two-factor apple id

[Zjemm]

I'm trying this today as my certs are about to expire
BUT
i'm getting messages my password is invalid.

so i thought, ofcourse....i have two factor auth enabled (can't be disabled)
so i made a special APP password and used that, but still i'm getting password is invalid messages.

anyone tried this? with 2fa>

[scintill]

I'll see if I can experiment with 2fa.

These things might be obvious to you, but some ideas: I wonder if you are accidentally adding whitespace to your password when you hash it -- don't press enter at the end, just Ctrl-D until the hash appears. Also, ensure you aren't copying part of your password as the hash (on my system at least, the hash starts immediately after the last character of the password.) Hope this helps.

[Zjemm]

yes i made sure to exactly typed the password and do a ctrl-d twice

the app password looks like this example: znjj-aaac-rgtz-dvgd

but it does not seem to work

curl -i --data-binary @request-body -H 'Content-Type: text/x-xml-plist' --user-agent 'Servermgrd%20Plugin/6.0 CFNetwork/811.11 Darwin/16.7.0 (x86_64)' https://identity.apple.com/pushcert/caservice/new -H 'Accept: /' -H 'Accept-Language: en-us' | tee response
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 15254 100 1116 100 14138 985 12489 0:00:01 0:00:01 --:--:-- 13475
HTTP/1.1 100 Continue

HTTP/1.1 200
Server: Apple
Date: Thu, 10 Sep 2020 20:05:30 GMT
Content-Type: text/x-xml-plist
Content-Length: 1116
Connection: keep-alive
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-Frame-Options: SAMEORIGIN
Host: identity.apple.com
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000; includeSubdomains
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Host: identity.apple.com
X-Frame-Options: SAMEORIGIN

Response Status ErrorDescription Invalid account name and password. Please verify the account name - password ErrorMessage Account Name - Password invalid. ErrorCode -80004 Header ClientIPAddress 1 LanguagePreference 1 TransactionId 1 ClientOSVersion 2.1 ClientOSName MAC OSX ClientApplicationName XServer ClientApplicationCredential 1

[pagaille]

Strange. I have 2fa activated and didn’t had that problem.

[Zjemm]

did you use a app password? or just your normal password?

could it be the hasing might be because of a different distro??

[pagaille]

Nope. Usual Apple password. I ran the tool on Linux.

[scintill]

Is there whitespace in your Apple ID account name? Check PushCertRequestPlist and verify it has something like this with no space in the XML tags:

			<key>AccountName</key>
			<string>name@example.com</string>

[Zjemm]

I’ll check it tonight when I’m home, thanks for thinking with me

[Zjemm]

well it must have been the username as the password hash was ok
it works now :) thanks for the help.

and indeed, no 2FA needed, just the normal appleID password

[scintill]

Glad you got it working. Thanks for the info on how 2FA works with this. I'll add it to the readme.

[titanism]

Can't seem to get it working with either app password or regular password while 2FA is enabled. Were there any workarounds?

[titanism]

Okay it appears that this library no longer properly generates the hash required.

Instead I generated a hash using this approach:

git clone https://github.com/freswa/dovecot-xaps-daemon.git
cd dovecot-xaps-daemon
go build ./cmd/xapsd/xapsd.go
./xapsd -pass

[titanism]

Behind the scenes it does this:

https://github.com/freswa/dovecot-xaps-daemon/blob/abce2f14cf1b5afa56329ebb4d923c9c2aebdfe3/cmd/xapsd/xapsd.go#L73-L83

[titanism]

You can simply instead do this:

echo -n "yourpasswordhere" | sha256sum

To get the value