I was holding a large amount of Cardano in Daedalus for a few years. When Yoroi came out, I decided to switch to it in mid 2019 so I can start staking. I saved the 15 word phrase and spending password, moved all my funds from the Daedalus wallet to Yoroi, and forgot about it.
Fast forward to today. Both my stored 15 word phrase and spending password appear to be incorrect. I’m not entirely sure what happened but somewhere things got messed up. Ugh. Lots of things I could have done in hindsight to prevent this, but…ugh.
What I do have is an open Yoroi wallet on my laptop that shows my correct balance. I’ve gone into Chrome’s dev tools and backed up the encrypted private key from IndexedDB.
I don’t have many options, and I’ve resigned myself to the fact that those Cardano are lost to me. But before shedding my last tears, I wanted to try the following:
Brute-forcing combinations based on my old passwords. Is there any easy way to do this? Is there a small command-line tool for testing whether a password was correctly guessed for a key? Or is there a situation of plausible deniability where any password I enter will be valid, but for the wrong account?
Import the non-spendable Yoroi wallet to another laptop. The old laptop is…well…old, and I would like to at least be able to keep the wallet open in another machine, even if I can’t transfer it. I see a way to import Daedalus master keys, but is there a way to be able to import a raw encrypted key from Yoroi? Can this functionality be added?
Did u moved the funds from byron to shelley? Do u remember?
I think in 2019 it was byron era… so u need to go in yoroi - add wallet (byron era) - restore wallet and insert the 15 seed words
Do u see any transactions in transaction history?
To speed up the verification process u can restore both 12 and 15 seed words on adalite.io
Not entirely sure if I moved from Byron to Shelley. My wallet that’s loaded into Yoroi says “Byron - Standard Wallet”.
And again, as I mentioned in my first post, I have lost both the 15 seed word and the spending password. What I did manage to get from the open Yoroi wallet is the encrypted master key for the wallet (via Chrome dev tools).
So unfortunately, my only choice is to brute-force combinations of my commonly used passwords hoping that one of them gives.
I have a 15 word phrase stored from when I moved from Daedalus to Yoroi. However, when I input it, it loads an empty wallet with a different hash (the XXXX-XXXX formatted characters next to the wallet name).
I have the correct wallet opened on my old laptop so I can see it has the right balance and a different wallet hash from the one the 15 words open. Unfortunately, I can’t spend it and move the funds because the spending password is also incorrect.
Yes the Yoroi wallet with the correct balance shows the ADA having been transferred in 2019 from Daedalus to it. And I’m sure if I send more it’ll show up in the transactions as well.
I basically have no choice but to bruteforce the spending password. Just not sure if there’s an easy way to do it (e.g. a command line tool).
For anyone looking for a solution, I wrote a simple program in Rust to test a password against the encrypted key. While I’m still searching through passwords, I hope this helps someone in my situation to quickly try out some known password combinations to retrieve their spending password.
To retrieve your encrypted master key from an open wallet:
Open the Yoroi chrome extensions.
Open Chrome Developer Tools
Click the “Application” tab
Now on the left pane, go to IndexedDB → yoroi-schema → Key
For every open wallet, there should be two values on the right. You can tell the encrypted key by clicking one of them, expanding the value key, and seeing if isEncrypted is true. If true, copy the Hash field. That is your master key encrypted with your spending password.
To test passwords against it, here is a simple Rust program I wrote. It’s based on the procedure outlined at this link.
Here is the main.rs file. You need to replace the key variable with your encrypted master key, and the password variable with a password guess.
use cryptoxide::{chacha20poly1305::ChaCha20Poly1305, hmac::Hmac, pbkdf2::pbkdf2, sha2::Sha512};
use hex;
mod params {
pub const ITER: u32 = 19_162;
pub const SALT_SIZE: usize = 32;
pub const NONCE_SIZE: usize = 12;
pub const KEY_SIZE: usize = 32;
pub const TAG_SIZE: usize = 16;
pub const METADATA_SIZE: usize = SALT_SIZE + NONCE_SIZE + TAG_SIZE;
pub const SALT_START: usize = 0;
pub const SALT_END: usize = SALT_START + SALT_SIZE;
pub const NONCE_START: usize = SALT_END;
pub const NONCE_END: usize = NONCE_START + NONCE_SIZE;
pub const TAG_START: usize = NONCE_END;
pub const TAG_END: usize = TAG_START + TAG_SIZE;
pub const ENCRYPTED_START: usize = TAG_END;
}
pub fn password_decrypt(password: &str, encrypted_data: &[u8]) -> bool {
if encrypted_data.len() <= params::METADATA_SIZE {
return false;
}
let password = password.as_bytes();
let salt = &encrypted_data[params::SALT_START..params::SALT_END];
let nonce = &encrypted_data[params::NONCE_START..params::NONCE_END];
let tag = &encrypted_data[params::TAG_START..params::TAG_END];
let encrypted = &encrypted_data[params::ENCRYPTED_START..];
let mut mac = Hmac::new(Sha512::new(), &password);
let mut key = [0u8; params::KEY_SIZE];
pbkdf2(&mut mac, &salt[..], params::ITER, &mut key);
let mut decrypted: Vec<u8> = std::iter::repeat(0).take(encrypted.len()).collect();
ChaCha20Poly1305::new(&key, &nonce, &[]).decrypt(&encrypted, &mut decrypted, &tag)
}
fn main() {
let key = "XXXXX YOUR KEY HERE XXX";
let decoded = hex::decode(key).expect("Decoding failed");
let password = String::from("somerandompasswordhere");
let ret = password_decrypt(&password, &decoded);
if ret {
println!("Password is correct");
} else {
println!("Password is incorrect");
}
}
Here is the Cargo.toml file:
[package]
name = "decrypt"
version = "0.1.0"
edition = "2018"
[dependencies]
cryptoxide = "0.1.1"
hex = "0.4.3"
hi mate has this has this process managed to help you decrypt your password in the end? I have got stuck on the rust program part still trying to figure it out but would be amazing to know if this actually works
I’m still running through combinations of known passwords that I typically use. It might take a while though and it’s not guaranteed that I used a known password at the time. On the other hand, if I used a random password, then the chances are pretty slim; that may be intractable to bruteforce.
So yeah, if you can come up with some password ideas, you could extend the program to try them all out quickly.
Hey, you can use btcrecover to generate the passwords if you are confident that they have a certain pattern to them. I had lost my seed phrase and had also forgotten the spending password. It was the most depressing weekend i’d had in a while. But in the end, the tool worked and i recovered my spending password, moved my funds to a new wallet and had a good night’s sleep.
Their documentation has everything you’ll need, and for (free) support, you can use youtube’s comment section. And if you are absolutely stuck, they provide paid support as well. https://btcrecover.readthedocs.io/en/latest/
