libyal / libfvde

Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes
GNU Lesser General Public License v3.0

libfvde_io_handle_read_volume_header: unsupported core storage signature #63

Open isacaagesen opened 11 months ago

isacaagesen commented 11 months ago

I am trying to access the files on the boot HDD of a MacBook. Working off Ubuntu 22.04 LTS running on Windows Hyper-V, with the MacBook drive directly passed to the VM.

I've run the following command:

fvdemount -e /home/isac/EncryptedRoot.plist.wipekey -p x -io $((409640*512)) /dev/sdb2 /mnt/fuse

To which I get the following output:

Unable to open: /dev/sdb2.
libfvde_io_handle_read_volume_header: unsupported core storage signature.
libfvde_volume_open_read: unable to read volume header.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
mount_handle_open_input: unable to open input volume.

I am unsure of where to proceed from here. Found two other issues on GitHub with the same output but they remain unresolved.

Ubuntu disk utility shows the contents as "Unknown".

fdisk -l

Disk /dev/sdb: 698,64 GiB, 750156374016 bytes, 1465149168 sectors
Disk model: MK7559GSXF
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 4096 bytes
I/O size (minimum/optimal): 4096 bytes / 4096 bytes
Disklabel type: gpt
Disk identifier: 00005488-647E-0000-CD37-00007E6C0000

Device          Start        End    Sectors   Size Type
/dev/sdb1          40     409639     409600   200M EFI System
/dev/sdb2      409640 1463879591 1463469952 697,8G Apple Core storage
/dev/sdb3  1463879592 1465149127    1269536 619,9M Apple boot

joachimmetz commented 11 months ago

Are you sure your MacBook uses CoreStorage?

isacaagesen commented 11 months ago

> Are you sure your MacBook uses CoreStorage?

I don't know other than that fdisk says it is. Quite a while since the HDD died. Machine has been bootcamped in the past.

joachimmetz commented 11 months ago

Not sure where/how fdisk gets that information. I assume given the GPT ID is 53746f72-6167-11aa-aa11-00306543ecac

The library is not able to find the right signature, this could be due to the fact that the format is partially understood publicly. Try verbose and debug output (https://github.com/libyal/libfvde/wiki/Troubleshooting#verbose-and-debug-output), it might indicate what is different in your case.

isacaagesen commented 11 months ago

Here it is. I'll be frank and say I can't make much sense of this myself.

sudo fvdemount -v -e /home/isac/EncryptedRoot.plist.wipekey -p x -o $((409640*512)) /dev/sdb2 /mnt/fuse
fvdemount 20220915

libfvde_encryption_context_plist_read_file_io_handle: reading file of size: 906400

libcfile_internal_file_get_size: device media size: 749296615424
Reading volume header:
libfvde_volume_header_read_file_io_handle: reading volume header at offset: 0 (0x00000000)
libfvde_volume_header_read_data: volume header data:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
000001f0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_volume_header_read_data: checksum : 0x00000000
libfvde_volume_header_read_data: initial value : 0x00000000
libfvde_volume_header_read_data: format version : 0
libfvde_volume_header_read_data: block type : 0x0000
libfvde_volume_header_read_data: serial number : 0x00000000
libfvde_volume_header_read_data: unknown2 : 0x00000000
libfvde_volume_header_read_data: unknown3a : 0x00000000
libfvde_volume_header_read_data: unknown3b : 0x00000000
libfvde_volume_header_read_data: unknown3c : 0x00000000
libfvde_volume_header_read_data: bytes per sector : 0
libfvde_volume_header_read_data: unknown4a : 0x00000000
libfvde_volume_header_read_data: unknown4b : 0x00000000
libfvde_volume_header_read_data: physical volume size : 0
libfvde_volume_header_read_data: unknown5:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_volume_header_read_data: core storage signature :
libfvde_volume_header_read_data: checksum algorithm : 0
libfvde_volume_header_read_data: unknown6 : 0x0000
libfvde_volume_header_read_data: block size : 0
libfvde_volume_header_read_data: metadata size : 0
libfvde_volume_header_read_data: metadata: 1 block number : 0
libfvde_volume_header_read_data: metadata: 2 block number : 0
libfvde_volume_header_read_data: metadata: 3 block number : 0
libfvde_volume_header_read_data: metadata: 4 block number : 0
libfvde_volume_header_read_data: unknown7:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_volume_header_read_data: key data size : 0
libfvde_volume_header_read_data: encryption method : 0
libfvde_volume_header_read_data: key data:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_volume_header_read_data: physical volume identifier : 00000000-0000-0000-0000-000000000000
libfvde_volume_header_read_data: volume group identifier : 00000000-0000-0000-0000-000000000000
libfvde_volume_header_read_data: unknown8:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
000000a0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

Unable to open: /dev/sdb2.
libfvde_volume_header_read_data: unsupported core storage signature.
libfvde_volume_header_read_file_io_handle: unable to read volume header data.
libfvde_internal_volume_open_read: unable to read volume header.
libfvde_volume_open_file_io_handle: unable to read volume from file IO handle.
mount_handle_open: unable to open volume.

isacaagesen commented 11 months ago

> I assume given the GPT ID is 53746f72-6167-11aa-aa11-00306543ecac

You assume right.

joachimmetz commented 11 months ago

00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
000001f0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

Your volume header is empty.
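
The check that closes the thread can be run before reaching for fvdemount. The following is an added example, not part of the thread and not libfvde code: it reads the first 512 bytes of an image or block device read-only and separates an all-zero header from a wrong signature. The field offsets (signature "CS" at byte 88, bytes per sector at 48, physical volume size at 64, little-endian) are assumptions taken from libfvde's public format notes, and `constructed_header` builds a made-up sample.

```python
import struct
import sys

HEADER_SIZE = 512       # the dump in the thread covers 0x000-0x1ff
SIG_OFFSET = 88         # assumed from libfvde's public format notes
SIGNATURE = b"CS"

def classify_volume_header(header: bytes) -> dict:
    """Triage the first 512 bytes of a suspected Core Storage volume."""
    if len(header) < HEADER_SIZE:
        return {"state": "short-read", "bytes_read": len(header)}
    header = header[:HEADER_SIZE]
    if not any(header):
        # Matches the thread: every field is zero, nothing to parse.
        return {"state": "empty"}
    if header[SIG_OFFSET:SIG_OFFSET + 2] != SIGNATURE:
        return {"state": "unsupported-signature",
                "found": header[SIG_OFFSET:SIG_OFFSET + 2].hex()}
    # Assumed little-endian field offsets, same source as SIG_OFFSET.
    (bytes_per_sector,) = struct.unpack_from("<I", header, 48)
    (physical_volume_size,) = struct.unpack_from("<Q", header, 64)
    return {"state": "core-storage",
            "bytes_per_sector": bytes_per_sector,
            "physical_volume_size": physical_volume_size}

def read_header(path: str, offset: int = 0) -> bytes:
    """Read the header from an image or block device, read-only."""
    with open(path, "rb") as handle:
        handle.seek(offset)
        return handle.read(HEADER_SIZE)

def constructed_header(size: int = 749296615424) -> bytes:
    """Constructed sample: a minimal header carrying a valid signature."""
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 48, 512)
    struct.pack_into("<Q", header, 64, size)
    header[SIG_OFFSET:SIG_OFFSET + 2] = SIGNATURE
    return bytes(header)

if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. script.py /dev/sdb2 [byte offset]
        offset = int(sys.argv[2], 0) if len(sys.argv) > 2 else 0
        print(classify_volume_header(read_header(sys.argv[1], offset)))
    else:
        print(classify_volume_header(bytes(HEADER_SIZE)))
        print(classify_volume_header(constructed_header()))
```

An "empty" result means there is no header to parse at that location, while "unsupported-signature" means data is present but does not match the expected layout.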