Air-gapped PSBT signing
Full PSBTv2 support over animated UR/UR2 QR with Luby Transform fountain codes. Pairs with Sparrow, Specter, Electrum, BlueWallet, Nunchuk, Caravan - anything that speaks PSBT over QR. Private keys never touch a wire.
One install. One factory reset. Then never again.
iPhone or Android, six years old or newer. Factory reset. SIM out. Airplane mode on. That phone is done with the network.
Generate or import a seed. The phone’s secure element seals it with a key that cannot leave the chip. The seed only exists in plaintext for the moment it takes to sign - pull the battery and even that moment is gone.
Your online wallet shows an unsigned transaction as a QR code. Hypergap reads it through the camera, decodes it on the offline phone, and shows you the details - address, amount, fee - to confirm with your own eyes. Then it signs and shows the signature back as a QR. The keys never leave the offline phone.
Every feature you would expect from a hardware wallet, and several you would not. All offline. All open source. All running on a phone you already have.
Full PSBTv2 support over animated UR/UR2 QR with Luby Transform fountain codes. Pairs with Sparrow, Specter, Electrum, BlueWallet, Nunchuk, Caravan - anything that speaks PSBT over QR. Private keys never touch a wire.
Coordinator and cosigner roles. P2WSH, P2SH, P2TR script-path, BIP-48 descriptors. 2-of-3, 3-of-5, and geographically distributed setups without a $500 hardware bundle.
Schnorr key-path signing for single-sig and MuSig2. Script-path for Taproot policies. BIP-340 nonces derived deterministically inside the secure element.
BIP-85 derivation generates unlimited child wallets from one master seed. Decoy wallets, family wallets, time-locked wallets - all from a single paper backup.
Prove ownership of an address without spending. Used by exchanges, lending platforms, and proof-of-reserves audits. Signed inside the secure element, displayed back as QR.
Roll dice. Flip coins. Mix sensor noise from camera, microphone, accelerometer, and gyroscope. SHA3-256 accumulator. Verify every bit of randomness that creates your seed.
Shamir Secret Sharing, SSKR (Blockchain Commons), Seed XOR (Coldcard-compatible), and Hamming 2-of-3. Mix and match by threat model. Every share is a valid BIP-39 mnemonic.
Wipe & reboot, silent wipe, decoy wallet, brick device, countdown, look-blank, delta mode, reboot-and-wipe. Inspired by Coldcard Trick PINs - your seed survives the wrench.
Hold keys. Confirm transactions. Scan what to sign. The app does not do anything else, because anything else is attack surface.
From the network boundary to the silicon. Each layer operates independently - compromise one, the others hold. Click any ring for the full explanation.
No networking. The only networking code is a detector which marks the device as compromised if it succeeds. It is not used for sync, telemetry, remote config, update checks, backups, crash reports, or wallet-data transport. Combined with a phone in airplane mode and the SIM ejected, any successful network path becomes an alarm, not a feature.
Hypergap runs integrity checks on the running OS every 30 seconds while the signer is unlocked: su / Magisk indicators, Cydia / Substrate jailbreak markers, attached debuggers (ptrace), emulator fingerprints, and dynamic instrumentation frameworks like Frida and Xposed. On any anomaly, the app clears RAM, locks down, and refuses to sign until the device passes a clean boot.
Optional defense for stationary cold storage. Define one or more GPS regions where the signer is allowed to unlock. Outside those regions, even the correct PIN will not open it. Useful when the dedicated phone lives in one physical place - a home safe, a deposit box, a trusted relative's house. GPS data is processed on-device and never logged.
Inspired by Coldcard Trick PINs. Configure up to eight different PINs, each tied to a defense: Wipe & Reboot (full erase + restart), Silent Wipe (erase and present an empty wallet), Open Decoy (a BIP-85-derived wallet with small funds), Brick Device (permanent destruction of all secrets), Show Countdown (a visible timer to ostensibly unlock), Look Blank (the app appears freshly installed), Delta Mode (allows spending but hides seed display), and Reboot-and-Wipe. Under coercion, you choose which defense fires.
Seed words, derived keys, and signatures in flight live in memory regions that are mlocked (never paged to disk), zeroed before free, and cleared on every backgrounding event, screen-off, lock action, or integrity anomaly. Screen capture and screen recording are blocked at the OS level. Cold-boot attacks against physical RAM are mitigated by keeping sensitive material in memory for as little time as possible.
Three independent factors required to unlock: optional biometric (Face ID, Touch ID, fingerprint), a PIN of your choosing, and an optional paranoia password - a longer secret you type only for sensitive operations like seed display or recovery export. PIN attempts are rate-limited by the secure element itself, not by Hypergap software, so the cost of brute force is bounded by hardware rather than by code we wrote.
The innermost defense. Private keys are generated and used inside the phone's secure element - Apple Secure Enclave (iPhone 6s+), Google Titan M (Pixel 3+), or Samsung Knox StrongBox. Hypergap requests signatures from the secure element via the OS; the keys themselves are mathematically inaccessible to the operating system, to Hypergap, to us, and to anyone with physical access to the phone. This is the same hardware class that powers dedicated hardware wallets.
FTX, Celsius, BlockFi. Tornado Cash sanctions. Border seizures. The wrench attack. Hypergap assumes the worst threat model and designs the device for it.
Eight duress PINs. Wipe and reboot. Silent wipe. Open a BIP-85 decoy wallet with small funds. Brick the device permanently. Show a countdown. Look freshly installed. Allow spending but block seed viewing. Each PIN, a different defense. Under coercion, you choose which one fires.
