Author

Topic: how I rescued my wallet.dat (Read 812 times)

newbie
Activity: 17
Merit: 0
March 18, 2021, 06:41:12 PM
#22

As for using hexfiend... you'd be better off creating a raw image of the disk and then attempting to use file recovery software to try and locate the wallet files rather than relying on finding raw bytes.

It seems that all the Armory .wallet files that I have created start with:
Code:
BA 57 41 4C 4C 45 54 00 60 FE CD 00
https://i.imgur.com/etrSjNi.png

as I understand it I can search the raw drive for that with hexfiend. Is there some advantage to a different program for this?

I have Disk Drill but am not sure it is up for the tasks...
HCP
legendary
Activity: 2086
Merit: 4361
March 18, 2021, 06:32:24 PM
#21
Armory wallet files will most definitely be encrypted, you cannot actually create Armory wallet files without a password... Also note that PyWallet will not be able to help you with Armory wallet files.

As for using hexfiend... you'd be better off creating a raw image of the disk and then attempting to use file recovery software to try and locate the wallet files rather than relying on finding raw bytes.

It seems that all the Armory .wallet files that I have created start with:
Code:
BA 57 41 4C 4C 45 54 00 60 FE CD 00

newbie
Activity: 17
Merit: 0
March 18, 2021, 05:26:46 PM
#20
I have a bunch of drives and one of them probably has some armory and/or bitcoin in deleted space. I don't know which it sadly. 

So I am running pywallet on each drive to look for bitcoin-qt wallets/keys
and then using hexfiend to search for the armory wallet/keys. I am not even sure if the Armory wallet is encrypted or not.. It is from 2018, I am pretty sure I have the password.
But I need help choosing the ideal string(s) to search for with hexfiend.
HCP
legendary
Activity: 2086
Merit: 4361
March 18, 2021, 04:42:10 PM
#19
what would be the search string for an armory wallet?
In what sense? To try and find the raw "bytes" on a harddrive? Or when using a file recovery application and filtering on file names? Huh

Not sure what the "bytes" would be... I don't even know if they have a unique byte sequence that you could search for. But the filenames are of the form: armory_xxxxxxxx_.wallet where xxxxxxxx are 8 or 9 characters that could be UPPER/lower or numbers... ie. 24thyQTeb or Xta7DzBg etc

I assume you don't have your Armory "root key" backup if you're trying to recover wallet files? Huh
newbie
Activity: 17
Merit: 0
March 18, 2021, 08:15:37 AM
#18
what would be the search string for an armory wallet?
HCP
legendary
Activity: 2086
Merit: 4361
December 10, 2020, 08:07:42 PM
#17
...but when I launch pywallet with those files I always got an error:

Code:
"ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again."

Either the "recovered" files are so badly corrupted that PyWallet cannot read them, or you are not using PyWallet correctly.

Have you tried using PyWallet with a wallet.dat file that you know is "good"? Huh ie. create a new wallet.dat and try and use PyWallet to try and dump the keys from it. Once you've confirmed that PyWallet is actually working correctly, then try again on a copy of one of the recovered files.

If you still get the "ERROR:root:Couldn't open wallet.dat/main" error, then the file is most likely corrupted (ie. a "bad" recovery). Undecided
newbie
Activity: 2
Merit: 0
December 10, 2020, 08:11:10 AM
#16
Many thanx for help and suggestions, I will try, just after RAW copy of SSD will be completed.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
December 10, 2020, 07:21:12 AM
#15
and of course bitcoin-qt can not handle those wallet files. I remember my passwords for wallet decoding. But seems messages by "pywallet" means those recovered files not valid at all? What I can do in next step to try recover those wallet files if they are not corrupted at all?

If you remember any of the addresses you used in that wallet, try searching for each of them using grep -a -C 200 -F 'Bitcoin address here' /dev/sdXN > address.txt . Replace sdXN with your SSD disk name. If any matches are found, then there is some data left to work with which you will see in the output, it's just her pysallet won't be able to use it. If no matches are found, then I'm afraid your private keys are lost.
newbie
Activity: 2
Merit: 0
December 10, 2020, 12:55:34 AM
#14
I am so sorry for writing in that old thread. But need some help or suggestions by more knowledgeable people.

