kkamagui / bitleaker

This tool can decrypt a BitLocker-locked partition with the TPM vulnerability
Other
187 stars 35 forks source link

[>>] Convert TPM-encoded blob to hex data... (Failed) #24

Open itFIX90 opened 2 months ago

itFIX90 commented 2 months ago

Hi, I've got an issue related to the script.. Unfortunately I don't have enough knowledge to understand what went wrong. The data seems to be extracting correctly but on the "Convert TPM-encoded blob to hex data..." step, I get this:

Preparing TPM data.
    [>>] Get TPM-encoded blob from dislocker... Success
    [>>] Convert TPM-encoded blob to hex data... Traceback (most recent call last):
  File "./bitleaker.py", line 534, in <module>
    prepare_tpm_data(drive_path)
  File "./bitleaker.py", line 331, in prepare_tpm_data
    hex_priv_pub, pcr_policy = extract_priv_pub_and_pcr_policy_from_raw_blob(raw_data_list)
  File "./bitleaker.py", line 315, in extract_priv_pub_and_pcr_policy_from_raw_blob
    pcr_policy = [int(hex_data[i], 16) for i in range(220, len(hex_data) - 1)]
ValueError: invalid literal for int() with base 16: ''

And all stops there. Any help is much appreciated.. I've got my laptop busted by Bitlocker. I really hope this script will allow to at least extract the data... (sorry if I'm asking something obvious. I'm a noob in Linux)

itFIX90 commented 2 months ago

So.. It appears that while the Secure Boot is disabled, the TPM chip is using wrong PCR modules, and some of them have incorrect data. But the problem now is that while on Ubuntu 18.4 I cannot enable the Secure boot, as it results in "verifying shim SBAT data failed: security policy violation error". This is (as far as I understand) because of and update to UEFI boot policies, which requires a MOK license.

I was unfortunately unable to sign the bootloader I have. So I decided to upgrade the Ubuntu version. But now I'm getting another error, right at the start.

After the notebook wakes up, on the step: "[>>] get PCR data from Bitleaker driver... Fail"

I have no Idea what went wrong now..

roboknight commented 2 months ago

Yeah, you’re going to have a bad day there. His code won’t run on the latest Ubuntu (driver needed some work. It’s been aeons, so I don’t remember the details unfortunately) I’d point you at my fork because I updated a lot of this, but it might not help. I think your first error could have been related to your TPM possibly using v1.3 standards. It makes Bitlocker send a different sized blob and this code didn’t deal with that. If you aren’t using secure boot, then the TPM vars used are 2,4,and maybe 6 and one other one. Secure boot uses only 7&11.

itFIX90 commented 1 month ago

@roboknight thank you for your reply, I was honestly not hoping to get a response, I thought this thread is most likely forgotten.

I actually have some news on the matter - I tried to reinstall the Ubuntu 18.4 as required by the instruction of bitleaker, and the problem above self resolved!

However.. I now have a new one. Now the script fails on "Checking Resource manager process" step. It appears that for some reason it cannot start.

The error reads "tcti initialization failed 0xa000a" I tried searching for ways to resolve this.. But most of the things I find (which are not many, by the way. Really. Google gives like.. 5 links for this) are not really helpful, or I simply do not understand them.

So I'm still struggling..

roboknight commented 1 month ago

This might help … The first option is likely what you want. It is possible things are trying to access TPM through resource manager but it isn’t running. Hence, my suggestion to use first option.

roboknight commented 1 month ago

Oh, didn’t pay close enough attention to your message. Which Ubuntu did you upgrade to?

itFIX90 commented 1 month ago

Oh, didn’t pay close enough attention to your message. Which Ubuntu did you upgrade to?

I think it was Ubuntu 20.04 LTS Focal Fossa I've read the instruction under the link you posted. Perhaps I should try installing the 20.4 instead of trying to upgrade, maybe it will work

itFIX90 commented 1 month ago

Welp.. I guess this is the end of my suffering. I just accidently deleted the encrypted partition while reinstalling Ubuntu, instead of creating a new one on the USB drive. Thank you for your help @roboknight

roboknight commented 1 month ago

Ouch! Sorry to hear that. Yeah, I used a thumb drive when I was doing that. Again, sorry to hear it. Not sure you could have recovered it, but now we’ll never know.