Bitcoin Forum

   I always felt uncomfortable carrying any large amounts of Bitcoin on my cellphone hot wallet when I am in need to carry it with me in the event of any purchases in person. SO that being said I was made aware of a very safe way to not to have the BTC on your phone but still be able to send it to the other persons address once needed.

  What I will show you in the following steps is a way to forge or CREATE a bitcoin transaction of x amount and have it forged to the address given prior to the meet.You can also have the BTC sent to your cell phone hot wallet and then from there you can send wherever you want to send it.

  So if I ever need to send a large chunk of BTC in person, I'd probably forge the transaction before at my place but only broadcast it in person.

  We will be using Electrum and Trezor to accomplish this forged BTC transaction and the output will be a raw Hex data which later I will show you how to transmit on blockchain once needed.


   Step 1

    Download Electrum https://electrum.org/#download
    Verify the the download
    If you do not know the verification steps then please read this article: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/
    Warning: Do not install the downloaded exe file without verifying the signature. It may risk losing your Bitcoins



    Step 2

    Once installed click on new wallet and this window will pop up. I labeled my new wallet Trezor2

   https://talkimg.com/images/2024/03/01/fBZ1j.png



     Step 3

     Click on the standard wallet option

     https://talkimg.com/images/2024/03/01/fBneG.png



     Step 4

      Click on using a hardware wallet

      https://talkimg.com/images/2024/03/01/fBQQD.png



      Step 5
   
      It will ask you to select a device on your Trezor. I selected the Legacy account as follows.

      https://talkimg.com/images/2024/03/01/fBGff.png



      Step 6

      Your Trezor passcode will pop up..Enter your password and continue..

      https://talkimg.com/images/2024/03/01/fBMKZ.png



      Step 7

      Since I have a legacy Trezor account I selected legacy from the following options..

     https://talkimg.com/images/2024/03/01/fB6A8.png



      Step 8

      The following is self explanatory....I chose to not encrypt.

      https://talkimg.com/images/2024/03/01/fBPI3.png



     Step 9

      Electrum will work with your Trezor to create addresses or copy the public addresses onto your PC.

      https://talkimg.com/images/2024/03/01/fBf7J.png



      Step 10

      Once is all said and done the folliwng wallet window will open up.

     https://talkimg.com/images/2024/03/01/fBJaC.png



     Step 11

      On the top tab click on send and the following screen will come into play.

       Enter the public address where you want to send the Bitcoin to and the amount.

      https://talkimg.com/images/2024/03/01/fBVTb.png



      Step 12

      DO NOT hit the send button but rather the preview button as follows...

     https://talkimg.com/images/2024/03/01/fBjLv.png



      Step 13

      A new window will come up and show as follows..Click on SIGN now...

      https://talkimg.com/images/2024/03/01/fBrqH.png



     Step 14

     Once you click the sign button...you will see a small popup window saying SIGNING TRANSACTION as follows..

     https://talkimg.com/images/2024/03/01/fBLGg.png


     
      Step 15

     Your Trezor popup for password will come up to confirm all of this.

       https://talkimg.com/images/2024/03/01/fBcyI.png


       
      Step 16

      Now Trezor will ask you to verify and confirm the transaction...

      https://talkimg.com/images/2024/03/01/fBhbd.png

      Step 17



     Once completed you will now click on copy as follows..

     https://talkimg.com/images/2024/03/01/fB4H5.png



     Step 18

     What you just copied is a raw hex data that will look as follows...

     https://talkimg.com/images/2024/03/01/fB5sz.png


        Step 19

       To confirm your raw data is sending to the right Bitcoin address click on decode raw data button as per below

        https://talkimg.com/images/2024/03/01/fB792.png

         Step 20

         Paste your raw data in the box as per below and then click DECODE TRANSACTION. What you will see is as follows...

