// check for validity of curve point in case of public data not performed
int hdnode_deserialize(const char *str, HDNode *node)
{
uint8_t node_data[78];
memset(node, 0, sizeof(HDNode));
if (!base58_decode_check(str, node_data, sizeof(node_data))) {
return -1;
}
uint32_t version = read_be(node_data);
if (version == 0x0488B21E) { // public node
memcpy(node->public_key, node_data + 45, 33);
} else if (version == 0x0488ADE4) { // private node
if (node_data[45]) { // invalid data
return -2;
}
memcpy(node->private_key, node_data + 46, 32);
hdnode_fill_public_key(node);
} else {
return -3; // invalid version
}
node->depth = node_data[4];
node->fingerprint = read_be(node_data + 5);
node->child_num = read_be(node_data + 9);
memcpy(node->chain_code, node_data + 13, 32);
return 0;
}
void hdnode_from_xprv(uint8_t version_byte, uint32_t version, uint32_t depth, uint32_t fingerprint, uint32_t child_num, uint8_t *chain_code, uint8_t *private_key, HDNode *out)
{
out->version = version;
out->depth = depth;
out->fingerprint = fingerprint;
out->child_num = child_num;
memcpy(out->chain_code, chain_code, 32);
memcpy(out->private_key, private_key, 32);
hdnode_fill_public_key(out);
out->version_byte = version_byte;
hdnode_fill_address(out);
}
void hdnode_from_seed(uint8_t version_byte, uint32_t version, uint8_t *seed, int seed_len, HDNode *out)
{
uint8_t I[32 + 32];
out->version = version;
out->depth = 0;
out->fingerprint = 0x00000000;
out->child_num = 0;
hmac_sha512((uint8_t *)"Bitcoin seed", 12, seed, seed_len, I);
memcpy(out->chain_code, I + 32, 32);
memcpy(out->private_key, I, 32);
hdnode_fill_public_key(out);
out->version_byte = version_byte;
hdnode_fill_address(out);
}
int hdnode_from_xprv(uint32_t depth, uint32_t fingerprint, uint32_t child_num, const uint8_t *chain_code, const uint8_t *private_key, HDNode *out)
{
bignum256 a;
bn_read_be(private_key, &a);
if (bn_is_zero(&a) || !bn_is_less(&a, &order256k1)) { // == 0 or >= order
return 0;
}
out->depth = depth;
out->fingerprint = fingerprint;
out->child_num = child_num;
memcpy(out->chain_code, chain_code, 32);
memcpy(out->private_key, private_key, 32);
hdnode_fill_public_key(out);
return 1;
}
serializedAsymmetricKey TrezorCrypto::PrivateToPublic(
const proto::AsymmetricKey& key) const
{
std::shared_ptr<HDNode> node = SerializedToHDNode(key);
hdnode_fill_public_key(node.get());
// This will cause the next function to serialize as public
OTPassword::zeroMemory(node->private_key, sizeof(node->private_key));
serializedAsymmetricKey publicVersion = HDNodeToSerialized(
*node,
TrezorCrypto::DERIVE_PUBLIC);
publicVersion->set_role(key.role());
return publicVersion;
}
int hdnode_private_ckd(HDNode *inout, uint32_t i)
{
uint8_t data[1 + 32 + 4];
uint8_t I[32 + 32];
uint8_t fingerprint[32];
bignum256 a, b;
if (i & 0x80000000) { // private derivation
data[0] = 0;
memcpy(data + 1, inout->private_key, 32);
} else { // public derivation
memcpy(data, inout->public_key, 33);
}
write_be(data + 33, i);
sha256_Raw(inout->public_key, 33, fingerprint);
ripemd160(fingerprint, 32, fingerprint);
inout->fingerprint = (fingerprint[0] << 24) + (fingerprint[1] << 16) + (fingerprint[2] << 8) + fingerprint[3];
bn_read_be(inout->private_key, &a);
hmac_sha512(inout->chain_code, 32, data, sizeof(data), I);
memcpy(inout->chain_code, I + 32, 32);
memcpy(inout->private_key, I, 32);
bn_read_be(inout->private_key, &b);
if (!bn_is_less(&b, &order256k1)) { // >= order
return 0;
}
bn_addmod(&a, &b, &order256k1);
if (bn_is_zero(&a)) {
return 0;
}
inout->depth++;
inout->child_num = i;
bn_write_be(&a, inout->private_key);
hdnode_fill_public_key(inout);
return 1;
}
int hdnode_from_seed(const uint8_t *seed, int seed_len, HDNode *out)
{
uint8_t I[32 + 32];
memset(out, 0, sizeof(HDNode));
out->depth = 0;
out->fingerprint = 0x00000000;
out->child_num = 0;
hmac_sha512((uint8_t *)"Bitcoin seed", 12, seed, seed_len, I);
memcpy(out->private_key, I, 32);
bignum256 a;
bn_read_be(out->private_key, &a);
if (bn_is_zero(&a) || !bn_is_less(&a, &order256k1)) { // == 0 or >= order
return 0;
}
memcpy(out->chain_code, I + 32, 32);
hdnode_fill_public_key(out);
return 1;
}
/*
* verify_exchange_address - verify address specified in exchange contract belongs to device.
