
Topic: Krux DIY Hardware Wallet - page 6. (Read 1949 times)

hero member
Activity: 882
Merit: 5814
not your keys, not your coins!
September 26, 2021, 11:04:55 AM
#23
I think I will actually build one Smiley
Please note that Krux wallet can't function as a normal hardware wallet, but more like a cosigner in a multisignature setup,
so every time you turn it off from power you will wipe its memory, and you will have to import your key every time you turn it on.
Another thing that I don't like is the fact that the code is new, not time tested and there could be some hidden bugs even in this simple code.
This wallet has good and bad sides, it's very cheap and I think it serves a great purpose as a multisig device.

Here are some images and videos how Krux works in real life:
https://twitter.com/DIYbitcoin/status/1437293312810143745
Thanks for these clarifications! So it's really a simpler version of SeedSigner basically. Pity it has no persistent (secure) storage, I assumed it had.
Didn't an M5Stack with secure element exist? I think it does, but without camera.

I'll have a look if maybe a secure memory chip can just be added (soldered) into such an M5StickV device and firmware modified to make use of it.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
September 26, 2021, 09:14:18 AM
#22
I think I will actually build one Smiley
Please note that Krux wallet can't function as a normal hardware wallet, but more like a cosigner in a multisignature setup,
so every time you turn it off from power you will wipe its memory, and you will have to import your key every time you turn it on.
Another thing that I don't like is the fact that the code is new, not time tested and there could be some hidden bugs even in this simple code.
This wallet has good and bad sides, it's very cheap and I think it serves a great purpose as a multisig device.

Here are some images and videos how Krux works in real life:
https://twitter.com/DIYbitcoin/status/1437293312810143745
hero member
Activity: 882
Merit: 5814
not your keys, not your coins!
September 25, 2021, 12:49:22 PM
#21
Wow, this is so cool! I found this from @dkbit98's other great thread: AirGapped Hardware Wallets. Good job, @jreesun, I think I will actually build one Smiley Wanted to build a SeedSigner, but honestly there are more components that need to be sourced and more assembly, so I love that you use an M5Stack as base for this project. I'm a big fan of these devices, even though I haven't gotten around to buying one to play around with yet, so this looks like the perfect opportunity.. Grin

One big advantage is also that it's not so expensive. The other airgapped hardware wallets are much more expensive or not open source, etc., while here you actually buy a device without any firmware at all, which I love and it's around 50 bucks. Edit: It's actually only just over 30, where I live! Shocked

As for:
Why would I go with a product with some code with this warning:

Quote
WARNING: While functional, this is currently alpha-quality software and could have bugs or other issues that might cause you to lose your coins. Use at your own risk!
...when for about the same price I could buy a Trezor or Ledger?
For me, the difference is that this is air gapped and open source. Trezor is also open source, but not air gapped. I have yet to look more into this specific M5Stack, since I'm not sure if it has a secure element or not, but if it had, that would be another advantage over the Trezor. Of course, Ledger is not an option for me, but there are other topics about Ledger. And finally, they're both more than 50 bucks, even when on discount.

I'd still not store too much on such an M5Stack, but would be quite fun to play around with one for sure..

Edit 2: For anyone wondering where to get one cheap, so far it seems to me CoolComponents (UK) has the best price, just over 23GBP before VAT (which depends on where you live).
newbie
Activity: 11
Merit: 2
July 31, 2021, 09:30:35 AM
#20
Lol:

https://i.imgur.com/fuKjuiC.png

And though this might just be a standard disclaimer, why would I go with a product with some code with this warning:

Quote
WARNING: While functional, this is currently alpha-quality software and could have bugs or other issues that might cause you to lose your coins. Use at your own risk!
...when for about the same price I could buy a Trezor or Ledger?

On a positive note, it is very small and doesn't look like a standard HW wallet.  On the other hand, from the pictures it looks rather cheaply-made.  I'm not at all familiar with M5Stack, so I could be wrong.  Am I wrong?

Is that the M5Stack website? Depending on where you are, try Digikey, Mouser, Farnell, AliExpress, etc. They are almost always in stock somewhere.
newbie
Activity: 10
Merit: 108
July 27, 2021, 08:09:51 PM
#19
There are obviously small differences in devices and batteries, but I guess in theory your code for Krux wallet could work perfectly fine even on Jade hardware wallet, and it is currently a bit cheaper than M5StickV.

Yes, I see what you mean! That would be a cool thing to test. If it works, that could be a good source of ~$40 devices if there ends up being limited availability of the M5StickV. It would also be a good way to continue supporting Blockstream's efforts Smiley

That said, there are quite a few distributors of the M5StickV that I thought I would list here. You don't have to buy it directly from the M5Stack shop. The average price across all of them is also around $40:

https://www.adafruit.com/product/4321
https://www.mouser.com/ProductDetail/Adafruit/4321
https://www.digikey.com/en/products/detail/m5stack-technology-co-ltd/K027/10492135
https://leeselectronic.com/en/product/169940-m5stick-ai-camera-kendryte-k210-risc-v-core-no-wifi.html
https://www.cytron.io/c-development-tools/c-fpga/p-m5stickv-k210-ai-camera-without-wifi
https://shop.pimoroni.com/products/m5stick-v-k210-ai-camera-without-wifi
https://www.okdo.com/p/m5stickv-k210-ai-camera-without-wifi/
legendary
Activity: 2212
Merit: 7064
Cashback 15%
July 27, 2021, 08:31:34 AM
#18
Wow! I honestly had no idea that existed until now. There's certainly an uncanny resemblance, but upon closer inspection there do appear to be some (minor) differences:
1. Their case is (obviously) custom and isn't the same one that the M5StickV uses. Their case also appears to be longer, and the front button is in a different location.
2. The specs of the two devices are similar but seem to be very slightly different: the Jade has Bluetooth, the M5StickV does not. Also, their battery is 240mAh, whereas the M5StickV is 200mAh. Maybe this is why their case is longer?
It's easy to 3D print a custom case and I even found a Jade CAD STL file on GitHub.
There are even cheaper devices like the M5StickC ESP32 for less than $14 but they are basic models and they don't have an integrated camera.
One more DIY wallet with a similar concept to yours is the Bowser wallet made by arcbtc.

It says "M5 Bitcoin Pocket," so I'm guessing it's a custom M5 product that is obviously extremely similar to the M5StickV with minor differences?
There are obviously small differences in devices and batteries, but I guess in theory your code for Krux wallet could work perfectly fine even on Jade hardware wallet, and it is currently a bit cheaper than M5StickV.
newbie
Activity: 10
Merit: 108
July 27, 2021, 07:28:27 AM
#17
Hey all, I'm the author of Krux. I noticed some traffic coming from here on GitHub and was pleasantly surprised to find this post.  Smiley Thank you, dkbit98, for the write-up!
Hi jreesun,
I am glad you found the source of traffic, joined Bitcointalk forum, and I hope you will stick around as we need more genuine users like you.

One question for you, have you checked Blockstream Jade hardware wallet and can you confirm it is using exactly the same M5StickV device as Krux wallet?
https://blockstream.com/jade/

Wow! I honestly had no idea that existed until now. There's certainly an uncanny resemblance, but upon closer inspection there do appear to be some (minor) differences:
1. Their case is (obviously) custom and isn't the same one that the M5StickV uses. Their case also appears to be longer, and the front button is in a different location.
2. The specs of the two devices are similar but seem to be very slightly different: the Jade has Bluetooth, the M5StickV does not. Also, their battery is 240mAh, whereas the M5StickV is 200mAh. Maybe this is why their case is longer?

Looking at their code, they don't seem to be using MaixPy at all (M5Stack's version of Micropython), but rather are building on top of the Espressif IoT Development Framework.

Their hardware folder contains this:
https://github.com/Blockstream/Jade/blob/master/hardware/Jade_v1_schematics.pdf

It says "M5 Bitcoin Pocket," so I'm guessing it's a custom M5 product that is obviously extremely similar to the M5StickV with minor differences?
legendary
Activity: 2842
Merit: 7333
Crypto Swap Exchange
July 26, 2021, 04:35:08 AM
#16
It's fun as a hobby, but creating your own Jade (Blockstream's hardware wallet) is more practical. Jade also uses similar hardware (on price and physical size), but the source code is available for free and thoughtfully tested.
Yes, I think they are using the exact same device as the Jade wallet, but one problem with the Jade code is that some people don't like their PIN code connected with their server.

You're right, I completely forgot about the controversial feature.

Krux would be an alternative for that but I would wait a few weeks or months for some code audits and reviews.


Assuming someone plans to perform an audit (or pay someone to do it), but I doubt it'll happen anytime soon since the repository itself has 0 stars.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
July 27, 2021, 06:51:05 AM
#16
Hey all, I'm the author of Krux. I noticed some traffic coming from here on GitHub and was pleasantly surprised to find this post.  Smiley Thank you, dkbit98, for the write-up!
Hi jreesun,
I am glad you found the source of traffic, joined Bitcointalk forum, and I hope you will stick around as we need more genuine users like you.

One question for you, have you checked Blockstream Jade hardware wallet and can you confirm it is using exactly the same M5StickV device as Krux wallet?
https://blockstream.com/jade/
newbie
Activity: 10
Merit: 108
July 27, 2021, 06:41:21 AM
#15
Hey all, I'm the author of Krux. I noticed some traffic coming from here on GitHub and was pleasantly surprised to find this post.  Smiley Thank you, dkbit98, for the write-up!

I wanted to answer some questions that were brought up in this thread and shed more light on the project in general.

First of all, I'd like to be clear that this project isn't associated with the company (M5Stack) that makes the M5StickV. They make a bunch of embedded devices, of which the M5StickV is one. From what I gather, M5Stack is sort of like the Chinese for-profit version of the Raspberry Pi Foundation.

Krux is "just" custom firmware and software I wrote for the device to turn it into a hardware wallet. I was in the market for a DIY multisig device and came across cool projects like SeedSigner (for the Pi Zero) and Specter-DIY, but ultimately decided that I wanted to try making my own after I came across the M5StickV on Adafruit. It seemed ripe for being turned into a hardware wallet with all it had packed into it, especially for the price point ($30-$50 depending on which distributor you buy it from).

So, I got to work, used the embit (embedded bitcoin) micropython library for bitcoin-related logic, wrote an interface on top of it, and got my hands dirty making QR codes (and everything else) work.

This started as a side project that morphed into something I thought was pretty cool and had the potential to be more widely useful, so here we are. I made the repo public a few days ago and haven't had any audits done (not opposed, but I don't think I could afford it), let alone another software engineer's eyes. That's the reason for the scary-sounding disclaimer for now; I don't want my hobby project to be the reason someone loses their money. But it does work!

Quote
I never had a device with an OV7740 sensor but I think it'd take a while before someone can successfully scan a QR code with its camera.
This is actually rather fast so long as the QR code is flat and not changing too rapidly. For some reference, it can handle reading the animated QR codes that Specter Desktop generates, which I believe change every 500ms. I did have to do some work here to speed things up and improve accuracy such as capturing in grayscale at a lower resolution and converting to a binary black/white image for processing. Fun problem to solve. The display shows the processed image, so you can see the world in black and white [insert maximalist joke here].

The more difficult part was making QR codes fit the tiny display and still be readable by other devices (webcams). It generates its own animated QR codes to solve for this. Alternatively, you can also hook up an Adafruit thermal printer to it and print out the QR codes to pack more data into them (thus generating fewer).

Printing is a useful feature in general: it lets you make physical backups of your seed phrase, print out signed PSBTs (that you could mail if you wanted), etc. There's a section on the README about it if anyone's interested. It adds to the cost, but just another $50.

Quote
Then again, there doesn't seem to be a way to zoom in on the pictures so I can't tell with any great detail how the finish of the shell actually looks but it does look like cheap plastic.
Not sure what your criteria are to consider something "cheap plastic," but it feels solid to me. You'd have to be trying to break it in order to break it. It seems to be two pieces (front and back) of injection molded plastic snapped and screwed together.

Quote
I am too lazy during summertime to load and install firmware with everything else on it and do some testing and reviews.
For anyone reading this, just want to mention that I added a Dockerfile to handle the process of building the firmware so that anyone with Docker and Python 3 installed should be able to do this now. Ideally, I would have liked for Docker to be the only requirement, but passing through USB serial devices from the host into Docker seems to be hard to do. So for now, Docker builds the firmware, and the Python scripts you invoke directly load the firmware (a binary file that resides in the Docker image) and the software (all contents under 'src').

Hope that helped. I'll check this thread periodically and try to answer what I can!
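Added example, not part of the post above or of Krux's code: the post says the device shows and reads animated QR codes, so the receiving side has to rebuild one payload from frames that arrive in any order and more than once as the animation loops. The `pMofN` header, the base64 body and all function names here are an assumed framing for illustration, and the payload bytes are constructed.

```python
import base64

# Constructed sample payload (placeholder bytes, not a real PSBT).
SAMPLE = bytes(range(200))


def split_frames(payload, chunk_size=60):
    """Split a payload into text frames 'p<i>of<n> <base64 chunk>' (assumed framing)."""
    text = base64.b64encode(payload).decode("ascii")
    chunks = [text[i:i + chunk_size] for i in range(0, len(text), chunk_size)] or [""]
    total = len(chunks)
    return ["p%dof%d %s" % (i, total, c) for i, c in enumerate(chunks, start=1)]


class FrameCollector:
    """Collects frames scanned from a looping animation, in any order, with repeats."""

    def __init__(self):
        self.total = None
        self.parts = {}

    def add(self, frame):
        """Feed one decoded QR string; returns True once every part is present."""
        header, _, body = frame.partition(" ")
        idx_s, sep, total_s = header[1:].partition("of")
        digits_ok = all(s.isascii() and s.isdigit() for s in (idx_s, total_s))
        if not header.startswith("p") or not sep or not digits_ok:
            raise ValueError("not a multipart frame: %r" % header)
        idx, total = int(idx_s), int(total_s)
        if total < 1 or not 1 <= idx <= total:
            raise ValueError("part index out of range")
        if self.total is None:
            self.total = total
        elif total != self.total:
            # A frame from another animation must not be mixed into this payload.
            raise ValueError("frame belongs to a different sequence")
        if idx in self.parts and self.parts[idx] != body:
            # Same slot, different data: refuse rather than guess which is right.
            raise ValueError("conflicting data for part %d" % idx)
        self.parts[idx] = body
        return len(self.parts) == self.total

    def payload(self):
        """Return the reassembled bytes; fails if any part is still missing."""
        if self.total is None or len(self.parts) != self.total:
            raise ValueError("sequence incomplete")
        text = "".join(self.parts[i] for i in range(1, self.total + 1))
        return base64.b64decode(text, validate=True)


def reassemble(scanned):
    """Feed scanned frame strings until the sequence is complete, then decode it."""
    collector = FrameCollector()
    for frame in scanned:
        if collector.add(frame):
            break
    return collector.payload()


if __name__ == "__main__":
    frames = split_frames(SAMPLE)
    # Camera starts mid-loop and sees one frame twice.
    seen = [frames[3], frames[4], frames[4], frames[0], frames[1], frames[2]]
    print(len(frames), reassemble(seen) == SAMPLE)
```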
legendary
Activity: 2212
Merit: 7064
Cashback 15%
July 25, 2021, 01:56:32 PM
#14
It's fun as a hobby, but creating your own Jade (Blockstream's hardware wallet) is more practical. Jade also uses similar hardware (on price and physical size), but the source code is available for free and thoughtfully tested.
Yes, I think they are using the exact same device as the Jade wallet, but one problem with the Jade code is that some people don't like their PIN code connected with their server.
Krux would be an alternative for that but I would wait a few weeks or months for some code audits and reviews.

I'm not very fond of hardware wallets either, but it does the job and is a lot more n00b friendly (until they enter their seed words on a phishing site).
Or until scammers send you modified ''free gift'' fake device, because your address got leaked in one of ledger leaks (true story) Cheesy
legendary
Activity: 2968
Merit: 3406
Crypto Swap Exchange
July 25, 2021, 09:11:48 AM
#13
and it has camera for QR codes, something that trezor or ledger don't have.
You're right but after watching the following "video", I'm not convinced that feature would be usable for those with a slight hand tremor...

- I never had a device with an OV7740 sensor but I think it'd take a while before someone can successfully scan a QR code with its camera.
- Sorry for nitpicking [I do know it's just a $50 product], but I expected a little more after seeing they've doubled its price [it used to be only "$26.50"].
legendary
Activity: 2842
Merit: 7333
Crypto Swap Exchange
July 25, 2021, 05:48:55 AM
#12
It's fun as a hobby, but creating your own Jade (Blockstream's hardware wallet) is more practical. Jade also uses similar hardware (on price and physical size), but the source code is available for free and thoughtfully tested.
legendary
Activity: 3500
Merit: 6205
Looking for campaign manager? Contact icopress!
July 25, 2021, 08:54:21 AM
#12
In my experience, those requirements don't work well together. I've spent a lot of time creating and signing a transaction offline, and ran into several problems (wrong version of Electrum and later a fee of less than 1 sat/byte). It took a while to get it all right, and considering how little I do this, I already forgot which Live CD eventually worked.

I've done that successfully for a short while before moving to the convenience of a proper HW.
After writing the latest Tails OS onto the USB stick it's all good, no need to look for "what was the CD"? Or at least for me that was it all.

I do have spare netbooks though, but they're old (1GB) and slow, and I never set them up for offline usage.

 Smiley and here comes the difference. While I do have plenty of spare USB sticks, I literally have no old laptop for this. My oldest laptop (12 years old) got a RAM update and was used lately by my kids even for online school.

(until they enter their seed words on a phishing site).

LOL!
Those who don't read the very basics do deserve their fate though...

Until they come with their own data connection. Prepaid data isn't that expensive anymore, and could be worth it in a targeted attack. People have already been sent fake hardware wallets by post.

I've read about the fake ledgers on bitcointalk. I don't think though that general purpose development devices like this are worth such an attack, since the vast majority will not be used as HW.

It's fun as a hobby, but creating your own Jade (Blockstream's hardware wallet) is more practical. Jade also uses similar hardware (on price and physical size), but the source code is available for free and thoughtfully tested.

Imho the more the variety to choose from, the better. I expect Jade to be less easy to buy than this M5StickV in some countries.
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 24, 2021, 10:21:45 AM
#11
a few reboots ~ easy to use cold storage
In my experience, those requirements don't work well together. I've spent a lot of time creating and signing a transaction offline, and ran into several problems (wrong version of Electrum and later a fee of less than 1 sat/byte). It took a while to get it all right, and considering how little I do this, I already forgot which Live CD eventually worked.

I do have spare netbooks though, but they're old (1GB) and slow, and I never set them up for offline usage.

Quote
But some do prefer the convenience of HW, some do prefer to use it together with their smartphone, ... and this kind of setup may be OK for them.
I'm not very fond of hardware wallets either, but it does the job and is a lot more n00b friendly (until they enter their seed words on a phishing site).

Quote
And those devices can have their own "hidden" internet only if they get connected through wires (which you should clearly not do) or you enter there your WiFi password (which would be even more stupid to do).
Until they come with their own data connection. Prepaid data isn't that expensive anymore, and could be worth it in a targeted attack. People have already been sent fake hardware wallets by post.
legendary
Activity: 3500
Merit: 6205
Looking for campaign manager? Contact icopress!
July 24, 2021, 09:56:47 AM
#10
Again: I'd trust a standard netbook with standard Linux distribution more, especially when kept offline. If USB cables can be used to access your computer, how long will it take before "offline" devices come with their own hidden internet connection?

It's not even needed to have an old notebook. A USB stick with Tails OS and a few reboots actually can do all you need for pretty much all the safety you need and an easy to use cold storage.
But some do prefer the convenience of HW, some do prefer to use it together with their smartphone, ... and this kind of setup may be OK for them.

And those devices can have their own "hidden" internet only if they get connected through wires (which you should clearly not do) or you enter there your WiFi password (which would be even more stupid to do).
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
July 24, 2021, 09:46:59 AM
#9
Since Ledger/Trezor is not available in certain countries or there could be trust issues there, with this kind of setup you should be basically risk free.
If that would be the case, I'd rather use an old netbook, they're cheap and much more versatile. Take out the Wifi module if needed, and install anything you want offline.

On the other hand, this kind of hardware may be safe since you flash it yourself with the software you probably check first.
Again: I'd trust a standard netbook with standard Linux distribution more, especially when kept offline. If USB cables can be used to access your computer, how long will it take before "offline" devices come with their own hidden internet connection?
legendary
Activity: 3500
Merit: 6205
Looking for campaign manager? Contact icopress!
July 24, 2021, 08:42:43 AM
#8
Since Ledger/Trezor is not available in certain countries or there could be trust issues there, with this kind of setup you should be basically risk free.
Are those two brands specifically prohibited in certain countries or are HW wallets in general prohibited?  If it's the latter, then owning this device--even though it's not officially a HW wallet--would be kind of risky, wouldn't it?  Also, I know this is straying from the topic, but what countries have banned HW wallets?

I think that it was about not being available (no way to buy it, no resellers, nothing), not straight banned.
There was a thread from a guy (iirc he was from Arabia somewhere) who had this issue and wanted a solution.

The problem is that a HW I would not buy from just anybody. It has to be the producer or a certified reseller.
On the other hand, this kind of hardware may be safe since you flash it yourself with the software you probably check first.

Judging by the address at the bottom of the page, these products are shipped out of China.

Indeed, AliExpress has its share of M5Stack sellers, so it's most probably from China.

>>>
And while it's not a HW per se, it's actually a development kit, like RasPi or Arduino, it seems to have all you need to build something with HW capabilities off it.
legendary
Activity: 2212
Merit: 7064
Cashback 15%
July 24, 2021, 08:26:44 AM
#7
Have you ordered one of these, by the way?  I'd love to see some high resolution pics and hear a review about its utility as a HW wallet.
No, I ordered another similar ESP32 device but I am too lazy during summertime to load and install firmware with everything else on it and do some testing and reviews.
I was thinking of ordering a similar M5Stick device that was much cheaper but it didn't have a camera or battery.
These DIY projects are not meant for keeping large amounts of coins, but they are more of a better version of wallet than keeping coins on some mobile device.
legendary
Activity: 2730
Merit: 7065
Farewell, Leo. You will be missed!
July 24, 2021, 08:12:29 AM
#6
Judging by the address at the bottom of the page, these products are shipped out of China. When you order it in the EU you will likely be required to pay VAT as well.
It's a bit of a letdown that a product meant to store cryptocurrencies doesn't accept crypto as one of its payment methods, but they aren't the only ones. Apparently they only take PayPal and credit cards. 