Create wallet with custom seed list from bip 39 words

I have a list of seed words I auto generated for the electrum wallet. I would like to use 24 words from that list to create a new wallet on my Trezor device, all the words are a part of the bip39 standard. I tried “recovering” the wallet on my new Trezor One, all the words showed up as it had me pick them.

However, after I had entered all 24 words I got the error “invalid seed”.

I don’t understand how any combination of 24 words from the bip39 standard that the device recognizes could be an invalid seed. Is there a way to get around this error so I can create the wallet I want?

Electrum has its own seed standard that uses the same wordlist as BIP-39 but does not have a compatible checksum. You would need to tell Electrum to generate a BIP-39 mnemonic (off the top of my head, I’m not sure if the option is in there, I recall Electrum devs being opposed to the BIP-39 standard).

With that said, for the love of all that is holy, don’t do this!

Either you’re trying to import an old hot wallet into Trezor, which completely defeats the purpose of the cold wallet. Your mnemonic seed could have been exposed any number of times in the past, and could be grabbed from your computer at any moment, even from a backup.

Or you distrust the seed generator on Trezor and instead choose to trust a random generator on your PC, which, I honestly have no idea why you would think it’s any better. (plus again you risk exposure). If that’s the way you want to go, please at least look up dice-rolling your seed.

(of course there’s no need to do that in the first place because Trezor does the seed generation Right™)

1 Like

I wanted to do that because I took great pains to create a very secure air gapped version of my electrum wallet, and spent a lot of time making secure backups of the seed. If I start generating new seeds I’ll have to go through all that work again, and we’re talking days maybe a week or more worth of work.

I am getting pretty frustrated with Trezor.

  • Ledger has the potential for another front end bug and the ability to extract the seed that way
  • Trezor is not a physically secure device, at least not until Trezor 3, and they failed to mention that so now I have a bunch of worthless hardware devices.
  • Electrum doesn’t have a physical device so setting up an air gapped system is really painful.

It sounds like the answer to my original question is that there is no way to use even a portion of my original seed phrase since I have no way of creating a sequence that would pass the check-sum without compromising the seed phrase.

Which means I have no choice but to start over on all the backup work. I think I’ll end up just waiting at this point for the hardware wallet industry to mature a bit further. Electrum is right, BIP-39 isn’t as secure as I would prefer (especially now that I know the list of words isn’t even totally random), Trezor wasn’t secure at all until very recently; and they are all very painful to use.

It’s not supposed to be “secure”. BIP-39 has no security parameters, it’s just a scheme to convert a binary blob into a human-manageable string.
That’s like saying your username is not secure.

I’m assuming you mean the checksum at the end? (If you mean the wordlist itself, that is obviously not random, it was curated by humans.)
A BIP-39 mnemonic phrase has 128 to 256 bits of entropy. The fact that there is a checksum appended to the end does not matter – you might pick 12 random words and add the text of the Czech national anthem at the end, and it would not make the initial 12 words have any less entropy.

If “skilled hacker steals my device” is part of your threat model, you should take a lot of additional precautions:

  • Always use a passphrase, which can’t be hacked out of the device. Passphrase is a first-class feature of Trezor devices and Trezor Suite, and fully mitigates the flaw that you mention.
  • Add anti-tamper measures so that your Trezor can’t be replaced by a fake.
  • Preferably, set up a multisig wallet with a trusted and/or contractually bound other party in a different location, preferably in a different state or country.

This is a flat out lie.

It’s the last word that is not random, so a 24 word seed phrase would really be 23 words plus the check sum. Since the last word has to be on the list, and has to be able to be a checksum for the prior 23 words, that seems like it would significantly reduce the combination of words available on an already very finite list of words. This might come down to something like the difference between a 50 character password and a 100 character where both are very secure; just feels limiting, which is Electrum’s argument as well I believe.

Seems like this should be a part of everyone’s security model. Adding a passphrase is very cumbersome for most users (but thanks for mentioning it, I missed that when I first read about this issue). The documentation indicates that this gets combined with the seed; does this mean it generates a new seed from the combination making the seed no longer compatible with other wallets, or does it simply encrypt the seed?

So my next question would be, is this standard and impossible to fix across all hardware wallets? I don’t recall seeing any such issue with Ledger, although being closed source could be a part of the reason why.

The hack without the passphrase has been pretty well documented it seems, even by Ledger; makes sense as they are a competitor.
www.weirdo.rocks/blog/has-trezor-been-hacked

And the documentation feels like it indicates compatibility with other wallets is broken when the passphrase is used.

It seems like the addition of the secure element in the Safe 3 model solves the need for the passphrase issue. If it doesn’t, then what was the point of adding it? If it does, then I feel like my prior statement on security stands (at least when used without a passphrase, which is going to be most people by default).

I had to break all the links in this post as it would not let me include them in full.

Each word comes out of a list of 2048 words, or 2^11 combinations, so each word encodes 11 bits of information.
So 24 words encode 24 * 11 = 264 bits.
Out of that, 256 bits are entropy and the remaining 8 are checksum.
(That’s a good thing, by the way. This allows you to detect that you wrote down something wrong, as opposed to just not telling you and opening a new empty wallet.)

Teeechnically you could want all 264 for entropy, but

more like 10000-character vs 10001-character.

Quite the opposite, actually. It seems that Electrum’s seeds have a chance to be longer in order to include a stronger checksum. See more here: Electrum Seed Version System — Electrum 3.3 documentation

Neither. To understand what the passphrase does, we need to dive a bit deeper into the details.
BIP-39 prescribes a way to:

  1. generate 128 to 256 random bits
  2. add a checksum, such that the total number of bits is a multiple of 11 (4 bits for 128-bit entropy for a total of 132, or 8 bits for 256-bit entropy for a total of 264)
  3. encode the resulting bit string as words from a wordlist
  4. one-way hash the resulting words into a so-called Master Secret for BIP-32 derivation. The passphrase is an additional parameter of this one-way conversion (specifically it’s a salt for the PBKDF2 function).

No new seed is generated, and nothing is encrypted.
The changed thing is the Master Secret. And because your wallet addresses and keys depend on this Master Secret (which in turn depends on both your seed and the passphrase), you get a whole new set of accounts from the same seed.

The passphrase is a part of the BIP-39 specification. All major HW wallets support this standard.

This is a frequently reported confusion.
I wonder, which part exactly makes you think that the compatibility will be broken? We might want to improve this document if we identify a problem.

The Secure Element and the passphrase feature serve two different threat models:

  • the Secure Element protects the device against physical hacks
  • the passphrase protects your seed – or, more precisely, protects your accounts in case your seed is compromised.

As such, the passphrase is the stronger of the two. Even if your seed backup is stolen from you, it is useless to an attacker without the passphrase.

Still, the Secure Element has its roles: it makes it more difficult to execute targeted attacks against you, and it allows you to check the authenticity of the device.

For most people, “getting burgled by a skilled hacker” is somewhere near the bottom of the threat list. Skilled hackers don’t go around pickpocketing people for Trezors – and pickpockets are more likely to pawn off a Trezor than to try to hack it.
The practical threat is malware, and all Trezors are perfectly fine as a defence against malware and remote hacks.
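An added example, not part of the original posts: the checksum and passphrase steps described above, worked on word indices (0 to 2047) because the 2048-word list is not embedded here. The function names are illustrative; the sample sentence is the public BIP-39 all-zero-entropy test mnemonic.

```python
import hashlib
import unicodedata

def entropy_to_indices(entropy):
    """Steps 1-3: append the checksum and split into 11-bit word indices."""
    cs = len(entropy) * 8 // 32            # 4 bits for 128-bit, 8 for 256-bit
    digest = hashlib.sha256(entropy).digest()
    bits = (int.from_bytes(entropy, "big") << cs) | (digest[0] >> (8 - cs))
    n = (len(entropy) * 8 + cs) // 11
    return [(bits >> (11 * (n - 1 - i))) & 0x7FF for i in range(n)]

def is_valid(indices):
    """Recompute the checksum the way a device does during recovery."""
    if len(indices) not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False
    cs = len(indices) * 11 // 33
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> cs).to_bytes((len(indices) * 11 - cs) // 8, "big")
    return entropy_to_indices(entropy) == list(indices)

def valid_last_words(prefix):
    """All final-word indices that complete `prefix` into a valid mnemonic."""
    return [w for w in range(2048) if is_valid(list(prefix) + [w])]

def to_seed(sentence, passphrase=""):
    """Step 4: PBKDF2-HMAC-SHA512, salt = "mnemonic" + passphrase."""
    pw = unicodedata.normalize("NFKD", sentence).encode()
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode()
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, 64)

# Public test mnemonic for 16 zero bytes of entropy (indices 0 x 11, then 3).
VECTOR = " ".join(["abandon"] * 11 + ["about"])

if __name__ == "__main__":
    print(entropy_to_indices(bytes(16)))          # checksum lands in last word
    print(is_valid([0] * 24))                     # arbitrary 24 words: rejected
    print(len(valid_last_words([0] * 23)))        # final words that do verify
    print(to_seed(VECTOR).hex()[:16])             # no passphrase
    print(to_seed(VECTOR, "TREZOR").hex()[:16])   # same words, new master secret
```

For any 23 chosen words only 8 of the 2048 possible final words verify, which is why hand-picked 24-word phrases are usually rejected as invalid.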

Ok, looking over Trezor and Ledgers websites I think I get it. The passphrase is simply part of the seed phrase, but a part not stored on the device.

My confusion was I was always focused on the portion of the seed phrase generated by the devices, I never realized there was a second optional user generated portion. Electrum is the only wallet I knew had this feature, and its user generated portion is embedded into the seed phrase stored on the device.

Every YouTube show I’ve seen focused on the seed phrase stored on the device and kept ultra secret. No one I’ve watched has talked about the user generated portion.

So that means that if someone got a hold of the physical device, they could get the portion of the seed stored on the device itself, but not the user portion, which makes sense. In theory they could only do this by hacking the pin.

Based on the safe 3 chip documentation
trezor io/learn/a/secure-element-in-trezor-safe-3

it sounds like the purpose of the chip is to store a hash generated from the pin. The hash is then used to decrypt the portion of the seed stored on the device. So this would make pin attacks nearly impossible even if the device were physically acquired.

If I’m understanding all of this correctly now, I can see the argument that implementing the user portion of the seed is superior security, and that when used the wallet would still be secure, at least long enough to get the funds transferred somewhere else before the attacker got through.

However I also believe the difference in security between Trezor One and Trezor 3 is night and day because of this. Trezor One is 90% of the way there, but if given the choice between having a wallet that could be easily broken into by a techie if stolen (even to get most but not all of the seed), and one that would be nearly impossible to break into physically, I’ll take the second option.

Almost every modern wallet supports a 12 or 24 word seed phrase with an optional password. As said earlier above it’s a standard. This is basic software and hardware knowledge. Most wallets out there adhere to the standards otherwise the wallets would be less usable if you couldn’t import other wallets. Wallets are interchangeable and compatible with each other, but it’s good to always check before using and/or buying stuff.

Regarding importing a software wallet to a hardware wallet, doing this would really defeat the purpose of a hardware wallet, because a hardware wallet is very secure because the private keys never leave the device. It’s an extra security feature of a hardware wallet.

This is BS, but the chance of someone knowing you having crypto and stealing a device from your home (I assume it’s there) and being able to hack it would be very low. Trezor is always updating the device and it’s open source so many people including security researchers can check the code for vulnerabilities. That hardware secure element is just an extra layer of security.

Also, this has been debunked. Old Trezor device or older software. It’s also coming from the biggest competitor of Trezor who has been hacked several times too. Always read independent and neutral news and articles and never trust ads, companies who say stuff about their competitors and public relations/propaganda.

Also, Trezor responded to Ledger’s blog article, see: Our Response to Ledger’s #MITBitcoinExpo Findings | by SatoshiLabs | Trezor Blog

Is it accurate to say that the Secure Element hashes the PIN, turning it into a difficult to hack hash, in addition to providing other features resistant to physical tampering?

No.
A simplified statement would be that “Secure Element provides an additional encryption layer for the seed storage”, leaving out everything about “hashing”.

A more technical statement would be something along the lines of, a salted hash of the PIN is provided as an authorization token to the SE. If the authorization token is accepted, the SE will release an encryption key which is then used, in addition to the PIN itself, to decrypt the storage.

1 Like

Perfect, thank-you. I think this thread has significantly increased my knowledge around the security of hardware wallets.

I’m going to get the Trezor Safe 3, and start over on my security plan. Still wish I would have known all of this before purchasing the Trezor One, it would have saved a lot of headache.

2 Likes

And as always, the biggest risk to crypto holders is forgetting and losing their seed phrase also called recovery seed. Do yourself a favour and also buy a backup for your seed phrase like Trezor Keep Metal or Cryptotag Zeus.

In your threat analysis losing your seed phrase needs to be on the top. Write it down on the paper you get when buying a hardware wallet and punch it into a metal backup for extra security. Most complaints here on the forums are of people who lost their seed phrase and/or passwords. Their funds are permanently lost and there is nothing Trezor or anybody else can do for them. Without the seed phrase you’re unable to do any recovery.

Recovery is usually needed for the following:

  • Forgetting the PIN of the hardware wallet (you can still recover it with the seed phrase and password if you used one for your wallet)
  • Hardware wallet (device) is lost
  • Hardware wallet (device) is stolen
  • Hardware wallet (device) corrupted by an update (most unlikely but could happen)
  • For your offspring/heirs if they know where you store the seed phrase + password they can inherit and/or distribute your crypto among the heirs.

These are things off the top of my head. A good backup of your seed phrase and your password(s) is more important than anything else. Most people lose crypto because they lost access to it and not because a hacker or a criminal organisation targeted them. It’s also ridiculous to think anyone is going to waste a large amount of resources to try to steal your crypto unless you have millions of Euro/Dollars worth of it.