Skip to content

An air-gapped wallet for Bitcoin SV

Built on a Raspberry Pi, a TFT bonnet, and an ArduCam OV5647 camera. Your keys never leave the device — no Wi-Fi, no Bluetooth, no Ethernet. A small web app on your phone or laptop talks to the chain; the Pi just signs.

Launch wallet ↗ Read the docs

On your phone

For full-screen access (camera pairing, sends), add the companion to your Home Screen.

Beta software

PiWalletSV is in active development. There is no warranty and no custodial backup. Read the Disclaimer and Security briefing before storing real funds on a device you built from this code.

Why do I need this?

  • Stay safe when your other devices don't

    The keys live on a Pi with no Wi-Fi, no Bluetooth, no Ethernet. Even if your laptop gets phished or your phone gets owned, the attacker has no path to your funds.

  • Nobody can lock you out

    No signed firmware, no proprietary hardware, no update server that can drop BSV, brick your device, or push a backdoor next quarter. You write the SD card, you read the source, you keep the parts.

  • Cold storage you can actually use

    Scan a QR with the camera, confirm the recipient on the Pi's screen, and press a button. Your seed phrase only comes out for first setup or recovery — never to send a transaction.

How it works

The system is intentionally split into two pieces that never share a trust boundary:

flowchart LR
  subgraph air["Air-gapped signer (Pi)"]
    seed["BIP39 seed<br/>encrypted vault"]
    verify["verify_proposal<br/>(BEEF + Merkle + anchors)"]
    sign["sign_transaction"]
    seed --> verify --> sign
  end

  subgraph online["Online companion (web app)"]
    woc["WhatsOnChain<br/>or other backend"]
    select["UTXO + coin selection"]
    proposal["unsigned_proposal<br/>builder"]
    broadcast["broadcast"]
    woc --> select --> proposal
    broadcast --> woc
  end

  proposal -- "QR (PW1 multipart)" --> verify
  sign -- "QR (PW1 multipart)" --> broadcast

The Pi has no Wi-Fi, no Bluetooth, no Ethernet — nothing reaches the network from the device that holds the keys. The companion runs in your existing browser at the companion and ferries transactions to the Pi over animated QR codes. Every input the companion proposes is cryptographically re-verified on the Pi (BEEF proofs anchored to user-displayed block headers) before the device signs anything.

Three reasons it's different

  • Public key only on the network

    The companion sees only your public xpub and pre-signed transactions. The seed phrase, the encrypted vault, and every signing key live exclusively on the Pi.

  • Open spec, not a black box

    The wire format, QR transport, derivation rules, and SPV requirements are documented as an open protocol spec. Anyone can build a compatible signer or companion.

  • USB vault backup

    Export and restore the encrypted vault to a FAT32/exFAT stick from Settings → Maintenance → USB backup — included on images built with deploy/provision-pi.sh. See User manual § USB backup.

  • Off-the-shelf parts

    Raspberry Pi, TFT bonnet, ArduCam OV5647 camera. No proprietary hardware, no soldering, no signed firmware to trust.

Get started

Help & support

General questions and usage help: @PiWalletSV on X.

Bug reports and feature requests: GitHub Issues.

Security vulnerabilities: use the private channel in Security briefing — not X or public issues.