BitUnlocker is a proof-of-concept tool that demonstrates how a boot manager downgrade attack can access BitLocker-encrypted disks in under 5 minutes on fully patched Windows 11 machines. It is intended for security researchers and penetration testers who need to understand, reproduce, and ultimately mitigate the class of vulnerability described in CVE-2025-48804. By leveraging a legitimately signed but pre-patch boot manager binary, an attacker with physical access can bypass BitLocker without knowing the recovery key — exposing the full OS volume via a modified WinRE environment.
Documentation Index
Fetch the complete documentation index at: https://mintlify.com/garatc/BitUnlocker/llms.txt
Use this file to discover all available pages before exploring further.
CVE-2025-48804 Overview
The July 2025 patch addresses the SDI vulnerability by updating bootmgfw.efi. However, any pre-patch copy of bootmgfw.efi that was signed under the Microsoft Windows PCA 2011 certificate chain remains cryptographically valid as far as Secure Boot is concerned — provided the target system’s Secure Boot database (DB) still trusts PCA 2011. This trust relationship is the root of the downgrade: an attacker can substitute the modern, patched boot manager with an older, vulnerable one and the firmware will happily execute it.
The result is that the pre-patch boot manager loads a maliciously crafted SDI ramdisk image containing a modified WinRE environment (with cmd.exe as the launch application), the TPM unseals the BitLocker Volume Master Key (VMK) because the PCR measurements still satisfy the policy, and the encrypted OS volume is mounted and accessible from the command prompt.
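Whether a machine is still exposed to this downgrade comes down to the trust relationship described above, and a defender can audit it directly by reading the firmware's Secure Boot db (and dbx) variable and listing the X.509 CAs it holds. The script below is an added example written for this page, not BitUnlocker code: it parses the EFI_SIGNATURE_LIST layout from the UEFI specification, pulls subject CNs out of each certificate with a small DER scan, and reports whether the database contains "Microsoft Windows Production PCA 2011" (the CA the page refers to as Microsoft Windows PCA 2011) and "Windows UEFI CA 2023", the CA Microsoft introduced to replace it. The efivarfs path in load_efivar() is the usual Linux location and is stated as an assumption; SAMPLE_DB is constructed inline and is not a real firmware variable or real certificates.

```python
"""Audit a UEFI Secure Boot signature database (db or dbx).

Added example for this page, not part of the BitUnlocker project.
EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA and the two GUIDs follow the
UEFI specification.  SAMPLE_DB at the bottom is constructed here and is
NOT a real firmware variable; the efivarfs path in load_efivar() is the
usual Linux location, given as an assumption.
"""
import struct
import uuid
from typing import Dict, List, Tuple

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_IMAGE_SECURITY_DATABASE_GUID = "d719b2cb-3a45-4d80-85c2-97a6c5d9da4a"
# DER encoding of the commonName OID 2.5.4.3: OBJECT IDENTIFIER, length 3, 55 04 03
CN_OID = bytes.fromhex("0603550403")
# Subject CNs of the two boot-manager signing CAs relevant to the downgrade
PCA_2011 = "Microsoft Windows Production PCA 2011"
UEFI_CA_2023 = "Windows UEFI CA 2023"
ESL_HEADER = struct.Struct("<III")  # SignatureListSize, SignatureHeaderSize, SignatureSize


def load_efivar(name: str = "db") -> bytes:
    """Read db/dbx from efivarfs; the first 4 bytes are the variable attributes."""
    path = f"/sys/firmware/efi/efivars/{name}-{EFI_IMAGE_SECURITY_DATABASE_GUID}"
    with open(path, "rb") as fh:
        return fh.read()[4:]


def parse_signature_lists(data: bytes) -> List[Tuple[uuid.UUID, List[bytes]]]:
    """Split a variable into (SignatureType GUID, [signature payloads]) pairs."""
    lists = []
    off = 0
    while off < len(data):
        if off + 16 + ESL_HEADER.size > len(data):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at {off:#x}")
        sig_type = uuid.UUID(bytes_le=data[off:off + 16])
        list_size, hdr_size, sig_size = ESL_HEADER.unpack_from(data, off + 16)
        body = off + 16 + ESL_HEADER.size + hdr_size
        body_len = off + list_size - body
        if body_len < 0 or off + list_size > len(data) or sig_size <= 16 or body_len % sig_size:
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at {off:#x}")
        # Each EFI_SIGNATURE_DATA is a 16-byte SignatureOwner GUID followed by the payload
        sigs = [data[pos + 16:pos + sig_size] for pos in range(body, off + list_size, sig_size)]
        lists.append((sig_type, sigs))
        off += list_size
    return lists


def common_names(der: bytes) -> List[str]:
    """Collect every commonName in a DER certificate by scanning for the CN OID.

    Not a full ASN.1 parser, but enough for an audit with no third-party
    library.  In a TBSCertificate the issuer precedes the subject, so the
    last CN found is the subject CN."""
    names: List[str] = []
    pos = der.find(CN_OID)
    while pos >= 0:
        pos += len(CN_OID)
        if pos + 2 <= len(der):
            tag, length = der[pos], der[pos + 1]
            # PrintableString, UTF8String or T61String with a short-form length
            if tag in (0x13, 0x0C, 0x14) and length < 0x80 and pos + 2 + length <= len(der):
                names.append(der[pos + 2:pos + 2 + length].decode("utf-8", "replace"))
        pos = der.find(CN_OID, pos)
    return names


def audit(data: bytes) -> Dict[str, object]:
    """Summarise which CAs and hashes a db/dbx variable contains."""
    subjects: List[str] = []
    hashes: List[str] = []
    for sig_type, sigs in parse_signature_lists(data):
        if sig_type == EFI_CERT_X509_GUID:
            for cert in sigs:
                cns = common_names(cert)
                subjects.append(cns[-1] if cns else "<no CN found>")
        elif sig_type == EFI_CERT_SHA256_GUID:
            hashes.extend(h.hex() for h in sigs)
    return {
        "x509_subjects": subjects,
        "sha256_hashes": hashes,
        "has_pca_2011": any(PCA_2011 in s for s in subjects),
        "has_uefi_ca_2023": any(UEFI_CA_2023 in s for s in subjects),
    }


# --- constructed sample data (NOT real certificates or a real variable) ------
SAMPLE_OWNER = uuid.UUID("00000000-0000-0000-0000-00000000c0de")  # constructed owner GUID


def _cn_field(cn: str) -> bytes:
    """CN OID followed by a PrintableString, as it appears inside a DER Name."""
    enc = cn.encode("ascii")
    return CN_OID + bytes([0x13, len(enc)]) + enc


def fake_cert(subject_cn: str) -> bytes:
    """Stand-in for a DER certificate: an issuer CN followed by a subject CN."""
    return b"NOT-A-REAL-CERT:" + _cn_field("Constructed Root CA") + _cn_field(subject_cn)


def build_signature_list(sig_type: uuid.UUID, owner: uuid.UUID, payloads: List[bytes]) -> bytes:
    """Encode one EFI_SIGNATURE_LIST; all payloads in a list must share one size."""
    sig_size = 16 + len(payloads[0])
    if any(16 + len(p) != sig_size for p in payloads):
        raise ValueError("signatures in one list must share a size")
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + ESL_HEADER.pack(16 + ESL_HEADER.size + len(body), 0, sig_size) + body


SAMPLE_DB = (
    build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [fake_cert(PCA_2011)])
    + build_signature_list(EFI_CERT_X509_GUID, SAMPLE_OWNER, [fake_cert(UEFI_CA_2023)])
    + build_signature_list(EFI_CERT_SHA256_GUID, SAMPLE_OWNER, [bytes(range(32))])
)

if __name__ == "__main__":
    for key, value in audit(SAMPLE_DB).items():
        print(f"{key}: {value}")
```

Run it against the live variable with audit(load_efivar("db")): a db that still contains the 2011 CA will boot any pre-patch bootmgfw.efi signed under it, and the same audit of dbx (or of the SBAT/revocation state the firmware applies) is what tells you whether the old boot managers are actually blocked rather than merely superseded.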
This work builds entirely on the original research by Microsoft STORM (Netanel Ben Simon and Alon Leviev): BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets.
Authorized use only. This tool and all accompanying documentation are provided strictly for authorized security testing and research purposes. Only use BitUnlocker on systems you own or have explicit written permission to test. Unauthorized access to computer systems is illegal. The author assumes no liability for any misuse or damage resulting from the use of this material.
Delivery Methods
BitUnlocker supports two delivery methods. The USB method is simpler and recommended for most engagements. The PXE method is useful when USB booting is unavailable or impractical.
USB Boot
Format a USB stick as FAT32, copy the pre-built directory structure, and trigger a UEFI USB boot on the target. Recommended for most assessments.
PXE Boot
Serve the boot manager and SDI file over TFTP using dnsmasq on a Linux machine connected via Ethernet. Useful when USB is not an option.
SDI Tooling
The scripts/ directory contains two Python utilities for working with SDI ramdisk images. Use them to build a custom boot_patched.sdi or to inspect an existing one.
Build SDI
patch_sdi.py — builds a modified SDI file from a boot.sdi and a WinRE.wim, replacing the WIM blob with a custom one that launches cmd.exe.
Parse SDI
parse_sdi.py — parses an SDI file to validate its internal structure and inspect the blobs it contains.
Pre-built Release
The pre-built release available on the GitHub Releases page includes a ready-to-use boot_patched.sdi file. This SDI contains a modified WinRE.wim where the WinRE launch application has been replaced with cmd.exe. Download it and place it in USB/sdi/ (for USB method) or TFTP-root/sdi/ (for PXE method) — no Python or build tooling required.
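For the inspection side of the SDI tooling described above (validating structure and looking at the blobs, whether in a self-built image or the release boot_patched.sdi), here is an added example of my own, not the project's parse_sdi.py. The layout it uses is my reading of public descriptions of the SDI format and should be treated as an assumption: a 0x400-byte header beginning with "$SDI0001" and an 8-byte MDB type, then 64-byte blob entries (an 8-byte type such as BOOT, PART or WIM followed by little-endian attributes, offset, size and base address) ending at the first all-zero entry. build_sample_image() constructs a tiny image inline for the demonstration; it is not a real boot.sdi.

```python
"""Inspect an SDI ramdisk image: check the header, list the blob table,
flag blobs that fall outside the file and fingerprint each blob.

Added example, not the project's parse_sdi.py.  The layout (0x400-byte
header starting with "$SDI0001", 64-byte blob entries of type,
attributes, offset, size, base address) is taken from public descriptions
of the format and is an assumption; build_sample_image() constructs a
tiny image inline that is not a real boot.sdi.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SDI_SIGNATURE = b"$SDI0001"
BLOB_TABLE_OFFSET = 0x400
BLOB_ENTRY = struct.Struct("<8sQQQQ")   # type, attributes, offset, size, base address
BLOB_ENTRY_SIZE = 0x40                  # each entry is padded to 64 bytes
WIM_MAGIC = b"MSWIM\x00\x00\x00"        # first 8 bytes of every WIM file


@dataclass
class Blob:
    kind: str
    attr: int
    offset: int
    size: int
    base: int


def parse_blob_table(data: bytes) -> List[Blob]:
    """Return the blob entries, stopping at the first empty (all-zero) type."""
    if len(data) < BLOB_TABLE_OFFSET or not data.startswith(SDI_SIGNATURE):
        raise ValueError("not an SDI image: $SDI0001 signature missing")
    blobs: List[Blob] = []
    off = BLOB_TABLE_OFFSET
    while off + BLOB_ENTRY_SIZE <= len(data):
        kind, attr, offset, size, base = BLOB_ENTRY.unpack_from(data, off)
        if kind == bytes(8):
            break
        blobs.append(Blob(kind.rstrip(b"\x00 ").decode("ascii", "replace"), attr, offset, size, base))
        off += BLOB_ENTRY_SIZE
    return blobs


def validate(data: bytes) -> List[str]:
    """Structural checks; an empty list means nothing looked wrong."""
    problems: List[str] = []
    for b in parse_blob_table(data):
        if b.offset + b.size > len(data):
            problems.append(f"{b.kind}: blob at {b.offset:#x}+{b.size:#x} runs past end of file")
        if b.kind == "WIM" and data[b.offset:b.offset + 8] != WIM_MAGIC:
            problems.append("WIM: payload does not start with the MSWIM magic")
    return problems


def blob_digests(data: bytes) -> Dict[str, str]:
    """SHA-256 of each in-bounds blob, e.g. to compare a found SDI with a known release."""
    return {b.kind: hashlib.sha256(data[b.offset:b.offset + b.size]).hexdigest()
            for b in parse_blob_table(data) if b.offset + b.size <= len(data)}


# --- constructed sample image (not a real boot.sdi) --------------------------
def build_sample_image() -> bytes:
    boot_code = b"CONSTRUCTED-BOOT-CODE-STUB".ljust(0x200, b"\x00")
    wim_blob = WIM_MAGIC + b"CONSTRUCTED-WIM-STUB".ljust(56, b"\x00")
    entries = [(b"BOOT", 0x1000, boot_code), (b"WIM ", 0x1200, wim_blob)]
    img = bytearray(0x1200 + len(wim_blob))
    img[0:8] = SDI_SIGNATURE
    img[8:16] = b"MDB ".ljust(8, b"\x00")
    for i, (kind, offset, payload) in enumerate(entries):
        BLOB_ENTRY.pack_into(img, BLOB_TABLE_OFFSET + i * BLOB_ENTRY_SIZE,
                             kind, 0, offset, len(payload), 0)
        img[offset:offset + len(payload)] = payload
    return bytes(img)


SAMPLE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for b in parse_blob_table(SAMPLE_IMAGE):
        print(f"{b.kind:<4} offset={b.offset:#x} size={b.size:#x} base={b.base:#x}")
    print("problems:", validate(SAMPLE_IMAGE) or "none")
```

The blob digests are the useful part for an incident responder: an SDI recovered from a USB stick or a TFTP root can be fingerprinted per blob and the WIM blob compared against the hash of a known boot.sdi, so a swapped-in recovery image shows up even when the file name and header look ordinary.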