InflatableDonkey
Two-step verification
Hello!
Firstly, I want to say thank you for developing this great tool. It is exactly what I have been looking for.
Secondly, please forgive me if this question has already been covered, and if I word it in a less than technical manner.
Is there a way of using this tool with two-step verification enabled on my account? Can I obtain (and use) the DsPrsID/mmeAuthToken? I have tried using an app-specific password I generated, too, but this doesn't seem to work. I receive the following message:
[main] Warn c.g.h.i.cloud.auth.Authenticator - --authenticate() - HttpResponse Exception: Unauthorized: Exception in thread "main" org.apache.http.client.HttpResponseException: Bad appleID/ password or not an iCloud account?
at com.github.horrorho.inflatabledonkey.cloud.auth.Authenticator.authenticate(Authenticator.java:81)
at com.github.horrorho.inflatabledonkey.Main.main(Main.java:125)
Thanks in advance for any suggestions/updates on this matter.
Hi there. As it stands, the tool doesn't work with two-step verification. I also don't have access to a two-step verification device or the corresponding HTTP logs to work with. So although it shouldn't be difficult to add in support for this, I don't have the information to do so.
Also, unless I'm mistaken, you should be able to retrieve a DsPrsID/mmeAuthToken from a two-step authenticated device and use that.
Thanks for the quick response! This is what I receive when I add --token, which hopefully I have done correctly:
[main] WARN c.g.h.i.cloud.auth.Authenticator - --authenticate() - HttpResponseException: Conflict: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>protocolVersion</key>
<string>2</string>
<key>appleAccountInfo</key>
<dict>
<key>dsid</key>
<string>[number redacted]</string>
</dict>
<key>title</key>
<string>Verification Required</string>
<key>localizedError</key>
<string>ACCOUNT_INVALID_HSA_TOKEN</string>
<key>message</key>
<string>This Apple ID is protected with two-step verification. To sign in, you must verify your identity.</string>
</dict>
</plist>
Exception in thread "main" org.apache.http.client.HttpResponseException: Two-step enabled or partial iCloud account activation?
at com.github.horrorho.inflatabledonkey.cloud.auth.Authenticator.authenticate(Authenticator.java:85)
at com.github.horrorho.inflatabledonkey.Main.main(Main.java:125)
I am not sure if this is relevant at all: http://stackoverflow.com/questions/26605293/setup-icloud-com-two-step-verification
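An added example, not part of the thread or of InflatableDonkey's code: a small Python classifier that separates the two failures quoted above, the 401 Unauthorized for bad credentials and the 409 Conflict whose plist body carries ACCOUNT_INVALID_HSA_TOKEN. The function name `classify_auth_failure` and the sample body are constructed for illustration, and the dsid is a placeholder.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample modelled on the 409 body quoted in the thread;
# the dsid is a placeholder, not a real account identifier.
SAMPLE_409_BODY = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>protocolVersion</key>
<string>2</string>
<key>appleAccountInfo</key>
<dict>
<key>dsid</key>
<string>0000000000</string>
</dict>
<key>title</key>
<string>Verification Required</string>
<key>localizedError</key>
<string>ACCOUNT_INVALID_HSA_TOKEN</string>
<key>message</key>
<string>This Apple ID is protected with two-step verification. To sign in, you must verify your identity.</string>
</dict>
</plist>"""


def classify_auth_failure(status, body):
    """Map an authentication failure to (category, detail).

    Hypothetical helper. The dsid in the body is deliberately not returned,
    so it does not end up in logs or bug reports.
    """
    if status == 401:
        return ("bad_credentials", None)
    if status != 409:
        return ("other", None)
    try:
        info = plistlib.loads(body)
    except (plistlib.InvalidFileException, ExpatError, ValueError):
        return ("conflict_unparsed", None)
    if not isinstance(info, dict):
        return ("conflict_unparsed", None)
    if info.get("localizedError") == "ACCOUNT_INVALID_HSA_TOKEN":
        return ("two_step_required", info.get("message"))
    return ("conflict_other", info.get("localizedError"))


if __name__ == "__main__":
    print(classify_auth_failure(409, SAMPLE_409_BODY))
```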
Thank you for the link, but unfortunately the details are far too vague. In all honesty, the underlying server calls are probably fairly simple; it's just that without a two-step verification device to play with I can't spy on and replicate what's going on under the hood.
However, the real issue is my lack of spare time. I have been offered free iPhone devices, but as I'm unable to commit to any development time I've declined. At present I'm basically tidying up a few loose ends before I put this project to one side.
Completely understandable. Thank you again for the quick responses, anyhow!
Thank you for understanding and sorry. I'll leave this ticket open as others may have additional insight or could possibly supply patches.
You can definitely use InflatableDonkey with a 2SV account. The process of obtaining the MMeAuthToken is the tricky part. Any iCloud device that you use has to use this token to connect to iCloud in the background without asking for verification (Contacts sync, Photo Library, iMessage etc).
So you cannot obtain this token AFTER enabling 2SV without going through a few hoops.
Do you have a Mac or PC with iCloud logged in? If you do, you can get a token using Elcomsoft Token Extractor (no endorsement, just a great tool). It is free.
If you don't have a computer with iCloud logged in, find a computer, log into / install iCloud, use the Token extractor and then write down the token somewhere. Then log out. This token will be valid forever until you change your iCloud Password (or if you enable/disable 2SV I believe, although I have never actually tested this. So another possibility is to disable 2SV, get the token using InflatableDonkey, and then enable 2SV, and the token may work. Again, not positive, but worth a shot).
If you don't want to use a computer, you can also intercept the HTTPS traffic coming in / out of your iOS device, by installing a root CA and using MITMproxy or Burp or a similar MITM tool. By inspecting any background iCloud requests that your phone is making, you will find an MMeAuthToken encoded in base64 in the Authorization header of the HTTPS request. This is slightly less intuitive and easy than the token extractor, so I recommend you go that route.
If you have 2SV enabled and try to use InflatableDonkey with just your Apple ID and Password, the credentials will not work (HTTP 409), because of the 2SV. So just pipe your DSID and MMeAuthToken into InflatableDonkey and it will bypass the 2SV. Elcomsoft will also get your DSID for you. Pretty great stuff!
The token should look something like this:
DSID: xxxxxxxxxx (9-11 chars)
Token: Axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx (40 chars)
That worked perfectly. Thank you very much, manwhoami!