100 change) from your hardware wallet and you can use it to track your balances and create transactions. The transactions will need to be signed through HWI.
Usage of this primarily involves Bitcoin Core. This may be possible to do through the GUI (once all of the keys are imported) but this guide will only cover the command line.
Note: The following was done in a regtest environment. For the purposes of this guide, the --regtest
s and --testnet
s that were necessary have been removed and addresses converted to mainnet format.
From the folder containing bitcoin
and HWI
, go into bitcoin
. We will be doing most of the commands here.
$ cd bitcoin
To get a new address, use getnewaddress
as you normally would
$ src/bitcoin-cli -rpcwallet=coldcard getnewaddress
3LsU2FHhtasF8V9RT3tfZnEMUExF7JBrME
This address belongs to your hardware wallet. You can check this by doing getaddressinfo
:
$ src/bitcoin-cli -rpcwallet=coldcard getaddressinfo 3LsU2FHhtasF8V9RT3tfZnEMUExF7JBrME
{
"address": "3LsU2FHhtasF8V9RT3tfZnEMUExF7JBrME",
"scriptPubKey": "a914d26455d65ed73e9260f2730183dbbc2e8383f23687",
"ismine": false,
"iswatchonly": true,
"isscript": true,
"iswitness": false,
"script": "witness_v0_keyhash",
"hex": "001452ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43",
"pubkey": "02cd81dda2797578f927344d6654b12418de39c5057545af4629410320d5143195",
"embedded": {
"isscript": false,
"iswitness": true,
"witness_version": 0,
"witness_program": "52ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43",
"pubkey": "02cd81dda2797578f927344d6654b12418de39c5057545af4629410320d5143195",
"address": "bcrt1q2t9ru08t2whtzlvaj2q2q2fu7ulha8jrvnp4dw",
"scriptPubKey": "001452ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43"
},
"label": "",
"timestamp": 0,
"hdkeypath": "m/44h/0h/0h/0/0",
"hdseedid": "0000000000000000000000000000000000000000",
"hdmasterkeyid": "00000000000000000000000000000000d9ec3880",
"labels": [
{
"name": "",
"purpose": "receive"
}
]
}
Notice how the pubkey is the one that was specified as the very first thing being imported to your wallet.
You can give this out to people as you normally would. When coins are sent to it, you will see them in your Bitcoin Core wallet as watch-only.
To send Bitcoin, we will use walletcreatefundedpsbt
. This will create a Partially Signed Bitcoin Transaction which is funded by inputs from the wallets (i.e. your watching only inputs selected with Bitcoin Core's coin selection algorithm).
This PSBT can be used with HWI to produce a signed PSBT which can then be finalized and broadcast.
