libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes
GNU Lesser General Public License v3.0

libfvde_io_handle_read_volume_header: unsupported core storage signature #27

Closed giorgidze closed 2 years ago

giorgidze commented 7 years ago

I am trying to decrypt an external USB drive (Time Machine backup generated by Mac OS X).

Am I missing something obvious? (See below the steps to reproduce).

mmls output is as follows:

$ sudo mmls /dev/sda
[sudo] password for george: 
GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

     Slot    Start        End          Length       Description
00:  Meta    0000000000   0000000000   0000000001   Safety Table
01:  -----   0000000000   0000000039   0000000040   Unallocated
02:  Meta    0000000001   0000000001   0000000001   GPT Header
03:  Meta    0000000002   0000000033   0000000032   Partition Table
04:  00      0000000040   0000409639   0000409600   EFI System Partition
05:  01      0000409640   1953262983   1952853344   TIME_MACHINE
06:  02      1953262984   1953525127   0000262144   Booter
07:  -----   1953525128   1953525167   0000000040   Unallocated

When running fvdemount I get the following error

$ sudo ./fvdemount -o $(( 409640 * 512 )) /dev/sda2 /mnt/Samsung
fvdemount 20170827

Unable to open: /dev/sda2.
libfvde_io_handle_read_volume_header: unsupported core storage signature.
libfvde_volume_open_read: unable to read volume header.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

To obtain more detailed information I have built fvdemount with debug and verbose output. More detailed output is below.

I tried with the actual password (with -p), but still get the same error.

$ sudo ./fvdemount -v -o $(( 409640 * 512 )) /dev/sda2 /mnt/Samsung
fvdemount 20170827

libcfile_file_get_size: device media size: 999860912128
Reading volume header:
libfvde_io_handle_read_volume_header: reading volume header at offset: 0 (0x00000000)
libfvde_io_handle_read_volume_header: volume header data:

libfvde_io_handle_read_volume_header: checksum              : 0xd18aa350
libfvde_io_handle_read_volume_header: initial value         : 0x09354071
libfvde_io_handle_read_volume_header: version               : 41967
libfvde_io_handle_read_volume_header: block type            : 0x84ab
libfvde_io_handle_read_volume_header: serial number         : 0xd309d3f3
libfvde_io_handle_read_volume_header: unknown2              : 0x6afc7c480b1bd7b9
libfvde_io_handle_read_volume_header: unknown3a             : 0xfcaebeaf3d951189
libfvde_io_handle_read_volume_header: unknown3b             : 0x8976ce04bf443402
libfvde_io_handle_read_volume_header: unknown3c             : 0xe192a6880daec820
libfvde_io_handle_read_volume_header: bytes per sector          : 1854481868
libfvde_io_handle_read_volume_header: unknown4a             : 0x82192798
libfvde_io_handle_read_volume_header: unknown4b             : 0x7a3d8197f660d98d
libfvde_io_handle_read_volume_header: physical volume size      : 4402425697507534088
libfvde_io_handle_read_volume_header: unknown5:
00000000: ed 8d 60 6a 31 b3 7e 07  db ba 1e d9 63 e8 f6 75   ..`j1.~. ....c..u

libfvde_io_handle_read_volume_header: core storage signature        : d
libfvde_io_handle_read_volume_header: checksum algorithm        : 1937443297
libfvde_io_handle_read_volume_header: unknown6              : 0x05b9
libfvde_io_handle_read_volume_header: block size            : 2189325137
libfvde_io_handle_read_volume_header: metadata size         : 4105915120
libfvde_io_handle_read_volume_header: first metadata block number   : 12871891460444144818
libfvde_io_handle_read_volume_header: second metadata block number  : 11423073882411430823
libfvde_io_handle_read_volume_header: third metadata block number   : 8048228748494746120
libfvde_io_handle_read_volume_header: fourth metadata block number  : 8081545414007566711
libfvde_io_handle_read_volume_header: unknown7:
00000000: 68 a2 ed 4e c6 f8 dc d8  57 f5 39 3a f9 ed ed 06   h..N.... W.9:....
00000010: a6 09 55 6d ea 7d df e9  ae 6c f5 44 a8 06 16 87   ..Um.}.. .l.D....

libfvde_io_handle_read_volume_header: encryption method         : 656311174
libfvde_io_handle_read_volume_header: key data:

libfvde_io_handle_read_volume_header: physical volume identifier    : 6fc2de25-bd15-8965-64e5-eb8b159dcbba
libfvde_io_handle_read_volume_header: logical volume group identifier   : 34571175-7598-1156-625f-82c20b2693d6
libfvde_io_handle_read_volume_header: unknown8:

Unable to open: /dev/sda2.
libfvde_io_handle_read_volume_header: unsupported core storage signature.
libfvde_volume_open_read: unable to read volume header.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

I can reproduce with the latest version available for download, as well as the latest code in Git.

My system spec is as follows

Linux raspberrypi 4.9.35-v7+ #1014 SMP Fri Jun 30 14:47:43 BST 2017 armv7l GNU/Linux

joachimmetz commented 7 years ago

> libfvde_io_handle_read_volume_header: unsupported core storage signature.

This tells you libfvde cannot find the correct data structure signature.

giorgidze commented 7 years ago

Is this because of the type of encryption not yet supported by libfvde?

joachimmetz commented 7 years ago

I do not have sufficient details to answer your question. In the data you've provided there is no core storage signature. It could be a different format, it could be something specific to your set up.

How did you create your USB drive?

giorgidze commented 7 years ago

The Samsung USB drive was formatted by Mac OS X (Time Machine), it should have an encrypted HFS+ file system. What I see in gparted and other Linux tools is that the unrecognisable / encrypted partition is on /dev/sda2.

Are the commands I am issuing above (including the offset calculation) correct?

joachimmetz commented 7 years ago

> Are the commands I am issuing above (including the offset calculation) correct?

As far as I can tell, yes: 512 byte sector size x 409640 sectors

Can you try hexdump -Cv /dev/sda | less and look at the first 512 bytes of the volume?
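
The check requested above, done programmatically, as an added example that is not part of the thread or of libfvde: it reads one 512-byte sector at a candidate offset and tests for the Core Storage signature at byte 88, the position that follows from the field order in the verbose output (checksum through unknown5 occupy bytes 0-87). The expected value "CS" comes from libfvde's format documentation rather than this page; the disk image, its 40-sector start and all function names are constructed for illustration, and the sample also shows that a sector offset taken from mmls is relative to the whole-disk device, so the same number applied to a partition-only source points somewhere else.

```python
import io
import struct

SECTOR = 512            # sector size reported by mmls on the page
SIGNATURE_OFFSET = 88   # bytes 0-87 hold checksum .. unknown5 in the verbose dump


def parse_header(header: bytes) -> dict:
    """Decode the little-endian fields needed for triage from a volume header."""
    if len(header) < SECTOR:
        raise ValueError("short read: need a full 512-byte sector")
    bytes_per_sector, = struct.unpack_from("<I", header, 48)
    physical_volume_size, = struct.unpack_from("<Q", header, 64)
    return {
        "signature": header[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2],
        "bytes_per_sector": bytes_per_sector,
        "physical_volume_size": physical_volume_size,
    }


def probe(source, offset: int) -> str:
    """Classify what lies at `offset` in a seekable binary source."""
    source.seek(offset)
    header = source.read(SECTOR)
    if len(header) < SECTOR:
        return "offset beyond end of source"
    if parse_header(header)["signature"] == b"CS":
        return "core storage header"
    return "no core storage signature"


def build_constructed_disk(start_sector: int, volume_sectors: int):
    """Constructed sample: a whole-disk image and the partition-only view of it."""
    header = bytearray(SECTOR)
    struct.pack_into("<I", header, 48, SECTOR)
    struct.pack_into("<Q", header, 64, volume_sectors * SECTOR)
    header[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] = b"CS"
    partition = bytes(header) + bytes((volume_sectors - 1) * SECTOR)
    disk = bytes(start_sector * SECTOR) + partition
    return io.BytesIO(disk), io.BytesIO(partition)


if __name__ == "__main__":
    disk, partition = build_constructed_disk(start_sector=40, volume_sectors=16)
    cases = (("disk", disk, 40 * SECTOR), ("disk", disk, 0),
             ("partition", partition, 0), ("partition", partition, 40 * SECTOR))
    for name, src, off in cases:
        print(f"{name} @ {off}: {probe(src, off)}")
```

On the page's own numbers, the media size libcfile reports for /dev/sda2 (999860912128 bytes) equals the TIME_MACHINE length of 1952853344 sectors times 512, which identifies that device as the partition-only view.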

joachimmetz commented 7 years ago

Also, what do you mean with "encrypted HFS+ file system"?

Note that there is FileVault 1 and FileVault 2 (core storage).

joachimmetz commented 2 years ago

No update from original reporter, closing issue.