         I circled where you should see the BTC address where your Bitcoin will be sent to.

         https://talkimg.com/images/2024/03/01/fBBac.png



    Step 21

     You can now carry this at your leisure knowing that your btc is safe until you broadcast it. Once you do it will goto the address of your choice. If you ever lose the data your btc will remain in your Trezor wallet! So you can never ever lose it due to theft or hacking on your cell phone!!



     Step 22

      Once ready to transmit on blockchain go here and paste in TRANSACTION HEX and then BROADCAST TRANSACTION

      https://live.blockcypher.com/btc/pushtx/ (https://live.blockcypher.com/btc/pushtx/)


Its that simple!  Cheers!!   ;)

   Thankyou Yogg for showing me the path to enlightenment! :D

****************************************************************************************************************************************************************************
****************************************************************************************************************************************************************************



     
   
     
 

Reserved

You missed some important information to add about verifying the downloaded file, may be add file lines of a link of the verify download page. This is very important before installing the wallet. By the way, very good tutorial. This will help a lot of users.

Thank you.

Edit: Ok here is the link for you: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/

I hope this helps

Thankyou. The link is the official electrum website. Why is that a problem or am I misunderstanding you? Please explain. In the meanwhile will place the main home page as follows..  https://electrum.org/#home  If its coming from Electrums website I am sure the file will not be an issue.

Verifying the files signatures should be a mandatory step when downloading Electrum. There are many reasons why someone could end up in the wrong website or trusting a phishing email/message. Let’s not forget the last vulnerability where Electrum was showing fake “please update” messages leading to an infected wallet.

Since it was coming from the legit wallet, people fell for it. But if they had the habit of verifying the signatures, they would know that something wasn’t right. Let’s not be lazy with our security; always double check your files.

You already had your answer here https://bitcointalk.org/index.php?topic=5106013.msg49582538#msg49582538
And I am sure this should be enough to explain.

Thank you.

I see all your points. Very good ones. I updated accordingly and thanks again for the enlightenment.. :D

If I missed anything..please let me know...cheers ;D

May I help you to rewrite the section?


Step 1
    Download Electrum https://electrum.org/#download
    Verify the the download
    If you do not know the verification steps then please read this article: https://bitzuma.com/posts/how-to-verify-an-electrum-download-on-windows/
    Warning: Do not install the downloaded exe file without verifying the signature. It may risk losing your bitcoins (https://bitcointalk.org/index.php?topic=5101715.msg49401725#msg49401725)


Hope it helps 🙂

Thank you.

Updated and of course. Thankyou!

Very good tutorial.

Of course this applies the same way if you want to sign your transactions on an offline/airgapped machine and broadcast them later from a possibly compromised device.

The seventh step lacks information on adding any other account than the default one. Each account in the receive tab in TREZOR web interface displays a BIP32 path which needs to be typed in during that step.

https://i.imgur.com/KLD2Puz.png

Each account in Electrum will be saved in a separate wallet file.

One of the tings I wanted to attempt on doing this was to do it all OFFLINE!

I had started a thread because of issues I can encountered here>>https://bitcointalk.org/index.php?topic=5094605.msg49587834#msg49587834 (https://bitcointalk.org/index.php?topic=5094605.msg49587834#msg49587834)

But I had no luck in doing it or was todl it cannot be done.

Well, a forum member pointed me to this thread here according to the instructions it can be done

 https://www.reddit.com/r/Bitcoin/comments/6kek57/question_trezor_on_offline_computer/ (https://www.reddit.com/r/Bitcoin/comments/6kek57/question_trezor_on_offline_computer/)

    I will need to find the time to try it again someday in the steps they mention.

   Has anyone had any first hand experience of this? If so kindly share it here or in my other thread as stated above.  

