Recovering a BitBox 1 hardware wallet

Recently I was lucky enough to get my hands on a BitBox 1 hardware wallet. As a wallet recovery service provider, the biggest dream I have is to recover funds from a hardware wallet. However, recovering a BitBox 1 hardware wallet is not an easy task!

Full of excitement, I went to meet the client. After looking at the client’s situation, the challenge turned out to be bigger than I thought. The client has neither the password nor the knowledge of any Bitcoin address from the wallet! Within one hour we recovered access to one of his old blockchain.info (now blockchain.com) wallets. Unfortunately, this wallet did not show any transactions that linked to the BitBox 1 hardware wallet. The password we found however gave us additional clues on password for the BitBox 1.

We had a couple of good coffees. The client discussed all hints that he had on the “password” and he handed me his wallet SD backup. It was one year later when the Bitcoin bear market hit that I finally had sufficient time to solve this challenging case. As one can expect, Shift Crypto, the company that designed the BitBox 1, did not take security lightly. Recovering the Bitcoin from this wallet turned out to be a test of my perseverance. But guess what, I succeeded in the end!

BitBox 1 Hardware Wallet

Implementing virtual BitBox 1 in Python

When I looked up the encryption of the BitBox 1, I found that the BitBox 1 uses PBKDF2 hashing and key stretching for its encryption. PBKDF2 is resistant to dictionary and rainbow table attacks, but computationally relatively weak. Easy enough I thought, oh boy, I was wrong.

After contacting Shift Crypto, it became quickly clear that everything on BitBox 1 was customized. They sent me a link to their BitBox 1 restore from backup tool. Although this tool allows a user to try and recover a wallet using a seed backup and password, it is incredibly slow and requires manual input. In order to recover the wallet, we needed a lightning fast implementation to brute force parts of the password. I start to read up on their JavaScript code and implement a much faster implementation in Python. After multiple rounds of optimization, it turned out my implementation was around 1000-10.000 times faster than the JavaScript recovery code. The BitBox 1 uses a BIP39 mnemonic with a BIP38 password with 2048 rounds of PBKDF2 hashing. However, their key-derivation included another 20480 rounds of PBKDF2 hashing and a custom Salt to protect against rainbow table attacks. That is a total of 41943040 rounds of PBKDF2!

Since the customer did not know the address or the derivation type of the wallet, I had to virtually implement wallet key derivation for BIP44, BIP49 and BIP84 wallets. That had to be all right? It could not get much harder than that? Oops, wrong again.

It turned out that BitBox 1 wallets also had a custom legacy hidden wallet feature that involved swapping the order of bytes in their key derivation, adding yet another derivation type for me to implement. Without knowing the address, this means that for each password, I had to generate four types of virtual wallets and their addresses and to check whether each address exists on the Bitcoin blockchain.

One month of work further and 3 billion addresses checked using my highly optimized and parallelized custom BitBox 1 implementation, and finally I had a hit! The customer could not believe it when I contacted him after 1 year but was grateful, nonetheless.  This hardware wallet recovery adventure thought me that a) it is incredibly hard to recover funds from a hardware wallet, b) Shift Crypto has awesome customer support and c) bear markets are great for solving complex cases. Shift Crypto support helped their customer get his funds back by sharing information on their elaborate security and by sending me a free BitBox 1. I hope I never have to recover a BitBox 2, because oh boy, that wallet is even more secure and challenging to recover than the BitBox 1. I might however get my own BitBox 2 to store my Bitcoin since I love Open Source hardware wallets and I know from first hand experience that Shift Crypto takes both security and customer support very serious.


Recovering a BitBox 1 hardware wallet

Recently I was lucky enough to get my greedy hands on a BitBox 1 hardware wallet. As wallet recovery service, the biggest dream and challenge, is to recover funds from a hardware wallet. Full of excitement I went to meet the client in a coffee shop. When I met the client, the challenge turned out to bigger than I thought. Not only did the client not have the password, but neither did the client know the address of the Bitcoin wallet! Within one hour we recovered access to one of his old blockchain.info (now blockchain.com) wallets. Unfortunately, this wallet did not show any transactions to the BitBox 1wallet. It did however give us additional clues on the possible password fragments.
We had a couple of good coffees, discussed all hints the customer had on the password, he shared his wallet SD backup, and we went our own way. It was one year later when the Bitcoin bear market hit that I had sufficient time to solve this challenging case. As one can expect, Shift Crypto, the company that designed the BitBox 1, did not take security lightly and recovering the Bitcoin from this wallet turned out to be a test of my perseverance. But guess what, I persevered in the end.

When I looked up the encryption of the BitBox 1, I saw the BitBox 1 used PBKDF2 hashing and key stretching for its encryption. PBKDF2 is resistant to dictionary attacks and rainbow table attacks but computationally relatively easy to attack. Easy enough I thought, boy was I wrong.
After contacting Shift Crypto, it quickly became clear that everything BitBox 1 was custom. They used BIP38 password protected mnemonics (BIP39) with 2048 rounds of PBKDF2 hashing and another 20480 rounds of PBKDF2 hashing for of their mnemonic with a custom salt. That is a total of 41943040 rounds of PBKDF2! And that was not all. Since the customer did not know the address or derivation type of the wallet, it meant I had to implement virtually generate wallet key derivation for BIP44, BIP49 and BIP84 wallets. That had to be all right, it could not get harder than that…
It turned out that BitBox 1 wallets also had a custom legacy hidden wallet feature that involved swapping the order of bytes in their key derivation, adding a fourth custom type of derivation to implement. And without knowing the address this means that for each ‘virtual wallet’ wI generated, I needed to check if this address exists on the entire Bitcoin blockchain.

One month of work further and 3 billion addresses checked, and finally, we had a hit! The customer could not believe it when I contacted him after 1 year but was grateful, nonetheless.  What this adventure thought me was that a) it is incredibly hard to recover funds from a hardware wallet, b) Shift Crypto has great support and c) bear markets are great for development. Shift Crypto helped their customer get his funds back by explaining their elaborate security details and sending me a free of charge BitBox 1, even when they did not have to do so. Now I just hope I never have to recover a BitBox 2, because boy, that one is way more secure than the BitBox 1 and nearly impossible to crack. I might however get a BitBox 2 to hold my own BTC, knowing how good their customer support and security is after experiencing it hands on.