
kkamagui / napper-for-tpm


TPM vulnerability checking tool for CVE-2018-6622. This tool will be published at Black Hat Asia 2019 and Black Hat Europe 2019

License: Other

Shell 8.42% Makefile 1.08% C 23.13% Python 67.38%
blackhat blackhat2019 cve-2018-6622 dtpm ftpm intel-ptt tpm


napper-for-tpm's Issues

No results at the "Reading PCR values of TPM and checking a vulnerability ...

Hello @kkamagui
I'm trying to recover my data from an HP Pavilion 15-ab102ns laptop.
I have checked and tried the following:

  • Check if the TPM option is enabled in the BIOS.
  • Disable Secure Boot.
  • Run napper, but it does not read PCR values.
  • Checked other issues: changed values 0x04 to 0x0b in napper.py, ran commands and checked the version of the TPM with a Windows livecd.

Can you please help me?

insmod: ERROR: could not insert module napper-driver/napper.ko: Operation not permitted

It failed at preparing for sleep, because the operation to insert module napper-driver/napper.ko was not permitted. Any clue what this means?

root@ubuntu:/home/ubuntu/Downloads/napper-for-tpm# ./napper.py

Napper v1.3 for checking a TPM and Intel PTT vulnerability, CVE-2018-6622 and unknown CVE
Made by Seunghun Han, https://kkamagui.github.io
Project link: https://github.com/kkamagui/napper-for-tpm

Checking TPM version for testing.
[*] Checking TPM version... Intel PTT.
[*] Your system has TPM v2.0, and vulnerability checking is needed.

Preparing for sleep.
insmod: ERROR: could not insert module napper-driver/napper.ko: Operation not permitted
[*] Checking the TPM vulnerability testing module... Fail.
You might need to disable lockdown mode with

 echo 1 > /proc/sys/kernel/sysrq
 echo x > /proc/sysrq-trigger

Help with reading output

Thanks for the tool, I was able to get some output,
(1) TPM version is Intel PTT. Does it mean the motherboard doesn't have a dedicated TPM chip? Is the volume master key sealed inside PTT?
(2) I was able to get two PCR tables. The 1st table is pretty much 0s, the 2nd table repeats the same sequence from bank 00 to 16. Is this sequence read from inside PTT? Is the same used for measured boot?
(3) Can bitleaker support TPM PIN?

root@ubuntu:~/napper-for-tpm# ./napper.py

Napper v1.3 for checking a TPM and Intel PTT vulnerability, CVE-2018-6622 and unknown CVE
Made by Seunghun Han, https://kkamagui.github.io
Project link: https://github.com/kkamagui/napper-for-tpm

Checking TPM version for testing.
[*] Checking TPM version... Intel PTT.
[*] Your system has TPM v2.0, and vulnerability checking is needed.

Preparing for sleep.
[*] Checking the TPM vulnerability testing module... Starting.
[*] Ready to sleep! Please press "Enter" key.
[*] After sleep, please press "Enter" key again to wake up.

[*] Waking up now. Please wait for a while. . . . . . . . . . . 
[*] Checking the resource manager process... Starting.

[*] Reading PCR values of TPM and checking a vulnerability... Vulnerable.
[*] Show all PCR values:         
    Bank/Algorithm: TPM_ALG_SHA1(0x0004)
    PCR_00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_01: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_02: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_03: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_04: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_05: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_06: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_07: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_08: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_09: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_12: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_14: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_15: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_16: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_23: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    

[*] Extending 0xdeadbeef to all static PCRs.
[*] Show all PCR values:         
    Bank/Algorithm: TPM_ALG_SHA1(0x0004)
    PCR_00: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_01: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_02: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_03: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_04: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_05: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_06: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_07: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_08: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_09: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_10: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_11: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_12: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_13: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_14: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_15: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_16: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5
    PCR_17: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_18: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_19: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_20: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_21: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_22: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
    PCR_23: 82 84 fc 88 52 49 4a 2a fd d8 70 3e 62 16 cb c2 a0 8f 62 a5

Summary. Please contribute summary below to the Napper project, https://www.github.com/kkamagui/napper-for-tpm.
[*] Your TPM version is 2.0, and it is vulnerable.
Please download the latest BIOS firmware from the manufacturer's site and update it.

[*] TPM v2.0 information.
    Manufacturer: INTC
    Vendor strings: Inte  l   
    Firmware Version: 012F000C 00000000 
    Revision: 116
    Year: 2016
    Day of year: 265

[*] System information.
    Baseboard manufacturer: Alienware
    Baseboard product name: Alienware 15 R3
    Baseboard version: A00
    BIOS vendor: Alienware
    BIOS version: 1.13.0
    BIOS release date: 09/09/2021
    System manufacturer: Alienware
    System product name: Alienware 15 R3
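
Added example, not part of the original issue or of the Napper project: a small parser for the "Show all PCR values" tables in the layout shown above, which reports whether the static PCRs read all zero after wake-up, the condition under which the output above says "Vulnerable". The function names, the choice of PCRs 0-16 and 23 as the static set, and the sample byte values are assumptions made for this example.

```python
import re

# Assumption: PCRs 0-16 and 23 are the "static" set, matching the registers the
# output above shows as zero; 17-22 read all ff there and are left out.
STATIC_PCRS = list(range(17)) + [23]
BANK_LINE = re.compile(r"Bank/Algorithm:\s*(\w+)\((0x[0-9a-fA-F]+)\)")
PCR_LINE = re.compile(r"^\s*PCR_(\d{2}):\s*((?:[0-9a-fA-F]{2}\s*)+)$")

def parse_pcr_tables(text):
    """Return one {'bank': name, 'pcrs': {index: bytes}} dict per PCR table."""
    tables = []
    for line in text.splitlines():
        bank = BANK_LINE.search(line)
        if bank:
            tables.append({"bank": bank.group(1), "pcrs": {}})
            continue
        row = PCR_LINE.match(line)
        if row and tables:
            value = bytes.fromhex("".join(row.group(2).split()))
            tables[-1]["pcrs"][int(row.group(1))] = value
    return tables

def zeroed_static_pcrs(table):
    """Static PCR indices present in the table whose bytes are all zero."""
    pcrs = table["pcrs"]
    return [i for i in STATIC_PCRS if i in pcrs and not any(pcrs[i])]

def looks_reset_after_resume(table):
    """True only if every static PCR was read and none holds a measurement."""
    return zeroed_static_pcrs(table) == STATIC_PCRS

def _sample_table(static_byte):
    # Constructed rows in the page's layout; byte values are placeholders.
    rows = ["    Bank/Algorithm: TPM_ALG_SHA1(0x0004)"]
    for i in range(24):
        byte = "ff" if 17 <= i <= 22 else static_byte
        rows.append(f"    PCR_{i:02d}: " + " ".join([byte] * 20))
    return "\n".join(rows)

# Constructed sample: first table as read after wake-up, second after an extend.
SAMPLE = "\n".join(["[*] Show all PCR values:", _sample_table("00"),
                    "[*] Show all PCR values:", _sample_table("a5")])

if __name__ == "__main__":
    for n, table in enumerate(parse_pcr_tables(SAMPLE), 1):
        verdict = "reset" if looks_reset_after_resume(table) else "populated"
        print(f"table {n} ({table['bank']}): static PCRs {verdict}")
```

A table with missing rows, such as a read that stopped partway, is reported as not reset rather than guessed at.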

Segfault in tpm2_listpcrs

Napper v1.3 for checking a TPM and Intel PTT vulnerability, CVE-2018-6622 and unknown CVE
Made by Seunghun Han, https://kkamagui.github.io
Project link: https://github.com/kkamagui/napper-for-tpm

Checking TPM version for testing.
[*] Checking TPM version... Intel PTT.
[*] Your system has TPM v2.0, and vulnerability checking is needed.

Preparing for sleep.
[*] Checking the TPM vulnerability testing module... Running.
[*] Ready to sleep! Please press "Enter" key.
[*] After sleep, please press "Enter" key again to wake up.

[*] Waking up now. Please wait for a while. . . . . . . . . . . 
[*] Checking the resource manager process... Running.

Segmentation fault (core dumped)
[*] Reading PCR values of TPM and checking a vulnerability...

sudo dmesg |tail
[ 4552.923732] wlo1: send auth to 2c:ba:ba:8c:2b:e0 (try 1/3)
[ 4552.953995] wlo1: authenticated
[ 4552.958414] wlo1: associate with 2c:ba:ba:8c:2b:e0 (try 1/3)
[ 4553.062365] wlo1: associate with 2c:ba:ba:8c:2b:e0 (try 2/3)
[ 4553.073414] wlo1: RX AssocResp from 2c:ba:ba:8c:2b:e0 (capab=0x1511 status=0 aid=2)
[ 4553.077872] wlo1: associated
[ 4553.088820] wlo1: Limiting TX power to 24 (24 - 0) dBm as advertised by 2c:ba:ba:8c:2b:e0
[ 4554.062742] IPv6: ADDRCONF(NETDEV_CHANGE): wlo1: link becomes ready
[ 4559.634200] tpm2_listpcrs[188147]: segfault at 556b3dcc2000 ip 0000556b3dcb2fa7 sp 00007ffc1918f668 error 4 in tpm2_listpcrs[556b3dcb2000+5000]
[ 4559.634210] Code: 41 b8 01 00 00 00 31 c0 0f 1f 00 89 c1 45 89 c1 89 c6 83 c0 01 83 e1 07 c1 ee 03 41 d3 e1 44 09 ca 88 54 37 07 89 c2 c1 ea 03 <0f> b6 54 17 07 eb da 66 90 f3 0f 1e fa 44 8b 15 55 80 00 00 c7 05

Resourcemngr error

Hi 👋
I am trying to use the Napper livecd.

When I started napper I got an error at this stage:

Checking the resource manager process…. starting
/bin/sh: 1: resourcemgr: Input/output error

And the process is frozen.
What could have gone wrong?

Stuck at "Reading PCR values"

I created a USB boot stick, confirmed TPM v2.0 is enabled in BIOS and followed the instructions to use your script.

It gets stuck at "Reading PCR values of TPM......". I waited for 1 hour and tried two different systems.
Does it take longer than this, or is it a bug or some other error?

Additional info: I tried the "tpm2_getinfo" executable and it throws an error too:
"Resource Mgr, resMgr, failed to initialization: 0x1. Exiting"
