Exodus Wallet . Byron Era question

Short Story :

I have some ADA locked in an Exodus wallet using a 12 word phrase during the byron era.
But exodus did not use a standard derivation path back then and (I dont think they do now for Shelley either )

I have a script that can generate the addr and private key and the signing key if I am able to find out the derivation path . Exodus lists it as m/44’/1815’/0’/0/0 , but that does not seem to work. I tried the Shelley derivation path as well by subbing to m/1852’/1815’/0’/0/0

So my questions are

  1. What is the derivation path for a 12 word phrase during the byron era? (Note : neither daedalus or adalite seems to be able to get the address)
  2. Is there an easy way to convert once I receive the Byron era key … into a Shelley key ?

Any help would be appreciated.

Hey @perzimegnu

It seems you already have some technical knowledge, so your best chance is probably to reach out (or wait) for @HeptaSean .

You can simply create a new wallet and transfer your funds from your Byron wallet to a new Shelley wallet.


I have never looked into how Exodus did Byron back in the days, unfortunately.

I have found out how they do Shelley and it’s strange.

Here is my Python implementation using https://pypi.org/project/bip-utils/:

from bip_utils import (Bip39SeedGenerator,
                       Cip1852, Cip1852Coins, Bip32KeyData,
from bip_utils.cardano.bip32.cardano_byron_legacy_mst_key_generator import (

seed_phrase = ("abandon abandon abandon abandon abandon abandon "
               "abandon abandon abandon abandon abandon about")
bip39_seed_bytes = Bip39SeedGenerator(seed_phrase).Generate()
cardano_bip32_key = Bip32Slip10Secp256k1.FromSeedAndPath(bip39_seed_bytes,
cardano_bip32_private_bytes = cardano_bip32_key.PrivateKey().Raw().ToBytes()
# Used as seed bytes for legacy Byron master key derivation:
byron_private_key, _ = (
            cardano_bip32_private_bytes, 1))
# Make Cip1852 object out of it to make bip_utils happy:
cip1852 = Cip1852.FromPrivateKey(byron_private_key,
# Same key used for payment and stake key:
shelley_pair = CardanoShelley(cip1852, cip1852)
shelley_address = shelley_pair.PublicKeys().ToAddress()
print(f"Strange Derivation: {shelley_address}")
print("Exodus: addr1q9av2w6nz9tzv8rc3vfqs95av844gkcqxm0qeezvlf07p3r6c5a4xy"

So, they use the path not to derive according to BIP32-Ed25519 (https://input-output-hk.github.io/adrestia/static/Ed25519_BIP.pdf) as it is used everywhere else in Cardano, but according to BIP32-Secp256k1 as it is used in Bitcoin and friends.

Only after that they use the Byron master key derivation to derive an Ed25519 key pair using the derived private key as a seed. (And then they use that key pair for payment as well as stake part.)

That makes almost no sense. The reason for the non-hardened elements of a derivation path are that you can derive different public keys without having to know the private keys. You can forget that with this strange and non-compliant process.

It’s an abomination.

But maybe they have done something similar in Byron era. Maybe it is as simple as replacing the part after “#Make Cip1852 object” in my code by creating a Byron address from it.

If you can make sense of my code and of bip_utils you can try yourself. If not please ask, but I can’t promise a timely answer. More something like in a week or two.

I’d also need a test case (which could be a bit complicated/risky if you only have one with balance on it): What Byron address is supposed to be derived from what seed phrase? I just tried installing Exodus, but they seem to have removed Byron from the current version.

1 Like

Apologies for the delay in response , had some personal issues to resolve .
It appears they made that change in this release

Released on August 14, 2020

They do give access to the pvt keys of a token , so the easiest way would be to probably get hold of a prior release .

However I havent recieved a response from them and have been waiting for a while.
I am unable to find a github repo for the exodus wallet either.

And yes , It gets annoying when wallets do not use the standard expected derivations.