*
* INPUT
* coin - the CoinType
* address_n_count - depth of node
* address_n - pointer to node path
* address_str - string representation of address
* address_str_len - address length
* root - root hd node
*
* OUTPUT
* true/false - success/failure
*/
static bool verify_exchange_address(const CoinType *coin, size_t address_n_count,
uint32_t *address_n, char *address_str, size_t address_str_len,
const HDNode *root, bool is_token)
{
static CONFIDENTIAL HDNode node;
memcpy(&node, root, sizeof(HDNode));
if (hdnode_private_ckd_cached(&node, address_n, address_n_count, NULL) == 0) {
memzero(&node, sizeof(node));
return false;
}
if (isEthereumLike(coin->coin_name) || is_token) {
char tx_out_address[sizeof(((ExchangeAddress *)NULL)->address)];
EthereumAddress_address_t ethereum_addr;
ethereum_addr.size = 20;
if (hdnode_get_ethereum_pubkeyhash(&node, ethereum_addr.bytes) == 0) {
memzero(&node, sizeof(node));
return false;
}
data2hex((char *)ethereum_addr.bytes, 20, tx_out_address);
return addresses_same(tx_out_address, sizeof(tx_out_address),
address_str, address_str_len, true);
}
const curve_info *curve = get_curve_by_name(coin->curve_name);
if (!curve) {
memzero(&node, sizeof(node));
return false;
}
char tx_out_address[36];
hdnode_fill_public_key(&node);
ecdsa_get_address(node.public_key, coin->address_type, curve->hasher_pubkey,
curve->hasher_base58, tx_out_address,
sizeof(tx_out_address));
memzero(&node, sizeof(node));
return strncmp(tx_out_address, address_str, sizeof(tx_out_address)) == 0;
}
int main(int argc, char **argv) {
if (argc != 2 && argc != 3) {
fprintf(stderr, "Usage: bip39bruteforce address [mnemonic]\n");
return 1;
}
const char *address = argv[1];
const char *mnemonic, *item;
if (argc == 3) {
mnemonic = argv[2];
item = "passphrase";
} else {
mnemonic = NULL;
item = "mnemonic";
}
if (mnemonic && !mnemonic_check(mnemonic)) {
fprintf(stderr, "\"%s\" is not a valid mnemonic\n", mnemonic);
return 2;
}
if (!ecdsa_address_decode(address, 0, secp256k1_info.hasher_base58, addr)) {
fprintf(stderr, "\"%s\" is not a valid address\n", address);
return 3;
}
printf("Reading %ss from stdin ...\n", item);
start = clock();
for (;;) {
if (fgets(iter, 256, stdin) == NULL) break;
int len = strlen(iter);
if (len <= 0) {
continue;
}
count++;
iter[len - 1] = 0;
if (mnemonic) {
mnemonic_to_seed(mnemonic, iter, seed, NULL);
} else {
mnemonic_to_seed(iter, "", seed, NULL);
}
hdnode_from_seed(seed, 512 / 8, SECP256K1_NAME, &node);
hdnode_private_ckd_prime(&node, 44);
hdnode_private_ckd_prime(&node, 0);
hdnode_private_ckd_prime(&node, 0);
hdnode_private_ckd(&node, 0);
hdnode_private_ckd(&node, 0);
hdnode_fill_public_key(&node);
ecdsa_get_pubkeyhash(node.public_key, secp256k1_info.hasher_pubkey,
pubkeyhash);
if (memcmp(addr + 1, pubkeyhash, 20) == 0) {
found = 1;
break;
}
}
float dur = (float)(clock() - start) / CLOCKS_PER_SEC;
printf("Tried %d %ss in %f seconds = %f tries/second\n", count, item, dur,
(float)count / dur);
if (found) {
printf("Correct %s found! :-)\n\"%s\"\n", item, iter);
return 0;
}
printf("Correct %s not found. :-(\n", item);
return 4;
}