how to remove tc bootloader

Discussion in 'encryption problems' started by happyyarou666, Feb 7, 2013.

Thread Status:
Not open for further replies.
  1. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
so anybody got dibs on this, i kinda don't know how to remove it, lols, all help is appreciated :cool:, i've heard something about using a hex editor to remove it or something. fyi i already got the encrypted decoy and hidden os setup; before that though i removed the 100mb reserved partitions and moved the mbr to the system partition in order to have everything encrypted as recommended by the tc tutorial. the tc bootloader is not encrypted and stored in plaintext, hence why i want to remove it; i'd rather have the default vanilla windows mbr instead, if anything at all, to aid in tamper proofing including a bios password. and no, it doesn't stop tampering, but it at least gives you a big warning that your stuff has been messed with, and then there's physical setups. i've destroyed the original rescue iso but i backed up a new tc rescue iso to my hdd and to my usb flash drive that i set up as a bootable drive to boot from in order to load the tc rescue iso from it, as per pauly defran's post in my previous network logging thread. oh and another thing, i'd like to add a nice live cd os as well to my tc bootloader flash drive, like tails or something like qubes, don't know if it has TC support though hmmmm....
     
    Last edited: Feb 7, 2013
  2. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    So bootrec.exe /fixmbr didn't work? Odd.

    The option to re-write the original bootloader (F8 Options, I think) didn't work?

    PD
     
  3. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
nope, as i said the original aka windows bootloader is on the system partition before it even got encrypted and cloned to the hidden volume as hidden os, aka there is no plaintext windows mbr outside of the system partitions. so no, f8 doesn't do jack without me having to completely decrypt my tc fde hdd, since that is what it wants when i select restore original bootloader, which i sure as hell won't do
     
  4. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    I'm so confused :D

    I don't know, but I'll explain what I've done in the past, that worked.

    Had a laptop with TC FDE on it. Didn't need anything on it, and wanted to just reinstall Windows on it. So in my haste, I just popped in a partition manager CD (Gparted or Mini-Tool, I forget) and just formatted C:\. Well, the TC Bootloader still survived. So I booted a Win7 DVD and went to Recovery Command prompt and typed bootrec.exe /fixmbr. That got rid of the TC MBR. I don't know if I just had a weird deal going on or what, but it worked. What happened when you tried booting from a Windows DVD and going into Recovery and trying that command?

    PD
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Say, happyyarou666, you do have two or three verified backups of this system that you're messing so seriously with, right? ;)
     
  6. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
don't worry i have backups, but i sure as hell won't run a format, lols. btw what did i explain about the windows dvd and the recovery, lols, ok i'll repeat it then i guess: when i go into the windows dvd windows recovery, before that it says no OS selected and it doesn't list any, makes sense since the os decoy and hidden os both are encrypted aka RAW volumes. then i click continue anyhow, and what do i get? i get unknown volume on unknown device at the top, i select the cmd tool at the bottom and it opens up giving me an x>sources directory

    i enter your command and it doesn't do jack to the tc bootloader. i've tried fixmbr/device/harddisk0 but that doesn't work either, says directory specified doesn't exist, same with bootrec.exe/fixmbr/device/harddisk0. my bios has 2 ID 0 harddisk devices, one is on a separate raid controller seen as device id 0 and my other ssd on its own sata controller too as device id 0 by bios bootup, this is another tough nut
     
    Last edited: Feb 9, 2013
  7. secureasanut

    secureasanut Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    4
    Location:
    UK
    @happyyarou666

    Use your truecrypt rescue iso to restore the bootloader.

    The windows dvd won't work as they can't read encrypted data.

    Also you won't be able to have a fully vanilla mbr, as you can't wipe out the mbr completely as that will get rid of the disk partitions for the drive and such.

    Your TrueCrypt Rescue Disk contains a backup of the original content of the first drive track (made before the TrueCrypt Boot Loader was written to it) and allows you to restore it if necessary. The first track of a boot drive typically contains a system loader or boot manager. In the Rescue Disk screen, select Repair Options > Restore original system loader.

    http://www.truecrypt.org/docs/?s=rescue-disk

    You will still be able to boot in to the hidden, or should be able to.

    But the decoy must be non encrypted.

    At least i think this is the method you're after.

    There's also a bunch of posts on other people trying to do an unencrypted decoy and still keep the hidden here.

    https://www.wilderssecurity.com/showpost.php?p=2043763&postcount=32

    Read from 32 onwards.

    Should state that you won't be able to use system favourites truecrypt volumes but that you can still use normal favourites.
     
    Last edited: Feb 9, 2013
  8. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    what, so i have to decrypt and leave my decoy os decrypted? makes no sense to have an unencrypted decoy, not to mention i still have separate drives with outer volumes containing hidden volumes, so no need to hide the fact that i'm using encryption. again makes no sense, you trying to hide something so obvious is not in your interest, matter of fact it will make you that much more suspicious. the tc devs haven't made the official tc setup the way it is for nothing, the only thing they haven't considered was tampering with the plaintext tc bootloader, which i'm trying to address. i've seen somebody remove the tc bootloader with a hex editor from a live cd with truecrypt integrated

    as per here

    https://www.anti-forensics.com/modify-truecrypt-encryption-boot-loader-strings/

    i think i've found the solution apparently, i'll try

    update>

    well, new problem, i have no idea in hell how to delete the first 63 sectors. does he mean from the first hex string to the last, aka 63 counted starting at the first string, or what, since i use hxd? we need somebody with the knowledge of from where to where the tc bootloader takes up which address, so we can delete it
     
    Last edited: Feb 9, 2013
  9. secureasanut

    secureasanut Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    4
    Location:
    UK
    @happyyarou666

    now i get what you are trying to do

    while it is possible to remove the truecrypt boot loader it is not easy and is very risky to do

    someone managed to do it here

    http://forums.truecrypt.org/viewtopic.php?t=26521

    Nonetheless this would mean you would need to boot from a linux live cd and restore the sectors to be able to make the drive bootable

    and do the same to make them look like just random wiped sectors

    ps this is very risky business, i can't be much more help i'm afraid, mucking around with disk sectors or the mbr sends a cold shiver down my spine.

    Also this is the only true way i've seen as of date.
     
  10. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
looks good, will try it out, i'll report back once i get some more time, been a bit busy with work, sorry
     
  11. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    802
    ok i've got a bit of time now, finally. anyhow so i've checked out the tut over at the tc forum as linked to, and maybe someone could elaborate where in hell to input this:

    dd if=/dev/sda of=backup.sda.mbr count=1 bs=512
    od -h backup.sda.mbr
    # (Wrote down the values of the six bytes starting at 01B8)
    sfdisk -d /dev/sda > backup.sf
    dd if=/dev/urandom of=/dev/sda count=62 bs=512
    sfdisk /dev/sda < backup.sf
    hexedit -s /dev/sda
    # (Edit the six bytes I wrote down before)


    is it like in xubuntu where you open up a terminal command line or what , forgive me, a very noob linux user here , lols
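As an added illustration, not code from the thread or from the linked tc forum post: this Python model shows what steps 2, 3 and 8 of that recipe protect. The `dd` of random data also hits sector 0, so the partition table, the 0x55AA marker and the six bytes at 0x1B8 (the disk signature, which `sfdisk -d` does not save) have to be grafted back; the sample MBR and all function names are constructed for the example.

```python
"""Sector-0 model of the dd / sfdisk / hexedit recipe (constructed example).

Wiping the boot-code area (bytes 0..0x1B7) is what removes the loader; the
bytes from 0x1B8 to the end of the sector must survive or be restored.
"""
import os
import struct

SECTOR = 512
SIG_OFF = 0x1B8       # the "six bytes at 01B8": 4-byte disk signature + 2 bytes
TABLE_OFF = 0x1BE     # four 16-byte partition entries (what sfdisk -d saves)
BOOTSIG_OFF = 0x1FE   # 0x55AA end-of-sector marker


def six_bytes(mbr: bytes) -> bytes:
    """The bytes the recipe has you write down from 'od -h'."""
    return mbr[SIG_OFF:SIG_OFF + 6]


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary entries so the table can be checked afterwards."""
    entries = []
    for i in range(4):
        e = mbr[TABLE_OFF + 16 * i: TABLE_OFF + 16 * (i + 1)]
        lba, size = struct.unpack_from("<II", e, 8)
        if e[4]:  # partition type 0 means an empty slot
            entries.append({"bootable": e[0] == 0x80, "type": e[4],
                            "start_lba": lba, "sectors": size})
    return entries


def scrub_boot_code(mbr: bytes, rng=os.urandom) -> bytes:
    """Return sector 0 with random boot code but the signature, table and
    0x55AA preserved: the net effect of steps 5-8 of the recipe."""
    assert len(mbr) == SECTOR and mbr[BOOTSIG_OFF:] == b"\x55\xAA"
    return rng(SIG_OFF) + mbr[SIG_OFF:]


def build_sample_mbr() -> bytes:
    """Constructed sample: a recognisable fake loader string and one NTFS entry."""
    code = (b"FAKE-BOOT-LOADER" * 30)[:SIG_OFF]
    sig = b"\xDE\xAD\xBE\xEF" + b"\x00\x00"
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    return code + sig + entry + bytes(48) + b"\x55\xAA"


if __name__ == "__main__":
    before = build_sample_mbr()
    after = scrub_boot_code(before)
    print("signature kept:", six_bytes(after) == six_bytes(before))
    print("table kept:", parse_partitions(after) == parse_partitions(before))
```

Run against a real `backup.sda.mbr` the parser gives you the same check the recipe relies on: a table identical before and after, and six bytes at 0x1B8 that match what you wrote down.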
     