Jump to content

I need help with my Bitlocker Key

PC Chaos

Recommended Posts


I need help with a Bitlockercracker. My Datatransfer was interupted and I can´t read my Data short I can´t open my Dataplate. I tghink I have a Cryptovirus or had a bruteforce attack before and now I need help with the correct path in and out. I´ve found a MOD online wich works on TPM. Think that´s needed. I like to put it in here. Think it´s written correct in, but not to get it out of the Hardware. I have too less knowings about programmings and have consulted a specialist that can´t help me, because his work lays nearly one year in his Storage without beeing over worked. Fucked twice. Would be nice when some could fullfill the rest of the Mod:


"""This module implements BitLocker key extractor analyzer for Saleae Logic 2

Installation: I think "define" at first is ok isn´t it?

(This MOD is of a Stefan from his Homepage)
Add the analyzer by selecting Load Existing Extension from Logic 2's extensions tab.
from enum import Enum
import re
from saleae.analyzers import HighLevelAnalyzer, AnalyzerFrame

WAIT_MASK = 0x01
WAIT_END = 0x01
TPM_DATA_FIFO_0 = 0xd40024


class Operation(Enum):
    """Enum for a TPM transaction type"""
    READ = 0x80
    WRITE = 0x00

class TransactionState(Enum):
    """Different states for the decofing state machine"""
    WAIT = 3

class Transaction:
    """Capsulates one TPM SPI transaction

        start_time: A timestamp when the first byte in this transatcion captured.
        operation: Transaction type.
        size: The number of data bytes.

        start_time: A timestamp when the first byte in this transatcion captured.
        end_time: A timestamp when the last byte in this transatcion captured.
        operation (Operation): Transaction type.
        address (bytearray): The target address in the transatcion. (big-endian).
        data (bytearray): The data in the transatcion.
        size (int): The number of data bytes.
        wait_count (int): Holds the number of wait states between the address and data .
    start_time: float
    end_time: float
    operation: Operation
    address: bytearray
    data: bytearray
    size: int
    wait_count: int

    def __init__(self, start_time, operation, size):
        self.start_time = start_time
        self.end_time = None
        self.operation = operation
        self.address = bytearray()
        self.data = bytearray()
        self.size = size
        self.wait_count = 0

    def is_complete(self):
        """Return True if this transaction is complete.
        A transaction is complete when all address and data bytes are capture"""
        return self.is_address_complete() and self.is_data_complete()

    def is_data_complete(self):
        """Return True if all data bytes are captured."""
        return len(self.data) == self.size

    def is_address_complete(self):
        """Return True if all three address bytes are captured."""
        return len(self.address) == 3

class Hla(HighLevelAnalyzer):
    """Implements the BitLocker key extractor

        state (TransactionState): The current state of the state machine
        current_transaction (Transaction): Contains the transaction to be decoded
        window (bytearray): the last WINDOW_SIZE bytes from transactions. Used to search the key
    result_types = {}

    state = TransactionState.READ_OPERATION
    current_transaction = None
    window = b''

    def __init__(self):

    def decode(self, frame: AnalyzerFrame):
        if frame.type == 'enable':
        elif frame.type == 'disable':
        elif frame.type == 'result':
            mosi = frame.data['mosi'][0]
            miso = frame.data['miso'][0]
            self._state_machine(mosi, miso, frame)

    def _reset_state_machine(self):
        self.state = TransactionState.READ_OPERATION

    def _state_machine(self, mosi, miso, frame):
        machine = {
            TransactionState.READ_OPERATION: self._read_state,
            TransactionState.READ_ADDRESS: self._read_address_state,
            TransactionState.WAIT: self._wait_state,
            TransactionState.TRANSFER_BYTE: self._transfer_byte_state
        return machine[self.state](mosi, miso, frame)

    def _read_state(self, mosi, miso, frame):
        operation = Operation(mosi & OPERATION_MASK)
        size_of_transfer = (mosi & ADDRESS_MASK) + 1
        self.current_transaction = Transaction(
            frame.start_time, operation, size_of_transfer)
        self.state = TransactionState.READ_ADDRESS

    def _read_address_state(self, mosi, miso, frame):
        self.current_transaction.address += mosi.to_bytes(1, byteorder='big')
        address_complete = self.current_transaction.is_address_complete()
        if address_complete and not miso & WAIT_MASK:
            self.state = TransactionState.WAIT
        elif address_complete:
            self.state = TransactionState.TRANSFER_BYTE

    def _wait_state(self, mosi, miso, frame):
        self.current_transaction.wait_count += 1
        if miso == WAIT_END:
            self.state = TransactionState.TRANSFER_BYTE

    def _transfer_byte_state(self, mosi, miso, frame):
        if self.current_transaction.operation == Operation.READ:
            self.current_transaction.data += miso.to_bytes(1, byteorder='big')
        elif self.current_transaction.operation == Operation.WRITE:
            self.current_transaction.data += mosi.to_bytes(1, byteorder='big')

        if self.current_transaction.is_complete():
            self.current_transaction.end_time = frame.end_time
            key = self._find_key()
            if key:
                print(f'[+] Found BitLocker key: {key}')
                self.window = b''
            if len(self.window) >= WINDOW_SIZE:
                self.window = self.window[-WINDOW_SIZE:]

    def _append_transaction(self):
        if int.from_bytes(self.current_transaction.address, "big") != TPM_DATA_FIFO_0:
        self.window += self.current_transaction.data

    def _find_key(self):
        data = self.window.hex()
        key = re.findall(
            r'2c000[0-6]000[1-9]000[0-1]000[0-5]200000(\w{64})', data)
        if key:
            return key[0]
        return None

  • Upvote 1
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...