horrorho / InflatableDonkey

iOS9+ iCloud backup retrieval proof of concept
MIT License

Re: Two way factor authentications #43

Open rameshT108 opened 7 years ago

rameshT108 commented 7 years ago

Is it possible to do this for 2-factor authentication enabled Apple IDs?

horrorho commented 7 years ago

Hi. You can, but not in a direct manner. There was a ticket dealing with this but it seems to have been deleted. Unfortunately I don't own any iOS devices and I've largely stopped working on this project so I'm unable to test any methods.

If you supply InflatableDonkey with a two factor authenticated dsPrsID:mmeAuthToken token it should work. These can be ripped from HTTP headers or retrieved via third party tools, such as Elcomsoft's Apple Token Extractor.

Also have you tried application specific passwords? For this you'll need to grab an application specific password and run it using the --token command.

java -jar InflatableDonkey.jar appleid appspecificpassword --token

It should output a dsPrsID:mmeAuthToken that should look like:

1137633663:AQAAAABY7ySCtLEzo0RWEuIjR6KJs+NYKIJk7yE=

Copy this token and keep it safe. From now on use the token with InflatableDonkey:

java -jar InflatableDonkey.jar 1137633663:AQAAAABY7ySCtLEzo0RWEuIjR6KJs+NYKIJkw7yE=

rameshT108 commented 7 years ago

Application specific is fine. Is two-way authentication possible or not?

horrorho commented 7 years ago

Thank you for the feedback.

Unfortunately as it stands two factor authentication is not directly implemented. Sorry. If at some point I have the time to add in new features I'll certainly consider it.

rameshT108 commented 7 years ago

Can you guide me on how to implement that? I will do my best, because your lib is very good.

horrorho commented 7 years ago

I've no idea if the full protocol has been published at all. If not it would need to be elucidated somehow, either by snooping on client-server interactions or by reversing binaries. Unfortunately I really don't have the time to do this at present.

Is there a reason that two factor authentication is particularly important? The same outcome can be achieved with application specific passwords, namely the production of a working dsPrsID:mmeAuthToken.

ghost commented 7 years ago

You can also get the tokens by using this program https://github.com/manwhoami/MMeTokenDecrypt

horrorho commented 7 years ago

@manwhoami Excellent, thank you!

themylogin commented 7 years ago

Is backup download with application-specific passwords really possible? I get 401 for all my requests, e.g.

$ java -jar InflatableDonkey/target/InflatableDonkey.jar themylogin@gmail.com gsrm-evia-hesg-ebtf --token
NOTE! Experimental Data Protection class mode detection.
If you have file corruption issues please try setting the mode manually:
    --mode CBC  OR  --mode XTS
16:37:23.253 [main] WARN  c.g.h.i.cloud.auth.Authenticator - --authenticate() - HttpResponseException: Unauthorized: 
Exception in thread "main" org.apache.http.client.HttpResponseException: Bad appleId/ password or not an iCloud account?
    at com.github.horrorho.inflatabledonkey.cloud.auth.Authenticator.authenticate(Authenticator.java:81)
    at com.github.horrorho.inflatabledonkey.Main.main(Main.java:160)

horrorho commented 7 years ago

@themylogin I don't have any iOS devices to play with so I'm unable to do any testing. I've had reports that application specific passwords are working (or were working).

Is anyone else still able to use application specific passwords with success?

ajlyakhov commented 7 years ago

It seems like app-specific passwords do not allow generating a dsPrsID:mmeAuthToken. Here is my output:

$ java -jar ./InflatableDonkey.jar appleid appspecificpass --token
NOTE! Experimental Data Protection class mode detection.
If you have file corruption issues please try setting the mode manually:
    --mode CBC  OR  --mode XTS
22:01:51.458 [main] WARN  c.g.h.i.cloud.auth.Authenticator - --authenticate() - HttpResponseException: Unauthorized: 
Exception in thread "main" org.apache.http.client.HttpResponseException: Bad appleId/ password or not an iCloud account?
    at com.github.horrorho.inflatabledonkey.cloud.auth.Authenticator.authenticate(Authenticator.java:81)
    at com.github.horrorho.inflatabledonkey.Main.main(Main.java:160)

horrorho commented 7 years ago

There are a few authentication routes available to us. InflatableDonkey/ iLoot use a particular method to avoid a certain security mechanism which I won't detail here. It's possible application specific passwords are not compatible with it. If I get time, which is unlikely, I'll try and code a more conventional authentication process for people to test.

SergeyTim commented 7 years ago

Hello, horrorho!

Thank you for your hard work on this tool!

Is anyone else still able to use application specific passwords with success?

Yes, I've just checked. And everything works fine for me.

@ajlyakhov, did you use your real Apple ID and password for it? Not just this as is: "$ java -jar ./InflatableDonkey.jar appleid appspecificpass --token"

ajlyakhov commented 7 years ago

Glad to hear that it works for you @SergeyTim :) Sure, I tried to use my appleid/pass but it's not working because 2FA is enabled (it was fine before 2FA was enabled). Maybe I did something wrong. I've generated an app-specific pass on apple.com inside the Apple ID portal and then used the generated pass instead of the real one. What was your process?

horrorho commented 7 years ago

@SergeyTim Thank you! As comical as it sounds, I cannot fully test my own program as I don't own any iOS devices, so your feedback is greatly appreciated.

If you have the time available, as @ajlyakhov suggested, it would be wonderful if you could outline the process you used so others may benefit.

ajlyakhov commented 7 years ago

Today I've done a new test. I've created a simple authentication function in Python, which sends a GET to https://setup.icloud.com/setup/authenticate/$APPLE_ID$ (+ proper Authorization header). When I used an Apple ID without 2FA enabled, auth was successful; then with 2FA I got a 409 status code (and a description that 2FA is enabled etc.) - that's OK and expected. Then I tried an app-specific password and got 401 (Unauthorized), which I get when I try an invalid pass. I made a try with and without the "specific" user agent (found it in InflatableDonkey sources), but that does not help me. Any ideas what else I can try?

ghost commented 7 years ago

I have not played around with app-specific passwords too much. I will poke around a bit and post any updates here.

User agent should not affect it [but who knows].

ajlyakhov commented 7 years ago

Thank you @manwhoami, any info would be great. Also, I've created a new Apple ID, enabled 2FA and an app-specific pass - same 401 status code. Maybe it's OK and I need to send some other requests based on that response, but I don't know which one.

horrorho commented 7 years ago

@ajlyakhov Hi. Those responses are what you tend to get with correct/incorrect passwords. Unfortunately I've not been able to do further testing. My lack of spare time and iOS devices is problematic.

mca-gif commented 7 years ago

2FA works if you follow Apple's documentation for using 2FA on applications that don't support it. Available at https://support.apple.com/en-us/HT204915

You just have to append the 2FA code to the end of your password. The codes expire after use or after a minute or so.

ajlyakhov commented 7 years ago

Thank you @mattandersen, that works for me now! Here are my steps:

  1. I tried to log in to www.icloud.com; as I've enabled 2FA, it requested me to input the 2FA code after login/pass.
  2. I saw a popup on my associated iPhone with a 6-digit code.
  3. Then I used InflatableDonkey to get the token by adding that 6-digit code to my pass.

That's cool, but it would be much more logical if I didn't need to use www.icloud.com to receive the code, right? Based on the pyicloud project, I see that they send a POST request to:

https://setup.icloud.com/setup/ws/1/sendVerificationCode

with trusted device JSON data and session cookies. That's nice, but pyicloud uses a separate "web api" of iCloud. Do you guys know about a similar endpoint on our API which will do the same thing?

horrorho commented 7 years ago

@ajlyakhov I had a quick look at the iCloud web API login via Firefox and live-http-headers-clone. There are a number of cookies with components that look suspiciously like mmeAuthTokens:

Set-Cookie: X-APPLE-WEBAUTH-LOGIN=...
Set-Cookie: X-APPLE-WEBAUTH-VALIDATE=...
Set-Cookie: X-APPLE-WEBAUTH-TOKEN=...

I did try, although only briefly, to forge them into dsPrsID:token items to pass via InflatableDonkey. I did not have any success. It would certainly be worth trying this again as I was rushed. There is a discrepancy in the Base64 tables that may be relevant, something that I didn't fully adjust for.

Although I can't claim to know any details regarding the mmeAuthToken format. It appears to have a small fixed header combined with a key and a generated token, or simply a small fixed header and a token. There are quite a few of these binary blob types around. Again, I've not taken time to formally assess the mmeAuthToken format, so please take my observations with a pinch of salt.

Apple servers probably have a database that references dsPrsIDs/ randomly generated tokens for authentication. Possibly, put on tinfoil hat, there is a key derivation function in use; this would allow those in the know to forge tokens, remove tinfoil hat.

There are other cookies that may have information that you might want to explore, particularly in regards to pulling out a CLOUDKIT_AUTH_TOKEN which could possibly be used, but would require a modified InflatableDonkey to do so.

Set-Cookie: X-APPLE-WEBAUTH-PCS-Cloudkit=

Again I make no promises that anything will work, just avenues of enquiry that you might want to consider.
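An offline sanity check for the dsPrsID:mmeAuthToken string format discussed in this thread, added here as an example (it is not code from InflatableDonkey). It reuses the token string posted earlier in the thread as its sample input, splits the two halves, and decodes the Base64 part with the standard alphabet first and the URL-safe alphabet as a fallback, which is the table discrepancy mentioned above; the 4-byte "header" it reports is just the leading bytes of the blob, not a documented structure.

```python
import base64
import binascii
import re

# Token string from the thread above, reused as sample input for the check.
SAMPLE_TOKEN = "1137633663:AQAAAABY7ySCtLEzo0RWEuIjR6KJs+NYKIJk7yE="


def decode_token_part(b64_text: str) -> bytes:
    """Decode the mmeAuthToken half. Standard Base64 is tried first; if the
    text contains '-' or '_' (the URL-safe table used by some web cookies)
    the URL-safe decoder is used instead. Stripped padding is restored."""
    padded = b64_text + "=" * (-len(b64_text) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        return base64.urlsafe_b64decode(padded)


def parse_ds_token(token: str) -> dict:
    """Split a 'dsPrsID:mmeAuthToken' string and report what can be checked
    offline: the numeric dsPrsID, the decoded blob length and its first bytes.
    Raises ValueError on a malformed string so a copy/paste typo is caught
    before the token is handed to a tool that would just report 'bad
    appleId/password'."""
    if token.count(":") != 1:
        raise ValueError("expected exactly one ':' between dsPrsID and token")
    ds_prs_id, b64_part = token.split(":")
    if not re.fullmatch(r"\d+", ds_prs_id):
        raise ValueError("dsPrsID must be numeric")
    if not re.fullmatch(r"[A-Za-z0-9+/_-]+=*", b64_part):
        raise ValueError("mmeAuthToken part contains non-Base64 characters")
    raw = decode_token_part(b64_part)
    return {
        "dsPrsID": int(ds_prs_id),
        "token_bytes": len(raw),
        # Leading bytes only; horrorho's "small fixed header" is a guess.
        "header_hex": raw[:4].hex(),
    }


if __name__ == "__main__":
    print(parse_ds_token(SAMPLE_TOKEN))
```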

fongph commented 7 years ago

With mattandersen's way (appending the 6-digit code to the end of the password), we can use InflatableDonkey to display the mmeAuthToken (--token option) and we can use that to sign in going forward. However, I am not sure how long that mmeAuthToken is good for and whether it is the right way of obtaining the 2FA'd token.

tpatterson commented 6 years ago

Hi @horrorho, InflatableDonkey is great. I'll probably be using it in a production environment as part of my anti-pornography/parental-monitoring system. Really appreciate the efforts you've put into this project! Best of luck with whatever it is you've moved on to.

tpatterson commented 6 years ago

You can get a 6-digit code from an iOS device like this: Settings -> Your Name -> Passwords & Security -> Get Verification Code.

Append that code to the end of the password and you can get the mmeAuthToken.

preetisantoki commented 5 years ago

> Thank you @mattandersen, that works for me now! Here are my steps:
>
>   1. I tried to log in to www.icloud.com; as I've enabled 2FA, it requested me to input the 2FA code after login/pass.
>   2. I saw a popup on my associated iPhone with a 6-digit code.
>   3. Then I used InflatableDonkey to get the token by adding that 6-digit code to my pass.
>
> That's cool, but it would be much more logical if I didn't need to use www.icloud.com to receive the code, right? Based on the pyicloud project, I see that they send a POST request to:
>
> https://setup.icloud.com/setup/ws/1/sendVerificationCode
>
> with trusted device JSON data and session cookies. That's nice, but pyicloud uses a separate "web api" of iCloud. Do you guys know about a similar endpoint on our API which will do the same thing?

Can you give an example of how to append 6 digit code with the password to get token?

Galeneius commented 5 years ago

Anyone managed to download a backup with 2FA on?

vipinbeni commented 5 years ago

Anyone managed to download a backup with 2FA on?

vipinbeni commented 5 years ago

Thank you Sir @mattandersen, @tpatterson and @horrorho, @ajlyakhov, @preetisantoki. Please help.

I need to clear my problem with you all: I am adding the 6 digit code at the end of the password, like if the code is 989898, but I **got bad apple id or password error**. Please tell me where and how we add the 6 digit code in the arguments, please help ...

 "vipin.beniwal722@gmail.com" "mypassword989898"

> 1. I tried to log in to www.icloud.com; as I've enabled 2FA, it requested me to input the 2FA code after login/pass.
> 2. I saw a popup on my associated iPhone with a 6-digit code.
> 3. Then I used InflatableDonkey to get the token by adding that 6-digit code to my pass.
>
> That's cool, but it would be much more logical if I didn't need to use www.icloud.com to receive the code, right? Based on the pyicloud project, I see that they send a POST request to:
>
> https://setup.icloud.com/setup/ws/1/sendVerificationCode
>
> with trusted device JSON data and session cookies. That's nice, but pyicloud uses a separate "web api" of iCloud. Do you guys know about a similar endpoint on our API which will do the same thing?

@preetisantoki Can you give an example of how to append 6 digit code with the password to get token?

vipinbeni commented 5 years ago

Hi Sir, please help @horrorho @rameshT108 @themylogin @ajlyakhov @SergeyTim @preetisantoki

vipinbeni commented 5 years ago

Please help @horrorho @rameshT108 @themylogin @ajlyakhov @SergeyTim @preetisantoki @asifmehmoood

tadangky commented 5 years ago

I'm stuck here, please help @horrorho @rameshT108 @themylogin @ajlyakhov @SergeyTim @preetisantoki @asifmehmoood @tpatterson.