libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes
GNU Lesser General Public License v3.0

Unable to mount APFS container #38

Closed romanoju closed 2 years ago

romanoju commented 6 years ago

We connected a 128G drive externally and installed macOS 10.13.6 (High Sierra) on an HFS+ partition. After the installation it was encrypted with FileVault. After that the drive shows an EFI FAT partition, a Core Storage partition (about 127GB) and a Boot partition (shown below). 'fvdemount 20180108' generates a small fuse file (about 5GB) which fails to mount with an error to the effect that it cannot find the secondary superblock. I even increased the logical volume size in the code, resulting in the fuse file being larger, but it still won't mount and differs considerably from the original data. I have attached the output debugging messages (I added a few debugging messages). Any help with this would be greatly appreciated. Thank you.

fail-to-mount.log

-------------------------------------------------------------------------------------------
Here is a dump of the drive before and after encryption:
Disk /dev/sdbd: 119.2 GiB, 128035676160 bytes, 250069680 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: CBB77971-8A10-4D5A-B3D9-F1A6B6D29EED

Device         Start       End   Sectors   Size Type
/dev/sdbd1        40    409639    409600   200M EFI System
/dev/sdbd2    409640 248800103 248390464 118.5G Apple HFS/HFS+
/dev/sdbd3 248800104 250069639   1269536 619.9M Apple boot
----------------------------------------------------------------------------------------------
Disk /dev/sdbc: 119.2 GiB, 128035676160 bytes, 250069680 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: CBB77971-8A10-4D5A-B3D9-F1A6B6D29EED

Device         Start       End   Sectors   Size Type
/dev/sdbc1        40    409639    409600   200M EFI System
/dev/sdbc2    409640 248800103 248390464 118.5G Apple Core storage
/dev/sdbc3 248800104 250069639   1269536 619.9M Apple boot

joachimmetz commented 6 years ago

Thx for the report with debug log, I'll have a look as soon as time permits. My guess is that libfvde is running into an issue with format compatibility.

romanoju commented 6 years ago

Just found out that 'High Sierra' does not implement "Full Disk Encryption". It encrypts those blocks which are in use only. This would explain the small logical volume size which probably represents used blocks only. So, it would not be supported by libfvde.

axet commented 5 years ago

Mac Mojave (most recent)

axet@axet-laptop:~/source/libfvde$ sudo fvdeinfo -v /dev/sda2
fvdeinfo 20181008

libcfile_file_get_size: device media size: 500068036608
Reading volume header:
libfvde_io_handle_read_volume_header: reading volume header at offset: 0 (0x00000000)
libfvde_io_handle_read_volume_header: volume header data:
00000000: dc 48 51 44 dd bd de 78  01 00 00 00 00 00 00 00   .HQD...x ........
00000010: e0 62 35 00 00 00 00 00  01 00 00 80 00 00 00 00   .b5..... ........
00000020: 4e 58 53 42 00 10 00 00  0b e6 46 07 00 00 00 00   NXSB.... ..F.....
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000040: 02 00 00 00 00 00 00 00  2f d8 ef af 40 40 48 f2   ........ /...@@H.
00000050: a4 8d fd f4 d2 c8 b8 cf  27 f2 be 00 00 00 00 00   ........ '.......
00000060: e1 62 35 00 00 00 00 00  18 01 00 00 34 6c 00 00   .b5..... ....4l..
00000070: 01 00 00 00 00 00 00 00  19 01 00 00 00 00 00 00   ........ ........
00000080: 13 00 00 00 12 5a 00 00  10 00 00 00 03 00 00 00   .....Z.. ........
00000090: 7e 59 00 00 94 00 00 00  00 04 00 00 00 00 00 00   ~Y...... ........
000000a0: 78 4d 0d 00 00 00 00 00  01 04 00 00 00 00 00 00   xM...... ........
000000b0: 00 00 00 00 64 00 00 00  02 04 00 00 00 00 00 00   ....d... ........
000000c0: 06 04 00 00 00 00 00 00  08 04 00 00 00 00 00 00   ........ ........
000000d0: 6e a4 00 00 00 00 00 00  00 00 00 00 00 00 00 00   n....... ........
000000e0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
000001f0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_io_handle_read_volume_header: checksum              : 0x445148dc
libfvde_io_handle_read_volume_header: initial value         : 0x78debddd
libfvde_io_handle_read_volume_header: version               : 1
libfvde_io_handle_read_volume_header: block type            : 0x0000
libfvde_io_handle_read_volume_header: serial number         : 0x00000000
libfvde_io_handle_read_volume_header: unknown2              : 0x003562e0
libfvde_io_handle_read_volume_header: unknown3a             : 0x80000001
libfvde_io_handle_read_volume_header: unknown3b             : 0x10004253584e
libfvde_io_handle_read_volume_header: unknown3c             : 0x0746e60b
libfvde_io_handle_read_volume_header: bytes per sector          : 0
libfvde_io_handle_read_volume_header: unknown4a             : 0x00000000
libfvde_io_handle_read_volume_header: unknown4b             : 0x00000000
libfvde_io_handle_read_volume_header: physical volume size      : 2
libfvde_io_handle_read_volume_header: unknown5:
00000000: 2f d8 ef af 40 40 48 f2  a4 8d fd f4 d2 c8 b8 cf   /...@@H. ........

libfvde_io_handle_read_volume_header: core storage signature        : '�
libfvde_io_handle_read_volume_header: checksum algorithm        : 190
libfvde_io_handle_read_volume_header: unknown6              : 0x0000
libfvde_io_handle_read_volume_header: block size            : 3498721
libfvde_io_handle_read_volume_header: metadata size         : 0
libfvde_io_handle_read_volume_header: first metadata block number   : 118970594099480
libfvde_io_handle_read_volume_header: second metadata block number  : 1
libfvde_io_handle_read_volume_header: third metadata block number   : 281
libfvde_io_handle_read_volume_header: fourth metadata block number  : 99033355911187
libfvde_io_handle_read_volume_header: unknown7:
00000000: 10 00 00 00 03 00 00 00  7e 59 00 00 94 00 00 00   ........ ~Y......
00000010: 00 04 00 00 00 00 00 00  78 4d 0d 00 00 00 00 00   ........ xM......

libfvde_io_handle_read_volume_header: encryption method         : 0
libfvde_io_handle_read_volume_header: key data:
00000000: 00 00 00 00 64 00 00 00  02 04 00 00 00 00 00 00   ....d... ........
00000010: 06 04 00 00 00 00 00 00  08 04 00 00 00 00 00 00   ........ ........
00000020: 6e a4 00 00 00 00 00 00  00 00 00 00 00 00 00 00   n....... ........
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_io_handle_read_volume_header: physical volume identifier    : 00000000-0000-0000-0000-000000000000
libfvde_io_handle_read_volume_header: logical volume group identifier   : 00000000-0000-0000-0000-000000000000
libfvde_io_handle_read_volume_header: unknown8:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
000000a0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

Unable to open: /dev/sda2.
libfvde_io_handle_read_volume_header: unsupported core storage signature.
libfvde_volume_open_read: unable to read volume header.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

joachimmetz commented 5 years ago

@axet you are trying to mount an APFS container (which is not supported). This library only supports FVDE CoreStorage volumes.
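
The distinction can be checked directly on the header bytes in the dump above. This is an added example, not libfvde code: it looks for the `CS` signature at offset 88 (the field the debug output labels "core storage signature") and for the APFS container magic `NXSB` at offset 32. The function name `identify_container` is hypothetical, and the input is the first 0x60 bytes copied from the hex dump.

```python
import struct

CS_SIGNATURE_OFFSET = 88  # 0x58, the field fvdeinfo prints as "core storage signature"
APFS_MAGIC_OFFSET = 32    # 0x20, directly after the 32-byte APFS object header

# First 0x60 bytes of /dev/sda2, copied from the fvdeinfo hex dump above.
SDA2_HEADER = bytes.fromhex(
    "dc485144ddbdde780100000000000000"
    "e0623500000000000100008000000000"
    "4e585342001000000be6460700000000"
    "00000000000000000000000000000000"
    "02000000000000002fd8efaf404048f2"
    "a48dfdf4d2c8b8cf27f2be0000000000"
)


def identify_container(header: bytes) -> dict:
    """Classify the first bytes of a partition as Core Storage, APFS or unknown."""
    if len(header) < CS_SIGNATURE_OFFSET + 2:
        raise ValueError("need at least 90 bytes from the start of the partition")
    if header[CS_SIGNATURE_OFFSET:CS_SIGNATURE_OFFSET + 2] == b"CS":
        return {"format": "corestorage"}
    if header[APFS_MAGIC_OFFSET:APFS_MAGIC_OFFSET + 4] == b"NXSB":
        # nx_block_size (uint32) and nx_block_count (uint64) follow the magic.
        block_size, block_count = struct.unpack_from(
            "<IQ", header, APFS_MAGIC_OFFSET + 4
        )
        return {
            "format": "apfs",
            "block_size": block_size,
            "container_bytes": block_size * block_count,
        }
    return {"format": "unknown"}


if __name__ == "__main__":
    print(identify_container(SDA2_HEADER))
```

For this dump the computed container size equals the "device media size" line at the top of the fvdeinfo output, which confirms the bytes are being read as an APFS container superblock rather than a Core Storage volume header.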

joachimmetz commented 2 years ago

Closing in favor of https://github.com/libyal/libfvde/issues/2

joachimmetz commented 2 years ago

Original issue likely related to multiple data segments:

libfvde_encrypted_metadata_read_type_0x0305: number of entries                  : 2
libfvde_encrypted_metadata_read_type_0x0305: unknown1                           : 0x00000000

libfvde_encrypted_metadata_read_type_0x0305: entry: 000 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0305: entry: 000 logical block number    : 0
libfvde_encrypted_metadata_read_type_0x0305: entry: 000 number of blocks        : 1281120
libfvde_encrypted_metadata_read_type_0x0305: entry: 000 unknown3                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0305: entry: 000 unknown4                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0305: entry: 000 unknown5                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0305: entry: 000 physical block number   : 0
libfvde_encrypted_metadata_read_type_0x0305: entry: 000 unknown6                : 0x00000000

libfvde_encrypted_metadata_read_type_0x0305: entry: 001 unknown1                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0305: entry: 001 logical block number    : 1281120
libfvde_encrypted_metadata_read_type_0x0305: entry: 001 number of blocks        : 29677056
libfvde_encrypted_metadata_read_type_0x0305: entry: 001 unknown3                : 0x00400000
libfvde_encrypted_metadata_read_type_0x0305: entry: 001 unknown4                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0305: entry: 001 unknown5                : 0x00000000
libfvde_encrypted_metadata_read_type_0x0305: entry: 001 physical block number   : 1346656
libfvde_encrypted_metadata_read_type_0x0305: entry: 001 unknown6                : 0x00000000
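
A sketch of how a two-entry segment table like the one in this log translates logical blocks to physical blocks. It is an added example, not libfvde code. The function names, the 4096-byte block size, and the reading of "physical block number" as a block offset from the start of the physical volume are assumptions; the segment values are taken from the log above.

```python
from bisect import bisect_right

BLOCK_SIZE = 4096  # assumption: the block size is not stated in this log

# (logical block number, number of blocks, physical block number),
# taken from entries 000 and 001 of the 0x0305 metadata above.
SEGMENTS = [
    (0, 1281120, 0),
    (1281120, 29677056, 1346656),
]


def total_logical_blocks(segments):
    """Check the segments tile the logical volume without gaps or overlaps."""
    expected = 0
    for logical, count, _physical in sorted(segments):
        if logical != expected:
            raise ValueError(f"gap or overlap at logical block {logical}")
        expected = logical + count
    return expected


def logical_to_physical(segments, logical_block):
    """Map a logical block to its physical block through the segment table."""
    ordered = sorted(segments)
    starts = [segment[0] for segment in ordered]
    index = bisect_right(starts, logical_block) - 1
    if index < 0:
        raise ValueError("logical block precedes the first segment")
    logical, count, physical = ordered[index]
    if logical_block >= logical + count:
        raise ValueError("logical block is past the end of the volume")
    return physical + (logical_block - logical)


def first_segment_bytes(segments, block_size=BLOCK_SIZE):
    """Size of the volume as seen by a reader that stops after segment 0."""
    return sorted(segments)[0][1] * block_size


if __name__ == "__main__":
    print(total_logical_blocks(SEGMENTS) * BLOCK_SIZE)
    print(first_segment_bytes(SEGMENTS))
    print(logical_to_physical(SEGMENTS, 1281120))
```

Under the 4096-byte assumption the first segment alone is 5,247,467,520 bytes, in line with the "about 5GB" fuse file in the original report, while both segments together come to 126,804,688,896 bytes.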