
Topic: About BitBox (Read 397 times)

legendary
Activity: 2870
Merit: 7490
May 01, 2022, 06:54:55 AM
#27
Instead of going without HW, I'd rather build a SeedSigner from off-the-shelf components (can be ordered or bought in store) and remove the antenna.
I have no idea how to remove the antenna, but I guess following this tutorial won't make it so hard. This is what air-gap feels like. Confirm me that it isn't hard.

IMO it's not that hard. But if you don't have a tool to remove the antenna by hardware, you could follow the guide to disable it at user space and kernel level instead. Since it's an airgapped device, there's a small security difference unless the thief has physical access to install malware and re-enable networking.


Source: https://github.com/DesobedienteTecnologico/rpi_disable_wifi_and_bt_by_hardware#new-scheme-with-examples-to-disable-wifi-and-bluetooth-from-different-layers
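
An audit of the software layers mentioned in the post above, as an added example that is not part of the original post or the linked guide. It assumes the usual Raspberry Pi OS mechanisms (the `disable-wifi` and `disable-bt` firmware overlays in `config.txt`, and `blacklist` entries for the `brcmfmac`, `brcmutil`, `btbcm` and `hci_uart` kernel modules); the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which software layers have the Pi's radios disabled.
# File locations are arguments so a mounted SD card can be audited offline.

# Succeeds if FILE ($1) has an active (uncommented) "dtoverlay=NAME" ($2) line.
has_overlay() {
    grep -Eqs "^[[:space:]]*dtoverlay=$2[[:space:]]*$" "$1"
}

# Succeeds if any *.conf file in DIR ($1) blacklists kernel module MOD ($2).
is_blacklisted() {
    grep -Eqs "^[[:space:]]*blacklist[[:space:]]+$2[[:space:]]*$" "$1"/*.conf
}

# Prints one line per expected setting; exit status = number of missing ones.
audit_radios() {
    cfg=$1; moddir=$2; missing=0
    for ov in disable-wifi disable-bt; do
        if has_overlay "$cfg" "$ov"; then
            echo "firmware  dtoverlay=$ov  ok"
        else
            echo "firmware  dtoverlay=$ov  MISSING"; missing=$((missing + 1))
        fi
    done
    for mod in brcmfmac brcmutil btbcm hci_uart; do
        if is_blacklisted "$moddir" "$mod"; then
            echo "kernel    blacklist $mod  ok"
        else
            echo "kernel    blacklist $mod  MISSING"; missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample files (not from a real device): the Bluetooth overlay is
# commented out and hci_uart is not blacklisted, so two settings are missing.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/modprobe.d"
cat > "$DEMO/config.txt" <<'EOF'
# constructed sample boot config
dtoverlay=disable-wifi
#dtoverlay=disable-bt
EOF
cat > "$DEMO/modprobe.d/radio-blacklist.conf" <<'EOF'
blacklist brcmfmac
blacklist brcmutil
blacklist btbcm
EOF

audit_radios "$DEMO/config.txt" "$DEMO/modprobe.d" || echo "$? setting(s) missing"
```

On a real card, pass the mounted boot partition's `config.txt` and the root filesystem's `/etc/modprobe.d` directory instead of the sample paths.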
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
May 01, 2022, 04:46:43 AM
#26
Instead of going without HW, I'd rather build a SeedSigner from off-the-shelf components (can be ordered or bought in store) and remove the antenna.
I have no idea how to remove the antenna, but I guess following this tutorial won't make it so hard. This is what air-gap feels like. Confirm me that it isn't hard.

BTW, I'll order RPi Zero 2W.

Well, the whole project is open-source, and it should be relatively easy to modify the code in a way that larger screens just have black bars on either side. I could have a crack at it if you really can't find something in Zero form-factor with the right pixel count. It would likely be a little back-and-forth in DM since I don't have the hardware on hand.
Thanks a lot, but I'll just buy it from the internet. Isn't it the 1.3inch LCD HAT 240x240?
legendary
Activity: 2212
Merit: 7064
April 30, 2022, 03:40:02 PM
#25
I don't know the shop though, so I cannot vouch for it (although I like that they advertise they use BTCPay server and even seem to offer a discount if paid by Bitcoin). I went there from SeedSigner website.
This gobrrr.me shop is legit and the owner is actually active on the bitcointalk forum, so you can ask him any questions you have, but I think he is currently on vacation and orders could have shipping delays currently.
Member GoBrrr.me even has ANN topic Gobrrrrrr created, I think he really has good prices for everything he is offering, and his other account AlpenCoin has a good trust in our community.

I've found a 240x240 (Adafruit Screen LCD 1.54" 240x240 with MicroSD (3787)), but it's not Waveshare and I wonder if it matters. What I'm also concerned is: Does it matter if I buy one with greater pixel count? For example, 320x240; there are so many.
It does matter what LCD screen you purchase, and it's not only size and pixels but also cable connectors.
I would buy exact screen model and other parts they are saying, and don't experiment if you want everything to work.
If you want to be exactly sure, you can ask SeedSigner community, I think telegram group is very active:
https://seedsigner.com/get-in-touch/


PS
Small suggestion, I wouldn't order anything from China right now.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
April 30, 2022, 03:00:03 PM
#24
So, what's the problem: I live in Greece and no matter my continual search, the only hardware wallets that I can purchase from a store are two: Ledger and BitBox01. Which leaves me with BitBox01 as it's open-source and reputable.
~snip~
And, by the way, is there anyone who still uses BitBox01?
Wait, what, the BitBox01 is still being sold?

Yes, it is open-source, yes, I tried it, yes, it's a fine device for the price and the build quality is better than the 02.

But I wouldn't recommend it in 2022. Due to the lack of a screen, you cannot verify the recipient's address, and that's quite the deal-breaker for me today. There was some sort of companion app (not sure if it still exists? ... that's why I don't like companion apps - they have an expiry date sooner or later) that can show you the recipient address, but I'm not sure that it's as secure and good as having a screen directly connected to the electronics.

I'd currently mostly recommend Passport and BitBox02; if you have a local vendor for the 01, he might more easily be able to procure you a 02 instead of a Passport that would also need to be imported from across the pond.

Otherwise, for ordering online, if you can get a PO box under a fake name, ordering the Passport v2 could be an option. You could even wait a few more weeks until I get mine and can provide a review of it first.

Something tells me that it's a bad idea. Perhaps I should forget about the hardware wallet as I'm left with no choice. Your thoughts.
Instead of going without HW, I'd rather build a SeedSigner from off-the-shelf components (can be ordered or bought in store) and remove the antenna.


Thanks for that link, it helped me understand what AOPP is a little better.  What I don't understand is what it has to do with BitBox being a decent HW wallet or not.  Are they (or Shift Crypto) keeping records of who's purchased them or something?  Even if they are, that doesn't even sound like what the AOPP thing is all about.  I'm still a bit confused (but that's a normal state for me anyhow).
AOPP has no effect on the quality of the wallet. Shift is a Switzerland-based company and due to regulations they have no influence on, Swiss users (who seem to be their main customer base) need to sign a message with their receiving address when using a centralized exchange. Shift Crypto then brought forward the idea of AOPP to facilitate / automate the process so the users don't have to do the process manually.
I do get that it's a step of 'giving an inch' (and then they take a mile), but it has no influence on the wallet itself, as I said. Just good to know in case it's a moral issue for you to support a company who presumably aids in reducing users' privacy.

The information the wallet sends to the exchange is a signed message. This message can contain whatever details the exchange considers enough to fulfill their compliance obligations, but only data the exchange already knows, since it is the one who crafts the message.
Yes, it's just a legal thing, that without signing, you could e.g. provide someone else's address, but after the legal changes, since you sign, you really testify that that address is yours. Something like this.

~
Well, the whole project is open-source, and it should be relatively easy to modify the code in a way that larger screens just have black bars on either side. I could have a crack at it if you really can't find something in Zero form-factor with the right pixel count. It would likely be a little back-and-forth in DM since I don't have the hardware on hand.

Actually, if you get pure displays, not as HAT, you will lose the buttons that are needed for it to function and it will also not all snap together as intended.
Here is the full documentation of the HAT: https://www.waveshare.com/wiki/1.3inch_LCD_HAT
Waveshare products are often found on Amazon and since it's off-the-shelf stuff, you don't need to use a PO box when ordering online.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 30, 2022, 04:40:07 AM
#23
Woo-hoo, look what I just found!
https://www.skroutz.gr/s/35488390/Raspberry-Pi-Zero-2W-Barebone-Cortex-A53-512-MB-RAM.html

Okay, so increased difficulty now: There's no Waveshare 1.3" 240x240. I've only found a Waveshare 240x135 which isn't sufficient. On GitHub, it says that the pixel count is important.

I've found a 240x240 (Adafruit Screen LCD 1.54" 240x240 with MicroSD (3787)), but it's not Waveshare and I wonder if it matters. What I'm also concerned is: Does it matter if I buy one with greater pixel count? For example, 320x240; there are so many.

This camera must be fine: https://grobotronics.com/raspberry-pi-zero-camera-module-160-variable-focus.html
legendary
Activity: 3668
Merit: 6382
April 30, 2022, 04:28:35 AM
#22
and looking at all pages, none of those RPi is available

I went to https://www.gobrrr.me/ and I've seen that I can buy the full SeedSigner kit at 69 EUR + 11 EUR shipping to Romania with Austrian Post; I'd expect the price is not much different for Greece and it seems to be in stock.
I don't know the shop though, so I cannot vouch for it (although I like that they advertise they use BTCPay server and even seem to offer a discount if paid by Bitcoin). I went there from SeedSigner website.

(Of course, with this we're back to PO Box story)
legendary
Activity: 2268
Merit: 18748
April 30, 2022, 02:12:59 AM
#21
I had no idea about this AOPP. But, how does this imply to users who've bought it with cash? As I've said, there's no way I'll ever have a hardware wallet delivered to my house; especially if it requires me to, essentially, submit KYC-kind of details.
It makes no difference to how you buy the hardware wallet.

AOPP was designed to make it easier for users to prove to centralized exchanges the addresses they are withdrawing to are owned by them. It is essentially KYC but for your own addresses and your own wallet. By doing this, you essentially have to ask permission from the exchange to be allowed to withdraw your coins to your own wallet. And any time permission has to be asked it can be refused, and you can be censored. This is the exact opposite of what bitcoin stands for, namely self custody and censorship resistance. By implementing and supporting AOPP, then you are anti-privacy and pro-censorship as far as I am concerned. And BitBox don't just implement it - they developed it.

There is a good Twitter thread from Samourai about it here: https://nitter.net/SamouraiWallet/status/1486771410949357571

Thanks for that link, it helped me understand what AOPP is a little better.  What I don't understand is what it has to do with BitBox being a decent HW wallet or not.
It has no major implications for the security of a BitBox, but it certainly has big implications for your privacy, and it says a lot about the principles of the company. Just as I'm never going to use Wasabi again since they started coordinating with blockchain analysis even if the wallet itself still works fine, I'm never going to use a hardware wallet which is complicit in undermining the very principles of bitcoin.

legendary
Activity: 2212
Merit: 7064
April 29, 2022, 09:05:28 AM
#20
I see the problem. It's out of stock in Greece. What if I buy a RPi Pico? Does it have to be strictly zero?
You can't use Rpi Pico for anything serious, but keep an eye on local shops that could re-stock supplies from time to time.
I don't see big problem with ordering online adding alternative address, some shops even sell whole kits and they have option for paying with Bitcoin or Lightning.
Raspberry Pi is universal device and it's not directly connected with bitcoin, so you don't have to think if scammers or regulators will target you in future.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 29, 2022, 07:59:34 AM
#19
[...]
Is there any of the products in this link (check "Availability") that satisfies the needs for SeedSigner? The only Pi that I've found available in my country is the one I have, RPi 4, which is a little bit pricey.
legendary
Activity: 2870
Merit: 7490
April 29, 2022, 06:47:06 AM
#18
One small problem is that raspberry pi zero is not always easy to find now due to chain supply issues, and even if you find them price probably won't be so cheap like it was before.
I see the problem. It's out of stock in Greece. What if I buy a RPi Pico?

RPi Pico is a microcontroller (similar to some Arduino). You can't run Linux on it since it has 264 KB RAM.

Does it have to be strictly zero?

Most RPi should be fine (unless it's a very old type), although a faster device is not necessary when you only run Linux + a Bitcoin wallet (which is only used for signing transactions).
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 29, 2022, 06:08:18 AM
#17
One small problem is that raspberry pi zero is not always easy to find now due to chain supply issues, and even if you find them price probably won't be so cheap like it was before.
I see the problem. It's out of stock in Greece. What if I buy a RPi Pico? Does it have to be strictly zero?
legendary
Activity: 2212
Merit: 7064
April 29, 2022, 06:04:52 AM
#16
How didn't I think of buying a Pi and do this myself, privately? Thanks dkbit98!
One small problem is that raspberry pi zero is not always easy to find now due to chain supply issues, and even if you find them price probably won't be so cheap like it was before.
You can use the rpilocator.com website with the filter set to Zero to find the best deals on these devices, and you can find, download and print SeedSigner .stl case files for free on gobrrr.me or similar websites.
More information about SeedSigner with instructions can be found on their website and github page:
https://seedsigner.com/
https://github.com/SeedSigner/seedsigner
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 29, 2022, 05:19:34 AM
#15
How didn't I think of buying a Pi and do this myself, privately? Thanks dkbit98!
legendary
Activity: 2212
Merit: 7064
April 29, 2022, 04:47:23 AM
#14
Which leaves me with BitBox01 as it's open-source and reputable.
I would not buy that old outdated version of BitBox wallet and I think this is a bad idea.
It is inferior in every way compared to most hardware wallets that exist today and I don't think it's supported by Shiftcrypto anymore.

However, Shiftcrypto, which is the Swedish company
Shiftcrypto is a Swiss-based company, that is the country called Switzerland, not Sweden.

Perhaps I should forget about the hardware wallet as I'm left with no choice. Your thoughts.
If you really want to buy hardware with cash you can visit some country that is bordering with Greece, like Bulgaria for example and buy BitBox02 there for cash.
You can find Bitbox02 in many other shops in Europe, Croatia, Slovenia, Germany, Romania, Netherlands, etc.
Find all official resellers on shiftcrypto website:
https://shiftcrypto.ch/buy/

I don't know if you want to use a hardware wallet just for Bitcoin or for other shitcoins, but if it's only for good old BTC then you can buy a Raspberry Pi Zero locally and make your own SeedSigner signing device.
For ordering stuff online you should always use PO Boxes, alternative addresses/names/phone numbers.
legendary
Activity: 3234
Merit: 5637
April 29, 2022, 04:15:49 AM
#13
There's Hellenic Post near me, but I don't understand how's this anonymous. I still have to give full name, email address/phone number and home address. No, I don't think I can just give fake information.

In order to rent/open a PO box in your post office, of course you have to give them your personal data, but when ordering online, you only give the seller information about your PO box without your name and address. In theory, this is how things should work, but before any order, you should ask for an official opinion from the seller.

Specifically, if you want to buy Trezor, send them an inquiry whether they support sending the device to the PO box - in which case you have a PO box + TOR + payment with BTC = the best anonymity you can get online.

Alternatively, you have at least two other options:

- Find the nearest location outside your country where it is possible to buy the HW you want for cash, and then go there on vacation and buy HW.
- Find someone trusted on the forum you trust to buy HW for you and send it to your home address.
legendary
Activity: 1512
Merit: 4795
April 29, 2022, 02:45:20 AM
#12
What I don't understand is what it has to do with BitBox being a decent HW wallet or not.  Are they (or Shift Crypto) keeping records of who's purchased them or something?  Even if they are, that doesn't even sound like what the AOPP thing is all about.  I'm still a bit confused (but that's a normal state for me anyhow).
If wallet developers decide to support what the government can use to effectively invade people's privacy, normally the bitcoin community will not support that; they support what will help achieve privacy. If done in a country successfully, other countries may also make it a law, making their citizens prove the ownership of external wallet addresses.

This (AOPP) has nothing to do with purchase of hardware wallet, if Shiftcrypto handle customers data appropriately and not sell it or give it out to third party, or not breached, then the data are in safe hand, but we could not even conclude this as mentioned above because we do not know which one would be the next to Ledger data leak.

Me neither. If you buy the hardware wallet without giving the required info during the purchase, as they ask, there is nothing wrong with it, neither with Trezor. At least that's how I understand it.
Exactly. But if you do not want to support AOPP, you should also not support any wallet that supports it. Only Switzerland supports AOPP for now, but there is possibility other countries will start making it mandatory, the reason bitcoin community should neither support it nor support any wallet that supports it.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 29, 2022, 02:31:59 AM
#11
What I don't understand is what it has to do with BitBox being a decent HW wallet or not.
Me neither. If you buy the hardware wallet without giving the required info during the purchase, as they ask, there is nothing wrong with it, neither with Trezor. At least that's how I understand it.

From what I see in aopp.group, though, your wallet sends a signed message to the exchange, which doesn't make any sense.
What Information Will My Wallet Send to My Exchange?

The information the wallet sends to the exchange is a signed message. This message can contain whatever details the exchange considers enough to fulfill their compliance obligations, but only data the exchange already knows, since it is the one who crafts the message.
legendary
Activity: 3528
Merit: 7005
April 29, 2022, 02:17:03 AM
#10

Thanks for that link, it helped me understand what AOPP is a little better.  What I don't understand is what it has to do with BitBox being a decent HW wallet or not.  Are they (or Shift Crypto) keeping records of who's purchased them or something?  Even if they are, that doesn't even sound like what the AOPP thing is all about.  I'm still a bit confused (but that's a normal state for me anyhow).
legendary
Activity: 1512
Merit: 4795
April 28, 2022, 11:36:34 PM
#9
I'm not sure how that works, as I've never gone through a KYC procedure successfully in the past few years.  I've tried, but the pics I've submitted were never good enough, but that's another story.
There was an article about AOPP by Bitcoinmagazine

Why implementing AOPP could pose a risk to bitcoin long term

In Switzerland, anyone that uses custodial exchanges has to get verified. If users are verified and want to send bitcoin to an external wallet address, AOPP helps in a way that the verified user of the exchange is able to provide proof that he/she is the owner of an external wallet address.

I do not know the principle behind it, but I know there has even been a way this can be done, which is signing a message with an address, but which is not a good way either because it is a means by which the government is invading privacy. There is nothing worse than wallet developers providing this, in my opinion, as the government has the means (provided by wallet developers) to invade privacy.

I just like that few wallets that were supporting AOPP before are no more supporting it. Without AOPP, there has always been data leak on exchanges, with AOPP, the severity of exchange data leak might be worse on bitcoin users as privacy is becoming impossible.
legendary
Activity: 3528
Merit: 7005
April 28, 2022, 09:00:52 PM
#8
I have one thing about the latest version which is BitBox02, how it supports Address Ownership Proof Protocol (AOPP) which is against privacy.
Worse than that - Shift Crypto, the makers of BitBox, were the ones who initially proposed and designed AOPP. I wouldn't buy any product from a company which is so anti-privacy and pro-censorship.
Huh.  I had (and still have) no idea what that's all about, and I'll have to look into it--unless someone cares to explain it to me here as if I'm a 5-year old.  

Unless there's some factor I'm unaware of, I don't think the fact that a manufacturer is discontinuing one of their hardware wallets should count as a strike against them, and I thought the BitBox02 was one of the better HW wallets on the market--or at least better than the Ledger.  Someone correct me if I'm wrong on that point as well, because I'm in the same boat as OP.  Ledger's data leak soured me on them completely.

It is a means by which people who are using centralized exchanges (people that have been verified, KYC) are able to prove that they are the owner of a noncustodial wallet address, a means of privacy invasion. But it has nothing to do with privacy while buying a hardware wallet.
I'm not sure how that works, as I've never gone through a KYC procedure successfully in the past few years.  I've tried, but the pics I've submitted were never good enough, but that's another story.