Topic: Krux DIY Hardware Wallet - page 6. (Read 2062 times)

Yeah, I think jreesun first saw SeedSigner DIY device, and than he came up with an idea to use M5StickV to create his own version of signing device.
I think he did a great job with that fast QR codes and simple menus.

There is only one ESP32 device with secure element same like in ColdCard, Bitbox02 and Passport, that is M5Stack Core2 ESP32 AWS, but it's more expensive and there is no camera included.
You always have tradeoffs with this devices.

Thanks for these clarifications! So it's really a simpler version of SeedSigner basically. Pity it has no persistent (secure) storage, I assumed it had.
Didn't an M5Stack with secure element exist? I think it does, but without camera.

I'll have a look if maybe a secure memory chip can just be added (soldered) into such an M5StickV device and firmware modified to make use of it.

Please note that Kruh wallet can't function as normal hardware wallet, but more like a cosigner in a multisignature setup,
so every time you turn it off from power you will wipe his memory, and you will have to import your key every time you turn it on.
Other thing that I don't like is the fact that code is new, not time tested and there could be some hidden bugs even in this simple code.
This wallet has good and bad sides, it's very cheap and I think it serves great purpose for multisig device.

Here are some images and videos how Krux works in real life:
https://twitter.com/DIYbitcoin/status/1437293312810143745

Wow, this is so cool! I found this from @dkbit98's other great thread: AirGapped Hardware Wallets. Good job, @jreesun, I think I will actually build one Wanted to build a SeedSigner, but honestly there are more components that need to be sourced and more assembly, so I love that you use an M5Stack as base for this project. I'm a big fan of these devices, even though I haven't gotten around to buying one to play around with yet, so this looks like the perfect opportunity..

One big advantage is also that it's not so expensive. The other airgapped hardware wallets are much more expensive or not open source, etc., while here you actually buy a device without any firmware at all, which I love and it's around 50 bucks. Edit: It's actually only just over 30, where I live!

As for:
For me, the difference is that this is air gapped and open source. Trezor is also open source, but not air gapped. I have yet to look more into this specific M5Stack, since I'm not sure if it has a secure element or not, but if it had, that would be another advantage over the Trezor. Of course, Ledger is not an option for me, but there are other topics about Ledger. And finally, they're both more than 50 bucks, even when on discount.

I'd still not store too much on such an M5Stack, but would be quite fun to play around with one for sure..

Edit 2: For anyone wondering where to get one cheap, so far it seems to me CoolComponents (UK) has the best price, just over 23GBP before VAT (which depends on where you live).

is that the m5stack website? depending where you are, try digikey, mouser, farnell, aliexpress, etc. they are almost always in stock somewhere.

Yes, I see what you mean! That would be a cool thing to test. If it works, that could be a good source of ~$40 devices if there ends up being limited availability of the M5StickV. It would also be a good way to continue supporting Blockstream's efforts

That said, there are quite a few distributors of the M5StickV that I thought I would list here. You don't have to buy it directly from the M5Stack shop. The average price across all of them is also around $40:

https://www.adafruit.com/product/4321
https://www.mouser.com/ProductDetail/Adafruit/4321
https://www.digikey.com/en/products/detail/m5stack-technology-co-ltd/K027/10492135
https://leeselectronic.com/en/product/169940-m5stick-ai-camera-kendryte-k210-risc-v-core-no-wifi.html
https://www.cytron.io/c-development-tools/c-fpga/p-m5stickv-k210-ai-camera-without-wifi
https://shop.pimoroni.com/products/m5stick-v-k210-ai-camera-without-wifi
https://www.okdo.com/p/m5stickv-k210-ai-camera-without-wifi/

It's easy to 3d print custom case and I even found Jade cad STL file on github.
There are even cheaper devices like M5StickC ESP32 for less than $14 but they are basic model and they don't have camera integrated.
One more DIY wallet with similar concept like yours is Bowser wallet made by arcbtc.

There are obviously small differences in devices and batteries, but I guess in theory your code for Krux wallet could work perfectly fine even on Jade hardware wallet, and it is currently a bit cheaper than M5StickV.

