8/22/2021

3utools Wikipedia

41

3uTools is an all-in-one tool for all iOS devices. It can help you view and manage the data files of your iOS devices. It also offers you with the professional flashing and jailbreaking function. Besides, 3uTools includes a series of assistant tools. 3uTools is an all-in-one tool for all iOS devices. It can help you view and manage the data files of your iOS devices. It also offers you with the professional flashing and jailbreaking function. Besides, 3uTools includes a series of assistant tools.

Get music for free downloads. Tethered Downgrades are downgrades which flash unsigned iOS versions in a way that meets certain iTunes requirements to complete a restore. It is possible to perform a tethered downgrade on any device that is vulnerable to the limera1n Exploit.

Installing a firmware version using this method (without valid SHSH blobs) will result in a permanently tethered jailbreak. Each time the device boots, the bootrom validates the SHSH blobs for LLB, LLB for iBoot, and so on. Therefore, the image validation function must be patched or bypassed with an appropriate bootrom exploit payload on every boot or the device will be forced into DFU mode or recovery mode depending on the method.

Dead LCD Bug

Locking a device with an unsigned bootchain (specifically the LLB) while on battery power causes iOS to disable the LCD. A restore to the latest iOS is needed to fix this.

LCD Incompatibility

Some iOS versions (such as iOS 5) cannot boot when the device has a counterfeit display. A workaround is available here.

Method

3utools Wikipedia
NameDescription
GeekGrade
  • Instead of making the IPSW via sn0wbreeze, it's made via iFaith. The ramdisk is modified to remove iH8sn0w's iFaith logo and to replace it with BlackGeek's logo. It also sets FlashNOR to false in option.plist. This last modification allows the bootchain to stay signed (if it was signed prior to restore). This method fixes the display failure bug. The device is then sent to recovery mode (instead of DFU) because the bootchain is signed but fails to load iOS.
iFaith
  • Make an IPSW in iFaith with someone else's valid blobs for your specific device and swap that IPSW's ramdisk with the one in GeekGrade's IPSWs or make the modified ramdisk yourself.
Sund0wn
  • Downgrade utility for Windows written by iSuns9 that allows tether and untether downgrades for all models of the iPhone 3GS, iPhone 4, and iPod touch (4th generation).

Purpose

With this method you can install a firmware for which you don't have SHSH saved for. This is handy in the case that you're a software developer and need to do some tests on a specific version or if you prefer older iOS versions.

Alternative

You have to patch a firmware file (IPSW) which is signed by Apple exactly when you want to perform the downgrade.

  1. Patch out the signature check in iBSS and iBEC and apply another patch to iBEC (some lines of code before the patch the string 'debug-enabled' is loaded into a register and some lines after the patch the string 'development-cert' is loaded. Look at a patched iBEC from an iFaith IPSW for details).
  2. Patch the boot-args in iBEC to 'rd=md0 amfi=0xff cs_enforcement_disable=1 pio-error=0' and do an iBEC patch that injects the boot-args.
  3. Patch asr to return 'Image passed signature verification' where it would usually return 'Image failed signature verification'.
  4. Update the page hashes of asr with ldid.
  5. Grow the ramdisk to original size + size of asr (better some bytes larger).
  6. Rename the original asr and add the patched asr.
  7. chmod asr to 100755
  8. Replace the root file system dmg with the decrypted root file system dmg of the older firmware you want to downgrade to.
  9. Enter pwned DFU Mode.
  10. Use an old iTunes version that allows downgrades on your iOS device and restore to your patched IPSW.
  11. To start up your device you will have to boot tethered (depending on iOS version redsn0w or opensn0w).
Retrieved from 'https://www.theiphonewiki.com/w/index.php?title=Tethered_Downgrade&oldid=57066'
3utools wikipedia free

Reverse engineering the commonly used 3utools software to make it more open and learn about it.

3utools Wikipedia App

Why

3utools is amazingly great software for managing iOS devices.
Not only does it show you a lot information about hardware integrity of your devices, it also helps you fix problems and jailbreak them.
3utools is not opensource but has an API for most of their functionality.
For the freedom of development I wanted to see if this API can be reused by developers as that would make the life of security researchers easier.

The Research

3utools has the ability to specify a proxy in the settings.
Since the traffic of 3utools is encrypted via TLS, I am using fiddler with its own CA certificate.
After launching fiddler I simply set the proxy server in the settings to be localhost with port 8888, which is what fiddler runs on.
Burpsuite is also possible the same way which is amazing for debugging API calls and reproducing / interacting with API calls.

First 0-day vulnerability reported

Without even using any research tools like burpsuite and fiddler I expected that most of the content loaded in 3utools is actually just a webpage with a lot of javascript, this due to the delays in rendering certain userinterface graphics because that could mean and turned out to be loaded over the network.

3utools was vulnerable to a low-risk cross site scripting vulnerability which I found by simply entering '<script>alert(1)</script>' in almost any of the input fields a user could access in the software.With that I also found the domain where their UI is located at.

Without further interruption or waiting, I immediately reported the vulnerability to 3utools and it got patched the same day.
However, I did not get any bounty. After all 3utools is free software anyway.

Amazing infrastructure

3utools seems to have amazing infrastructure.
They have a persitant file storage server where they store almost any iOS firmware related files, such as developer dmgs and jailbreaks.
This makes their service faster than Apple's and able to download files even when Apple's servers are down.
What is where and where is what is yet to be found out, but at least I discovered that when clicking the 'view screen' button you can see that the corresponding developer dmg image is downloaded for your device and mounted.
Probably because they use the 'screenshotr' xpc service to get the live screen.
For developers and researchers this means it is amazingly easy to quickly download the developer dmg from their servers as they are all named logically.

Aside the filestorage they also have a REST json API with one can retrieve information about firmware.
One can ask the API to only give jailbreakable or jailbreakable and signed firmware or just any firmware for specific devices and OS versions.
Great feature if you ask me, again for developers and researchers a good way to automate their work a few more.

3utools Wikipedia Full

NOTE FOR DEVELOPERS: You can see the full documentation being developed when clicking the 'wiki' here on GitHub.

3utools Wikipedia

TLDR:Reverse engineering 3utools pays off and the first vulnerability has been fixed.
Developers and researchers benefit from 3utools rest API and filestorage.