I have address and BIP32 root key, How to brute force to find derived pathway?

[shivam72]

I have xpub, xpri, address and BIP32 root key, I need to get private key to my address, its HD wallet, My thought process is if I brute force using BIP32 root key, xpub, address. I'll get the derived pathway then using it I can get pair of private and public key which I need.

Please tell me if this is the right process and if yes what would be the best way/script to brute force?

[Charles-Tim]

If you want to check the corresponding private key and public key for your address, use https://iancoleman.io/bip39/ offline. Using the HTML file (https://github.com/iancoleman/bip39/releases/latest/) on a word edit on an airgapped device is most secure.

You will see the space that you can paste the master or the extended private key (that begins with xpri) and also you will see where you can paste the BIP32 root key. Use any of the two and it will generate the child keys and addresses. Scroll down to check the address and its corresponding keys.

Do not use is Coleman tool to generate seed phrase, keys and addresses because JavaScript is not secure but you can use it to check for what you posted. If done offline, you are good to use the tool.

[shivam72]

Already tried but its not able to generate my address, since I think the pathway used is not upto the BIP32 standard and more on the older pathways used by developers or maybe custom pathways. Thats where the situation got tricky.

[Cricktor]

Am I correct to assume that you speak of the unknown derivation path which you want to brute-force and what you call "pathways"?

Can you tell from which wallet you have your details? Any hint on which wallet was in use here will help because someone might know what derivation path pattern might have been used.

btcrecover seems to have the ability to search derivation paths via its --pathlist command option. I haven't tried and used this option with btcrecover, so I'm not entirely sure if it's a valid recommendation and if you can even start with the details you know about your wallet.

Ability to search multiple derivation paths simultaneously for a given seed via --pathlist command (example pathlist files in the )

The problem is that the search space can grow pretty large especially when some sort of weird and deliberately non-standard derivation path was used. It's also unclear how many address indices should you check to find your matching public address.

[nc50lc]

Please tell me if this is the right process and if yes what would be the best way/script to brute force?

It's only possible if the derivation path is one of the commonly used derivation paths,
Example list: https://github.com/spesmilo/electrum/blob/master/electrum/bip39_wallet_formats.json

Generally, the "right process" is to check the wallet's documentation or source code depending on the availability.
With that, telling the wallet's name should be sufficient for experts to tell the correct derivation path to your address or if it's possible even.

btcrecover seems to have the ability to search derivation paths via its --pathlist command option. I haven't tried and used this option with btcrecover, so I'm not entirely sure if it's a valid recommendation and if you can even start with the details you know about your wallet.

The arg will only take a file containing a list of derivation paths that the user provided but wont bruteforce a combination of indices based from the list unlike a token file.

[Cricktor]

The arg will only take a file containing a list of derivation paths that the user provided but wont bruteforce a combination of indices based from the list unlike a token file.

Ah, ok, the command option name is a hint to what you say. So not really suitable to extensively seach derivation path tree branches. Given that every derivation path step after m/ can have 2³¹ unhardened and 2³¹-1 hardened branches, it's better to know quite specifically where and what to search for, otherwise as I wrote earlier the search space blows up quickly.

Another reason to document well what derivation path a wallet uses when it's not any common standard derivation path.


Does any such tool exist to extensively search through derivation path branches? I can't remember ever having seen such an option, maybe because it gets unfeasible pretty quickly.

[shivam72]

I had created a mnemonic seed and address using MMGEN wallet but forgot to store the mnemonic seed, but did store the bip 32 root key by using the mnemonic seed on Ian colmen

Now I want to derive the same address using a derivation path and bip 32 root key. can you please tell me what would be the derivation path, since it is mentioned in the wiki, that the wallet is deterministically deriving its keys, but uses a non-hierarchical scheme differing from the BIP32.

Please help me if anyone has any idea which derivation path they are using.

[nc50lc]

-snip- but did store the bip 32 root key by using the mnemonic seed on Ian colmen

Based on that tool's labeling, the "bip32 root key" that you have is the "master private key" derived from your mnemonic via BIP39 standard.

Unfortunately, upon looking at: Recovering-Your-Keys-Without-the-MMGen-Wallet-Software.md
That wallet isn't utilizing variants of BIP32 derivation like BIP44 or BIP84, etc. or even BIP39.

Firstly, derivation of the seed (binary seed) from the mnemonic phrase (seed phrase) is not the same as BIP39 (Converting an MMGen mnemonic to hexadecimal format)
So, your xprv that's derived using IanColeman's BIP39 tool wont be of any use since it can't be used retrieve the binary seed since it's already an output of a "one-way hash function".

Secondly, even if there's a possibility (which is extremely hard that it's deemed impossible);
The binary seed used to create that xprv key is a product of BIP39's mnemonic seed to seed algorithm which is entirely different from mmgen's algorithm. (refer to 'mnemonic to hex' link above)
So it's not what you've used in mmgen.

And lastly, they have their own method of "scrambling" the 'binary seed' depending on the target cryptocurrency.
They do not use "derivation path" like any standard wallet does.

TL;DR: In other words, you either need the mnemonic phrase (words) or binary seed in hex format to retrieve your bitcoins.

[BitMaxz]

Already tried but its not able to generate my address, since I think the pathway used is not upto the BIP32 standard and more on the older pathways used by developers or maybe custom pathways. Thats where the situation got tricky.

This thread is a bit old, and it seems no one mentions this tool called xPub scanner that's the only one that you can easily find the derivation path of the address you're looking for.

I'm going to share it here if someone experienced the same thing and wants to find the right derivation path of the target BTC address.
Check the xPub Scanner here and follow the guide how to run it.
It can also be used to scan all used addresses or with balances; the result gives you the right derivation path of each used addresses.

Alternatively to this scanner you can use this too https://blockpath.com/wallets/local/101?action=appxpub
The only problem using this tool is that it only supports legacy wallets segwits are not supported yet.

[alexeyneu]

if you just got all this stuff from mobile wallet or whatever you'd already have your money. there's something here you did not told us about hehe.

[mcdouglasx]

I had created a mnemonic seed and address using MMGEN wallet but forgot to store the mnemonic seed, but did store the bip 32 root key by using the mnemonic seed on Ian colmen

Now I want to derive the same address using a derivation path and bip 32 root key. can you please tell me what would be the derivation path, since it is mentioned in the wiki, that the wallet is deterministically deriving its keys, but uses a non-hierarchical scheme differing from the BIP32.

Please help me if anyone has any idea which derivation path they are using.

According to Mmgen's github repository, apart from the standard:

BIP44 (P2PKH): m/44 '/0'/0 '/0

BIP49 (P2SH-P2WPKH): m/49 '/0'/0 '/0

BIP84 (P2WPKH): m/84 '/0'/0 '/0

BIP86 (P2TR): M/86 '/0'/0 '/0

This could be the path in their derivations.

Taking as an example Bech32

Code:

import hashlib
import bip32utils

def sha256(data):
    return hashlib.sha256(data).digest()

def ripemd160(data):
    h = hashlib.new('ripemd160')
    h.update(data)
    return h.digest()

def bech32_polymod(values):
    generator = [0x3b6a57b2, 0x26508e6d, 0x1ea119fa, 0x3d4233dd, 0x2a1462b3]
    chk = 1
    for v in values:
        b = (chk >> 25)
        chk = (chk & 0x1ffffff) << 5 ^ v
        for i in range(5):
            chk ^= generator[i] if ((b >> i) & 1) else 0
    return chk

def bech_expand(hrp):
    return [ord(x) >> 5 for x in hrp] + [0] + [ord(x) & 31 for x in hrp]

