Bitcoin recovery - forgot my 12th recovery word for recovering my crypto account

Bitcoin Asked on December 17, 2021

I have managed to forget the last (12th) mnemonic word to my crypto-account.
Could you please show me how I can find software with which I can enter recovery words from a file so that I can attempt recovering by changing the last word, which I do not know, from the dictionary.

I have read some answers but did not understood how to do it.

Disclaimer: there may exist software that does all of this automatically for you, but I'm going to provide a quick walk-through of the steps, which will allow you to compute this manually.

If you only need to recover the last word, then you're in luck, as there are only a small number of possibilities for what that last word could be. The Bip-39 word list has 2048 possibilities, but the last word in a seed phrase is partially determined by a checksum, greatly reducing the number of possibilities. Here is how to determine the possibilities for that last word:

Before beginning, it is worth pointing out that you are going to be handling sensitive data. If you are handling this data on a compromised computer, there is risk of your bitcoins being stolen (ie, the attacker would be able to get a hold of the sensitive data). It is best to use a computer that you trust to be clean, and that is not connected to the internet (at least, until you can recover your funds and move them to a new wallet which is not compromised by handling the seed data in this way). Do NOT use online tools to perform any steps which could potentially leak this sensitive data.

Step 1: reconstruct the binary seed, from the mnemonic.

Here is the BIP39 English word list. Take your mnemonic phrase, and look up the number associated with each word. Subtract 1 from that number, and write it down. For example, the word guitar is number 831, so you would write down 830.

(the reason we subtract 1 is that the word list linked to above starts at index 1, whereas the index used in the actual code starts at zero: 00000000000 (binary representation)).

Step 2: convert those numbers to binary numbers.

Each word represents 11 bits of entropy, which we will write out as a string of zeros and ones. Continuing from the example above, for the word guitar, the number 830 is 1100111110. Notice that this binary string is only 10 digits long though (10 bits), so we need to add another 0 to the start of the string, to make it an 11-bit number. So the binary number we will write down is: 01100111110.

Repeat this process for all the other words, again appending zeros to the front of the binary string as needed to make each number 11 bits long.

Step 3: Assemble all the binary numbers into one long binary string

This step is easy: you should have eleven binary strings, each one 11-bits (11 digits) long. Concatenate them into one long string (in the correct order, of course!).

Continuing from our example above, lets pretend that our seed phrase begins with the word guitar repeated eleven times. Our concatenated binary string would now be: 0110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110

This 11 word phrase comes from this 121 bit number, but in total, your 12-word mnemonic seed phrase encodes 132 bits of entropy. Of this 132 bits, the first 128 bits are random, and then the last 4 bits are a checksum.

So this means that the last word includes 7 random bits, and then 4 bits that are a checksum (of the 128 bit seed). This means you have 2^7 = 128 possible words to check.

Step 4: Compute the last word

We must iterate through the range of all possible 7-bit numbers, from 0000000 to 1111111. Each attempt will involve appending a 7-bit number to the end of the 121-bit number we built from the list of 11 words. So to begin, we can just append 0000000 to our number from above (the word guitar, repeated 11 times):

01100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111100000000

The next attempt would be:

01100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111100000001

And so on, until we reach:

01100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111101111111

For each of these 128-bit numbers, we will need to SHA256 hash the binary value, and then take the first four bits of the resulting output, and append those 4 bits to the end of the 128-bit number we started this step with.

To perform this step, we can use the command line tool shasum:

echo 01100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111100000000 | shasum -0 -a 256

This command tells your computer to take the 128 bit number, and run 'shasum' on it, -a 256 tells the computer to use the SHA256 hash function, and -0 tells the computer to interpret the input as a string of bits (this is important! If the string is interpreted in some other way, the resulting output will be incorrect).