Wow! I honestly had no idea that existed until now. There's certainly an uncanny resemblance, but upon closer inspection there do appear to be some (minor) differences:
1. Their case is (obviously) custom and isn't the same one that the M5StickV uses. Their case also appears to be longer, and the front button is in a different location.
2. The specs of the two devices are similar but seem to be very slightly different: the Jade has Bluetooth, the M5StickV does not. Also, their battery is 240mAh, whereas the M5StickV is 200mAh. Maybe this is why their case is longer?

Looking at their code, they don't seem to be using MaixPy at all (M5Stack's version of Micropython), but rather are building on top of the Espressif IoT Development Framework.

Their hardware folder contains this:
https://github.com/Blockstream/Jade/blob/master/hardware/Jade_v1_schematics.pdf

It says "M5 Bitcoin Pocket," so I'm guessing it's a custom M5 product that is obviously extremely similar to the M5StickV with minor differences?

You're right, i completely forget about the controversial feature.



Assuming someone plan to perform audit (or pay someone to do it), but i doubt it'll happen anytime soon since the repository itself has 0 starts.

Hi jreesun,
I am glad you found the source of traffic, joined Bitcointalk forum, and I hope you will stick around as we need more genuine users like you.

One question for you, have you checked Blockstream Jade hardware wallet and can you confirm it is using exactly the same M5StickV device as Krux wallet?
https://blockstream.com/jade/

Hey all, I'm the author of Krux. I noticed some traffic coming from here on GitHub and was pleasantly surprised to find this post.  Thank you, dkbit98, for the write-up!

I wanted to answer some questions that were brought up in this thread and shed more light on the project in general.

First of all, I'd like to be clear that this project isn't associated with the company (M5Stack) that makes the M5StickV. They make a bunch of embedded devices, of which the M5StickV is one. From what I gather, M5Stack is sort of like the Chinese for-profit version of the Raspberry Pi Foundation.

Krux is "just" custom firmware and software I wrote for the device to turn it into a hardware wallet. I was in the market for a DIY multisig device and came across cool projects like SeedSigner (for the Pi Zero) and Specter-DIY, but ultimately decided that I wanted to try making my own after I came across the M5StickV on Adafruit. It seemed ripe for being turned into a hardware wallet with all it had packed into it, especially for the price point ($30-$50 depending on which distributor you buy it from).

So, I got to work, used the embit (embedded bitcoin) micropython library for bitcoin-related logic, wrote an interface on top of it, and got my hands dirty making QR codes (and everything else) work.

This started as a side project that morphed into something I thought was pretty cool and had the potential to be more widely useful, so here we are. I made the repo public a few days ago and haven't had any audits done (not opposed, but I don't think I could afford it), let alone another software engineer's eyes. That's the reason for the scary-sounding disclaimer for now; I don't want my hobby project to be the reason someone loses their money. But it does work!

This is actually rather fast so long as the QR code is flat and not changing too rapidly. For some reference, it can handle reading the animated QR codes that Specter Desktop generates, which I believe change every 500ms. I did have to do some work here to speed things up and improve accuracy such as capturing in grayscale at a lower resolution and converting to a binary black/white image for processing. Fun problem to solve. The display shows the processed image, so you can see the world in black and white [insert maximalist joke here].

The more difficult part was making QR codes fit the tiny display and still be readable by other devices (webcams). It generates its own animated QR codes to solve for this. Alternatively, you can also hook up an Adafruit thermal printer to it and print out the QR codes to pack more data into them (thus generating fewer).

Printing is a useful feature in general: it lets you make physical backups of your seed phrase, print out signed PSBTs (that you could mail if you wanted), etc. There's a section on the README about it if anyone's interested. It adds to the cost, but just another $50.

Not sure what your criteria are to consider something "cheap plastic," but it feels solid to me. You'd have to be trying to break it in order to break it. It seems to be two pieces (front and back) of injection molded plastic snapped and screwed together.

