Pages:
Author

Topic: Krux DIY Hardware Wallet - page 3. (Read 2089 times)

full member
Activity: 128
Merit: 190
September 01, 2023, 04:36:50 PM
#84
Unless you can fully replace the operating system with a custom firmware, it would be a very bad idea to repurpose an old phone for this.

You're right.  The more I think about it, the more obvious it is that using Android hardware for Krux would require a lot of work in order to make it secure.  I was just thinking out loud, since there are so many old phones just waiting to be repurposed rather than thrown out.  Hell, I still own an iPhone 4 that I used to use as a bedside clock.  But, yeah, it'd be a huge undertaking to make those kinds of devices truly secure for a hardware signer, whereas something like an Amigo works out of the box.

It took me less than 5 minutes to get Krux up and running on an Amigo, and I could do it again in less than 2 now that I know how.

That sounds great! Do you want to share any pictures of it?

I don't have any yet, but I found this on Twitter.  That's Krux running on an Amigo.  Note that the text in that pic is orange.  That's one of the theme options for Krux.  I prefer white, and there's also an option for black text on a white background.

Really, the Amigo seems like a perfect device for this.  It's a chunky device, but it has a nice sized touchscreen and you'd only need it to sign transactions.  Well, that and setup stuff, like creating a SeedQR.

Again, I have no experience with this thing yet, other than playing with it for an hour or so...  so I'm trying to keep my enthusiasm in check in case there's some fatal flaw I haven't discovered yet...  but I am truly blown away by this setup.

It's so simple.

I wish these guys had more support though.  Krux has so much potential, so I wish more people were working on it.  For example, I wish each page had an "i" icon to click for more info.  A touchscreen is perfect for that, especially since there are some options in the tools and settings that could be intimidating for new users, such as "Delete Mnemonic" ("Wait, didn't it get wiped out when I shut down the device?"), and at the bottom of each page's info I'd love a "Reset setting to default" option for that setting.

I'm just getting started with testing Krux, but I can't overstate how enthusiastic I am about it.  I've been wanting to get a SeedSigner for a while, but for my needs, this might be much better thanks to the larger screen and how they implemented the passphrase feature.
hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
September 01, 2023, 10:45:01 AM
#83
I saw a video on Twitter where somebody ported Krux to run on an Android phone, and my jaw dropped.
Simply as an app running on good ol' Google Android or actually replacing the OS and running only Krux without networking and other attack surfaces?

The hardware is perfect for this sort of thing.
Not really; these devices are not meant to be programmed on a low level like the microcontroller in something like M5StickV.
Therefore you're usually restricted to running apps on top of a potentially highly insecure operating system, with connectivity and networking features built-in that offer zero advantages for a hardware wallet, meanwhile opening more attack surfaces.

Unless you can fully replace the operating system with a custom firmware, it would be a very bad idea to repurpose an old phone for this.

I've only started to play with it, but I'm blown away.  In some ways, Krux on an Amigo is the hardware wallet of my dreams.  It has a decently large touchscreen (the Amigo screen is the same size as the screen on an original iPhone).  It's air gapped.  It has SeedQR input, and it forgets the seed the moment the device is shut down.  YES!  It appears to have QR input for passphrases.  YES!!!
That sounds great! Do you want to share any pictures of it?
full member
Activity: 128
Merit: 190
September 01, 2023, 03:37:25 AM
#82
Actually, it looks like it should be shipping soon

Ha!  So much for that.  I was waiting to be notified that it shipped, but it arrived in my mailbox today.  NICE!

My first impression was...  very good.  Krux seems simple with some powerful features, such as a very clean interface with SeedQR and easy access to testnet.

Then, I loaded the latest binaries for Krux, and...  wow.  Krux is awesome.

I've only started to play with it, but I'm blown away.  In some ways, Krux on an Amigo is the hardware wallet of my dreams.  It has a decently large touchscreen (the Amigo screen is the same size as the screen on an original iPhone).  It's air gapped.  It has SeedQR input, and it forgets the seed the moment the device is shut down.  YES!  It appears to have QR input for passphrases.  YES!!!

Passphrase input by camera is a very big deal that deserves praise.  Honestly, this feature should be in every hardware wallet with a camera.

