Pages:
Author

Topic: Jade DIY hardware wallet - page 3. (Read 1226 times)

legendary
Activity: 2730
Merit: 7065
April 05, 2024, 09:15:47 AM
#51
the address generation process is a core process, which, I hope, has been tested by both software unit tests and human tests. I can't believe that there will be a flaw in such an important aspect of the software.
I didn't mean there would be flaws in it b default. I am sure we would have heard about it by now. The Jade doesn't have the userbase of Trezor or Ledger, but whatever it's got, we would have heard about something like that.

The bugs I was speculating about could perhaps be the result of certain software/hardware issues and not a scenario you would see if everything was working top-notch.

I checked Jade's github repository a little bit. It doesn't use libsecp256k1 as the library for performing elliptic curve operations, at least as far as I can see. It isn't a very good sign, considering that it's the most tested library for that sensitive purpose, and used by the most reputable pieces of software like Bitcoin Core.

To me the portion of the project that is cryptography-related is the most crucial. I wouldn't care if the UI had a bug. However, if there's a bug in cryptography like a non-random R-value in a signature, that can be catastrophic. But, again, I'm not totally sure they use another reputable library for EC operations.
This is a question and topic that should be directed to their customer service team, instructing them to push it further to their development team to clarify. I will do it during the weekend if I don't forget. Feel free to add something more if you want to.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
April 05, 2024, 08:50:08 AM
#50
It is a realistic scenario, but not a likely to happen scenario. I mean, bugs can be found in the code, but the address generation process is a core process, which, I hope, has been tested by both software unit tests and human tests. I can't believe that there will be a flaw in such an important aspect of the software.
I checked Jade's github repository a little bit. It doesn't use libsecp256k1 as the library for performing elliptic curve operations, at least as far as I can see. It isn't a very good sign, considering that it's the most tested library for that sensitive purpose, and used by the most reputable pieces of software like Bitcoin Core.

To me the portion of the project that is cryptography-related is the most crucial. I wouldn't care if the UI had a bug. However, if there's a bug in cryptography like a non-random R-value in a signature, that can be catastrophic. But, again, I'm not totally sure they use another reputable library for EC operations.
hero member
Activity: 560
Merit: 1060
April 05, 2024, 01:53:33 AM
#49
This is how I would approach the question.
Also, I am irrationally risk-averse when it comes to losing Bitcoin (I said irrationally!) so I would further lower that threshold.

Some bad feeling likely remains with a device that showed signs of unreliability. A one-time bad day I would brush off, kind of.

You are both correct. And since I have been asked the question a lot, about why I keep trusting the device and why I still use it, I want to make something clear.

1. I can read and understand C, so I feel confident reading the code. Which is important for me.
2. My usage is pretty limited. Once a month, I scan a private key QR code, I sign a transaction (usually a pretty small one), I erase the memory of the device (using temporary signer option).
3. Blockstream doesn't know my address, nor my name, since I received the product elsewhere, where I don't have the ability to access now, so if I request a change, or buy a new one, I will need to use my real name and address.
4. I own other devices that I use for more frequent transactions.
5. I always know that my backups are safe.
6. I always use QR codes, which is safer than USB cables. Still, QR codes are not a panacea, but, you know, I feel more confident.
7. The Jade is a reputable device.

Warning:
Finally, always be very cautious when it comes to using browser-based products (software & updates). Always verify what you download. Always think twice before downloading something.
legendary
Activity: 2268
Merit: 16328
Fully fledged Merit Cycler - Golden Feather 22-23
April 05, 2024, 01:26:51 AM
#48
I still don’t get it.

What is the risk of a fatal hardware malfunction once you have witnessed something like that one apogio experienced? 0.1%?
1 BTC is 70,000 USD.
1 Jade costs roughly 100 USD.

So 100 USD /0.001/70,000 USDBTC≈1.42 BTC

Ok, then it is not worth handling UTXO bigger than 1.42 BTC with such an hardware.
Provided you already have a functioning backup of the seed phrase (Master key).

This is how I would approach the question.
Also, I am irrationally risk-averse when it comes to losing Bitcoin (I said irrationally!) so I would further lower that threshold.
hero member
Activity: 560
Merit: 1060
April 05, 2024, 01:24:42 AM
#47
The worst thing I can think of from the top of my head is that it somehow starts generating addresses whose coins you can never spend (sign) because of a serious bug. Of course, I am just throwing ideas out there, and I don't think it's a realistic scenario.

