Extracting BitLocker key possible with known pin?

[softScheck]

We tried to capture the Bitlocker key for a laptop that has a security pin (entered at boot) set. We have access to that pin and the SPI bus communication but have not been able to extract the key. We captured the communication beginning the moment when the key is entered up to the point where Windows start booting.

Do you have any hints about doing that? Is it even possible to get access to the key when the pin feature is enabled (with access to the pin)? The capture is attached. Thanks a lot for your help!
bitlockerCaptureSaleae.sal.zip

[gibasboy]

4BS59ZEA.txt

[target-0]

@softScheck did you manage to find out if in the situation you mentioned it is possible to extract the key?
We ran into the same problem and are wondering if a security pin prevents sniffing the VMK from the SPI bus communication.

Thanks!

[en4rab]

A bit late but yes it is possible to sniff and then decrypt the VMK in TPMandPIN mode but you need to know the PIN there is more info and some tools here https://github.com/en4rab/SPITkey

[target-0]

A bit late but yes it is possible to sniff and then decrypt the VMK in TPMandPIN mode but you need to know the PIN there is more info and some tools here https://github.com/en4rab/SPITkey

Nevertheless thanks for your reply & tool. looks promising, I'll give it a shot on TPMandPIN👍

[idarlund]

https://blog.scrt.ch/2024/10/28/privilege-escalation-through-tpm-sniffing-when-bitlocker-pin-is-enabled/

#7