Announcement

Collapse
No announcement yet.

Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

    Hi there, apologies I'm a real noob with this sort of stuff so please bear with me:

    A week or two ago my laptop randomly started having the Blue Screen of Death and bootloop every time it booted up. So I tried the recovery options while trying to retain the data: the laptop then said you need a Bitlocker Recovery Key. I never selected for the drive to be bitlocker encrypted so this was really weird to me- I have looked through every Microsoft account I own and none of them have the bitlocker recovery key.

    After researching I came across this article: https://dolosgroup.io/blog/2021/7/9/...ompany-network . I managed to get the laptop specs off a website for my motherboard version "lenovo x1 carbon lcfc yoda 2 nm-b48 schematic". I also ordered this https://www.ebay.co.uk/itm/113701218925 and this https://www.ebay.co.uk/itm/164470624858 . Using the schematic I assume the chip I am looking for is the U49 chip, but I am not sure of this. I have found a chip that looks quite similar but its the U184 chip. But there are a few issues that I am encountering: First of all there is like a piece of plastic all over the motherboard I am not sure what it is for and I am trying not to peel all of it off because it looks like it wont go back to sticking after I peel it off. Could anybody if possible please guide me as to where this chip would be on the board?

    I also have a few questions regarding this usb analyzer: I noticed in the article in one of the pictures the author connects one of the wires to a completely different area that is not on the chip, why does he do this? Is it necessary or can I just connect all these clips to purely the chip and it will work? Hopefully once I find this chip, I will hopefully have a better idea of how to hook everything up using the logic analyzer.

    If anybody can help it would be really appreciated!

    Thanks

    #2
    Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

    From my experience with bit locker encryption from windows if the encryption was done on the machine, one is using it is simple to unencrypt the software. just google how to do that. However, if the encryption was done on another machine and then the software was then placed on the machine then it will be a nightmare to unencrypt.

    The TMP from what I remember is an intel device that can be enabled and disenabled in the Bios if someone did not lock out accessing into the Bios.
    Here is an explanation of TMP from the Intel Web Site.

    https://www.intel.com/content/www/us...rm-module.html

    Here are some ways to disable bit locker encryption on the window OS.

    https://www.isunshare.com/windows-10...indows-10.html

    I am not sure that taking out where the encryption keys are stored will actually decrypt the software as there may be a program looking for these keys during boot up and if they are not there then the computer stops booting.
    Last edited by keeney123; 08-14-2022, 12:36 PM.

    Comment


      #3
      Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

      Bitlocker gets enabled a lot on systems without the user being aware. It's only supposed to be on Pro and Enterprise, but I've seen it on Home systems as well. It can be enabled by Group Policy if you join the laptop to a Domain (e.g. school or business network). In that case, the recovery key will be linked to that account you sign in with.

      During normal bootup, Bitlocker drives are unlocked using the key stored in the TPM. So the user won't even be aware that it's there during normal operation. The idea is that if the drive is moved to another system, you can't access its contents without the recovery key (which can be stored on a USB or online account etc). I see this all the time when a motherboard is replaced under warranty by Dell, HP etc. As the TPM does not have the key, we are met with the Bitlocker recovery prompt. At that point, the OEM's wash their hands of it as its now the owners problem. Microsoft usually don't help either. I'm not sure how the data recovery guys deal with Bitlocker drives without the key, not something I've looked into.

      Presuming you haven't disabled or cleared the TPM, your keys should still be on the system. I've also seen this occur when some of the boot defaults are changed too in the BIOS, so revisit any changes you have done in that area. Changing out any chips on the board will not help - the decryption key is unique to your drive, and it's designed to be tamper proof.

      Comment


        #4
        Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

        Originally posted by reformatt View Post
        Bitlocker gets enabled a lot on systems without the user being aware. It's only supposed to be on Pro and Enterprise, but I've seen it on Home systems as well. It can be enabled by Group Policy if you join the laptop to a Domain (e.g. school or business network). In that case, the recovery key will be linked to that account you sign in with.

        During normal bootup, Bitlocker drives are unlocked using the key stored in the TPM. So the user won't even be aware that it's there during normal operation. The idea is that if the drive is moved to another system, you can't access its contents without the recovery key (which can be stored on a USB or online account etc). I see this all the time when a motherboard is replaced under warranty by Dell, HP etc. As the TPM does not have the key, we are met with the Bitlocker recovery prompt. At that point, the OEM's wash their hands of it as its now the owners problem. Microsoft usually don't help either. I'm not sure how the data recovery guys deal with Bitlocker drives without the key, not something I've looked into.