TANGENT ALERT:  Somebody convinced hardware wallet manufacturers that the BIP39 passphrase is a dangerous feature, so they mostly hide it to discourage its use.  What they should be doing is simplifying the setup and educating users.  A strong passphrase is an incredible form of security that is unique to the user.  More people should be using passphrases.  I have three: One is for personal use.  One is for work.  And one is for testing (which rarely gets used).  One seed.  Three passphrases.  Perfect.  I've had this setup for a few years.

Like I said, I just got my Amigo, so I haven't had much time to play with it yet, but Krux on an Amigo looks like it might be an amazing setup.

I'm so impressed with Krux!

SO IMPRESSED!
full member
Activity: 128
Merit: 190
August 30, 2023, 03:37:03 AM
#81
As for your Amigo being on backorder that's too bad.

Actually, it looks like it should be shipping soon, so it's all good.

I saw a video on Twitter where somebody ported Krux to run on an Android phone, and my jaw dropped.

Could you imagine how great it would be if there was a way to repurpose old Android phones and old iPhones to run Krux or something similar?  Obviously, at that point, the old phone would need to become a single-purpose device for security.  But, seriously, think about how many people might buy a new phone and turn their old one into a Bitcoin transaction signer like Krux if it was easy to do.  The hardware is perfect for this sort of thing.
newbie
Activity: 11
Merit: 2
August 26, 2023, 04:40:55 PM
#80
Don't think I've came across a story for the name actually. As for your Amigo being on backorder that's too bad. Which site and continent are you ordering from if you don't mind me asking? Usually there is someone somewhere that has them in stock.
full member
Activity: 128
Merit: 190
August 21, 2023, 04:34:32 PM
#79
Krux smaller devices has 3 buttons, and the most popular, Amigo, has capacitive touch screen.

I'm just replying to say that I love what you guys are doing and I'm very excited about the project.  I have an Amigo on backorder, so I guess I'll be waiting for a while, but I ca't wait to give Krux a try.

Is there a story behind the Krux name?
newbie
Activity: 28
Merit: 29
April 16, 2023, 11:57:52 AM
#78
Thanks(in the name of all Krux contributors)! I encourage you to build them, but I warn you it is addictive, once you build one you'll want all types Smiley
Regarding the law, the way I see it is there's one great thing about Krux: There's no business! No consumers or clients to "be protected". We are just a few nerds having fun with code e general purpose hardware at our own risk. No one asked for trust or money, all we want are scrutiny and ideas to improve our toys Wink
hero member
Activity: 882
Merit: 860
April 15, 2023, 11:03:45 AM
#77
I have to make you my most sincere congratulations! you are the master of DIY hardware wallets! sooner or later I'll try to make a DIY hw, as regards the new European law on the creation of open source codes which will have to be approved on April 26, do you know if there will be problems with the krux repositories?

I am referring to this bill
https://www.european-cyber-resilience-act.com/




legendary
Activity: 2212
Merit: 7064
April 14, 2023, 03:20:01 PM
#76
Sorry to hear that, I believe we won't be able to go lower than Android 6.0. But the effort to lower the requirements was fruitful. Thanks for testing!
No problem, sorry for not posting screenshot/video confirmation, it took me only few minutes of testing, and I don't have any other old devices to try, so it could be related only with my device.
I am glad you tried to work on that and remembered to make a post about it in forum Smiley


newbie
Activity: 28
Merit: 29
April 13, 2023, 09:02:49 AM
#75
I just tried latest github version Krux 23.04 BETA_3 Android_0.5 on same old junk Android 4.4.2 and I can confirm it's sadly NOT  working.
Error message I am getting is: There was a problem parsing the package.
This is very old android device so I am not expecting any miracles Smiley
Sorry to hear that, I believe we won't be able to go lower than Android 6.0. But the effort to lower the requirements was fruitful. Thanks for testing!
legendary
Activity: 2212
Merit: 7064
April 12, 2023, 03:30:49 PM
#74
You may try the last version. It is now compatible with armv7 chips (not only v8). I tested on a Android v6.0, it wasn't working, now it is!
I just tried latest github version Krux 23.04 BETA_3 Android_0.5 on same old junk Android 4.4.2 and I can confirm it's sadly NOT  working.
Error message I am getting is: There was a problem parsing the package.
This is very old android device so I am not expecting any miracles Smiley
newbie
Activity: 28
Merit: 29
April 12, 2023, 02:08:23 PM
#73
I tried using Krux app with Android v4.4.2 and sadly it could not be installed on this old smartphone from year 2015.
You may try the last version. It is now compatible with armv7 chips (not only v8). I tested on a Android v6.0, it wasn't working, now it is!
newbie
Activity: 28
Merit: 29
February 09, 2023, 12:08:50 PM
#72
Yes, the buttons and small screen don't make a good UX, but as M5stickV was the first Krux device and has its fans for being so tiny it will always get our attention and updates.
Amigo UX, on the other hand, is really smooth, and still has a lot of room for improvements.

I'll see if I find some older phone to check if its possible to build the app for them too.
legendary
Activity: 2212
Merit: 7064
February 08, 2023, 02:52:47 PM
#71
Even M5stickV has 3 buttons now. After an update, power button can be used to navigate(go back).
DIY version Dock navigates using a rotary encoder.
Yeah I know, but I have to admit that buttons are not very comfortable to use, if anyone plans to use them for entering letters and seed words manually Wink

I don't know how old Androids will handle the app. As the app doesn't require anything fancy I hope it has some wide range of compatibility. I have some cheap, but not old phones to test. If you try let us know if it worked.
I tried using Krux app with Android v4.4.2 and sadly it could not be installed on this old smartphone from year 2015.
It works just fine in any newer smartphone and in android emulators.
newbie
Activity: 28
Merit: 29
February 07, 2023, 05:39:19 PM
#70
Small device M5StickV K210 have two buttons I think, and other larger devices that work with Krux code have more buttons.
Even M5stickV has 3 buttons now. After an update, power button can be used to navigate(go back).
DIY version Dock navigates using a rotary encoder.

-Android:
I don't know how old Androids will handle the app. As the app doesn't require anything fancy I hope it has some wide range of compatibility. I have some cheap, but not old phones to test. If you try let us know if it worked.
- Linux, Windows, Mac
If you have a PC running python, on any OS, by installing some requirements you can also run a very functional simulator from source code. It's a very good to start point to play with Krux code.
legendary
Activity: 2212
Merit: 7064
February 07, 2023, 04:04:55 PM
#69
How do you enter the passphrase when it has just one button? Or is it scanned in through a second QR code? Of course this wouldn't be an acceptable solution either, since someone could take a photo of that (while you don't notice) or just steal it, as well.
Dude, I don't know who told you about one button, but you are wrong about this, it would be almost impossible to operate any device with just one button, unless it's joystick style  Wink
Small device M5StickV K210 have two buttons I think, and other larger devices that work with Krux code have more buttons.

Sure! But at that point, it resembles more an airgapped computer than a hardware wallet, for me. Of course it will be hard to draw a line between the two definitions.
It's airgapped device.
Computer usually have more functions and it has wider attack surface.

Yes I was talking about this, but previous version of secure element ATECC508A had even bigger issues, so old ColdCard (I think mk2) had to change it very fast.
It's realistic to say that same thing can happen with  ATECC608A and ATECC508B in future, like with any other secure elements, and you can't exactly remove and replace secure element from working device.

Do you know how passphrase entry is realized? I believe unless you have a nice keypad like Passport or ColdCard, most people will just avoid using (a sufficiently secure) one.
Even if you have perfect keypad like Passport you certainly wont write very long passphrase essays, because you still need to enter this each time you use device.

You could check the Android app to have an idea of what we are talking about.
Krux Android App for testing (this is also working on some Android emulators I tried):
https://github.com/odudex/krux_binaries/tree/main/Android

What would be oldest the Android version supporting Krux app?
I have some ancient smartphone device with Android 4 or 5 I think  Cheesy
newbie
Activity: 28
Merit: 29
February 07, 2023, 08:48:02 AM
#68
Krux smaller devices has 3 buttons, and the most popular, Amigo, has capacitive touch screen. You could check the Android app to have an idea of what we are talking about.
hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
February 07, 2023, 12:23:33 AM
#67
The necessity to protect the (cleartext) seed QR is a pretty huge downside of this system. You can't even know if someone copied it, since you always carry it around in clear text.
While a quick picture of the QR gives the attacker full access, as well as the ability to stay unnoticed
That's what passphrases are for.
How do you enter the passphrase when it has just one button? Or is it scanned in through a second QR code? Of course this wouldn't be an acceptable solution either, since someone could take a photo of that (while you don't notice) or just steal it, as well.

