Final Perfected Ranking / Scoring / Analysis
DIY Bitcoin Signers vs Foundation Passport Core

This page consolidates the fully-audited final ranking, scoring framework, and criterion-by-criterion analysis for SeedSigner, Krux, Specter DIY, and Foundation Passport Core under a Bitcoin-only, FOSS-maximalist, privacy-maximalist, post-collapse-survivability framework.

The evaluation emphasizes sovereignty-preserving design patterns, commodity reproducibility, airgapped minimalism, and resistance to vendor/jurisdiction chokepoints—while also incorporating adversarial caveats such as shared code lineage, secure-boot reality, and malicious-firmware nonce exfiltration risk (e.g., Dark Skippy).

Bitcoin-only · FOSS / reproducibility · Privacy / airgap · Post-collapse survivability · Root-of-trust scrutiny · Correlation-risk aware

1. Scoring Framework (weights locked)

Each device is scored 0–100 on each criterion and combined via weighted average. The weighting reflects a BTC/FOSS/privacy-maximalist evaluation plus post-collapse reproducibility and chokepoint resistance.

| ID | Criterion | Weight |
|----|-----------|--------|
| C1 | Bitcoin-only & sidechain purity: No altcoin support; no Liquid/sidechain gravity; minimal “multi-coin” mental model contamination. | 10% |
| C2 | FOSS & verifiability: Open firmware license, public repositories, reproducible builds, and (where applicable) open hardware documentation. | 15% |
| C3 | Privacy & airgap minimalism: Data egress surface: radios, USB data paths, and companion-app dependence. | 15% |
| C4 | Post-collapse reproducibility: DIY re-creatability from generic parts and survivability if vendors disappear. | 20% |
| C5 | Vendor/jurisdiction chokepoint & root-of-trust: Who controls firmware keys, where the control center sits, and whether the boot chain can be user-owned. | 15% |
| C6 | Statelessness & misconfiguration risk: Whether amnesic behavior is architectural vs optional; risk of silently degrading into a conventional stateful wallet. | 10% |
| C7 | Lineage & correlation risk: Hardware and software independence from other signers (critical for multisig failure-mode diversity). | 5% |
| C8 | Operational maturity & security track record: Release cadence, secure-boot reality, audit maturity, documented vulnerabilities, and complexity profile. | 10% |

Shared red flag across all four:
None of these devices implement an explicit Anti-Klepto / Anti-Exfil protocol (as listed in The Bitcoin Hole’s SeedSigner page, Krux page, Specter DIY page, and Passport Batch 2/Core page).

That means none of them cryptographically prevent malicious-firmware nonce exfiltration attacks (e.g., Dark Skippy). Airgaps and statelessness remain valuable but do not close that specific attack class if signer firmware is compromised.

Weighted composite formula

Composite = Σ (CriterionScore × WeightFraction)

Example: C1×0.10 + C2×0.15 + C3×0.15 + C4×0.20 + C5×0.15 + C6×0.10 + C7×0.05 + C8×0.10

High score = better fit to this framework · Low score ≠ “bad device” universally · Scores are framework-specific

2. Final Scores & Ranking

Final weighted composite scores under the locked framework. The order remains stable across alternate telos-consistent weightings.

| Rank | Device | Composite | Primary interpretation |
|------|--------|-----------|------------------------|
| #1 | SeedSigner | 89.8 / 100 | Most telos-aligned signer archetype: stateless, DIY, commodity hardware, Bitcoin-only, airgapped minimalism. |
| #2 | Krux | 82.5 / 100 | Strong DIY sibling on K210 hardware; biggest penalty is optional persistent mnemonic storage (amnesic mode no longer structurally enforced). |
| #3 | Specter DIY | 81.3 / 100 | Most root-of-trust-ownable among the DIY trio (secure boot with user keys), but more sidechain-ecosystem entanglement and less stateless purity. |
| #4 | Foundation Passport Core | 72.3 / 100 | Excellent commercial BTC-only appliance, but structurally penalized for vendor/jurisdiction chokepoint and poor post-collapse reproducibility. |

Result shape: SeedSigner leads clearly; Krux and Specter DIY form a middle cluster with different trade-offs; Passport Core remains a high-quality outer-ring appliance under this framework, not a core sovereign-pattern primitive.

3. Per-Criterion Score Matrix

Raw 0–100 criterion scores used for the weighted composite calculations.

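| Device | C1 | C2 | C3 | C4 | C5 | C6 | C7 | C8 |
|--------|----|----|----|----|----|----|----|----|
| SeedSigner | 100 | 90 | 100 | 95 | 80 | 100 | 65 | 70 |
| Krux | 100 | 90 | 90 | 90 | 78 | 60 | 65 | 65 |
| Specter DIY | 85 | 92 | 85 | 85 | 88 | 55 | 60 | 75 |
| Passport Core | 95 | 95 | 100 | 45 | 50 | 40 | 90 | 85 |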

Note on C7 (lineage/correlation risk): The DIY trio share software lineage and common libraries (e.g., embit and Specter-derived PSBT logic), so hardware diversity does not equal software independence.

4. SeedSigner — Detailed Analysis

SeedSigner

Rank #1 Composite: 89.8 / 100

SeedSigner is a stateless, airgapped Bitcoin signer built around a Raspberry Pi Zero-based DIY assembly pattern, with QR-code communication and no dependency on a branded hardware-wallet vendor. The project is openly developed in the SeedSigner GitHub repository, and it is listed on Bitcoin.org as a hardware signer.

  1. C1 — Bitcoin-only purity: 100
    Project scope is Bitcoin-only; no altcoin/Liquid functionality is part of the signer’s purpose or UX framing.
  2. C2 — FOSS & verifiability: 90
    Firmware and code are open-source (see README and repository), with community reproducibility workflows. Score is not maximal because the Raspberry Pi boot chain and silicon remain opaque.
  3. C3 — Privacy & airgap minimalism: 100
    The recommended build path uses the Pi Zero 1.3 specifically to avoid Wi-Fi/Bluetooth hardware, and communication is QR-only (see The Bitcoin Hole’s SeedSigner page).
  4. C4 — Post-collapse reproducibility: 95
    The design is explicitly commodity/DIY (“build from off-the-shelf components” on the official site). No custom wallet PCB is required; this is a pattern, not a finite branded artifact.
  5. C5 — Vendor/jurisdiction chokepoint & root-of-trust: 80
    No Bitcoin hardware-wallet vendor chokepoint exists, but the system still depends on a central SBC ecosystem (Raspberry Pi supply + proprietary boot layers). Root-of-trust remains process-based (verified SD images), not hardware-enforced secure boot.
  6. C6 — Statelessness & misconfiguration risk: 100
    This is where SeedSigner dominates: stateless behavior is architectural, not optional. The device is designed to avoid storing the master seed persistently (see Bitcoin.org listing and official docs/site language).
  7. C7 — Lineage & correlation risk: 65
    Hardware differs from Krux/Specter DIY, but software-level independence is partial at best due to shared DIY ecosystem lineage and common Bitcoin libraries (e.g., embit).
  8. C8 — Operational maturity & security track record: 70
    Mature community use and strong documentation, but Secure Boot is listed as “NO”, and the attack surface includes the SD image + Linux/Python stack. No formal public third-party audit is a further constraint.

Primary adversarial caveat: SeedSigner’s statelessness and airgap do not protect against malicious signer firmware nonce exfiltration (Dark Skippy class attacks). Without Anti-Klepto, firmware integrity and multisig diversity become the real defense.

5. Krux — Detailed Analysis

Krux

Rank #2 Composite: 82.5 / 100

Krux is open-source firmware for converting generic Kendryte K210-based dev boards into Bitcoin signing devices, with QR and microSD workflows and a strongly airgapped operating pattern. Documentation and configuration guidance are published at the official Krux docs, including the important FAQ.

  1. C1 — Bitcoin-only purity: 100
    Krux is explicitly Bitcoin-only; no altcoin/Liquid features are part of the project scope (see repo and docs).
  2. C2 — FOSS & verifiability: 90
    Open-source firmware (MIT/Apache-2.0), public repo, and reproducibility work are all strong. Score remains below perfect due to opaque K210 silicon/boot layers and no hard secure-boot root.
  3. C3 — Privacy & airgap minimalism: 90
    QR/SD workflows are first-class and the project is framed around airgapped signing (see Krux docs and The Bitcoin Hole profile). Slightly below SeedSigner because some target boards expose more IO surface and upgrade paths.
  4. C4 — Post-collapse reproducibility: 90
    Strong DIY commodity dev-board model, but K210 boards are more niche and supply-chain concentrated than the Raspberry Pi ecosystem.
  5. C5 — Vendor/jurisdiction chokepoint & root-of-trust: 78
    No branded hardware-wallet vendor chokepoint exists, but the K210 supply ecosystem and lack of hardware-enforced secure boot keep root-of-trust process-dependent.
  6. C6 — Statelessness & misconfiguration risk: 60
    Krux originally centered on amnesic use, but the FAQ now explicitly documents optional mnemonic storage on device/internal memory or SD. That flexibility is useful—but under this framework it is a major “purity drift” risk.
  7. C7 — Lineage & correlation risk: 65
    Hardware family differs from SeedSigner/Specter DIY, but the software and library lineage remains significantly correlated with the broader DIY signer ecosystem.
  8. C8 — Operational maturity & security track record: 65
    Active development and real-world use are positives (see The Bitcoin Hole’s Krux page), but public formal third-party audit coverage is limited and secure boot is generally listed as unavailable in hardware-enforced form.

Key structural caveat: Krux is strongest when run in strict amnesic mode. Once persistent mnemonic storage is enabled, it begins converging toward the behavior of a conventional hardware wallet, which directly conflicts with this framework’s stateless bias.

6. Specter DIY — Detailed Analysis

Specter DIY

Rank #3 Composite: 81.3 / 100

Specter DIY is a modular, open-source hardware signer platform developed in the Specter DIY firmware repository and documented on the Specter Solutions site. It typically runs on STM32-based dev hardware and supports QR/microSD airgapped workflows. It also occupies a special role as a root firmware lineage for later DIY signer projects.

  1. C1 — Bitcoin-only purity: 85
    Specter DIY firmware can be configured BTC-only, but the broader Specter ecosystem and tooling are publicly sidechain-aware (notably Liquid support in the Specter stack; see Liquid blog announcement). Under a strict BTC-purity frame, this is an ecosystem-level contamination penalty.
  2. C2 — FOSS & verifiability: 92
    Strong score due to open-source firmware (MIT), open documentation, and reproducibility support (see GitHub and The Bitcoin Hole profile).
  3. C3 — Privacy & airgap minimalism: 85
    Specter DIY can be fully airgapped (QR + microSD; listed as “100% air-gapped” on The Bitcoin Hole profile), but USB connectivity and richer ecosystem integration make connected-mode drift easier than with SeedSigner.
  4. C4 — Post-collapse reproducibility: 85
    Uses generic dev hardware and is highly rebuildable, but many common builds rely on specific boards/shields/kits and a somewhat more structured component stack than SeedSigner/Krux.
  5. C5 — Vendor/jurisdiction chokepoint & root-of-trust: 88
    This is Specter DIY’s major strength: it offers a credible path to a user-controlled secure boot chain (with custom bootloader/signing) on STM32-class hardware. Under this framework that scores very well, despite remaining dependencies on upstream silicon and tooling.
  6. C6 — Statelessness & misconfiguration risk: 55
    Specter DIY supports flexible modes, but persistent-key behavior is normal and stateless workflows are optional. That flexibility is powerful, but under a stateless-maximalist lens it is a downgrade vs SeedSigner.
  7. C7 — Lineage & correlation risk: 60
    Specter DIY is effectively the “trunk” of the DIY signer family tree. That centrality is good for influence and forkability—but bad for correlation risk in multisig quorums.
  8. C8 — Operational maturity & security track record: 75
    Long-running, technically mature, and secure-boot-capable, but also more featureful and ecosystem-entangled than simpler signer-only projects.

Borderline trade-off (Krux vs Specter DIY): Krux scores higher on stateless/intended-amnesic identity; Specter DIY scores higher on user-ownable secure boot potential. Different weighting emphasis can flip this pair, but only if statelessness is downweighted and root-of-trust ownership is boosted.

7. Foundation Passport Core — Detailed Analysis

Foundation Passport Core

Rank #4 Composite: 72.3 / 100

Passport Core (often discussed alongside Passport Batch 2 in public references) is a Bitcoin-only, airgapped, commercially produced hardware wallet with open firmware, open hardware documentation, secure boot, and a secure element. Public documentation is maintained at Foundation’s docs, and product/comparison details are summarized on The Bitcoin Hole’s Passport page.

  1. C1 — Bitcoin-only purity: 95
    Passport Core is Bitcoin-only (also reflected in The Bitcoin Hole profile and Bitcoin.org listings). A small penalty is applied because the broader Foundation product trajectory includes more app/platform integration and Passport Prime (see the Passport Prime docs), which carries multi-asset/product-line contamination risk.
  2. C2 — FOSS & verifiability: 95
    Passport scores extremely high here: open firmware and open hardware docs, reproducible builds, and public documentation (see Foundation docs, WalletScrutiny, and The Bitcoin Hole profile).
  3. C3 — Privacy & airgap minimalism: 100
    USB-C is power-only and data transfer is via QR + microSD; no Wi-Fi/Bluetooth/NFC on Core (see official docs and The Bitcoin Hole profile).
  4. C4 — Post-collapse reproducibility: 45
    This is the dominant penalty. Passport is specialized/custom hardware (custom PCB, enclosure, keypad, secure element, camera/display integration). Even with open hardware docs, it is not realistically reconstructible from generic dev boards and salvage parts.
  5. C5 — Vendor/jurisdiction chokepoint & root-of-trust: 50
    Foundation is a US-based vendor with branded hardware and vendor-controlled defaults for secure-boot signing. Open documentation improves auditability but does not eliminate the jurisdictional chokepoint or vendor-key dependency in normal operation.
  6. C6 — Statelessness & misconfiguration risk: 40
    Passport is fundamentally a stateful secure-element-backed wallet. However, the Foundation docs describe Temporary Seed workflows and explicitly note that Passport Core can be used in a full stateless mode after erasing the persistent master seed. This raises the score above the earliest drafts, but the mode remains advanced/optional rather than an architectural default.
  7. C7 — Lineage & correlation risk: 90
    Passport is genuinely independent from the DIY trio in hardware and firmware lineage, making it highly valuable for multisig failure-mode diversity even if it scores lower overall in this framework.
  8. C8 — Operational maturity & security track record: 85
    Strong engineering posture (secure boot, secure element, reproducibility, multiple public revisions), active releases, and substantial community scrutiny. The lower overall ranking does not imply weak engineering; it reflects structural framework penalties.

Framework-specific ceiling: Passport can be an excellent BTC-only commercial appliance and a strong multisig diversity component, yet it remains structurally penalized here because the design is a vendor-centered product artifact rather than a post-collapse-reproducible signer pattern.

8. Ranking Stability / Alternate Weighting Notes

The ranking was stress-tested conceptually against alternate emphasis patterns while keeping the evaluation frame intact.

Stable structure across telos-consistent weighting:
SeedSigner remains the top archetype; Krux and Specter DIY remain the middle cluster; Passport Core remains a strong outer-ring appliance.
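
The weighted composite from section 1 and the Krux vs Specter DIY trade-off, recomputed as an added example that is not part of the original page. Weights and raw scores are copied from sections 1 and 3; the function names and the model of moving whole percentage points between two criteria are assumptions made for illustration.

```python
# Added example: weights (percent) and raw scores are copied from the page;
# function names and the whole-point weight-transfer model are assumptions.
WEIGHTS = {"C1": 10, "C2": 15, "C3": 15, "C4": 20,
           "C5": 15, "C6": 10, "C7": 5, "C8": 10}

SCORES = {
    "SeedSigner":    dict(zip(WEIGHTS, (100, 90, 100, 95, 80, 100, 65, 70))),
    "Krux":          dict(zip(WEIGHTS, (100, 90, 90, 90, 78, 60, 65, 65))),
    "Specter DIY":   dict(zip(WEIGHTS, (85, 92, 85, 85, 88, 55, 60, 75))),
    "Passport Core": dict(zip(WEIGHTS, (95, 95, 100, 45, 50, 40, 90, 85))),
}


def composite_x100(device, weights=WEIGHTS):
    """Weighted sum in integer hundredths of a point (8975 means 89.75)."""
    if sum(weights.values()) != 100:
        raise ValueError("weights must sum to 100 percent")
    return sum(SCORES[device][c] * w for c, w in weights.items())


def composite(device, weights=WEIGHTS):
    """Composite rounded half-up to one decimal, matching the published figures."""
    return (composite_x100(device, weights) + 5) // 10 / 10


def ranking(weights=WEIGHTS):
    """Devices ordered best-first under the given weights."""
    return sorted(SCORES, key=lambda d: composite_x100(d, weights), reverse=True)


def shifted(src, dst, points):
    """Locked weights with `points` percentage points moved from src to dst."""
    w = dict(WEIGHTS)
    w[src] -= points
    w[dst] += points
    return w


def flip_threshold(leader, trailer, src, dst):
    """Smallest whole-point src->dst transfer that puts `trailer` strictly ahead
    of `leader`, or None if src's entire weight is not enough."""
    for points in range(1, WEIGHTS[src] + 1):
        w = shifted(src, dst, points)
        if composite_x100(trailer, w) > composite_x100(leader, w):
            return points
    return None


if __name__ == "__main__":
    for name in ranking():
        print(f"{name:14} {composite(name):.1f}")
    # Move weight from statelessness (C6) to root-of-trust ownership (C5).
    n = flip_threshold("Krux", "Specter DIY", "C6", "C5")
    print("Krux/Specter DIY flip after moving", n, "points C6 -> C5")
    print(ranking(shifted("C6", "C5", n)))
```

With these scores, an 8-point transfer from C6 to C5 produces an exact tie between Krux and Specter DIY and a 9-point transfer reverses them, while SeedSigner stays first.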

9. Methodological Notes & Shared Risks (Critical Context)

Shared code lineage / correlation risk

The DIY trio are not independent software implementations. They share ecosystem DNA through Specter-derived patterns and common Bitcoin libraries such as embit. Hardware diversity (Pi vs K210 vs STM32) therefore does not automatically provide software-level diversity in multisig setups.

Practical implication: treat the DIY trio as a partially correlated family rather than three completely independent signers.

Dark Skippy / malicious firmware reality

The Dark Skippy disclosure highlights a class of attacks where compromised signer firmware can leak seeds via nonce manipulation over ordinary signatures. This bypasses the psychological comfort many people derive from “airgapped” and even “stateless” labels.

Under this threat model, the key controls become firmware integrity verification, signer diversity, and multisig architecture—not just airgapped transport.

Secure-boot reality vs marketing shorthand

  • SeedSigner: no hardware secure boot (see The Bitcoin Hole profile).
  • Krux: no hardware-enforced secure boot; software signature checks exist, but boot-chain trust remains soft/replaceable.
  • Specter DIY: strongest DIY path to a user-ownable secure boot chain via custom bootloader/signing.
  • Passport Core: real secure boot and SE-backed architecture, but vendor-centered root-of-trust in normal usage.

Statelessness: architecture vs optional mode

This framework distinguishes between devices that are stateless by structural design (e.g., SeedSigner) and devices that merely offer a stateless/temporary mode (e.g., Krux, Specter DIY, and Passport Core Temporary Seed mode).

10. Final Structural Interpretation

Under a Bitcoin/FOSS/privacy-maximalist and post-collapse-resilience framework, the evaluated devices do not form a simple “best to worst” consumer list. They separate into structural roles:

Inner-ring signer archetype

SeedSigner ranks first because it is closest to the desired pattern: stateless, DIY, commodity hardware, pure Bitcoin scope, and low product/vendor gravity.

Middle cluster (trade-off split)

Krux and Specter DIY are both highly viable but diverge in what they optimize: Krux tracks closer to DIY amnesic identity (if configured that way), while Specter DIY offers the strongest path to user-owned secure boot and custom trust anchors.

Outer-ring strategic impurity / diversity node

Passport Core is a high-quality BTC-only commercial appliance with strong engineering, reproducibility, and airgap posture. It ranks lower only because this framework heavily penalizes vendor/jurisdiction chokepoints and bespoke hardware dependence. Its strongest role here is as an independent-lineage component in multisig diversity, not as the canonical sovereign signer pattern.

This page intentionally embeds links inline throughout the analysis rather than pushing sources to a detached appendix, so each claim remains locally verifiable in context.