For example, suppose I am sending to 1 BTC to 3GvEUZ2JqrFo6uhNGCjbdg3sApySkTMujr. First I create a funded psbt with BIP 32 derivation paths to be included:
$ src/bitcoin-cli -rpcwallet=coldcard walletcreatefundedpsbt '[]' '[{"3GvEUZ2JqrFo6uhNGCjbdg3sApySkTMujr":1}]' 0 '{"includeWatching":true}' true
{
"psbt": "cHNidP8BAJwCAAAAAqrTvFDJIB7BMQ6v1JV++whUvSJ5DaopzPiUS57IhpqsAAAAAAD+////gCNlEeDC6AKFmzkj8U5pGCw456y+KSRCkSoIiqW5yxIAAAAAAP7///8CAOH1BQAAAAAXqRSnCcWkpvzrusDkAnyU78ttq97WkIfsRWICAAAAABepFPvg1/XvXM6FnYAASQHHLYnmnSOThwAAAAAAAQEgAOH1BQAAAAAXqRTSZFXWXtc+kmDycwGD27wug4PyNocBBBYAFFLKPjzrU66xfZ2SgKApPPc/fp5DIgYCzYHdonl1ePknNE1mVLEkGN45xQV1Ra9GKUEDINUUMZUYgDjs2SwAAIAAAACAAAAAgAAAAAAAAAAAAAEBIABaYgIAAAAAF6kU0mRV1l7XPpJg8nMBg9u8LoOD8jaHAQQWABRSyj4861OusX2dkoCgKTz3P36eQyIGAs2B3aJ5dXj5JzRNZlSxJBjeOcUFdUWvRilBAyDVFDGVGIA47NksAACAAAAAgAAAAIAAAAAAAAAAAAAAAQAWABTKdepF6iymQU24SJq9wMt6KANZYyICA/Nl+tzKhNtMvx2oPJHMEqtMriyzKIyTP9Z9RWcCl2mkGIA47NksAACAAAAAgAAAAIABAAAAAQAAAAA=",
"fee": 0.00005140,
"changepos": 1
}
Now I take the updated psbt and inspect it with decodepsbt
:
$ src/bitcoin-cli decodepsbt cHNidP8BAJwCAAAAAqrTvFDJIB7BMQ6v1JV++whUvSJ5DaopzPiUS57IhpqsAAAAAAD+////gCNlEeDC6AKFmzkj8U5pGCw456y+KSRCkSoIiqW5yxIAAAAAAP7///8CAOH1BQAAAAAXqRSnCcWkpvzrusDkAnyU78ttq97WkIfsRWICAAAAABepFPvg1/XvXM6FnYAASQHHLYnmnSOThwAAAAAAAQEgAOH1BQAAAAAXqRTSZFXWXtc+kmDycwGD27wug4PyNocBBBYAFFLKPjzrU66xfZ2SgKApPPc/fp5DIgYCzYHdonl1ePknNE1mVLEkGN45xQV1Ra9GKUEDINUUMZUYgDjs2SwAAIAAAACAAAAAgAAAAAAAAAAAAAEBIABaYgIAAAAAF6kU0mRV1l7XPpJg8nMBg9u8LoOD8jaHAQQWABRSyj4861OusX2dkoCgKTz3P36eQyIGAs2B3aJ5dXj5JzRNZlSxJBjeOcUFdUWvRilBAyDVFDGVGIA47NksAACAAAAAgAAAAIAAAAAAAAAAAAAAAQAWABTKdepF6iymQU24SJq9wMt6KANZYyICA/Nl+tzKhNtMvx2oPJHMEqtMriyzKIyTP9Z9RWcCl2mkGIA47NksAACAAAAAgAAAAIABAAAAAQAAAAA=
{
"tx": {
"txid": "a2cb39e3ef95bb8ca7bbc9e66ba8e26d8f1a24ac0b1d9b937e4aedcdbe3cd781",
"hash": "a2cb39e3ef95bb8ca7bbc9e66ba8e26d8f1a24ac0b1d9b937e4aedcdbe3cd781",
"version": 2,
"size": 156,
"vsize": 156,
"weight": 624,
"locktime": 0,
"vin": [
{
"txid": "ac9a86c89e4b94f8cc29aa0d7922bd5408fb7e95d4af0e31c11e20c950bcd3aa",
"vout": 0,
"scriptSig": {
"asm": "",
"hex": ""
},
"sequence": 4294967294
},
{
"txid": "12cbb9a58a082a91422429beace7382c18694ef123399b8502e8c2e011652380",
"vout": 0,
"scriptSig": {
"asm": "",
"hex": ""
},
"sequence": 4294967294
}
],
"vout": [
{
"value": 1.00000000,
"n": 0,
"scriptPubKey": {
"asm": "OP_HASH160 a709c5a4a6fcebbac0e4027c94efcb6dabded690 OP_EQUAL",
"hex": "a914a709c5a4a6fcebbac0e4027c94efcb6dabded69087",
"reqSigs": 1,
"type": "scripthash",
"addresses": [
"3GvEUZ2JqrFo6uhNGCjbdg3sApySkTMujr"
]
}
},
{
"value": 0.39994860,
"n": 1,
"scriptPubKey": {
