libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes
GNU Lesser General Public License v3.0

libfvde_metadata_block_read_data: unsupported block size: 2466354417 #40

Open dunkhong opened 5 years ago

dunkhong commented 5 years ago

I am decrypting a disk encrypted by FileVault2, I guess. But I got the following error:

libfvde_metadata_block_read_data: header data:
00000000: d9 79 20 d6 01 77 a1 b7  bc 32 75 91 2a 52 ba 22   .y ..w.. .2u.*R."
00000010: 48 d8 f7 87 0f 39 8d 69  51 e0 48 94 14 8a 78 5e   H....9.i Q.H...x^
00000020: 0c a1 c3 fd ee 1a a9 5f  9c c1 d4 d6 c2 91 b4 1f   ......._ ........
00000030: f1 94 01 93 09 56 08 37  1d 00 2d 4f 3d fc 68 91   .....V.7 ..-O=.h.

libfvde_metadata_block_read_data: checksum              : 0xd62079d9
libfvde_metadata_block_read_data: initial value             : 0xb7a17701
libfvde_metadata_block_read_data: version               : 12988
libfvde_metadata_block_read_data: type                  : 0x9175
libfvde_metadata_block_read_data: serial number             : 0x22ba522a
libfvde_metadata_block_read_data: group                 : 7605798084567095368
libfvde_metadata_block_read_data: unknown3              : 0x5e788a149448e051
libfvde_metadata_block_read_data: number                : 6893070318429249804
libfvde_metadata_block_read_data: unknown5              : 0x1fb491c2d6d4c19c
libfvde_metadata_block_read_data: size                  : 2466354417
libfvde_metadata_block_read_data: unknown6              : 0x37085609
libfvde_metadata_block_read_data: unknown7              : 0x9168fc3d4f2d001d

 Unable to open: /dev/loop14p2.
 libfvde_metadata_block_read_data: unsupported block size: 2466354417.
 libfvde_encrypted_metadata_read: unable to read metadata block.
 libfvde_volume_open_read: unable to read primary encrypted metadata.
 libfvde_volume_open_file_io_handle: unable to read from file IO handle.
 info_handle_open_input: unable to open input volume.

I am using libfvde-20180108. Any help with this would be greatly appreciated. Thank you.

delikat commented 5 years ago

Seeing a similar issue on libfvde-20190104 with a FileVault2 encrypted SD card.

fvdeinfo 20190104

Unable to open: /dev/disk3s2.
libfvde_metadata_block_read_data: unsupported block size: 843235416.
libfvde_encrypted_metadata_read: unable to read metadata block.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

joachimmetz commented 5 years ago

Could you provide me with format debug output?

Also see: https://github.com/libyal/libfvde/wiki/Troubleshooting#verbose-and-debug-output

delikat commented 5 years ago

Yes, here's the stderr output: https://filebin.net/fehpd3bbrwdgc0rk/debug.log (it's quite large, about 32MB)

I configured with --enable-verbose-output --enable-debug-output. Thanks for taking a look!

Here's also an mmls of the card:

GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0030619607   0030209968   Hmm
006:  002       0030619608   0030881751   0000262144   Booter
007:  -------   0030881752   0030881791   0000000040   Unallocated

joachimmetz commented 5 years ago

> Yes, here's the stderr output: https://filebin.net/fehpd3bbrwdgc0rk/debug.log (it's quite large, about 32MB)

Thx, I'll have a look as soon as time permits.

For the future, know that you can compress the log file: `gzip debug.log`

bulhakov-adf commented 5 years ago

Hi @joachimmetz,

I have faced the same problem with a removable media volume. Here is an output: fvdeinfo_output.txt

It looks like skipping the block size check for 8192 value fixes the problem, but I am not sure that this is the right approach.

I can share a 7 GB image with a password via Google Drive.

n0rdlicht90 commented 4 years ago

I also have the same problem with a removable media volume. Is there a solution for this? Here is my error.log file:

error.log.gz

The mmls of the removable media volume is:

GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0014847335   0014437696   
006:  002       0014847336   0015109479   0000262144   Booter
007:  -------   0015109480   0015109519   0000000040   Unallocated

And I use the command:

./fvdeinfo -p passwort -o $((512*409640)) ~/Sicherung/FileVault2/Image/FileVault2.dd

joachimmetz commented 4 years ago

Thx for the additional debug information, I'll have a look as time permits.

joachimmetz commented 2 years ago

For both error.log.gz and fvdeinfo_output.txt there is "random" data after a 0x0013 block. Could this be related to https://github.com/libyal/libfvde/issues/12 ?

joachimmetz commented 2 years ago

> I can share a 7 GB image with a password via Google Drive.

@bulhakov-adf if you still have the image, that could be useful in determining what the cause of this is.

joachimmetz commented 2 years ago

same error message seen in combination with physical volume with different key data in the volume header

For both error.log.gz and fvdeinfo_output.txt

And for debug.txt from https://github.com/libyal/libfvde/issues/53

maybe related to how the encrypted metadata should be read?

foglerek commented 6 months ago

Hello,

I'm facing a similar issue with a CoreStorage encrypted external USB drive.

Here's the beginning of the error log output. I initially had the entirety gzipped and uploaded (it was ~40MB), but after skimming over it I saw unencrypted PII in the libfvde_metadata_block_read_data: data: output (which doesn't really make sense to me).

Verbose Log (Truncated)

```
Reading volume header:
libfvde_volume_header_read_file_io_handle: reading volume header at offset: 0 (0x00000000)
libfvde_volume_header_read_data: volume header data:
00000000: 94 44 91 f4 ff ff ff ff 01 00 10 00 07 14 d7 01 .D...... ........
00000010: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000030: 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000040: 00 20 d8 3d 00 00 00 00 00 00 00 00 00 00 00 00 . .=.... ........
00000050: 00 00 00 00 00 00 00 00 43 53 01 00 00 00 04 00 ........ CS......
00000060: 00 10 00 00 00 00 40 00 01 00 00 00 00 00 00 00 ......@. ........
00000070: 01 04 00 00 00 00 00 00 81 d5 03 00 00 00 00 00 ........ ........
00000080: 81 d9 03 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000a0: 00 00 00 00 00 00 00 00 10 00 00 00 02 00 00 00 ........ ........
000000b0: f6 8f ba 34 a9 e6 32 86 6e 0a 3f 15 a5 71 f5 5b ...4..2. n.?..q.[
000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
...
00000120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000130: db e2 92 6d c6 95 40 e9 9b 8f a1 57 1f 30 71 ff ...m..@. ...W.0q.
00000140: 28 48 7e a5 45 32 44 94 a1 9e 6a 26 b6 8e b6 cd (H~.E2D. ..j&....
00000150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
...
000001f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........

libfvde_volume_header_read_data: checksum : 0xf4914494
libfvde_volume_header_read_data: initial value : 0xffffffff
libfvde_volume_header_read_data: format version : 1
libfvde_volume_header_read_data: block type : 0x0010
libfvde_volume_header_read_data: serial number : 0x01d71407
libfvde_volume_header_read_data: unknown2 : 0x00000001
libfvde_volume_header_read_data: unknown3a : 0x00000000
libfvde_volume_header_read_data: unknown3b : 0x00000000
libfvde_volume_header_read_data: unknown3c : 0x00000000
libfvde_volume_header_read_data: bytes per sector : 512
libfvde_volume_header_read_data: unknown4a : 0x00000000
libfvde_volume_header_read_data: unknown4b : 0x00000000
libfvde_volume_header_read_data: physical volume size : 1037574144
libfvde_volume_header_read_data: unknown5:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
libfvde_volume_header_read_data: core storage signature : CS
libfvde_volume_header_read_data: checksum algorithm : 1
libfvde_volume_header_read_data: unknown6 : 0x0004
libfvde_volume_header_read_data: block size : 4096
libfvde_volume_header_read_data: metadata size : 4194304
libfvde_volume_header_read_data: metadata: 1 block number : 1
libfvde_volume_header_read_data: metadata: 2 block number : 1025
libfvde_volume_header_read_data: metadata: 3 block number : 251265
libfvde_volume_header_read_data: metadata: 4 block number : 252289
libfvde_volume_header_read_data: unknown7:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
libfvde_volume_header_read_data: key data size : 16
libfvde_volume_header_read_data: encryption method : 2
libfvde_volume_header_read_data: key data:
00000000: f6 8f ba 34 a9 e6 32 86 6e 0a 3f 15 a5 71 f5 5b ...4..2. n.?..q.[
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
...
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........

libfvde_volume_header_read_data: physical volume identifier : dbe2926d-c695-40e9-9b8f-a1571f3071ff
libfvde_volume_header_read_data: volume group identifier : 28487ea5-4532-4494-a19e-6a26b68eb6cd
libfvde_volume_header_read_data: unknown8:
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
...
000000a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........

Reading metadata: 1
libfvde_metadata_read_file_io_handle: reading metadata at offset: 4096 (0x00001000)
libfvde_metadata_block_read_data: header data:
00000000: 63 29 1a a0 ff ff ff ff 01 00 11 00 07 14 d7 01 c)...... ........
00000010: 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000030: 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 . ...... ........

libfvde_metadata_block_read_data: checksum : 0xa01a2963
libfvde_metadata_block_read_data: initial value : 0xffffffff
libfvde_metadata_block_read_data: version : 1
libfvde_metadata_block_read_data: type : 0x0011
libfvde_metadata_block_read_data: serial number : 0x01d71407
libfvde_metadata_block_read_data: transaction identifier : 6
libfvde_metadata_block_read_data: object identifier : 0
libfvde_metadata_block_read_data: number : 0
libfvde_metadata_block_read_data: unknown5 : 0x00000000
libfvde_metadata_block_read_data: size : 8192
libfvde_metadata_block_read_data: unknown6 : 0x00000000
libfvde_metadata_block_read_data: unknown7 : 0x00000000
libfvde_metadata_block_read_data: data:
00000000: 00 00 40 00 03 00 00 00 fb a7 93 6c ff ff ff ff ..@..... ...l....
00000010: 07 57 7e c0 07 14 d7 01 07 14 d7 01 10 27 01 00 .W~..... .....'..
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000040: 00 00 00 00 00 00 00 00 07 14 d7 01 07 14 d7 01 ........ ........
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000060: 00 00 00 00 00 00 00 00 0c 00 00 00 0d 00 00 00 ........ ........
00000070: 40 00 00 00 30 00 01 00 01 00 00 00 01 00 01 00 @...0... ........
00000080: 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000090: 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 ........ ..... ..
000000a0: 30 20 00 00 72 01 00 00 72 01 00 00 00 00 00 00 0 ..r... r.......
000000b0: 82 dd 03 00 00 00 00 00 0a 00 00 00 00 00 00 00 ........ ........
000000c0: 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
000000d0: 19 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 ........ ........
000000e0: 00 00 00 00 00 00 00 00 15 00 00 00 00 00 00 00 ........ ........
000000f0: 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000100: 11 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 ........ ........
00000110: 00 00 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 ........ ........
00000120: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000130: 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 ........ ........
00000140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000150: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
00000160: 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 ........ ........
00000170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
...
```

And mmls output:

GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0002026551   0002026512   Stuff
005:  -------   0002026552   0002026591   0000000040   Unallocated

The non-verbose output from fvdeinfo is:

> fvdeinfo -p x -o $((512*40)) ~/stuff.dd
fvdeinfo 20240113

libfvde_metadata_block_read_data: unsupported block size: 1907549319.
libfvde_encrypted_metadata_read_from_file_io_handle: unable to read metadata block.
libfvde_internal_volume_open_read: unable to read encrypted metadata 1.
libfvde_internal_volume_open_read: unable to read physical volume files from file IO pool.
Unable to open: /Users/Alex/stuff.dd.
libfvde_metadata_block_read_data: unsupported block size: 1907549319.
libfvde_encrypted_metadata_read_from_file_io_handle: unable to read metadata block.
libfvde_internal_volume_open_read: unable to read encrypted metadata 1.
libfvde_volume_open_physical_volume_files_file_io_pool: unable to read physical volume files from file IO pool.
info_handle_open: unable to open physical volume files.

The output is identical to running sudo fvdeinfo -p x -o $((512*40)) /dev/disk5.

The image file was created through:

dd bs=16M if=/dev/disk5 of=/<redacted>/stuff.dd

And lastly, the diskutil output is here:

> diskutil coreStorage list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 28487EA5-4532-4494-A19E-6A26B68EB6CD
    =========================================================
    Name:         Stuff
    Status:       Online
    Size:         1037574144 B (1.0 GB)
    Free Space:   14159872 B (14.2 MB)
    |
    +-< Physical Volume DBE2926D-C695-40E9-9B8F-A1571F3071FF
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk5s1
    |   Status:   Online
    |   Size:     1037574144 B (1.0 GB)
    |
    +-> Logical Volume Family EEDD82BD-A08A-408C-8FE7-B7F2E5C9950C
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        Conversion Status:       Complete
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |                        Accepts New Users
        |                        Has Visible Users
        |                        Has Volume Key
        |
        +-> Logical Volume AA69F2A7-A5CD-4DDF-A79B-3B04741A6D9E
            ---------------------------------------------------
            Disk:                  -none-
            Status:                Locked
            Size (Total):          671088640 B (671.1 MB)
            Revertible:            No
            LV Name:               Stuff
            Content Hint:          Apple_HFSX
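
The 64-byte metadata block header printed in the debug logs above can be decoded directly from the posted bytes. The following is an added example, not code from libfvde or from anyone in this thread: it parses both posted headers and lists which fields of the failing one differ from the readable one. The plausibility rules (initial value 0xffffffff, version 1, size a non-zero multiple of the 4096-byte block size and no larger than the 4194304-byte metadata size) are assumptions taken from the last verbose log, not libfvde's actual checks.

```python
import struct

# 64-byte little-endian header; field order and widths follow the
# libfvde_metadata_block_read_data debug output quoted in this thread
# (names as printed by fvdeinfo 20240113; older builds label two of them
# "group" and "unknown3").
HEADER = struct.Struct("<IIHHIQQQQIIQ")
FIELDS = ("checksum", "initial_value", "version", "type", "serial_number",
          "transaction_identifier", "object_identifier", "number",
          "unknown5", "size", "unknown6", "unknown7")

# Constructed sample input: the two "header data" hexdumps posted above.
FAILING_HEADER = bytes.fromhex(
    "d9 79 20 d6 01 77 a1 b7 bc 32 75 91 2a 52 ba 22"
    "48 d8 f7 87 0f 39 8d 69 51 e0 48 94 14 8a 78 5e"
    "0c a1 c3 fd ee 1a a9 5f 9c c1 d4 d6 c2 91 b4 1f"
    "f1 94 01 93 09 56 08 37 1d 00 2d 4f 3d fc 68 91")
READABLE_HEADER = bytes.fromhex(
    "63 29 1a a0 ff ff ff ff 01 00 11 00 07 14 d7 01"
    "06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00")


def parse_header(data: bytes) -> dict:
    """Decode the first 64 bytes of a metadata block into named fields."""
    if len(data) < HEADER.size:
        raise ValueError(f"need {HEADER.size} bytes, got {len(data)}")
    return dict(zip(FIELDS, HEADER.unpack_from(data)))


def triage(data: bytes, block_size: int = 4096,
           metadata_size: int = 4194304) -> list:
    """Return the reasons a header looks like undecoded data (assumed rules)."""
    h = parse_header(data)
    reasons = []
    if h["initial_value"] != 0xFFFFFFFF:
        reasons.append(f"initial value 0x{h['initial_value']:08x} != 0xffffffff")
    if h["version"] != 1:
        reasons.append(f"version {h['version']} != 1")
    if h["size"] == 0 or h["size"] % block_size or h["size"] > metadata_size:
        reasons.append(f"size {h['size']} is not a plausible block size")
    return reasons


if __name__ == "__main__":
    for name, raw in (("failing", FAILING_HEADER), ("readable", READABLE_HEADER)):
        print(name, parse_header(raw)["size"], triage(raw) or "looks well-formed")
```

Every fixed field of the failing header is implausible at once, not only the size, which is consistent with the maintainer's observation of "random" data at that position.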