kkamagui / bitleaker

This tool can decrypt a BitLocker-locked partition with the TPM vulnerability

Output Size 10, Results: Fail! (after success to Unseal data etc.) #21

Open Repsol73 opened 9 months ago

Repsol73 commented 9 months ago

Hi There,

I wonder if you can help.

I'm trying to mount a Windows 10 partition that is currently locked by TPM. (TPM with Secure Boot ON appears to unlock the drive and try to boot the Windows partition).

Bitleaker appears to be my last hope.

When running this tool on a USB setup of Ubuntu 18.04.6 LTS (in UEFI mode) I get the below results:

```
Preparing TPM data.
    [>>] Get TPM-encoded blob from dislocker... Success
    [>>] Convert TPM-encoded blob to hex data... Success
    [>>] Create TPM2_Load data... Success
    [>>] Create TPM2_StartSession data... Success
    [>>] Create TPM2_PolicyAuthorize data... Success
    [>>] Create TPM2_PolicyPCR data... Success
    [>>] Create TPM2_Unseal data... Success

Execute TPM commands
    [>>] Execute TPM2_Load... Input file tpm2_load.bin
Initializing Local Device TCTI Interface
    [*] Input Size 247
00000000  80 02 00 00 00 f7 00 00  01 57 81 00 00 01 00 00  |.........W......|
00000010  00 09 40 00 00 09 00 00  00 00 00 00 8a 00 20 ba  |..@........... .|
00000020  75 54 35 6a 9f e1 13 d5  45 a8 c0 5a 71 05 a1 f2  |uT5j....E..Zq...|
00000030  94 54 3f 5d f2 6e de b4  b8 54 70 73 7f 42 11 00  |.T?].n...Tps.B..|
00000040  10 34 f2 6e e4 c9 f2 71  a7 c6 5a d6 c1 d5 10 5c  |.4.n...q..Z....\|
00000050  02 ef d5 11 c4 dd 4c 17  07 0b 2f ce 14 71 6e 61  |......L.../..qna|
00000060  ac 54 0a d4 22 d7 b9 42  f7 08 a0 b0 d4 f8 a3 45  |.T.."..B.......E|
00000070  8e 18 e9 e7 c8 2b 40 8e  e2 ff 2c a5 72 1b d0 b7  |.....+@...,.r...|
00000080  86 85 79 84 44 39 1d 0c  9b 3c 00 3a 16 cd f6 28  |..y.D9...<.:...(|
00000090  48 e3 5d e9 dd bf d7 2e  de 1b ed f2 a1 a1 d1 e9  |H.].............|
000000a0  48 32 3e fd 69 fb 8e 00  4e 00 08 00 0b 00 00 04  |H2>.i...N.......|
000000b0  12 00 20 50 03 70 af 37  9b 13 5f fd a0 d4 fd 9f  |.. P.p.7.._.....|
000000c0  d3 8f 1a ae 99 b4 5d ef  7f b8 65 07 53 47 ff de  |......]...e.SG..|
000000d0  18 a0 0c 00 10 00 20 53  57 d7 1a c7 40 6d 99 81  |...... SW...@m..|
000000e0  db 50 37 d5 5d de 55 9b  89 9a d6 79 4b 16 7a 9a  |.P7.].U....yK.z.|
000000f0  e6 63 d1 50 ce b6 30                              |.c.P..0|

    [*] Output Size 10, Result: Fail!
00000000  80 01 00 00 00 0a 00 00  01 8b                    |..........|
    [>>] Fail
```

Any idea what I can do to proceed please?

I currently have Secure Boot disabled in the BIOS to allow me to get to this stage.

I did notice it's showing PCR 0 at the start though?

```
    BitLeaker v1.0 for decrypting BitLocker with the TPM vulnerability
             Made by Seunghun Han, https://kkamagui.github.io
           Project link: https://github.com/kkamagui/bitleaker 

Search for BitLocker-locked partitions.
    [>>] BitLocker-locked partition is [/dev/sda4]

Loading BitLeaker kernel module... Success
Entering sleep...
    [>>] Please press any key or power button to wake up...
Waking up...
    [>>] Please press any key to continue...

Preparing PCR data.
    [>>] Get PCR data from BitLeaker driver... Success

Cut and extract essential PCR data.
    [>>] Extract PCR numbers and SHA256 hashes... Success

Replay TPM data.
    [>>] Checking the resource manager process... Success
    [>>] PCR 0 , SHA256 = 69614becb0612e90ed4f22ed22318184a3ad475b27cd17c738a2f6f6ca68194d
PCR Num 0
69614becb0612e90ed4f22ed22318184a3ad475b27cd17c738a2f6f6ca68194d
```

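
The 10-byte response in the log above can be decoded by hand. As an added example (not part of the original post and not BitLeaker's own code), this Python sketch parses the command and response headers from the two hex dumps and breaks down the response code; the constant tables are a small subset of the TPM 2.0 specification, and the function names are illustrative.

```python
import struct

# Constructed from the hex dumps in the post: the first 14 bytes of the
# TPM2_Load command (header + first handle) and the whole 10-byte response.
CMD_PREFIX = bytes.fromhex("8002 000000f7 00000157 81000001")
RESPONSE = bytes.fromhex("8001 0000000a 0000018b")

# Subset of TPM 2.0 Part 2 constants, only what this log needs.
TAGS = {0x8001: "TPM_ST_NO_SESSIONS", 0x8002: "TPM_ST_SESSIONS"}
COMMANDS = {0x157: "TPM2_Load", 0x15E: "TPM2_Unseal", 0x17F: "TPM2_PolicyPCR"}
FMT1_ERRORS = {0x04: "TPM_RC_VALUE", 0x0B: "TPM_RC_HANDLE",
               0x0E: "TPM_RC_AUTH_FAIL", 0x1D: "TPM_RC_POLICY_FAIL",
               0x1F: "TPM_RC_INTEGRITY"}


def parse_header(buf):
    """Split the 10-byte TPM 2.0 header: tag (2), total size (4), code (4)."""
    if len(buf) < 10:
        raise ValueError("a TPM 2.0 header is 10 bytes")
    return struct.unpack(">HII", buf[:10])


def decode_rc(rc):
    """Decode a response code; only format-one codes are broken down."""
    if rc == 0:
        return {"name": "TPM_RC_SUCCESS"}
    if not rc & 0x080:                  # bit 7 clear: not a format-one code
        return {"name": "non-format-one code 0x%03x" % rc}
    num = rc & 0x3F
    out = {"name": FMT1_ERRORS.get(num, "unknown 0x%02x" % num)}
    if rc & 0x040:                      # bit 6: the error is in a parameter
        out["subject"], out["index"] = "parameter", (rc >> 8) & 0xF
    elif rc & 0x800:                    # bit 11: the error is in a session
        out["subject"], out["index"] = "session", (rc >> 8) & 0x7
    else:                               # otherwise: the error is in a handle
        out["subject"], out["index"] = "handle", (rc >> 8) & 0x7
    return out


def explain(cmd_prefix, response):
    """Combine command and response headers into one diagnosis."""
    _, _, cc = parse_header(cmd_prefix)
    tag, size, rc = parse_header(response)
    info = decode_rc(rc)
    info.update(command=COMMANDS.get(cc, hex(cc)),
                tag=TAGS.get(tag, hex(tag)), size=size)
    if info.get("subject") == "handle" and info["index"] >= 1:
        # Handles follow the header, 4 bytes each; the index is 1-based.
        off = 10 + 4 * (info["index"] - 1)
        value = struct.unpack(">I", cmd_prefix[off:off + 4])[0]
        info["handle_value"] = "0x%08x" % value
    return info
```

For the bytes in the post, `explain(CMD_PREFIX, RESPONSE)` reports TPM_RC_HANDLE against handle 1 of TPM2_Load, which is the parent handle 0x81000001 in the command. The TPM rejected the command at the load step, before any PCR policy was evaluated.
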
Repsol73 commented 9 months ago

This is what I can see from the recovery partition:

```
X:\windows\system32>manage-bde c: -status
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Label Unknown]
[Data Volume]

    Size:                 Unknown GB
    BitLocker Version:    2.0
    Conversion Status:    Unknown
    Percentage Encrypted: Unknown%
    Encryption Method:    XTS-AES 256
    Protection Status:    Unknown
    Lock Status:          Locked
    Identification Field: Unknown
    Automatic Unlock:     Disabled
    Key Protectors:
        Numerical Password
        TPM
```

```
X:\windows\system32>manage-bde c: -protectors -get
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Label Unknown]
All Key Protectors

    Numerical Password:
      ID: {B9CB013B-1F6D-474-83F9-960F12D73FB1}

    TPM:
      ID: {0A02ESDA-CDOO-41A7 -ADEO-2F57C3D7FA04)
      PCR Validation Profile:
        7, 11
```

Repsol73 commented 9 months ago

Just read this:

- If UEFI Secure Boot is enabled, it uses PCR #7 and #11
- If UEFI Secure Boot is disabled, it uses PCR #0, #2, #4 and #11

Guess I need to enable Secure Boot again and figure out how to register my Ubuntu USB session with the MOK Manager?

Something I’m failing with at the moment as manual registration gives me the error that ‘Secure Boot is not enabled on this system’ and if I enable it again and try the MOK Manager shows no hash or file/cert on the USB drive :-/