kkamagui / bitleaker
This tool can decrypt a BitLocker-locked partition with the TPM vulnerability
License: Other
I am attempting to recover my personal data. I first used napper, which reports my system is vulnerable. However, when I run bitleaker, I get the following: "Get PCR data from bitleaker driver.. Fail". Does the bitleaker driver support SHA1 PCR data, and is it possible to recover my data using bitleaker?
When trying to run bootstrap, it attempts this step:
git clone https://github.com/kkamagui/bitleaker-grub.git
However, that repository doesn't seem to be published yet. Are you planning on releasing that?
Hi, I'm trying to recover my data from my Dell Latitude 5511 laptop, as I cannot recover the recovery key since I've never activated bitlocker.
I found your amazing project and I thought perhaps I have a chance to get back my data.
I ran the Napper 1.3 live CD, but after starting Napper, it seems to get stuck with no progress at "Reading PCR values of TPM and checking a vulnerability ...". I noted that there is an error; I will add a picture to let you understand my problem better.
Can you please help me?
Hi,
I checked the device with napper (and it said the device is vulnerable). I installed Ubuntu 18.04 on a USB stick and built the bitleaker tool.
When I start from the stick, it says that the UEFI event log cannot be read due to invalid parameters. On another machine, GRUB can read the event log, but the device is not vulnerable. The difference between the two devices is that the vulnerable device uses an Intel fTPM and the other a dTPM.
Does anyone have a clue where the error is? I changed nothing.
Hi. I was asking before about V1 code. I modified your code to use either the V1 or the V2 code depending on which key you press at boot time. I've been working on trying to get the script to work. I've been able to get most of the pieces, but I wanted to find out if there was a SHA1 that needed to be used for the signature? I've checked a few things (I monitored the LPC bus, and checked against the data you recovered). And I still seem to be missing something, as I get all the way to the Unseal command and it fails. I can't give you direct logs or anything now because I don't have the system available. Unfortunately, I don't have a compiler handy to compile PCRTool, which I believe would be helpful, but I can't find an executable, just source code (I can't compile on my target. No compiler). Also, it seems that there might be more things sent to the TPM than got logged. Maybe there is another way to check this Windows TPM logs?
This isn't really a bug, but there didn't seem like a better place to put this.
I was wondering if bitleaker has some kind of log for when you are attempting to boot windows to discover what the TPM messaging looks like? If so, how can I activate it? If not, do you have any ideas on how to implement one? I don't know what kind of logging grub already has available. My current quick approach would be a video camera I guess.
Any chance to fix this error (newest Ubuntu):
error: implicit declaration of function ‘ioremap_nocache’ [-Werror=implicit-function-declaration]
60 | buffer = (char*) ioremap_nocache(RESERVED_START, RESERVED_SIZE);
| ^~~~~~~~~~~~~~~
/home/karol/bitleaker/bitleaker-kernel-module/bitleaker-kernel-module.c:60:18: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
60 | buffer = (char*) ioremap_nocache(RESERVED_START, RESERVED_SIZE);
| ^
/home/karol/bitleaker/bitleaker-kernel-module/bitleaker-kernel-module.c:85:9: error: implicit declaration of function ‘iounmap’; did you mean ‘do_munmap’? [-Werror=implicit-function-declaration]
85 | iounmap(buffer);
| ^~~~~~~
| do_munmap
cc1: some warnings being treated as errors
make[2]: *** [scripts/Makefile.build:257: /home/karol/bitleaker/bitleaker-kernel-module/bitleaker-kernel-module.o] Error 1
make[1]: *** [Makefile:1850: /home/karol/bitleaker/bitleaker-kernel-module] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-5.19.0-38-generic'
make: *** [Makefile:4: all] Error 2
Finished.
Hi There,
I wonder if you can help.
I'm trying to mount a Windows 10 partition that is currently locked by TPM. (TPM with Secure Boot ON appears to unlock the drive and try to boot the Windows partition).
Bitleaker appears to be my last hope.
When running this tool on a USB setup of Ubuntu 18.04.6 LTS (in UEFI mode) I get the below results:
Preparing TPM data.
[>>] Get TPM-encoded blob from dislocker... Success
[>>] Convert TPM-encoded blob to hex data... Success
[>>] Create TPM2_Load data... Success
[>>] Create TPM2_StartSession data... Success
[>>] Create TPM2_PolicyAuthorize data... Success
[>>] Create TPM2_PolicyPCR data... Success
[>>] Create TPM2_Unseal data... Success
Execute TPM commands
[>>] Execute TPM2_Load...
Input file tpm2_load.bin
Initializing Local Device TCTI Interface
[*] Input Size 247
00000000 80 02 00 00 00 f7 00 00 01 57 81 00 00 01 00 00 |.........W......|
00000010 00 09 40 00 00 09 00 00 00 00 00 00 8a 00 20 ba |..@........... .|
00000020 75 54 35 6a 9f e1 13 d5 45 a8 c0 5a 71 05 a1 f2 |uT5j....E..Zq...|
00000030 94 54 3f 5d f2 6e de b4 b8 54 70 73 7f 42 11 00 |.T?].n...Tps.B..|
00000040 10 34 f2 6e e4 c9 f2 71 a7 c6 5a d6 c1 d5 10 5c |.4.n...q..Z....\|
00000050 02 ef d5 11 c4 dd 4c 17 07 0b 2f ce 14 71 6e 61 |......L.../..qna|
00000060 ac 54 0a d4 22 d7 b9 42 f7 08 a0 b0 d4 f8 a3 45 |.T.."..B.......E|
00000070 8e 18 e9 e7 c8 2b 40 8e e2 ff 2c a5 72 1b d0 b7 |.....+@...,.r...|
00000080 86 85 79 84 44 39 1d 0c 9b 3c 00 3a 16 cd f6 28 |..y.D9...<.:...(|
00000090 48 e3 5d e9 dd bf d7 2e de 1b ed f2 a1 a1 d1 e9 |H.].............|
000000a0 48 32 3e fd 69 fb 8e 00 4e 00 08 00 0b 00 00 04 |H2>.i...N.......|
000000b0 12 00 20 50 03 70 af 37 9b 13 5f fd a0 d4 fd 9f |.. P.p.7.._.....|
000000c0 d3 8f 1a ae 99 b4 5d ef 7f b8 65 07 53 47 ff de |......]...e.SG..|
000000d0 18 a0 0c 00 10 00 20 53 57 d7 1a c7 40 6d 99 81 |...... SW...@m..|
000000e0 db 50 37 d5 5d de 55 9b 89 9a d6 79 4b 16 7a 9a |.P7.].U....yK.z.|
000000f0 e6 63 d1 50 ce b6 30 |.c.P..0|
[*] Output Size 10, Result: Fail!
00000000 80 01 00 00 00 0a 00 00 01 8b |..........|
[>>] Fail
Any idea what I can do to proceed please?
I currently have Secure Boot disabled in the BIOS to allow me to get to this stage.
I did notice it's showing PCR 0 at the start though?
BitLeaker v1.0 for decrypting BitLocker with the TPM vulnerability
Made by Seunghun Han, https://kkamagui.github.io
Project link: https://github.com/kkamagui/bitleaker
Search for BitLocker-locked partitions.
[>>] BitLocker-locked partition is [/dev/sda4]
Loading BitLeaker kernel module... Success
Entering sleep...
[>>] Please press any key or power button to wake up...
Waking up...
[>>] Please press any key to continue...
Preparing PCR data.
[>>] Get PCR data from BitLeaker driver... Success
Cut and extract essential PCR data.
[>>] Extract PCR numbers and SHA256 hashes... Success
Replay TPM data.
[>>] Checking the resource manager process... Success
[>>] PCR 0 , SHA256 = 69614becb0612e90ed4f22ed22318184a3ad475b27cd17c738a2f6f6ca68194d
PCR Num 0 69614becb0612e90ed4f22ed22318184a3ad475b27cd17c738a2f6f6ca68194d
Great job!!!!
Maybe you are planning to release a ready bitleaker USB version (.iso) ? I want to test this on my system.
Or maybe you can give some advice how can I do it myself (how to create a bootable bitleaker USB).
Thank you!
Is it possible to integrate Bitleaker into Kali Linux ISO?
I ran ./bootstrap in Cubic, but Build BitLeaker kernel module failed:
make[1]: *** /lib/modules/5.15.0-47-generic/build: No such file or directory. Stop.
make: *** [Makefile:4: all] Error 2
"Clone BitLeaker Bootloader repository and build it" also failed
make[2]: *** [Makefile:6575: grub-core/partmap/libgrubkern_a-gpt.o] Error 1
make[1]: *** [Makefile:11506: all-recursive] Error 1
make[1]: Leaving directory '/git/bitleaker/bitleaker-grub'
make: *** [Makefile:3562: all] Error 2
./build.sh: line 9: ../grub-mkimage: No such file or directory
sudo: unable to resolve host cubic: Temporary failure in name resolution
cp: cannot stat 'grub-core/grubx64.efi': No such file or directory
To check the S3 sleep feature of the system, you need to find the "[deep]" string in /sys/power/mem_sleep, like below.
$> cat /sys/power/mem_sleep
s2idle [deep]
Thanks to @roboknight.
Failed at getting PCR data from BitLeaker driver. No more details directly available. Is this error code common?
I was able to get some PCR output from napper-for-tpm, but no success with bitleaker.
Alienware 15 R3 Intel PTT, secure boot disabled
root@ubuntu:~/bitleaker# ./bitleaker.py
BitLeaker v1.0 for decrypting BitLocker with the TPM vulnerability
Made by Seunghun Han, https://kkamagui.github.io
Project link: https://github.com/kkamagui/bitleaker
Search for BitLocker-locked partitions.
[>>] BitLocker-locked partition is [/dev/nvme0n1p3]
Loading BitLeaker kernel module... Success
Entering sleep...
[>>] Please press any key or power button to wake up...
Waking up...
[>>] Please press any key to continue...
Preparing PCR data.
[>>] Get PCR data from BitLeaker driver... Fail
I'm having a somewhat similar problem to #9. I'm attaching my bitleaker log: log.txt
I'm fairly new to TPM, so I've been trying to understand what is happening. As far as I can tell, bitleaker reads a binary blob from dislocker, and that is supposed to contain 220 bytes of the priv/pub object, and the rest is something else.
Here is the snippet that dislocker is returning:
Tue May 2 10:34:49 2023 [DEBUG] Total datum size: 0x012e (302) bytes
Tue May 2 10:34:49 2023 [DEBUG] Datum entry type: 0
Tue May 2 10:34:49 2023 [DEBUG] `--> ENTRY TYPE UNKNOWN 1
Tue May 2 10:34:49 2023 [DEBUG] Datum value type: 6
Tue May 2 10:34:49 2023 [DEBUG] `--> TPM_ENCODED -- Total size header: 12 -- Nested datum: no
Tue May 2 10:34:49 2023 [DEBUG] Status: 0x1
Tue May 2 10:34:49 2023 [DEBUG] Unknown: 0x815
Tue May 2 10:34:49 2023 [DEBUG] Payload:
Tue May 2 10:34:49 2023 [DEBUG] 0x00000000 00 aa 00 20 5d 12 f2 03-70 ef 92 d1 a5 05 e7 c6
Tue May 2 10:34:49 2023 [DEBUG] 0x00000010 a9 5f 6f 24 e9 d1 66 c6-be 0a a8 d9 c6 07 24 cf
Tue May 2 10:34:49 2023 [DEBUG] 0x00000020 57 9e cd 47 00 10 7d 34-bb d9 51 a9 aa aa 33 6b
Tue May 2 10:34:49 2023 [DEBUG] 0x00000030 6c c7 b1 c6 ac ae 7b 43-66 80 ab a9 cb 50 08 f1
Tue May 2 10:34:49 2023 [DEBUG] 0x00000040 53 84 f5 ac 2f ae 0b d1-54 60 df 71 39 2b 95 31
Tue May 2 10:34:49 2023 [DEBUG] 0x00000050 99 e3 45 1b cc a8 f6 da-d4 b0 05 e0 60 09 ce 89
Tue May 2 10:34:49 2023 [DEBUG] 0x00000060 5f c0 8e 72 86 03 62 7d-1c 1d 3e b5 9a 02 67 0b
Tue May 2 10:34:49 2023 [DEBUG] 0x00000070 35 23 a1 e8 33 e6 f0 ef-38 5d 7d e1 bd ce 48 32
Tue May 2 10:34:49 2023 [DEBUG] 0x00000080 e9 ca 0a ff a8 87 ab 89-53 fa d7 eb 51 0f 9c c2
Tue May 2 10:34:49 2023 [DEBUG] 0x00000090 56 b3 b3 f2 a4 41 50 7a-5a d0 b8 06 7f 84 8c 59
Tue May 2 10:34:49 2023 [DEBUG] 0x000000a0 1b c5 05 69 ed 16 f2 85-49 04 06 03 00 4e 00 08
Tue May 2 10:34:49 2023 [DEBUG] 0x000000b0 00 0b 00 00 04 12 00 20-f5 10 e7 eb cb a2 25 bc
Tue May 2 10:34:49 2023 [DEBUG] 0x000000c0 21 68 c2 23 d6 eb 84 1e-7c 03 2c f1 28 1f e5 ab
Tue May 2 10:34:49 2023 [DEBUG] 0x000000d0 23 c3 73 7e 8a d2 f7 ef-00 10 00 20 75 ff bf 4e
Tue May 2 10:34:49 2023 [DEBUG] 0x000000e0 cd c7 63 24 ba 6b b7 96-e3 b6 ef 36 e8 80 89 fe
Tue May 2 10:34:49 2023 [DEBUG] 0x000000f0 57 17 6d d2 a2 be 41 92-42 6b d3 cb 00 20 0a 5b
Tue May 2 10:34:49 2023 [DEBUG] 0x00000100 7b 84 98 30 8a dc 33 ea-b7 6f 81 6b 7a cb 9d 0d
Tue May 2 10:34:49 2023 [DEBUG] 0x00000110 91 ab 73 a2 13 74 a3 2b-06 c5 93 7f c9 da 03 15
Tue May 2 10:34:49 2023 [DEBUG] 0x00000120 08 00
Tue May 2 10:34:49 2023 [DEBUG] Header safe: 0x12e, 0, 0x6, 0x1
Tue May 2 10:34:49 2023 [DEBUG] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The private portion is 0xaa bytes long. So the public portion should start at 0xac. The size of the public portion is then 0x4e, and so it should end at 0xae + 0x4e = 0xfc. But 0xfc > 0xdc == 220. So it seems like maybe my keys are 0x20 bytes larger than usual, and bitleaker is truncating them, which causes the TPM2_Load to fail?
I am not sure if it is relevant, but I have SecureBoot disabled, and I am running Windows 11.
I'll try to change 220 to 0xfc in bitleaker.py and see if that fixes the TPM error.
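An added example (not bitleaker's or dislocker's own code) for both this post's size analysis and the TPM2_Load failure quoted in the earlier post: it walks the TPM2B_PRIVATE / TPM2B_PUBLIC pair the way the TPM does, reports the blob's real length instead of assuming 220 bytes, and decodes the 10-byte TPM response header so the failing handle or parameter is named. The blob is constructed filler with this post's sizes (0xaa, 0x4e); the response bytes are the ones quoted above; the function names and the response-code subset are my own.

```python
import struct

# Constructed sample blob laid out like the dislocker payload in the post above:
# TPM2B_PRIVATE (size 0xaa) then TPM2B_PUBLIC (size 0x4e); filler bytes only.
SAMPLE_BLOB = (struct.pack(">H", 0xAA) + b"\x11" * 0xAA
               + struct.pack(">H", 0x4E) + b"\x22" * 0x4E)
# The 10-byte TPM2_Load response quoted in the earlier post.
SAMPLE_RESPONSE = bytes.fromhex("80010000000a0000018b")
LEGACY_BLOB_LEN = 220  # fixed length the post says bitleaker.py assumes

def tpm2b(buf, off):
    """Read one TPM2B sized buffer (big-endian uint16 size + bytes) at off."""
    (size,) = struct.unpack_from(">H", buf, off)
    end = off + 2 + size
    if end > len(buf):
        raise ValueError(f"TPM2B at {off:#x} needs {size:#x} bytes, blob ends at {len(buf):#x}")
    return buf[off + 2:end], end

def key_blob_layout(blob):
    """Offsets of the private and public parts and the blob's real length."""
    priv, pub_off = tpm2b(blob, 0)
    pub, end = tpm2b(blob, pub_off)
    return {"priv_len": len(priv), "pub_off": pub_off, "pub_len": len(pub), "total": end}

def truncates(blob, fixed_len=LEGACY_BLOB_LEN):
    """True if copying only fixed_len bytes would cut TPM2B_PUBLIC short."""
    return key_blob_layout(blob)["total"] > fixed_len

# Subset of TPM 2.0 Part 2 response-code names; anything else prints as hex.
RC_NAMES = {
    0x08B: "TPM_RC_HANDLE", 0x084: "TPM_RC_VALUE", 0x095: "TPM_RC_SIZE",
    0x09D: "TPM_RC_POLICY_FAIL", 0x09F: "TPM_RC_INTEGRITY", 0x0A2: "TPM_RC_BAD_AUTH",
    0x126: "TPM_RC_POLICY", 0x128: "TPM_RC_PCR_CHANGED",
}

def decode_rc(rc):
    """Split a TPM 2.0 response code into (error name, what it refers to)."""
    if rc == 0:
        return "TPM_RC_SUCCESS", ""
    if not rc & 0x80:                       # format 0: error for the whole command
        return RC_NAMES.get(rc, f"{rc:#05x}"), "command"
    err = 0x80 | (rc & 0x3F)                # format 1: error code + position
    n = (rc >> 8) & 0xF
    where = f"parameter {n}" if rc & 0x40 else (f"session {n - 8}" if n >= 8 else f"handle {n}")
    return RC_NAMES.get(err, f"{err:#05x}"), where

def decode_response(resp):
    """Parse a response header: tag, total size, decoded response code."""
    tag, size, rc = struct.unpack(">HII", resp[:10])
    return tag, size, decode_rc(rc)
```

On the quoted response, decode_response reports TPM_RC_HANDLE for handle 1, i.e. the TPM rejected the first handle of the command (the parent handle), not the blob contents; on the constructed blob, truncates returns True because the real length is 0xfc.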