I decoded your transaction manually, because all the decode transaction tools on the net gave back -22 error and wouldn't give a deserialized transaction. Electrum's decode transaction command gave me back the following, but it didn't print out the signatures and just says "null" But in the raw transaction, the signatures are all there, and I verified each one individually and they all check out ok. I noticed you were sending two outputs of 583952 and 359215 satoshis to the same address. Add together your 156000 satoshi fee, and I assume your total balance to be 1099167 satoshis. What you might want to try and do is send just smaller amounts to consolidate without going over 100 kB. A lot of the servers were telling me errors saying "error -22 over 100kB" So maybe send 3 mBTC at a time to yourself to consolidate. Send them to separate addresses, then use the right click > send from button to slowly empty out the address in a few transactions. Maybe splitting into 3 will help. Other than that, everything looks fine. Perhaps 100kB is the upper limit for transaction size? Edit: Here's the deserialized raw transaction, without the signatures. http://0bin.net/paste/w8DGRILBfxr2Bf5x#/evNhWe5JyUb5rQpt+3jEKK8JvYntanfLaZB0fGfAIk= |
|
|
|
My saved transaction file is 254.0 kB (254,003 bytes) in size. When I tried to post it here I received the message:
The following error or errors occurred while posting this message:
The message exceeds the maximum allowed length (64000 characters).
Just out of interest, my default_wallet file in my .electrum folder is 59.2 MB (59,235,431 bytes).
http://0bin.net/Go to this site, paste the signed transaction and click submit. (You can set it for 1 day and it will disappear after 1 day) Then post the link here. (including all the gibberish after the # and it should end with a = ) |
|
|
|
What's BIP32?
BIP32 is basically Electrum's Deterministic Wallet version 2.0 Thomas, the lead dev for Electrum, helped design the BIP32 protocol and it was inspired and based on the Electrum deterministic model. http://bip32.org/This website allows you to mess around with BIP32 and switch around the branches and whatnot to see what kind of addresses are made. Many wallets are now supporting BIP32, in fact Electrum 2.0 will support BIP32 and on top of that supports 2of2 and 2of3 Multisig addresses generated deterministically |
|
|
|
I installed Electrum on Android by following the official instructions, and chose to restore my wallet by scanning the QR code given by the desktop version under Wallet -> Seed. This is the result:  In Electrum on my desktop, I have a balance of ~0.023 BTC, and 4 items in my history. On Android I see "0." and no recent transactions. - What might be wrong?
- Where is the user data stored / how do you remove the wallet to try again?
1. What is the gap_limit for your desktop client? If you don't know what this means, what version of electrum did you create your seed on? 2. Wallet data is stored in the SD card's root folder, I believe. It should be called electrum.dat you can rename electrum.dat to electrum.dat.old etc. and then restarting Electrum will prompt for creating a new wallet or restoring. |
|
|
|
I'm really glad you cleared this up. At an Ethereum meetup the other day a couple guys explained it to me differently, saying that the seed is tied to your private keys which are encrypted on the electrum servers.
I was actually disappointed to hear that, so this is awesome news. So the servers only broadcast transactions and check balances, while the seed and corresponding private keys are held locally. So even if there were no servers available, and the new electrum client did not support old seeds, you can still gain access to your bitcoin by using this script to derive the private keys. (Correct me if I have anything wrong)
I think they were getting confused with Blockchain.info. Electrum can be generated completely offline and still function perfectly. |
|
|
|
When I tried to send normally, the amount to send said 3.58215 mBTC, with a fee of 1.56 mBTC.
I tried to create a transaction of 3.59215 mBTC using: Create transaction > From CSV text, but the Transaction box looked all wrong, with 0 BTC sent, and a negative fee!
It took 20 minutes to sign, with the Python process using 900MB of memory. I saved the file, but haven't tried to broadcast it.
I'm not at all familiar with this non-standard usage. Where would I find the raw transaction?
