Mobile wallet · 12 min read

Coinomi Wallet Password Recovery

A complete walkthrough for extracting a Coinomi wallet file from Android, iOS, Windows or macOS, understanding the PBKDF2-HMAC-SHA512 + AES-256-CBC envelope, and brute-forcing forgotten spending passwords with btcrecover or hashcat.

Coinomi has been one of the longest-running multi-currency mobile wallets — first released in 2014 and supporting 1,700+ assets across 125+ blockchains. Most lockouts happen when users forget the spending password set during wallet creation. The good news: if you still have access to the device (or an old backup), the password is recoverable. The bad news: if the phone was wiped and you do not have the 24-word recovery seed, your funds are unrecoverable.

First check the obvious path: if you wrote down the 24-word seed at setup, you do not need to recover the password. Reinstall Coinomi, choose "Restore wallet", enter the seed and pick a new password. The brute-force path described below is only needed if the password is forgotten and the seed is also lost.

How Coinomi encrypts your seed

Coinomi uses a Bitcoinj-derived wallet format with custom encryption. Each wallet is a Protocol Buffer serialization of accounts, addresses and the master seed; the seed itself is then encrypted with the spending password.

# Simplified Coinomi key derivation
salt        = random(8 bytes)            # stored in wallet
iterations  = 5000 to 16384              # depending on build
key         = PBKDF2-HMAC-SHA512(password, salt, iterations, 32)
iv          = random(16 bytes)           # stored in wallet
ciphertext  = AES-256-CBC(key, iv, plaintext_seed_bytes)
wallet_file = magic | version | salt | iterations | iv | ciphertext

The low iteration count (versus, say, Bitcoin Core's 25,000+) makes Coinomi substantially more brute-forceable than desktop wallets — but only if you have the encrypted file in hand.

Where the wallet file lives

| Platform | Path |
|---|---|
| Android (rooted) | /data/data/com.coinomi.wallet/files/wallets/ |
| Android (ADB backup) | apps/com.coinomi.wallet/f/wallets/ inside the unpacked .ab |
| iOS (jailbroken) | /var/mobile/Containers/Data/Application/UUID/Documents/wallets/ |
| iOS (encrypted iTunes backup) | Use iphone-backup-extractor → AppDomain-com.coinomi.wallet |
| Windows desktop | %APPDATA%\Coinomi\wallets\ |
| macOS desktop | ~/Library/Application Support/Coinomi/wallets/ |

Pulling the file from Android without root

On unrooted Android the wallet file lives inside the protected app sandbox. The only legal way to extract it without root is an unencrypted ADB backup, which works only on Android 6 and older (Google removed this on Android 12+). For Android 7-11 you can still try.

# Enable USB debugging in Developer options first
adb backup -f coinomi.ab -noapk com.coinomi.wallet
# Confirm with NO encryption password on the phone screen

# Convert .ab to .tar (Android Backup Extractor)
java -jar abe.jar unpack coinomi.ab coinomi.tar
tar -xf coinomi.tar
# Wallet file at: apps/com.coinomi.wallet/f/wallets/<UUID>

# Modern Android (12+): backup of third-party apps is blocked.
# Last resort: pay a forensic shop to image the userdata partition,
# OR root via Magisk (data-wiping on most devices).

Brute-forcing the password

Once you have the wallet file, btcrecover is the most reliable path because it understands Coinomi's exact serialization. For pure GPU throughput you can also extract a hashcat hash.

# btcrecover — Coinomi module
python3 btcrecover.py \
    --wallet wallet-uuid.wallet \
    --wallet-type coinomi \
    --tokenlist tokens.txt \
    --typos 2 --typos-case --typos-swap --typos-repeat

# Tokenlist example for "summer2019!" style passwords
# tokens.txt:
# summer winter spring fall
# 2017 2018 2019 2020
# ! @ # $

# Hashcat path (if you can extract a 28200-format hash)
hashcat -m 28200 -a 0 coinomi.hash rockyou.txt -r OneRuleToRuleThemAll.rule

Realistic GPU throughput

| GPU | PBKDF2-HMAC-SHA512 (5k iter) | 100M candidate pool |
|---|---|---|
| RTX 4090 | ~310,000 H/s | ~5.4 min |
| RTX 3090 | ~190,000 H/s | ~8.8 min |
| RTX 3080 | ~140,000 H/s | ~12 min |
| CMP 90HX | ~110,000 H/s | ~15 min |

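
To put the tokenlist and the throughput table in proportion, the following added example (not part of btcrecover or of the original page) enumerates the guesses the sample tokens.txt produces and converts pool sizes into time at the table's rates. It assumes btcrecover's documented tokenlist semantics (at most one token per line, lines optional, any order), a 95-character printable-ASCII alphabet for the random-password case, and does not model the extra guesses added by the --typos flags; all function names are illustrative.

```python
from itertools import permutations, product

# tokens.txt from the article: one line = mutually exclusive alternatives.
TOKENLIST = "summer winter spring fall\n2017 2018 2019 2020\n! @ # $\n"

# H/s from the article's table, quoted at 5,000 PBKDF2-HMAC-SHA512 iterations.
RATES_5K = {"RTX 4090": 310_000, "RTX 3090": 190_000,
            "RTX 3080": 140_000, "CMP 90HX": 110_000}

def parse_tokenlist(text):
    """Split a tokenlist into lines of alternative tokens."""
    return [line.split() for line in text.splitlines() if line.strip()]

def candidates(lines):
    """Yield each guess: any non-empty ordered choice of lines, one token per line."""
    for k in range(1, len(lines) + 1):
        for chosen in permutations(lines, k):
            for combo in product(*chosen):
                yield "".join(combo)

def seconds_to_exhaust(pool, rate_5k, iterations=5000):
    """PBKDF2 cost is linear in the iteration count, so scale the 5k rate."""
    return pool * iterations / (5000 * rate_5k)

def random_password_pool(length, alphabet=95):
    """Keyspace of a uniformly random password (95 printable ASCII: an assumption)."""
    return alphabet ** length

def years(seconds):
    """Convert seconds to Julian years."""
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    pool = sum(1 for _ in candidates(parse_tokenlist(TOKENLIST)))
    print(f"tokenlist pool (before typo flags): {pool} guesses")
    for gpu, rate in RATES_5K.items():
        low = seconds_to_exhaust(100_000_000, rate) / 60
        high = seconds_to_exhaust(100_000_000, rate, 16384) / 60
        rnd = years(seconds_to_exhaust(random_password_pool(16), rate))
        print(f"{gpu}: 100M pool {low:.1f}-{high:.1f} min, "
              f"16-char random {rnd:.1e} years")
```

The same 100M pool takes about 3.3 times longer at 16,384 iterations than at 5,000, while a 16-character random password stays out of reach at either setting.
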
Scam warning: Do not search "Coinomi password recovery" on Telegram or YouTube. Almost every result is a scammer claiming to have a "Coinomi cracker.exe" or to need your seed phrase to "verify ownership". The only safe artifact to share is the encrypted wallet file. Read our scam taxonomy first.

Scenarios — recoverable vs not

Recoverable

  • Wallet file present, partial password memory
  • 24-word seed written down somewhere
  • Old phone backup (Google Drive ADB backup)
  • iTunes encrypted backup with known password

Not recoverable

  • Phone factory-reset, no seed
  • App uninstalled before backup
  • 16+ char random password, no fragments
  • Lost device, no cloud backup

Why the seed is the only real backup

The Coinomi spending password protects the wallet file on a single device. The 24-word BIP39 seed protects the entire HD tree across all 1,700+ supported assets, on any device, forever. Always write the seed on paper or stamped metal at setup — not in a cloud notes app.

Frequently asked questions

Where does Coinomi store the wallet file on Android?

In the protected app sandbox at /data/data/com.coinomi.wallet/files/wallets/. Without root the only extraction path is an unencrypted ADB backup (Android 6-11) or a forensic image.

What KDF does Coinomi use?

PBKDF2-HMAC-SHA512 with 5,000-16,384 iterations, then AES-256-CBC. Lower iteration count than desktop wallets, so GPU brute force is realistic.

Is there a hashcat mode for Coinomi?

Community builds support mode 28200. The first-class path is btcrecover with --wallet-type coinomi.

Can I recover Coinomi without the wallet file?

No. If both the wallet file and the 24-word seed are lost, funds are unrecoverable. Anyone claiming otherwise is lying.

I have the seed but forgot the spending password — what now?

Just reinstall Coinomi, restore from seed, set a new password. The seed is the master backup; the spending password is per-device convenience.

GPU recovery for Coinomi wallets

Pull your wallet file, list any password fragments you remember, and our farm runs the full btcrecover pipeline plus hashcat mode 28200. Pay only on success.