sgan81 / apfs-fuse

FUSE driver for APFS (Apple File System)
GNU General Public License v2.0

VEK failed to decrypt data blocks of Fusion Encrypted drive #151

Open Santosh123-creater opened 3 years ago

Santosh123-creater commented 3 years ago

Hi

I have an iMac machine which has an APFS Fusion encrypted drive. Following are the logs:

```
Dumping Keybag (keys)

Version : 0002
Keys : 0002
Bytes : 000000E0

Key 0:
UUID : 73F6CBFD-EB00-43C4-B691-42757BA9334B
Type : 0003 [Keybag Ref]
Length : 0010
Block : 000000000000643E
Count : 0000000000000001

Key 1:
UUID : 73F6CBFD-EB00-43C4-B691-42757BA9334B
Type : 0002 [VEK]
Length : 007C
[Blob Header]
Unk 80 : 0
HMAC : D91CE91D5F6F4AD76795CC7A5DC430D66279D57B921BD856BEC921A2857B06AF
Salt : A4407907EB2970B2

[VEK]
Unk 80 : 0
UUID : 73F6CBFD-EB00-43C4-B691-42757BA9334B
Unk 82 : 00000000 0001 7D AD
VEK Wrpd: 07197A5F0BD0C450B9651015DB8E456AB5D8F535C80A4A13B5D8B5BF758350469BD7D1BB25708D87

starting LoadKeybag @ 643E
all blocks verified
Dumping Keybag (recs)

Version : 0002
Keys : 0002
Bytes : 000000E0

Key 0:
UUID : 73F6CBFD-EB00-43C4-B691-42757BA9334B
Type : 0003 [KEK]
Length : 0094
[Blob Header]
Unk 80 : 0
HMAC : 9727AA0BF36190FE9E958C86342FDE8873C9D47EC0151960D124394309C29D59
Salt : 9897F1A3901CFFC2

[KEK]
Unk 80 : 0
UUID : 73F6CBFD-EB00-43C4-B691-42757BA9334B
Unk 82 : 00000000 0002 7D AD
KEK Wrpd: DAB7824FC1C1E3E4CFF60E674B297CFD99D1229F0A58263680F051D6EF2E46ED258652EB92677610
Iterat's: 193853
Salt : E0D31C6F524754AC1BA1884A4DC20D7C

Key 1:
UUID : 73F6CBFD-EB00-43C4-B691-42757BA9334B
Type : 0004 [Password Hint]
Length : 0006
Hint : number

PW Key : DEE2B1C12FEFAB0E046DCC3888BFBD529593DAF6C2EB22802F94E750FBA64050
KEK Wrpd: DAB7824FC1C1E3E4CFF60E674B297CFD99D1229F0A58263680F051D6EF2E46ED258652EB92677610
KEK : F0E1F50AF0BEE7206BB089189777629D5CE4E24D6DBD1803CB6CC9B8FEED624D
KEK IV : A6A6A6A6A6A6A6A6

VEK Wrpd: 07197A5F0BD0C450B9651015DB8E456AB5D8F535C80A4A13B5D8B5BF758350469BD7D1BB25708D87
VEK : 5743B74748AC188C23C678202609E7DA14179A81F8B43DB33AA01C24F85AAFD0
VEK IV : A6A6A6A6A6A6A6A6
```

I have set the found key… m_aes.SetKey(vek, vek + 0x10);

In the case of a Fusion drive, the primary drive (tier1) contains the data position stored in the secondary drive (tier2). We have read the data blocks from the secondary drive (tier2) and started decryption.

```cpp
bool ApfsContainer::ReadBlocks(uint8_t * data, paddr_t paddr, uint64_t blkcnt) const
{
    uint64_t offs;
    uint64_t size;

    //if ((paddr + blkcnt) > m_nx.nx_block_count)
    //  return false;

    // Convert the block address and count into a byte offset and length.
    offs = m_nx.nx_block_size * paddr;
    size = m_nx.nx_block_size * blkcnt;

    // The tier-2 marker bit selects the secondary device of the Fusion pair.
    if (offs & FUSION_TIER2_DEVICE_BYTE_ADDR)
    {
        if (!m_tier2_disk)
            return false;

        offs = offs - FUSION_TIER2_DEVICE_BYTE_ADDR + m_tier2_part_start;
        return m_tier2_disk->Read(data, offs, size);
    }
    else
    {
        if (!m_main_disk)
            return false;

        offs = offs + m_main_part_start;
        return m_main_disk->Read(data, offs, size);
    }
}

void ApfsVolume::Decrypt(uint8_t *data, size_t size, uint64_t paddr)
{
    uint64_t cs_factor = 4096 / 0x200;
    uint64_t uno = paddr * cs_factor; // sector number of the first 0x200-byte unit
    size_t k;

    // Decrypt in place, one 0x200-byte unit at a time, incrementing the sector number.
    for (k = 0; k < size; k += 0x200)
    {
        m_aes.Decrypt(data + k, data + k, 0x200, uno);
        uno++;
    }
}
```

I have attached the file 'EncryptedData' read from the secondary drive. I have also attached the file 'DecryptedData', which is decrypted with the help of (m_aes.SetKey(vek, vek + 0x10) /* VEK found in primary drive (tier1) and decrypt secondary drive (tier2) data */). But this decrypted data is an incorrect/garbage value and could not be decrypted.

I have not figured out what the possible reason could be. The same thing works for an APFS encrypted drive, which decrypts properly, but in the case of Fusion encrypted it fails.

Please help me to figure out this issue.

Thanks
Santosh

EncryptedData DecryptedData
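A debugging aid for the two functions posted above, added here as an example and not part of the original issue or of apfs-fuse: for one physical block address it lists the tier, the byte offset that `ReadBlocks` would read relative to that tier's partition start, and the per-sector numbers that `Decrypt` would pass to `m_aes.Decrypt`, computed both from the raw address and with the tier-2 marker cleared, so the two can be compared against a known-good block. `BlockPlan` and `PlanBlock` are hypothetical names, and the value of `FUSION_TIER2_DEVICE_BYTE_ADDR` is assumed from Apple's APFS reference since the page does not show it.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Assumption: value taken from Apple's APFS reference; it is not shown on this page.
constexpr uint64_t FUSION_TIER2_DEVICE_BYTE_ADDR = 0x4000000000000000ULL;
constexpr uint64_t SECTOR_SIZE = 0x200;  // unit the posted Decrypt() steps through

struct BlockPlan {                       // hypothetical helper type
    bool tier2;                          // block lives on the secondary device
    uint64_t dev_offset;                 // byte offset relative to that tier's partition start
    std::vector<uint64_t> sectors_raw;   // sector numbers from the raw paddr (posted Decrypt())
    std::vector<uint64_t> sectors_rel;   // sector numbers with the tier-2 marker cleared
};

BlockPlan PlanBlock(uint64_t paddr, uint64_t block_size)
{
    BlockPlan p;
    const uint64_t cs_factor = block_size / SECTOR_SIZE;
    const uint64_t tier2_mark = FUSION_TIER2_DEVICE_BYTE_ADDR / block_size;  // marker in block units
    p.tier2 = (paddr & tier2_mark) != 0;
    const uint64_t rel = paddr & ~tier2_mark;
    p.dev_offset = rel * block_size;
    for (uint64_t i = 0; i < cs_factor; i++) {
        p.sectors_raw.push_back(paddr * cs_factor + i);
        p.sectors_rel.push_back(rel * cs_factor + i);
    }
    return p;
}

int main()
{
    // Constructed sample addresses, not taken from the reporter's disk.
    const uint64_t samples[] = { 0x10, (FUSION_TIER2_DEVICE_BYTE_ADDR / 4096) + 0x10 };
    for (uint64_t paddr : samples) {
        BlockPlan p = PlanBlock(paddr, 4096);
        std::printf("paddr=%016llx tier%d offset=%llx first sector raw=%llx rel=%llx\n",
                    (unsigned long long)paddr, p.tier2 ? 2 : 1,
                    (unsigned long long)p.dev_offset,
                    (unsigned long long)p.sectors_raw[0],
                    (unsigned long long)p.sectors_rel[0]);
    }
    return 0;
}
```

For a tier-1 address the two sector lists are identical; for a tier-2 address they differ only by the marker bit, which is the value to check when the same decryption path works on a non-Fusion volume.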

Santosh123-creater commented 3 years ago

DecryptedData.txt EncryptedData.txt

Data as in (.txt)

Santosh123-creater commented 3 years ago

If someone has a solution, then please help me.