The transaction box will always show a negative fee. And when sending to yourself, Electrum detects it is sending to itself and adjusts to tell you how much coin is leaving your wallet. So it says 0 if you send to yourself. Open the signed transaction file in a word editor. You should see something like Copy the entire hex string inside the quotes after "hex": Here's an example of what a signed raw transaction looks like. 01000000021e471cd741587122765369c24d788c865f6943aff06968a58757b1c6751a5d05010000006a47304402204e060c4d3e9c3ea1d1bf4ec055122c2216336d9cbb1f736df0862a2891f2b945022042915f2ba2a95a36a832dfc3c8a4e4357d713d5df610adaf82bc8a388df557850121036c38c71c8f869e74ab8f4dfacbab38dfdef27b42f250eef560f991943c1b3327ffffffff24d5f6f0f74c573e8ab09c52e32d1fdec5a91bc222cb6640d9459f6f03ad13e7010000006b483045022100e35e28e6fa8cb6ee923c4d6a81113a2d6e62d456338045028de764b389ecd8b9022013e2d46db521b137242e7044d7b1aec4a3840f6071195aebef5b5335d0bd32900121036c38c71c8f869e74ab8f4dfacbab38dfdef27b42f250eef560f991943c1b3327ffffffff0133e60300000000001976a914cd73598414597e3110f26f8a1d6ab3b849c1ef4788ac00000000 |
|
|
|
I tried using the method described in the other thread.
I changed MIN_RELAY_TX_FEE = in /lib/bitcoin.py from 10000 to 1000, and reduced the default fee in the settings from 0.2 mBTC to 0.01 mBTC.
When I tried to send the transaction, the fee was 1.56 mBTC.
After 15 minutes of waiting for it to send, I received an error message: error: {u'message': u'TX rejected', u'code': -22}
15 minutes!!!!!!!!! WOW! You must have a lot of inputs.... Here's a tip to make sure you don't have to wait again: Try using Create transaction > From CSV text. In the box, write the destination address, a comma, and then the amount (in BTC) 1FYrgGoniPUuiSXPmQ6D53rdwod5V1z6eQ, 0.01 This would send 10 mBTC to 1FYrgGoniPUuiSXPmQ6D53rdwod5V1z6eQ. (this does not include fees, so you should subtract 1.56 mBTC from your total balance and send that. Doing it this way will show a transaction dialogue. Clicking "Sign" will sign it. You can save the signed transaction file and try re-broadcasting it multiple times. Probably a good idea if signing took 15 minutes. If you can post the raw transaction, I might be able to tell you why it failed. |
|
|
|
|
Hi all,
In another thread, it seemed that not many people are aware (even though there is a warning message when you export a private key from a seeded address) of the (MPK + privkeyn = Master Private Key (mpk)) quirk.
I'm here to explain it.
First, some clarification.
Your seed is not your Master Private Key. Your seed is "stretched" out 100,000 times by hashing it against itself and subsequent hashes. The final hash that arises from this process is your "Master Private Key" or Extended Private Key. This is the private key to your Master Public Key.
Now that you understand this, here's some basic ECC math:
For a private-public keypair d = private, P = Public, the formula that calculates the public key from the private key is P = dG... where G is the "generator point" on the curve that Bitcoin uses for Elliptic Curve calculations. All keypairs in Bitcoin use the same Generator point G.
This relationship of P = dG is important to understand how the attack takes place.
First let's learn about Electrum's address derivation.
Well, the address derivation formula works something like this:
1. We first create an "s" which is = Hash( n:c:MPK ) where n = the index number of the address (0 = first address, 1 = second address, etc.) and c = Change addresses or not. (1 = change, 0 = regular) and MPK = your master public key.
2. Then we take that hash, use it as a private key against the generator point to get a public key R = sG
3. Then we take the master public key and add it to the sequence public key. This gives us a 3rd public key without needing to know its private key or the master private key, we will call this Pn = dnG
Notice how nowhere in that process did I use the master private key or the private key to Pn.
Now, how do I spend bitcoins for the address at Pn?
1. I stretch the seed 100,000 times to get the Master private key.
2. Since Pn = MPK + R... we can also write the equation as dnG = mpkG + sG.... G cancels out to get dn = mpk + s
3. We add the master private key to the Sequence "s" (and mod by the curve order) to get dn... with this, we can sign for the address at Pn
......
Ok, now that we understand what's going on, how are we vulnerable?
First, what does the attacker need?
1. Your Master Public Key.
2. Any one of the private keys from an individual address derived from your Master Public(/private) Key.
How do they attack you?
I know 100% that your MPK is correct, I know 100% that the private key I obtained is from that MPK's address. Normally people don't use a lot of addresses on Electrum, so even if we don't know the sequence number, we could try about 100 times and most likely find the right sequence.
Here's what I do:
1. I calculate the Bitcoin address from your private key, public key is X.
2. I attempt to guess, let's say I get it right that your number was Hash( 0:0:MPK ). Because I know your MPK and I guessed the index of your private key, I now have the sequence secret.
