My brother has a bitcoin wallet on a protected stick. He has the passphrase but, you guessed it, it doesn't work. He is convinced the passphrase is correct but he only has one try left before his stick sets itself on fire.
So, me being a pretty new to Rust, and with no knowledge of blockchain coding (although decades of programming experience behind me) I thought it must be easy to build a quick app that will brute force the passphrase, assuming my brother is correct and his passphrase is already very close to the real one.
I found a couple of crates that looked promising, and along the way discovered that Rust is very popular for blockchain coding so I felt encouraged. But today I finally admitted that I had no idea what I was doing.
I appreciate this is a very nebulous question but with nothing to lose I thought I would reach out here. Any ideas where I should start?
This is not quite the way you're going to do it. It depends on the hardware wallet and what it does for security (generally a lot see this breakin How I hacked a hardware crypto wallet and recovered $2 million - YouTube) but these wallets do have bugs that are reported often. So your best first step is to see if there any any known vulnerabilities first, call the company and ask them what you can do, and then call someone who is able to do this thing.
There might be a way to get it to dump non secret information that is easier than trying to get the private key, but I'm not sure how "easy" or difficult.
bitcoin wallet on a protected stick
So are you breaking the passphrase of the stick, or a bitcoin wallet? These are completely two different things.
Anyway - first rule of stuff like this, don't trust anyone, people will try to "help" you in PMs etc, whenever you go, trying to get access to your funds and steal them. Better keep all your communication public and sanity check everything with multiple sources.
And the whole thing is probably not strictly Rust related, so you might want to move it to Bitcoin stack overflow or reddit. If I were you I would avoid using your real name or anything giving away your id anywhere with relation to this. Giving away anything about yourself online like this is basically asking all the scammers on the Internet "if you can get me hacked, maybe you can get some BTC". At very least it might be annoying. You still have some relation to delete this post, I think.
I can get into the stick, its the passphrase of the wallet that isn't working. I hear you about this not being fully Rust related, sorry about that. In all honesty I think this may be much harder than anticipated. My first thoughts were something along the lines of:
- Copy out the wallet to some other unprotected location
- Load up the wallet using a Rust Crate
- Attempt to open the wallet using the wallet passphrase
- Modify the passphrase and try again
- 10 billion tries later - bingo!
Basically to do whatever these guys are doing but without losing 20% of the wallets contents
That phrase is very disturbing. Is it a figure of speech, or does the stick literally implement protection measures which wipe it if the incorrect password is entered too many times? If that is the case, then you are likely out of luck. It doesn't matter whether you try passwords programmatically or via the usual GUI interfaces, the result is the same: wipe. And a stick like that almost certainly won't allow you to just copy the wallet and brute force it at your leisure, that would make its protection measures meaningless.
Unless you have taken the time to backup the wallet in advance, if it was possible, you're screwed.
Oh. I've missed this part. Yeah. This is weird. Self-encrypted or software encrypted sticks don't implement anything like that.
Software wallets also don't (because they can't) implement anything like that.
Are you talking about a hardware wallet device like Trezor, Coldcard, BitBox, Ledger and many others? Probably Ledger, since it's popular and it does seem very much like a stick. Please do not call them "usb stick", because it's very confusing. They are specialized hardware.
If we're talking about hardware wallet:
There is no way to copy-out the secret key material from them, by design (other than hacking-hacking them - finding a combination of a hardware/software bug to do it; these companies will pay you a lot of money if you can find a way like this, so you can assume it's very hard (though not impossible, because some devices did have some bugs in the past that if unpatched by firware upgrade can still be abused)). The user is supposed to write down the secret material on a piece of paper and secure that when using the device for the first. The device itself is a bit of a throw-away. If it is lost or breaks, one is supposed to just restore the paper copy onto another hardware wallet. Failing to do so is critical failure of following simple and explicit instructions at users own peril.
So if we are talking about restoring funds from a hardware wallet, better start looking for that paper copy, instead of trying to break into a wallet.
If this device is not a hardware wallet and is just a form of an usb pen
Then to help you we need more detail on what is on that usb pen. There must be some encrypted file, and we need to know what type of software was used to to access it. Then we figure out the type of that file, and recommend software to access it programmatically.
I feel like I am doing a bit of an ignorance strip-tease here, slowly revealing with each post just how little I know.
To answer the salient question: yes its hardware wallet and not a usb stick, a Ledger Nano S to be precise, and to his credit my brother did in fact follow the 'simple and explicit' instructions and then proceeded to carefully and meticulously record what turned out to be the incorrect passphrase. It beggars belief I know, but that is what he did.
To summarise then - a hardware wallet exists to thwart just the sort of brute force attack I originally proposed. Excellent. I will go tell my brother he is buggered.
Thanks for the detailed responses. I have learned something and it saved me wasting my time. And look, absolutely no Rust was harmed in the making of the this thread
Don't worry about knowing little. Everybody starts somewhere.
So you have a hardware wallet.
Ledger Nano, like most hardware wallets, when initialized for the first will require user to write down 24 words (aka. seed). These words are actually the only thing that matters. These are the secret material that holds the funds. The device is just a secure container, to enable using the words, without exposing them to easy to hack normal computer.
The wallet already has these 24 words (seed) inside, and to protect them from unauthorized use requires a PIN. It will have a limit on how many attempts it allows, after which it will erase them. Please also double check if you are failing to enter correct PIN vs Passphrase. These are easily confused, but mean something else specifically. PIN is the first thing the device asks after turning on. Passphrase is an advanced feature, that actually not many people use.
AFAIK, it's pretty much impossible to skip writing down these 24 words, so your brother must have had them somewhere.The instructions are clear about storing these words as a backup and protecting from unauthorized access.
Go find the piece of paper that your brother probably still has. Do not ever give these words to anyone, do not take any photos of them, do not put them on electronic devices, or enter these words anywhere. They are supposed to stay secret, and they are on paper to prevent a hacker from getting them.
If you can find the 24 words, report back.
If not - you probably screwed, though keep the device and store and safety and some company might be able to recover the funds now or in the future if they can use any methods to hack into it. Do not attempt to use the last attempt if you are not 100% certain it will work, because the device WILL ERASE the secret and no amount of hacking will ever recover it.
This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.