
BitUnlocker is a proof-of-concept that demonstrates how BitLocker-encrypted disks on fully patched Windows 11 machines can be accessed in under 5 minutes by exploiting a boot manager downgrade attack. The vulnerability, documented as CVE-2025-48804, affects systems whose Secure Boot database still trusts the Microsoft Windows PCA 2011 certificate. The July 2025 patch fixes bootmgfw.efi, but any pre-patch binary signed under PCA 2011 can be used to load a tampered WinRE environment — bypassing TPM-sealed BitLocker keys without a recovery password.
This tool is provided strictly for authorized security testing and research. Only use it on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal.
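The two preconditions the overview names are checkable from the target itself. The following PowerShell is an added defensive check, not part of the BitUnlocker project: it uses the SecureBoot and BitLocker modules that ship with Windows 11 (elevated session required) and reports whether the firmware still trusts Microsoft Windows Production PCA 2011 and whether the OS volume releases its VMK on the TPM alone. The cmdlet names are standard; the function name and output fields are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added defensive check (example code, not the project's own). Reports whether this
# machine still meets the preconditions described above: the firmware accepts a
# boot manager signed under PCA 2011, and BitLocker unseals the VMK with no PIN.

function Get-DowngradeExposure {
    param([string]$MountPoint = $env:SystemDrive)

    $secureBoot = Confirm-SecureBootUEFI
    $db = ''; $dbx = ''
    if ($secureBoot) {
        # db/dbx are raw EFI_SIGNATURE_LIST blobs; certificate subject names are
        # stored as plain ASCII inside them, so the substring test that Microsoft's
        # KB5025885 guidance uses is enough here. No full parser is needed.
        $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    }
    $pca2011Trusted = $db  -match 'Microsoft Windows Production PCA 2011'
    $pca2011Revoked = $dbx -match 'Microsoft Windows Production PCA 2011'
    $ca2023Trusted  = $db  -match 'Windows UEFI CA 2023'

    # TpmPin / TpmPinStartupKey protectors need user input before the VMK is
    # released; a bare 'Tpm' protector is what an unattended boot can unseal.
    $protectors = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
    $tpmOnly = ($protectors -contains 'Tpm') -and
               -not ($protectors -contains 'TpmPin') -and
               -not ($protectors -contains 'TpmPinStartupKey')

    [pscustomobject]@{
        SecureBootEnabled = $secureBoot
        Pca2011InDb       = $pca2011Trusted
        Pca2011InDbx      = $pca2011Revoked
        WindowsUefiCa2023 = $ca2023Trusted
        BitLockerTpmOnly  = $tpmOnly
        # Exposed when a PCA 2011 signed boot manager would still be accepted and
        # the VMK is released without a PIN. Secure Boot off also counts as exposed.
        Exposed           = ($tpmOnly -and ((-not $secureBoot) -or
                             ($pca2011Trusted -and -not $pca2011Revoked)))
    }
}

Get-DowngradeExposure | Format-List
```

A result with Pca2011InDb true, Pca2011InDbx false and BitLockerTpmOnly true is the state the Mitigations page addresses (TPM+PIN, CA 2023 migration, KB5025885).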

How It Works

Understand the downgrade attack chain, the SDI vulnerability, and why pre-patch boot managers expose the BitLocker VMK.

Prerequisites

Physical access, Secure Boot trust requirements, and the hardware/software you need before starting.

USB Boot (Recommended)

The simplest delivery method: format a FAT32 USB stick and trigger a UEFI boot in under 5 minutes.

PXE Boot

Network-based delivery using dnsmasq over Ethernet — useful when USB ports are restricted.

Build a Custom SDI

Use patch_sdi.py to append your own WinRE.wim to a stock boot.sdi and redirect the WIM blob pointer.

Mitigations

How to protect against this attack: TPM+PIN, CA 2023 migration, KB5025885, and PCR policy hardening.

Quick overview

1. Obtain boot_patched.sdi: Download the pre-built boot_patched.sdi from the GitHub Releases page, or build your own from a stock boot.sdi and a modified WinRE.wim.
2. Modify the BCD on the target: Open a WinRE command prompt on the target machine and use bcdedit to redirect the ramdisk SDI path to \sdi\boot_patched.sdi. See Modify BCD for exact commands.
3. Boot the target from your device: Use USB boot (recommended) or PXE boot to load the pre-patch bootmgfw.efi and the modified BCD.
4. Access the decrypted volume: Once the SDI transfer completes, a command prompt appears with the OS volume decrypted and mounted — typically at C: or E:.

About this research

This work builds entirely on original research by Microsoft STORM (Netanel Ben Simon and Alon Leviev). See the Credits page for attribution and links to the upstream disclosure.
