Bitcoin recovery - forgot my 12th recovery word for recovering my crypto account

Disclaimer: there may exist software that does all of this automatically for you, but I'm going to provide a quick walk-through of the steps, which will allow you to compute this manually.

If you only need to recover the last word, then you're in luck, as there are only a small number of possibilities for what that last word could be. The Bip-39 word list has 2048 possibilities, but the last word in a seed phrase is partially determined by a checksum, greatly reducing the number of possibilities. Here is how to determine the possibilities for that last word:

Before beginning, it is worth pointing out that you are going to be handling sensitive data. If you are handling this data on a compromised computer, there is risk of your bitcoins being stolen (ie, the attacker would be able to get a hold of the sensitive data). It is best to use a computer that you trust to be clean, and that is not connected to the internet (at least, until you can recover your funds and move them to a new wallet which is not compromised by handling the seed data in this way). Do NOT use online tools to perform any steps which could potentially leak this sensitive data.

Step 1: reconstruct the binary seed, from the mnemonic.

Here is the BIP39 English word list. Take your mnemonic phrase, and look up the number associated with each word. Subtract 1 from that number, and write it down. For example, the word guitar is number 831, so you would write down 830.

(the reason we subtract 1 is that the word list linked to above starts at index 1, whereas the index used in the actual code starts at zero: 00000000000 (binary representation)).

Step 2: convert those numbers to binary numbers.

Each word represents 11 bits of entropy, which we will write out as a string of zeros and ones. Continuing from the example above, for the word guitar, the number 830 is 1100111110. Notice that this binary string is only 10 digits long though (10 bits), so we need to add another 0 to the start of the string, to make it an 11-bit number. So the binary number we will write down is: 01100111110.

Repeat this process for all the other words, again appending zeros to the front of the binary string as needed to make each number 11 bits long.

Step 3: Assemble all the binary numbers into one long binary string

This step is easy: you should have eleven binary strings, each one 11-bits (11 digits) long. Concatenate them into one long string (in the correct order, of course!).

Continuing from our example above, lets pretend that our seed phrase begins with the word guitar repeated eleven times. Our concatenated binary string would now be: 0110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110

This 11 word phrase comes from this 121 bit number, but in total, your 12-word mnemonic seed phrase encodes 132 bits of entropy. Of this 132 bits, the first 128 bits are random, and then the last 4 bits are a checksum.

So this means that the last word includes 7 random bits, and then 4 bits that are a checksum (of the 128 bit seed). This means you have 2^7 = 128 possible words to check.

Step 4: Compute the last word

We must iterate through the range of all possible 7-bit numbers, from 0000000 to 1111111. Each attempt will involve appending a 7-bit number to the end of the 121-bit number we built from the list of 11 words. So to begin, we can just append 0000000 to our number from above (the word guitar, repeated 11 times):

01100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111100000000

The next attempt would be:

01100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111100000001

And so on, until we reach:

01100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111101111111

For each of these 128-bit numbers, we will need to SHA256 hash the binary value, and then take the first four bits of the resulting output, and append those 4 bits to the end of the 128-bit number we started this step with.

To perform this step, we can use the command line tool shasum:

echo 01100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111100000000 | shasum -0 -a 256

This command tells your computer to take the 128 bit number, and run 'shasum' on it, -a 256 tells the computer to use the SHA256 hash function, and -0 tells the computer to interpret the input as a string of bits (this is important! If the string is interpreted in some other way, the resulting output will be incorrect).

The output of this command should be (in hex):

21bb0a0efc9fec48880509aa11fd1cc7f16a014b8bee65ab87b0505145e2a865 ^-

In this case we just want the first 4 bits of the output, which is conveniently just the first hex character of the string above: 2. (note that the ^- at the end of the output denotes that the input was interpreted as bits)

So we can convert the hex number 2 back to binary: 0010, and then append this binary value onto the end of our 128-bit binary string:

0110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110000000000010

For this first attempt, we can see that the last eleven bits are thus: 00000000010. Converted to decimal notation, this is the number 2, which means the last word in our mnemonic is the word at index 2 from the BIP39 word list. BUT! Remember that the BIP39 word list starts at index 0, so similar to the above, we must add 1 to this number, leading us to the word at index 3, which is able.

So the first possible mnemonic would be:

guitar guitar guitar guitar guitar guitar guitar guitar guitar guitar guitar able

You can then input this seed phrase into some software that will accept 12-word BIP 39 seed phrases (such as Electrum wallet), and see what addresses the wallet generates for you. Note that you will also need information pertaining to the derivation path used by the wallet in question, for example was it BIP 44 or BIP 84? etc. I am aware of some tools that can help automate this step, for example see here or here. Ideally, you would know the first couple addresses of your wallet, so you can quickly check to see if electrum generates those same addresses, even in an offline environment. Ian Coleman's BIP39 tool will probably also be helpful, though you should be sure to download and run that webpage in an offline environment.

If you do not generate the correct wallet after this first attempt, you will need to increment the 7-bit number by 1, and then perform this step again. Possibly up to 128 times, but no more than that.