Some time ago I had my first bitcoin-core wallet (in 2017-2018). Wallet files was just deleted from SSD, but few days ago with program from OP I have founded 7 wallet.dat files on this SSD, but when I launch pywallet with those files I always got an error:

Code:
"ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again."


and of course bitcoin-qt can not handle those wallet files. I remember my passwords for wallet decoding. But seems messages by "pywallet" means those recovered files not valid at all? What I can do in next step to try recover those wallet files if they are not corrupted at all?

P.S. I had a 2-3 working wallets (maybe on this SSD) at all with a low bitcoin balance on them. But at this moment those balances may become a few thousands of dollars, which is very nice for me at this time...
full member
Activity: 229
Merit: 134
December 25, 2017, 12:59:01 PM
#13
Would love to try it but I would need some detailed noob instructions.  I have a 500 gig drive that had 32 BTC on it, so you see why I would want to give it a try  Smiley. Merry Xmas to you.

Shocked Wow, that's some serious money, like half a million dollar, and even like $90k for Bitcoin Cash, if the Bitcoin was there at August 1st.

First you should turn off the PC immediately, if you are still using the harddisk. Install Windows or Linux on a new harddisk. Then add the harddisk as a second disk, from which you don't boot. You can then scan the second harddisk. If you are using Linux on your new harddisk (I used Debian Linux), you can see how the disk is labeled with the "dmesg" command (executed as root), e.g. /dev/sdc. Then you can use my program with this device name, which will create the wallet files, and then you can scan each file as described.

If you have problems, I can help you by PM, or a private room on https://hack.chat (my spoken English is not so good, better chat), and/or Teamviewer. If I'm successful, would be nice to get one of your Bitcoins, this would really motivate me Grin But any good computer professional with Linux experience could do the same for you. Just watch him/her not to steal your 32 BTC when found, so best someone on site.

For 32 BTC it could be even worth to try more advanced rescue functions, like if the wallet is fragmented, if the harddisk was very full, to try analyze the sectors and NTFS header entries in depth with a program or even manually for a few days. Also you could try first to use RStudio and a full disk scan (there is a free trial version, with which you can see if it finds anything, and you need the full version to rescue the file). If you are lucky, you don't need anything more special. As always, install it on a new harddisk and don't write anything on your old harddisk, and don't boot from your old harddisk. If you try other rescue programs, make sure they don't modify the original disk, but restore files to a new harddisk (RStudio is very professional, it does this).

Might be also a good idea to backup the full harddisk first with a program like Ghost: https://www.wikihow.com/Ghost-a-Hard-Drive If in doubt, get the help from a professional before you lose the coins forever.
full member
Activity: 217
Merit: 109
December 25, 2017, 08:05:29 AM
#12
Why didn't you just use pywallet to scan the drive from the start? Was there an advantage to using your program first?.

I don't think that pywallet can do a low-level scan of the harddisk, it expects a wallet.dat file. And Python would be very slow anyway compared to my C program.
Would love to try it but I would need some detailed noob instructions.  I have a 500 gig drive that had 32 BTC on it, so you see why I would want to give it a try  Smiley. Merry Xmas to you.
full member
Activity: 229
Merit: 134
December 24, 2017, 07:17:53 PM
#11
Why didn't you just use pywallet to scan the drive from the start? Was there an advantage to using your program first?.

I don't think that pywallet can do a low-level scan of the harddisk, it expects a wallet.dat file. And Python would be very slow anyway compared to my C program.
hero member
Activity: 840
Merit: 500
December 24, 2017, 06:29:30 PM
#10
I already cashed it out. Now I'm syncing the Bitcoin Cash wallet and then importing the private keys to this wallet again, because of course there was Bitcoin on it at August 1st this year. Current exchange rate is 0.2 BTC for one Bitcoin Cash. Probably I will convert it on Poloniex and hold it as Bitcoin then.
congratulation found back your coin , there are easy to get your bitcoin cash , you just need to