        Presuming you haven't disabled or cleared the TPM, your keys should still be on the system. I've also seen this occur when some of the boot defaults are changed too in the BIOS, so revisit any changes you have done in that area. Changing out any chips on the board will not help - the decryption key is unique to your drive, and it's designed to be tamper proof.
        Thank you for the in-depth knowledge. I also had it done on one of my home windows 10 OS but, I was able to undue it through the Window OS by simply deciding to decrypt the drive. I did not have a key.

        I have also witnessed that if an encrypted drive is moved to another system and one does know the key it still will not decrypt on that system. As if the Mac address is also written into the encryption.

        Comment


          #5
          Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

          Originally posted by keeney123 View Post
          I have also witnessed that if an encrypted drive is moved to another system and one does know the key it still will not decrypt on that system. As if the Mac address is also written into the encryption.
          This is not true, if you have the Bitlocker key you can move a drive to another machine to decrypt it, it doesn't store the MAC. I have done it several times.

          The Bitlocker key is linked to the computer name in AD not the account the user signs in with.

          The TPM is supposed to be secure but i remember reading the link the OP posted last year and couldn't find anything to suggest it was fake.

          Comment


            #6
            Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

            Originally posted by diif View Post
            This is not true, if you have the Bitlocker key you can move a drive to another machine to decrypt it, it doesn't store the MAC. I have done it several times.

            The Bitlocker key is linked to the computer name in AD not the account the user signs in with.

            The TPM is supposed to be secure but i remember reading the link the OP posted last year and couldn't find anything to suggest it was fake.
            I can only tell you what I have experienced. I was unable to decrypt a drive in another machine even with the Bitlocker key. I then had to put it into the original machine to decrypt it with the key. Also, I believe reformatt when he said. "It can be enabled by Group Policy if you join the laptop to a Domain (e.g. school or business network). In that case, the recovery key will be linked to that account you sign in with." I have had the encryption happen on a machine without me enabling it for encryption with no indication that it was encrypted until I tried to access a program to write information and was then informed. This happened after I had been using the machine for several years. Talk about frustration and anger at Microsoft. If you do not believe me that is your right.
            So, what does AD stand for Administrative Domain? Can one create and Administrative Domain with one's sign-in account? I will let you answer these questions for yourself. I also like AD as analog to digital converter.
            Last edited by keeney123; 08-15-2022, 09:09 PM.

            Comment


              #7
              Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

              AD is active directory it's on the DC or domain controller where the group policies for the network are set. Its also where you set passwords.
              The bitlocker key is stored against the computer name in AD not the name they log on with. If a device is on a domain with the right privelages then anyone can log on.
              Having transfered data off bitlocker drives in other machines many times I know it works
              If a laptop was setup by a single user to have bitlocker then you can log into your Microsoft account and see the bitlocker key there I believe, perhaps thats what was meant.

              Comment


                #8
                Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                Hi all, thanks for your replies, so I don't think anything has been changed in the BIOS unless some type of windows update has done something.

                I have checked all the settings and it all seems to be normal- I don't think I've ever really touched them - I just can't figure out why this has suddenly happened. I am not sure what the BIOS version prior to the boot loop issue was but it is currently on: N23ET63W 1.38 that seems to be fairly old so I don't think anything has changed there.

                The boot loop error code is 0xc000021a which I've read online can be stopped if I disable driver enforcement, but I cannot do that due to bitlocker. If only there was a way to get around this then I would be able to get my files back.

                As for the actual settings of the BIOS: I've made sure not to press anything like clear keys. I have been playing with the secure boot option toggling it on and off and this doesn't give me a boot loop but just leads me straight to the recovery key page. Also when I switch it to legacy it will boot straight into the BIOS.

                If there has been a change in the BIOS or something, would the USB Logic Analyser still be an option? The key would still be in memory?

                Comment


                  #9
                  Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                  Originally posted by jiraiyaishere View Post
                  Hi all, thanks for your replies, so I don't think anything has been changed in the BIOS unless some type of windows update has done something.

                  I have checked all the settings and it all seems to be normal- I don't think I've ever really touched them - I just can't figure out why this has suddenly happened. I am not sure what the BIOS version prior to the boot loop issue was but it is currently on: N23ET63W 1.38 that seems to be fairly old so I don't think anything has changed there.

                  The boot loop error code is 0xc000021a which I've read online can be stopped if I disable driver enforcement, but I cannot do that due to bitlocker. If only there was a way to get around this then I would be able to get my files back.

