Password SRP issue, valid password fails fix #388

Closed
ambiman opened this issue Nov 6, 2024 · 10 comments

@ambiman
ambiman commented Nov 6, 2024

After upgrading to v3.1 today, it seems that I'm still not able to login to iCloud:

    iCloud3 Error > useraccount, Authentication Failed, Authentication error, Invalid Username or Password, ErrorCode-401
    iCloud3 Error > useraccount, Authentication Failed, An unknown error occurred, ErrorCode-403
    iCloud3 Device Configuration Error > phone1 (iCloud3) (phone1_icloud3), iCloudDevice-phone1, Not in Apple Acct-useraccount@…………
    iCloud3 Device Configuration Error > phone2 (iCloud3) (phone2_icloud3), iCloudDevice-phone2, Not in Apple Acct-useraccount@…………
    iCloud3 Device Configuration Error > applewatch (iCloud3) (applewatch_icloud3), iCloudDevice-Apple Watch von XYZ, Not in Apple Acct-useraccount@…………

Any ideas? What additional logs would you need?

Specs of my installation:

HA Core 2024.10.4

Thanks and all the best!

@gcobb321
Owner

gcobb321 commented Nov 6, 2024

What did you upgrade from, v2.4.7 or v3.0.x? Go to the Configure Settings > Data Sources > Apple Acct Username/Password and verify your username p/w. Click Add if it does not show up.

@ambiman
Author

ambiman commented Nov 8, 2024

I followed your guidance and re-entered my AppleID PW in the referred menu, but still saw the error messages below and I was also not prompted for any verification code. At this stage, interestingly my iPhones could be tracked again (and values of the different entities were updated frequently), but an AppleWatch of a family member was not tracked/updated at all.

So, I followed your hint here and changed my AppleID PW to a different value, which entirely fixed my problem. I received a token verification request and now all former devices are tracked again!

@ambiman ambiman closed this as completed Nov 8, 2024
@gcobb321
Owner

gcobb321 commented Nov 8, 2024

@ambiman
Glad that took care of the problem. The guys maintaining that SRP code have asked me to send them passwords that fail so they can fix their code.

I would appreciate it if you would email your old password. Send it to [email protected] with the subject ‘SRP failed password’ so it doesn’t get lost with everything else.

Thanks

@codebar33

codebar33 commented Nov 12, 2024

@gcobb321,

As the developers of iMazing, we've updated our authentication method for downloading photos from iCloud. We now use the SRP-6a protocol with the icloud.com API.

We've identified the root cause of the issue where older Apple accounts were receiving a 401 instead of 409 during authentication.

Here's the solution: When the /signin/init request returns protocol: 's2k_fo' in the response body (instead of s2k), you need to pass the SHA256 hashed password to the PBKDF2 HMAC function as a hexadecimal string representation without a null-terminating character, rather than the raw SHA256 bytes.

I hope this helps :)

@gcobb321
Owner

@codebar33
Thanks for the info. Can you point me to your code so I don’t mess it up trying to implement it. The examples were from others, not my account although I will change my test account to one of those. I’ll be away for 3 weeks so no coding for me until next month.

@codebar33

codebar33 commented Nov 12, 2024

Sure, please note that this is C++ code, you'll need to adapt the implementation in Python:

    std::vector< uint8_t > AppleAccountManager::_getDerivatedPasswordHash( const std::string & password, const std::string & protocol, const std::vector< uint8_t > & salt, uint32_t iterations )
    {
        std::vector< uint8_t > derivatedPasswordHash;
        
        CkByteData sha256PasswordHash;

        if( protocol == "s2k_fo" )
        {
            std::string sha256PasswordHashHeyStr = Crypto::sha256( password );
            
            sha256PasswordHash.appendStr( sha256PasswordHashHeyStr.c_str() );
        }
        else // default is "s2k"
        {
            CkCrypt2 crypt;

            crypt.put_Utf8( true );
            crypt.put_HashAlgorithm( "sha256" );

            crypt.HashString( password.c_str(), sha256PasswordHash );
        }

        uint8_t derivatedPasswordHashBytes[ SRP_KEY_LENGTH ];
        if( PKCS5_PBKDF2_HMAC( reinterpret_cast< const char * >( const_cast< unsigned char * >( sha256PasswordHash.getBytes() ) ), sha256PasswordHash.getSize(), salt.data(), salt.size(), iterations, EVP_sha256(), SRP_KEY_LENGTH, derivatedPasswordHashBytes ) == false )
        {
            return derivatedPasswordHash;
        }

        derivatedPasswordHash.insert( derivatedPasswordHash.end(), derivatedPasswordHashBytes, derivatedPasswordHashBytes + SRP_KEY_LENGTH );

        return derivatedPasswordHash;
    }

@codebar33

codebar33 commented Nov 12, 2024

In Python this would be:

    class SrpPassword():
        def __init__(self, password: str):
            self.password = password
        def set_encrypt_info(self, protocol: str, salt: bytes, iterations: int, key_length: int):
            self.protocol = protocol
            self.salt = salt
            self.iterations = iterations
            self.key_length = key_length
        def encode(self):
            if (self.protocol == 's2k_fo'):
                password_hash = hashlib.sha256(self.password.encode('utf-8')).hexdigest()[:-1]
            else:
                password_hash = hashlib.sha256(self.password.encode('utf-8')).digest()

            return hashlib.pbkdf2_hmac('sha256', password_hash, salt, iterations, key_length)

@rlpowell

rlpowell commented Dec 2, 2024

There's a bug in the python code, but I did get it working; see icloud-photos-downloader/icloud_photos_downloader#975 (comment) for the fix
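
The derivation codebar33 describes, written out as an added Python example (not code from this thread or from either project): for `s2k_fo` the PBKDF2 input is the full 64-character hex digest as ASCII bytes, for `s2k` the raw 32-byte digest. The function names, the lowercase-hex choice, and the constructed sample password, salt, iteration count and 32-byte key length are assumptions.

```python
import hashlib


def pbkdf2_input(password: str, protocol: str) -> bytes:
    """Return the bytes fed to PBKDF2 for the protocol named by /signin/init."""
    digest = hashlib.sha256(password.encode("utf-8"))
    if protocol == "s2k":
        return digest.digest()  # raw 32-byte SHA-256
    if protocol == "s2k_fo":
        # Full hex string as ASCII bytes: 64 characters, no trailing NUL and
        # no truncation. Lowercase hex is an assumption (hashlib's output).
        return digest.hexdigest().encode("ascii")
    # Fail closed on anything else instead of silently falling back to s2k.
    raise ValueError(f"unsupported SRP password protocol: {protocol!r}")


def derive_srp_password(password: str, protocol: str, salt: bytes,
                        iterations: int, key_length: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the protocol-specific password hash."""
    return hashlib.pbkdf2_hmac("sha256", pbkdf2_input(password, protocol),
                               salt, iterations, key_length)


# Constructed sample values (not taken from a real account or response).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_ITERATIONS = 20000
SAMPLE_KEY_LENGTH = 32  # assumed; the thread does not show SRP_KEY_LENGTH


def compare_protocols() -> dict:
    """Derive the key both ways to show that the two protocols never agree."""
    return {p: derive_srp_password(SAMPLE_PASSWORD, p, SAMPLE_SALT,
                                   SAMPLE_ITERATIONS, SAMPLE_KEY_LENGTH)
            for p in ("s2k", "s2k_fo")}


if __name__ == "__main__":
    for protocol, key in compare_protocols().items():
        size = len(pbkdf2_input(SAMPLE_PASSWORD, protocol))
        print(f"{protocol:7s} pbkdf2 input={size} bytes derived={key.hex()}")
```

A client that always takes the `s2k` branch derives a different value for an account that returns `s2k_fo`, which is the mismatch codebar33 identifies behind the 401.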

@26tajeen

26tajeen commented Dec 5, 2024

@ambiman or @rlpowell is there a suggested patch for this issue?

@rlpowell

rlpowell commented Dec 8, 2024

The project that I was using did icloud-photos-downloader/icloud_photos_downloader#1014 ; I'm not involved in this project, I was just providing feedback on the almost-working fix for others to use.