put your privkey to blockchian.info wallet and then you can use it .
hero member
Activity: 1442
Merit: 629
Vires in Numeris
December 24, 2017, 06:23:11 PM
#9
I already cashed it out. Now I'm syncing the Bitcoin Cash wallet and then importing the private keys to this wallet again, because of course there was Bitcoin on it at August 1st this year. Current exchange rate is 0.2 BTC for one Bitcoin Cash. Probably I will convert it on Poloniex and hold it as Bitcoin then.
And also don't forget about Bitcoin Gold and about the recent 'noname' forks too Smiley
I have no experience with Bitcoin Gold yet, but be really careful there were problems with their desktop wallet install, so if you want to mess with it, take care about your existing coins.
I have just found this topic, the brain wallet donation was a nice idea, but you should have taken into account that this is holiday season, so there were a few members only to grab those coins from that brainwallet. As I see it took more than a day for someone to find your topic and to find the hidden treasure  Smiley
full member
Activity: 217
Merit: 109
December 24, 2017, 06:19:15 PM
#8
Why didn't you just use pywallet to scan the drive from the start? Was there an advantage to using your program first?.
full member
Activity: 229
Merit: 134
December 24, 2017, 05:48:57 PM
#7
I already cashed it out. Now I'm syncing the Bitcoin Cash wallet and then importing the private keys to this wallet again, because of course there was Bitcoin on it at August 1st this year. Current exchange rate is 0.2 BTC for one Bitcoin Cash. Probably I will convert it on Poloniex and hold it as Bitcoin then.
hero member
Activity: 1484
Merit: 535
December 24, 2017, 05:33:55 PM
#6
Congratz mate,  you seriously have an incredible luck that no one is able to have everyday! Specially on Christmas.

Congratulations for you, i guess that this has probably be one of the most beautiful christmas gift that you could receive right? like $26,000 just for doing nothing...

I hope that something like this is just going to happen to me.. only that i have never mined before and i have never stored before, because i have been trading with all the funds that i have on my wallet right now.

Are you going to hold them all or are you going to cash them out?

BTW, I guess I'm drunk, but I'm so happy that I found my Bitcoins, try the last chant line from my posting as a brainwallet in https://www.bitaddress.org for a surprise Wink
full member
Activity: 229
Merit: 134
December 24, 2017, 05:29:38 PM
#5
BTW, I would have expected that the 0.05 BTC I donated to the brainwallet (with the Bitcoin address 1AF6eZBqwP4cStwJtfSPDTtqsjd6PXMFNA) would have claimed by now. Maybe read my second post in this thread again Grin Note: in case someone already imported the private key, you should really transfer it to another address, before someone else does this.
full member
Activity: 140
Merit: 100
Mining Maganda paba?
December 24, 2017, 04:33:19 AM
#4
Two years ago I formatted my harddisk and installed Windows 10 on it. Before this I did a backup, but unfortunately the backup was broken. So I lost my wallet.dat, with a few Bitcoins in it. I could restore some files with RStudio, and I had older backups for the rest, but seemed to be that the latest wallet.dat was already overwritten, and I frequently add new addresses. So I gave up, not a big deal, maybe $200 lost. But I didn't use the harddisk and bought a new one.

Fast forward to December 2017: Now a few Bitcoins is some serious money, so I decided to give it another try. I tried any option I could find in RStudio, checking the dozens of filesystems it reported after scanning it for hours (only a few where valid from previous installations), but I couldn't restore it. Ok, this needed some more work.

My assumption was, that the file headers were broken, so I wrote a small C program myself, which scanned the whole harddisk for the wallet.dat signature (testing for the first 16 bytes). The filesystem was NTFS, which has 4k sector sizes and a file starts always at sector start, if I understand it correctly, which makes things easier. Also usually if there is enough space, contiguous sectors are used to save a file. My hope was that somewhere I could find old version of the wallet.dat, but not too old that the new keys were missing.

This is the very simple and straightforward scan program I hacked together:

Code:
#include 
#include
#include
#include

uint8_t buf[4096];
char filename[1000];

uint8_t search[] = {
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x31, 0x05, 0x00
};

int main(int argc, char** argv)
{
    uint64_t pos = 0;
    FILE* f = fopen("/dev/sdd", "rb");
    FILE* w = NULL;
    int walletNumber = 0;
    int walletIndex = 0;
    uint64_t max = 1000000000000ULL;
    while (1) {
        int c = fread(buf, 1, 4096, f);
        if (c != 4096) break;
        if (!w) {
            if (memcmp(search, buf, 16) == 0) {
                sprintf(filename, "wallet%i.dat", walletNumber++);
                walletIndex = 0;
                w = fopen(filename, "wb");
                printf("found: %" PRIu64 "\n", pos);
            }
        }
        if (w) {
            fwrite(buf, 1, 4096, w);
            walletIndex++;
            if (walletIndex == 256) {
                fclose(w);
                w = NULL;
            }
        }
        pos += 4096;
    }
    fclose(f);
    return 0;
}

I used it on Linux as my host system and the old harddisk was visible as /dev/sdd (you can see this with dmesg). I compiled it with "gcc -O3 scan.cpp -o scan" and started it with "sudo ./scan", and a few hours later (it was a 1 TB harddisk) I got a wallet0.dat to wallet9.dat, each 1 MB in size (it doesn't matter if there is crap after the wallet data). This was a nice start Grin

Then I tried to copy it to a wallet.dat of a current Bitcoin installation, but most of the time it said the wallet was corrupt, once it even crashed at start and when it said it could salvage some information, no keys were in it.

