If you have noted a BIP39 seed phrase, but one word is missing or unclear, it can still be recovered. One way to go about it is to use a software like BTCRecover to automatically try all 2,048 entries in the BIP39 wordlist. However, you must know one of your Bitcoin addresses for such a software to work properly. Another option is to manually enter each of the 2,048 possible seed phrases into your wallet software and check if any of them leads to your Bitcoins. While that works, it is hugely time-consuming.
Enter Bitcoin Seed Phrase Recoverer, a tool I have created to reduce the workload should you need to try each word manually into your wallet software. It works by taking advantage of the fact that the last word of a BIP39 seed phrase serves as a checksum: thus, it can be used to reduce the number of tries you have to make. Typically, my software will reduce the number of candidate words from 2,048 to about 128 for a 12-word seed phrase. Below, here’s how it fares with 15, 18, 21 and 24-word seed phrases.
| Seed words | Candidate words | Size reduction |
|---|---|---|
| 12 | ≈ 128 | 93.75 % |
| 15 | ≈ 64 | 96.88 % |
| 18 | ≈ 32 | 98.44 % |
| 21 | ≈ 16 | 99.22 % |
| 24 | ≈ 8 | 99.61 % |
In this article, I will explain in further detail how Bitcoin Seed Phrase Recoverer works. Note that while most wallet software use the BIP39 standard to generate a seed phrase, not all of them do. This article does not apply to non-BIP39 seed phrases.
How seed phrases are generated
In the first place, a binary string – that is, a series of 0s and 1s – of a certain length is randomly generated. The length depends on the number of words your seed phrase is set to contain. For instance, a 12-word seed phrase will require a binary string of 128 bits – that is, a binary string comprised of 128 characters that are either 0s or 1s. We shall call these bits entropy bits. Below, you will find how many entropy bits are needed depending on the number of seed words.
| Seed words | Number of bits |
|---|---|
| 12 | 128 |
| 15 | 160 |
| 18 | 192 |
| 21 | 224 |
| 24 | 256 |
Afterwards, the entropy bits go through a SHA-256 hash function. The first few bits of the hash output, which we shall call the checksum bits, are appended to the entropy bits. Below, you will find how many checksum bits are needed depending on the number of seed words.
| Seed words | Number of bits |
|---|---|
| 12 | 4 |
| 15 | 5 |
| 18 | 6 |
| 21 | 7 |
| 24 | 8 |
Our binary string is now comprised of entropy bits followed by checksum bits. Next, it is split into groups of 11-bit strings. Each one of them is the binary encoding of an integer between 0 and 2,047. This integer acts as the index of a word within the BIP39 wordlist (the first word having an index of 0 and the last one of 2,047 for a total of 2,048 entries). Thus, each word within a seed phrase is obtained by looking at their index in the BIP39 wordlist.
An example of a seed phrase
Say we want a wallet software to create a 12-word seed phrase. The first step is for it to randomly generate a 128-bit binary string. We will use the entropy bits below as an example of our binary string. It is split into a series of 11-bit strings, but notice that the last group only has 7 bits.
00111011000 01101100101 10011001000 01011000100 00011011001 01100011000 00010110011 01010100001 10111111001 00000010110 10101101000 1011011
The next step is to put the entropy bits through a SHA-256 hash function. The hash output below is generated. It is split into 8-bit strings for readability purposes only.
10111010 10011001 11011011 11010110 11000010 00011111 11101101 01011000 01100011 00000010 00000110 10001001 10011110 10100011 11011101 01101110 01111011 01101100 11100110 11110110 00100010 01000110 00010111 11100001 10001011 00000100 00100000 00000110 01001000 00111010 11010000 00011100
Because this is a 12-word seed phrase, we take the first 4 bits of the hash output: 1011. These are our checksum bits
and they are appended to our entropy bits. Below, here’s the resulting binary string.
00111011000 01101100101 10011001000 01011000100 00011011001 01100011000 00010110011 01010100001 10111111001 00000010110 10101101000 10110111011
We now have twelve 11-bit strings: each one represents a word. The first 11-bit string is 00111011000, which is the binary
representation of the integer 472. In the BIP39 wordlist, the 472th word is deposit. We repeat the process for each word
and we end up with something like this:
| Binary string | Index | Word |
|---|---|---|
00111011000 |
472 | deposit |
01101100101 |
869 | hole |
10011001000 |
1224 | october |
01011000100 |
708 | flat |
00011011001 |
217 | brass |
01100011000 |
792 | glide |
00010110011 |
179 | biology |
01010100001 |
673 | feature |
10111111001 |
1529 | sand |
00000010110 |
22 | actress |
10101101000 |
1384 | public |
10110111011 |
1467 | resist |
Thus, our 12-word seed phrase is:
deposit hole october flat brass glide biology feature sand actress public resist
How the checksum works
While each word was chosen randomly, the checksum make it so that not all word combinations can form a valid seed phrase. This can be useful to detect a mistake.
For instance, let’s assume that you have noted the second word as hold (01101100100) instead of hole (01101100101).
Everything else is the same. The binary string for our seed phrase now looks like the one below. The difference is minuscule,
but it is there.
00111011000 01101100100 10011001000 01011000100 00011011001 01100011000 00010110011 01010100001 10111111001 00000010110 10101101000 10110111011
When the binary string goes through the SHA-256 hash function, we obtain the hash output below.
00110101 01110100 01001001 01111011 10110100 00010100 00011110 11110011 00010001 11011101 00100110 01111001 11111101 01010010 01010111 00010100 11100110 01010101 01110111 11011111 01001111 01011010 10001001 10001100 11010011 10001100 00100001 11110101 01011000 11111101 00101100 01100000
Notice that the first 4 bits of the hash output (0011) differ from the checksum bits (1011). Thus, we know that the
seed phrase is invalid.
My service: I can help you recover your seed phrase
While this checksum mechanism is useful, it does not allow you to recover a seed phrase that is badly damaged. After all, seed phrases wouldn’t be secure if you could recover them even when half of the words are missing. In fact, if you are missing 2 to 4 words, your job is already made much harder and you may need professional help. Should that be your case, you’re in luck: I offer a service where I help people recover their seed phrase. I don’t charge any flat, hourly or upfront fee. I only charge a 15% fee on the recovered Bitcoins, and that’s if I succeed. To get in touch with me, click on the button below.