It is a realistic scenario, but not a likely to happen scenario. I mean, bugs can be found in the code, but the address generation process is a core process, which, I hope, has been tested by both software unit tests and human tests. I can't believe that there will be a flaw in such an important aspect of the software.

What can happen though, is that someone can use a fake website to update their firmware and that the installed software can be malicious. This is a huge problem if it happens... I hope that the device won't work with the fake website, but since I am a developer and not a security person, I don't know how easy this scenario is.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
April 04, 2024, 03:44:44 PM
#46
The worst thing I can think of from the top of my head is that it somehow starts generating addresses whose coins you can never spend (sign) because of a serious bug.

Something of that category came to my mind, too. I don't say lightly, I'm not scared or not concerned. I would mostly assume, if a device starts to act wonky, it would produce enough garbage that errors creep in quickly that the network would simply reject a funky transaction, hopefully! But your described nightmare may still be possible if things go when Murphy takes over as he always does.

Some bad feeling likely remains with a device that showed signs of unreliability. A one-time bad day I would brush off, kind of.
legendary
Activity: 2730
Merit: 7065
April 04, 2024, 10:34:49 AM
#45
I know, that's the purpuse and part of the security model of those signing devices. You still want to be sure that after you re-instantiate your wallet, everything from that point of usage of the device is working reliably.
He can always fall back on his backup phrase in case the device starts acting up or becomes unusable for the purpose it was designed for (signing transactions). The worst thing I can think of from the top of my head is that it somehow starts generating addresses whose coins you can never spend (sign) because of a serious bug. Of course, I am just throwing ideas out there, and I don't think it's a realistic scenario.
hero member
Activity: 560
Merit: 1060
April 01, 2024, 12:16:24 PM
#44
I think, I wouldn't be as scared as fillippone is. After you can revive the device by re-flashing the firmware and it doesn't nag with further obvious instability or hangs, I'd dismiss the previous glitch as a one-time hiccup. Am I reckless?

You aren't. I don't care very much to be honest, but I understand fillippone's concern, because it's a natural behaviour to be concerned when things like this happen and especially when they happen to devices that are used to hold secrets of any type. Could be private keys, gpg keys, passwords, anything like that.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
April 01, 2024, 06:50:00 AM
#43
Wow, what's that? Sounds intriguing, my knowledge in physics sucks haha

You might be interested to watch The Universe is Hostile to Computers. In the first minutes an election machines glitch is explained which likely happened due to radioactive decay or this cosmic ray stuff aftermath.


In fact, as I have said, my Jade is amnesiac. Every time I turn it off it erases its memory. So I always need to scan a QR code to load my wallet. Nothing is persisted once it's shut down.

I know, that's the purpuse and part of the security model of those signing devices. You still want to be sure that after you re-instantiate your wallet, everything from that point of usage of the device is working reliably.

I think, I wouldn't be as scared as fillippone is. After you can revive the device by re-flashing the firmware and it doesn't nag with further obvious instability or hangs, I'd dismiss the previous glitch as a one-time hiccup. Am I reckless?
hero member
Activity: 560
Merit: 1060
April 01, 2024, 05:42:21 AM
#42

Maybe a cosmic ray particle or photons incident at the wrong place and time affecting the startup process when apogio turned on his device? Speculation...


Wow, what's that? Sounds intriguing, my knowledge in physics sucks haha

As far a the backups are concerned. Yeah, obviously nothing bad happened. In fact, as I have said, my Jade is amnesiac. Every time I turn it off it erases its memory. So I always need to scan a QR code to load my wallet. Nothing is persisted once it's shut down.

hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
April 01, 2024, 05:26:56 AM
#41
It would be nice to understand what caused the issue in the first place.

Maybe a cosmic ray particle or photons incident at the wrong place and time affecting the startup process when apogio turned on his device? Speculation...


As I said before, I still would be scared of using that particular hardware.

I assume apogio checked thoroughly the recovery of his wallet after reflashing the device. That should be fine then, except if you're scared that some bits or registers could be instable in his device. If this were the case, instability could occur more often or worse screws things up right when you don't need it, like when you sign a large transaction.

Should we have some function tests built into the firmware to be able to check manually that all major functions are performing properly?
legendary
Activity: 2268
Merit: 16328
Fully fledged Merit Cycler - Golden Feather 22-23
March 31, 2024, 11:33:55 AM
#40

I had the 1.0.23 version and I upgraded to 1.0.29.
It works well so far, since yesterday. I have done a full test of my personal use case. I mean, I have imported the wallet using the QR code, I have signed a transaction, I have changed the colors and the brightness, I have performed a factory reset. All good!