My rescue was https://github.com/joric/pywallet This program could decode all files and output it in JSON format. It needs the wallet.dat in a bitcoin-qt installation in the .bitcoin directory. I knew one of my old addresses, so I wrote a script which did test all files (actual key changed) :

Code:
for i in $( ls wallet*.dat ); do
    echo item: $i
    cp $i .bitcoin/wallet.dat
    ./pywallet.py --dumpwallet --datadir=.bitcoin | grep -i 12QDRXssT63Pv5KTGBN2kyAvfLW3s7jxBs
done

The output looked like this:

Code:
item: wallet0.dat
item: wallet10.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet11.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet1.dat
WARNING:root:encrypted wallet, specify password to decrypt
item: wallet2.dat
item: wallet3.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet4.dat
Traceback (most recent call last):
  File "./pywallet.py", line 1706, in
    main()
  File "./pywallet.py", line 1683, in main
    read_wallet(json_db, db_env, True, True, "")
  File "./pywallet.py", line 1556, in read_wallet
    parse_wallet(db, item_callback)
  File "./pywallet.py", line 1287, in parse_wallet
    for (key, value) in db.items():
bsddb.db.DBPageNotFoundError: (-30986, 'BDB0075 DB_PAGE_NOTFOUND: Requested page not found')
item: wallet5.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet6.dat
WARNING:root:encrypted wallet, specify password to decrypt
            "addr": "12QDRXssT63Pv5KTGBN2kyAvfLW3s7jxBs",
item: wallet7.dat
WARNING:root:encrypted wallet, specify password to decrypt
item: wallet8.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet9.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.

So the address was in wallet6.dat, success! I then used "/pywallet.py --dumpwallet --datadir=.bitcoin --password=mysecrectpassword > keys.txt" and I got all my keys back. In the bitcoin client I could import it with importprivkey (don't forget the "false" parameter as the last parameter, to avoid rescanning after each import, if you import multiple keys) and after the final rescan, I got my Bitcoins back. One day work for like 2 Bitcoins, which I already sold, that's a nice hourly rate Cool

Maybe this will help some other people as well. In case you rescue a lot of Bitcoins, I would really love it if you would send me some to 1HagWYdLaFRbXwUfzbuWzcDc4WzmsRGqg7.

Marilyn wishes you a merry Christmas, a merry Christmas, And a happy New Year!
That was a roller coaster of a ride  Shocked, you were very lucky and that was a great christmas present for you. If only I could have found old wallet dats I mined, but of course I am a late adopter in terms of you all. I would love to one day say that I made a great decision to invest in bitcoin, again great job to you and I am glad you found the very thing that has made you happy this year! Merry Christmas!
legendary
Activity: 2338
Merit: 1047
December 24, 2017, 04:21:11 AM
#3
Grats for your recover Smiley, merry christmas and happy new year, I bet your thing will help a lot of people.
full member
Activity: 229
Merit: 134
December 23, 2017, 02:30:33 PM
#2
BTW, I guess I'm drunk, but I'm so happy that I found my Bitcoins, try the last chant line from my posting as a brainwallet in https://www.bitaddress.org for a surprise Wink
full member
Activity: 229
Merit: 134
December 23, 2017, 02:28:23 PM
#1
Two years ago I formatted my harddisk and installed Windows 10 on it. Before this I did a backup, but unfortunately the backup was broken. So I lost my wallet.dat, with a few Bitcoins in it. I could restore some files with RStudio, and I had older backups for the rest, but seemed to be that the latest wallet.dat was already overwritten, and I frequently add new addresses. So I gave up, not a big deal, maybe $200 lost. But I didn't use the harddisk and bought a new one.

Fast forward to December 2017: Now a few Bitcoins is some serious money, so I decided to give it another try. I tried any option I could find in RStudio, checking the dozens of filesystems it reported after scanning it for hours (only a few where valid from previous installations), but I couldn't restore it. Ok, this needed some more work.

