Retrieving Bitlocker keys from the TPM using SPI, I2C or LPC communications requires an understanding of the specific protocol supported by the TPM chip, as well as the device’s make and model.
Proper documentation and research are essential for successful key retrieval. This repo is to collaborate all the awesome resources and information hopefully into one place!
NOTE: I’m 100% sure that there is alot of blogs/data missing here, but please if you know of any and want to contribute, please DO a PR!
Trusted Platform Module (TPM) is a hardware-based security chip that is often used to store encryption keys securely, including Bitlocker keys used for full disk encryption in Windows environments.
Retrieving these keys from the TPM can be achieved through various communication channels, although the specific method may vary depending on the device’s make and model.
| Make | Model | Model Number | TPM | Chipset | Protocol | Location | Debug Headers | Blog/Research | Extractable |
|---|---|---|---|---|---|---|---|---|---|
| Lenovo | Thinkpad | L440 | 1.2 | P24JPVSP | LPC | Under Keyboard | Yes | Blog | Yes |
| Lenovo | X1 Carbon | Gen 11 | 2.0 | ST33TPHF2XSPI | SPI | Under Motherboard | Test Pads | @NoobieDog | Yes |
| Dell | Lattitude | E7450 | 1.2 | AT97SC3205 | SPI | Motherboard | No | @SecurityJon | Yes |
| Dell | Lattitude | E5470 | 2.0 | NPCT650JAOYX | SPI | Motherboard | Yes | Blog | Yes |
| Dell | Lattitude | E5450 | 1.2 | AT97SC3205 | SPI | Motherboard | Yes | Blog | Yes |
| Microsoft | Surface Pro 3 | 2.0 | SLB9665TT2.0 | LPC | Under Battery | No | Blog | Yes | |
| Asus | TPM-M R2.0 | 2.0 | SLB9665TT2.0 | LPC | – | Yes | Video | Yes |
For further information and detailed instructions, refer to the provided blog posts and research documents.
A Deep Dive into TPM-based BitLocker Drive Encryption
Extracting BitLocker keys from a TPM
Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop
From Stolen Laptop to Inside the Company Network
Sniffing Bitlocker Keys on the SPI Bus
TPM 2.0: Extracting Bitlocker keys through SPI
Understanding TPM Sniffing Attacks
Breaking Bitlocker: Bypassing the Windows Disk Encryption
TPM Sniffing Attacks Against Non-Bitlocker Targets
Sniff, there leaks my BitLocker key
BitCracker: BitLocker meets GPUs
A list of awesome tools for sniffing TPM data are listed below.
Playwright-MCP (Model Context Protocol) is a cutting-edge tool designed to bridge the gap between AI…
JBDev is a specialized development tool designed to streamline the creation and debugging of jailbreak…
The Kereva LLM Code Scanner is an innovative static analysis tool tailored for Python applications…
Nuclei-Templates-Labs is a dynamic and comprehensive repository designed for security researchers, learners, and organizations to…
SSH-Stealer and RunAs-Stealer are malicious tools designed to stealthily harvest SSH credentials, enabling attackers to…
Control flow flattening is a common obfuscation technique used by OLLVM (Obfuscator-LLVM) to transform executable…