Locked Surface Pro 4 - BitLocker & UEFI

Associate
Joined
6 May 2020
Posts
9
Looking for help..

Surface Pro 4, BitLocker locked - No more recovery options. UEFI locked and I don’t know the password.

Microsoft Customer Service were helpless. Tried to boot from USB but clearly it is locked.

I am planning to open the Surface and take the SSD out and plug it in another computer using an M2 SSD reader.

If I install a fresh recovery image of Windows on the SSD and plug it back again in the Surface Pro, will this work? Or will the TPM chip keep the Surface locked?

And if this is the scenario, is it possible also to install an additional dual boot windows or any other OS and boot from it instead of the locked BitLocker partition?
I’m also planning to try to use a couple of recommended software tools to extract the BitLocker key from the drive, anyone heard any success story of that?
 
Soldato
Joined
7 Jan 2003
Posts
3,205
Location
Offline
Is there no way you can get the bios password from the current or previous owner?

What about recovery mode, from there you might be able to format the partition and copy a wim
 
Associate
OP
Joined
6 May 2020
Posts
9
Is there no way you can get the bios password from the current or previous owner?

What about recovery mode, from there you might be able to format the partition and copy a wim

The Surface Pro is stuck at a boot loop between either a UEFI password or BitLocker "no more recovery options" screen.
I bought the Surface Pro as spare/parts, no passwords available. I verified with Microsoft Customer Services that it is not stolen using the serial number.
I don’t have the logistics to extract a dump of the BIOS, so was looking for a way around the UEFI, not keen also about the data on the device.
Was trying to figure out if I place a bootable Windows on the SSD and plug it back again, will this work or will it trigger the TPM chip..
 
Soldato
Joined
25 Oct 2002
Posts
2,623
If it has an actual UEFI password then there is no way to reset it as far as I know without changing the motherboard. If boot from USB had been turned off then you won't be able to use a recovery drive.

Taking the SSD out and manually installing Windows on it via another system may work, in that the UEFI will try to boot it by default and as you won't enable BitLocker on this install there should be nothing preventing it from booting. That's assuming you are able to take it apart without physically wrecking the system.
 
Associate
OP
Joined
6 May 2020
Posts
9
If it has an actual UEFI password then there is no way to reset it as far as I know without changing the motherboard. If boot from USB had been turned off then you won't be able to use a recovery drive.

Taking the SSD out and manually installing Windows on it via another system may work, in that the UEFI will try to boot it by default and as you won't enable BitLocker on this install there should be nothing preventing it from booting. That's assuming you are able to take it apart without physically wrecking the system.

Thank you loads for the tip. That is what I thought of, instead of trying to reset the UEFI or the recovery key, I thought of installing a fresh Windows on the SSD.
Taking it apart shouldn’t be an issue. Just lots of patience and picked up tons of tips from lots of videos I watched..
will keep you posted if it works.
My main worry is something that was mentioned before about BitLocker Redflag or something similar between the TPM chip and the SSD BitLocker.. will see how it goes
 
Soldato
Joined
7 Jan 2003
Posts
3,205
Location
Offline
Wow, worth the effort for 90.

Is there no way to trigger the recovery mode? I'm sure on laptops in the past where a bitlocker recovery key was needed you could get in to recovery mode. If you are able to then you could use diskpart to format the partition and apply a wim from a Windows 10 ISO.

If you do open it up check if the recovery files from MS for the surface contain a WIM which you could use.
 
Associate
OP
Joined
6 May 2020
Posts
9
Wow, worth the effort for 90.

Is there no way to trigger the recovery mode? I'm sure on laptops in the past where a bitlocker recovery key was needed you could get in to recovery mode. If you are able to then you could use diskpart to format the partition and apply a wim from a Windows 10 ISO.

If you do open it up check if the recovery files from MS for the surface contain a WIM which you could use.

Triggering the recovery mode in Surface Pro 4 is usually done through pressing a combination of volume down + power button or volume up + power button. Unfortunately neither worked for me, I tried different USBs and using Rufus and Windows recovery manager. Checked the recovery image on the USB drive and it has the WIM file on it.
I think the problem is the boot order in the UEFI is not allowing boot from USB, so it is restricted to the BitLocker recovery key to enter the recovery mode.
I will have a shot later today or tomorrow and open the Surface Pro, I bought an M2 SSD reader for 15 quid and will have a shot at it and see..
The other options I read about when I looked the issue up are: extracting a BIOS dump and trying to flash the BIOS with a modified dump..
There were mention of software that can attempt cracking the BitLocker recovery key, but I doubt it would work and it will need the SSD to be taken out anyway..
I tried default passwords for the UEFI but it didn’t work, found a website that can generate a default password for certain BIOS manufacturer but couldn’t get any luck with that..
I tried draining the battery completely hoping it will reset the BIOS , but it didn’t work
I hope I will get lucky with the SSD ..
 
Associate
Joined
7 Jul 2007
Posts
1,408
If you are going to open it up, maybe try disconnecting the battery internally and leaving it for 24 hours?
No idea if this is accurate, but apparently the CMOS has a direct line from the battery and a capacitor to keep it going for a bit if the battery is removed https://www.ifixit.com/Answers/View/453045/CMOS+battery+in+SP4

Maybe if you leave it long enough with no internal battery the capacitor will drain and the cmos will reset. No idea if that resets uefi passwords though.

EDIT: a bit more googling makes me think this won't reset the password, as it looks like you need to resolder a new bios chip to reset it, although I can't find anything conclusive.

Have you tried any default passwords on the bios? There's a reddit thread here that said 123456 worked, or maybe password or something like that.
 
Associate
OP
Joined
6 May 2020
Posts
9
If you are going to open it up, maybe try disconnecting the battery internally and leaving it for 24 hours?
No idea if this is accurate, but apparently the CMOS has a direct line from the battery and a capacitor to keep it going for a bit if the battery is removed https://www.ifixit.com/Answers/View/453045/CMOS+battery+in+SP4

Maybe if you leave it long enough with no internal battery the capacitor will drain and the cmos will reset. No idea if that resets uefi passwords though.

EDIT: a bit more googling makes me think this won't reset the password, as it looks like you need to resolder a new bios chip to reset it, although I can't find anything conclusive.

Have you tried any default passwords on the bios? There's a reddit thread here that said 123456 worked, or maybe password or something like that.

thank you loads for the tips.
Trying to force the surface to boot from USB by pressing volume down and Power button doesn’t seem to work for me. I end up with BitLocker no more recovery options screen.
I was planning to disconnect the battery and check after 24 hours, if re-installing windows on the SSD directly fails.
I tried a different combination of passwords, I came across a post about UEFI password being “password” and just tried 123456 but unfortunately neither worked.
I recall trying entering the password through a USB keyboard, there was something mentioned about a problem with the on-screen keyboard.
I watched iFixit tutorial, planning on using similar approach using a hairdryer and a pick..
then will take it from there..
 
Soldato
Joined
28 Sep 2008
Posts
14,129
Location
Britain
If it has an actual UEFI password then there is no way to reset it as far as I know without changing the motherboard. If boot from USB had been turned off then you won't be able to use a recovery drive.

Taking the SSD out and manually installing Windows on it via another system may work, in that the UEFI will try to boot it by default and as you won't enable BitLocker on this install there should be nothing preventing it from booting. That's assuming you are able to take it apart without physically wrecking the system.

The TPM will stop it from booting. This is how BitLocker works. It's a disk encryption with the keys escrowed to the hardware TPM. If you change the drive, the TPM will lock out. OP, have you tried Vol down and power just to see if it's LAN/PXE bootable?

It seems to me there's a huge misunderstanding about what BitLocker actually does. It's not a drive encryption, "oh that's nice to have", it's an Enterprise grade, "you're not getting in to this machine" platform. Take the disk out, it's locked, put a new disk in, the TPM will prevent it from booting, it's that simple. If you don't have a UEFI option to boot or disable Secure Boot, it's not going anywhere.

You need to use an external keyboard too as the onscreen one on the SP4 doesn't play nice with some characters. It's also a complete long shot, but SEMM might be able to help.
 
Soldato
Joined
25 Oct 2002
Posts
2,623
The TPM will stop it from booting. This is how BitLocker works. It's a disk encryption with the keys escrowed to the hardware TPM. If you change the drive, the TPM will lock out. OP, have you tried Vol down and power just to see if it's LAN/PXE bootable?

It seems to me there's a huge misunderstanding about what BitLocker actually does. It's not a drive encryption, "oh that's nice to have", it's an Enterprise grade, "you're not getting in to this machine" platform. Take the disk out, it's locked, put a new disk in, the TPM will prevent it from booting, it's that simple. If you don't have a UEFI option to boot or disable Secure Boot, it's not going anywhere.

You need to use an external keyboard too as the onscreen one on the SP4 doesn't play nice with some characters. It's also a complete long shot, but SEMM might be able to help.

I have never heard of an implementation of BitLocker working like this, have you got any examples?

As far as I understand it BitLocker is about protecting the data on the device, not about protecting the device. In simple terms the TPM is a hardware device to validate nothing has been tampered with and to automatically unlock the drive if so. If there is no BitLocker volume on the drive (because OP has formatted it and put their own OS install), then the TPM is never going to be invoked on boot up because it has no reason to.
 
Associate
OP
Joined
6 May 2020
Posts
9
This is my main concern which is delaying my attempt to break the Surface apart.

Whether the TPM chip will revoke the new OS on the SSD.. I couldn’t find any solid info of anyone who attempted that.
As Django x2 said: my main worry is something mentioned about a BitLocker red flag implemented within the TPM, and once it senses the SSD has been tampered with, it will stop it from booting.

I am trying it this weekend anyway, and will keep you posted..

If anyone comes across any info about any chance of resetting the UEFI or TPM chip on the motherboard, let me know, will keep the surface broken apart till I exhaust every attempt and will be thankful for your help ..
 
Associate
Joined
7 Jul 2007
Posts
1,408
The TPM will stop it from booting, but only if there is bitlocker installed on the drive. The TPM holds the encryption keys, and will only release them to windows if it detects that the install is original and not tampered with. However, if there is no bitlocker on the drive to begin with, the TPM will never get a request for the keys, as windows doesn't need them to boot. The bitlockered drive is unreadable without the TPM, but that doesn't mean you can't put another drive in the machine with the TPM and boot it.


Secure Boot shouldn't be an issue, all that does is check that the bootloader has a valid signature. If you re-install Windows on the SSD, it should all still have valid signatures. The only issue I can see is if you somehow install a version of Windows that isn't signed, or if the BIOS doesn't have the signing certificate in the key database.
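To make the mechanism described in this post concrete, here is an added toy model (not the poster's code and not Microsoft's implementation) of TPM measured boot plus key sealing: the boot chain is hashed into a PCR, the volume key is sealed to the expected PCR value, and the key is released only when the measurement matches, while a volume without BitLocker never asks for it. The component names, the single PCR and the hash chaining are simplifying assumptions.

```python
import hashlib

# Toy model of a TPM's PCR extend and key sealing (added illustration, simplified).
# Real TPM 2.0: PCR_new = SHA256(PCR_old || SHA256(measurement)); BitLocker's TPM
# protector seals the volume master key to a policy over selected PCRs.

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Fold one boot component measurement into the PCR value."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components) -> bytes:
    """Return the PCR value after measuring each boot component in order."""
    pcr = bytes(32)  # PCRs start zeroed at power-on
    for component in components:
        pcr = extend(pcr, component)
    return pcr

class ToyTPM:
    """Holds keys sealed to an expected PCR value; releases them only on a match."""
    def __init__(self):
        self.sealed = []  # list of (expected_pcr, key); real TPMs encrypt this under the SRK

    def seal(self, key: bytes, expected_pcr: bytes) -> None:
        self.sealed.append((expected_pcr, key))

    def unseal(self, current_pcr: bytes):
        for expected, key in self.sealed:
            if expected == current_pcr:
                return key
        return None  # policy check fails: Windows would fall back to the recovery screen

# Constructed sample boot chains: the second one has a modified boot configuration.
ORIGINAL_BOOT = [b"firmware", b"bootmgfw.efi v1", b"BCD"]
TAMPERED_BOOT = [b"firmware", b"bootmgfw.efi v1", b"BCD modified"]

def boot(tpm: ToyTPM, components, drive_encrypted: bool) -> str:
    """Simulate the boot manager: only an encrypted volume asks the TPM for a key."""
    pcr = measure_boot(components)
    if not drive_encrypted:
        return "booted: plain volume, TPM never asked for a key"
    key = tpm.unseal(pcr)
    if key is None:
        return "recovery: PCR mismatch, key not released"
    return "booted: volume unlocked with sealed key"

def demo():
    """Seal a key to the original chain, then boot three scenarios."""
    tpm = ToyTPM()
    tpm.seal(b"volume-master-key", measure_boot(ORIGINAL_BOOT))
    return (boot(tpm, ORIGINAL_BOOT, True),
            boot(tpm, TAMPERED_BOOT, True),
            boot(tpm, ORIGINAL_BOOT, False))
```

The third scenario is the fresh, unencrypted install discussed in the thread; the model says nothing about a separate UEFI password, which is enforced by the firmware before any of this runs.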
 
Soldato
Joined
28 Sep 2008
Posts
14,129
Location
Britain
I have never heard of an implementation of BitLocker working like this, have you got any examples?

As far as I understand it BitLocker is about protecting the data on the device, not about protecting the device. In simple terms the TPM is a hardware device to validate nothing has been tampered with and to automatically unlock the drive if so. If there is no BitLocker volume on the drive (because OP has formatted it and put their own OS install), then the TPM is never going to be invoked on boot up because it has no reason to.

BitLocker on its own is exactly that. But in almost all instances where Secure Boot is enabled, BitLocker + a protector (TPM, PIN, TPM+PIN) is a device protector and drive protector. One, it stops a drive from being removed and accessed, two it stops a new fresh drive being added to the device and using the device. If the TPM is hardware (which it is in the SP4 - it's TPM 2.0), it's a private key scenario. If the match of the HDD/SSD changes to what the TPM is expecting, it won't boot. Normally, in this instance, you'd enter UEFI and clear the TPM which is entirely feasible. However, in an Enterprise environment, or anyone worth their weight in security, the UEFI environment would be protected with a password (usually easily crackable ironically), and that would render you unable to clear the TPM = game over.
 
Associate
Joined
7 Jul 2007
Posts
1,408
I don't really see how that works though, the TPM is a passive chip isn't it? It's the bootloader that requests the key from the TPM, which it won't release if the bootloader has changed. But if the drive isn't encrypted in the first place, the bootloader will never activate the TPM. Secure boot should accept any microsoft signed bootloader as well, so a reinstall won't trip that either.
 
Soldato
Joined
25 Oct 2002
Posts
2,623
I don't really see how that works though, the TPM is a passive chip isn't it? It's the bootloader that requests the key from the TPM, which it won't release if the bootloader has changed. But if the drive isn't encrypted in the first place, the bootloader will never activate the TPM. Secure boot should accept any microsoft signed bootloader as well, so a reinstall won't trip that either.

Exactly, I have never seen what Django x2 is describing using a combination of UEFI, TPM and BitLocker.

There is nothing in the Surface UEFI that says "only boot BitLocker encrypted volumes", and if the storage doesn't have a BitLocker volume to decrypt the TPM is never invoked on startup. Secure boot means nothing if you are installing Windows because a Surface will always trust a Microsoft signed installation.
 
Associate
OP
Joined
6 May 2020
Posts
9
Here is the current update..

Tried to break it apart, and failed miserably, so sacrificed the screen.

Removed the SSD and inserted another SSD but without any bootable windows on it, and plugged the surface to an external monitor using an HDMI converter.. the only screen that showed up was the UEFI password..

It didn’t show any booting errors or no media , didn’t show the BitLocker recovery options. It went straightforward to UEFI password..

Which suggests if the SSD is swapped, it triggers the TPM..

I’m planning to install windows OS on the original SSD and give it a shot.. just having problems with the SSD reader which is not recognising the SSD media..

Will keep you posted..
 