
Topic: Feature suggestion. JavaScript offline recovery tool (Read 235 times)

legendary
Activity: 2870
Merit: 7490
So you can't even use it offline since it downloads some dependencies? People shouldn't use this tool.

That's not what I meant. All the dependencies' code is contained in this same file, but because of this, it's easier for someone to sneak in a backdoor in one of these lines of code since nobody likes to study dependency code.

I get it now. However, the term "load" is more accurate since I assumed the HTML page downloads the external dependency.
legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
If you want other tools to check Electrum mnemonics feel free to check out my project called FinderOuter. It is a recovery tool but in most recovery options when you enter an input (like mnemonic or WIF) that is not missing anything FinderOuter will automatically validate it and report if it is a valid input or not.
The current version (v0.11.0) will fully check mnemonics against the given word-list and their checksum based on selected mnemonic and Electrum mnemonic type. I'll also add the extra step to check against the given child key in the next release (v0.12.0).
HCP
legendary
Activity: 2086
Merit: 4363
If I understood correctly, both releases are based on the same Ian Coleman tool. The difference between them is that MrFlay's version performs a checksum calculation, yours doesn't. Anything else?
That is indeed correct... mine was basically identical to Ian Coleman's with the checksum stuff effectively commented out (or forced to return "true")... and the BIP39 passphrase changed from "passphrase" to "electrum".

The FarCanary version was slightly more robust and actually implemented the Electrum checksum code.


Has anyone used the Electrum Seed Tester by MrFlay and checked its code that it doesn't do something it's not supposed to?
I had originally given it a "relatively thorough" check and couldn't see anything out of the ordinary... but it certainly wasn't a line by line check, so I wouldn't stake my life savings on it.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
So you can't even use it offline since it downloads some dependencies? People shouldn't use this tool.

That's not what I meant. All the dependencies' code is contained in this same file, but because of this, it's easier for someone to sneak in a backdoor in one of these lines of code since nobody likes to study dependency code.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Has anyone used the Electrum Seed Tester by MrFlay and checked its code that it doesn't do something it's not supposed to?

I made a quick check using the GitHub compare feature at https://github.com/iancoleman/bip39/compare/master...FarCanary:master. At a glance, I didn't see anything which could steal your seed phrase. However, MrFlay made a new file (ElectrumSeedTester-standalone.html) with 109,370 lines.

I doubt anyone would bother to read 109K lines, so it'd be easier to inspect network activity when using this tool.

It appears that they used a tool that packs all the JS dependencies in the same file because no one can paste this many dependencies manually, which makes using it more dangerous - and slow, because browsers cannot download 3.92MB webpages quickly without frustrated users leaving - because when the dependencies are inline like this, it's easier for someone to sneak in a vulnerability in one of the dependencies instead of the main routines themselves.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Does it have to be a Javascript tool, or can it be an offline app made with a cross-platform GUI framework like Qt?

In my opinion, it would be much safer because Javascript libraries have complicated dependencies which makes it harder to spot vulnerabilities in one of them.
legendary
Activity: 2730
Merit: 7065
If I understood correctly, both releases are based on the same Ian Coleman tool. The difference between them is that MrFlay's version performs a checksum calculation, yours doesn't. Anything else?

Has anyone used the Electrum Seed Tester by MrFlay and checked its code that it doesn't do something it's not supposed to?
HCP
legendary
Activity: 2086
Merit: 4363
There is already one... (two in actual fact):

Best one: https://github.com/FarCanary/ElectrumSeedTester
- basically a port of Ian Coleman's tool that will also check the seed validity. Refer: https://bitcointalksearch.org/topic/electrum-seed-tester-5121443


and my hack version: https://github.com/HardCorePawn/electrumBIP39
(NOTE: does not do checksum validation)
legendary
Activity: 2730
Merit: 7065
I had tried it in the past and you can actually recover legacy addresses generated by electrum in Iancoleman.
I bookmarked HCPs post because it might come in handy sometimes. Thanks for suggesting it!

Why does this method only work with legacy addresses, and can't a similar modification be made for native segwit addresses as well?
Is there a different tool that could be used for native segwit addresses?
legendary
Activity: 3668
Merit: 6382
To do that you have to download the source code and make a bunch of modifications.

I think that it may not be difficult to make a branch from IanColeman source code, add these modifications and maybe a few cosmetic ones and post the link.
Of course, it requires some time and it's not certain that those in need will know where to look for this.

I think though that OP's request is a pretty good idea. I would have liked to have at hand such a tool in the years before I've bought a HW.
legendary
Activity: 3472
Merit: 10611
~
Keep in mind that this only works if you were using the default English words with no passphrase (extension words) and obviously it assumes your Electrum specific checksum is correct.

I also wouldn't trust anything written in JavaScript, they are too hard to verify for lack of bugs or maliciousness and their dependencies can easily be changed to a malicious or buggy one. If you use Electrum itself for anything you want to do it is the safest option since it uses a solid cryptography library (same as bitcoin core) that has the least chance of having any kind of bugs that could lead to your funds being lost.
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
I had tried it in the past and you can actually recover legacy addresses generated by electrum in Iancoleman. To do that you have to download the source code and make a bunch of modifications.

Open src/js/jsbip39.js and search for:
Code:
self.check = function(mnemonic)

In that function, change this:
Code:
return h == nh;

To this:
Code:
return true;

(It should now skip the checksum's validity)


Now search for:
Code:
self.toSeed = function(mnemonic, passphrase)

And replace where you find this:
Code:
passphrase = "mnemonic" + passphrase;

With this:
Code:
passphrase = "electrum" + passphrase;

You should now be able to import an electrum seed by choosing BIP32. Don't thank me, but HCP.
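
What the two edits in the post above amount to, together with the Electrum version check that the `return true` edit leaves out, as an added example for Node.js (not code from this thread or from any of the tools it mentions). The function names, the simplified text normalization and the constructed sample phrase are assumptions of this example.

```javascript
const crypto = require("crypto");

// Simplified normalization (assumption of this example): NFKD, lowercase,
// collapsed whitespace. Electrum additionally strips accents and CJK spacing.
function normalize(text) {
  return text.normalize("NFKD").toLowerCase().trim().split(/\s+/).join(" ");
}

// Electrum's seed version check: HMAC-SHA512 keyed with "Seed version";
// the hex prefix of the digest identifies the seed type.
function electrumSeedType(mnemonic) {
  const h = crypto.createHmac("sha512", "Seed version")
    .update(normalize(mnemonic), "utf8").digest("hex");
  if (h.startsWith("01")) return "standard";   // legacy (P2PKH) wallets
  if (h.startsWith("100")) return "segwit";    // native segwit wallets
  if (h.startsWith("101")) return "2fa";
  if (h.startsWith("102")) return "2fa_segwit";
  return null;                                 // not a valid Electrum seed
}

// PBKDF2-HMAC-SHA512, 2048 rounds, 64 bytes. Only the salt prefix differs:
// "mnemonic" for BIP39, "electrum" for Electrum (the second edit in the post).
// Passphrase handling here is NFKD only, a simplification.
function toSeed(mnemonic, passphrase, saltPrefix) {
  const salt = saltPrefix + (passphrase || "").normalize("NFKD");
  return crypto.pbkdf2Sync(normalize(mnemonic), salt, 2048, 64, "sha512")
    .toString("hex");
}

// Constructed sample input: not a wallet phrase, and its words are not taken
// from any word list. A counter is appended until the version check passes.
function constructedPhrase(wantType) {
  for (let i = 0; i < 1e6; i++) {
    const phrase = `constructed sample phrase ${i}`;
    if (electrumSeedType(phrase) === wantType) return phrase;
  }
  throw new Error("no sample phrase found");
}

function compare(mnemonic) {
  return {
    type: electrumSeedType(mnemonic),
    electrumSeed: toSeed(mnemonic, "", "electrum"),
    bip39Seed: toSeed(mnemonic, "", "mnemonic"),
  };
}

console.log(compare(constructedPhrase("standard")));
```

With the check forced to `true`, a mistyped phrase still produces a seed and addresses without any error, so running a check like `electrumSeedType` first is what tells a typo apart from an empty wallet.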
staff
Activity: 3500
Merit: 6152
There are none and I don't think that the developers would invest time creating one when there are no other wallets that use Electrum's seed system.

What is it exactly that you're trying to achieve? If you just need the private keys, why don't you simply restore the seed in your Electrum since it already allows exporting the PKs.
newbie
Activity: 1
Merit: 2
Dear Friends

I use offline recovery tools for BIP39 mnemonic. The most famous of them is iancoleman.io

https://iancoleman.io/bip39/  (the offline version is available on Github)
other tools
https://kimbatt.github.io/btc-address-generator/?page=mnemonic-seed
https://bitaps.com/mnemonic


I would like to use a similar tool for Electrum seed. Dear developers, please...

Thank you