def bech_checksum(hrp, data):
    values = bech_expand(hrp) + data
    polymod = bech32_polymod(values + [0, 0, 0, 0, 0, 0]) ^ 1
    return [(polymod >> 5 * (5 - i)) & 31 for i in range(6)]

def bech32_encode(hrp, data):
    combined = data + bech_checksum(hrp, data)
    BECH_CHRS = 'qpzry9x8gf2tvdw0s3jn54khce6mua7l'
    return hrp + '1' + ''.join([BECH_CHRS[d] for d in combined])

def cbits(data, frombits, tobits, pad=True):
    acc = 0
    bits = 0
    ret = []
    maxv = (1 << tobits) - 1
    for value in data:
        if value < 0 or (value >> frombits):
            raise ValueError("Invalid value")
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            ret.append((acc >> bits) & maxv)
    if pad:
        if bits:
            ret.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("Invalid bits")
    return ret

def bech_address(pubkey):
    sha256_r = sha256(pubkey)
    ripemdr = ripemd160(sha256_r)
    data = cbits(ripemdr, 8, 5)
    data = [0] + data
    hrp = 'bc'  # for MainNet
    address = bech32_encode(hrp, data)
    return address

xprv = "XPRV here"
bip32_root_key_obj = bip32utils.BIP32Key.fromExtendedKey(xprv)


with open("derived_addresses.txt", "w") as file:

    # Derive keys using the path m/0'/0'/0'
    for i in range(1001):
        derived_key = bip32_root_key_obj.ChildKey(0 + 0x80000000).ChildKey(0 + 0x80000000).ChildKey(i + 0x80000000)
        priv_key = derived_key.WalletImportFormat()
        pubkey = derived_key.PublicKey().hex()
        pubkey_bytes = bytes.fromhex(pubkey)
        bech32_address = bech_address(pubkey_bytes)
        file.write(f"Private Key: {priv_key}\nPublic Key: {pubkey}\nSegWit (Bech32) Address: {bech32_address}\n\n")

    # Derive keys using the path m/0'/1'/0'
    for z in range(1001):
        derived_key = bip32_root_key_obj.ChildKey(0 + 0x80000000).ChildKey(1 + 0x80000000).ChildKey(z + 0x80000000)
        priv_key = derived_key.WalletImportFormat()
        pubkey = derived_key.PublicKey().hex()
        pubkey_bytes = bytes.fromhex(pubkey)
        bech32_address = bech_address(pubkey_bytes)
        file.write(f"Private Key: {priv_key}\nPublic Key: {pubkey}\nSegWit (Bech32) Address: {bech32_address}\n\n")

    # Derive keys using the path m/84'/2'/0'
    for x in range(1001):
        derived_key = bip32_root_key_obj.ChildKey(84 + 0x80000000).ChildKey(2 + 0x80000000).ChildKey(x + 0x80000000)
        priv_key = derived_key.WalletImportFormat()
        pubkey = derived_key.PublicKey().hex()
        pubkey_bytes = bytes.fromhex(pubkey)
        bech32_address = bech_address(pubkey_bytes)
        file.write(f"Private Key: {priv_key}\nPublic Key: {pubkey}\nSegWit (Bech32) Address: {bech32_address}\n\n")

print("Derivation completed. The results are saved in 'derived_addresses.txt'.")

[AlphaNode]

If you have your BIP32 Root Key you can import it in Bitcoin Core for instance with importdescriptors command:

importdescriptors '[
    {
      "desc": "pkh(your BIP32 Root Key/44h/0h/0h/0/*)#xxxxxxxx",
      "timestamp": "now",
      "active": true,
      "internal": false,
      "range": [
        0,
        999
      ],
      "next": 0,
      "next_index": 0
    },
    {
      "desc": "pkh(your BIP32 Root Key/44h/0h/0h/1/*)#xxxxxxxx",
      "timestamp": "now",
      "active": true,
      "internal": true,
      "range": [
        0,
        999
      ],
      "next": 0,
      "next_index": 0
    },
    {
      "desc": "sh(wpkh(your BIP32 Root Key/49h/0h/0h/0/*))#xxxxxxxx",
      "timestamp": "now",
      "active": true,
      "internal": false,
      "range": [
        0,
        999
      ],
      "next": 0,
      "next_index": 0
    },
    {
      "desc": "sh(wpkh(your BIP32 Root Key/49h/0h/0h/1/*))#xxxxxxxx",
      "timestamp": "now",
      "active": true,
      "internal": true,
      "range": [
        0,
        999
      ],
      "next": 0,
      "next_index": 0
    },
    {
      "desc": "tr(your BIP32 Root Key/86h/0h/0h/0/*)#xxxxxxxx",
      "timestamp": "now",
      "active": true,
      "internal": false,
      "range": [
        0,
        999
      ],
      "next": 0,
      "next_index": 0
    },
    {
      "desc": "tr(your BIP32 Root Key/86h/0h/0h/1/*)#xxxxxxxx",
      "timestamp": "now",
      "active": true,
      "internal": true,
      "range": [
        0,
        999
      ],
      "next": 0,
      "next_index": 0
    },
    {
      "desc": "wpkh(your BIP32 Root Key/84h/0h/0h/0/*)#xxxxxxxx",
      "timestamp": "now",
      "active": true,
      "internal": false,
      "range": [
        0,
        999
      ],
      "next": 0,
      "next_index": 0
    },
    {
      "desc": "wpkh(your BIP32 Root Key/84h/0h/0h/1/*)#xxxxxxxx",
      "timestamp": "now",
      "active": true,
      "internal": true,
      "range": [
        0,
        999
      ],
      "next": 0,
      "next_index": 0
    }
  ]'

First, you'll get an error because of the chain #xxxxxxxx, just replace xxxxxxxx for the given chain on each case and launch de command again. You'll get a wallet with receiving and changing addresses for the following:

Base58 (Legacy)
Base58 (P2SH-SegWit)
Bech32 (Segwit)
Bech32m (Taproot)

[nc50lc]

If you have your BIP32 Root Key you can import it in Bitcoin Core for instance with importdescriptors command:

importdescriptors

If it's that simple, he wouldn't have to open this thread.
He should've immediately saw his private keys in each of the default derivation paths of each Derivation path Tabs when he tested it IanColeman's BIP39 tool (read his reply).

The main issue here is how MMGen generates its private keys from the mnemonic which isn't following the standard.
He just derived that "BIP32 Root Key" in that BIP39 tool which is different from what MMGen does.

[alexeyneu]

Given that every derivation path step after m/ can have 2³¹ unhardened and 2³¹-1 hardened branches, it's better to know quite specifically where and what to search for, otherwise as I wrote earlier the search space blows up quickly.

2⁸ may be? idk how non-standard it goes but i never seen m/0'/319'/0'.... kind of stuff

[AlphaNode]

If you have your BIP32 Root Key you can import it in Bitcoin Core for instance with importdescriptors command:

importdescriptors

If it's that simple, he wouldn't have to open this thread.
He should've immediately saw his private keys in each of the default derivation paths of each Derivation path Tabs when he tested it IanColeman's BIP39 tool (read his reply).

The main issue here is how MMGen generates its private keys from the mnemonic which isn't following the standard.
He just derived that "BIP32 Root Key" in that BIP39 tool which is different from what MMGen does.

I can assure you from experience that creating a HD Wallet in Bitcoin Core from the BIP32 Root Key works with the method I explain...

[nc50lc]

If it's that simple, he wouldn't have to open this thread.

I can assure you from experience that creating a HD Wallet in Bitcoin Core from the BIP32 Root Key works with the method I explain...

That will certainly work when importing master private keys to Bitcoin Core. (I've been suggesting descriptors ever since it's implemented)
But you certainly didn't read the whole topic or at least OP's replies which is why I explained that simply importing his xprv key as descriptors wont solve OP's issue.