My assumption was, that the file headers were broken, so I wrote a small C program myself, which scanned the whole harddisk for the wallet.dat signature (testing for the first 16 bytes). The filesystem was NTFS, which has 4k sector sizes and a file starts always at sector start, if I understand it correctly, which makes things easier. Also usually if there is enough space, contiguous sectors are used to save a file. My hope was that somewhere I could find old version of the wallet.dat, but not too old that the new keys were missing.

This is the very simple and straightforward scan program I hacked together:

Code:
#include 
#include
#include
#include

uint8_t buf[4096];
char filename[1000];

uint8_t search[] = {
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x62, 0x31, 0x05, 0x00
};

int main(int argc, char** argv)
{
    uint64_t pos = 0;
    FILE* f = fopen("/dev/sdd", "rb");
    FILE* w = NULL;
    int walletNumber = 0;
    int walletIndex = 0;
    uint64_t max = 1000000000000ULL;
    while (1) {
        int c = fread(buf, 1, 4096, f);
        if (c != 4096) break;
        if (!w) {
            if (memcmp(search, buf, 16) == 0) {
                sprintf(filename, "wallet%i.dat", walletNumber++);
                walletIndex = 0;
                w = fopen(filename, "wb");
                printf("found: %" PRIu64 "\n", pos);
            }
        }
        if (w) {
            fwrite(buf, 1, 4096, w);
            walletIndex++;
            if (walletIndex == 256) {
                fclose(w);
                w = NULL;
            }
        }
        pos += 4096;
    }
    fclose(f);
    return 0;
}

I used it on Linux as my host system and the old harddisk was visible as /dev/sdd (you can see this with dmesg). I compiled it with "gcc -O3 scan.cpp -o scan" and started it with "sudo ./scan", and a few hours later (it was a 1 TB harddisk) I got a wallet0.dat to wallet9.dat, each 1 MB in size (it doesn't matter if there is crap after the wallet data). This was a nice start Grin

Then I tried to copy it to a wallet.dat of a current Bitcoin installation, but most of the time it said the wallet was corrupt, once it even crashed at start and when it said it could salvage some information, no keys were in it.

My rescue was https://github.com/joric/pywallet This program could decode all files and output it in JSON format. It needs the wallet.dat in a bitcoin-qt installation in the .bitcoin directory. I knew one of my old addresses, so I wrote a script which did test all files (actual key changed) :

Code:
for i in $( ls wallet*.dat ); do
    echo item: $i
    cp $i .bitcoin/wallet.dat
    ./pywallet.py --dumpwallet --datadir=.bitcoin | grep -i 12QDRXssT63Pv5KTGBN2kyAvfLW3s7jxBs
done

The output looked like this:

Code:
item: wallet0.dat
item: wallet10.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet11.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet1.dat
WARNING:root:encrypted wallet, specify password to decrypt
item: wallet2.dat
item: wallet3.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet4.dat
Traceback (most recent call last):
  File "./pywallet.py", line 1706, in
    main()
  File "./pywallet.py", line 1683, in main
    read_wallet(json_db, db_env, True, True, "")
  File "./pywallet.py", line 1556, in read_wallet
    parse_wallet(db, item_callback)
  File "./pywallet.py", line 1287, in parse_wallet
    for (key, value) in db.items():
bsddb.db.DBPageNotFoundError: (-30986, 'BDB0075 DB_PAGE_NOTFOUND: Requested page not found')
item: wallet5.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet6.dat
WARNING:root:encrypted wallet, specify password to decrypt
            "addr": "12QDRXssT63Pv5KTGBN2kyAvfLW3s7jxBs",
item: wallet7.dat
WARNING:root:encrypted wallet, specify password to decrypt
item: wallet8.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.
item: wallet9.dat
ERROR:root:Couldn't open wallet.dat/main. Try quitting Bitcoin and running this again.

So the address was in wallet6.dat, success! I then used "/pywallet.py --dumpwallet --datadir=.bitcoin --password=mysecrectpassword > keys.txt" and I got all my keys back. In the bitcoin client I could import it with importprivkey (don't forget the "false" parameter as the last parameter, to avoid rescanning after each import, if you import multiple keys) and after the final rescan, I got my Bitcoins back. One day work for like 2 Bitcoins, which I already sold, that's a nice hourly rate Cool

Maybe this will help some other people as well. In case you rescue a lot of Bitcoins, I would really love it if you would send me some to 1ieKggPzp2DfroFBNie4ib77kHKNbJMkw.

Marilyn wishes you a merry Christmas, a merry Christmas, And a happy New Year!
Jump to: