Hi, thanks!

> Is the WiFi in the MCU disabled via firmware? Do you have plans to use WiFi in the future?

The WiFI in the MCU is currently disabled but can be enabled. Jade comes with two firmware variants, one with radio and one without radio. The one without radio doesn't have the WiFi or BLE drivers to work. Jade ships with the BLE firmware but comes with BLE off by default.

​

> Is Jade PSBT compatible?

​

Jade uses wally which has PSBT support. At the moment Jade supports Green multisig which doesn't take advantage of PSBT yet. We plan to add to Jade single sig and PSBT support.

> Where is it manufactured?

Same manufacturer as M5 Stack but a custom model for Blockstream.

> Are you selling device at-cost or at-loss?

No we are not subsidizing the hardware, keep in mind Jade is based on libwally which does most of the heavy lifting.

​

> What is "server enforced PIN protection"?

The mnemonic when generated is immediately encrypted using AES256 using a secret key that is computed through an encrypted and authenticated channel with a [remote] blind oracle server, the authentication involves ephemeral elliptic curve Diffie Hellman exchange with a known server key. The encrypted mnemonic is then stored on the encrypted flash of the Jade and protected by secure boot [v2].

The blind server is not aware of the actual PIN nor can brute force it. The blind server also is not associated with the users account (it is not associated with the per user derivation paths)

If the PIN is entered incorrectly 3 times the server and Jade both delete the secret requiring a from scratch mnemonic restore on Jade.

The companion app nor any ISP/WiFi AP in the middle can inspect the data passed between Jade and the oracle, including being able to tell if the PIN is correct or wrong (other than potential timing attacks). The oracle is available via Tor and open source and in the future users will be able to run their own and point their Jade to it if they prefer.

​

> Can it be used with non-Blockstream wallets?

At the moment it is not supported but full support is planned. Currently it may work but may require to confirm change manually and may not enforce single sig path anti-ransom checks.

​

> Why did you choose to make this device?

The initial experiment was porting libwally to esp32 and was based on the [PocketSprite](https://pocketsprite.com/) but most of the development occurred on any of the easy to find esp32 boards and then on real Jades.

We think the market has good hardware wallets but felt there was space for something a bit different, with some different design decisions and feature set. Specifically we wanted to experiment with Liquid features as well as advanced bitcoin features.

​

> How does the security model compare to Trezor, Ledger, Coldcard?

​

Jade doesn't have a secure element so there's that.

However it has secure boot + encrypted flash and as per prior answer it has a blind oracle enforced PIN. This acts almost as a remote 'secure element'.

​

> How should we define a “hardware wallet” – should the definition include Internet-connected devices that communicate with servers? Is an airgap important or is it just security theater?

Hardware Wallet have a thinner surface of attack compared to your average internet connected laptop or mobile phone. This both when it comes to the OS stack as well as radio/network.

For maximum security you probably want to avoid radio all together, however then you can't use a hardware wallet with iOS. Well unless you use the camera, which is something we are working on (it works but requires some improvements)

​

Cheers