FileVault2 with extracted keybag from Apple T2 chip
#1
Hello everybody,
as explained in this post, I'm trying to recover a FileVault2 password from a MacBook with a T2 chip.

After going down the rabbit hole and into the T2 chip to get a root shell, I successfully extracted the keybag (systembag.kb) and also the corresponding IV and key from Effaceable Storage to decrypt the keybag.

The Keybag looks like:
Code:
HEADER
  VERS = 4
  TYPE = 0
  UUID = 32 HEX
  HMCK = 80 HEX
  WRAP = 1
  SALT = 40 Hex
  ITER = 50000
  TKMT = 0
  SART = 98
  UUID = 32 HEX
KEYS
  0:
    CLAS = 1
    WRAP = 3
    KTYP = 0
    WPKY = 80 HEX
    UUID = 32 HEX

... up to
  9:
Because I get "starting LoadKeybag Initialization of KeyManager failed." with sgan81/apfs-fuse and Banaanhangwagen/apfs2hashcat.

Now, the big question: how do I get the keybag into apfs2hashcat? After a short flyover, I don't see the right point to inject the keybag data.

A short reminder of what my goal is:
I want to get access to the data of a FileVault2 encrypted MacBook Air 2020 (Intel).
I have a part of the password but after 30 attempts the T2 locks me out forever.
The current count is at 17. So less than half is remaining.
And no, iCloud recovery and also the FileVault Recovery Key are not accessible.

Thanks for your support.
#2
Hi,

I'm struggling with the same problem.

I guess that you successfully got the root shell into T2 by relying on the checkm8 + blackbird vulnerability.
I also easily copied the systembag.kb with scp, but I'm still struggling with the extraction of the IV and payload key from Effaceable Storage to decrypt the keybag. Any suggestions?

I tried the tool from https://github.com/russtone/systembag.kb but it didn't work for me.

Sincerely,
gostep
#3
Hello,
sorry for my late response, but I also can't find any solution.
I contacted Cellebrite for assistance, but haven't gotten an answer yet.
If I get a working solution, I will post it here.