The output of this command should be (in hex):

21bb0a0efc9fec48880509aa11fd1cc7f16a014b8bee65ab87b0505145e2a865 ^-

In this case we just want the first 4 bits of the output, which is conveniently just the first hex character of the string above: 2. (note that the ^- at the end of the output denotes that the input was interpreted as bits)

So we can convert the hex number 2 back to binary: 0010, and then append this binary value onto the end of our 128-bit binary string:

0110011111001100111110011001111100110011111001100111110011001111100110011111001100111110011001111100110011111001100111110000000000010

For this first attempt, we can see that the last eleven bits are thus: 00000000010. Converted to decimal notation, this is the number 2, which means the last word in our mnemonic is the word at index 2 from the BIP39 word list. BUT! Remember that the BIP39 word list starts at index 0, so similar to the above, we must add 1 to this number, leading us to the word at index 3, which is able.

So the first possible mnemonic would be:

guitar guitar guitar guitar guitar guitar guitar guitar guitar guitar guitar able

You can then input this seed phrase into some software that will accept 12-word BIP 39 seed phrases (such as Electrum wallet), and see what addresses the wallet generates for you. Note that you will also need information pertaining to the derivation path used by the wallet in question, for example was it BIP 44 or BIP 84? etc. I am aware of some tools that can help automate this step, for example see here or here. Ideally, you would know the first couple addresses of your wallet, so you can quickly check to see if electrum generates those same addresses, even in an offline environment. Ian Coleman's BIP39 tool will probably also be helpful, though you should be sure to download and run that webpage in an offline environment.

If you do not generate the correct wallet after this first attempt, you will need to increment the 7-bit number by 1, and then perform this step again. Possibly up to 128 times, but no more than that.

Answered by chytrik on December 17, 2021

Related Questions

What makes cross input signature aggregation complicated to implement?

1  Asked on January 2, 2021

In a Proof of Stake (PoS) mining scheme what prevents miners from producing many more blocks or inflating the currency?

1  Asked on December 25, 2020 by kristopher-ives

What kinds of wallets are there?

3  Asked on December 23, 2020 by karlito

From Edge to Poloniex

1  Asked on December 22, 2020 by don-myers

In theory could we skip the proposed Taproot soft fork, activate Simplicity instead and use Simplicity to write the equivalent of Taproot scripts?

1  Asked on December 20, 2020 by michael-folkson

i have 0.10096 mbtc (0.00010096 BTC) in my btc wallet but when ever i try to send bitcoins it always says your balance is low to pay the fee

2  Asked on December 20, 2020 by noor-siddiq

Create Raw Transaction in BitcoinJ offline starting from UTXO info

1  Asked on December 19, 2020 by andrean

How do I calculate transaction fee for call to createpsbt()?

1  Asked on December 18, 2020

GREP help: Bitcoin address/key buried as text somewhere on hdd

1  Asked on December 17, 2020 by stormshadow

What is the longest firstbits?

1  Asked on December 17, 2020 by lurf-jurv

Proof of address ownership

1  Asked on December 15, 2020 by theruss

Bip39 tool – BIP32 Extended Private Key vs BIP32 Root Key

1  Asked on December 14, 2020 by guillaume07

How to configure bitcoind to wait for X confirmations to make the payment submitted

1  Asked on December 13, 2020 by valometrics-com

Stale block verification at node level

2  Asked on December 10, 2020 by user87441

How to import address with private key using importmulti

1  Asked on December 8, 2020 by kimon

What is the program in Python that print information about the current block?

1  Asked on December 6, 2020 by roofnos

What exactly is the relation between Bisq and Bitcoin Core?

1  Asked on December 5, 2020 by j-lotz

How to automatically get transaction while sending BTC?

0  Asked on December 2, 2020 by abhishek-pandey

Can a wallet/exchange provider ask for transaction details

1  Asked on December 1, 2020 by digitalnomad30

Is there any python library could be used to decodescript in output

2  Asked on December 1, 2020 by carpemer