For anyone reading this, just want to mention that I added a Dockerfile to handle the process of building the firmware so that anyone with Docker and Python 3 installed should be able to do this now. Ideally, I would have liked for Docker to be the only requirement, but passing through USB serial devices from the host into Docker seems to be hard to do. So for now, Docker builds the firmware, and the Python scripts you invoke directly load the firmware (a binary file that resides in the Docker image) and the software (all contents under 'src').

Hope that helped. I'll check this thread periodically and try to answer what I can!

Yes, I think they are using exact same device as Jade wallet, but one problem with Jade code is that some people don't like their pin code connected with their server.
Krux would be alternative for that but I would wait few weeks or months for some code audits and reviews.

Or until scammers send you modified ''free gift'' fake device, because your address got leaked in one of ledger leaks (true story) 

You're right but after watching the following "video", I'm not convinced that feature would be usable for those with a slight hand tremor...

<sup>- I never had a device with an OV7740 sensor but I think it'd take a while before someone can successfully scan a Qr code with its camera.
- Sorry for nitpicking [I do know it's just a $50 product], but I expected a little more after seeing they've doubled its price [it used to be only "$26.50"].</sup>

It's fun as hobby, but creating your own Jade (Blockstream's hardware wallet) is more practical. Jade also use similar hardware (on price and physical size), but the source code available for free and thoughtfully tested.

I've done that successfully for a short while before moving to the convenience of a proper HW.
After writing the latest Tails OS onto the USB stick it's all good, no need to look for "what was the CD"? Or at least for me that was it all.


  and here comes the difference. While I do have plenty of spare USB sticks, I literally have no old laptop for this. My oldest laptop (12 years old) got a RAM update and was used lately by my kids even for online school.


LOL!
Those who don't read the very basics do deserve their fate though...


I've read about the fake ledgers on bitcointalk. I don't think though that general purpose development devices like this worth such an attack, since the vast majority will not be used as HW.


Imho the more the variety to choose from, the better. I expect Jade be less easy to buy than this M5StickV in some countries.

In my experience, those requirements don't work well together. I've spent a lot of time creating and signing a transaction offline, and ran into several problems (wrong version of Electrum and later a fee of less than 1 sat/byte). It took a while to get it all right, and considering how little I do this, I already forgot which Live CD eventually worked.

I do have spare netbooks though, but they're old (1GB) and slow, and I never set them up for offline usage.

I'm not very fond of hardware wallets either, but it does the job and is a lot more n00b friendly (until they enter their seed words on a phishing site).

Until they come with their own data connection. Prepaid data isn't that expensive anymore, and could be worth it in a targeted attack. People have already been sent fake hardware wallets by post.

It's not even needed to have an old notebook. An USB stick with Tails OS and a few reboots actually can do all you need for pretty much all the safety you need and an easy to use cold storage.
But some do prefer the convenience of HW, some do prefer to use it together with their smartphone, ... and this kind of setup may be OK for them.

And those devices can have their own "hidden" internet only if they get connected through wires (which you should clearly not do) or you enter there your WiFi password (which would be even more stupid to do).

If that would be the case, I'd rather use an old netbook, they're cheap and much more versatile. Take out the Wifi module if needed, and install anything you want offline.

Again: I'd trust a standard netbook with standard Linux distribution more, especially when kept offline. If USB cables can be used to access your computer, how long will it takes before "offline" devices come with their own hidden internet connection?

I think that it was about not being available (no way to buy it, no resellers, nothing), not straight banned.
There was a thread from a guy (iirc he was from Arabia somewhere) who had this issue and wanted a solution.

The problem is that a HW I would not buy from just anybody. It has to be the producer or a certified reseller.
On the other hand, this hind of hardware may be safe since you flash it yourself with the software you probably check first.


Indeed, AliExpress has its share of M5Stack sellers, so it's most probably from China.

>>>
And while it's not a HW per se, it's actually a development kit, like RasPi or Arduino, it seems to have all you need to build something with HW capabilities off it.

No, I ordered other similar ESP32 device but I am to lazy during summertime to load and install firmware with everything else on it and do some testing and reviews.
I was thinking of ordering similar M5Stick device that was much cheaper but it didn't have camera or battery.
This DIY projects are not meant for keeping large amounts of coins, but they are more of better version of wallet than keeping coins on some mobile device.