Author Topic: Trezor - seed extraction  (Read 209 times)
PawGo (OP)
March 05, 2022, 08:06:37 AM
 #1

Hello

Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
I am aware of some "hacking" ways, brute-forcing PIN etc., is there any way how to do it with Suite? Or any other kung-fu way, even with firmware modification, but purely programmatically?
The official FAQ says "NO" (they advise to migrate to new seed & transfer coins), but maybe someone knows the way...
Maus0728
March 05, 2022, 01:32:22 PM
Last edit: March 05, 2022, 01:44:27 PM by Maus0728
 #2

If I understood you correctly? Did you mean displaying your seed phrase again that had been previously generated by your Trezor?

If yes, then your seed phrase can only be displayed once, after the HW generated it. Trezor does not offer a function where you can reveal your seed phrase again, besides it would not make any sense for a hardware wallet to have that function as it will defeat its purpose where the security is the focal point why people are using it.

I am not sure about extracting it programmatically though, because in the first place, the seed phrase isn't stored anywhere..

bitmover
March 05, 2022, 02:05:15 PM
 #3

Hello

Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
I am aware of some "hacking" ways, brute-forcing PIN etc., is there any way how to do it with Suite? Or any other kung-fu way, even with firmware modification, but purely programmatically?
The official FAQ says "NO" (they advise to migrate to new seed & transfer coins), but maybe someone knows the way...

I believe this defeats the whole purpose of a hardware wallet.

If you can "hack" it to display your seed again, you are breaking its security. The seed is not supposed to show again, as it would literally be exposing "

PawGo (OP)
March 05, 2022, 04:55:57 PM
 #4

I believe this defeats the whole purpose of a hardware wallet.

If you can "hack" it to display your seed again, you are breaking its security. The seed is not supposed to show again, as it would literally be exposing "

Guys, I know all that. I did not ask you for advice "do not do it, it is against security rules", I asked you HOW to do it ;-)
I am checking trezor-suite sources, retrieving backup seems to be blocked programmatically, just as a result of check "if it was already done". I would have to rebuild Suite and see if I am able to talk to device. Unfortunately I am allergic to typescript/node etc.
NeuroticFish
March 05, 2022, 05:03:58 PM
 #5

Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
I am aware of some "hacking" ways, brute-forcing PIN etc., is there any way how to do it with Suite? Or any other kung-fu way, even with firmware modification, but purely programmatically?
The official FAQ says "NO" (they advise to migrate to new seed & transfer coins), but maybe someone knows the way...

If there's no other way to access the funds, go the hacking route.

If you can access the funds, make an Electrum temporary cold wallet with a Tails OS stick and no internet (make sure you write down the temporary seed, just in case!), send the coins to that wallet, reset Trezor with a new seed (which you back up properly this time), send the coins to Trezor (make sure you keep that Tails OFFLINE), and you're done.

I would not expect a hardware wallet like Trezor to be easy to tamper with, and that's the reason for the proposed "routes".

PawGo (OP)
March 05, 2022, 05:56:31 PM
 #6

If you can access the funds, make an Electrum temporary cold wallet with a Tails OS stick and no internet (make sure you write down the temporary seed, just in case!), send the coins to that wallet, reset Trezor with a new seed (which you back up properly this time), send the coins to Trezor (make sure you keep that Tails OFFLINE), and you're done.

Yes, transfer to the new seed is my Plan B, but I think I will give myself some time, maybe I will find the way to do it other way.
Unfortunately I do not see any active discount/promo codes for Trezor T.
dkbit98
March 05, 2022, 10:26:19 PM
 #7

Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
If you already have backup words written on paper just use that.
It would be stupid for anyone to trust only their hardware device as the only source for keeping seed phrase, especially without passphrase.

I am aware of some "hacking" ways, brute-forcing PIN etc., is there any way how to do it with Suite? Or any other kung-fu way, even with firmware modification, but purely programmatically?
Be serious please... or ask Kingpin or other developers who hacked Trezor before.
Trezor fixed previous bugs so it would be much harder to repeat something like that again.
This is not a trivial task and certainly can't be performed by weekend forum warrior hacker.


PawGo (OP)
March 06, 2022, 08:39:58 AM
 #8

Be serious please... or ask Kingpin or other developers who hacked Trezor before.
Trezor fixed previous bugs so it would be much harder to repeat something like that again.
This is not a trivial task and certainly can't be performed by weekend forum warrior hacker.

Funds are already sent to new address, so it is just for fun - and to learn something new. I have HW for years and never spent so much time reading code as during last two days. And some say "it is open source, it must be tested/verified/checked by many people..." ;-)

The test if device already provided seed is performed in firmware too:
https://github.com/trezor/trezor-firmware/blob/395324a8ad9399bacba2ebb8740d72971842d761/legacy/firmware/reset.c (from line 156)
It would be easy to change it, but of course installing custom-built firmware removes the seed.
Pmalek
March 06, 2022, 08:54:10 AM
 #9

In all these years I have been here, I have never heard of anyone extracting or managing to display their seed a second time except during the wallet creation process. If you know your recovery phrase and you want to get a specific private key of one or multiple addresses, it can be done with the IanColeman BIP39 tool. I think the correct field where the seed needs to be entered is "BIP39 Mnemonic". This should of course be done in an offline environment. 

o_e_l_e_o
March 06, 2022, 09:10:53 AM
 #10

There is no "legal" way to do this. If there was an easy "illegal" way to do this, then it would have been done already, a security bounty claimed, and patched so it was no longer possible. It took Joe Grand (Kingpin) several months with a very outdated wallet to exploit a vulnerability which was patched 4 years ago just to unlock a wallet. The only way I am aware of to do this would be via the Ledger Donjon's method: https://donjon.ledger.com/Unfixable-Key-Extraction-Attack-on-Trezor/

There are some hardware wallets which retain the option to display the seed phrase after you have unlocked them which you could look into if you want to be able to do this in the future. I don't really like that option though, as it does pose an additional security risk.
dkbit98
March 06, 2022, 10:07:44 PM
 #11

It would be easy to change it, but of course installing custom-built firmware removes the seed.
Some hardware wallets have option for revealing seed words on display, I think it's Coldcard wallet and maybe some others, but you first need to know or hack PIN code.
I don't know how this works and I don't have the skills to examine and try what you want, and I doubt many people on earth can do what you want.
I know Kraken team was also doing testing like this, along with ledger donjon and other unknown people.

PrimeNumber7
March 06, 2022, 10:55:46 PM
 #12

Hello

Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
No.

Quote
am aware of some "hacking" ways, brute-forcing PIN
This is also not possible. Each time you incorrectly enter your PIN, you will have to wait an increasingly long amount of time before you can try again.


If it were possible to extract the seed from a HW wallet, it would be a security vulnerability, and the manufacturer would need to take steps to prevent this. You were instructed to write down the seed phrase when you initially created your seed. If you no longer have access to the seed, if you have access to the PIN, you should move all the coin out of your HW wallet and into a wallet whose private keys you have multiple backups to.
witcher_sense
March 07, 2022, 07:05:06 AM
Merited by vapourminer (3)
 #13

I am not sure about extracting it programmatically though, because in the first place, the seed phrase isn't stored anywhere..
Wait a minute, I always thought that a hardware wallet stores a seed phrase inside its hardware so that a wallet could generate private keys with which to sign transactions? If it had been otherwise, there wouldn't have been a chance to extract it either legally or illegally due to the physical absence of necessary keys.

Hello

Is there any "legal" way to retrieve (again) the seed, after Initial Backup process has finished?
I am aware of some "hacking" ways, brute-forcing PIN etc., is there any way how to do it with Suite? Or any other kung-fu way, even with firmware modification, but purely programmatically?
The official FAQ says "NO" (they advise to migrate to new seed & transfer coins), but maybe someone knows the way...
As many have correctly pointed out, Trezor hardware wallets don't offer the functionality of displaying the seed words you were shown upon the initial setup. Therefore, there is no legal way to reveal your seed. However, Trezor offers something else that could help you to compare the seed you have backed up on a piece of paper and the seed that is stored inside a hardware wallet, albeit without revealing the latter. This feature is called "Dry-run recovery." [1][2][3]

[1] https://wiki.trezor.io/User_manual:Dry-run_recovery
[2] https://blog.trezor.io/test-your-seed-backup-dry-run-recovery-df9f2e9889
[3] https://www.reddit.com/r/TREZOR/comments/rj7fpx/is_is_possible_to_do_the_dryrun_to_verify_my/

o_e_l_e_o
March 07, 2022, 11:25:00 AM
Merited by vapourminer (1)
 #14

Wait a minute, I always thought that a hardware wallet stores a seed phrase inside its hardware so that a wallet could generate private keys with which to sign transactions?
Yes, they do store the seed phrase. It would be possible for a hardware wallet to derive a root seed number from the seed phrase and then delete the seed phrase, but then the hardware wallet would not be able to use passphrases to create additional wallets. Since the seed phrase and any additional passphrase are both used as inputs to the same PBKDF2 function, if your hardware wallet supports passphrases then the seed phrase must be stored on it somewhere, even if the user cannot access it.
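
Added example (not part of the original post and not Trezor's firmware code): the BIP39 derivation described above, showing why a device that kept only the passphrase-less root seed could not open passphrase wallets. The mnemonic is the public BIP39 test-vector phrase, the two device classes are hypothetical models, and the BIP32 master-key step goes slightly beyond what the post covers.

```python
import hashlib
import hmac
import unicodedata

# Constructed sample input: the all-zero-entropy phrase from the public BIP39
# test vectors. It is widely known; never use it for real funds.
SAMPLE_MNEMONIC = "abandon " * 11 + "about"


def bip39_seed(mnemonic, passphrase=""):
    """BIP39 root seed: PBKDF2-HMAC-SHA512 with the mnemonic as the password
    and "mnemonic" + passphrase as the salt, 2048 rounds, 64-byte output."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def bip32_master(seed):
    """BIP32 master key: HMAC-SHA512(key=b"Bitcoin seed", msg=seed),
    split into (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


class MnemonicStoringDevice:
    """Hypothetical model of a wallet that keeps the seed phrase."""

    def __init__(self, mnemonic):
        self._mnemonic = mnemonic

    def unlock(self, passphrase=""):
        # The phrase is still available, so any passphrase can be mixed in.
        return bip32_master(bip39_seed(self._mnemonic, passphrase))


class SeedOnlyDevice:
    """Hypothetical model of a wallet that derives the passphrase-less root
    seed once and then discards the seed phrase."""

    def __init__(self, mnemonic):
        self._root_seed = bip39_seed(mnemonic, "")

    def unlock(self, passphrase=""):
        if passphrase:
            # PBKDF2 is one-way: the stored 64 bytes cannot be turned back into
            # the password input, so the salt cannot be changed after the fact.
            raise ValueError("seed phrase was discarded; passphrase wallets are unreachable")
        return bip32_master(self._root_seed)


def compare_designs(passphrase="TREZOR"):
    """Return what each design can derive for the standard and hidden wallet."""
    full = MnemonicStoringDevice(SAMPLE_MNEMONIC)
    reduced = SeedOnlyDevice(SAMPLE_MNEMONIC)
    try:
        reduced_hidden = reduced.unlock(passphrase)
    except ValueError:
        reduced_hidden = None
    return {
        "standard_matches": full.unlock() == reduced.unlock(),
        "hidden_differs": full.unlock(passphrase) != full.unlock(),
        "seed_only_hidden": reduced_hidden,
    }


if __name__ == "__main__":
    for key, value in compare_designs().items():
        print(key, value)
```

Both designs agree on the standard wallet, but only the one that still holds the phrase can derive the passphrase wallet.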
dkbit98
March 07, 2022, 03:51:55 PM
Merited by vapourminer (1)
 #15

Yes, they do store the seed phrase. It would be possible for a hardware wallet to derive a root seed number from the seed phrase and then delete the seed phrase, but then the hardware wallet would not be able to use passphrases to create additional wallets. Since the seed phrase and any additional passphrase are both used as inputs to the same PBKDF2 function, if your hardware wallet supports passphrases then the seed phrase must be stored on it somewhere, even if the user cannot access it.
Some DIY hardware wallets like SeedSigner are using nonconsistent storage, so every time you turn off power from your device you lose all information from memory.
This means you would have to import your seed words in SeedSigner each time when you power on device, but this is fast process with QR code import system.
I think this is better option for devices that don't have secure element installed (read Trezor), it is safer and you don't have to worry if someone will hack your device.
Some people would argue this is even better approach than using closed source secure elements in hardware wallets (read ledger).
It can be a hassle if you use hardware wallet all the time and turn it on/off, but it is good if you just hodl coins and make only few transactions.

Pmalek
March 08, 2022, 10:04:09 AM
 #16

Wait a minute, I always thought that a hardware wallet stores a seed phrase inside its hardware so that a wallet could generate private keys with which to sign transactions? If it had been otherwise, there wouldn't have been a chance to extract it either legally or illegally due to the physical absence of necessary keys.
The seed is stored inside the wallet but you can't access it just like that. o_e_l_e_o mentioned Kingpin and his successful seed extraction of a Trezor One with an outdated and vulnerable firmware. The only reason that hack worked was because the device kept the seed and the PIN in RAM when the device booted. But getting your hands on it still required extensive work and penetration. But this has already been fixed a few years ago.

PrimeNumber7
March 08, 2022, 07:12:20 PM
 #17

Wait a minute, I always thought that a hardware wallet stores a seed phrase inside its hardware so that a wallet could generate private keys with which to sign transactions?
Yes, they do store the seed phrase. It would be possible for a hardware wallet to derive a root seed number from the seed phrase and then delete the seed phrase, but then the hardware wallet would not be able to use passphrases to create additional wallets. Since the seed phrase and any additional passphrase are both used as inputs to the same PBKDF2 function, if your hardware wallet supports passphrases then the seed phrase must be stored on it somewhere, even if the user cannot access it.
In theory, a HW wallet could store some derivative of the seed and use a non-standard implementation of a passphrase in order to avoid storing the seed.

Doing so would not improve the security of the HW wallet. If someone is able to extract the "secrets" from a HW wallet, they are going to use tools with the ability to copy arbitrary information, and are not going to write information displayed on the HW wallet's display.

The algorithm to calculate the private keys based on the above derivative will need to be public, so it will be possible for the user to recover their private keys in case their HW wallet breaks.
witcher_sense
March 09, 2022, 12:42:56 PM
Last edit: March 09, 2022, 12:58:55 PM by witcher_sense
 #18

Yes, they do store the seed phrase. It would be possible for a hardware wallet to derive a root seed number from the seed phrase and then delete the seed phrase, but then the hardware wallet would not be able to use passphrases to create additional wallets. Since the seed phrase and any additional passphrase are both used as inputs to the same PBKDF2 function, if your hardware wallet supports passphrases then the seed phrase must be stored on it somewhere, even if the user cannot access it.
The only sensitive information a hardware wallet stores is the seed phrase, right? I mean, a hardware wallet doesn't store private keys, which it derives from the seed once you request it to sign transactions, nor does it keep in its memory a passphrase that was initially used to create "hidden" private keys. It also follows that once you unplug the USB cable or turn it off, a hardware wallet forgets everything it has derived during the time of being used as a signing device. In other words, it has a short memory. A hardware wallet, again and again, has to perform certain calculations every time you connect and ask it to authorize the transfer of funds from the address for which it has a corresponding private key to some other address. Am I right?

The only reason that hack worked was because the device kept the seed
This is what I was trying to convey: if a hardware wallet didn't keep the seed phrase, it wouldn't be possible to extract it.

o_e_l_e_o
March 09, 2022, 01:23:41 PM
 #19

In theory, a HW wallet could store some derivative of the seed and use a non-standard implementation of a passphrase in order to avoid storing the seed.
There are no hardware wallets I am aware of which do this, and it would achieve next to nothing anyway.

The only sensitive information a hardware wallet stores is the seed phrase, right? I mean, a hardware wallet doesn't store private keys, which it derives from the seed once you request it to sign transactions, nor does it keep in its memory a passphrase that was initially used to create "hidden" private keys.
Depends on the hardware wallet. I can't possibly speak for all hardware wallets, but most do not store private keys but instead derive them each time they are required and "forget" them when you unplug the device. The passphrase is another matter. There are some which do not store the passphrase, some which do, and some which can do either. Ledger wallets, for example, give you the option to attach the passphrase to a secondary PIN (in which case it is stored in the device), or to attach it temporarily each time you want to use it (in which case it isn't stored in the device).
dkbit98
March 09, 2022, 08:31:26 PM
 #20

This is what I was trying to convey: if a hardware wallet didn't keep the seed phrase, it wouldn't be possible to extract it.
I said before there are DIY hardware wallets who are doing exactly that with non-consistent file storage, and memory gets deleted each time when device power is turned off.
Two examples I know are SeedSigner based on Raspberry Pi Zero, and Krux Wallet based on M5StickV device... importing seed words is quick for both of them with QR code.
Both of them are relatively cheap to make and you won't be targeted by anyone for using general use devices like this not connected with cryptocurrencies.
They are more like signing devices than hardware wallets, but I see no reason why someone couldn't release something similar that is not DIY.