                  As for the actual settings of the BIOS: I've made sure not to press anything like clear keys. I have been playing with the secure boot option toggling it on and off and this doesn't give me a boot loop but just leads me straight to the recovery key page. Also when I switch it to legacy it will boot straight into the BIOS.

                  If there has been a change in the BIOS or something, would the USB Logic Analyser still be an option? The key would still be in memory?
                  Are you saying that the Bios is actually booting in UEFI?

                  Comment


                    #10
                    Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                    Originally posted by keeney123 View Post
                    Are you saying that the Bios is actually booting in UEFI?
                    It will do, the BIOS (basic input output system) was replaced with UEFI (unified extensible firmware interface) in Windows 8.

                    Lets have a photo of the plastic on the motherboard if you haven't got it off jiraiyaishere. It's possibly just stuck down with double sided tape.
                    Last edited by diif; 08-17-2022, 08:05 PM.

                    Comment


                      #11
                      Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                      Originally posted by diif View Post
                      It will do, the BIOS (basic input output system) was replaced with UEFI (unified extensible firmware interface) in Windows 8.

                      Lets have a photo of the plastic on the motherboard if you haven't got it off jiraiyaishere. It's possibly just stuck down with double sided tape.
                      Sorry for late reply, here ya go:

                      https://imgur.com/a/b4AlqOe

                      I've just peeled off that corner the other bits are stuck down

                      Comment


                        #12
                        Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                        It looks like the heatsink needs removing first.

                        Comment


                          #13
                          Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                          Originally posted by jiraiyaishere View Post
                          Hi there, apologies I'm a real noob with this sort of stuff so please bear with me:

                          A week or two ago my laptop randomly started having the Blue Screen of Death and bootloop every time it booted up. So I tried the recovery options while trying to retain the data: the laptop then said you need a Bitlocker Recovery Key. I never selected for the drive to be bitlocker encrypted so this was really weird to me- I have looked through every Microsoft account I own and none of them have the bitlocker recovery key.

                          After researching I came across this article: https://dolosgroup.io/blog/2021/7/9/...ompany-network . I managed to get the laptop specs off a website for my motherboard version "lenovo x1 carbon lcfc yoda 2 nm-b48 schematic". I also ordered this https://www.ebay.co.uk/itm/113701218925 and this https://www.ebay.co.uk/itm/164470624858 . Using the schematic I assume the chip I am looking for is the U49 chip, but I am not sure of this. I have found a chip that looks quite similar but its the U184 chip. But there are a few issues that I am encountering: First of all there is like a piece of plastic all over the motherboard I am not sure what it is for and I am trying not to peel all of it off because it looks like it wont go back to sticking after I peel it off. Could anybody if possible please guide me as to where this chip would be on the board?

                          I also have a few questions regarding this usb analyzer: I noticed in the article in one of the pictures the author connects one of the wires to a completely different area that is not on the chip, why does he do this? Is it necessary or can I just connect all these clips to purely the chip and it will work? Hopefully once I find this chip, I will hopefully have a better idea of how to hook everything up using the logic analyzer.

                          If anybody can help it would be really appreciated!

                          Thanks
                          What is happened to your machine is "Device encryption" which is based on Bitlocker but works on Home OS and enabled automatically if the system meets "Modern standby" specification.

                          https://support.hp.com/us-en/document/c06432394

                          "Windows automatically enables Device Encryption on devices that support Modern Standby (in English). Microsoft offers Device Encryption support on a broad range of devices, including devices that run Windows 10 Home edition. See Overview of BitLocker Device Encryption.
                          Device Encryption is enabled automatically when you either sign into your device with a Microsoft account or join with a corporate domain account"

                          Unlike full Bitlocker which needs manual activation, this subset of Bitlocker will be activated automatically and silently. No warning, no message, nothing at all.

                          Comment


                            #14
                            Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                            I found the U49 chip! it is in fact just above the heatsink as shown in this video right at the top of the board: https://youtu.be/AX_e9jlhbAg?t=84.

                            I am gonna buy a SOIC8 clip, because these probes I have aren't attaching.

                            Is there anything I should know in terms of using the analyzer? Can the chip be bricked from doing this if something were to go wrong? I am just trying to do a risk assessment haha.

                            I still don't understand why in the article, the person attaches one of the probes to a completely separate location that isn't on the chip.

                            Comment


                              #15
                              Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                              Well, I guess that was pointless. I connected the logic analyzer onto the chip and when I power on the laptop, it makes a a really weird chime of 6 beeps and no screen. Computer is still working when I take the clip off. Not sure what I did wrong

                              Comment


                                #16
                                Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                                Did it not pass any data ?

