TPM Sniffing – Unveiling Methods To Retrieve Bitlocker Keys Through Hardware Communication Channels

Retrieving Bitlocker keys from the TPM using SPI, I2C or LPC communications requires an understanding of the specific protocol supported by the TPM chip, as well as the device’s make and model.

Proper documentation and research are essential for successful key retrieval. This repo is to collaborate all the awesome resources and information hopefully into one place!

NOTE: I’m 100% sure that there is alot of blogs/data missing here, but please if you know of any and want to contribute, please DO a PR!

Introduction

Trusted Platform Module (TPM) is a hardware-based security chip that is often used to store encryption keys securely, including Bitlocker keys used for full disk encryption in Windows environments.

Retrieving these keys from the TPM can be achieved through various communication channels, although the specific method may vary depending on the device’s make and model.

Table: TPM Communication Methods

Make	Model	Model Number	TPM	Chipset	Protocol	Location	Debug Headers	Blog/Research	Extractable
Lenovo	Thinkpad	L440	1.2	P24JPVSP	LPC	Under Keyboard	Yes	Blog	Yes
Lenovo	X1 Carbon	Gen 11	2.0	ST33TPHF2XSPI	SPI	Under Motherboard	Test Pads	@NoobieDog	Yes
Dell	Lattitude	E7450	1.2	AT97SC3205	SPI	Motherboard	No	@SecurityJon	Yes
Dell	Lattitude	E5470	2.0	NPCT650JAOYX	SPI	Motherboard	Yes	Blog	Yes
Dell	Lattitude	E5450	1.2	AT97SC3205	SPI	Motherboard	Yes	Blog	Yes
Microsoft	Surface Pro 3		2.0	SLB9665TT2.0	LPC	Under Battery	No	Blog	Yes
Asus	TPM-M R2.0		2.0	SLB9665TT2.0	LPC	–	Yes	Video	Yes

Research

For further information and detailed instructions, refer to the provided blog posts and research documents.

A Deep Dive into TPM-based BitLocker Drive Encryption

TPM Sniffing

Extracting BitLocker keys from a TPM

Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop

From Stolen Laptop to Inside the Company Network

Sniffing Bitlocker Keys on the SPI Bus

TPM 2.0: Extracting Bitlocker keys through SPI

Understanding TPM Sniffing Attacks

Breaking Bitlocker: Bypassing the Windows Disk Encryption

TPM Sniffing Attacks Against Non-Bitlocker Targets

Sniff, there leaks my BitLocker key

Bitlocker Attacks

BitCracker: BitLocker meets GPUs

TPM Fail

TPM Vulnerabilties

AMD TPM Exploit

Tools

A list of awesome tools for sniffing TPM data are listed below.

bitlocker-spi-toolkit

Pico-TPMSniffer

LPCClocklessAnalyzer

libsigrokdecoder_spi-tpm

IceStick LPC TPM Snigger

Trainings

Hands-on-security Bitlocker/TPM Hardware training Course

Tamil S

Tamil has a great interest in the fields of Cyber Security, OSINT, and CTF projects. Currently, he is deeply involved in researching and publishing various security tools with Kali Linux Tutorials, which is quite fascinating.