Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

TPM sniffing - 683

Thomas Dewaele & Julien Oberson - Sec Team. Posted 4 years ago.
  • Bitlocker is a Full Disk Encryption (FDE) solution offered by Microsoft for the Windows operating system. There are many different configurations for how this is set up in practice.
  • One of the setups keeps the Volume Master Key (VMK) inside the Trusted Platform Module (TPM). When decryption needs to take place, the key is sent from the TPM to the computer. The problem is that if you can sniff the bus, you can capture that data, including the key, and eventually decrypt the entire drive.
  • The first part of the article is dedicated to finding the TPM (and the pins on it) on a Lenovo Thinkpad. After doing some digging, they figured out that it was using the LPC protocol to send data, which requires 6 pins.
  • Even though the pins could have been reached by soldering directly to them, they ended up finding a series of pads to connect to instead. From doing continuity tests, they figured out what each pad did, eventually getting a clean connection!
  • To observe the traffic initially, they used an MSO 19.2 logic analyzer. This worked for basic analysis, but the sample rate of the logic analyzer was not fast enough. So, they set up an FPGA to do the sniffing instead, using the LPC Sniffer tool.
  • At this point, the bus could be sniffed to see all data entering and leaving the TPM. Using this, the VMK header can be identified, with the encryption key viewable directly after it. At this point, it is really easy to view the key!
  • They had a consistency problem with the output, so they ran the capture a few times and compared the results. By doing this, they were able to figure out the content easily. Damn, the key had been captured as soon as it was sent out of the TPM.
  • After this, it was possible to decrypt the disk via the dislocker utility. This allows you to specify the VMK directly, without rebuilding the FVEK (whatever this is). Now, Bitlocker was completely circumvented simply because the key was being sent out of the TPM in the clear. The original article comes from Pulse Security.
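As a defender's check to go with the notes above (added here, not code from the Pulse Security article): a PowerShell snippet that lists BitLocker volumes whose VMK is guarded by the TPM alone, the setup the article exploits. It assumes an elevated session on Windows with the BitLocker module available; the function name is my own.

```powershell
# Added example (not from the summarized article): flag volumes whose VMK is
# protected by a bare TPM protector, i.e. the configuration in which the VMK
# leaves the TPM over the bus with no PIN or startup key involved.
# Assumes Windows with the BitLocker module and an elevated session;
# Get-BitLockerVolume requires administrator rights.
function Get-TpmOnlyBitLockerVolumes {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # A plain "Tpm" protector releases the VMK at boot with no user factor.
        $tpmOnly = $types -contains 'Tpm'

        # TpmPin / TpmStartupKey / TpmPinStartupKey require a second factor
        # before the TPM will unseal the VMK.
        $tpmWithFactor = @($types | Where-Object {
            $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
        }).Count -gt 0

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = ($tpmOnly -and -not $tpmWithFactor)
        }
    }
}

# Usage: show only the volumes that match the weak TPM-only setup.
Get-TpmOnlyBitLockerVolumes | Where-Object { $_.TpmOnly } | Format-Table -AutoSize
```

A volume that shows up here is the case the article describes; adding a PIN or startup key protector means the TPM will not unseal the VMK until that factor is supplied.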