I don't need to carry around my seed phrase backups, though. They are in safe locations.
You don't need to care physical seed phrase backup, but you are doing it in digital form inside secure element.
Exactly: Inside a secure element and not in clear text on an easy to scan QR code. Even if you have a good exploit against the specific secure element, it may take hours or days, as well as obviously lots of money and knowledge, execute it.

I agree with you that Krux is not very good as a portable device, but it's good enough as a part of multisig setup and to use it at home.
Sure! But at that point, it resembles more an airgapped computer than a hardware wallet, for me. Of course it will be hard to draw a line between the two definitions.

Meanwhile a hardware wallet with secure element can also be left in a less secure location where it is quickly and easily accessible.
That is fine until someone exploits that secure element, and we already saw that many secure elements are not secure anymore, including ATECC608A that is used in Passport, OneKey, Cypherock, ColdCard Mk3...
You are referring to this attack, right? https://hackaday.com/2022/11/26/defeating-a-cryptoprocessor-with-laser-beams/
Well, not secure is a bit exaggerated. Have you seen what type of setup and knowledge is needed to attack it, the risks and challenges in that process? It's not comparable to just having the seed on a piece of paper in clear text. Even setting up a passphrase cracking rig will be easier and cheaper for most folks than performing a hardware attack on a secure element. There are also significant risks involved, such as breaking the device / chip while opening and decapsulating the secure element.
Basically, you can compare such measures to physical locks. None is 100% safe, but they are made to discourage an attacker and buy you as much time as possible in case they do decide to try bypassing it. Time for moving your coins / calling the police, respectively.

While a quick picture of the QR gives the attacker full access, as well as the ability to stay unnoticed, hacking a Passport (or similar) requires it to be gone for hours (to attempt an intensive hardware attack). You are much more likely to notice that.
Good passphrase and multisig solves this problem very easy, but it would be good to see Krux devs making some unique protection methods in future.
Do you know how passphrase entry is realized? I believe unless you have a nice keypad like Passport or ColdCard, most people will just avoid using (a sufficiently secure) one.

With that said: I could argue that you could also use a passphrase on your Passport with secure element. Twice as secure; first layer of defense: secure element, second layer of defense: passphrase. Meanwhile when stealing someone's Krux & QR code, there is only the second layer.
legendary
Activity: 2212
Merit: 7064
February 06, 2023, 03:17:08 PM
#66
I don't need to carry around my seed phrase backups, though. They are in safe locations.
You don't need to care physical seed phrase backup, but you are doing it in digital form inside secure element.
I agree with you that Krux is not very good as a portable device, but it's good enough as a part of multisig setup and to use it at home.

Meanwhile a hardware wallet with secure element can also be left in a less secure location where it is quickly and easily accessible.
That is fine until someone exploits that secure element, and we already saw that many secure elements are not secure anymore, including ATECC608A that is used in Passport, OneKey, Cypherock, ColdCard Mk3...

While a quick picture of the QR gives the attacker full access, as well as the ability to stay unnoticed, hacking a Passport (or similar) requires it to be gone for hours (to attempt an intensive hardware attack). You are much more likely to notice that.
Good passphrase and multisig solves this problem very easy, but it would be good to see Krux devs making some unique protection methods in future.

That's what passphrases are for. You can also write your seed in different ways, formats, number bases, encodings, encrypted, but sure this is not for everyone. Most people should just trust companies and go with mainstream solutions.
Krux has a supporting role in sovereign strategy, it's a Swiss army knife for create and load seeds in a variety of forms and to sign PSBTs and messages, it requiring less trust.
Do you think it would be possible to have some alternative firmware option for Krux similar like Jade wallet is using with third party server?
newbie
Activity: 28
Merit: 29
February 06, 2023, 12:18:24 PM
#65
The necessity to protect the (cleartext) seed QR is a pretty huge downside of this system. You can't even know if someone copied it, since you always carry it around in clear text.
While a quick picture of the QR gives the attacker full access, as well as the ability to stay unnoticed
That's what passphrases are for. You can also write your seed in different ways, formats, number bases, encodings, encrypted, but sure this is not for everyone. Most people should just trust companies and go with mainstream solutions.
Krux has a supporting role in sovereign strategy, it's a Swiss army knife for create and load seeds in a variety of forms and to sign PSBTs and messages, it requiring less trust.

Can Krux be used in multisig setup with other hardware wallets?
Yes!
Pages:
Jump to: