Topic: Electrum wallet on corrupted SSD. Seed restore not working. (Read 361 times)

Electrum seed phrases are different as explained by the link nc50lc shared above.

You can read our discussion on the previous page of this topic as to why it would still be a 1/16 chance of generating a valid BIP39 seed phrase. Yes, the last word contains 7 bits of entropy in addition to 4 bits of checksum (and so they are not independent as your correctly point out), but whatever the resulting checksum turns out to be, there will always be a 1/16 chance on average that it matches whatever the last 4 bits of the final word are.

SomberNight (Electrum dev) actually says this too in the second link nc50lc has shared above:

Yes, it's possible.
Although Electrum's "seed version system" is different from BIP39's checksum, both are using the same wordlist when generating mnemonics.
So an Electrum seed has that chance to be a valid BIP39 seed.
(electrum doesn't rely on a fixed word list to create a seed but currently uses the same word list as BIP39's)

However, if he used v4.1.3 or later versions of Electrum to create the wallet, there's no chance that it'll also be a valid BIP39 seed because they excluded such results when generating seed phrases.
https://github.com/spesmilo/electrum/pull/6001

I'm not good at combinatory math or statistics (or basically too lazy for it). My thinking was that for a 12-word mnemonic seed there's only those 4 bits left for the checksum (4 bits imply this 1/16 chance), but the last word contains both bits that influence the binary seed hash which contributes in part to the checksum bits, so it's not independant from each other (at least I only know this for a BIP39 mnemonic seed, not sure how Electrum encodes its seed details into the Electrum mnemonic seed).

I admit I haven't checked this mathematically nor by experiment, but still I'd assume (and may be totally wrong) it unlikely that, as the OP implied, an Electrum mnemonic seed would pass a BIP39 checksum test (by 1/16 chance). Just my gutt fealing, I'm not insisting on it.

There would be a 1/16 chance. So just unlikely, but not highly unlikely.

I would assume that you have a badly documented mnemonic seed phrase because some of your details just don't go well together.

Electrum itself doesn't generate a BIP39 compatible mnemonic seed phrase and I find it highly unlikely that a possibly wrong or mixed up sequence of an Electrum mnemonic seed would pass a BIP39 checksum test by chance. I have to assume you're sure about the correct sequence of your mnemonic seed words.

I.e. your mnemonic seed has very likely been created by some other BIP39 compatible wallet or mnemonic seed words generator. So, apparently your documentation for your mnemonic seed is flawed. This may also leave the possibility open that you might have used an optional mnemonic seed passphrase (which shouldn't be written down together with the mnemonic seed words for obvious reasons).

Next already mentioned issue could be some non-standard derivation path on top of all (which would have needed proper documentation, too). If you remember which wallet software generated your BIP39 mnemonic seed words then the information provided at https://walletsrecovery.org/ may help to pinpoint the likely used derivation path of your wallet.

I'm emphasizing the necessity of good and complete documentation of such important wallet restauration details (by no means a complete list: when created, for what reason, which wallet software name and version, number and order of words, optional passphrase used?, derivation path) because a lot of wallet restauration issues show some lack of it. I highly recommend to test a wallet recovery on a secure computer while the wallet is still accessible.

HD-wallet gap limit issues could also prevent the proper automatic detection of your derivation path.

if he remembers the wallets password, assuming it was encrypted then maybe that could work but then again, the ssd might be in bad shape but there's always data recovery companies willing to help out if it makes financial sense for the ssd owner. not sure how succesful those type of recovery attempts are though but if he plans on going that route, he probably shouldn't be playing around with the drive himself...

This part looks convincing, I'll settle with "average" then.
But I can't help but think that there should be a factor to consider when discarding half of the list so I'll do my research on "chance" in general.

Thank you.

---

@notphus Pardon for the going quite off-topic; that was just about the small chance of your seed phrase's "good checksum" to be false-positive.

It's not.
When we select the last word from the 2048 words, the chance to have a seed phrase which passes checksum is 1/16 on average. It seems that we both agree on this.

Now assume that we have 12 words instead of those 2048 words. The chance is still 1/16 on average. Because those 12 words have been selected randomly from the 2048 words.
The only difference is that instead of selecting each of 12 words from the 2048 words separately, first we selected 12 words from the 2048 words randomly and then selected each of the words from those 12 words.
This doesn't change the chance of having a seed phrase which passes checksum. In both cases, we selected 12 words from the 2048 words randomly.

I'm not saying the chance is always 1/16. That's 1/16 on average.
For example, any combination of following words give you a seed phrase which passes checksum.