3. I created the public key for the sequence secret, and add it to your Master Public Key. If the end result is X, I have correctly found the sequence secret. If not, just keep guessing, its fast.
4. As we said before, private key derivation is d0 = mpk + s... so we change it around to mpk = s - d0
5. We know the sequence secret now, and the Bitcoin address private key. we subtract the private key from the sequence secret, modding by the curve order, we get the master private key.
6. Just in case, check if MPK = mpk * G. If it does, now you can solve any sequence address's private key.
So everyone, please treat every single individual private key on your seed's wallet as carefully as you would treat your seed.
BIP32 has the same problem, however, it also has something called "hardened keys." Which are supposed to break the chain (so you can only derive it one way) but at the expense of utility. (You won't be able to derive deeper chains from that child)
That being said. Electrum's offline signing ability and its lightweight client make it my favorite Bitcoin client to date. Just be sure to educate yourself. The same can be said with anything in life, especially Bitcoin related things, but it always helps to learn.
I hope this helps prevent theft. Please take care of your private keys.
Thank you.
|
|
|
|
Wow, ok thanks for warning me, I am pretty sure my master public key never went online but is it really that easy, if someone finds out my master public key and private key of any of my addresses it will discover my seed?
Yes, it is very easy. But no, they will not discover your SEED, but they will discover your MASTER PRIVATE KEY. Using this, you can generate all private keys in the wallet, just like seed, but it is not exactly the seed. So then how is it when one uses a master public key on an online client to send some coins, doesn't at any point the private key is inserted to sign off the transaction for it to go through?
If you use the master public key on an online client, your seed and private keys are on an offline computer. This is safe. If you are talking about a normal online wallet (with seed on the online computer) then your seed will get stolen directly if someone has enough control of your PC to see your RAM, no need to steal your master public key, they just take your seed... so Master Public Key is not an added risk. btw, this vulnerability also affects BIP32, so be careful. |
|
|
|
I thought we have to copy the master public key to online computer to set up watching only wallet.  Yes. But you keep your seed offline, so it is OK. No one can know your seed if you keep it, and ALL PRIVATE KEYS OFFLINE. ie. DO NOT export a single private key from your seed and bring it online to import into some service. As soon as you do this, anyone who knows that the private key belongs to one of the addresses generated by the master public key, they can combine them to create your master private key (which is what your seed is used to make) Remember: When you click "Export Private Key" a huge warning message appears. Please read the warning messages and do not ignore them. |
|
|
|
It will cost you a little fee Your described method would have worked fine, except that the amount that I was trying to transfer was 26.04785 mBTC, and the fee was 31.2 mBTC! I think that my imported addresses contained quite a bit of useless unspendable bitdust. 0.2 mBTC is the default per/kB fee... How could your tx be 156 kB? I want to see the unsigned transaction... seriously... how many inputs... my brain is boggled. You could always try to consolidate with a no-fee tx... it might take a few days to confirm tho. https://bitcointalk.org/index.php?topic=644533.msg7230650#msg7230650This post of mine will tell you how to send no-fee tx in Electrum. Warning: don't make a habit of it, so once you're done, change the bitcoin.py back. |
|
|
|
Any ideas?
