ydkhatri / mac_apt

macOS (& iOS) Artifact Parsing Tool

Home Page:https://swiftforensics.com


Does not get the correct BuildVersion and ProductVersionExtra

mnrkbys opened this issue · comments

If a Rapid Security Response is applied, mac_apt cannot get the correct BuildVersion and ProductVersionExtra.

sw_vers command

% sw_vers 
ProductName:		macOS
ProductVersion:		13.3.1
ProductVersionExtra:	(a)
BuildVersion:		22E772610a

/System/Library/CoreServices/SystemVersion.plist

% plutil -p /System/Library/CoreServices/SystemVersion.plist                                                          
{
  "BuildID" => "6B08394E-D0A4-11ED-8DAB-1CA630367858"
  "iOSSupportVersion" => "16.4"
  "ProductBuildVersion" => "22E261"
  "ProductCopyright" => "1983-2023 Apple Inc."
  "ProductName" => "macOS"
  "ProductUserVisibleVersion" => "13.3.1"
  "ProductVersion" => "13.3.1"
}

/System/Volumes/Preboot/[UUID]/cryptex1/current/SystemVersion.plist

% plutil -p /System/Volumes/Preboot/5BF509A5-9093-4D37-AEEB-54522F6341CD/cryptex1/current/SystemVersion.plist 
{
  "BuildID" => "D53AC950-DEA8-11ED-AFD0-CC27BBCD0793"
  "iOSSupportVersion" => "16.4"
  "ProductBuildVersion" => "22E772610a"
  "ProductCopyright" => "1983-2023 Apple Inc."
  "ProductName" => "macOS"
  "ProductUserVisibleVersion" => "13.3.1"
  "ProductVersion" => "13.3.1"
  "ProductVersionExtra" => "(a)"
}

Are there APIs to access files in Preboot volume? @ydkhatri

Or, as you know, macOS 13 mounts Preboot volume automatically.

% mount
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk3s6 on /System/Volumes/VM (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk3s2 on /System/Volumes/Preboot (apfs, local, journaled, nobrowse)
/dev/disk3s4 on /System/Volumes/Update (apfs, local, journaled, nobrowse)
/dev/disk1s2 on /System/Volumes/xarts (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk1s1 on /System/Volumes/iSCPreboot (apfs, local, journaled, nobrowse)
/dev/disk1s3 on /System/Volumes/Hardware (apfs, local, journaled, nobrowse)
/dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)

Therefore, could we access the file entries in Preboot in a manner similar to how the Firmlink between System and Data is reproduced?
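To make the resolution rule concrete, here is an added example (not mac_apt's own code, and not written by the reporter) that parses the two SystemVersion.plist files shown above and returns the values sw_vers reports. The sample plists are constructed from the plutil output in this issue, re-encoded as XML (plistlib reads binary and XML alike, so the on-disk format makes no difference). It prefers the cryptex copy for ProductBuildVersion and ProductVersionExtra, but only when that copy's ProductVersion matches the system volume, since an RSR is an overlay on one specific base release and a leftover cryptex from another base should not be trusted. The `*/cryptex1/current/SystemVersion.plist` glob under the Preboot mount point is an assumption taken from the path in this issue, not a documented contract.

```python
"""Resolve the effective macOS build from the system volume and the RSR cryptex.

Added illustration for this issue, not mac_apt code. The plists below are
constructed from the plutil output posted in the issue.
"""
import plistlib
from pathlib import Path
from typing import Optional

# Constructed sample: /System/Library/CoreServices/SystemVersion.plist
SYSTEM_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>BuildID</key><string>6B08394E-D0A4-11ED-8DAB-1CA630367858</string>
  <key>iOSSupportVersion</key><string>16.4</string>
  <key>ProductBuildVersion</key><string>22E261</string>
  <key>ProductCopyright</key><string>1983-2023 Apple Inc.</string>
  <key>ProductName</key><string>macOS</string>
  <key>ProductUserVisibleVersion</key><string>13.3.1</string>
  <key>ProductVersion</key><string>13.3.1</string>
</dict>
</plist>
"""

# Constructed sample: /System/Volumes/Preboot/[UUID]/cryptex1/current/SystemVersion.plist
CRYPTEX_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>BuildID</key><string>D53AC950-DEA8-11ED-AFD0-CC27BBCD0793</string>
  <key>iOSSupportVersion</key><string>16.4</string>
  <key>ProductBuildVersion</key><string>22E772610a</string>
  <key>ProductCopyright</key><string>1983-2023 Apple Inc.</string>
  <key>ProductName</key><string>macOS</string>
  <key>ProductUserVisibleVersion</key><string>13.3.1</string>
  <key>ProductVersion</key><string>13.3.1</string>
  <key>ProductVersionExtra</key><string>(a)</string>
</dict>
</plist>
"""

# Assumed layout (taken from the path in the issue): one [UUID] directory per
# volume group under the Preboot mount point, each holding a cryptex1 tree.
CRYPTEX_GLOB = "*/cryptex1/current/SystemVersion.plist"


def parse_system_version(data: bytes) -> dict:
    """Parse a SystemVersion.plist (binary or XML) into a dict."""
    return plistlib.loads(data)


def find_cryptex_plists(preboot_root: str) -> list:
    """List every cryptex SystemVersion.plist under a mounted Preboot volume."""
    root = Path(preboot_root)
    if not root.is_dir():
        return []
    return sorted(root.glob(CRYPTEX_GLOB))


def resolve_version(system: dict, cryptex: Optional[dict]) -> dict:
    """Return the sw_vers-style values, letting a matching RSR cryptex override.

    The cryptex plist wins for BuildVersion and ProductVersionExtra only when it
    describes the same ProductVersion as the system volume; otherwise it is
    treated as stale and the system volume's values are kept.
    """
    resolved = {
        "ProductName": system.get("ProductName"),
        "ProductVersion": system.get("ProductVersion"),
        "ProductVersionExtra": system.get("ProductVersionExtra", ""),
        "BuildVersion": system.get("ProductBuildVersion"),
        "Source": "system",
    }
    if cryptex and cryptex.get("ProductVersion") == system.get("ProductVersion"):
        resolved["BuildVersion"] = cryptex.get("ProductBuildVersion", resolved["BuildVersion"])
        resolved["ProductVersionExtra"] = cryptex.get("ProductVersionExtra", "")
        resolved["Source"] = "cryptex"
    return resolved


def format_sw_vers(resolved: dict) -> str:
    """Render the resolved values in the layout sw_vers prints."""
    lines = [f"ProductName:\t\t{resolved['ProductName']}",
             f"ProductVersion:\t\t{resolved['ProductVersion']}"]
    if resolved["ProductVersionExtra"]:
        lines.append(f"ProductVersionExtra:\t{resolved['ProductVersionExtra']}")
    lines.append(f"BuildVersion:\t\t{resolved['BuildVersion']}")
    return "\n".join(lines)


if __name__ == "__main__":
    base = parse_system_version(SYSTEM_PLIST)
    rsr = parse_system_version(CRYPTEX_PLIST)
    print("system volume only:\n" + format_sw_vers(resolve_version(base, None)))
    print("\nwith RSR cryptex:\n" + format_sw_vers(resolve_version(base, rsr)))
    print("\ncryptex plists under /System/Volumes/Preboot:",
          find_cryptex_plists("/System/Volumes/Preboot"))
```

On a live macOS 13 host the last line lists the cryptex plists under the mounted Preboot volume; when analysing an image, the same two parse-and-resolve steps apply to whatever mechanism mac_apt uses to read the Preboot volume's files. Keeping the `Source` field makes it visible in the output whether the build came from the system volume or the cryptex, which matters when the two disagree.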

> Are there APIs to access files in Preboot volume? @ydkhatri

Not currently, but can be added.

> Or, as you know, macOS 13 mounts Preboot volume automatically.
>
> % mount
> /dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
> devfs on /dev (devfs, local, nobrowse)
> /dev/disk3s6 on /System/Volumes/VM (apfs, local, noexec, journaled, noatime, nobrowse)
> /dev/disk3s2 on /System/Volumes/Preboot (apfs, local, journaled, nobrowse)
> /dev/disk3s4 on /System/Volumes/Update (apfs, local, journaled, nobrowse)
> /dev/disk1s2 on /System/Volumes/xarts (apfs, local, noexec, journaled, noatime, nobrowse)
> /dev/disk1s1 on /System/Volumes/iSCPreboot (apfs, local, journaled, nobrowse)
> /dev/disk1s3 on /System/Volumes/Hardware (apfs, local, journaled, nobrowse)
> /dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect)
> map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)
>
> Therefore, could we access the file entries in Preboot in a manner similar to how the Firmlink between System and Data is reproduced?

Do you mean it is a persistent mount? I don't see it on mine. I know it does this at boot to get crypto keys to unlock the Data volume. That's the behaviour since APFS encryption was introduced. But is there more to it?

> Do you mean it is a persistent mount?

Yes, I think so.
The following result is from my M1 MacBook Air with macOS 13.3.1 (a).
I also confirmed the result of the mount command on a macOS 13.2.1 UTM VM guest, and I can see the same result.

% sw_vers 
ProductName:		macOS
ProductVersion:		13.3.1
ProductVersionExtra:	(a)
BuildVersion:		22E772610a

% uname -m 
arm64

% mount
/dev/disk3s1s1 on / (apfs, sealed, local, read-only, journaled)
devfs on /dev (devfs, local, nobrowse)
/dev/disk3s6 on /System/Volumes/VM (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk3s2 on /System/Volumes/Preboot (apfs, local, journaled, nobrowse)
/dev/disk3s4 on /System/Volumes/Update (apfs, local, journaled, nobrowse)
/dev/disk1s2 on /System/Volumes/xarts (apfs, local, noexec, journaled, noatime, nobrowse)
/dev/disk1s1 on /System/Volumes/iSCPreboot (apfs, local, journaled, nobrowse)
/dev/disk1s3 on /System/Volumes/Hardware (apfs, local, journaled, nobrowse)
/dev/disk3s5 on /System/Volumes/Data (apfs, local, journaled, nobrowse, protect)
map auto_home on /System/Volumes/Data/home (autofs, automounted, nobrowse)

Cryptexes were introduced in macOS 13, and for them to work, mounting the Preboot volume is required.
https://eclecticlight.co/2023/04/05/how-cryptexes-are-changing-macos-ventura/