libfplist_property_get_value_string: unsupported value type

[eternaleye]

Non-verbose output:

fvdeinfo 20161110

Unable to open: /dev/loop0p2.
libfplist_property_get_value_string: unsupported value type.
libfplist_property_value_uuid_string_copy_to_byte_stream: unable to retrieve logical volume family identifier.
libfvde_encrypted_metadata_read_type_0x001a: unable to copy LVF UUID string to byte stream.
libfvde_encrypted_metadata_read: unable to read metadata block type 0x001a.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Turning on verbose output yields the following info (with everything before the seeming error removed, and UUIDs snipped out, as I don't know what is/isn't private):

libfvde_metadata_read_core_storage_plist: XML:
<dict><key>com.apple.corestorage.label.sequence</key><integer size="32">0x1</integer><key>com.apple.corestorage.lvg.uuid</key><string>UUID_WAS_SNIPPED</string><key>com.apple.corestorage.lvg.name</key><string>Macintosh HD</string><key>com.apple.corestorage.lvg.physicalVolumes</key><array><string>UUID_WAS_SNIPPED</string></array></dict>xml_scanner: offset: 5 token: XML_TAG_OPEN_START
xml_parser: rule: xml_tag_open_start
xml_scanner: offset: 6 token: XML_TAG_END
xml_scanner: offset: 10 token: XML_TAG_OPEN_START
xml_parser: rule: xml_tag_open_start
xml_scanner: offset: 11 token: XML_TAG_END
xml_scanner: offset: 47 token: XML_TAG_CONTENT
xml_parser: rule: xml_tag_content
xml_scanner: offset: 53 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
xml_scanner: offset: 61 token: XML_TAG_OPEN_START
xml_parser: rule: xml_tag_open_start
xml_scanner: offset: 66 token: XML_ATTRIBUTE_NAME
xml_scanner: offset: 67 token: XML_ATTRIBUTE_ASSIGN
xml_scanner: offset: 71 token: XML_ATTRIBUTE_VALUE
xml_parser: rule: xml_attribute
xml_scanner: offset: 72 token: XML_TAG_END
xml_scanner: offset: 75 token: XML_TAG_CONTENT
xml_parser: rule: xml_tag_content
xml_scanner: offset: 85 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
xml_scanner: offset: 89 token: XML_TAG_OPEN_START
xml_parser: rule: xml_tag_open_start
xml_scanner: offset: 90 token: XML_TAG_END
xml_scanner: offset: 120 token: XML_TAG_CONTENT
xml_parser: rule: xml_tag_content
xml_scanner: offset: 126 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
xml_scanner: offset: 133 token: XML_TAG_OPEN_START
xml_parser: rule: xml_tag_open_start
xml_scanner: offset: 134 token: XML_TAG_END
xml_scanner: offset: 170 token: XML_TAG_CONTENT
xml_parser: rule: xml_tag_content
xml_scanner: offset: 179 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
xml_scanner: offset: 183 token: XML_TAG_OPEN_START
xml_parser: rule: xml_tag_open_start
xml_scanner: offset: 184 token: XML_TAG_END
xml_scanner: offset: 214 token: XML_TAG_CONTENT
xml_parser: rule: xml_tag_content
xml_scanner: offset: 220 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
xml_scanner: offset: 227 token: XML_TAG_OPEN_START
xml_parser: rule: xml_tag_open_start
xml_scanner: offset: 228 token: XML_TAG_END
xml_scanner: offset: 240 token: XML_TAG_CONTENT
xml_parser: rule: xml_tag_content
xml_scanner: offset: 249 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
xml_scanner: offset: 253 token: XML_TAG_OPEN_START
xml_parser: rule: xml_tag_open_start
xml_scanner: offset: 254 token: XML_TAG_END
xml_scanner: offset: 295 token: XML_TAG_CONTENT
xml_parser: rule: xml_tag_content
xml_scanner: offset: 301 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
xml_scanner: offset: 307 token: XML_TAG_OPEN_START
xml_parser: rule: xml_tag_open_start
xml_scanner: offset: 308 token: XML_TAG_END
xml_scanner: offset: 315 token: XML_TAG_OPEN_START
xml_parser: rule: xml_tag_open_start
xml_scanner: offset: 316 token: XML_TAG_END
xml_scanner: offset: 352 token: XML_TAG_CONTENT
xml_parser: rule: xml_tag_content
xml_scanner: offset: 361 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
xml_scanner: offset: 369 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
xml_scanner: offset: 376 token: XML_TAG_CLOSE
xml_parser: rule: xml_tag_close
Unable to open: /dev/loop0p2.
libfplist_property_get_value_string: unsupported value type.
libfvde_metadata_read_core_storage_plist: unable to retrieve logical volume group identifier.
libfvde_metadata_read_type_0x0011: unable to read metadata block type 0x0011.
libfvde_metadata_read: unable to read metadata block type 0x0011.
libfvde_volume_open_read: unable to read primary metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

