Author

Topic: Need help locating seed phrase in IOS files. (Read 245 times)

legendary
Activity: 2730
Merit: 7065
September 08, 2022, 03:55:58 AM
#9
I can't believe Coinbase still allows users to bypass the seed creation process and offers them a chance to use their wallet without needing to create and verify the correctness of their seeds. A terrible wallet!

You are unfortunately not the first one who has lost the coins with this wallet because of a failure to back up the recovery phrase. You can take a look at two other cases and see the methods that users tried there to regain access to their Coinbase wallets. It unfortunately didn't work.

Coinbase Wallet - Is my $ lost because I pressed this one button (dangerous)?
Coinbase Wallet: Re-set Face ID, recovery phrase not saved
hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
September 05, 2022, 08:51:11 AM
#8
The device probably has to be jail broken or disassembled so that a charging cable can directly copy filesystem files, as opposed to just things exposed by MTP (i.e. images, videos).
OP already mention he use Cellebrite (iOS forensic/crack tool) though. AFAIK that software automatically perform Jailbreak and everything else needed to access the files directly.
Again, you don't normally store such important data in the normal file system anyway. It is going to be in the secure enclave; which I don't think forensic tools have access to.
Especially not, if the user was 'logged out' of the application (in other words: the secure enclave entry was wiped). You can't recover what's been deleted off that chip.

I'd recommend to instead use an older backup (if existent) and try to restore that - if you secure iOS backups with a password, they use that password to encrypt and store your secure enclave secrets (as well as everything else).
If the user honestly neither did regular device backups, nor seed phrase backups, they were double as silly and reckless..
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
September 05, 2022, 02:16:30 AM
#7
Thank you! I don't know what he did exactly but it's on a hard drive and Cellebrite for me to search. I don't know what to search for? Like what format or words.

We don't know either, since Coinbase wallet is closed source (which already mentioned in detail by @Cricktor). But we know iOS has sandbox where each application has it's own folder. As first step, you could find folder used by Coinbase and make a copy of that folder.

The device probably has to be jail broken or disassembled so that a charging cable can directly copy filesystem files, as opposed to just things exposed by MTP (i.e. images, videos).
hero member
Activity: 910
Merit: 5935
not your keys, not your coins!
September 03, 2022, 07:07:03 PM
#6
Jailbreaking the phone maybe can help you access those Coinbase hidden files may be one of the data under that Coinbase hidden files is your wallet which includes private keys.
If Coinbase's dev team has any competence, they are saving the seed in the iPhone's secure enclave - and even a jailbreak can't extract data from there.
I am pretty sure a secure enclave exploit / 0-day would be worth quite a lot. It is designed in a way that only the application that saved a dataset can also access it.

Furthermore, what usually happens when you're logged out of an application is that the dataset (hashed password / other authentication method / seed - in this case) is erased from the secure enclave.
Checking if a dataset exists is actually how many coders check login status at an application's start up. So my bet is that if Coinbase 'logged you out', the seed is gone from the device altogether, as well.

You could try having someone decrypt / extract an image from an earlier iPhone backup - at a time where you still had access to the coins. Keep in mind they don't include secure enclave contents - at least if they're not encrypted, so your mileage may vary.
Actually, if you do have such an earlier, encrypted iPhone backup, just try restoring it. If your phone has been updated in the meantime and can't restore an older backup, buy an old iPhone that is still on that version and set that one up from said backup.
legendary
Activity: 3472
Merit: 3217
Playbet.io - Crypto Casino and Sportsbook
September 03, 2022, 06:53:47 PM
#5
If you don't have a seed backup anywhere on your PC/phone or paper backup then you can't able to recover them. Seed backup is very important for future wallet recovery like your case if you have the backup seed you can recover your wallet right away.

Do you have recently sync your data to iCloud? I heard that encrypted Coinbase data can be synced to iCloud it includes private keys and is encrypted with AES-256-GCM and can be only accessed with the Coinbase app. If you can find that exact data maybe you can brute-force that file to decrypt it and extract the private keys but the problem is no one knows what data you need to find exactly.

Jailbreaking the phone maybe can help you access those Coinbase hidden files may be one of the data under that Coinbase hidden files is your wallet which includes private keys.  
Why not try to jailbreak it without people's help?
I just don't trust other people to jailbreak it and know that it has a big amount of BTC in your Coinbase wallet.
There are two options for Jailbreaking IOS phones untethered and tethered if you choose untethered it's permanently jailbroken but if you choose tethered it's temporarily jailbroken so you must choose tethered because untethered can be only removed jailbroken if you restore the iPhone.
hero member
Activity: 714
Merit: 1010
Crypto Swap Exchange
September 03, 2022, 02:57:44 PM
#4
On the Coinbase Github https://github.com/coinbase I looked if there's some repo for the Coinbase wallet iOS app. Likely it's not open source, but frankly I don't know and care about Coinbase stuff at all. As the Coinbase wallet is non-custodial, the mnemonic words or the seed are the keys to your wallet. Without the source code unfortunately you can't see how the data is stored on the device and searching could render difficult.

Problem is: if you don't know how to do it yourself and don't have trustworthy people with knowledge who don't steal your wallet's funds when they manage to scrape it from your device image, your wallet could be in danger of theft. Even the forensic company could now look for something of value on the image file if you made the mistake to drop any word about a Coinbase wallet on your device that you try to gain access to.

This is why it's a terrible wallet design decission to let people skip the wallet mnemonic words backup to paper (and noobs commonly don't have a clue of the importance of those mnemonic words as the rescue and recovery anchor of the wallet). And once again, using a non-open source wallet hides important details you likely desperately need to know for what to look for in your image data.

I don't know about how iOS organizes app files and data and if by chance such sensitive wallet data is kept outside of the secure enclave or unencrypted on the device. If the Coinbase wallet app was designed properly, sensitive wallet details like the seed of the wallet shouldn't be unencrypted and the encryption key(s) should be protected by whatever iOS offers to store it as securely as possible.

But let's break it down for those who know more:
My questions are.
1. Does anyone know what I should be searching for on the phone in the files?

Your app was the non-custodial Coinbase wallet iOS app, I assume. On the Coinbase wallet website I don't see anything about source code availability. Only https://docs.cloud.coinbase.com/wallet-sdk/docs which might not be of help, but I don't know.


2. Would jailbreaking the phone be of any additional benefit being the forensics company extracted all phone data for me?

What expertise does this forensics company have that they claim to really have extracted all phone data from your device?
What kind of proof do you have that all data has been extracted from your phone?

You should only jailbreak your device if you know this would help to extract the required wallet details. You shouldn't do anything with your phone anymore as any further use could spoil further data recovery attempts. As long as you or any involved data recovery expert don't know how to get to the required wallet data, it's probably better to keep the device off any further use.


That's all I can contribute to your sad case and it's not very much, sorry.
newbie
Activity: 5
Merit: 1
September 03, 2022, 02:03:05 PM
#3
Thank you! I don't know what he did exactly but it's on a hard drive and Cellebrite for me to search. I don't know what to search for? Like what format or words. I've tried quite a few things and digging for hours in random files but I don't know what I should be looking for exactly.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
September 03, 2022, 01:45:10 PM
#2
Did the forensics company take the phone apart and scan the chip itself? Have you tried importing the disk image yet?

The disk image will have the most you can recover (unless the wallet made you do a cloud backup of the file such as to Apple ID/ICLOUD).

If you can import the image and find the exact file then that's probably your best hope. Since you used face ID to unlock it, it either won't be encrypted or the encryption key will be stored on your phone.



The nmemonic is normally nearly always the easiest way to recover a wallet though - also storing that amount of funds on a phone isn't considered secure.
newbie
Activity: 5
Merit: 1
September 03, 2022, 01:34:22 PM
#1
My first ever crypto wallet was coinbase wallet. At the time of creation I made the mistake of bypassing the back up seed phrase option. I used face ID for several months of logging in using this wallet. One day, my wallet randomly logged me off and requested the seed phrase to login or create a new wallet. I contacted support, they said there's nothing they can do. I'm aware this is 100% my responsibility and I'm only looking for assistance if there's any ideas or suggestions.

Current Value: $30,000 | Peak Value: $180,000

Steps I have taken so far.
1. Contacted Coinbase Support Relentlessly
2. Had my phone sent to a forensics company and had the image file extracted to a hard drive with an application that can search all files on the drive.

My questions are.
1. Does anyone know what I should be searching for on the phone in the files?
2. Would jailbreaking the phone be of any additional benefit being the forensics company extracted all phone data for me?
3. Does anyone know how to do this? Any guidance or suggestions is greatly appreciated!

Thank you in advance.

Regards
Jump to: