Recently I was lucky enough to get my hands on a BitBox 1 hardware wallet. As a wallet recovery service provider, the biggest dream I have is to recover funds from a hardware wallet. However, recovering a BitBox 1 hardware wallet is not an easy task!

Full of excitement, I went to meet the client. After looking at the client’s situation, the challenge turned out to be bigger than I thought. The client had neither the password nor knowledge of any Bitcoin address from the wallet! Within one hour we recovered access to one of his old (now wallets. Unfortunately, this wallet did not show any transactions that linked to the BitBox 1 hardware wallet. The password we found, however, gave us additional clues about the password for the BitBox 1.

We had a couple of good coffees. The client discussed all hints that he had on the “password” and he handed me his wallet SD backup. It was one year later when the Bitcoin bear market hit that I finally had sufficient time to solve this challenging case. As one can expect, Shift Crypto, the company that designed the BitBox 1, did not take security lightly. Recovering the Bitcoin from this wallet turned out to be a test of my perseverance. But guess what, I succeeded in the end!

BitBox 1 Hardware Wallet

Implementing virtual BitBox 1 in Python

When I looked up the encryption of the BitBox 1, I found that the BitBox 1 uses PBKDF2 hashing and key stretching for its encryption. PBKDF2 is resistant to dictionary and rainbow table attacks, but computationally relatively weak. Easy enough I thought, oh boy, I was wrong.

After contacting Shift Crypto, it quickly became clear that everything on the BitBox 1 was customized. They sent me a link to their BitBox 1 restore-from-backup tool. Although this tool allows a user to try to recover a wallet using a seed backup and password, it is incredibly slow and requires manual input. In order to recover the wallet, we needed a lightning-fast implementation to brute force parts of the password. I started to read up on their JavaScript code and wrote a much faster implementation in Python. After multiple rounds of optimization, it turned out my implementation was around 1,000-10,000 times faster than the JavaScript recovery code. The BitBox 1 uses a BIP39 mnemonic with a BIP38 password with 2048 rounds of PBKDF2 hashing. However, their key derivation included another 20480 rounds of PBKDF2 hashing and a custom salt to protect against rainbow table attacks. That is a total of 41943040 rounds of PBKDF2!
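To make the cost of this key stretching concrete, the following added example (not the recovery code described in this post and not Shift Crypto's code) chains the two PBKDF2 stages and converts the measured time per password candidate into the time needed to cover a candidate space. Assumptions: HMAC-SHA512 for the extra 20480 rounds, a placeholder salt (the real custom salt is not given here), and the stretched key being handed to BIP39 hex-encoded.

```python
import hashlib
import time
import unicodedata

STRETCH_ROUNDS = 20480   # extra PBKDF2 rounds named in the post
BIP39_ROUNDS = 2048      # standard BIP39 mnemonic-to-seed rounds
# Assumption: placeholder only, the device's real custom salt is not in the post.
PLACEHOLDER_SALT = b"<device-salt-placeholder>"


def stretch_password(password: str, salt: bytes = PLACEHOLDER_SALT) -> bytes:
    """Stage 1: device-specific stretching (HMAC-SHA512 is an assumption)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, STRETCH_ROUNDS)


def bip39_seed(mnemonic: str, passphrase: str) -> bytes:
    """Stage 2: standard BIP39 seed, PBKDF2-HMAC-SHA512 with salt 'mnemonic'+passphrase."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, BIP39_ROUNDS)


def derive_seed(mnemonic: str, password: str) -> bytes:
    # Assumption: the stretched key is passed on hex-encoded as the BIP39 passphrase.
    return bip39_seed(mnemonic, stretch_password(password).hex())


def seconds_per_guess(mnemonic: str, samples: int = 5) -> float:
    """Average wall-clock cost of one full two-stage derivation on this machine."""
    start = time.perf_counter()
    for i in range(samples):
        derive_seed(mnemonic, f"constructed-guess-{i}")
    return (time.perf_counter() - start) / samples


def days_to_exhaust(candidates: int, secs_per_guess: float, workers: int = 1) -> float:
    """Days needed to try every candidate, before any address derivation or lookup."""
    return candidates * secs_per_guess / workers / 86400.0


if __name__ == "__main__":
    mnemonic = "abandon " * 11 + "about"  # constructed: public BIP39 test mnemonic
    cost = seconds_per_guess(mnemonic)
    print(f"{cost * 1000:.1f} ms per candidate on one core")
    for space in (10**4, 10**6, 10**9):
        print(f"{space:>13,} candidates: {days_to_exhaust(space, cost, workers=8):,.2f} days on 8 cores")
```

The figures cover only the two PBKDF2 stages; deriving and checking addresses for each candidate adds further work per guess.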

Since the customer did not know the address or the derivation type of the wallet, I had to virtually implement wallet key derivation for BIP44, BIP49 and BIP84 wallets. That had to be all, right? It could not get much harder than that? Oops, wrong again.

It turned out that BitBox 1 wallets also had a custom legacy hidden wallet feature that involved swapping the order of bytes in their key derivation, adding yet another derivation type for me to implement. Without knowing the address, this meant that for each password, I had to generate four types of virtual wallets and their addresses and check whether each address exists on the Bitcoin blockchain.

One month of work later, with 3 billion addresses checked using my highly optimized and parallelized custom BitBox 1 implementation, I finally had a hit! The customer could not believe it when I contacted him after 1 year but was grateful, nonetheless. This hardware wallet recovery adventure taught me that a) it is incredibly hard to recover funds from a hardware wallet, b) Shift Crypto has awesome customer support and c) bear markets are great for solving complex cases. Shift Crypto support helped their customer get his funds back by sharing information on their elaborate security and by sending me a free BitBox 1. I hope I never have to recover a BitBox 2, because oh boy, that wallet is even more secure and challenging to recover than the BitBox 1. I might, however, get my own BitBox 2 to store my Bitcoin, since I love open source hardware wallets and I know from first-hand experience that Shift Crypto takes both security and customer support very seriously.