"asm": "OP_HASH160 fbe0d7f5ef5cce859d80004901c72d89e69d2393 OP_EQUAL",
"hex": "a914fbe0d7f5ef5cce859d80004901c72d89e69d239387",
"reqSigs": 1,
"type": "scripthash",
"addresses": [
"3Qept6m9fFbJsxDC4MeTfTZ9t5aufqAE78"
]
}
}
]
},
"unknown": {
},
"inputs": [
{
"witness_utxo": {
"amount": 1.00000000,
"scriptPubKey": {
"asm": "OP_HASH160 d26455d65ed73e9260f2730183dbbc2e8383f236 OP_EQUAL",
"hex": "a914d26455d65ed73e9260f2730183dbbc2e8383f23687",
"type": "scripthash",
"address": "3LsU2FHhtasF8V9RT3tfZnEMUExF7JBrME"
}
},
"redeem_script": {
"asm": "0 52ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43",
"hex": "001452ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43",
"type": "witness_v0_keyhash"
},
"bip32_derivs": [
{
"pubkey": "02cd81dda2797578f927344d6654b12418de39c5057545af4629410320d5143195",
"master_fingerprint": "8038ecd9",
"path": "m/44'/0'/0'/0/0"
}
]
},
{
"witness_utxo": {
"amount": 0.40000000,
"scriptPubKey": {
"asm": "OP_HASH160 d26455d65ed73e9260f2730183dbbc2e8383f236 OP_EQUAL",
"hex": "a914d26455d65ed73e9260f2730183dbbc2e8383f23687",
"type": "scripthash",
"address": "3LsU2FHhtasF8V9RT3tfZnEMUExF7JBrME"
}
},
"redeem_script": {
"asm": "0 52ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43",
"hex": "001452ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43",
"type": "witness_v0_keyhash"
},
"bip32_derivs": [
{
"pubkey": "02cd81dda2797578f927344d6654b12418de39c5057545af4629410320d5143195",
"master_fingerprint": "8038ecd9",
"path": "m/44'/0'/0'/0/0"
}
]
}
],
"outputs": [
{
},
{
"redeem_script": {
"asm": "0 ca75ea45ea2ca6414db8489abdc0cb7a28035963",
"hex": "0014ca75ea45ea2ca6414db8489abdc0cb7a28035963",
"type": "witness_v0_keyhash"
},
"bip32_derivs": [
{
"pubkey": "03f365fadcca84db4cbf1da83c91cc12ab4cae2cb3288c933fd67d4567029769a4",
"master_fingerprint": "8038ecd9",
"path": "m/44'/0'/0'/1/1"
}
]
}
],
"fee": 0.00005140
}
Once the transaction has been inspected and everything looks good, the transaction can now be signed using HWI.
$ cd ../HWI
$ ./hwi.py -t coldcard -d 0003:0057:00 signtx cHNidP8BAJwCAAAAAqrTvFDJIB7BMQ6v1JV++whUvSJ5DaopzPiUS57IhpqsAAAAAAD+////gCNlEeDC6AKFmzkj8U5pGCw456y+KSRCkSoIiqW5yxIAAAAAAP7///8CAOH1BQAAAAAXqRSnCcWkpvzrusDkAnyU78ttq97WkIfsRWICAAAAABepFPvg1/XvXM6FnYAASQHHLYnmnSOThwAAAAAAAQEgAOH1BQAAAAAXqRTSZFXWXtc+kmDycwGD27wug4PyNocBBBYAFFLKPjzrU66xfZ2SgKApPPc/fp5DIgYCzYHdonl1ePknNE1mVLEkGN45xQV1Ra9GKUEDINUUMZUYgDjs2SwAAIAAAACAAAAAgAAAAAAAAAAAAAEBIABaYgIAAAAAF6kU0mRV1l7XPpJg8nMBg9u8LoOD8jaHAQQWABRSyj4861OusX2dkoCgKTz3P36eQyIGAs2B3aJ5dXj5JzRNZlSxJBjeOcUFdUWvRilBAyDVFDGVGIA47NksAACAAAAAgAAAAIAAAAAAAAAAAAAAAQAWABTKdepF6iymQU24SJq9wMt6KANZYyICA/Nl+tzKhNtMvx2oPJHMEqtMriyzKIyTP9Z9RWcCl2mkGIA47NksAACAAAAAgAAAAIABAAAAAQAAAAA=
Follow the onscreen instructions, check everything, and approve the transaction. The result will look like:
{"psbt": "cHNidP8BAJwCAAAAAqrTvFDJIB7BMQ6v1JV++whUvSJ5DaopzPiUS57IhpqsAAAAAAD+////gCNlEeDC6AKFmzkj8U5pGCw456y+KSRCkSoIiqW5yxIAAAAAAP7///8CAOH1BQAAAAAXqRSnCcWkpvzrusDkAnyU78ttq97WkIfsRWICAAAAABepFPvg1/XvXM6FnYAASQHHLYnmnSOThwAAAAAAAQEgAOH1BQAAAAAXqRTSZFXWXtc+kmDycwGD27wug4PyNociAgLNgd2ieXV4+Sc0TWZUsSQY3jnFBXVFr0YpQQMg1RQxlUcwRAIgO3nKk5HUyDZpGbW+zSZm8aQdXhjcMK35nNlUTVQHWFICIFvwyqMVc2RlCum4S24BSsmCl7max+VvvN12WjRv4eDaAQEDBAEAAAAiBgLNgd2ieXV4+Sc0TWZUsSQY3jnFBXVFr0YpQQMg1RQxlRiAOOzZLAAAgAAAAIAAAACAAAAAAAAAAAABBBYAFFLKPjzrU66xfZ2SgKApPPc/fp5DAAEBIABaYgIAAAAAF6kU0mRV1l7XPpJg8nMBg9u8LoOD8jaHIgICzYHdonl1ePknNE1mVLEkGN45xQV1Ra9GKUEDINUUMZVIMEUCIQCtkaylA/FmMiJf0VTBuLJUNICgcu4EfPCJmBJiar/PmQIgKN3cDzquInPhB/MxQVxOljiypTwpLwtD2h2I+7r+GaMBAQMEAQAAACIGAs2B3aJ5dXj5JzRNZlSxJBjeOcUFdUWvRilBAyDVFDGVGIA47NksAACAAAAAgAAAAIAAAAAAAAAAAAEEFgAUUso+POtTrrF9nZKAoCk89z9+nkMAACICA/Nl+tzKhNtMvx2oPJHMEqtMriyzKIyTP9Z9RWcCl2mkGIA47NksAACAAAAAgAAAAIABAAAAAQAAAAEAFgAUynXqReospkFNuEiavcDLeigDWWMA"}
We can now take the PSBT, finalize it, and broadcast it with Bitcoin Core
$ cd ../bitcoin
$ src/bitcoin-cli finalizepsbt cHNidP8BAJwCAAAAAqrTvFDJIB7BMQ6v1JV++whUvSJ5DaopzPiUS57IhpqsAAAAAAD+////gCNlEeDC6AKFmzkj8U5pGCw456y+KSRCkSoIiqW5yxIAAAAAAP7///8CAOH1BQAAAAAXqRSnCcWkpvzrusDkAnyU78ttq97WkIfsRWICAAAAABepFPvg1/XvXM6FnYAASQHHLYnmnSOThwAAAAAAAQEgAOH1BQAAAAAXqRTSZFXWXtc+kmDycwGD27wug4PyNociAgLNgd2ieXV4+Sc0TWZUsSQY3jnFBXVFr0YpQQMg1RQxlUcwRAIgO3nKk5HUyDZpGbW+zSZm8aQdXhjcMK35nNlUTVQHWFICIFvwyqMVc2RlCum4S24BSsmCl7max+VvvN12WjRv4eDaAQEDBAEAAAAiBgLNgd2ieXV4+Sc0TWZUsSQY3jnFBXVFr0YpQQMg1RQxlRiAOOzZLAAAgAAAAIAAAACAAAAAAAAAAAABBBYAFFLKPjzrU66xfZ2SgKApPPc/fp5DAAEBIABaYgIAAAAAF6kU0mRV1l7XPpJg8nMBg9u8LoOD8jaHIgICzYHdonl1ePknNE1mVLEkGN45xQV1Ra9GKUEDINUUMZVIMEUCIQCtkaylA/FmMiJf0VTBuLJUNICgcu4EfPCJmBJiar/PmQIgKN3cDzquInPhB/MxQVxOljiypTwpLwtD2h2I+7r+GaMBAQMEAQAAACIGAs2B3aJ5dXj5JzRNZlSxJBjeOcUFdUWvRilBAyDVFDGVGIA47NksAACAAAAAgAAAAIAAAAAAAAAAAAEEFgAUUso+POtTrrF9nZKAoCk89z9+nkMAACICA/Nl+tzKhNtMvx2oPJHMEqtMriyzKIyTP9Z9RWcCl2mkGIA47NksAACAAAAAgAAAAIABAAAAAQAAAAEAFgAUynXqReospkFNuEiavcDLeigDWWMA
{
"hex": "02000000000102aad3bc50c9201ec1310eafd4957efb0854bd22790daa29ccf8944b9ec8869aac000000001716001452ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43feffffff80236511e0c2e802859b3923f14e69182c38e7acbe292442912a088aa5b9cb12000000001716001452ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43feffffff0200e1f5050000000017a914a709c5a4a6fcebbac0e4027c94efcb6dabded69087ec4562020000000017a914fbe0d7f5ef5cce859d80004901c72d89e69d2393870247304402203b79ca9391d4c8366919b5becd2666f1a41d5e18dc30adf99cd9544d5407585202205bf0caa3157364650ae9b84b6e014ac98297b99ac7e56fbcdd765a346fe1e0da012102cd81dda2797578f927344d6654b12418de39c5057545af4629410320d514319502483045022100ad91aca503f16632225fd154c1b8b2543480a072ee047cf0899812626abfcf99022028dddc0f3aae2273e107f331415c4e9638b2a53c292f0b43da1d88fbbafe19a3012102cd81dda2797578f927344d6654b12418de39c5057545af4629410320d514319500000000",
"complete": true
}
$ src/bitcoin-cli sendrawtransaction 02000000000102aad3bc50c9201ec1310eafd4957efb0854bd22790daa29ccf8944b9ec8869aac000000001716001452ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43feffffff80236511e0c2e802859b3923f14e69182c38e7acbe292442912a088aa5b9cb12000000001716001452ca3e3ceb53aeb17d9d9280a0293cf73f7e9e43feffffff0200e1f5050000000017a914a709c5a4a6fcebbac0e4027c94efcb6dabded69087ec4562020000000017a914fbe0d7f5ef5cce859d80004901c72d89e69d2393870247304402203b79ca9391d4c8366919b5becd2666f1a41d5e18dc30adf99cd9544d5407585202205bf0caa3157364650ae9b84b6e014ac98297b99ac7e56fbcdd765a346fe1e0da012102cd81dda2797578f927344d6654b12418de39c5057545af4629410320d514319502483045022100ad91aca503f16632225fd154c1b8b2543480a072ee047cf0899812626abfcf99022028dddc0f3aae2273e107f331415c4e9638b2a53c292f0b43da1d88fbbafe19a3012102cd81dda2797578f927344d6654b12418de39c5057545af4629410320d514319500000000
c3c2ea18cf63bc076196b5a525243523ea067328ebb8b8c7d266494875d41ef3
When the keypools run out, they can be refilled by using the getkeypool
commands as done in the beginning, but with different starting and ending indexes. For example, to refill my keypools, I would use the following getkeypool
commands:
$ ./hwi.py -f 8038ecd9 getkeypool --bech32 --keypool --internal 100 200
$ ./hwi.py -f 8038ecd9 getkeypool --bech32 --keypool --internal 100 200
The output can be imported with importmulti
as shown in the Setup steps.
The instructions above use legacy addresses (P2PKH) at the BIP 44 derivation paths.
If you want to use P2SH-segwit addresses (P2SH-P2WPKH) at the BIP 49 default, use a derivation path of m/49h/0h/0h/0
for normal receiving keys and m/49h/0h/0h/1
for change keys. Additionally, you will need to set -addresstype=p2sh-segwit
and -changetype=p2sh-segwit
. This can be set in the command line (as shown in the example) or in your bitcoin.conf file.
"Missing required fields" When using Importmulti
I have done several trials in regtest but the format of the output of
getkeypool --keypool m/44h/0h/0h/0 0 2
is not accepted in
bitcoin-cli importmulti
. the answer is: