libyal/libfvde

libfvde_metadata_block_read_data: unsupported block size: 2466354417

dunkhong opened this issue · 11 comments

I am decrypting a disk encrypted by FileVault2, I guess. But I got the following error:

libfvde_metadata_block_read_data: header data:
00000000: d9 79 20 d6 01 77 a1 b7  bc 32 75 91 2a 52 ba 22   .y ..w.. .2u.*R."
00000010: 48 d8 f7 87 0f 39 8d 69  51 e0 48 94 14 8a 78 5e   H....9.i Q.H...x^
00000020: 0c a1 c3 fd ee 1a a9 5f  9c c1 d4 d6 c2 91 b4 1f   ......._ ........
00000030: f1 94 01 93 09 56 08 37  1d 00 2d 4f 3d fc 68 91   .....V.7 ..-O=.h.

libfvde_metadata_block_read_data: checksum				: 0xd62079d9
libfvde_metadata_block_read_data: initial value				: 0xb7a17701
libfvde_metadata_block_read_data: version				: 12988
libfvde_metadata_block_read_data: type					: 0x9175
libfvde_metadata_block_read_data: serial number				: 0x22ba522a
libfvde_metadata_block_read_data: group					: 7605798084567095368
libfvde_metadata_block_read_data: unknown3				: 0x5e788a149448e051
libfvde_metadata_block_read_data: number				: 6893070318429249804
libfvde_metadata_block_read_data: unknown5				: 0x1fb491c2d6d4c19c
libfvde_metadata_block_read_data: size					: 2466354417
libfvde_metadata_block_read_data: unknown6				: 0x37085609
libfvde_metadata_block_read_data: unknown7				: 0x9168fc3d4f2d001d

 Unable to open: /dev/loop14p2.
 libfvde_metadata_block_read_data: unsupported block size: 2466354417.
 libfvde_encrypted_metadata_read: unable to read metadata block.
 libfvde_volume_open_read: unable to read primary encrypted metadata.
 libfvde_volume_open_file_io_handle: unable to read from file IO handle.
 info_handle_open_input: unable to open input volume.

I am using libfvde-20180108.
Any help with this would be greatly appreciated.
Thank you.

Seeing a similar issue on libfvde-20190104 with a FileVault2 encrypted SD card.

fvdeinfo 20190104

Unable to open: /dev/disk3s2.
libfvde_metadata_block_read_data: unsupported block size: 843235416.
libfvde_encrypted_metadata_read: unable to read metadata block.
libfvde_volume_open_read: unable to read primary encrypted metadata.
libfvde_volume_open_file_io_handle: unable to read from file IO handle.
info_handle_open_input: unable to open input volume.

Could you provide me with format debug output?

Also see: https://github.com/libyal/libfvde/wiki/Troubleshooting#verbose-and-debug-output

Yes, here's the stderr output: https://filebin.net/fehpd3bbrwdgc0rk/debug.log (it's quite large, about 32MB)

I configured with --enable-verbose-output --enable-debug-output. Thanks for taking a look!

Here's also an mmls of the card:

GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0030619607   0030209968   Hmm
006:  002       0030619608   0030881751   0000262144   Booter
007:  -------   0030881752   0030881791   0000000040   Unallocated

> Yes, here's the stderr output: https://filebin.net/fehpd3bbrwdgc0rk/debug.log (it's quite large, about 32MB)

Thx, I'll have a look as soon as time permits.

For the future, know that you can compress the log file: gzip debug.log

Hi @joachimmetz,

I have faced the same problem with a removable media volume. Here is the output:
fvdeinfo_output.txt

It looks like skipping the block size check for 8192 value fixes the problem, but I am not sure that this is the right approach.

I can share a 7 GB image with a password via Google Drive.

I also have the same problem with a removable media volume. Is there a solution for this? Here is my error.log file:

error.log.gz

The mmls of the removable media volume is:

GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0000409639   0000409600   EFI System Partition
005:  001       0000409640   0014847335   0014437696   
006:  002       0014847336   0015109479   0000262144   Booter
007:  -------   0015109480   0015109519   0000000040   Unallocated

And I use the command:

./fvdeinfo -p passwort -o $((512*409640)) ~/Sicherung/FileVault2/Image/FileVault2.dd

Thx for the additional debug information, I'll have a look as time permits.

For both error.log.gz and fvdeinfo_output.txt there is "random" data after a 0x0013 block. Could this be related to #12 ?

> I can share a 7 GB image with a password via Google Drive.

@bulhakov-adf if you still have the image, that could be useful in determining what the cause of this is.

Same error message seen in combination with a physical volume with different key data in the volume header.

For both error.log.gz and fvdeinfo_output.txt

  • 0x0013 block with 2 blocks as part of transaction
  • followed by a 0x001a block
  • error message is raised

And for debug.txt from #53

  • 0x0013 block with 4 blocks as part of transaction
  • followed by 0x0016, 0x0017, 0x0011 blocks
  • error message is raised

Maybe related to how the encrypted metadata should be read?

Hello,

I'm facing a similar issue with a CoreStorage encrypted external USB drive.

Here's the beginning of the error log output. I initially had the entirety gzipped and uploaded (it was ~40MB), but after skimming over it I saw unencrypted PII in the libfvde_metadata_block_read_data: data: output (which doesn't really make sense to me).

Verbose Log (Truncated)

Reading volume header:
libfvde_volume_header_read_file_io_handle: reading volume header at offset: 0 (0x00000000)
libfvde_volume_header_read_data: volume header data:
00000000: 94 44 91 f4 ff ff ff ff  01 00 10 00 07 14 d7 01   .D...... ........
00000010: 01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000030: 00 02 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000040: 00 20 d8 3d 00 00 00 00  00 00 00 00 00 00 00 00   . .=.... ........
00000050: 00 00 00 00 00 00 00 00  43 53 01 00 00 00 04 00   ........ CS......
00000060: 00 10 00 00 00 00 40 00  01 00 00 00 00 00 00 00   ......@. ........
00000070: 01 04 00 00 00 00 00 00  81 d5 03 00 00 00 00 00   ........ ........
00000080: 81 d9 03 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
000000a0: 00 00 00 00 00 00 00 00  10 00 00 00 02 00 00 00   ........ ........
000000b0: f6 8f ba 34 a9 e6 32 86  6e 0a 3f 15 a5 71 f5 5b   ...4..2. n.?..q.[
000000c0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
00000120: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000130: db e2 92 6d c6 95 40 e9  9b 8f a1 57 1f 30 71 ff   ...m..@. ...W.0q.
00000140: 28 48 7e a5 45 32 44 94  a1 9e 6a 26 b6 8e b6 cd   (H~.E2D. ..j&....
00000150: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
000001f0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_volume_header_read_data: checksum				: 0xf4914494
libfvde_volume_header_read_data: initial value				: 0xffffffff
libfvde_volume_header_read_data: format version				: 1
libfvde_volume_header_read_data: block type				: 0x0010
libfvde_volume_header_read_data: serial number				: 0x01d71407
libfvde_volume_header_read_data: unknown2				: 0x00000001
libfvde_volume_header_read_data: unknown3a				: 0x00000000
libfvde_volume_header_read_data: unknown3b				: 0x00000000
libfvde_volume_header_read_data: unknown3c				: 0x00000000
libfvde_volume_header_read_data: bytes per sector			: 512
libfvde_volume_header_read_data: unknown4a				: 0x00000000
libfvde_volume_header_read_data: unknown4b				: 0x00000000
libfvde_volume_header_read_data: physical volume size			: 1037574144
libfvde_volume_header_read_data: unknown5:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_volume_header_read_data: core storage signature			: CS
libfvde_volume_header_read_data: checksum algorithm			: 1
libfvde_volume_header_read_data: unknown6				: 0x0004
libfvde_volume_header_read_data: block size				: 4096
libfvde_volume_header_read_data: metadata size				: 4194304
libfvde_volume_header_read_data: metadata: 1 block number		: 1
libfvde_volume_header_read_data: metadata: 2 block number		: 1025
libfvde_volume_header_read_data: metadata: 3 block number		: 251265
libfvde_volume_header_read_data: metadata: 4 block number		: 252289
libfvde_volume_header_read_data: unknown7:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_volume_header_read_data: key data size				: 16
libfvde_volume_header_read_data: encryption method			: 2
libfvde_volume_header_read_data: key data:
00000000: f6 8f ba 34 a9 e6 32 86  6e 0a 3f 15 a5 71 f5 5b   ...4..2. n.?..q.[
00000010: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
00000070: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

libfvde_volume_header_read_data: physical volume identifier		: dbe2926d-c695-40e9-9b8f-a1571f3071ff
libfvde_volume_header_read_data: volume group identifier		: 28487ea5-4532-4494-a19e-6a26b68eb6cd
libfvde_volume_header_read_data: unknown8:
00000000: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
000000a0: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........

Reading metadata: 1
libfvde_metadata_read_file_io_handle: reading metadata at offset: 4096 (0x00001000)
libfvde_metadata_block_read_data: header data:
00000000: 63 29 1a a0 ff ff ff ff  01 00 11 00 07 14 d7 01   c)...... ........
00000010: 06 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000030: 00 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00   . ...... ........

libfvde_metadata_block_read_data: checksum				: 0xa01a2963
libfvde_metadata_block_read_data: initial value				: 0xffffffff
libfvde_metadata_block_read_data: version				: 1
libfvde_metadata_block_read_data: type					: 0x0011
libfvde_metadata_block_read_data: serial number				: 0x01d71407
libfvde_metadata_block_read_data: transaction identifier		: 6
libfvde_metadata_block_read_data: object identifier			: 0
libfvde_metadata_block_read_data: number				: 0
libfvde_metadata_block_read_data: unknown5				: 0x00000000
libfvde_metadata_block_read_data: size					: 8192
libfvde_metadata_block_read_data: unknown6				: 0x00000000
libfvde_metadata_block_read_data: unknown7				: 0x00000000

libfvde_metadata_block_read_data: data:
00000000: 00 00 40 00 03 00 00 00  fb a7 93 6c ff ff ff ff   ..@..... ...l....
00000010: 07 57 7e c0 07 14 d7 01  07 14 d7 01 10 27 01 00   .W~..... .....'..
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000030: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000040: 00 00 00 00 00 00 00 00  07 14 d7 01 07 14 d7 01   ........ ........
00000050: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000060: 00 00 00 00 00 00 00 00  0c 00 00 00 0d 00 00 00   ........ ........
00000070: 40 00 00 00 30 00 01 00  01 00 00 00 01 00 01 00   @...0... ........
00000080: 00 0c 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000090: 00 00 00 00 00 00 00 00  00 00 00 00 00 20 00 00   ........ ..... ..
000000a0: 30 20 00 00 72 01 00 00  72 01 00 00 00 00 00 00   0 ..r... r.......
000000b0: 82 dd 03 00 00 00 00 00  0a 00 00 00 00 00 00 00   ........ ........
000000c0: 06 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
000000d0: 19 00 00 00 00 00 00 00  05 00 00 00 00 00 00 00   ........ ........
000000e0: 00 00 00 00 00 00 00 00  15 00 00 00 00 00 00 00   ........ ........
000000f0: 04 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000100: 11 00 00 00 00 00 00 00  03 00 00 00 00 00 00 00   ........ ........
00000110: 00 00 00 00 00 00 00 00  0d 00 00 00 00 00 00 00   ........ ........
00000120: 02 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000130: 00 00 00 00 00 00 00 00  02 00 00 00 00 00 00 00   ........ ........
00000140: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000150: 02 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000160: 00 00 00 00 00 00 00 00  02 00 00 00 00 00 00 00   ........ ........
00000170: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
...
<truncated>

And mmls output:

GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Safety Table
001:  -------   0000000000   0000000039   0000000040   Unallocated
002:  Meta      0000000001   0000000001   0000000001   GPT Header
003:  Meta      0000000002   0000000033   0000000032   Partition Table
004:  000       0000000040   0002026551   0002026512   Stuff
005:  -------   0002026552   0002026591   0000000040   Unallocated

The non-verbose output from fvdeinfo is:

> fvdeinfo -p x -o $((512*40)) ~/stuff.dd
fvdeinfo 20240113

libfvde_metadata_block_read_data: unsupported block size: 1907549319.
libfvde_encrypted_metadata_read_from_file_io_handle: unable to read metadata block.
libfvde_internal_volume_open_read: unable to read encrypted metadata 1.
libfvde_internal_volume_open_read: unable to read physical volume files from file IO pool.
Unable to open: /Users/Alex/stuff.dd.
libfvde_metadata_block_read_data: unsupported block size: 1907549319.
libfvde_encrypted_metadata_read_from_file_io_handle: unable to read metadata block.
libfvde_internal_volume_open_read: unable to read encrypted metadata 1.
libfvde_volume_open_physical_volume_files_file_io_pool: unable to read physical volume files from file IO pool.
info_handle_open: unable to open physical volume files.

The output is identical to running sudo fvdeinfo -p x -o $((512*40)) /dev/disk5.

The image file was created through:

dd bs=16M if=/dev/disk5 of=/<redacted>/stuff.dd

And lastly, the diskutil output is here:

> diskutil coreStorage list
CoreStorage logical volume groups (1 found)
|
+-- Logical Volume Group 28487EA5-4532-4494-A19E-6A26B68EB6CD
    =========================================================
    Name:         Stuff
    Status:       Online
    Size:         1037574144 B (1.0 GB)
    Free Space:   14159872 B (14.2 MB)
    |
    +-< Physical Volume DBE2926D-C695-40E9-9B8F-A1571F3071FF
    |   ----------------------------------------------------
    |   Index:    0
    |   Disk:     disk5s1
    |   Status:   Online
    |   Size:     1037574144 B (1.0 GB)
    |
    +-> Logical Volume Family EEDD82BD-A08A-408C-8FE7-B7F2E5C9950C
        ----------------------------------------------------------
        Encryption Type:         AES-XTS
        Encryption Status:       Locked
        Conversion Status:       Complete
        High Level Queries:      Fully Secure
        |                        Passphrase Required
        |                        Accepts New Users
        |                        Has Visible Users
        |                        Has Volume Key
        |
        +-> Logical Volume AA69F2A7-A5CD-4DDF-A79B-3B04741A6D9E
            ---------------------------------------------------
            Disk:                  -none-
            Status:                Locked
            Size (Total):          671088640 B (671.1 MB)
            Revertible:            No
            LV Name:               Stuff
            Content Hint:          Apple_HFSX
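
As an added example (not part of the issue thread and not libfvde's own code): the two 64-byte metadata block headers quoted above, decoded with a field layout inferred from the thread's debug output and then checked against the values seen in the readable header. The function names, the triage checks and their defaults (block size 4096 and metadata size 4194304, as printed in the volume header log above) are assumptions of this example.

```python
import struct

# 64-byte metadata block header, little-endian. Offsets are inferred from the
# libfvde-20180108 debug output quoted in this thread, not from libfvde source.
HEADER = struct.Struct("<IIHHIQQQQIIQ")
FIELDS = ("checksum", "initial_value", "version", "type", "serial_number",
          "transaction_id", "object_id", "number", "unknown5", "size",
          "unknown6", "unknown7")

# Header dumps copied from the thread: the first failing report and the
# readable "metadata: 1" block from the CoreStorage USB drive.
FAILING = '''
00000000: d9 79 20 d6 01 77 a1 b7  bc 32 75 91 2a 52 ba 22   .y ..w.. .2u.*R."
00000010: 48 d8 f7 87 0f 39 8d 69  51 e0 48 94 14 8a 78 5e   H....9.i Q.H...x^
00000020: 0c a1 c3 fd ee 1a a9 5f  9c c1 d4 d6 c2 91 b4 1f   ......._ ........
00000030: f1 94 01 93 09 56 08 37  1d 00 2d 4f 3d fc 68 91   .....V.7 ..-O=.h.
'''
READABLE = '''
00000000: 63 29 1a a0 ff ff ff ff  01 00 11 00 07 14 d7 01   c)...... ........
00000010: 06 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000020: 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00   ........ ........
00000030: 00 20 00 00 00 00 00 00  00 00 00 00 00 00 00 00   . ...... ........
'''

def dump_to_bytes(dump: str) -> bytes:
    """Convert libyal-style dump lines (offset, 16 hex columns, ASCII) to bytes."""
    rows = [line.split()[1:17] for line in dump.strip().splitlines()]
    return bytes.fromhex("".join(tok for row in rows for tok in row))

def parse_header(raw: bytes) -> dict:
    if len(raw) < HEADER.size:
        raise ValueError(f"need {HEADER.size} header bytes, got {len(raw)}")
    return dict(zip(FIELDS, HEADER.unpack_from(raw)))

def triage(hdr: dict, block_size: int = 4096, metadata_size: int = 4194304) -> list:
    """Reasons a header looks like random data rather than a metadata block (heuristic)."""
    reasons = []
    if hdr["initial_value"] != 0xFFFFFFFF:
        reasons.append(f"initial value 0x{hdr['initial_value']:08x}, expected 0xffffffff")
    if hdr["version"] != 1:
        reasons.append(f"version {hdr['version']}, expected 1")
    if not 0 < hdr["size"] <= metadata_size or hdr["size"] % block_size:
        reasons.append(f"size {hdr['size']} is not a block multiple within the metadata area")
    return reasons

if __name__ == "__main__":
    for name, dump in (("failing", FAILING), ("readable", READABLE)):
        hdr = parse_header(dump_to_bytes(dump))
        print(name, f"type=0x{hdr['type']:04x} size={hdr['size']}", triage(hdr) or "plausible")
```

When every check fails at once, as it does for the first header, the reader is most likely looking at bytes that are not a plaintext block header at all, which matches the "random" data noted earlier in the thread.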