Skip to content

Tools for decoding TPM SPI transaction and extracting the BitLocker key from them.

Notifications You must be signed in to change notification settings

WithSecureLabs/bitlocker-spi-toolkit

Repository files navigation

bitlocker-spi-toolkit

Extract BitLocker's volume master key (VMK) from an SPI bus. This repository contains the following Saleae Logic 2 High-Level analyzer extensions:

  • BitLocker-Key-Extractor: Extracting BitLocker keys from the SPI bus.
  • TPM-SPI-Transaction: Decoding TPM SPI transactions from the SPI bus. This extension is not required but is a handy tool for TPM transactions.

In addition, this toolkit includes a Docker container, which can be used to decrypt and mount the drive. For more information, read the following blog post.

Extracted BitLocker key Mounted drive

Installation

  1. Install the High-Level analyzers by selecting Load Existing Extension from Logic 2's extensions tab.
  2. Build the docker image: docker build -t bitlocker-spi-toolkit ..

Usage

  1. Capture SPI traffic by using Logic 2.
  2. Add the built-in SPI analyzer to decode the SPI byte stream.
  3. Add the BitLocker-Key-Extractor analyzer to find BitLocker keys from the SPI stream.
  4. Decrypt and mount the volume: ./mount-bitlocker /dev/sdXX <VMK>
    • This starts the docker container, which all necessary options.
    • This drops you to a new shell, which can be used to manipulate the volume content.
    • To unmount the drive, run exit.

Usage without Docker

Note for macOS users: It is not possible to share Mac host devices with the container. So therefore, you have to do this manually:

  1. Capture the VMK, as shown above.
  2. Build and install the latest version of Dislocker.
  3. Decrypt and mount the volume: ./run.sh <VMK> /dev/sdXX