But the chance doesn't change depending on the size of the pool of possibilities.

Let's stick with a presumed checksum of "0000". Of all the 2048 words in the BIP39 word list, 128 of them end in "0000". So 1 out of 16. Now, randomly discard half of the word list. You'll now have, on average, 64 words out of the available 1024 which end in "0000", so still a 1 in 16 chance. Do it again. 32 out of 512. Then 16 out of 256. Down to 1 out of 16. So any given word will always have 1 in 16 chance of giving a valid checksum.

It doesn't matter that you are de-scrambling 12 words, and so you only end up with 1 possibility for your final word. For any 12 word seed phrase, there can only be 16 possible different checksums. The final word must possess exactly 1 of those 16 possible checksums.

Okay, and all of those count in the 1/16 chance because it's only based from the last 4-bit, including the non "gravity" ones.
So actual chance to get a valid seed phrase when "scrambling the 12 words" will be a lot lower than 1/16 since most of those "other words" aren't in any of the 12 words to be scrambled.

The last word is influenced by every word. The first 7 bits of it are entropy, the last 4 bits of it are checksum. Changing any one of the other 11 words has a 15/16 chance to change the checksum.

Right. There would be a 1/16 chance that gravity could be the last word. There would also be a bunch of other words which would work as the last word.

It won't be an exact 1/16 chance for any given set of 12 words, no, but it will be 1/16 on average across all possible sets of 12 words.

Sure, but the first 7 bits were irrelevant to my explanation.

Well, the tricky part is while the checksum is only the last 4-bits, the last word is influenced by the last few words because each word is equals to 11-bits.
I'm thinking that while it's true that the checksum last 4-bit "0000" has 1/16 chance, some of those valid mnemonic phrase's last word can't be "gravity" because there other words that end with "0000".
That's why in that scenario where the words are scrambled, we should be computing the chance based from the number of words or at least it can't be 1/16 chance.

Note: 816 - 'gravity' is actually "01100110000".

It would still be 1/16 on average, for a 12 word seed phrase.

Consider the scenario in reverse: Rather than computing the correct checksum for the entropy we have, lets fix the checksum and vary the entropy until we find an entropy which matches that checksum. Let's say one of his words is "gravity". We use that as the last word, which gives the checksum "0000". We now vary the order of the other 11 words, giving 11! = 39,916,800 possible combinations. 1/16 of those on average would match the checksum "0000".

Whatever order you enter the 12 words in, it will generate 1 of 16 possibilities for a checksum. 1 out of those 16 possibilities will be the correct one.

---

Back to OP, the other possibility which has not yet been mentioned is the use of an additional passphrase.

True, but till they come back and give more info there is not a lot that we can do.

But to sum up what I see from the OP:

So they think they were using electrum.


So either the phrase is wrong OR they were not using electrum.

Until more info is given it seems we can't help.

-Dave

Yes, always 1/16 if we're talking about the 4-bit checksum and the entropy, it's simply because a random 4-bit can only have 2^4 combinations.

But:
In which case, we can't use the entropy to compute the chance.
And I doubt that the chance is constant for every 12 word seed phrase since the each 12-word combinations can have lower or higher chances than the others.
So it's hard to give an accurate rate, but I doubt it's still as high as 1/16 in this case.

BTW, we're not helping in solving OP's case 

I think the chance is still ¹/₁₆ on average. Because all the 12 words have been selected randomly. (Even the last word is random, because it's a function of a random number.)

If you select the last word from the 2048 words, there's 1/16 chance on average that the seed phrase passes the checksum.
There wouldn't be any difference, if you select 12 words from the 2048 words and then select each of the words from those 12 words.
Correct me if I am wrong, please.

True but isn't that 'average' only for situations when all the words are candidates for the checksum?
If the only candidates are his 12 words, then the odds should be way lower than that (depending on the words), or wont even form another combination with a valid checksum.

If you can't restore the seed: how "corrupted" is the SSD? Any chance you can still read data from it? Create a disk image first, then mount it from a different OS for instance? Maybe you can still recover the wallet.

I've read some good things about BlueWallet guessing the correct format, but I wouldn't recommend doing that on an online (hot) device.

I know it's unlikely, but it's possible that checksum is OK, even if you enter the words in the wrong order.
If you enter the 12 words in the random order, on average there's ¹/₁₆ chance that it passes checksum.

Some sort of wild guess - I don't know how helpful, but still: was it indeed Electrum for Bitcoin? Maybe there was an Electrum - based wallet for some altcoins, like Electron Cash?