libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes
GNU Lesser General Public License v3.0

libfvde_xml_plist_copy_from_byte_stream: unable to parse XML plist #17

Closed waynemcdougall closed 2 years ago

waynemcdougall commented 8 years ago

I get "Unable to unlock keys." in the 20160801 version. The previous version 20160729 gives a list of errors. So maybe this is an area that is being worked on.

The disk image is from El Capitan. Happy to supply more information.

I took a snapshot of the hard drive (booting into Ubuntu using USB and then a dd of the drive). My friend lost her emails off her iPhone (going back to 2009), and then when she turned on her Mac Air, it seemed to sync, and deleted all her emails as she was watching. I'm trying to get a disk image I can work with to scan for the email files on the drive. Feel free to tell me I'm being stupid or there is a better way.

family@kitchen:~/Desktop/cr$ sudo fvdemount -v -p ValidPassword -o 314597376 cr.dd /media/fvde
fvdemount 20160801

Unable to unlock keys.

family@kitchen:~/Desktop/cr$ sudo fvdemount -v -p ValidPassword -e EncryptedRoot.plist.wipekey -o 314597376 cr.dd /media/fvde
fvdemount 20160729

Unable to open: cr.dd.
libfvde_xml_plist_copy_from_byte_stream: unable to parse XML plist.
libfvde_encryption_context_plist_read_xml: unable to copy XML plist from byte stream.
libfvde_encryption_context_plist_decrypt: unable to retrieve XML.
libfvde_volume_open_read_keys_from_encrypted_metadata: unable to decrypt encrypted root plist.
libfvde_volume_open_read: unable to read keys from primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

joachimmetz commented 8 years ago

> So maybe this is an area that is being worked on.

yes, this is an experimental library, that is being worked on when time permits

> Unable to open: cr.dd.

Can you provide me with the verbose and debug output per https://github.com/libyal/libfvde/wiki/Troubleshooting#verbose-and-debug-output ?

waynemcdougall commented 8 years ago

Very grateful for the work done to date, and not demanding anything. I hope this data will be helpful. Sorry for not providing it immediately. Super impressed with instantaneous response - which I don't expect ever again. :-)

debug.txt.tar.gz

joachimmetz commented 8 years ago

> I hope this data will be helpful.

Thx, I'll have a look as soon as time permits.

> Super impressed with instantaneous response

Thx, depends on what I was doing at the time you reported the issue ;)

glaureano commented 7 years ago

I get the same error too.

$ fvdemount -e EncryptedRoot.plist.wipekey -p XXXXXX -o 209735680 FILE.dd MOUNT_POINT
fvdemount 20160918

Unable to unlock keys.

But the debug output was too large, almost 30MB, so I will need 3 posts to send the file, and rename zip.00X to 00X.zip to work.

debug.001.zip

glaureano commented 7 years ago

This is the second part. debug.002.zip

glaureano commented 7 years ago

This is the last one.

debug.003.zip

joachimmetz commented 7 years ago

thx, will try to have a look later this week.

glaureano commented 7 years ago

I appreciate it.

drvk commented 7 years ago

The same problem here:

fvdemount 20160918

Unable to unlock keys.

Will gladly post more details / outputs via e-mail if needed.

Treat the ZIP as RAR ;)

fvdemount.zip

monteirotorres commented 7 years ago

I am sorry for the trouble, but I have bumped into this very error. Have you had any news about it, @joachimmetz?

bigbillchoney commented 7 years ago

Same problem here :(

fvdemount 20160918

Unable to unlock keys.

monteirotorres commented 7 years ago

Hello there, any news about this issue?

joachimmetz commented 7 years ago

based on debug.001.zip

libfvde_volume_open_read: physical volume size                          : 120368205824
libfvde_volume_open_read: logical volume offset                         : 0x11280000
libfvde_volume_open_read: logical volume size                           : 119329128448

it looks like unsupported format features (also see: https://github.com/libyal/libfvde/issues/2)

try HEAD for now; various changes have been made in the meantime. I'll try to release an updated version as soon as time permits

monteirotorres commented 7 years ago

fvdemount -p p455w0rd -e EncryptedRoot.plist.wipekey -o $(( 409640 * 512)) mac.dd mount/
fvdemount 20170527

Unable to unlock keys.

No luck yet. By HEAD, you meant the last version? Sorry, I am not used to developers' terms.

joachimmetz commented 7 years ago

> By HEAD, you meant the last version?

HEAD is the latest version in the git repo

@monteirotorres I would need the verbose and debug output per https://github.com/libyal/libfvde/wiki/Troubleshooting#verbose-and-debug-output to say anything useful about the error

arcticforensics commented 7 years ago

Re: Unable to unlock keys

Version 20170527 fvdemount works perfectly on MacOS version 10.12.3 Sierra (MacBook Air 13, block size 4096), but fails on 10.12.5. It looks like a problem determining the Logical Volume offset/size. Verbose/Debug output attached. Fantastic product, by the way :)

verbose-and-debug-output.zip

joachimmetz commented 7 years ago

@brucemarkey thanks, I'll have a look as soon as time permits

monteirotorres commented 7 years ago

Well, it took a while, but here is the verbose output, using the latest version. Thanks for all your trouble!

fvdemount.zip

joachimmetz commented 7 years ago

thx, trying to have a look later this week

joachimmetz commented 6 years ago

sry for slow response, swamped at the moment with other stuff

@brucemarkey

No 0x0505 but 0x0305

libfvde_encrypted_metadata_read_type_0x0305: entry: 031 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0305: entry: 031 logical block number    : 11872
libfvde_encrypted_metadata_read_type_0x0305: entry: 031 number of blocks        : 29151392
libfvde_encrypted_metadata_read_type_0x0305: entry: 031 unknown3                : 0x00400000
libfvde_encrypted_metadata_read_type_0x0305: entry: 031 unknown4                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0305: entry: 031 unknown5                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0305: entry: 031 physical block number   : 77408
libfvde_encrypted_metadata_read_type_0x0305: entry: 031 unknown6                : 0x00000000

So definitely something wrong with the size offset detection

libfvde_volume_open_read: physical volume size                          : 120473067520
libfvde_volume_open_read: logical volume offset                         : 0x00020000
libfvde_volume_open_read: logical volume size                           : 131072
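
Added example, not part of the thread or of libfvde: a cross-check of the numbers quoted in the comment above, showing why the reported logical volume size cannot be right. It assumes the 4096-byte block size mentioned earlier in the thread and that the 0x0305 entry describes a run of the logical volume being opened; the page confirms neither.

```python
import re

# Debug lines copied from the comment above (one 0x0305 entry plus the volume summary).
DEBUG_LOG = """\
libfvde_encrypted_metadata_read_type_0x0305: entry: 031 logical block number    : 11872
libfvde_encrypted_metadata_read_type_0x0305: entry: 031 number of blocks        : 29151392
libfvde_encrypted_metadata_read_type_0x0305: entry: 031 physical block number   : 77408
libfvde_volume_open_read: physical volume size                          : 120473067520
libfvde_volume_open_read: logical volume offset                         : 0x00020000
libfvde_volume_open_read: logical volume size                           : 131072
"""

BLOCK_SIZE = 4096  # assumption: the block size mentioned earlier in the thread

LINE = re.compile(r"^(\w+):(?: entry: \d+)?\s+([^:]+?)\s*:\s*(0x[0-9a-fA-F]+|\d+)\s*$")
SEG = "libfvde_encrypted_metadata_read_type_0x0305"
VOL = "libfvde_volume_open_read"


def parse_fields(log):
    """Map (function, field name) -> int; a repeated field keeps its last value."""
    fields = {}
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            func, name, value = m.groups()
            fields[(func, name)] = int(value, 16) if value.startswith("0x") else int(value)
    return fields


def check_sizes(fields, block_size=BLOCK_SIZE):
    """Compare the reported volume sizes with the extent the 0x0305 entry describes."""
    blocks = fields[(SEG, "number of blocks")]
    physical_end = (fields[(SEG, "physical block number")] + blocks) * block_size
    logical_end = (fields[(SEG, "logical block number")] + blocks) * block_size
    reported = fields[(VOL, "logical volume size")]
    return {
        # The extent must fit on the physical volume, else the block size guess is off.
        "extent_fits_physical": physical_end <= fields[(VOL, "physical volume size")],
        # The logical volume has to be at least as large as the run mapped into it.
        "min_logical_size": logical_end,
        "reported_logical_size": reported,
        "size_too_small": reported < logical_end,
    }


if __name__ == "__main__":
    for key, value in check_sizes(parse_fields(DEBUG_LOG)).items():
        print(f"{key}: {value}")
```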

joachimmetz commented 6 years ago

@monteirotorres

Alas log is truncated

xml_scanner: offset: 947747 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
Binary file (standard input) matches
libfvde_encrypted_metadata_read_type_0x0505: entry: 000 number of blocks        : 121796096
libfvde_encrypted_metadata_read_type_0x0505: entry: 000 block number            : 65536
...
libfvde_encrypted_metadata_read_type_0x0505: entry: 000 number of blocks        : 50936320
libfvde_encrypted_metadata_read_type_0x0505: entry: 000 block number            : 65536

The wrong 0x0505 block seems to be applied

libfvde_volume_open_read: physical volume size                          : 499248103424
libfvde_volume_open_read: logical volume offset                         : 0x10000000
libfvde_volume_open_read: logical volume size                           : 208635166720

nodje commented 6 years ago

Hi, did you have any success on the latest 10.12.6 or even 10.13.x?

monteirotorres commented 6 years ago

Haven't tried yet. Was waiting for the developer to signal me any new changes that could have resolved the issue.

4n6x commented 5 years ago

Hi Joachim,

I'm also getting this problem using v20180821 (built from source).

Command used: fvdemount -v -e EncryptedRoot.plist.wipekey -o $((512 * 409640)) -p testdev29-full.dd /mnt/

I've attached a sanitised verbose log plus the output from mmls and fls just FYI

verbose-and-debug-output.zip

Any pointers to resolving this issue would be very much welcomed.

Thanks in advance
Andy Sheldon

joachimmetz commented 5 years ago

@4n6x sry my time is limited at the moment, I'll have a look as soon as time permits.

akoidan commented 3 years ago

Any updates? Are there alternatives to this lib?

joachimmetz commented 2 years ago

Closing in favor of https://github.com/libyal/libfvde/issues/2