Darren McDonald

Sniffing Bitlocker Keys on the SPI Bus

Updated: Feb 24, 2022

It's been common knowledge that there are some limitations with Bitlocker protection when secured with either TPM only or startup PIN only.

But with TPM only, until recently I believed this was too hard to be done on a lost laptop review or pentest. The myth many in IT and security believe is that it requires hard-to-come-by specialised tools and knowledge, and requires you to mess around inside the TPM itself. The phrase "nation state" gets used a lot.

However, there has been some excellent research on this showing the key can be extracted as it passes over a bus on the motherboard. After reading a few articles it suddenly didn't seem all that difficult. Having previously played with software defined radio and digital signal processing, it didn't seem too much of a stretch for me to do this. I used Henri Nurmi's work at F-Secure as a starting point, and going forward I will assume you've read Henri's article.

During the process of trying to replicate that work I ran into something a little different, which is worth documenting for others attempting this attack. I'm also re-covering some of the work done by Henri, and going into a little more detail.

The Setup

Initially I started by obtaining exactly the same laptop used by Henri, a used Dell Latitude E5470, so I could be sure to get easy access to the SPI bus. I also purchased a Saleae 8 Pro. I went for this version as it had a higher sample rate as well as having enough probes to perform a similar attack on other laptops with an LPC bus.

Accessing the Physical SPI Bus

After taking the cover off the laptop, access to the chips was easy enough. Of course the hard work of locating the chips had already been done, but I can say after hunting for the TPM chip on another laptop motherboard this is an excellent laptop to get started with because it requires relatively little disassembly. You can see in the video below that the TPM is located on the top right, with the flash on the top left. Note that access to some of the pins of the flash is obstructed by the cover. As described in Henri's work, that flash chip is on the same SPI bus as the TPM and much easier to access.

Attaching the probes then requires either this cover to be removed, or you can cut away the offending plastic. I used a pair of wire cutters.

In this photo we can see the flash chip at the bottom with its lower pins now exposed and the TPM chip at the top.

The following screenshot shows the pin layout of the flash chip. We'll need the four pins defined by the SPI standard plus the ground pin for reference. These are CLK, MOSI (labelled DI), MISO (labelled DO), CS and GND.

Make sure to disconnect the battery and power, and leave a few minutes for any capacitors to discharge. I initially left the battery plugged in, and although the laptop was powered off, one of the probes touched something it shouldn't have and there was some smoke. Thankfully, and I wonder if this is by design, the probe burned out before anything on the motherboard did. The following photo shows the flash chip all connected up.

Analysing the Capture

For the capture itself I configured a 500 MS/s sample rate, the maximum my Saleae supports, disabled the analogue capture, and set a 20 second timer. It's also handy to label your channels.

Attempting the capture with additional analysers enabled caused the RAM use to spike to 12 GB and often crashed Logic 2. So rather than running it with the capture, I saved the capture without analysers first. Then I could add the analysers one at a time and recover if something went wrong.

Here I add the SPI analyser and match up the channels. The only setting I had to change from default was the enable line. This is because we're connected to the CS line of the flash chip, not the TPM, as described in Henri's work.

Next I added Henri's TPM SPI Transaction Analyzer. You need to get this from his GitHub.

Finding the Key

Here is where things went differently for me. Initially I tried Henri's key extraction tool to try and automatically extract the key, but it couldn't find it.

After several hours of troubleshooting and manually eyeballing SPI messages I came across this. The data sent by the TPM chip is the last four bytes on the bottom channel. It starts with 2c, as expected, but is three bytes too long.

However, immediately following this are more four byte blocks.

Another two packets of data

What we're expecting based on the key extractor source code is some metadata before the key that matches the regex 2c000[0-6]000[1-9]000[0-1]000[0-5]200000. Key data seen here in these four byte blocks is 0x02c2c0000 00010000 00032000 0088A08A 69F2EDA7. This matches the regex and includes the start of our Bitlocker VMK. 2c is repeated twice at the start, and I can only assume the key is being wrapped in another data structure, which unlike the key metadata doesn't include its own length in the length of the message.
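As an added example (not from the original post and not code from Henri's tools), the following Python applies the regex quoted above to the five blocks listed on this page, once with every byte of each read concatenated and once through a simplified model of a decoder that keeps one data byte per read. The function names, the reading of the first block as the four bytes 2c 2c 00 00, and the one-byte-per-read model are assumptions made for illustration.

```python
import re

# Header pattern quoted on the page from the key extractor source.
# Wrapped in a lookahead so overlapping candidates are all examined.
VMK_HEADER = re.compile(r"(?=(2c000[0-6]000[1-9]000[0-1]000[0-5]200000))")

# Constructed sample: the five four-byte blocks quoted on the page.
# Assumption: the page's "0x02c2c0000" is the four bytes 2c 2c 00 00.
PAGE_BLOCKS = ["2c2c0000", "00010000", "00032000", "0088A08A", "69F2EDA7"]


def full_stream(blocks):
    """Concatenate every data byte of every read, as lowercase hex."""
    return "".join(blocks).lower()


def first_byte_stream(blocks):
    """Simplified model (assumption) of a decoder that expects single
    data byte messages: only the first byte of each read is kept."""
    return "".join(block[:2] for block in blocks).lower()


def locate_header(hex_stream):
    """Return (byte offset of the header, bytes captured after it),
    or None when no byte-aligned header is present."""
    for match in VMK_HEADER.finditer(hex_stream):
        if match.start() % 2:
            continue  # starts mid-byte: coincidental nibble alignment
        trailing = (len(hex_stream) - match.end(1)) // 2
        return match.start() // 2, trailing
    return None


if __name__ == "__main__":
    print("all bytes kept:     ", locate_header(full_stream(PAGE_BLOCKS)))
    print("one byte per read:  ", locate_header(first_byte_stream(PAGE_BLOCKS)))
```

The header is found one byte into the concatenated stream, which is the repeated 2c described above, while the one-byte-per-read view of the same capture contains no match at all.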

It's confusing that this is occurring when I'm using exactly the same laptop with the same chips, but given this method has a higher data transfer rate I assume it is due to a firmware update.


Next on my list of things to do is to patch Henri's TPM Key Extractor to identify keys that are sent using this message structure.

Key Lessons Learned

  • Bypassing Bitlocker on a TPM Only setup isn't nearly as hard as I was led to believe. £500 of new hardware and a day is all it took.

  • The Bitlocker Keys may not be transmitted in TPM_DATA_FIFO_0 single data byte messages, as previous tools and research show. Check for a series of four byte blocks.

  • Remove the battery as well as the power before attempting to connect probes, and wait a few minutes for capacitors to discharge or the magic smoke may escape. While none of the pins being connected to in this attack have any significant power, they are surrounded by components that do.

  • When using Saleae's Logic application, perform an initial capture, save it, then add the required analysers one at a time. Some plugins, including ones provided by Saleae, can use GB of RAM in seconds and crash when being run live.

  • 100 MHz sampling on a 30 MHz clock isn't ideal. Data fidelity is much better with a higher sample rate.

  • Performing this attack has some risks; a conversation with the client about the relative value of the hardware and making backups would be recommended before performing this on a penetration test.

  • Buy a SOIC clip, they're worth it.
