ICloud 2FA seems to have broken

[diminDDL]

Trying to log in using the Docker method explained in the main readme, I get the following:

025-11-29 00:51:24,353 - INFO - 2FA required, requesting SMS code. (No other 2FA-code will work!)
2025-11-29 00:51:25,264 - INFO - Using phone with id 1 for SMS2FA
Enter SMS 2FA code (If you do not receive a code, wait 60s and press Enter. An attempt will be made to request the SMS in another way.): 
Traceback (most recent call last):
  File "/app/endpoint/mh_endpoint.py", line 177, in <module>
    apple_cryptography.registerDevice()
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/app/endpoint/register/apple_cryptography.py", line 71, in registerDevice
    getAuth(regenerate=True)
    ~~~~~~~^^^^^^^^^^^^^^^^^
  File "/app/endpoint/register/apple_cryptography.py", line 44, in getAuth
    mobileme = icloud_login_mobileme(
        username=mh_config.getUser(), password=mh_config.getPass())
  File "/app/endpoint/register/pypush_gsa_icloud.py", line 45, in icloud_login_mobileme
    g = gsa_authenticate(username, password)
  File "/app/endpoint/register/pypush_gsa_icloud.py", line 126, in gsa_authenticate
    sms_second_factor(spd["adsid"], spd["GsIdmsToken"])
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/endpoint/register/pypush_gsa_icloud.py", line 289, in sms_second_factor
    code = request_code(headers)
  File "/app/endpoint/register/pypush_gsa_icloud.py", line 329, in request_code
    req.raise_for_status()
    ~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/local/lib/python3.13/site-packages/requests/models.py", line 1026, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 405 Client Error:  for url: https://gsa.apple.com/auth/verify/phone/

I don't receive any 2FA, wait a minute and hit enter and get this error.
Going to the gsa link in a browser gives me a Error code: 403 Forbidden even though I am logged into iCould on this browser.

Trying to log into iCloud on a web browser wile logging the traffic showed that Apple right now seems to do a PUT request to https://idmsa.apple.com/appleauth/auth/verify/phone.
It sends it:
{"phoneNumber":{"id":1},"mode":"sms"}
and then the verification code goes as a POST to https://idmsa.apple.com/appleauth/auth/verify/phone/securitycode
with the following content:
{"phoneNumber":{"id":1,"nonFTEU":true},"securityCode":{"code":"123456"},"mode":"sms"}

[diminDDL]

Upon looking at the source code I suspect they simply updated the domain and changing it here to the new one would likely fix the issue:

macless-haystack/endpoint/register/pypush_gsa_icloud.py

Lines 317 to 331 in b32a805

	def request_code(headers):
	# This will send the 2FA code to the user's phone over SMS
	# We don't care about the response, it's just some HTML with a form for entering the code
	# Easier to just use a text prompt
	body = {"phoneNumber": {"id": 1}, "mode": "sms"}
	with requests.put(
	"https://gsa.apple.com/auth/verify/phone/",
	json=body,
	headers=headers,
	verify=False,
	timeout=5
	) as req:
	req.raise_for_status()
	code = input(f"Enter SMS 2FA code:")
	return code

[lpg2709]

Hi diminDDL,

I've had some authentication problems too, usually solved by:

1. Logging in with my Apple ID on an Apple device, at least once.
2. I once forgot to log out on a Mac, and the authentication was going to the Mac and not to 2FA. I logged out of all devices and started receiving the SMS again.

I hope this helps you.

[diminDDL]

Probably fixed with #222 will confirm once in a release, or when I'll have time to mess with the live branch.

[ddd999]

I'm seeing a similar issue, when I use the "alternate method" to receive the SMS, I do get a code, but then I get this output after entering it:

2026-02-03 07:13:57,190 - INFO - Sending SMS via id 1
Enter SMS 2FA code:621313
Traceback (most recent call last):
  File "/app/endpoint/mh_endpoint.py", line 177, in <module>
    apple_cryptography.registerDevice()
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/app/endpoint/register/apple_cryptography.py", line 71, in registerDevice
    getAuth(regenerate=True)
    ~~~~~~~^^^^^^^^^^^^^^^^^
  File "/app/endpoint/register/apple_cryptography.py", line 44, in getAuth
    mobileme = icloud_login_mobileme(
        username=mh_config.getUser(), password=mh_config.getPass())
  File "/app/endpoint/register/pypush_gsa_icloud.py", line 45, in icloud_login_mobileme
    g = gsa_authenticate(username, password)
  File "/app/endpoint/register/pypush_gsa_icloud.py", line 126, in gsa_authenticate
    sms_second_factor(spd["adsid"], spd["GsIdmsToken"])
    ~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/app/endpoint/register/pypush_gsa_icloud.py", line 301, in sms_second_factor
    resp.raise_for_status()
    ~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/local/lib/python3.14/site-packages/requests/models.py", line 1026, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 401 Client Error:  for url: https://gsa.apple.com/auth/verify/phone/securitycode

Edit: My Apple ID was logged in on an iPhone when I got the output above. When I signed out the ID on the iPhone, I received the SMS right away using the first method. I haven't flashed any tags yet to confirm but the server at least appears to be running.

[diminDDL]

Tried it with the latest-dev tag and was able to log in, it wasn't able to issue an sms request on it's own so I manually navigated to https://www.icloud.com/ and initiated an sms code login, typed the code I got over sms into macless-haystack and it worked.

The latest tag however still tries to use the https://gsa.apple.com/auth/verify/phone/securitycode for some reason.