[joachimmetz]

<dict>
  <key>com.apple.corestorage.label.sequence</key>
  <integer size="32">0x1</integer>
  <key>com.apple.corestorage.lvg.uuid</key>
  <string>UUID_WAS_SNIPPED</string>
  <key>com.apple.corestorage.lvg.name</key>
  <string>Macintosh HD</string>
  <key>com.apple.corestorage.lvg.physicalVolumes</key>
  <array>
    <string>UUID_WAS_SNIPPED</string>
  </array>
</dict>

This might be related to the array

[eternaleye]

After patching the library to hardcode the LVF UUID (and skip the related checks), I got it to make progress - However, it now fails in libfvde_io_handle_read_logical_volume_header. If I add a debug print, I see it's called twice - once on a volume with the signature 0x28ec, and once on a volume with the signature 0xe33b.

This is the layout of the (last listing of) volumes, on a 750GB (~700GiB) drive:

libfvde_encrypted_metadata_read_type_0x0405: number of entries                  : 10
libfvde_encrypted_metadata_read_type_0x0405: unknown1                           : 0x00000000

libfvde_encrypted_metadata_read_type_0x0405: entry: 000 block number            : 0
libfvde_encrypted_metadata_read_type_0x0405: entry: 000 number of blocks        : 12066944
libfvde_encrypted_metadata_read_type_0x0405: entry: 000 data type               : 0x00000009
libfvde_encrypted_metadata_read_type_0x0405: entry: 000 copy number             : 0
libfvde_encrypted_metadata_read_type_0x0405: entry: 000 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0405: entry: 000 unknown2                : 0x00000000

libfvde_encrypted_metadata_read_type_0x0405: entry: 001 block number            : 12066944
libfvde_encrypted_metadata_read_type_0x0405: entry: 001 number of blocks        : 65536
libfvde_encrypted_metadata_read_type_0x0405: entry: 001 data type               : 0x00000009
libfvde_encrypted_metadata_read_type_0x0405: entry: 001 copy number             : 0
libfvde_encrypted_metadata_read_type_0x0405: entry: 001 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0405: entry: 001 unknown2                : 0xfffffffffffffffe

libfvde_encrypted_metadata_read_type_0x0405: entry: 002 block number            : 12132480
libfvde_encrypted_metadata_read_type_0x0405: entry: 002 number of blocks        : 171049984
libfvde_encrypted_metadata_read_type_0x0405: entry: 002 data type               : 0x00000009
libfvde_encrypted_metadata_read_type_0x0405: entry: 002 copy number             : 0
libfvde_encrypted_metadata_read_type_0x0405: entry: 002 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0405: entry: 002 unknown2                : 0x00b82080

libfvde_encrypted_metadata_read_type_0x0405: entry: 003 block number            : 183191190
libfvde_encrypted_metadata_read_type_0x0405: entry: 003 number of blocks        : 6144
libfvde_encrypted_metadata_read_type_0x0405: entry: 003 data type               : 0xfffffffffffffffd
libfvde_encrypted_metadata_read_type_0x0405: entry: 003 copy number             : 1
libfvde_encrypted_metadata_read_type_0x0405: entry: 003 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0405: entry: 003 unknown2                : 0x00000000

libfvde_encrypted_metadata_read_type_0x0405: entry: 004 block number            : 183197334
libfvde_encrypted_metadata_read_type_0x0405: entry: 004 number of blocks        : 6144
libfvde_encrypted_metadata_read_type_0x0405: entry: 004 data type               : 0xfffffffffffffffd
libfvde_encrypted_metadata_read_type_0x0405: entry: 004 copy number             : 0
libfvde_encrypted_metadata_read_type_0x0405: entry: 004 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0405: entry: 004 unknown2                : 0x00000000

libfvde_encrypted_metadata_read_type_0x0405: entry: 005 block number            : 183203478
libfvde_encrypted_metadata_read_type_0x0405: entry: 005 number of blocks        : 1024
libfvde_encrypted_metadata_read_type_0x0405: entry: 005 data type               : 0xfffffffffffffffb
libfvde_encrypted_metadata_read_type_0x0405: entry: 005 copy number             : 0
libfvde_encrypted_metadata_read_type_0x0405: entry: 005 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0405: entry: 005 unknown2                : 0x00000000

libfvde_encrypted_metadata_read_type_0x0405: entry: 006 block number            : 183204502
libfvde_encrypted_metadata_read_type_0x0405: entry: 006 number of blocks        : 1024
libfvde_encrypted_metadata_read_type_0x0405: entry: 006 data type               : 0xfffffffffffffffb
libfvde_encrypted_metadata_read_type_0x0405: entry: 006 copy number             : 1
libfvde_encrypted_metadata_read_type_0x0405: entry: 006 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0405: entry: 006 unknown2                : 0x00000000

libfvde_encrypted_metadata_read_type_0x0405: entry: 007 block number            : 183205526
libfvde_encrypted_metadata_read_type_0x0405: entry: 007 number of blocks        : 1024
libfvde_encrypted_metadata_read_type_0x0405: entry: 007 data type               : 0xfffffffffffffffb
libfvde_encrypted_metadata_read_type_0x0405: entry: 007 copy number             : 2
libfvde_encrypted_metadata_read_type_0x0405: entry: 007 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0405: entry: 007 unknown2                : 0x00000000

libfvde_encrypted_metadata_read_type_0x0405: entry: 008 block number            : 183206550
libfvde_encrypted_metadata_read_type_0x0405: entry: 008 number of blocks        : 1024
libfvde_encrypted_metadata_read_type_0x0405: entry: 008 data type               : 0xfffffffffffffffb
libfvde_encrypted_metadata_read_type_0x0405: entry: 008 copy number             : 3
libfvde_encrypted_metadata_read_type_0x0405: entry: 008 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0405: entry: 008 unknown2                : 0x00000000

libfvde_encrypted_metadata_read_type_0x0405: entry: 009 block number            : 183207574
libfvde_encrypted_metadata_read_type_0x0405: entry: 009 number of blocks        : 1
libfvde_encrypted_metadata_read_type_0x0405: entry: 009 data type               : 0xfffffffffffffffc
libfvde_encrypted_metadata_read_type_0x0405: entry: 009 copy number             : 1
libfvde_encrypted_metadata_read_type_0x0405: entry: 009 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0405: entry: 009 unknown2                : 0x00000000

If I force it to accept either of those volume signatures, then I get a fvde1 volume of no discernible filesystem format, measuring 47901573120 bytes in size. Given the sizes (47901573120 / 4096 = 11694720), I suspect fvdemount is deciding that entry 000 is more meaningful than it is, and the solution has something to do with how entry 002 has an unusual unknown2 value (given it's the largest volume, I suspect it's the one that SHOULD be mounting).

[cyberxml]

Confirming the same non-verbose message as in original post. Receive the same error using 'a full device image with an offset' or using 'the partition image with no offset'.

[gliwka]

Same here.

[joachimmetz]

Looks like a multi extent logical volume closing in favor of https://github.com/libyal/libfvde/issues/2