FileVault2 with extracted keybag from Apple T2 chip
Hello everybody,
as explained in this post, I'm trying to recover a FileVault2 password from a MacBook with a T2 chip.

After getting down the rabbit hole and into the T2 chip to get a root shell. I successfully extract the Key bag (systembag.kb) and also the corresponding iv and key from Effaceable Storage to decrypt the Key bag.

The Keybag looks like:
  VERS = 4
  TYPE = 0
  UUID = 32 HEX
  HMCK = 80 HEX
  WRAP = 1
  SALT = 40 Hex
  ITER = 50000
  TKMT = 0
  SART = 98
  UUID = 32 HEX
    CLAS = 1
    WRAP = 3
    KTYP = 0
    WPKY = 80 HEX
    UUID = 32 HEX

... up to
Because I get starting LoadKeybag Initialization of KeyManager failed. with sgan81/apfs-fuse and Banaanhangwagen/apfs2hashcat.

Now, the big question, how I get the Key bag into apfs2hashcat? After a short flyover, I don't see the right point to inject the Key bag data.

A short reminder of what is my goal:
I want to get access to the Data of a FileVault2 encrypted MacBook Air 2020 (Intel).
I have a part of the password but after 30 attempts the T2 locks me out forever.
The current count is at 17. So less than half is remaining.
And no, iCloud recovery and also the FileVault Recovery Key are not accessible.

Thanks for your're supporting.

Messages In This Thread
FileVault2 with extracted keybag from Apple T2 chip - by Zen6 - 01-14-2021, 09:51 AM