├── scripts
│   └── 3utoolsapi
│       └── python
│           └── api.py
├── Tutorial.md
└── README.md

/scripts/3utoolsapi/python/api.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python3

# Yes, 3utools does not need any API key, how excellent and polite!
# Let's build something beautiful out of the API, definitely not this crappy script I wrote in a minute.

import requests


class TreeUAPI:
    def __init__(self):
        self.apibase = 'http://app.pcres.3u.com/'
        # Actions observed so far; only firmware_list is implemented below.
        self.actions = ['firmware_list', 'firmware_iosVersion']

    def firmware_list(self, model='', fs='', seltype='', ios=''):
        # Collect only the parameters that were actually given, so the query
        # string does not start with a stray '&' and values get URL-encoded.
        params = {}
        if model != '':
            params['model'] = str(model)
        if fs != '':
            params['fs'] = str(fs)
        if seltype != '':
            params['seltype'] = str(seltype)
        if ios != '':
            params['ios'] = str(ios)

        response = requests.get(self.apibase + 'firmware_list.action',
                                params=params, timeout=30)
        response.raise_for_status()  # surface HTTP errors instead of printing an error page
        print(response.text)
        return response.text

--------------------------------------------------------------------------------
/Tutorial.md:
--------------------------------------------------------------------------------
# Reverse engineering 3utools tutorial

## Requirements
- Microsoft Windows 7 or higher, possibly in a virtual machine.
- Telerik's Fiddler (https://www.telerik.com/fiddler) or Burp Suite
- 3utools desktop application (3utools.com)
- DirBuster

## Preparations
- Install 3utools.
- Install Telerik's Fiddler (or Burp Suite).
- Close 3utools if it is open, including the tray icon.
- Launch Fiddler and enable its proxy; by default it listens on port 8888.
- Launch 3utools and press the settings icon in the top right.
- Now click proxy settings and enter localhost with the port from Fiddler.

## Reversing 3utools
1. In Fiddler you can now click the hitmark icon, drag it onto 3utools and turn Decode on.
2. You will now be able to see the SSL traffic of 3utools in Fiddler.
3. Any operation that is done by communicating through their API, for example a search query, will appear in Fiddler.
4. One can click the request and choose Raw to see what the 3utools API responded to the application.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Reversing3utools
Reverse engineering the commonly used 3utools software to make it more open and to learn about it.

## Why
3utools is amazingly great software for managing iOS devices.
Not only does it show you a lot of information about the hardware integrity of your devices, it also helps you fix problems and jailbreak them.
3utools is not open source, but it has an API for most of its functionality.
For the freedom of development I wanted to see if this API can be reused by developers, as that would make the life of security researchers easier.

## The Research
3utools has the ability to specify a proxy in its settings.
Since the traffic of 3utools is encrypted via TLS, I am using Fiddler with its own CA certificate.
After launching Fiddler I simply set the proxy server in the settings to localhost with port 8888, which is what Fiddler runs on.
Burp Suite works the same way, which is amazing for debugging API calls and for reproducing / interacting with them.

## First 0-day vulnerability reported

Without even using any research tools like Burp Suite and Fiddler, I expected that most of the content loaded in 3utools is actually just a webpage with a lot of JavaScript, because of the delays in rendering certain user-interface graphics; that could mean, and turned out to mean, that they are loaded over the network.

3utools was vulnerable to a low-risk cross-site scripting vulnerability, which I found by simply entering "" in almost any of the input fields a user could access in the software.
With that I also found the domain where their UI is located.

Without further interruption or waiting, I immediately reported the vulnerability to 3utools and it got patched the same day.
However, I did not get any bounty. After all, 3utools is free software anyway.

## Amazing infrastructure
3utools seems to have amazing infrastructure.
They have a persistent file storage server where they store almost any iOS firmware related files, such as developer DMGs and jailbreaks.
This makes their service faster than Apple's and able to serve files even when Apple's servers are down.
What is where and where is what is yet to be found out, but at least I discovered that when clicking the 'view screen' button the corresponding developer DMG image is downloaded for your device and mounted.
Probably because they use the 'screenshotr' xpc service to get the live screen.
For developers and researchers this means it is amazingly easy to quickly download the developer DMG from their servers, as they are all named logically.

Aside from the file storage they also have a REST JSON API with which one can retrieve information about firmware.
One can ask the API to return only jailbreakable firmware, only jailbreakable and signed firmware, or just any firmware for specific devices and OS versions.
A great feature if you ask me; again, for developers and researchers a good way to automate more of their work.


**NOTE FOR DEVELOPERS:** You can see the full documentation being developed by clicking the 'wiki' here on GitHub.

**TLDR:**
Reverse engineering 3utools pays off and the first vulnerability has been fixed.
Developers and researchers benefit from the 3utools REST API and file storage.
--------------------------------------------------------------------------------
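As an added example that is not part of this repository, a stdlib-only client for the firmware_list endpoint described in the README: it builds the query string with proper URL-encoding (the stray '?&' of naive concatenation is avoided) and sends the request through the intercepting proxy from the tutorial, keeping TLS verification on by trusting the proxy's exported root CA. The proxy address, the CA file path and the sample parameter values are assumptions; the accepted seltype values are not documented here.

```python
#!/usr/bin/env python3
"""Query the 3utools firmware_list endpoint via an intercepting proxy (added example)."""
import json
import ssl
import urllib.parse
import urllib.request

API_BASE = 'http://app.pcres.3u.com/'
# Assumption: Fiddler's default listener from the tutorial (Burp would be 127.0.0.1:8080).
PROXY = 'http://127.0.0.1:8888'


def build_firmware_list_url(model='', fs='', seltype='', ios=''):
    """Build the firmware_list URL from the non-empty parameters only.
    urlencode() escapes reserved characters (e.g. ',' -> %2C) and avoids the
    stray '?&' that naive string concatenation produces."""
    given = [('model', model), ('fs', fs), ('seltype', seltype), ('ios', ios)]
    params = {k: str(v) for k, v in given if v != ''}
    url = API_BASE + 'firmware_list.action'
    return url + '?' + urllib.parse.urlencode(params) if params else url


def parse_response(body):
    """The README describes the API as JSON; fall back to raw text otherwise."""
    try:
        return json.loads(body)
    except json.JSONDecodeError:
        return body


def make_opener(proxy=PROXY, proxy_ca_file=None):
    """Route traffic through the proxy. When the proxy re-signs TLS (Fiddler or
    Burp), pass its exported root CA so verification stays on instead of off."""
    ctx = ssl.create_default_context(cafile=proxy_ca_file)
    return urllib.request.build_opener(
        urllib.request.ProxyHandler({'http': proxy, 'https': proxy}),
        urllib.request.HTTPSHandler(context=ctx))


def fetch_firmware_list(opener, **params):
    with opener.open(build_firmware_list_url(**params), timeout=30) as resp:
        return parse_response(resp.read().decode('utf-8', errors='replace'))


if __name__ == '__main__':
    # 'iPhone10,3' is a constructed sample value; the model format is not documented here.
    print(fetch_firmware_list(make_opener(), model='iPhone10,3', ios='14.8'))
```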