Shop
The engineering story

Precision-engineered. Audited everywhere.

Four pieces of hardware, three independent audit firms, and a supply chain you can inspect. Here is how a ChinaBridge device actually works — and why we publish the evidence.

Secure element

Keys live inside a certified chip. Everything else is a courier.

The heart of every ChinaBridge device is a Common Criteria EAL6+ certified secure element — the same class of chip used in passports, EMV bank cards, and government smart cards. The SE generates your private keys, stores them in hardware-isolated memory, and performs the signature operation itself. The keys never leave the chip.

HOST untrusted Wallet software Browser / OS Network unsigned tx CHINABRIDGE DEVICE Application FW open-source · audited Display + touch direct-wired UI Secure Element · EAL6+ Private keys isolated memory Sign + verify on-chip only Physical confirm · gold button / touch signed tx (keys never cross) BACK TO HOST Broadcast via USB-C, BT, or QR air-gap Fortress only: QR-only mode

EAL6+ secure element

A dedicated, tamper-resistant chip that generates and stores your keys. Certified against physical and side-channel attack classes under Common Criteria.

Isolated firmware

Application firmware runs in a separate domain from the secure element. Compromising the app layer does not grant access to key material.

Physical confirm

Every signature requires a physical press. No remote attacker — not malware, not a malicious browser tab — can produce a signature without your finger.

Open firmware

Don't trust us. Read the source.

The ChinaBridge application firmware — the code that renders transaction details, drives the display, handles the touchscreen, talks to host software, and asks the secure element to sign — is published under a permissive open-source license. Build it, audit it, submit fixes, or simply diff it against the binary that ships on your device.

The repository lives at github.com/chinabridge/firmware. The secure-element firmware itself is proprietary and under NDA with the chip vendor — a standard Common Criteria requirement — but its behavior is fully specified and its interaction surface with the application layer is part of the audit scope below.

Audit · 2024

Kudelski Security

Full firmware review of the Vault Pro v3.2 branch, including the HID transport layer, SLIP-39 Shamir implementation, and the secure-element IPC boundary. Zero critical findings; three low-severity items fixed in v3.2.4.

Audit · 2024

Trail of Bits

Cryptographic review of key derivation paths, BIP32/BIP39/SLIP-39, and Bluetooth pairing attestation on the Vault Pro. One medium-severity finding in the BT pairing nonce rotation; fixed and re-verified in v3.2.6.

Audit · 2025

Quarkslab

Fortress dual-SE architecture review: QR air-gap camera pipeline, SE-A/SE-B cross-attestation, hidden-wallet derivation. Two low-severity findings on input parsing; fixed in the Fortress release candidate firmware.

Full audit reports, including every finding and its disposition, are published in the firmware repository under /audits.

Supply chain

From silicon to your door, nothing leaves unsealed.

Supply-chain attacks — interception between factory and customer — are a real threat vector for hardware wallets. ChinaBridge devices are manufactured in a single secure facility, sealed at assembly, and shipped with tamper-evident packaging that cryptographically attests to the device firmware on first connect.

01

Assembly in Hong Kong

Every unit is assembled at the ChinaBridge facility under ESD-controlled conditions, with full part-level traceability by serial number.

02

Factory attestation

Each secure element is provisioned with a per-device attestation certificate signed by the ChinaBridge factory key. The private factory key never leaves an HSM on-site.

03

Tamper-evident seal

Devices ship sealed in a holographic sleeve with a unique tracking code. The sleeve cannot be opened and reapplied without visible damage.

04

On-boot verification

On first connect, your host verifies the factory attestation and the firmware hash against published, reproducible builds. If the check fails, the setup wizard refuses to proceed.

Certifications register

Every claim, on the record.

Standard Identifier Scope Applies to
Common Criteria EAL6+ CC-2024-08-CH-NSCIB Primary secure element Vault, Vault Pro, Fortress (SE-A)
Common Criteria EAL6+ CC-2025-02-CH-NSCIB Secondary secure element Fortress (SE-B)
FCC Part 15 FCC ID 2AZGP-CBBRV1 Emissions compliance Vault
FCC Part 15 FCC ID 2AZGP-CBBRV2 Emissions + BT 5.3 compliance Vault Pro
FCC Part 15 FCC ID 2AZGP-CBBRF1 Emissions + BT 5.3 compliance Fortress
CE (EU) RED 2014/53/EU Radio equipment directive All models
RoHS 2 2011/65/EU + 2015/863 Restricted substances All models
ISO 27001 ISO/IEC 27001:2022 Information security management Dollar Media Technology Limited organization

Certificate PDFs and test reports are available on request to [email protected]. Regulated buyers (enterprise, custodians) receive the full compliance dossier as part of onboarding.

Everything above, in your hand.

Pick the model that fits your threat model. Start self-custody with hardware you can read, verify, and trust.

Shop hardware Read our security model