Hey everyone,
A while back, like in 2011-2012, I was mining with Bitcoin-QT. Back then, I didn’t really know much about Bitcoin and ended up deleting Bitcoin-QT from my old computer to clear some space. Total bummer, right?
I’m not super tech-savvy, so I’ve been on a mission to recover this wallet for years. I did manage to back up the disk before things went south with the computer. As far as I recall, it didn’t get much use after I deleted Bitcoin-QT, and then it eventually broke down. I’ve still got the hard drive and made a copy to play around with.
Any tips or advice would be really helpful.
I’ve tried a bunch of methods to get back that wallet.dat file. I scanned the external drive with recovery tools, but it seems like the file name and its path got messed up, so I can’t track it down.
I even searched for hex code strings like 0201010420 and found tons of results. I tried converting them to WIF keys, but the unencrypted ones are all invalid. I did find one encrypted WIF wallet though.
When I checked its address, I saw activity from 2014 to 2020, with transactions totaling 2.81 BTC. But I’m pretty sure this isn’t my wallet since I should have had more in there. Could it just be a coincidence?
Trying to jog my memory, I recalled that my Bitcoin-QT wallet was encrypted. Back then, I used a few passwords across different platforms, and I still remember those. I later found out that the hex string 0201010420 doesn’t apply to my situation.
How to Recover an Old Wallet.dat File
6 replies 428 views
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#2Feb 2, 2025, 03:32 AM
With the size of a Bitcoin private key (almost 2^256), that can't be a random coincidence and you've properly restored one of the private key in that disk.
If you're certain that it's not yours, then you might have imported that private key that you got somewhere.
If you're expecting more bitcoins, those might be the other keys but each has at least one Bit flipped since it's already party overwritten or corrupted.
You could iterate one to a few bits difference of the result empty private keys;
e.g.: if your restored privKey is ...001010101 but the actual private key is ...001011101, you can try to switch each Bit of the restored prvKey to reproduce the correct prvKey.
But don't put your hopes on it since usually, the damage is a significant chunk, not just a few bits.
It's worth the try for a last resort but I can't find a tool that does that so you need a specifically written script for that.
Hello, thank you for your response. While scanning hexadecimal values, I found multiple identical hex codes. For example, there are 15 instances of the value D030123456...47 00, and I converted only one of them into a WIF code. I found many similar results. Does this seem normal?
Am I correct in understanding that, using the method you mentioned, I need to convert the hexadecimal code into a WIF code and then randomly modify the prvKey values?
Also, could entering the wrong password while scanning with Pywallet lead to a result like the one above?
gr3g.0rbitHero Member
Posts: 1025 · Reputation: 2646
#4Feb 2, 2025, 09:55 AM
Those example may not be private keys since the possibility of randomly generating multiple collisions (or even one) is near impossible.
The logical explanation is those are may be from duplicate copies of your wallet.dat file or the same private key imported to multiple wallets or other data that's normally repeated.
You need to modify the private key one or multiple Bits per iteration.
To visualize that and to do it manually, you need the "binary" format, it's not something that can be easily done manually.
Flipping each Bit (change '1' to '0', vice-versa) at a time, maybe, since that's 256 iterations per private key, but with 2 or more, you'll need to automate it.
That suggestion isn't normally used to recover corrupted data since it's basically bruteforcing your way to reproduce the correct data.
No, pywallet will still show if there are encrypted private keys to be recovered from the "recov-device".
Providing the wrong password will result with failed to decrypt private keys, it'll show you an error message saying that the provided passwords do not work.
Hello again everyone,
I wanted to give a technical update and ask some detailed questions about my progress.
I have spent weeks working on this problem, trying to recover my old encrypted wallet.dat (Bitcoin Core, 20122014 era) from a full dd disk image. I strongly suspect that the original wallet.dat file has been fragmented (split into pieces) on the disk over time. The original filename and path were lost or changed, so standard data recovery programs (like Recuva, Photorec, TestDisk, etc.) have not been able to help.
I have written and used various Python scripts to scan the disk image for wallet fragments. These scripts can recover mkey and ckey data as separate pieces, but there seems to be no existing tool or ready-made program that can actually reassemble a complete wallet.dat from these fragments. So far, I have only been able to extract mkey and ckey blobs as individual fragments, not as a complete, original file.
I wrote and used several Python scripts to scan the .dd disk image for wallet fragments. My scripts look for both mkey and ckey structures, using entropy, struct, salt, and iteration count filters to try to select only genuine blobs. The scripts report blocks with high confidence, but sometimes Im not 100% sure which results are real and which are false positives.
I can locate files or fragments that contain what appear to be valid mkey and ckey entries (sometimes with high entropy and correct struct). However, almost never in the same file or at the same offsettypically, one fragment has mkey, another has ckey. I have my password and am sure its correct. I tried creating hybrid wallet.dat files by combining mkey from one fragment and ckey from another (using PyWallet, manual methods, and so on). When I do this and try to open or dump the wallet, I usually get a checksum errorso the file is seen as a wallet, but keys cannot be used. Sometimes my script finds multiple candidate mkeys/ckeys with different offsets, and its not clear how to know which ones are valid or complete.
My main questions: If I have extracted good-looking mkey and ckey blocks (with correct entropy, struct and salt/iterations), is it theoretically possible to recover the encrypted private keys (knowing the passphrase) even if they are from different fragments? Or must they be from the exact same original wallet.dat? Are there proven methods (or real-world forum threads) where someone has matched mkey/ckey from different disk locations and successfully reconstructed a working wallet? Are there advanced scripts or workflows to help determine which mkey/ckey are actually a valid pair, or to brute-force through combinations, given many extracted fragments? Does the checksum error always mean a bad match, or can it be caused by other recovery problems?
I have tried PyWallet and also my own scripts; I know about the difference between encrypted/unencrypted keys (0201010420 prefix vs. ckey). I filtered for entropy, salt variation, iterations, and struct signatures, but sometimes blocks look right yet fail in decryption. Im not sure if my good mkey/ckey are really valid, or if theres something Im missing in their extraction or recombination.
If anyone here has successfully recovered a wallet this way, or can point to forum links or scripts for this exact mkey/ckey from disk fragments situation, it would be a huge help. Thanks for any ideas or references!
I put this up a while back.
Have a look at the last post. OFFLINE you will be able to substitute and test your information.
You can also modify it to make it more useful to you
https://bitcointalk.org/index.php?topic=5331322.0
It will be a long process good luck.
Something to OP's story doesn't add up. At the start of 2011 difficulty and network hashrate were already at a level where you couldn't really compete to mine blocks with a CPU alone. And OP speaks of an old computer...
Yes, I'm aware OP might have left out some specific details, but I'm pretty sure you couldn't mine anything with a CPU alone. GPU mining software was already a thing and later in 2011 first FPGA miners surfaced which started to smoke the GPU miners, IIRC.
I mined in spring or summer of 2011 with a modest GPU and I had to use a mining pool to pick up some breadcrumbs (ok, ok, it wasn't that bad but still took quite some days to mine a whole bitcoin).
Related topics
- Need help with an old Wallet Master Key 6
- Recovering a Bitcoin wallet and address 8
- CipherSeed: A Comprehensive Guide to Super-Secure Crypto Wallet Backups 5
- What derivation path does mm-gen wallet use? 3
- Looking for wallet software that supports custom P2SH redeem scripts? 19
- Simple Offline Wallet (key-pair) Setup on Linux Without GUI 0