[Feature Request] Crypto hardwallet (BIP39 passphrase recovery) - using PBKDF2-HMAC-SHA512 #1546

kyubane opened this Issue Mar 18, 2018 · 1 comment



kyubane commented Mar 18, 2018

Hardware wallets for cryptocurrencies generally use BIP39 / BIP44 / BIP49 for the deterministic generation of keys given a master key (stored as a mnemonic for easy restoration). They also have an option for the usage of passphrases - which each generate a new key - for plausible deniability. However, if you don't use a passphrase in a while, you are liable to forget it. Like me.

If you have the seed words (the mnemonic), the target address, and knowledge of the path, using a program like hashcat with a password candidate list could recover the password. I've been working to modify hashcat myself, but figured I'd try asking here as a feature request.

I'm happy to donate a significant amount to this project to help make it worth your time.

The required changes can be broken down as follows:
1.) Modify the PBKDF2-HMAC-SHA512 function to input the password candidates as the salt and data from the mnemonic as the password.
2.) Convert the resulting private key (along with the path) into a public address and compare this against the target.

Additional info:
1.) BIP39 info can be found here:
with the key information being: "To create a binary seed from the mnemonic, we use the PBKDF2 function with a mnemonic sentence (in UTF-8 NFKD) used as the password and the string "mnemonic" + passphrase (again in UTF-8 NFKD) used as the salt. The iteration count is set to 2048 and HMAC-SHA512 is used as the pseudo-random function. The length of the derived key is 512 bits (= 64 bytes)."

2.) For my specific use case the target address is m / 49' / 0' / 0' / 0 / 0. You could allow it to be more general by allowing people to specify a path or even a range of paths.

The format of the path is "m / purpose' / coin_type' / account' / change / address_index".
The user should generally know the exact values of purpose, coin_type, and account. They may wish to cycle through change and address_index (as accounts will increment these during normal use) with an upper limit.

Read more here:

Example test vector:
Target Address: 33747aCmUp8PkWmWWY8epR1Cph8Tf9Aozt (m/49'/0'/0'/0/0)
BIP39 mnemonic: abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about
passphrase: testpass

Extra (not visible to user):
BIP32 root key: yprvABrGsX5C9janudxvqdKg47twvnZoNjbmqgMt8GCDpx2xYN2351agtWysXhZ44tV92JDvZU2ppimnoJzF2A79r58KLA7c2aNV65zwZrph67B
BIP32 Extended Private Key: yprvALaobegiKdgMpUaWNgK12feBKeewQ72CM2wwtcmi1CYvuCjKmn2SgmVJkFN9KURybbqiA8U7fN1JEsPRZUhJNWtbWEddEMk93QXD6DEuB1U
Address public key: 03eabf118ca2918b3c1fa16d675ffb6382d6f40bae63c9e096548dd2b3dd6bfd5a
Address private key: KwxGq13B9B4BX6tjNc9pvVzMpKQ72SjEJ4R1ZLtSAC5qRuFzUFWW

A new set of test vectors can be generated here:
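The seed-derivation step quoted above (mnemonic as the PBKDF2 password, "mnemonic" + passphrase as the salt, 2048 rounds of HMAC-SHA512, 64-byte output) is small enough to check end to end with the Python standard library. The following is an added example, not code from the issue or from hashcat. It uses the BIP39 specification's own published first test vector (the same all-"abandon" mnemonic as above, but with the passphrase "TREZOR", for which the spec publishes the resulting seed); the "testpass" vector in the issue is not used because the issue does not list its seed. The example also carries the seed through the first BIP32 step (HMAC-SHA512 keyed with "Bitcoin seed") to show where the root private key and chain code come from; the elliptic-curve work needed to reach an address is not shown.

```python
import hashlib
import hmac
import unicodedata

# Official BIP39 test vector (entropy 0x00 * 16), reproduced here for checking.
TEST_MNEMONIC = ("abandon abandon abandon abandon abandon abandon "
                 "abandon abandon abandon abandon abandon about")
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_HEX = ("c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
                 "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04")

BIP39_ROUNDS = 2048   # fixed by the spec; note how low this is for a KDF
BIP39_SEED_LEN = 64   # 512-bit seed


def bip39_seed(mnemonic, passphrase=""):
    """Derive the BIP39 binary seed.

    The mnemonic sentence is the PBKDF2 *password*; the string "mnemonic"
    followed by the passphrase is the *salt*. Both are NFKD-normalised and
    UTF-8 encoded, exactly as the specification text quoted in the issue says.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, BIP39_ROUNDS,
                               dklen=BIP39_SEED_LEN)


def bip32_master_key(seed):
    """BIP32 root node from a seed: HMAC-SHA512 keyed with b"Bitcoin seed".

    Left 32 bytes = master private key, right 32 bytes = master chain code.
    Returns (private_key, chain_code). Turning this into the yprv / address
    in the issue additionally needs secp256k1 point math and child derivation.
    """
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def seeds_differ(mnemonic, passphrase_a, passphrase_b):
    """True when two passphrases yield different seeds for the same mnemonic.

    This is the "each passphrase generates a new key" property: the passphrase
    is not a second factor layered on the mnemonic, it selects a whole
    different wallet, which is also why a forgotten passphrase is unrecoverable
    from the mnemonic alone.
    """
    return not hmac.compare_digest(bip39_seed(mnemonic, passphrase_a),
                                   bip39_seed(mnemonic, passphrase_b))


if __name__ == "__main__":
    seed = bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE)
    print("seed matches spec vector:", seed.hex() == TEST_SEED_HEX)
    priv, chain = bip32_master_key(seed)
    print("master private key:", priv.hex())
    print("master chain code :", chain.hex())
    print("empty vs TREZOR passphrase differ:",
          seeds_differ(TEST_MNEMONIC, "", TEST_PASSPHRASE))
```

Running it confirms the spec vector reproduces with `hashlib.pbkdf2_hmac`. Two points worth noticing for anyone evaluating this as a cracking target: the iteration count is fixed at 2048, so the only cost protecting a wallet's passphrase is the passphrase's own entropy; and, as philsmd's comment below points out, the expensive part of a per-candidate check is not this KDF but the secp256k1 derivation from the master key to an address, which this example deliberately stops short of.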




philsmd commented Mar 22, 2018

I assume that this involves elliptic curve cryptography that needs to be done on GPU? Not sure if something like this is easy to implement (feasible?).

I'm also not sure how often it happens that you exactly know all the mnemonic words, but just do not know the optional password. I think this is kind of a rare situation (for the time being).