   Thankyou :D

 Good point but I am just dealing with one Trezor..one account in my case. Still good to know for the person who has multiple accounts  :D

It looks like you have misunderstood me. I am not talking about using multiple TREZOR devices to sign a transaction. TREZOR allows you to create separate accounts which have a different Public Key derived from your Master Public Key. This increases your privacy since it helps you not to mix certain coins, but it's less advanced than Electrum's built-in coin control which can be also used with any TREZOR device. You can generate only up to 20 accounts per passphrase due to performance issues.

  That is good to know..Thankyou. :D

I can't say that I've done it offline as such, but I have certainly used python-trezor to interact with a Trezor device.

So, I tried disconnecting my WiFi, and unfortunately, the example of signing a transaction shown at: https://github.com/trezor/python-trezor/blob/master/docs/EXAMPLES.rst does not work offline. As, if you're offline there is no way for it to find the transaction info necessary to complete the creation of the transaction :-\

Given that it is an open-source library, it should theoretically be possible to modify the python-trezor code so that you could pass in the appropriate transaction information (ie. raw hex) so that it could piece together all the information without needing to connect to the Trezor API...

However, as has already been mentioned a few times, attempting to use a Trezor (or most of the common hardware wallets for that matter) offline is problematic as they all seem to rely on online APIs to retrieve information.

Mainly because the design philosophy of the hardware wallet is that it doesn't need to be used offline to be secure.

a couple of thoughts:
- is "forge" the correct word? to forge something has the meaning of "faking it" and you are not "faking" anything here. you are creating a real transaction here and don't broadcast it, that's all.

- there is a big problem with this specially when you talk about wanting to spend it. because price is volatile if you create a transaction with X amount at home and then go out, by the time you reach your destination your X may be worth higher or lower than the initial amount you create it at. you can make bigger transactions but then the merchant would have to create a new transaction paying you back the difference. and also you don't know the address of the merchant specially if they are following guidelines and create a new address for every transaction so it is impossible to create a transaction at home!

That is one meaning... forge can also mean "to create". But yeah, it probably isn't the best word to use, especially when talking about things that require signatures etc ;)



This is a very valid point tho...

   You make a good point however...in the physical crypto world, once a price is predetermined and agreed upon in BTC that is what shall be set in stone..regardless what happens with the FIAT value of BTC. So upon the meet, the agreed upon x amount of BTC shall be delivered. We do not go in FIAT value price but BTC amount. I do anyway..Cheers :D
 

nice and concise tutorial krogo, thanks for the guide.

Thanks for the great guide. 8) Now I know a safe way to keep BTC in my mobile and are not afraid to lose them. I think this method is little known.

Why would the forged TX be unsafe in the case of a "PC&Electrum"?

Once a transaction has been constructed and signed, you cannot modify it in any meaningful way... or are you implying that there is a possibility for the transaction to be constructed improperly? (ie. wrong address/amount due to malware interference etc?) ???

Because I assume PC&Electrum means that the keys are sitting on an online computer, which means the keys are compromised by default, specially if you are using Windows.

Even with Trezor, I wouldn't trust that thing due you trusting some RNG you don't know, also google "Trezord.exe calls home"

So the way I see it is that airgapped linux computer + online linux node in which you move the tx into to broadcast it is the best possible scenario.

Bitcoin Core can do this too but it's harder since there isn't a nice GUI this too for some reason.

     For arguments sake, IF electrum was infected with malware or a virus...

     a) Then you still need to confirm on the Trezor screen the sending amount and Bitcoin address where the Bitcoin is being sent to.

     b) The Trezor is signing or forging the Bitcoin transaction not electrum.

     c) I added step 19 and 20. You can decode the data and see where your Bitcoin is going to.

     d) Your private keys are never exposed to Electrum at all.

        SO  not only do you have Trezor signing to the correct address that you as a user will be confirming BUT you can also check it on the decoder page.

        That will put my mind at ease.

    Edit: I emailed Trezor about infected computers and here is their response..

      Trezor is designed so it won't reveal your private keys even when used with an infected computer. The transaction is signed by the device and this needs to be confirmed by the user (physical on-device confirmation). Therefore, even if  malware is present it cannot trick you into signing a different transaction if the address is correct and confirmed on the device's display  -

        

Your assumption is wrong. Trezor is more than a box that keeps public/private key pairs. The transactions are signed within the hardware wallet itself... the private keys NEVER leave the device. They are never exposed to Electrum... server OR client. They are not even exposed to the Trezor wallet software.

You create an unsigned transaction within your wallet software (electrum, mycelium, hardware wallet software in browser or on desktop etc)... The unsigned hex is then passed to the hardware wallet and the hardware wallet signs the transaction internally and returns the signed transaction hex.

Again, the private keys NEVER, EVER leave the hardware wallet.


This is why you cannot be "in a harry[sic] or/and inattentive"...


You might want to reconsider your position.

I don't see why... air-gapped PC with cold wallet == hardware wallet, with slightly different workflows... all they do is hold private keys and sign transactions.

In both cases, you still need the online computer to generate the unsigned transaction... this is the point where the "fake destination" will be injected. Regardless of whether or not you use airgapped PC or Hardware wallet, you still need to take your time and verify the destination address.

Essentially... an air-gapped PC and a hardware wallet are the same thing and achieve the same goal... Separation of private keys from the online world. The only real differences are probably cost, convenience and workflow.

What do you mean by forged? I meant sending the raw tx hash into the online wallet, ideally via a QR code, not an USB since that could be compromised (unlikely.. but still worth considering). What other way would you do it?

So it would be best to have a QR code reader, I don't see how that can be hacked? I have not tried this, but if anyone wants to try, let us know.

For the airgap, there's old thinkpads sold with librebooted bios. You need to change some hardware, but if you don't want to, you can buy one of the smaller ones, the x60 I think didn't need any hardware changes to flash the bios. Be sure to follow a tutorial or you may brick the bios.

Great "last-ditch" technique actually but in response to Pooya, I would actually use it as a "in case I lose my access to everything or it's stolen" step. Soon as I think it's in danger of being accessed, just broadcast the tx and it's out of your wallet before it can be accessed. I'd only just make sure the fee is very high!

And as such, it's not very useful for a p2p transfer, unless, as OP says, you fix the BTC price before the meet. Might work for small purchases or very big transactions paid with BTC, but that's not usually how it works though for BTC buy/sell trades.

And yes, definitely not "forge". I clicked on this thread thinking it was a forgery tutorial.

  Damn I cannot believe the word forge is being thought about as forgery!

  That being said I have changed the word with GENERATE. I have also added the word signed

   Thus the new heading is  How to Generate a signed BTC transaction using Electrum and Trezor

     I hope that helps. Cheers  :D


  

Hi Krog, just want to ask if this can't be done using mobile phone specifically in their app? I navigate the electrum app and don't see those images on OP.


This confuse the hell out of me, so I looked at my electrum app and don't see those.


I wonder if ledger has also this kind of security, well maybe, since their both hardware wallet. Maybe I should email them too and confirm this or else.

It does have this kind of security. Ledger and Trezor are a bit different. Trezor hardware and software is fully open-soure so that anyone can build it up from the scratch while Ledger believes in security through obscurity. Ledger has a limited amount of space because of built-in Secure Element. Ledger wrote a good article on why they decided to use it. You can find it here (https://www.ledger.fr/2018/12/03/a-closer-look-into-ledger-security-the-secure-element/).

  Never tried it on the phone app so I cannot really say.



  What the guy meant is he could carry the raw data on an email that could send any amount of btc to the address it was genereated to send to and thus if ever hacked or cell phone lost he would never lose any BTC.

  Example, you generated raw data to send 100 BTC to a particular address and are carrying the raw data. If a hacker or other person ever grabs that data and then transmits on Blockchain, then the BTC will go to that address that you had in mind and NOWHERE ELSE.