Passphrase. Cracking your own hidden wallet. Information and cooperation

Ok, users. I’ve faced this problem and so you did.
I’ve done some research and I’m gonna provide you with something that I figured out.

First one: if you can’t see some of your balances, first - you have to look for configuration feature in Trezor Suite that enables Hidden wallet option with empty string - this means you type nothing and just press Enter-button. This will activate default hidden wallet. Done. If you see your balances again - you are a happy fellow.

Now, information for people who were unlucky enough to type a passphrase with no additional thought, forgot the pass, mistyped, wrong copy pasted, lost.
If it’s not a technical issue, but only fools mistake - answer from support that you will get will sound like this:

  1. We are really sorry for the situation you put yourself into.
  2. The only way how to access your hidden wallet is to enter exactly the same input as you used when generated hidden wallet in the first place
  3. I am sorry to learn about your issue with forgotten password. Please note the passphrase brings an ultimate protection to your wallet. It is always necessary to read and learn about features you are about to use. It’s same with everything, not only with crypto. Please note we don’t have and we don’t keep any information about anyone’s seed or passphrase. This is what cryptocurrency is about. You are your own bank and you are fully responsible for your keys and funds. If you lose it there is nobody who can recover it for you. The only chance for you is to brute force the passphrase. Please note the passphrase is not stored in your device so there is really no possible way to recover it using a firmware.

So, at first it seems everything is f***ked up.
BUT… read this Article written by SatoshiLabs in 2019.
Then try to figure out: was your passphrase really strong enough? If not - that might be the chance.

Here is the support answer to make an article a solution:

The article you refer to is rather a theoretical demonstration of how strong the passphrase is. The technical instructions on how to proceed with brute forcing your passphrase are far beyond our support. You need to do your own research on how to proceed with such action if you are willing to do that.

Lastly, even if we had such information we couldn’t simply instruct our users on how to breach security features.

So, what do you think? The solution that most of people will come to: to hire a professional themselves and accept the risks.
But what I think is that the solution has to be found centralized, everyone will be involved and have their interest in “know-how”. Instructions have to be set, and a person even with little computer skills will be able to perform a way-out for the locked crypto on their hidden wallets. This will be a lesson of double-triple checks and way to figure out: is your password that strong by doing cracking on your own. Also, this lesson can be helpful in future, dark dark future…)

So, the GPU mentioned in an article was Nvidia Tesla V100, I suggest with one core. Today we can view next generation monstrous Nvidia Tesla A100 GPU. And AWS can give you 8 cores for 32.77$ per hour on demand.

Things I can’t do myself: to configure properly AWS, wallet(cause it will double check, so probably it will involve uploading it with modified firmware) and crack it.

So, first, this topic is informative, second is to agitate and put attention to the issue, third - to find a person capable and crypto-community oriented to make a crack possible and present it to the community.

Also, if this person reads this: please, suggest adding your Patreon and wallet address.

Also, note that you better withdraw funds that were left on your device with hidden wallet to another one before performing anything like mentioned here. And that you better make a hardware clone with your seeds for your existing hidden wallet for the moment if you ever get an access to it.

6 Likes

If you are facing the passphrase issue, suggest adding “Like”.
If you have any information regarding brute-forcing Trezor wallet, please, make a reply.
If you also need help and technical instructions on managing cracking process add “+” in reply.

Topic on Reddit

Medium article

2 Likes

Hi @Kindzadza,

It’s great that you share your thoughts and solution(s) with the community! Really appreciated!

first - you have to look for configuration feature in Trezor Suite that enables Hidden wallet option with empty string - this means you type nothing and just press Enter-button. This will activate default hidden wallet.

I’m not aware of such a configuration option in Trezor Suite. I use the latest version of Suite, currently v21.8.1, and as far as I know the program works like this:

  1. You can enable the use of Passphrases in Settings → Device → Security. This is a simple ON/OFF switch.
  2. You can make a new Hidden wallet, if the setting in pt. 1 is ON. The Passphrase you enter is case sensitive and space is also a valid character.
  3. Per default, at login in Trezor Suite you have a choice of selecting your Standard wallet or your Hidden wallet (if you’ve made one). You have to click on the Standard wallet choice to select it. The way to select a Hidden wallet is to fill in a Passphrase (not leave it blank). You don’t have to click on the Hidden wallet choice to select it, just fill in the Passphrase. Same when you connect your Trezor to 3rd party accounts on Internet via Trezor Connect.
    I don’t think you can select a hidden wallet at login in Trezor Suite and not enter a Passphrase.
  4. When you access your Hidden wallet later and enter your Passphrase, it must be exactly as you created it. If you mistype it, Trezor Suite will create a new Hidden wallet.

If you have found a configuration option in Suite that operates as you say, I’m very interested in seeing a screenshot - if you can provide that, please.

1 Like
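The behaviour described in the reply above (case and spaces matter, a blank passphrase is the standard wallet, a mistyped passphrase silently opens a different wallet) follows from how BIP-39 derives the seed. This is an added example, not part of the original posts and not Trezor's own code; it uses the public BIP-39 test mnemonic, and the helper names are made up for illustration.

```python
import hashlib
import unicodedata

# Public BIP-39 test mnemonic (all-zero entropy). Constructed sample input:
# it is published in the standard's test vectors and must never hold funds.
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """Derive the 64-byte BIP-39 seed.

    The passphrase is not checked against anything stored on the device:
    it is simply mixed into the PBKDF2 salt, so every possible string,
    including the empty one, yields a valid but different seed.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def wallet_fingerprints(mnemonic: str, passphrases: list[str]) -> dict[str, str]:
    """Map each passphrase to the first 8 bytes (hex) of the seed it produces."""
    return {p: bip39_seed(mnemonic, p).hex()[:16] for p in passphrases}


def distinct_wallets(mnemonic: str, passphrases: list[str]) -> int:
    """Count how many different seeds (wallets) a list of passphrases opens."""
    return len({bip39_seed(mnemonic, p) for p in passphrases})


if __name__ == "__main__":
    # "" is the standard wallet; the rest differ only by case or a space.
    samples = ["", "TREZOR", "trezor", "TREZOR ", " TREZOR"]
    for phrase, fingerprint in wallet_fingerprints(TEST_MNEMONIC, samples).items():
        print(f"{phrase!r:12} -> seed {fingerprint}...")
    print("distinct wallets:", distinct_wallets(TEST_MNEMONIC, samples))
```

Because no passphrase is ever "wrong", an unexpected empty wallet after login is the normal symptom of a typo, not of lost funds.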

@Kindzadza

The discussion whether the passphrase is strong enough is absolutely fine. However, please, do not post any urls to any recovery tools here. I’ll leave there other links if anyone is interested. Let anyone make research on their own, taking all the responsibility.

Thank you for understanding.

1 Like

All true by you, just simplified by me.

Censorship is not the right thing in the community, as long as it doesn’t harm the community.
You are in the wrong.
Dear community, the instrument moderator was trying to censor is called

BTCrecover by Stephen Rothery
It is open source so I will post the direct link on docs:
BTCRecover

But as pavel mentioned, please, before making any action - do your own research. You and only you will be responsible for the actions made.

Also, please, be aware that your operating system and Internet access is good. From the point of security. As an example: many people use separate laptops for their crypto.
Shortly: be security aware.

Kindzadza,

Please understand that this forum belongs to a private company and they make the rules for engagement in discussions here. By your defiance to refuse moderation advice you only risk further reactions from the Community team.

I also want to comment on your reply to me above. No, you didn’t write the same as I did, just simplified. Your statement about a configuration feature in Trezor Suite for enabling a Hidden wallet with an empty string, is not correct as far as I know.

No, the moderation is needed. Even more, if it’s harming community.
What I provided is the result of my research and my understanding, that moderators were silent of like partisans.

If the user did not input any passphrase (default setting), an empty string "" is used.

As for me, I was confused with “empty string” that was typed and no further explanation. And the meaning was to type nothing. I know English well, but many users don’t. Some are using online translators, some are performing “I do what I see”. Also, I may be wrong, but wiki was a little modified.
As for me, there has to be information notice on the main page if the wiki was updated.
As I remember: before new version update and Trezor Suite coming out of Beta - it was possible to create another accounts without any hidden wallet feature, am I wrong? It just so happened that this account became default hidden wallets that has to be accessed with empty string with new firmware update.

Even if it’s a private company - it makes community and ecosystem products. pine64.org is like this: they post, propose, discuss and withdraw information. Critical information has to be silenced like vulnerabilities and harming information has to be silenced.
I faced some shit during my research and lack of information, technical skills, so don’t tell me I’m doing the bad thing. From my point of view, Trezor team has to learn one or few things from their competitors as well. Also, experience with cracking wallet that belongs to a person can protect funds from unauthorized access. Weak passphrase is also some kind of vulnerability made by the person itself.
And you never know who can perform a crack and what computing power can be used against a certain user.

Also, big sized/long and complex passphrases are problematic to be typed with Trezor. And using default keyboard is not recommended. Suggest exploring CrowdSupply and Pastilda project

Hi Kindzadza,

sharing recovery tools also has its own disadvantages. From our point of view, we can only recommend it as a possibility, but users need to do their own research. If you recommend any particular tools, you are treading on very thin ice. If something goes wrong and the user’s funds are stolen or lost or whatever, it will set you back and that will certainly not be pleasant. That’s the reason why we do it the way Pavel said.

I understand your point of view, and I thank you for doing your own research and activity here on the forum, but forum rules should be respected. Anyway, let’s leave your post public and I’ll just change the disclaimer to make it more visible. As mentioned before, working with such tools can be extremely risky.

I don’t see that configuration option in Trezor Suite either.

Thanks for understanding.

Also I had recent thoughts about this method and came to conclusion that the best way will be to create new wallet with known passphrase and minimum-minimum balance and first: go with it with BTCrecover.
When you are successful, then you can go with wallet, that needs actual crack.