
Ludacrisvp

I know there are some methods to get FileVault to work but none that I recall are simple for someone who is already running macOS, or they require access to another Mac to do it.

Apple added simple board-id checks to the Security prefpane file and the command line utility to prevent enabling FileVault (which is why the 3,1 is able to enable FV when running Mojave).

You can modify the binary to bypass this check. This will allow those who had to disable FV to upgrade to Mojave to re-enable it while on Mojave, presuming they have a GPU that supports the correct EFI boot screens. And now with MVC RX 580 cards available, I'd suspect that the number of people able to do this will increase.


There are two methods available to bypass the blacklist.
1. Modify CLI tool
2. Modify Security PreferencePane

Personally, I'd suspect the best idea is to modify only the CLI tool for purposes of enabling FV and then manage the rest from the prefpane.

Option 1 (safest, shouldn't need SIP disabled as we aren't replacing any system files):
Copy the CLI tool over to your desktop for hex editing.
Code:
Mac-Pro:~ ludacrisvp$ cp /usr/bin/fdesetup ~/Desktop/

Open up your favorite hex editor (I prefer HexFiend) and search for the 5,1 board-id (Mac-F221BEC8), then replace it with another ID; in my example I'm swapping in a 1,1 board-id (Mac-F4208DC8). I do suspect that you really could just change the ID to an invalid one of the same length and it would have the same effect (for example, using Mac-F221BEC2 would probably work too, as that is not a real board-id).
Screen Shot 2019-08-25 at 8.43.24 PM.jpg

Some IDs for reference:
Code:
Mac-F4208DC8 - 1,1
Mac-F42C88C8 - 3,1
Mac-F221BEC8 - 5,1

Save the file, then you need to code sign it and you can actually run it from right there without replacing the original binary.

Code:
Mac-Pro:~ ludacrisvp$ sudo codesign -f -s - ~/Desktop/fdesetup
/Users/ludacrisvp/Desktop/fdesetup: replacing existing signature

Then execute the binary file to enable FileVault.
Code:
Mac-Pro:~ ludacrisvp$ sudo ~/Desktop/fdesetup enable

As the check is only processed during the attempt to enable FileVault, you really don't need to keep the modified binary and you can do the rest of the FileVault management from the Security PrefPane.

==========================================================
Option 2:

This one will probably require SIP to be disabled as you will need to replace the system file with your modified file.
I'm not going to cover that in this.

Copy the Security binary out of the preference pane to your desktop for modification.

Code:
Mac-Pro:~ ludacrisvp$ cp /System/Library/PreferencePanes/Security.prefPane/Contents/MacOS/Security ~/Desktop/Security

Make a backup of this one though as we have to replace it.
Code:
Mac-Pro:~ ludacrisvp$ cp /System/Library/PreferencePanes/Security.prefPane/Contents/MacOS/Security ~/Desktop/Security.orig

Same process here: there is a single match for the board ID. This time I used the 3,1 board-id.
Here is the board-id for the 5,1 in the PrefPane for security.
Screen Shot 2019-08-25 at 8.44.13 PM.jpg

Replace the signature on the binary:
Code:
Mac-Pro:~ ludacrisvp$ sudo codesign -f -s - ~/Desktop/Security
/Users/ludacrisvp/Desktop/Security: replacing existing signature

Replace the system file with your modified and signed binary:
Code:
Mac-Pro:~ ludacrisvp$ sudo cp ~/Desktop/Security /System/Library/PreferencePanes/Security.prefPane/Contents/MacOS/Security

Then launch system preferences and go to security and you should be free to enable FileVault like any normal Mac user.

Not sure if Catalina has the same block in place, as the 5,1 isn't supported on Catalina. If it does have this block as part of code carryover, then I'd suspect the same modification could be made.
 

Ludacrisvp

Nobody seems to want to be the tester of my theory ... so I'm decrypting my 3,1 now to see if I can blacklist it using the board-id edit.
If I can blacklist the 3,1 when it wasn't blocked before then that should prove this works.
 

bookemdano

Really nice thorough work there--nice of you to detail the steps for everyone. I don't presently have a metal-capable EFI GPU, so I'm not super motivated to test this at the moment. Hopefully someone else will step up, but if not I will try it eventually.

Still would be interested to know if this is even necessary on Catalina since Apple is prohibiting installing it on a 5,1 anyway.
 

Ludacrisvp

Thanks for the response.

I've confirmed that I can blacklist the 3,1 using this method so that should be proof that this will unblock the 5,1 from a proper deployment.

Here is the 3,1 board-id again for reference
Mac-F42C88C8

Code:
Mac-Pro:~ ludacrisvp$ hexdump -c ~/Desktop/fdesetup|grep "M   a   c   -   F"
002c9b0   i   d  \0   M   a   c   -   F   4   2   C   8   8   C   8  \0
Mac-Pro:~ ludacrisvp$ sudo ~/Desktop/fdesetup enable
Enter the user name:ludacrisvp
Enter the password for user 'ludacrisvp':
Error: FileVault can't be enabled on this system.

Also tested the prefpane method:

Code:
Mac-Pro:~ ludacrisvp$ hexdump -c /System/Library/PreferencePanes/Security.prefPane/Contents/MacOS/Security |grep -A1 "M   a   c   -   F"
0057b30       n   i   l  \0   M   a   c   -   F   4   2   C   8   8   C
0057b40   8  \0   F   D   E   _   D   I   S   A   B   L   E   D  \0   I
Screen Shot 2019-08-26 at 1.03.10 PM.jpg


Reverted change to prefpane... and block was removed again, allowing FV to be used as expected.
Screen Shot 2019-08-26 at 1.14.52 PM.png
 
Last edited:
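The verification step in the post above, as an added example (not code from the thread): a byte-level scan reports each embedded board-id with its file offset no matter where hexdump's 16-byte rows break, and a diff confirms that only same-length bytes changed. The sample bytes are constructed, and `find_board_ids`, `changed_ranges` and `make_sample` are names made up for this sketch.

```python
import re

# Board-ids listed in the thread, mapped to the Mac Pro model each identifies.
KNOWN_BOARD_IDS = {
    b"Mac-F4208DC8": "1,1",
    b"Mac-F42C88C8": "3,1",
    b"Mac-F221BEC8": "5,1",
}
# NUL-terminated "Mac-" + 8 hex digits, the layout visible in the hexdump output.
BOARD_ID_RE = re.compile(rb"Mac-[0-9A-F]{8}(?=\x00)")


def find_board_ids(blob):
    """Return [(offset, board_id, model)] for each embedded board-id string."""
    return [
        (m.start(), m.group().decode(), KNOWN_BOARD_IDS.get(m.group(), "unknown"))
        for m in BOARD_ID_RE.finditer(blob)
    ]


def changed_ranges(original, modified):
    """Return [(start, end)] byte ranges where two same-length images differ."""
    if len(original) != len(modified):
        raise ValueError("length changed, so every later offset has shifted")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(original, modified)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(original)))
    return ranges


def make_sample(board_id):
    """Constructed stand-in for the string table, not real fdesetup/Security bytes."""
    # The id starts at offset 5, so its last byte falls in the next 16-byte
    # hexdump row: the case where the thread needed `grep -A1`.
    return b"\x00nil\x00" + board_id + b"\x00FDE_DISABLED\x00"


ORIGINAL = make_sample(b"Mac-F221BEC8")
MODIFIED = make_sample(b"Mac-F42C88C8")

if __name__ == "__main__":
    print(find_board_ids(ORIGINAL))
    print(find_board_ids(MODIFIED))
    print(changed_ranges(ORIGINAL, MODIFIED))
```
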

Ludacrisvp

If using the prefpane method, does SIP have to remain disabled for daily use, or can it be enabled again once the file modification is done?
Once modified you can re-enable SIP.
In reality you could disable SIP, modify prefpane, enable FV, once it is done processing then revert modification, enable SIP.
And then you'd be back to the original prefpane and have SIP enabled and have FileVault enabled too.
This is because Apple only blocked at one point in the code (the action of enabling it), any other interaction you have with it works once it is enabled (even disabling it).
 

crjackson2134

I don't use FV but it's nice to have the option. Thanks for taking the time to show how this can be done.
 

TimTower01

Thank you for this very helpful guide @Ludacrisvp.

The first method of patching the cli tool did not work for me as running the tool resulted in the following error message:
Code:
sudo ~/Desktop/fdesetup enable
Password:
Enter the user name:tim
Enter the password for user 'tim':
Error: A problem occurred while trying to enable FileVault. (-69556)
I followed the steps exactly as you described but still encountered this error.
If you have any idea why this happened please let me know.

Luckily the second method by patching the security pane worked like a charm for me.

I would also appreciate the use of a Lilu plugin for this purpose as @cdf proposed.

Keep up your good work
 

Ludacrisvp

Was “tim” your exact user name of an account on the computer?
 

TimTower01

Yes, my username is "tim" and my displayname "Tim".

If I change the username the CLI returns an authentication error.
I checked for this by entering a wrong username to check this before posting.
I also checked for case sensitivity, which isn't the case.
I uploaded my modified fdesetup binary here and below in the hope that it maybe helps you locate the issue.

I am trying this guide now on Catalina to further narrow down any issues.
Btw. the check is still present in Catalina.

EDIT: OK, so I did the same thing under Catalina again.
Same issue with the CLI (exact same error code) and the preference pane worked like a charm.
 

Attachments

  • fdesetup.zip

MoerBoer

This method does not seem to work on Catalina.

I tried the CLI route. No errors, but it still doesn't allow me setting it. I then disabled SIP, did the edit of the Security pref panel, but it doesn't allow me to copy it over the existing one.
 

Attachments

  • Screenshot 2020-03-09 at 20.10.01.png
  • Screenshot 2020-03-09 at 20.10.31.png

Ludacrisvp

Catalina changes the OS to read-only as well, from what I understand, so you'd probably have to get the root mounted read-write as well in order to change it in Catalina.

Your screenshot showing that fdesetup wants to enable FileVault seems promising; what's the failure?

Also, in terminal what do you see when you run this command?
Code:
  ioreg -l|grep board-id
 

MoerBoer

I reverted back to Mojave and wanted to turn on FileVault.

Now I get the same result as @TimTower01 when going the CLI route.

Code:
Mac-Pro:~ redacted$ sudo ~/Desktop/fdesetup enable
Enter the user name:redacted
Enter the password for user 'redacted':
Error: A problem occurred while trying to enable FileVault. (-69556)

Luckily the preference pane trick also worked for me. I really appreciate this!
 

Attachments

  • Screenshot 2020-03-12 at 09.55.24.png

Ludacrisvp

Hmm, I wonder why the CLI isn't working for others, but at least the prefpane method does.
For Catalina I've not tested it, but I assume it must be related to the read-only OS.
 

MoerBoer

Yeah, it would be very cool if you could put up a guide on how to bypass that. I want to install Catalina again on a separate drive, but FileVault is crucial for me.

Thank you for this guide as it makes my Mac workable again.
 

MoerBoer

So an extremely easy way to get FileVault working on Catalina is as follows:

Requirements:
  • Install disk with Mojave installed
  • OpenCore installed and working with BootPicker
  • Extra HDD/SSD/M.2 for Catalina to be installed on
Steps:
  • Be sure to download the Catalina installer
  • Ensure the VMM flag is set as per the OpenCore thread
  • Reboot after setting the flag back into Mojave
  • Now go to Disk Utility and simply format the drive you wish to install Catalina on as APFS Encrypted
  • Due to the VMM flag being set, it does this without any issues
  • Now just install Catalina as per normal on the encrypted disk
After its first reboot, the password prompt will pop up (after the BootPicker), and now your Catalina install is also encrypted.

After everything is installed, you can turn off the VMM flag again and reboot back into Catalina.
 

Attachments

  • Screenshot 2020-03-14 at 04.34.09.png

Northernchip

I get the following error when I try this with the re-signing.
Anyone have a clue?

I removed the screen print as I made a really idiotic error.
 

cdf

If you use OpenCore with BoardProduct spoofing (like for hardware acceleration), then FileVault should just work.
 

Northernchip

Thanks. Happy to try anything. Not familiar with these two products. Can you point me to a guide on this for FileVault? I am in Corona lockdown, so happy to work on it.
 

cdf

The first step is to install OpenCore. There is a guide for that. Then you can edit the config.plist. To enable BoardProduct spoofing:
a) Look for
Code:
<key>SMBIOS</key>
<dict/>
And change it to
Code:
<key>SMBIOS</key>
<dict>
<key>BoardProduct</key>
<string>Mac-7BA5B2D9E42DDD94</string>
</dict>
b) Find the UpdateSMBIOS entry, and change <false/> to <true/>.
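
A way to confirm that both edits from the post above are in place, as an added example rather than anything from the OpenCore project: it parses config.plist with Python's plistlib and reports which of the two changes is missing. The `PlatformInfo` wrapper in the sample and the function names are assumptions; the sample plists are constructed.

```python
import plistlib


def find_key(node, key):
    """Depth-first search of nested plist dicts/arrays; returns (found, value)."""
    if isinstance(node, dict):
        if key in node:
            return True, node[key]
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return False, None
    for child in children:
        found, value = find_key(child, key)
        if found:
            return True, value
    return False, None


def check_board_spoof(plist_bytes):
    """Return a list of problems; an empty list means both edits are in place."""
    config = plistlib.loads(plist_bytes)
    problems = []
    found, smbios = find_key(config, "SMBIOS")
    if not found or not isinstance(smbios, dict) or not smbios.get("BoardProduct"):
        problems.append("SMBIOS/BoardProduct is not set")
    found, update = find_key(config, "UpdateSMBIOS")
    if not found or update is not True:
        problems.append("UpdateSMBIOS is not <true/>")
    return problems


# Constructed config fragments; the PlatformInfo nesting is an assumption.
TEMPLATE = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<plist version="1.0"><dict><key>PlatformInfo</key><dict>\n'
    b'<key>SMBIOS</key>%s\n'
    b'<key>UpdateSMBIOS</key>%s\n'
    b'</dict></dict></plist>\n'
)
SPOOF = b"<dict><key>BoardProduct</key><string>Mac-7BA5B2D9E42DDD94</string></dict>"
UNEDITED = TEMPLATE % (b"<dict/>", b"<false/>")
STEP_A_ONLY = TEMPLATE % (SPOOF, b"<false/>")   # spoof set but never applied
BOTH_STEPS = TEMPLATE % (SPOOF, b"<true/>")

if __name__ == "__main__":
    for name in ("UNEDITED", "STEP_A_ONLY", "BOTH_STEPS"):
        print(name, check_board_spoof(globals()[name]))
```
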
 

Northernchip

Done, thanks everyone. I did the SIP method in the end.
I used the 3,1 board reference and the only other step that should be added to the original instructions is to restart your machine then launch system preferences.

For your viewing pleasure
PHOTO-2020-03-28-17-21-51.jpg

Additionally I am using a metal enabled GPU - AMD Radeon HD 7950 Mac Edition. Also works a treat.
 

Northernchip

Further to changing the Security file I also had to delete the com.apple.TimeMachine.plist in the /Library/Preferences folder. TimeMachine kept throwing an error, I did also reboot. Hope this helps. Further issues I will let you all know.
 

Macschrauber

Confirm Method 2 on 5.1 with latest 2020-003 Security Update (Mojave 18G5033)

Method 1 gave me also an error (could not enable Filevault)
 