                                Comment


                                  #17
                                  Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                                  Originally posted by diif View Post
                                  Did it not pass any data ?
                                  Unfortunately not, I tried it quite a few times by disconnecting and reconnecting the clip. There was only one time it booted normally but I then noticed that the clip was not on properly because I wasn't getting my data then as well.

                                  When I think the clip is on properly is just makes that chime.

                                  The only differences between the articles analysers and my one is that my analyser can only sample up to 24mhz and I cannot adjust the voltage in the software. But I'm not sure if that has anything to do with it because surely it should still boot when it's clipped on.

                                  Comment


                                    #18
                                    Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                                    Sorry but a very long thread to read but can you summarize the following?

                                    1) device you wish to read is 8 pin soic ?

                                    2) any schematics or datasheet for the component?

                                    3) the device is likely a spi or i2c bus interface. How did you setup the bus analyzer tool? Software and hardware.

                                    4) voltage (Vcc) of this device may be a factor and may demand a voltage / logic translator

                                    Comment


                                      #19
                                      Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                                      Originally posted by mon2 View Post
                                      Sorry but a very long thread to read but can you summarize the following?

                                      1) device you wish to read is 8 pin soic ?

                                      2) any schematics or datasheet for the component?

                                      3) the device is likely a spi or i2c bus interface. How did you setup the bus analyzer tool? Software and hardware.

                                      4) voltage (Vcc) of this device may be a factor and may demand a voltage / logic translator
                                      Hi there, no worries:

                                      1. Yes

                                      2. Sure, here ya go https://cdn.badcaps-static.com/pdfs/...6707b85307.pdf and https://www.digikey.co.uk/en/product...8JVSIQ/5803943

                                      3. Used this analyzer https://www.ebay.co.uk/itm/113701218925,
                                      "Specifications:
                                      Sampling Rate Up To: 24 MHz
                                      Logic: 5V voltage, received 5.25 V
                                      Standard CMOS logic threshold 0.8V low level. 2.0Vlogic high.
                                      Input impedance of approximately 1m ohm or more
                                      Material: Plastic + Circuit Board
                                      Color: As the picture shown
                                      Quantity: 1 Set"

                                      alongside soic8 clip kit here: https://www.amazon.co.uk/EEPROM-Circ.../dp/B08P7GDZJ1.

                                      Plugged in the logic analyzer and used the saleae logic software. Logic Analyzer was recognized on computer as an original Logic model, so wasn't able to adjust voltages or deselect channels. Installed the Bitlocker github extension and selected SPI section and made sure that the channels were aligned with what I had plugged them in as. Also selected "enable line is active high" Then I flipped the switch on the SPI entry I had made and the program said it would use "looping".

                                      Connected clip onto the chip making sure orientation of clip was correct. Occasionally I would get a full signal saying error on a couple of channels prior to turning on the laptop on so I just kept reseating the clip until all channel lines were flat. Finally, pressed the start button in software and then turned on laptop and it would do that chime and black screen.

                                      4. Oh, oof more stuff to get. Is it likely I'll get key from this as I have read that I need to go 4 times the signal strength or something like that and this only goes up to like 24mhz?
                                      Last edited by jiraiyaishere; 08-28-2022, 11:14 AM.

                                      Comment


                                        #20
                                        Re: Recover data from Lenovo Thinkpad X1 Carbon 6th Generation w/ USB Logic Analyzer

                                        Originally posted by diif View Post
                                        It will do, the BIOS (basic input output system) was replaced with UEFI (unified extensible firmware interface) in Windows 8.

                                        Lets have a photo of the plastic on the motherboard if you haven't got it off jiraiyaishere. It's possibly just stuck down with double sided tape.
                                        Understand that one can run a legacy bios system on a windows 10 computer if the bios which the board manufacturer makes allows it. It is not automatic to have UEFI on Windows 8 and higher. Many older computers that the board system qualifies to be upgraded to Windows 10 from Windows 7 can run in only legacy bios. Or they may have the ability to run in UEFI. And some systems can run on either. It will load the drivers for UEFI if supported and if not they will run the Legacy drivers. Just saying that a Windows 8 was replaced by UEFI is misleading. I bought a Window 8 computer new, and know the difficulties to the OS and the UEFI limitations.
                                        Also, understand that this Computer is listed with both Window 7 and Windows 8 OS
                                        Last edited by keeney123; 09-04-2022, 03:36 PM.

                                        Comment

                                        Working...
                                        X