libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes
GNU Lesser General Public License v3.0

Unable to open: /dev/sda2 #20

Closed wefner closed 1 year ago

wefner commented 7 years ago

Hi there,

I am using pre-release version libfvde-20160918 on Ubuntu 16.04 and I am hitting this error when trying to mount encrypted HFS. I am describing the commands I am issuing and the corresponding error.

$ sudo mount -t auto /dev/sda3 appboot/
$ sudo fvdemount -e appboot/com.apple.boot.P/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey -r XAYL-67N3-DPXM-PUTQ-36TK-33RJ /dev/sda2 /media/osx/ -v
fvdemount 20160918

Unable to open: /dev/sda2.
libfvde_encryption_context_plist_decrypt: invalid plist - decrypted data already set.
libfvde_volume_open_read_keys_from_encrypted_metadata: unable to decrypt encrypted root plist.
libfvde_volume_open_read: unable to read keys from secondary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

Thanks for taking your time on this experimental tool.

harerama commented 3 years ago

Hello, I have been having the same kind of issue: fvde2john (v20180108) running on Kali Linux 2020.4. It seems that libfvde is not able to read the proper volume start offset.

I am not sure of the target MacOS version (could it be derived from the "com.apple.boot.P/System/Library/Caches/com.apple.corestorage/EncryptedRoot.plist.wipekey" path?)

Here is a debug trace attached (if it can help).

Does anyone know if running under OSX (Catalina in my case) could help?

If anyone has an idea on what to try next, that would be a huge help.

My use case is just to retrieve the volume hash so that I can brute force the password (I should be able to generate a good enough password list because I have a pretty good idea of what the password should be). debug.txt.zip

joachimmetz commented 2 years ago

Based on debug.txt.zip

libfvde_encryption_context_plist_get_passphrase_wrapped_kek: unable to retrieve PassphraseWrappedKEKStruct sub property.
libfvde_encrypted_metadata_get_volume_master_key: unable to retrieve passphrase wrapped KEK: 0 from encryption context plist.
libfvde_volume_open_read_keys_from_encrypted_metadata: unable to retrieve volume master key from encrypted metadata.
libfvde_volume_open_read: unable to read keys from primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Looks like this could be related to the XML plist processing. Marking as needs a closer look.

joachimmetz commented 1 year ago

> My use case is just to retrieve the volume hash so that I can brute force the password (I should be able to generate a good enough password list because I have a pretty good idea of what the password should be). debug.txt.zip

Looks like an old version of libfvde (20180108); more recent versions will skip entries with a missing PassphraseWrappedKEKStruct.

Insufficient information to address original reported issue, closing.