A factory-reset-looking phone with no apps, no accounts, no SIM card, and a benign decoy wallet behind a separate PIN. Plausible deniability built into the architecture, not bolted on as a feature flag. Keys derive from a seed only you remember - and never appear on screen unless you ask.
No SIM, no Wi-Fi, no network data plane. The only networking code is a detector which marks the device as compromised if it succeeds. There is no sync, telemetry, remote config, backup, crash report, or wallet-data upload to capture.
No accounts. No KYC. No servers we run. The seed is generated on-device, stored in the secure element, and never leaves it. If we disappear tomorrow, your keys are unaffected and your funds keep moving on the next compatible wallet you install.
Setting up the dedicated air-gapped phone. The device is online exactly once - long enough to install Hypergap - then never again.
Any iPhone with Secure Enclave (6s+) or Android with StrongBox (Pixel 3+, recent Samsung flagships). Older is fine - fewer concerns about resale value, same hardware key isolation.
Erase everything. Set up as a brand new device. Skip iCloud / Google account, biometrics-tied-to-account, location services, and Siri or Assistant. The phone has no identity other than "Hypergap signer".
Connect to a trusted network exactly once. Install from the App Store or Play Store, or sideload a reproducibly-built APK / IPA after verifying its hash. Then install nothing else.
Sign out of any Apple ID or Google account. Disable iCloud Keychain, Find My, automatic backups, and auto-updates. Set a long PIN. Disable biometric unlock if your threat model requires it.
Eject the SIM. Disable Wi-Fi, Bluetooth, NFC, AirDrop, and cellular data. Enable airplane mode and leave it on. Optional: keep the device in a Faraday pouch when not in use.
Open Hypergap. Generate a seed using verifiable dice or coin entropy. Back up to one or more of the four schemes: Shamir, SSKR, Seed XOR, Hamming. Distribute shares geographically.
Any iPhone or Android from the last six years. No specialty device to order, no customs to clear, no new supply chain to trust beyond the one your phone is already on.
Every byte in, every byte out, travels through a QR code on a screen. The camera reads. The screen writes. One direction at a time. No bluetooth, no USB, no wireless pairing - the only channel between the offline phone and the world is one you can watch happen.
Every line of code is public. Releases are reproducibly built. You can verify the binary on your phone matches the source on GitHub - yourself, by hand, no trust required.
A dedicated phone with Hypergap matches dedicated hardware on every column that matters - and wins the ones nobody else competes on.
| Hypergap | Ledger | Trezor | Coldcard | SeedSigner | Keystone | |
|---|---|---|---|---|---|---|
| Price | Free | $79–$399 | $69–$219 | $160+ | BYO hardware | $129–$169 |
| Hardware to buy | None | Yes | Yes | Yes | RPi + screen | Yes |
| Supply-chain trust required | None | Reseller chain | Reseller chain | Direct only | Self-source | Reseller chain |
| Air-gapped by default | USB / BT | USB | ||||
| Verification screen | Full-size phone | 128×64 mono | Color, small | 128×64 mono | 1.5" mono | 4" color |
| Bitcoin multisig | Coord + cosigner | |||||
| BIP-85 child seeds | ||||||
| Backup schemes | 4 (Shamir+SSKR+XOR+Hamming) | Shamir | Shamir | Seed XOR | SeedQR / BIP-39 | Shamir |
| Duress / decoy modes | 8 modes | Passphrase only | Trick PINs | Passphrase only | Passphrase only | |
| Verifiable entropy (dice/coin) | Dice + coins + sensors | Dice | Dice / coin | |||
| Open source | Partial | Partial | ||||
| Reproducible builds | Target v1 | |||||
| Hides in plain sight | Just a phone | Obvious | Obvious | Obvious | DIY box | Obvious |
Everything that runs on the dedicated phone is free, forever. No subscriptions, no accounts, no security feature ever gated behind a paywall. The optional services below add convenience - never custody, never gating.
End-to-end encrypted cloud backup for everything that is not a seed - descriptors, labels, recovery instructions, signer policy. Encrypted on the offline phone before it ever leaves; we host opaque bytes. Free tier; sat-priced unlock for unlimited vaults and cross-device restore.
Learn more →Hosted multisig coordinator. Stores public descriptors, relays PSBTs between cosigners, never sees a private key and never has custody. Free tier; sat-priced unlock for unlimited vaults and offline backup of the coordinator state.
Learn more →Dead-man's switch. After a configurable inactivity period, encrypted instructions are released to heirs you designated. End-to-end encrypted on your device; we cannot read instructions and cannot hold keys.
Learn more →Paid 1:1 setup, multisig design review, recovery rehearsal, threat-model consultation. A real human, scheduled, scoped. For users who want hand-holding through the dedicated-phone setup or a multisig inheritance design.
Book time →Donate and unlock alternate app icons, themes, accent colors, and a supporter badge in community channels. Pure cosmetics - every security feature stays free, forever, for everyone.
Become a supporter →GitHub Sponsors, Geyser, Lightning address. Hypergap is and will remain free, open source, and unsubsidized by VC. Plebs fund plebs - your sats keep this project independent of investors who would want the wrong things from it.
Donate →▸ Free forever guarantee: every security feature in Hypergap is free, every release of the signer is free, and no service above ever gates a security feature. Services overview →
Coming soon. Free, open source, no signup, no telemetry. Star the repo to be there for the first release.