FileVault2 with extracted keybag from Apple T2 chip
#1
Hello everybody,
as explained in this post, I'm trying to recover a FileVault2 password from a MacBook with a T2 chip.

After going down the rabbit hole and into the T2 chip to get a root shell, I successfully extracted the Key bag (systembag.kb) and also the corresponding IV and key from Effaceable Storage to decrypt the Key bag.

The Keybag looks like:
Code:
HEADER
  VERS = 4
  TYPE = 0
  UUID = 32 HEX
  HMCK = 80 HEX
  WRAP = 1
  SALT = 40 Hex
  ITER = 50000
  TKMT = 0
  SART = 98
  UUID = 32 HEX
KEYS
  0:
    CLAS = 1
    WRAP = 3
    KTYP = 0
    WPKY = 80 HEX
    UUID = 32 HEX

... up to
  9:
Because I get "starting LoadKeybag Initialization of KeyManager failed." with sgan81/apfs-fuse and Banaanhangwagen/apfs2hashcat.

Now, the big question: how do I get the Key bag into apfs2hashcat? After a short flyover, I don't see the right point to inject the Key bag data.

A short reminder of what my goal is:
I want to get access to the data of a FileVault2 encrypted MacBook Air 2020 (Intel).
I have a part of the password but after 30 attempts the T2 locks me out forever.
The current count is at 17. So less than half is remaining.
And no, iCloud recovery and also the FileVault Recovery Key are not accessible.

Thanks for your support.
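Added example, not part of the original posts and not code from any of the tools named in the thread: a structural sanity check for a keybag dump like the one listed in post #1. It assumes the blob is a flat stream of records, each a 4-byte ASCII tag, a 4-byte big-endian length, then the value (an assumption, the thread does not state the layout); `tlv`, `parse_tlv` and the zero-filled sample are constructed for illustration.

```python
import struct

# Value sizes in bytes from the listing in post #1 (32 HEX = 16, 40 HEX = 20, 80 HEX = 40).
EXPECTED_LEN = {"UUID": 16, "HMCK": 40, "SALT": 20, "WPKY": 40}
# Assumption: numeric fields are stored as 4-byte big-endian integers.
INT_TAGS = {"VERS", "TYPE", "WRAP", "ITER", "TKMT", "SART", "CLAS", "KTYP"}

def tlv(tag, value):
    """Build one record (used only to construct the sample below)."""
    if isinstance(value, int):
        value = value.to_bytes(4, "big")
    return tag.encode("ascii") + len(value).to_bytes(4, "big") + value

def parse_tlv(blob):
    """Return (records, problems) for a stream of tag/length/value records."""
    records, problems, off = [], [], 0
    while off < len(blob):
        if len(blob) - off < 8:
            problems.append(f"offset {off}: truncated record header")
            break
        tag, length = struct.unpack_from(">4sI", blob, off)
        if not tag.isalnum():  # not an ASCII tag: this is not a record stream
            problems.append(f"offset {off}: non-ASCII tag {tag.hex()}")
            break
        name, value = tag.decode("ascii"), blob[off + 8 : off + 8 + length]
        if len(value) != length:
            problems.append(f"offset {off}: {name} declares {length} bytes, {len(value)} present")
            break
        want = 4 if name in INT_TAGS else EXPECTED_LEN.get(name)
        if want is not None and length != want:
            problems.append(f"offset {off}: {name} is {length} bytes, expected {want}")
        elif name in INT_TAGS:
            value = int.from_bytes(value, "big")
        records.append((name, value))
        off += 8 + length
    return records, problems

# Constructed sample: zero-filled values, field order and integers from post #1.
SAMPLE = b"".join(tlv(t, v) for t, v in [
    ("VERS", 4), ("TYPE", 0), ("UUID", bytes(16)), ("HMCK", bytes(40)),
    ("WRAP", 1), ("SALT", bytes(20)), ("ITER", 50000), ("TKMT", 0),
    ("SART", 98), ("UUID", bytes(16)), ("CLAS", 1), ("WRAP", 3),
    ("KTYP", 0), ("WPKY", bytes(40)), ("UUID", bytes(16)),
])

if __name__ == "__main__":
    recs, probs = parse_tlv(SAMPLE)
    print(len(recs), "records, problems:", probs or "none")
```
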
#2
Hi,

I'm struggling with the same problem.

I guess that you successfully got the root shell into T2 by relying on the checkm8 + blackbird vulnerability.
I also copied easily with scp the systembag.kb but I'm still struggling with the extraction of IV and payload key from Effaceable Storage to decrypt the keybag. Any suggestions?

I tried the tool from https://github.com/russtone/systembag.kb but it didn't work for me.

Sincerely,
gostep
#3
Hello,
sorry for my late response, but I also can't find any solution.
I contacted Cellebrite for assistance, but haven't gotten an answer yet.
If I get a working solution, I will post it here.
#4
Hello,

no worries and thanks for your answer.

However, I understood from your first message that you successfully extracted the systembag.kb and also the corresponding iv and key from Effaceable Storage to decrypt the key bag.

Unfortunately, I am not able yet to extract the IV and KEY from the Effaceable Storage.
Did you extract them with get_bag1 from https://github.com/russtone/systembag.kb ? I tried it but I always get a "Killed: 9" error message.

I would just need help for this step now.

Thanks in advance and best regards.
#5
(02-26-2021, 12:26 PM)gostep Wrote: Hello,

no worries and thanks for your answer.

However, I understood from your first message that you successfully extracted the systembag.kb and also the corresponding iv and key from Effaceable Storage to decrypt the key bag.

Unfortunately, I am not able yet to extract the IV and KEY from the Effaceable Storage.
Did you extract them with get_bag1 from https://github.com/russtone/systembag.kb ? I tried it but I always get a "Killed: 9" error message.

I would just need help for this step now.

Thanks in advance and best regards.

Hi, so what was your success in this case? Any tips for me? I'm now trying to decrypt my Mac Pro 2019 with T2. I already obtained the encryptedroot plist, and now cannot use apfs quick dump.