specter-diy's People

Contributors

ben-kaufman, bitcoinheiro, darosior, davewhiiite, dennisreimann, dimaatmelodromru, dimitris-t, edouardparis, endnationstates, gorazdko, henrikhk, k9ert, kayth21, kdmukai, mflaxman, miketlk, moneymanolis, moritzwietersheim, openoms, polto, pythcoiner, roshii, seedsigner, stepansnigirev, stevenroose, surfac3, theoo, xavierfiechter

specter-diy's Issues

Enhancement: make a bip85 app for deterministic entropy

We have apps structure now, so we could develop an "app" that implements deterministic entropy derivation according to BIP-85.
The app has access to the keystore, so it could derive new seeds or WIFs or whatever from the root key of the keystore and show it on the screen. Completely stateless, no data storage, no communication with the host - only a GUI menu.

[Feature request] Add user (active) input to seed creation process

I understand that the seed is generated automagically using user input/interaction with the board before the seed generation button is pressed. Assuming every user has a different PIN and different handling, this should be enough from the technical perspective.

Anyway, it would be nice to be able to be more active on the seed creation process by adding entropy (and even seeing feedback of how that entropy affects the seed?)

I find the Specter DIY quite nice for this process, as a secure seed generator, a dedicated Ian Coleman BIP-39 tool: https://iancoleman.io/bip39/

Openoms also referred to another project that is using the raspi for this: https://www.rudefox.io/burrow/

He puts a great point here for adding this feature, it really makes the difference for people that don't trust hardware: https://www.rudefox.io/blog/2020-07-16-show-my-work.html

He even adds a sheet so people can verify if their dice entropy is actually being used for the seed creation:
https://www.rudefox.io/custody/walkthrough/create-seed/lookup-tables.pdf


Would be great to see something like this in the Specter DIY

Updating firmware on DISCO

Does something need to be erased before transferring a new bin file to the device? I'm getting an error that there is not enough space on the device to transfer the new .bin file. Attempted to format/erase but having difficulty there as well. Thanks

Implement displaying animated QR codes

relevant to #47

Sometimes our QR code is too big. We can split it into pieces and either animate it or ask the user to press for the next one.
Should be a class in gui.components.

Cooperating with Blockchain Common's LetheKit team on QR standards, etc.

Blockchain Commons would be interested in working with you to define some better cross-wallet standards for QR-based airgap exchange of master keys, child xprvs & xpubs, signing requests, and new wallet requests, for use with current and future versions of LetheKit as well as some of our other wallet projects such as our multisig iOS wallet FullyNoded-2, etc.

You also may be interested in the C implementations of some of our cryptographic libraries, in particular for two-level Shamir restoration of keys compatible with SLIP-39.

Other than issues in our repos, what is the best channel for having further discussions? We currently use a private Signal group, and plan to move current thoughts into a currently very out-of-date AirgappedSigning repo.

See companion issue BlockchainCommons/Gordian-Developer-Community#2

cc: @Fonta1n3 @ksedgwic @wolfmcnally @howech @kanzure @msgilligan @bucko13 @dhruvbansal @unchained-capital @devrandom

-- Christopher Allen

[Feature request] Import aezeed format to control the onchain part of the LND wallet

LND uses the aezeed seed format for its wallet: https://github.com/lightningnetwork/lnd/tree/master/aezeed
The wallet holds two balances:

Currently the conversion is best done with:
https://guggero.github.io/cryptography-toolkit/#!/aezeed or
https://github.com/guggero/chantools

Request:

  • An option to import the aezeed format 24 word seed + passphrase to SpecterDIY
  • display the Master Public keys for the accounts on:
    m/84'/0'/0'/0 (p2wkh)
    m/49'/0'/0'/0 (np2wkh)

qr code animations

Abstract

I did a proof of concept for scanning animated qrs automatically (without buttons): https://github.com/gorazdko/specter-diy/tree/animiated_qr_video

  • scanner is scanning in continuous mode with the following parameters:
# 100ms
INTERVAL_OF_SCANNING = 0x01
# 0x32 - enable 5 second delay
DELAY_OF_SAME_BARCODES = 128 + 0x32

Animations can be played with https://github.com/gorazdko/specter-desktop/tree/qr_animation

  • def qr_animate(qrtext, max_len=100): max_len determines the maximum chunk size of the
    frame
  • interval of animating can be set in window.setInterval(function(){full_psbt.qra_next()}, 250)
  • qrs are set for high recovery level (30%): QRCode.CorrectLevel.H

Results

It's feasible, though results aren't nearly as good as in https://divan.dev/posts/animatedqr/ where

The best result was 1.4 secs, which is almost 9KB/s! This result has been recorded at a rate of 11 frames per second and chunk size of 850 bytes with Medium recovery level

Here, one setting that works ok is 250 ms interval with 100 byte frames. For optimal settings one should play with parameters

Should we prefer this method over the one with buttons?

Improve recovery screen (bip39 words)

Entering the recovery phrase is still pretty painful.

I see two solutions:

  • change the orientation to landscape mode just for this screen - keyboard will be larger
  • add suggestions on top of keyboard, similar to modern phones
  • try something like swipe keyboard

Implement scanning of animated QR code

The problem:
Multisig wallet descriptors and transactions are pretty large. It's hard to scan even a 2 of 3 multisig transaction with more than one input.

The idea is to split the QR code in software and animate it. We can put a part number in the beginning of the QR code for example, such that if we see a QR code of the form p2of5 <data> we know that we scanned the 2nd of 5 QR codes.
The QRScanner class should be able to detect these animated QR codes and continue scanning until we have all the codes. Then it should combine them and send the full data.
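The split-and-recombine scheme sketched here and in the "qr code animations" post above, as an added example (not the project's own QRScanner code). It assumes the frame header format "p<N>of<M> " with 1-based part numbers, and collects frames in any order while tolerating repeats and noticing an inconsistent frame count, which matters because a scanner in continuous mode will see the same frame many times.

```python
import re
from typing import Dict, List, Optional

# Frame header assumed from the issue: "p2of5 <data>" means part 2 of 5.
FRAME_RE = re.compile(r"^p(\d+)of(\d+) (.*)$", re.DOTALL)


def split_for_animation(payload: str, max_len: int = 100) -> List[str]:
    """Split a payload into numbered frames carrying at most max_len data characters."""
    if max_len < 1:
        raise ValueError("max_len must be positive")
    chunks = [payload[i:i + max_len] for i in range(0, len(payload), max_len)] or [""]
    total = len(chunks)
    return ["p%dof%d %s" % (i + 1, total, c) for i, c in enumerate(chunks)]


class AnimatedQRCollector:
    """Accumulates animated-QR frames in any order and reports when the set is complete."""

    def __init__(self) -> None:
        self.total: Optional[int] = None
        self.parts: Dict[int, str] = {}

    def feed(self, frame: str) -> Optional[str]:
        """Return the full payload once every part was seen, else None.

        A frame without the header is a plain (single) QR code and is returned as-is.
        Raises ValueError when a frame contradicts what was already collected.
        """
        m = FRAME_RE.match(frame)
        if m is None:
            self.reset()
            return frame
        idx, total, data = int(m.group(1)), int(m.group(2)), m.group(3)
        if idx < 1 or idx > total:
            raise ValueError("bad part index %d of %d" % (idx, total))
        if self.total is None:
            self.total = total
        elif self.total != total:
            raise ValueError("frame count changed from %d to %d" % (self.total, total))
        # the same part scanned twice must carry identical data, otherwise the
        # animation was switched mid-scan or a frame was misread
        if idx in self.parts and self.parts[idx] != data:
            raise ValueError("part %d seen twice with different content" % idx)
        self.parts[idx] = data
        if len(self.parts) == self.total:
            payload = "".join(self.parts[i] for i in range(1, self.total + 1))
            self.reset()
            return payload
        return None

    def missing(self) -> List[int]:
        """Part numbers still to be scanned (useful for a progress indicator)."""
        if self.total is None:
            return []
        return [i for i in range(1, self.total + 1) if i not in self.parts]

    def reset(self) -> None:
        self.total = None
        self.parts = {}
```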

Make multisig addresses bip67-compatible

At the moment we are generating multisig addresses with pubkeys in the order of extended pub keys provided in the setup phase. This makes it compatible with current Bitcoin Core, but as sortedmulti descriptor is going to be added to Core we could change it to bip67 and sort pubkeys according to bip67.

Add hot storage USB support

QR codes are nice but there are some cases when we want to connect hardware wallet to the computer:

  • perform CoinJoin
  • act as an HSM for lightning network
  • do anti-nonce sidechannel protocol - it requires multiple communication rounds and is inconvenient in airgapped mode (see my writeup on Medium)
  • firmware upgrade

For all this we need USB connectivity.

At the moment USB is used for MicroPython's REPL (that should be disabled in production). For development we can bind REPL to UART3 and use USB for communication.

Small snippet that implements this:

import os
import pyb

# UART3 (pins 'YB') is connected to the ST-Link virtual COM port
repl = pyb.UART('YB', 115200)
# redirect the REPL to the UART
os.dupterm(repl, 0)
# disconnect the REPL from USB
os.dupterm(None, 1)
# use USB as a virtual serial port for host communication
usb = pyb.USB_VCP()

From the main logic side we should implement a class for communication that can be unidirectional and user-driven (qrscanner, user activates it from the GUI) or bidirectional and interactive (usb, host can ask for data / verification)

Bug: None value issue when entered mnemonic

Sometimes, but not always, I get the below issue after I've entered my 12-word mnemonic (e.g. "11xghost machine") in the simulator and I'm clicking on "done".

You see this issue in the logs:

➜  specter-diy git:(testing) ✗ ./specter.sh sim    
Traceback (most recent call last):
  File "gui/screens.py", line 290, in cb
  File "main.py", line 346, in mnemonic_entered
AttributeError: 'NoneType' object has no attribute 'strip'

This is the code-snippet:

def mnemonic_entered(mnemonic):
    global entropy
    entropy = bip39.mnemonic_to_bytes(mnemonic.strip())
    ask_for_password()

Connect USB port only after PIN

At the moment if USB is enabled the wallet is visible from the computer right away, even before we enter the PIN.
The wallet logic ignores any data coming to USB, but still, it's there - possible attack vector via glitching during USB descriptor communication.
Would be nice to enable USB only after PIN code.

Attack on Trezor (scroll to Secret information leak via USB Descriptors): https://blog.trezor.io/details-of-security-updates-for-trezor-one-firmware-1-8-0-and-trezor-model-t-firmware-2-1-0-408e59dc012

Docs of USB class in micropython: https://docs.micropython.org/en/latest/library/pyb.USB_VCP.html
But we may need to change something in micropython core.

Backorder of dev board - Alternatives?

Hi, the recommended dev board is out of stock now.
I've been researching a bit, and wanted to check out if these other boards might be compatible:
STM32F746G-DISCO
STM32F429I-DISC1
STM32H745I-DISCO
STM32H750B-DK

Or better to wait for the other one (should be back in stock around August)

Thanks

GUI improvements discussion

GUI is a disaster. It shows all the necessary information and allows navigating between the screens, but otherwise, it's terrible.

We need to improve both UX and UI.

UI

Would be nice to make it visually similar to the desktop app: https://github.com/cryptoadvance/specter-desktop

UX

Recovery phrase & password

Typing a recovery phrase and a password is painful - the keyboard is way too small, very easy to make a mistake.
We could switch the orientation of the screen to portrait mode for this view, or completely redesign the GUI in portrait mode. How and where should we place words in this case?
We could also add autosuggestion - like in a phone, words that match the first characters.

Menus & navigation

Often we have a "Back" button in the menus - should we make it more like on a phone - add a top navbar?

Current network

Should we store the last used network? Also would be nice to visualize somehow the current network in the GUI, similar to what Core does when it starts - with colors for example. People notice colors better than the text.

QR code scanning

For large transactions, it becomes annoying and sometimes impossible to scan. We could try using animated QR codes. QR scanner can scan many codes per second, but the question is how we split the transaction to multiple QR codes and recombine them if some of them are not scanned? Include an index in the beginning? Rotate and wait while we scan everything?

Display xpubs with custom derivation path

In the master keys menu we only have two keys - native segwit and native segwit multisig.
If a person wants to use nested segwit he should be able to do it.

I think we can add two buttons in this menu

  • scan derivation path (scan text like "m/49h/1h/0h")
  • enter derivation path - popup with a keyboard and symbols 0..9, h, / should appear where we can enter the derivation path.

Mix in external entropy sources

At the moment the rng module is only using the TRNG by ST; we need to collect entropy from the TRNG for a longer time and mix in user entropy as well.
To do that we can implement rng.feed(data) function that will be called when we got some random data.

Good possible sources of entropy:

  • timestamps & position of user touch
  • on-board microphone
  • RAM state on boot

Analog inputs could be another source, but all exposed analog pins are busy with the extension board.

Allow to add user entropy when generating new seed

Maybe add a button "Add more entropy"; when you click on it the wallet asks to draw something on the screen.
When you draw on the screen, the wallet takes coordinates of your finger and hashes them together with initial entropy. At the end your entropy is always better.

Here is a small snippet that can be in the callback of the screen where we draw:

import hashlib
import os
import lvgl as lv

# initial TRNG entropy; touch coordinates are mixed in on top of it
digest = hashlib.sha256(os.urandom(32))

def cb(obj, event):
    if event == lv.EVENT.PRESSING:
        point = lv.point_t()
        indev = lv.indev_get_act()
        lv.indev_get_point(indev, point)
        # take the low byte of each coordinate and feed it into the hash digest
        digest.update(bytes([point.x % 256, point.y % 256]))

Device PSBT Doesn't Work for Multisig

Example of what my DIY returns on signing (this is a 1-of-4 on testnet):

cHNidP8BAH0CAAAAAcHvPZ3T/4G4m+ZUJWUA7wu2WsD48adq4dakp4JoRUJTAAAAAAD/////AtMSAAAAAAAAFgAUNTpLGUQtYD0P0IfyYHSm4B9K06iIEwAAAAAAACIAIE1pVeThYKqzZZmSDwOs1LWIkyF2CjS+UMG8yJ19SMShAAAAAAAAAAA=


I'm not sure if this is a DIY or Desktop issue. Desktop will scan the device QR code from DIY yet still displays 0 signatures (and no error/warning):

Standard PSBT works great though, so perhaps this is more of a UX issue (warn user that this workflow doesn't work and that they need a device PSBT).

Annoying attack on segwit transactions

Attack:
https://blog.trezor.io/details-of-firmware-updates-for-trezor-one-version-1-9-1-and-trezor-model-t-version-2-3-1-1eba8f60f2dd

We need to either show fee:unknown if non_witness_utxo is not present in PSBT, or store tx history and show a warning if we see the same txid with a different amount.

If non_witness_utxo is present we need to check it and optionally convert it to witness_utxo for signing.

PSBT implementation was ignoring non_witness_utxo because we didn't support legacy transactions. Now we need to add support for them and also properly sign witness transactions when non_witness_utxo is provided.
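The fee check described above, as an added example that is not the project's PSBT code: when `non_witness_utxo` is present, the full previous transaction is hashed and compared with the input's prevout txid, the amount is taken from that transaction rather than from the attacker-controllable `witness_utxo`, and any disagreement is an error; when it is absent the fee is reported as unknown. The PSBT input is modelled as a plain dict, and the sample previous transaction is constructed inline in non-witness serialization (the example refuses witness-serialized prev txs rather than stripping them).

```python
import hashlib
import struct

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def read_varint(data: bytes, pos: int):
    n = data[pos]
    if n < 0xFD:
        return n, pos + 1
    fmt, size = {0xFD: ("<H", 2), 0xFE: ("<I", 4)}.get(n, ("<Q", 8))
    return struct.unpack_from(fmt, data, pos + 1)[0], pos + 1 + size

def parse_outputs(raw: bytes):
    """Return [(value, scriptPubKey)] of a tx in non-witness serialization."""
    pos = 4  # skip version
    n_in, pos = read_varint(raw, pos)
    if n_in == 0:
        raise ValueError("witness-serialized tx: strip witnesses before hashing")
    for _ in range(n_in):
        pos += 36  # prev txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4  # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        script_len, pos = read_varint(raw, pos + 8)
        outs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    if pos + 4 != len(raw):  # locktime must be the last 4 bytes
        raise ValueError("trailing bytes after locktime")
    return outs

def checked_input_amount(inp: dict):
    """Amount safe to use for fee display, or None meaning 'fee: unknown'.
    inp: 'prev_txid' (32 bytes, internal order), 'prev_vout', optional
    'witness_utxo' (sat) and optional 'non_witness_utxo' (raw prev tx)."""
    raw = inp.get("non_witness_utxo")
    if raw is None:
        return None  # witness_utxo alone cannot be verified against the chain
    if sha256d(raw) != inp["prev_txid"]:
        raise ValueError("non_witness_utxo does not hash to the input's prevout txid")
    outs = parse_outputs(raw)
    if inp["prev_vout"] >= len(outs):
        raise ValueError("prevout index out of range")
    value = outs[inp["prev_vout"]][0]
    claimed = inp.get("witness_utxo")
    if claimed is not None and claimed != value:
        raise ValueError("witness_utxo %d contradicts previous tx (%d)" % (claimed, value))
    return value

def fee_for_display(inputs, total_out: int):
    """Fee to show, or None to display 'fee: unknown'."""
    amounts = [checked_input_amount(i) for i in inputs]
    if any(a is None for a in amounts):
        return None
    return sum(amounts) - total_out

def constructed_prev_tx(values):
    """Constructed sample: legacy tx with one dummy input and P2WPKH outputs."""
    tx = struct.pack("<i", 2) + b"\x01" + bytes(32) + b"\xff" * 4 + b"\x00" + b"\xff" * 4
    tx += bytes([len(values)])
    for v in values:
        spk = b"\x00\x14" + b"\x11" * 20
        tx += struct.pack("<q", v) + bytes([len(spk)]) + spk
    return tx + bytes(4)
```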

Implement secur-ish bootloader

We are missing a bootloader now. Firmware is always open for reading and writing - it's ok for development but not cool for production. For development we can still keep firmware readable and writable using stlink, but bootloader should be still there.

Let's discuss what we need from the bootloader and how we can get it.

Here are my thoughts:

Bootloader should be able to:

  • store and protect a unique secret (generated at first boot) that can be used for anti-phishing words on the PIN screen and key encryption/decryption
  • verify firmware stored in the flash against pubkeys stored in the bootloader
  • verify and flash new firmware (the firmware should be signed and firmware version should be larger - no downgrades)

The bootloader gets to the update mode if the blue button (user button) is pressed during boot.
We can also use the bootloader to enable/disable REPL and pybflash.
Can we move PIN code verification to the bootloader? If the PIN code is correct we allow the user to do anything with the device. PIN verification is very security-critical, I would prefer to do it before all the micropython complexity.
Does it make sense?

We can use micropython's pyboot, coldcard's bootloader or trezor's bootloader as a starting point.

Keep track of receiving and change addresses

Software wallets often have a gap limit of 20 addresses, so if my last change address was m/.../1/123 and in the next transaction I use a change m/.../1/9999 it can cause lock of funds.
We should warn the user if the change index is weird. To do this we should store the largest change index and warn if the next one is more than 20 larger.

feature request: show change address when signing transaction

Feature request: show change address on Specter DIY when signing a transaction

Cold Card shows a change address [if applicable] in raw text form when you sign a transaction. It would be nice if you could see what the change address is (in plain text) on the Specter DIY when signing a transaction. This is in addition to showing the receive address, which the DIY already does cleanly.

Calculate 12th and 24th word in the specter DIY

Hi all. I have been playing with SpecterDIY and I really like how easy you can have your airgapped QR code HWW device running.

The potential of the DIY is crazy and I would like to share a feature with you that I think would make it even more amazing.
I like to create the seeds on my own using a coin and after the whole airgapped & manual process of calculating the 11 binary digits, translating them to decimal and finding the corresponding BIP39 words, I am not very happy having to jump to an 'offline' computer and using seedpicker to calculate the 24th word. I think a better way would be to use the Specter DIY to calculate either the 12th word or the 24th (on seedpicker you can only get the 24th).

As you already do ECC in it, I suppose it could be an easy (and superpowerful) feature to add.
How does it sound?

simulator freezes

Abstract

gorazd@gorazd-MS-7C37:~/Projects/specter-diy/src$ ../f469-disco/micropython_unix -c "import main; main.main()"

My simulator (ubuntu 18.04) freezes after entering password:

generate new key -> continue - > Enter your password -> freezes

Scanner doesn't start if pin is entered too fast

We initialize and configure the QR code scanner after the pin screen.
It happens sometimes that at this moment the scanner is not fully booted yet, and then configuration silently fails.
We need to have a fixed minimal time delay before we start initializing the scanner. It can be done via asyncio task

SD card support

TODO:

  • SD card for key storage #83
  • Load / save PSBT transactions #130
  • Import / export wallet in our format (descriptor and name) #130
  • Import / export wallet in CC format
  • Export / import seed in encrypted form

Move secret to internal flash

With diybitcoinhardware/micropython#1 we now can use flash storage independently of qspi. Makes sense to store device secret on flash and all other files on /qspi.

We can use last block of flash to store the secret and hmac with the PIN.
Later we can also make the block before the secrets unreadable such that glitch attacks can't read out the secret.

Every block is 512 bytes. We can get the last block like this:

import pyb
flash = pyb.Flash(start=0)
last_block = flash.ioctl(4,None)-1
block_size = flash.ioctl(5,None)
buf = bytearray(block_size) # buffer to store block content
flash.readblocks(last_block, buf) # read block content
flash.writeblocks(last_block, buf) # write block content

Might make sense to add a checksum to make sure we are reading the secret, not some random junk.
We can store data in the block like this for example:
<secret><sha256(secret)><hmac_sha512(secret,pin)>

Factory reset should erase content of the last block with random data.
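The block layout proposed above, <secret><sha256(secret)><hmac_sha512(secret,pin)>, worked through as an added example (not the project's keystore code). It assumes a 32-byte secret used as the HMAC key with the PIN as the message, zero padding to the 512-byte block, and an in-memory stand-in for the pyb.Flash block interface (ioctl 4 = block count, 5 = block size); the checksum distinguishes a real record from junk or an erased block, and both comparisons are constant-time.

```python
import hashlib
import hmac
import os

BLOCK_SIZE = 512   # every flash block is 512 bytes
SECRET_LEN = 32    # assumption: 32-byte device secret
CHECKSUM_LEN = 32  # sha256(secret)
TAG_LEN = 64       # hmac_sha512(secret, pin)
RECORD_LEN = SECRET_LEN + CHECKSUM_LEN + TAG_LEN

def pin_tag(secret: bytes, pin: str) -> bytes:
    # assumption: secret is the HMAC key, the PIN is the message
    return hmac.new(secret, pin.encode(), hashlib.sha512).digest()

def build_block(secret: bytes, pin: str) -> bytes:
    """<secret><sha256(secret)><hmac_sha512(secret,pin)> zero-padded to one block."""
    if len(secret) != SECRET_LEN:
        raise ValueError("secret must be %d bytes" % SECRET_LEN)
    record = secret + hashlib.sha256(secret).digest() + pin_tag(secret, pin)
    return record + bytes(BLOCK_SIZE - RECORD_LEN)

def read_secret(block: bytes):
    """The secret if its checksum verifies, else None (junk or erased block)."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("not a full block")
    secret = block[:SECRET_LEN]
    checksum = block[SECRET_LEN:SECRET_LEN + CHECKSUM_LEN]
    if not hmac.compare_digest(hashlib.sha256(secret).digest(), checksum):
        return None
    return secret

def verify_pin(block: bytes, pin: str) -> bool:
    """Constant-time check of a PIN attempt against the stored HMAC."""
    secret = read_secret(block)
    if secret is None:
        return False
    stored = block[SECRET_LEN + CHECKSUM_LEN:RECORD_LEN]
    return hmac.compare_digest(stored, pin_tag(secret, pin))

def factory_reset_block() -> bytes:
    """Random content, so no valid checksum survives a reset."""
    return os.urandom(BLOCK_SIZE)

class FakeFlash:
    """In-memory stand-in for the block API used by pyb.Flash in the issue."""
    def __init__(self, n_blocks: int = 8) -> None:
        self.mem = bytearray(BLOCK_SIZE * n_blocks)
    def ioctl(self, op: int, arg):
        if op == 4:
            return len(self.mem) // BLOCK_SIZE
        if op == 5:
            return BLOCK_SIZE
        return None
    def readblocks(self, n: int, buf: bytearray) -> None:
        buf[:] = self.mem[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
    def writeblocks(self, n: int, buf: bytes) -> None:
        self.mem[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE] = buf

def store_and_check(flash, secret: bytes, pin: str, attempt: str) -> bool:
    """Write the record to the last block, read it back and test a PIN attempt."""
    last_block = flash.ioctl(4, None) - 1
    flash.writeblocks(last_block, build_block(secret, pin))
    buf = bytearray(flash.ioctl(5, None))
    flash.readblocks(last_block, buf)
    return verify_pin(bytes(buf), attempt)
```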

Add multisig support

Requires changes in gui - adding "Multisig wallets" in the main menu and corresponding verification screen.
Requires changes in keystore module - to check that output is a change we need to verify that output belongs to the same wallet as inputs (i.e. single sig, or multisig with known descriptor)
Another change in keystore module - parsing, storage and authentication of the wallets descriptors (using internal memory). This data should be authenticated with HMAC using m/0x1d' for id key derivation.

Add touchscreen calibration in micropython

During the migration to micropython we didn't implement the screen calibration.
We need to get it back, maybe in a better way by asking the user to type a few words.

Allow to store mnemonic phrase (#Reckless mode)

Requires implementation of the pin screen in the gui module.
Requires implementation of the secure key storage in keystore module.

Mnemonic should be encrypted with a unique key (hardcoded in firmware using define in specter_config.h), HMACed with PIN code.
The identifier of the mnemonic could be hash160(mnemonic)[0:4] - like a fingerprint, but for the mnemonic. This id can be used as a folder name for all relevant information for this mnemonic / wallet.

[Feature request] Import custom derivation paths to wallets on the device

What happens with a wallet using multiple derivation paths:
Import:

  • import seed (+ passphrase) to SpecterDIY
  • select Master Public keys
  • select Enter custom derivation
  • Scan the master public key to a SpecterDesktop device
  • create wallets one-by-one in SpecterDesktop, see: cryptoadvance/specter-desktop#369

Sign:

  • Scan wallet Master Public Key from SpecterDesktop with SpecterDIY
  • create unsigned PSBT with SpecterDesktop
  • scan with SpecterDIY
  • sign and scan with SpecterDesktop

Request:
A button to add the wallet Master Public Key to the Wallets on SpecterDIY when the custom derivation path is shown.
This way the step to import the wallet before signing would become unnecessary and could just proceed to scanning and signing the unsigned PSBT created on SpecterDesktop.

Improve wallet import screen

At the moment we just print the whole descriptor to the label. But we check that we are included in the wallet.
If we use this function to also highlight our key in the descriptor it would help the user visually recognize which key is where.
Note we can use .recolor method from lvgl

Also makes sense to represent descriptor itself in a better form - like:

2 of 3 multisignature wallet
Type: native segwit
Cosigners:
xpubA
xpubB - mine
xpubC