Usually you need a very expensive logic analyzer to read the Windows BitLocker keys from the LPC and SPI bus; some people have done it with cheaper hardware.
How about the Bus Pirate, is it able to read and reconstruct the BitLocker key when attached to the TPM chip?
I did a quick search, but did not find any specs for the LPC/SPI bus speed. SPI bus usually maxes out at 50MHz, depending on bus voltage and hardware design.
The Bus Pirate logic analyzer runs up to 125MHz, but it is also limited by the IO buffers (what are the voltage levels being translated?), cable length, etc.
What constitutes an expensive logic analyzer? Is there any demo out there I could read further?
I had a quick look at the Infineon SLB 9665 TPM2.0 data sheet, and it lists its LCLK clock signal as running up to 33MHz, see page 10. (Sorry couldn’t copy it out.)
Is this the sort of chip of interest or is there another, faster part involved?
Edit: The Infineon SLB 9670 works over SPI, and its SCLK maxes out at 43MHz (p13).
Good find. It looks like a 3.3 volt bus, so the Bus Pirate buffers should be able to handle 210Mbps.
I am unfamiliar with the actual bus type. Imagine you need to dig into the official specs to find out how to decode the physical and protocol layers. Ah ok, here. 33MHz typical.
Generally I like at least 4x oversampling, ideally 8. 4 x 33 = 132MSPS. Without overclocking the Bus Pirate can do 62.5 MSPS. If overclocked to 200MHz, then we get 100MSPS. It would be possible I guess if you were determined and have a lot of patience.
An alternative is to use the 33MHz clock to drive the logic analyzer and capture it synchronously. The Bus Pirate doesn’t currently support this, but maybe it could be done with the $4 PICO board and Dr. GusmanB’s logic analyzer. I’m not sure that actually supports external clock, but it’s worth a look.
Not currently. A stock Pico 2 can do 200MSPS in “blast mode” (no presamples), I believe an overclocked Pico 2 will do that in normal mode (with presamples).
This reminds me of this project: GitHub - aplhk/pico-spisniffer: SPI TPM sniffing for BitLocker VMK with a Pi Pico
That looks like just the thing!
It’s been sitting in the back of my mind as “something to mess around with”, but that list is just soooooo long!
I think it’s related:
RPi Pico used here.
Here’s a great video by StackSmashing on the whole process: https://youtu.be/wTl4vEednkQ?feature=shared
There was a plugin for the Saleae Logic 2 software (GitHub - ReversecLabs/bitlocker-spi-toolkit: Tools for decoding TPM SPI transaction and extracting the BitLocker key from them.) and their hardware comes at 530 to 1600 €
Which I think is far more expensive than a Bus Pirate.
Software used is also available at
Keep in mind the various pull requests to extend capabilities to other BitLocker keys and the SPI bus.
I think this is one of those cases where the custom tool is your best bet.
This one does LPC.
This one does SPI.
However… We could integrate those into the Bus Pirate; they are just simple sniffing PIO programs with some analysis code. However, one is GPL licensed and the other unlicensed, so the first step is asking the authors if they’d license it MIT. Second is I have no targets to test with.
I was thinking the same about the licensing. I do have a “spare” notebook/laptop, but I’m not sure what it has for a TPM or if it even has one.
Again, on my list…
My plate is a bit full right now, and in 2 weeks it’s off on another holiday. After that, I can start looking at what I have and see if I can work on adding this to the BP.
If anyone else wants to have at it before then, it’s fine with me. I’d be happy to help when I’m back to it.
To avoid licensing issues, would it be possible to add “app” like support to BusPirate?
Could be as simple as a folder during the build process that gets included? So apps would require a custom firmware as such, but avoids complex logic to support loading a binary during runtime etc
With something like this the “app” would remain in its own code repo, and wouldn’t be included by default
I don’t know enough about licenses to know if that is permissible. Maybe we could do something where you build this yourself, but I don’t think I could distribute it from the project without making the whole code base GPL. That may be different if it were LGPL, but I don’t know and every discussion of the GPL issue devolves into a number of informed but likely not completely legally correct opinions.
Probably best to just start with the author and ask nicely if they’re willing to relicense as MIT
I opened an issue with the unlicensed SPI project. Maybe you could ask the other to consider re-licensing? I’ve had luck before; there have not been any other contributors to the project, so that makes it a bit easier (no need to ask multiple people). However, for all the pending pull requests we’d need to ask the authors before integrating them in a new MIT licensed project.
I’ll reach out to them later today.