How to brute force test different/legacy derivation paths for a given SRP?

Hello - my question is potentially related to an issue I have seen in quite a few threads/reddit posts regarding Chrome crashing MM → reinstalling the extension → seeing different addresses.

Also to potential related issue: Passphrase option enabled → Chrome crashing MM → reinstalling the extension → seeing different addresses.


Trezor Model T wallet created in 2019. Passphrase enabled 2021. Wallet crash & extension reinstalled later 2021. Addresses after address #1 at derivation path m/44’/60’/0’/0 are different post this occurrence.

Assuming that the missing addresses are standard and seed is 100% correct, how can I brute force test derivation paths to find a specific address or any addresses that have funds given my SRP?

I am trying to locate missing standard addresses that I was previously able to see in Trezor Suite with the same first address that I am currently able to recover, which leads me to believe testing derivation paths could be my solution.

I know that many users simply were using the wrong seed or passphrase and changing that resolved their issues. Please refrain from commenting that, I am so far past that at this point and just looking for new things to test.

Have tried iancoleman Bip39, offline FindMyETH tool, recovering old vault files for MetaMask Vault Decryptor, etc.


Also, is it worth the effort to try older firmware versions of Trezor/Trezor Suite/MM from before my issue occurred? Or could I potentially find old Trezor Logs (?) to show that those addresses were in fact shown in Trezor Suite at an earlier date? (given I have reinstalled Trezor Suite as well).

Thank you to anyone who reads this/provides suggestions.

There isn’t really much to brute-force in your situation.

It seems to me that you claim that, before restore, you had a set of addresses AAA, BBB, CCC, DDD …

And after restore, you have a set of addresses AAA, EEE, FFF, GGG …

iow, the first address is the same, correct?

Your first address presumably lives at m/44h/60h/0h/0/0 – that is, five components (ignoring the initial m/), what you posted is a four-component prefix of the path, and the last component is incremented to get the different addresses.

You can verify this on the iancoleman site: if you select ETH - Ethereum and leave the settings on default (using the BIP44 tab in particular), you should see the correct first address in the list:

(see that the paths are five-component)


The point of all this?

If your first address is the same, then you got the right seed, right passphrase, and right schema.

That is:

  • BIP/SLIP44 like 44h purpose field
  • SLIP44 60h coin type field
  • 0h account 0 field
  • 0 address type (this should in theory be always 0 for ethereum)
  • 0 address index

The normal way to iterate here is changing the address index. This is what iancoleman site will do for you automatically: you get addresses /0, /1, /2 … etc.

If the address at /0 is the same and addresses on further indices are different, this must mean that you are iterating the wrong component.

One vaguely plausible thing to try is to iterate the account field. On iancoleman site, you can manually change account from 0 to 1, 2, 3, etc. In all cases, address 0 on account N would match address N from your original list.


Another option is that your passphrase is getting in the way:

In other words, you created the wallet in 2019, used it without passphrase.

Later, you added a passphrase.

Adding a passphrase will give you a completely different set of addresses at the same derivation paths.

So perhaps your “address #1” is standard wallet (no passphrase), but the other addresses you are looking for are passphrased.
(hard to say what you would see in metamask? i would expect that you’d get “Trezor #1”, “Trezor #2”, “Trezor #3”, but this is completely independent of the actual address indexes. “Trezor #1” could as well be “address #1 of passphrased wallet”, and “Trezor #2” could be “address #1 of standard wallet”, or maybe “address #2 of standard wallet”, or even “address #1 of different passphrased wallet”)

Then the answer would be, try different passphrases (or no passphrase) and check that the addresses that you are looking for are somewhere in your list.