Well, Probably a software error. Nice recovery, Jade.
It would be nice to understand what caused the issue in the first place.
Of course, long-term holding with a Hardware Wallet is not a state-of-the-art practice, but It' 's fairly common.
As I said before, I still would be scared of using that particular hardware.
hero member
Activity: 560
Merit: 1060
March 30, 2024, 02:47:41 AM
#39
I am glad that it turned out to be such an easy fix in the end that only required a fresh software installation. While we are on it, was the firmware on the device outdated anyways and you installed a new one or did you install the same version you already had on your Jade when it all went tits up?

I had the 1.0.23 version and I upgraded to 1.0.29.
It works well so far, since yesterday. I have done a full test of my personal use case. I mean, I have imported the wallet using the QR code, I have signed a transaction, I have changed the colors and the brightness, I have performed a factory reset. All good!
legendary
Activity: 2730
Merit: 7065
March 30, 2024, 02:30:23 AM
#38
I am glad that it turned out to be such an easy fix in the end that only required a fresh software installation. While we are on it, was the firmware on the device outdated anyways and you installed a new one or did you install the same version you already had on your Jade when it all went tits up?
hero member
Activity: 560
Merit: 1060
March 29, 2024, 03:31:49 PM
#37
I am happy to tell you that my Jade looks ok now:



What I did, as I said above, was to re-flash the firmware using the browser.
So I went to this page: https://jadefw.blockstream.com/upgrade/fwupgrade.html (it's the same that fillippone mentioned above).
It worked perfectly, somehow...

Once again, thanks for trying to help me and thanks for all the suggestions.
legendary
Activity: 1148
Merit: 3117
March 29, 2024, 03:27:50 PM
#36
Directly from BlockStream. In general, I would never buy a device that is supposed to hold secrets from a reseller. Even if you find reputable resellers, I will always choose the original manufacturer.
Understandable. Well, like I said before, if you live in a EU country, you are entitled to a 2 year warranty. What happens is that since there is no official representation of Blockstream, then you will probably have to incur in shipping fees in sending the device to them (which may be bigger than the cost of the device).
hero member
Activity: 560
Merit: 1060
March 29, 2024, 01:28:44 PM
#35
Did you bought the device directly from Blockstream? Or did you bought it from a reseller?

Directly from BlockStream. In general, I would never buy a device that is supposed to hold secrets from a reseller. Even if you find reputable resellers, I will always choose the original manufacturer.
legendary
Activity: 1148
Merit: 3117
March 29, 2024, 01:26:50 PM
#34
Hmm... thanks for the info.
The problem is, I own it for more than a year and I am also not in the US. So I need to cover the shipping fees, but also, it looks like they can't do anything for me.
Anyway, I will try to upgrade the firmware later tonight. Perhaps this issue will be solved.
Did you bought the device directly from Blockstream? Or did you bought it from a reseller?
hero member
Activity: 560
Merit: 1060
March 29, 2024, 01:12:11 PM
#33
@apogio
Take a look at this:

I couldn't find any warranty information on Jade's website either. I did find this Jade review from January 2024, and there is a section that discusses the warranty.

The reviewer said they spoke to the Blockstream team who told them that if the Jade has any issues within the first year that can't be solved remotely or with a software update, you'll get a replacement device or a refund. They cover the return shipping within the US. For orders from outside the States, the buyer covers the shipping fees.

Hmm... thanks for the info.
The problem is, I own it for more than a year and I am also not in the US. So I need to cover the shipping fees, but also, it looks like they can't do anything for me.
Anyway, I will try to upgrade the firmware later tonight. Perhaps this issue will be solved.
legendary
Activity: 2730
Merit: 7065
March 29, 2024, 11:39:37 AM
#32
You can't really complain to Blockstream since there is no warranty on this devices, but at least they are cheap-ish.
As I wrote in the other thread where we touched upon this subject, it's worth trying. There is no official warranty, but the company might still be willing to fix problems for their customers depending on what went wrong and how. And even if there is a warranty that has expired, we have seen examples (from Ledger) where they have sent replacements for devices that were no longer under warranty.

@apogio
Take a look at this:

I couldn't find any warranty information on Jade's website either. I did find this Jade review from January 2024, and there is a section that discusses the warranty.

The reviewer said they spoke to the Blockstream team who told them that if the Jade has any issues within the first year that can't be solved remotely or with a software update, you'll get a replacement device or a refund. They cover the return shipping within the US. For orders from outside the States, the buyer covers the shipping fees.
Pages:
Jump to: