    Author Topic: Foundation Passport (FE) hardware wallet review and walkthrough  (Read 1644 times)
    n0nce (OP)
    January 23, 2022, 03:14:59 AM
    Last edit: January 27, 2022, 12:04:11 AM by n0nce

    Review

    After owning the Foundation Devices Passport 'Founders Edition' for a few months, I would like to share my thoughts and experience!
    I kept notes of stuff I tried so far, so I hope I'm not missing anything.

    Full disclosure: I bought it completely with my own money, no contact to Foundation, no affiliation or anything and also preordered the "batch 2" (which is more a version 2 than a batch 2 due to all the announced changes), again out of my pocket. They did provide a 21% discount code and it costs 33% less than the founders edition by default ($199 vs $299), so with the code it comes into BitBox02-and-similar-territory (150ish) which I find a good normal price for a hardware wallet. But I'll talk about it more later. I wouldn't have ordered it for $299 though, after my experience with v1.

    TL;DR: It's good, but not $299 good, I think.
    Still my current favourite wallet.

    Pros:
    • Completely open source
    • Has secure element
    • Airgapped
    • Easy setup and usage
    • Compact size
    • Large screen
    • AAA batteries will always be around
    • Usable with any device that has a webcam
    Cons:
    • Delicate screen (scratches)
    • Pretty dim screen brightness
    • Kind of need special batteries
    • Expensive



    Features:

    First impressions
    My first impressions were pretty good: the device is relatively heavy, the material is soft to the touch and it's trying to feel like a 'premium' device. However, the screen has tiny scratches which are very annoying to see on such an expensive device. They are not noticeable in normal usage or when looking at it from a bit far away, but if you look closely it becomes apparent. At first, it seemed to me like a protective foil, but it doesn't have one (why??). The screen is also pretty dim; I'm not sure you can really use it in full sunlight for example.


    Here, we see the tiny scratches on the screen's surface. I've got a note from my initial impressions that they somewhere admitted themselves that somehow all or most FE's have little scratches like this, but can't find a reference to that information again right now. I also spoke to them and they reassured me that the new version will have an improved screen.


    I don't understand wallet manufacturers when they make such an integral part of their admittedly mostly not cheap devices so prone to wear and tear. I know I'm going on a tangent here, but I noticed this a lot - but tell me your opinions - hardware wallets often seem to have little thought put into screen durability. Especially the newer, 'shiny' designs: BitBox02 has an easily scratchable screen (just after a few days of normal use and sitting in a drawer it was full of microscratches). Ledger Nano X also has a non-recessed screen (not tried it myself). And of course Foundation Passport here comes scratched. In my mind, these devices are kind of a semi-hot wallet, in that they allow you to do daily transactions easily and quickly, while also being a good option for long-term hodling (unlike e.g. a phone that you replace frequently). So durability has to be taken into account if you offer a product that is supposed to still be usable in 10 years' time. [rant over]

    It seems to me that the approach in Trezor One and Model T is your best bet: simply recess it into the device a bit and call it a day.
    From experience with smartphones, anything plastic and shiny will scratch over time, while anything glass won't scratch but shatter.
    Another option could be screen protectors. However, the curved screen on this wallet specifically would make it tricky to achieve.

    It's reassuring to see that Foundation is moving to a recessed screen in version two (but I'll have a segment on that later down):


    It also seems to me like it didn't pick up any more 'new' scratches since I got it, so maybe it doesn't scratch from usage but only e.g. from being mishandled during production. However, I always kept it in its box, so there's that. I envisioned using it more as a daily driver (to throw into pocket or backpack) but the scratches and poor battery life discouraged me from trying that.

    Size & shape
    Yes, I am making a segment just about the size of this thing! It seems to me they got a lot of flak from people complaining it will be too large or too thick, that it looks old and stuff like that, before it was released. Let me tell you: This wallet is tiiiiny. Really, it looks much larger in pictures! It's smaller than an old phone for sure. Maybe draw it out on a piece of paper and cut it out to get an idea if you're unsure [that's what I did].

    It does have the shape of an old Nokia, but I don't think it's a bad thing because it is an easy to use form factor for such a device. It makes it easy to input passphrases, PIN and also see a whole transaction on the screen without scrolling. It could also serve a bit for plausible deniability; it has no active 'pd feature' (like showing a contact list or stuff like that), but you could probably sign a transaction in the office and colleagues might think you're just playing around with an older phone.

    Battery
    The elephant in the room? Usage of AAA batteries! When I first read about it, I was excited. It made so much sense: the classic triple-A has been around for over 100 years by now, and probably always will be. So compared to Li-Ion rechargeable batteries, you can tuck this thing away somewhere for cold storage with (or without) a set of batteries and when you take it out in 10 or 20 years' time, it will be easy to find batteries for it and access funds. Instead, a rechargeable Li-Ion battery will be dead by then and you may not be able to find a fitting charger. Imagine finding a 20 year old Nokia phone right now; would you know where to quickly get a charger for it? I don't know if we'll have micro-USB or even USB-C in 20 years, but we will have AAA batteries.



    Now, one culprit we find is that this device only really works with Lithium batteries. Not Lithium-Ion, Lithium (non-rechargeable). An Alkaline will suffice for sure (e.g. in '20 years' scenario) to send a transaction or two, but the issue is their capacity drains super fast if you try pulling higher currents.
    A typical Alkaline has 1200mAh, so you'd expect to pull 1.2A for 1h? Not gonna happen. It will happily give you 12mA for 100 hours, though. Hope that makes sense.
    Alkaline batteries also discharge differently than Lithium ones. The latter hold a higher voltage longer, and then drop off quickly, while the former go down more linearly. That's why a 1.3V Lithium cell may be almost empty while a 1.3V Alkaline still has a lot of juice in it.


    The Passport also doesn't play well with normal rechargeable NiMH cells, since these start at 1.3V and from my testing that's approximately where Passport stops working due to too low voltage.
    This is one of the reasons the batteries don't hold that long: an Alkaline battery with 1.3V is still over 50% full, but the voltage is not high enough for the Passport. Hence, if using rechargeables, you need constant-voltage ones.

    They explicitly recommend Lithium cells and also send a set of two; you can find more information on Lithium batteries on Wikipedia. Matter of fact though, they are very uncommon and expensive. The ones that came with my Passport lasted for probably 4h; while Alkalines last maybe 15 minutes or 30 tops.

    Popularity
    Lithium primary batteries account for 28% of all primary battery sales in Japan but only 1% of all battery sales in Switzerland. In the EU only 0.5% of all battery sales including secondary types are lithium primaries.

    Another option is constant-voltage rechargeable Li-Ion cells. I honestly think these make more sense than buying non-rechargeable Lithium ones.
    Rough prices:
    • 32x Alkaline: 15€
    • 16x Lithium: 30€
    • 4x rechargeable constant voltage (builtin charger): 25€
    Since the Alkalines go flat so fast, I would probably get rechargeable ones instead of Lithium, since they can be reused so many times and still cost less than a 16 pack of Lithium cells. Also less pollution and less hassle of buying batteries regularly.

    Edit: Due to suspicions about camera being on even while not scanning QR codes, thus draining batteries, I checked the code.
    As we can see, the camera is only enabled when starting to scan.
    Code:
    async def ux_scan_qr_code(title):
        [~]
        # Create the Camera connection
        cam = Camera()
        cam.enable()

    Security
    I stated this once or twice before, but as of now, QR codes seem like the most secure communication method between hardware wallet and computer. Of course, there are many definitions and implementations of the term 'airgapped', but a few issues with other methods I'll present here.
    • Bluetooth: In BT, the whole stack is one 2000 page spec (and growing), so compared to WiFi which is only high layer, the spec alone is a mess already. It goes from application layer to physical layer, and has to cover everything. The implementations are even worse and security researchers find vulnerabilities in Bluetooth all the time, to the point that it's not even such an interesting research topic anymore.
    • Non-standard QR: Compared to Passport's standard PSBT QR codes, some other wallets use proprietary QR codes which bind you to the brand's own wallet app(s) and could include information you don't want to be transmitted between devices. Meanwhile you can photograph and control Passport's QR codes and verify it's just simply PSBT files encoded in QR.
    • NFC: Similarly to existing attacks on credit cards, NFC can be easily wormholed since it has no protections against it on the physical layer and you have to trust that the implementation mitigates these risks on the application layer (through timing etc.).
    • microSD: This is a method that the Passport itself offers, but I find very risky. As soon as you insert an SD card into a computer, basically any process and any unprivileged app running on it, that has filesystem access (most of them, even the browser..) can read and modify the contents of that SD card. It should be pretty easy to write a background program that waits for SD cards and replaces PSBT files on the fly.

    It's pretty hard to middle-man a 'QR code connection'; I don't even know what such a setup could look like, but it would involve a lot of convincing someone to scan QR codes they don't know with their Bitcoin wallet app and having them scan another code with their HW wallet, which I find very unlikely to succeed. I'm not sure a completely passive attack scenario like in NFC or microSD even exists.

    Hidden menu
    For some reason, Foundation Devices thought it's a good idea to include unnecessary software in their firmware for a premium-priced, supposed high-end hardware wallet. I don't think anyone will secure $100 of BTC in a $300 device, but at the same time you wouldn't want to store large amounts on a device that has games on it, right?

    It is accessed by typing these keys within 3 seconds, also known as 'Konami Code':


    You can play Snake, Tetris and there is a fake Internet Explorer loading screen 'game'.
    There is one useful feature though; it allows you to take screenshots which are saved to the microSD card.
    I could imagine this being useful for creating educational material in different languages for example.

    They argue that it's all MicroPython code and there is no way the games influence anything during payments or the other way round, no matter how you try to attack, but I always prefer my code as 'lean' as possible, with as little stuff in it as I can. I think this is a security practice everyone should follow. After asking them via e-mail, they unfortunately told me they aren't planning on a 'pure firmware' without these shenanigans, unlike ShiftCrypto with their Bitcoin-only firmware.

    However, you could transfer your own developer key onto the device and flash it with a self-compiled firmware without the games. https://github.com/Foundation-Devices/passport-firmware/blob/main/DEVELOPMENT.md As far as I know, when booting a developer firmware, it will show a disclaimer every time it boots so you know you're not running modified firmware, if you didn't flash it yourself.

    Version two

    I am not even sure how to call their new device. Looks cool! It will ship in two months from now roughly and as I said, I preordered it for a bit over 150 bucks which I find a fair price for such a device. I don't really like it being called 'batch 2', since it seems it'll really be more a new version refresh than a second batch of the same device. It always sounded like after the founders edition there would be a 'normal edition' or so, maybe just other colours and small improvements. But with reduced price of $199 from $299 and 21% discount for FE customers, it's not too bad. Still I'm not a fan of 'punishing' early 'backers' of a project by immediately releasing the new version afterwards.
    Since I just talked about batteries, one of the biggest changes will probably be the switch to a Li-Ion battery.
    I don't think it's as well suited for a long-term cold storage solution, to be honest.



    But I really like that it seems to be a standard size, commonly found (for a while and probably continuing) in a multitude of devices. I think I even had a phone once with this exact battery; it's probably available all over the web or literally from a phone if needed.
    No, but user removable and replaceable, standard form factor.

    One point to consider, though I'm not sure how big a risk this is, comes straight from them a while back:
    And we do not trust most lithium ion batteries, which contain embedded chips running unknown firmware.

    Discounts
    I haven't seen many discounts by them so far, except the one for FE customers, but I just found that they do have independence day deals, so if you're interested in such a device but not in a hurry, summer's around the corner, right?
    Happy Independence Day Weekend! We proudly assemble Passport in the USA.
    Use coupon code FREEDOM for $20 off through Monday!

    Source & Reproducibility
    I'm very content with how much information can be found on the GitHub. Down to every single resistor, there are BOMs and all kinds of file types needed to answer all hardware and software questions with a repository search and a bit of time.
    Just also found out that its builds are confirmed reproducible by WalletScrutiny!

    n0nce.eu
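
The microSD concern raised in the post (a process on the PC swapping the PSBT file on the card) can be checked for by comparing the unsigned transaction inside the PSBT that was exported with the one inside the file read back after signing. This is an added example, not part of the original post and not Foundation's code; it assumes binary BIP174 (version 0) PSBT files, and the function names and sample bytes are constructed for illustration.

```python
import hashlib
import io

PSBT_MAGIC = b"psbt\xff"  # BIP174 magic bytes

def _read(buf, n):
    data = buf.read(n)
    if len(data) != n:
        raise ValueError("truncated PSBT")
    return data

def _compact_size(buf):
    n = _read(buf, 1)[0]
    if n < 0xFD:
        return n
    return int.from_bytes(_read(buf, {0xFD: 2, 0xFE: 4, 0xFF: 8}[n]), "little")

def unsigned_tx(psbt: bytes) -> bytes:
    """Return the raw unsigned transaction (global key type 0x00) of a PSBT v0."""
    if not psbt.startswith(PSBT_MAGIC):
        raise ValueError("not a binary PSBT")
    buf = io.BytesIO(psbt[len(PSBT_MAGIC):])
    while True:
        key_len = _compact_size(buf)
        if key_len == 0:  # 0x00 separator ends the global map
            raise ValueError("no unsigned transaction in global map")
        key = _read(buf, key_len)
        value = _read(buf, _compact_size(buf))
        if key == b"\x00":
            return value

def tx_fingerprint(psbt: bytes) -> str:
    """SHA-256 of the unsigned transaction, recorded before the file leaves the PC."""
    return hashlib.sha256(unsigned_tx(psbt)).hexdigest()

def same_transaction(exported: bytes, returned: bytes) -> bool:
    """True if the PSBT read back from the card carries the transaction that was exported."""
    return tx_fingerprint(exported) == tx_fingerprint(returned)

# Constructed sample data: opaque placeholder bytes stand in for a real transaction.
def _sample_psbt(tx: bytes, input_maps: bytes = b"") -> bytes:
    return PSBT_MAGIC + bytes([1, 0x00, len(tx)]) + tx + b"\x00" + input_maps

EXPORTED = _sample_psbt(b"constructed-tx-paying-address-A")
SIGNED = _sample_psbt(b"constructed-tx-paying-address-A", b"\x01\x02\x01\xaa\x00")
SWAPPED = _sample_psbt(b"constructed-tx-paying-address-B", b"\x01\x02\x01\xaa\x00")

if __name__ == "__main__":
    print(same_transaction(EXPORTED, SIGNED))
    print(same_transaction(EXPORTED, SWAPPED))
```

Signatures are added to the per-input maps that follow the global map, so a legitimately signed file keeps the same fingerprint; a base64-encoded PSBT has to be decoded before it is passed in.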