EDIT: Here, I made a one line command window command that will generate a number of addresses for you that are related to your seed. combine it with two other lines (3 commands in a row) to get the addresses you want. 1. set an array called "addy" (line 1) 2. change the 50 in range(0,50) to tell the number of addresses you want to generate. However, from that number, any addresses with a history will be removed in the 3rd step. Also, the 0 can be changed to pick a staring point. (0 is first address, 1 is second address, 2 is third address, etc.) 3. just run the third line as is. It will print out all the addresses that don't have a tx history. (Remember, don't copy over the ">>" when inputting) >> addy = []
>> for i in range(0,50): addy.append(bitcoin.public_key_to_bc_address(('04' + '%064x' % (bitcoin.ecdsa.ellipticcurve.Point(bitcoin.ecdsa.ecdsa.curve_secp256k1, int(wallet.storage.get('master_public_key')[:64],16), int(wallet.storage.get('master_public_key')[64:],16), 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141L) + (int(bitcoin.Hash("%d:%d:"%(i,0) + wallet.storage.get('master_public_key').decode('hex')).encode('hex'),16) * bitcoin.ecdsa.ellipticcurve.Point(bitcoin.ecdsa.ecdsa.curve_secp256k1, 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798L, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8L, 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141L))).x() + '%064x' % (bitcoin.ecdsa.ellipticcurve.Point(bitcoin.ecdsa.ecdsa.curve_secp256k1, int(wallet.storage.get('master_public_key')[:64],16), int(wallet.storage.get('master_public_key')[64:],16), 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141L) + (int(bitcoin.Hash("%d:%d:"%(i,0) + wallet.storage.get('master_public_key').decode('hex')).encode('hex'),16) * bitcoin.ecdsa.ellipticcurve.Point(bitcoin.ecdsa.ecdsa.curve_secp256k1, 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798L, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8L, 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141L))).y()).decode('hex')))
>> print "\n".join(i for i in addy if len(wallet.history.get(i,{})) == 0) VVV---OLD---VVV print "\n".join(i for i in wallet.addresses() if len(wallet.history.get(i,{})) == 0 and not wallet.is_change(i))Paste this into your console and it will only list addresses with 0 transaction history AND that are NOT CHANGE ADDRESSES. NOTE: THIS WILL NOT LIST ADDRESSES WITH TRANSACTION HISTORY, EVEN WITH 0 BALANCE. Notice the number of addresses listed will = your gap_limit. So before using the above command, use: wallet.storage.put('gap_limit', XX)1. Replace XX with the number of addresses you wish to generate, and then restart Electrum. 2. Run the "print "\n".join..." command 3. Copy the list that comes out of the console. I think that electrum's console doesn't have a limit to the number of lines that can be displayed, but if you have any problems let me know. |
|
|
|
Another solution would be to just generate 50 new addresses and show them to me.
What is your definition of "new"? Do you mean new addresses that are NOT a part of your seed? If you want addresses that are a part of your seed, then what is your idea of "new"? One that is not showing in the receive tab? One that has not been used before? But is it ok if it's been shown on the receive tab before? I think maybe it would be better to tell us what you want to do rather than asking how to make addresses. |
|
|
|
1. wallet.storage.put('gap_limit', 50)2. close, reopen electrum 3. https://github.com/bitcoin/bips/blob/master/bip-0032.mediawikiBIP32 was based off of Electrum. But slightly different. For more details about mpk and its calculations, peek into your /lib/accounts.py file and you should find the code somewhere in there. |
|
|
|
You know I couldn't understand this raw transaction, watch wallet etc mumbo jumbo, so here is what I did...
... something way more complicated imo. Not to mention dangerous. As long as you don't ever copy your Master Public Key from your offline computer you should be safe with your method. Why? Because if I have a master public key and any one of the private keys of an individual address derived from that master public key, I can calculate the master private key. To make it easy to understand: Master Public Key + Private Key of any address from it = I now know your seed. So I hope you never touched the Master Public Key button on your offline wallet... because you've got private keys all over the place, and the one's you've used up, you're probably not too careful with anymore now that they have no balance... But, if your Master Public Key has never touched an online computer, you're fine. |
|
|
|
Hey coinsentry,
Just a heads up. You may want to find another name for the product as I have a pending copyright on it. It sounds like a worthwhile idea though.
Goodluck
Just a heads up to both of you, I have copyrighted "Coin Dysentery" in Zimbabwe. Just so we all cool, k. |
|
|
|
how can a keylogger in windows read unbutu OS when i am running windows? becuz i can only run 1 os at a time with dual boot.. whats the risk like? 1%? or 0.00000001%? (if i scan my usb stick with a virus scanner if i wanna sign files)
If you were very unlucky, and your online OS was compromised, someone could write code to read uninitialized RAM. When you use "reboot" the 1s and 0s on the RAM can stick around, and it could be possible someone could read that from your Ubuntu session and look for your seed. (though this would be VERY unlikely, and could be easily solved by turning off your computer, unplugging it and waiting 10 seconds, then plugging it back in an turning it on.) However, the far more likely problem you will most likely run into is: 1. you "reboot" into Ubuntu. 2. You leave the LAN cable plugged in, because you think Ubuntu is set to disable Network adapter. 3. For some reason, when you boot, Ubuntu has activated the network adapter and is trying to connect to the net. Which is why I recommend unplugging the physical LAN cable itself whenever you boot your cold storage, and when you switch back to online boot, unplug the electricity for 10 seconds. (this wipes the 1s from the RAM) |
|
|
|
Ugh confusing stuff everywhere  Just wait til 2.0... it'll be in there. |
|
|
|
|
Show Posts
