Import accessories from iCloud Keychain

Open malmeloo opened this issue 3 months ago • 7 comments

Currently, importing accessories into FindMy.py requires access to a machine running macOS. However, it should be possible to pull these secrets directly from the iCloud keychain without using a Mac altogether.

Rustpush has this implemented: https://github.com/OpenBubbles/rustpush/blob/master/src/cloudkit.rs#L828

Possible options:

  1. Re-implement the above rust code in Python and integrate it with the library (potentially a lot of work)
  2. Write a command-line tool in Rust that wraps Rustpush, downloads the accessory secrets and exports them to FindMy.py-compatible format
     a. Ideally, rustpush would use our already-existing session to communicate with Apple so users don't have to sign in twice, but this is optional
  3. Wrap rustpush in Python (not sure how well this would work, and I'd like to keep FindMy.py python-only)

malmeloo avatar Sep 11 '25 15:09 malmeloo

Is that Rust code implementing the whole extraction logic from scratch? What are its dependencies/inputs? I'm also unfamiliar with Rust, but you might be able to get pretty far by just dumping it into one of the LLM chatbots and asking it to rewrite it in Python (and then just build it up step by step).

I think that considering they apparently broke all the workarounds for the latest MacOS version and the export step is so annoying, if this implementation fully covers getting the tags then this should probably be the preferred method of dealing with the tags.

parawanderer avatar Sep 19 '25 19:09 parawanderer

I started a discussion here and the author of OpenBubbles/rustpush seems interested in making a CLI utility to export the data they're able to collect already using their logic. This might solve the current issue people are having with the existing tooling not being cross-device and breaking with new releases of macOS. Might make it easier to look into how to integrate it more deeply with FindMy.py too.

parawanderer avatar Sep 19 '25 21:09 parawanderer

I took a stab at attempting to port the open bubbles / rustpush functionality this weekend. I learned a lot in the process, and in the end I hit an impasse. Unfortunately, as it stands it's not possible to re-implement this in Python in a self-contained way without first repeating the reverse-engineering behind rustpush. As I understand it, fetching the device secrets from keychain requires first recovering the "master key" using escrow, and doing that requires an implementation of Apple's Network Absinthe Challenge. Within rustpush that is a closed-source component despite the misnomer "open-absinthe" and the developer has made it clear they are unwilling to open-source it. So the best option is probably a compiled utility that handles that part of the process. https://github.com/OpenBubbles/rustpush/issues/11

mfcarroll avatar Oct 19 '25 19:10 mfcarroll

@mfcarroll thanks for taking the time to look into this!

But yeah, that is very unfortunate then. I suppose in that case we are locked to the actual author creating that compiled tool for it?

Not the end of the world by any means, but it's too bad that the project naming turns out to not match the general pattern of "Open == here's all the code, you can compile it and it'll work". I'm sure reversing Apple's spaghetti took a lot of effort but nonetheless. The thing I like about the whole Open(source) world is that you can just take stuff and see the implementation details and build upon it further without gatekeeping knowledge/findings/technical details.

parawanderer avatar Oct 19 '25 20:10 parawanderer

@parawanderer yeah, I believe so. And yes, I agree with you, it's disappointing but ultimately it's the author's decision. Hopefully they have a plan in place so that considerable piece of work isn't lost if they can't maintain it at some point. If nothing else it sounds from that discussion you had with them like they may still be willing to assist with a binary tool to enable easier access to what we need from Apple.

I'm still trying another method that may not need the escrow recovery, but instead relies on another device "vouching" for the new "device" (in our case our FindMy.py instance) to be able to access the keychain. But I won't lie, I'm deep into learning completely new things territory here. I'll update if I manage to make any progress with that.

mfcarroll avatar Oct 19 '25 21:10 mfcarroll

It might be easier to wrap as a Python extension with PyO3, less work than reimplementing if the logic is complex.

kapilt avatar Oct 21 '25 16:10 kapilt

~~So we cannot build rustpush ourselves, and it seems that no binaries are provided either. That's a pretty big roadblock...~~

Edit: never mind, seems like the absinthe dependency is not necessary after all?

malmeloo avatar Oct 21 '25 17:10 malmeloo