Hidden OS in EFI mode

DJ Bonez
2017-06-07
2024-03-17
  • Felis

    Felis - 2018-02-22

    I have not found the "No media" error message in the VC sources on GitHub, and have no idea how to reproduce that error. Maybe you've got a screenshot or more info?

     
    • DJ Bonez

      DJ Bonez - 2018-02-23

      Seems to be an error message from EFI shell.

       
  • DJ Bonez

    DJ Bonez - 2018-02-23

    Actually I got a more important new problem.

    I tried to create a new hidden OS in the same location as before. The decoy OS was already encrypted.
    After the whole procedure, to be exact after restoring the header of the decoy OS as described in our manuals, I got the following error message when trying to boot into the hidden OS.

    Regards
    Bonez

     
    • Felis

      Felis - 2018-02-23

      Exactly the same problem I had. SR and password work correctly but maybe the H_ESP partition is damaged. To check this you may create a WinPE USB and launch VC portable from it. Then go to system->mount without pre-boot authentication.
      Note: if you try to "mount without pre-boot authentication" from the decoy OS you'll see the next error message:

       
      • DJ Bonez

        DJ Bonez - 2018-02-24

        Thanks Felis, hadn't read every comment here. Indeed it was the same problem you had before.

        I couldn't mount the hidden OS in VC portable since the GPT table of the system drive was already overwritten. But gpt_enc doesn't look good to me judging by the check with "-pl" and "-pexec".

        I am going to try again. ;-)

         
  • Alex

    Alex - 2018-02-24

    Removing the boot loader from the boot disk is possible. The only problem is selecting the boot order to boot from USB (it might require manual selection).

    "No media" error - probably you need to select the media volume with the files first, e.g. via "fs1:" (fsN:). To list the file systems in EFI - "map".
    To check contents - "ls"

     
  • DJ Bonez

    DJ Bonez - 2018-02-26

    Ordinary OS and hidden OS are both running fine now. Thank you!

    1. Writing SR for booting the ordinary OS with the authorization USB was successful by proceeding through steps 20 to 23 of Felis' manual. But I still can't explain the "No Media" problem in my attempts before.

    2. If I use gpt_hidden, which was created in the last step of "-oshideprep", I am able to remove the GPT by "-pz". But I cannot encrypt the file for writing to SR, since the password for the ordinary OS isn't being accepted.

    Regards
    Bonez

     
    • Alex

      Alex - 2018-02-26
      1. No media - I guess, according to the screenshot, the current volume was not selected.
        "Shell>" - means no current volume
        "fs0:>" - means the FS0: volume is selected as current
        To select volume 0 - "fs0: <enter>"
        To list volumes - "map"

      2. gpt_hidden - it contains the header from the hidden OS (so pwd and keys from HOS). It is necessary to save the GPT of the ordinary OS with the header:
        to list: -ds <n> -pl
        to save: -ds <n> -pf ord_os_gpt -ps
        to remove: -pf ord_os_gpt -pz

       
      • DJ Bonez

        DJ Bonez - 2018-07-07

        Hey Alex,
        is there a possible solution to get a GPT file out of running hidden OS?
        I lost my backup of gpt_enc, but still have one authorization USB to boot into hidden OS. Of course I don't know the exact position of gpt_enc on SR or anything else.
        Thanks in advance
        Bonez

         
        • Alex

          Alex - 2018-07-08

          Yes, see "dcscfg -srdump". It saves the regions to a set of files. The region with the GPT can be decrypted ("dcscfg -pd").

           
          • DJ Bonez

            DJ Bonez - 2018-07-10

            Thanks a lot. I already tested -srdump, but there were hundreds of files created. Parameter <SFX> is number of security regions, isn't it?

             
            • Alex

              Alex - 2018-07-10

              No, it is the suffix of the files created. Each file is a region. Do not forget to select the volume with SR (-ds <n>).

               
              • DJ Bonez

                DJ Bonez - 2018-07-10

                Thank you, Alex. Successfully recovered gpt_enc.

                 
                • minimaxxximus

                  minimaxxximus - 2021-05-06

                  Hi DJ, can you explain how you restored it from srdump?
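
An added example, not part of the thread and not VeraCrypt/DCS code: after the `-srdump` and `-pd` steps Alex describes, one way to tell which resulting file actually holds a GPT is to look for a header that passes the two CRC32 checks defined by the UEFI GPT format. Assumptions: 512-byte sectors and a partition entry array stored at the same distance from the header as on disk; `check_gpt` and `make_sample` are hypothetical names.

```python
import struct
import sys
import zlib

SECTOR = 512                      # assumed sector size of the dumped region files
HDR_FMT = "<8sIIIIQQQQ16sQIII"    # UEFI GPT header layout, 92 bytes

def check_gpt(blob):
    """Find 'EFI PART' at a sector boundary and validate both GPT CRC32 fields."""
    for off in range(0, len(blob) - 91, SECTOR):
        if blob[off:off + 8] != b"EFI PART":
            continue
        (_sig, _rev, size, crc, _rsv, my_lba, _alt, _first, _last, _guid,
         ent_lba, n_ent, ent_size, ent_crc) = struct.unpack_from(HDR_FMT, blob, off)
        if not 92 <= size <= SECTOR:
            continue
        hdr = bytearray(blob[off:off + size])
        hdr[16:20] = bytes(4)     # header CRC is computed with its own field zeroed
        # Assumption: the entry array keeps its on-disk distance from the header.
        start = off + (ent_lba - my_lba) * SECTOR
        end = start + n_ent * ent_size
        have = ent_size > 0 and 0 <= start and end <= len(blob)
        entries = blob[start:end] if have else b""
        used = sum(any(entries[i:i + 16])            # all-zero type GUID = unused slot
                   for i in range(0, len(entries), ent_size or 1))
        return {"offset": off,
                "header_ok": zlib.crc32(hdr) == crc,
                "entries_ok": zlib.crc32(entries) == ent_crc if have else None,
                "used": used}
    return None                   # no header: wrong region or still encrypted

def make_sample():
    """Constructed image: empty sector 0, GPT header, 128 entries with one in use."""
    entries = bytearray(128 * 128)
    entries[0:16] = bytes(range(1, 17))              # constructed type GUID
    hdr = bytearray(struct.pack(HDR_FMT, b"EFI PART", 0x10000, 92, 0, 0, 1, 2047,
                                34, 2014, bytes(16), 2, 128, 128, zlib.crc32(entries)))
    hdr[16:20] = struct.pack("<I", zlib.crc32(hdr))
    return bytes(SECTOR) + bytes(hdr).ljust(SECTOR, b"\0") + bytes(entries)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:                    # e.g. the decrypted region files
            with open(path, "rb") as fh:
                print(path, check_gpt(fh.read()))
    else:
        print("constructed sample:", check_gpt(make_sample()))
```

A result of `None` for every file means no sector-aligned GPT header was found; `header_ok` true with `entries_ok` false points at a damaged or truncated entry array rather than a wrong password.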

                   
  • Dag Hero

    Dag Hero - 2018-03-01

    Felis and DJ Bonez, were you guys ever able to get a decoy/real OS working in VeraCrypt?
    If so, I have a bounty of 0.025 btc for a guide a user can follow. Please take me up on this, I have a 2.5k euro comp that I don't feel comfortable using as it's UEFI only and I can't do a hidden OS.

    I'll pay the bounty when and only when I can follow the guide and it works.

     
    • DJ Bonez

      DJ Bonez - 2018-03-06

      At your special request I created this manual. Please leave feedback after success.

      Regards
      DJ Bonez

       
      • Konstantin

        Konstantin - 2018-05-10

        Thanks for the great job! I have a new HP laptop with Win 10 on board from the factory. Now I have started to prepare my computer for hidden OS installation with your instruction. I encrypted the decoy OS and prepared a USB bootable flash memory card with the Win 10 distribution. I think it will be easy to do Step 3. At Step 4: Preparing hidden OS there are a couple of questions.
        After point 2 "2. Install Windows on partition H_OS" I need to do "3. Install VeraCrypt". I have never installed Win 10 from USB but I think I will manage it. But how do I install VeraCrypt after this? Should I reboot or will it be possible to do it just after the Win 10 installation without rebooting? Then point 4 "4. Start system encryption". Should I start it without rebooting? At point 5 "5. Add Shell.efi to RescueDisk:" please tell me how exactly to do it? How and where do I create the new folder /EFI/Shell/ in the root directory and how will it move to the RescueDisk iso file?

         
        • minimaxxximus

          minimaxxximus - 2018-06-13

          You just need to unpack the rescue disk onto an empty flash drive and add the shell folder with its contents to the root of the efi directory.

          You just need to unpack the rescue disk onto a clean flash drive and copy the shell folder into the efi folder.

           
  • tulip

    tulip - 2018-04-17

    Hello guys! Heeelp please!

    I've been able to install decoy+hidden OS before, did it on the same computer, same OS, the same disk I'm trying with now, but now I can't do it for the life of me...

    So, I've done all the steps (three times) and can always successfully boot the decoy OS, but can't manage to boot the hidden one after modifying the encryption range, successfully finishing encryption and updating the GPT table to hide H_ESP and H_OS. The only thing I've done differently than the first (successful) time (in January) is using VeraCrypt 1.22 (which wasn't available before) and trying to create two authorisation USB flash drives in step 6 of @DJ Bonez's manual: one totally clean (no partitions on it) for backup and one with a single primary partition offset by 20 MB for carrying around and using.

    How I've made two auth USB flash drives - did the srw, srm, encryption, sra to one USB and then connected the other one and did the srw, srm, skipped the encryption and finally sra to the USB. In both cases using the disk number (as given for example by EFI\VeraCrypt\DcsCfg.dcs -dl d), not the partition number (in the case of the USB drive that had a partition on it).

    Unfortunately, neither one works for booting the hidden OS, but both of them work in the sense of preventing the decoy OS from booting.

    • no usb + decoy os password -> successful boot into decoy OS
    • no usb + hidden os password -> no boot (Authorization failed. Wrong password, PIM, or hash.)
    • usb 1 + decoy os password -> no boot (Authorization failed. Wrong password, PIM, or hash.)
    • usb 2 + decoy os password -> no boot (Authorization failed. Wrong password, PIM, or hash.)
    • usb 1 + hidden os password -> no boot (Authorization failed. Wrong password, PIM, or hash.)
    • usb 2 + hidden os password -> no boot (Authorization failed. Wrong password, PIM, or hash.)

    If it wasn't happening for the third time, I'd doubt my password inputting skills or memory, but I've been extra careful with password input, and I've carefully followed all the "manuals" in existence to no avail. Is it possible that the v1.22 final changed something somewhere? For example, I can't remember if the keys "SecRegionSearch" and "DcsBootForce" existed in DcsProp in the former version and just needed their value changed from 0 to 1, or did you have to add both the keys and their values to the file as you have to now.

    Now I'm trying to create a WinPE, VeraCrypt, Veracrypt Recovery Disk combo and see if I can mount the hidden OS drive from there... Since I'm a total noob, if you have any suggestions, pls share them with me.

    I have time to have one more go at it, but I have no idea what to change to try differently than the last three unsuccessful tries.

    Thanks in advance

    BTW, @DJ Bonez, there's a small mistype in step 5.3. of your manual - using "/" instead of "\" in EFI\VeraCrypt....

     

    Last edit: tulip 2018-04-17
  • minimaxxximus

    minimaxxximus - 2018-06-13

    Well... I tried to make a hidden OS in UEFI mode on a Lenovo g50-30, a Lenovo V510 and a Sony Vaio 14fit. In all three cases I used:
    1. New SSD
    2. Low level formatted USB
    3. Different OS.
    In all three cases I get one error at the end:
    Can't open partition ** Status - Unsupported.
    Does anyone have ideas how to fix this?

     
    • Alex

      Alex - 2018-06-13

      Probably the loader can't find the hidden ESP via GUID. Did you save the GPT table to the authorization USB? Did you configure DcsProp?

       
      • minimaxxximus

        minimaxxximus - 2018-06-14

        Hi Alex, thanks for the answer. Yes, I configured DcsProp, the GPT table is also saved to the USB key, and backups of the GPT tables (encrypted and unencrypted) also exist.
        When I try to boot the hidden OS with the key inserted, the system asks me to enter the PIM and password twice. If I understand the process correctly, after the first entry gpt_enc is decrypted and it asks for the password and PIM to decrypt the system and boot it. The error appears after the second entry.

         
        • Alex

          Alex - 2018-06-14

          It looks like DcsBoot (or DcsInt) is executed twice (which is wrong).
          Probably the ESP for HOS contains EFI\Boot\Microsoft\bootmgfw.efi replaced by DcsBoot.efi (the latest 1.23 beta contains some improvements for HP and other platforms). It can affect the HOS installation flow.
          It is possible to restore the original or set the file name to be executed in the GPT via "DcsCfg -pexec".

           
          • minimaxxximus

            minimaxxximus - 2018-06-14

            Alex, thank you, after restoring the original bootmgfw everything is working correctly.
            I am already using 1.23 beta.

             

            Last edit: minimaxxximus 2018-06-14
  • alfie mr

    alfie mr - 2018-11-12

    Hello everyone, please please help me

    I've been working on the UEFI hidden OS for quite a while now and I still cannot achieve an end result. I am able to follow the steps all the way to the end of the tutorial. I can go as far as changing the ESP partition type from recovery to UEFI partition type, but once I reboot the machine the only operating system I can boot into is the D_OS.
    I've modified the dcsprop to include the SecRegionRearch and DcsBootForce but also to include SecRegionInfoDelay; this extra configuration key allows me to check when the USB authorization is being read by the computer.

    Using the "restore veracrypt bootloader" from the rescue disk of H_OS, I am able to see the USB auth, and typing the H_OS password allows me to get authorized, but when it's about to load Windows, it loads another VeraCrypt bootloader. When I type the H_OS password again it gets accepted, but then I get an error saying: "Can't open partition Status - Unsupported." and the computer freezes. It's similar to the problem faced by minimaxxximus, but I just don't understand what I am supposed to do with the dcscfg -pexec command.

    If I don't use the bootloader from the rescue disk but rather the bootloader contained within the disk, which is located in the Normal_ESP, then I am only able to boot into the D_OS even with the USB authorization inserted. As mentioned above, I have modified the dcsprop to work with USB auth but it seems it's not working, since I am not getting any feedback from the infoDelay config key and also I cannot boot into the H_OS password.

    So far this is what i can achieve with the tutorials:
    1- I'm able to encrypt the D_OS
    2- I'm able to create the 4 sequential partitions and install H_OS
    3- I'm able to run the Pre-test in H_OS
    4- I can run -oshideprep -rnd 2
    5- I'm able to create gpt_enc and gpt_hos
    6- I'm able to encrypt H_OS
    7- I'm able to apply gpt_hos to the disk
    8- I'm able to load gpt_enc into USB AUTH
    9- I'm able to restore the ESP from recovery to efi partition
    10- I'm able to edit the dcscProp using mountvol, to add the SecRegionSearch and dcsBootForce config keys.
    11- I'm able to boot into d_os even after dcsProp has been modified

    What I cannot achieve:
    1- Get the veracrypt bootloader to recognize the USB auth
    2- Boot into H_OS from the normal veracrypt bootloader

    I've honestly run out of ideas. It seems to be working for everyone; I followed all the steps in the tutorials with no errors, but when it comes to booting the actual H_OS I CANNOT.
    If somebody could tell me what the hell I'm doing wrong I would be very thankful.
    I'm sorry if I haven't relayed all the information you might need to help, but I'm still trying to figure this out, so if you have any questions please ask them and I will try to give all the information you need.

     

    Last edit: alfie mr 2018-11-12