Add README, stuff, .gitignore

author: Hector Martin 2009-05-05 01:40:40 +0200
committer: Hector Martin 2009-05-05 01:40:40 +0200
commit: 102e8ff46e5491c8d1a5928b34f058c88e55d065 (patch)
tree: 4511da9f495dd6318d3a71765e087ec0c8c2a0ee /README
parent: dce2546afadd9185b7e65f1db6b127d6293b178c (diff)
download: usbmuxd-102e8ff46e5491c8d1a5928b34f058c88e55d065.tar.gz
usbmuxd-102e8ff46e5491c8d1a5928b34f058c88e55d065.tar.bz2
1 files changed, 150 insertions, 0 deletions
diff --git a/README b/README
new file mode 100644
index 0000000..60c2603
--- /dev/null
+++ b/README
@@ -0,0 +1,150 @@
+.This is an implementation of the iPhone/iPod Touch USB connection protocol.
+The server should be mostly compatible with the original Apple usbmuxd
+protocol. This means that a single client lib should be able to interoperate
+with both. Apple has now introduced a new plist-based version of the protocol
+which works in essentially the same way but uses XML-based plists as
+command/response payloads instead of binary blobs. The outer binary protocol is
+still the same used but now the only command/response format is 8 (plist).
+The server is under the usbmuxd directory. You'll need CMake and libusb 1.0 to
+build it. In addition, you need to apply the libusb patch in the patches/
+directory. If you want to debug using valgrind, apply the valgrind patch to
+improve the handling of the USB device filesystem ioctls.
+There is a Python client library in the python-client directory. It should be
+compatible with Windows, Linux, and OSX (using the Apple usbmuxd on Win and OSX)
+tcprelay.py implements a TCP connection forwarder that lets you pipe TCP
+connections to localhost to the phone. Run it with --help for usage. Note that
+under OSX you'll have to change the socket path from /tmp/usbmuxd to
+/var/run/usbmuxd (there is no socket path on Windows, only a TCP connection to
+localhost). The Python client lib is also compatible with the new plist-based
+protocol and should automatically select it if it sees such a server. However,
+you need Python 2.6 for Windows and Linux in this case, since the plistlib
+module doesn't come with older versions under these OSes (not that you'll have a
+server that supports this protocol under Linux. TODO: does Windows iTunes even
+use this yet?)
+ARCHITECTURE
+The iPhone / iPod Touch basically implements a rather strange USB networking
+system that operates at a higher level. It is of course completely proprietary.
+Generally speaking, this is what goes on in a typical usage scenario:
+0. iTunes opens a connection to usbmuxd and asks it for device notifications
+1. User inserts phone into computer
+2. usbmuxd notices the phone and pings it with a version packet
+3. phone replies
+4. usbmuxd now considers the phone to be connected and tells iTunes
+5. iTunes opens another separate connection to usbmuxd and asks it to connect
+to, say, the afc port on the device
+6. usbmuxd sends a pseudo-TCP SYN packet to the phone
+7. the phone's kernel driver receives the SYN packet and itself opens a
+   TCP connection to localhost on the afc port
+8. the phone replies with a pseudo-TCP SYN/ACK indicating that the port is open
+   and the connection can proceed
+7. usbmuxd sends a final ACK to the phone
+8. usbmuxd replies to iTunes with a "connection successful" message
+9. any data that iTunes writes to the usbmuxd socket from now on is forwarded,
+   through pseudo-TCP, through USB, back into a more regular TCP connection to
+   localhost, to the afc daemon on the phone, and vice versa
+The usbmuxd protocol is a relatively simple binary message protocol documented
+here:
+http://wikee.iphwn.org/usb:usbmux
+Note that once a connection is established the UNIX socket essentially becomes
+a dedicated pipe to the TCP connction and no more high-level control is
+possible (closing the socket closes the TCP connection). Ditto for the "listen
+for devices" mode - usbmuxd will reject any commands in such mode, and the
+socket essentially becomes a dedicated device notification pipe. This means
+that you need, at minimum, TWO connections to usbmuxd to do anything useful.
+On Windows, usbmuxd works the same way but a TCP connection to localhost port
+27015 replaces the UNIX socket. On OSX, the UNIX socket is /var/run/usbmuxd. The
+server and client implemented here default to /tmp/usbmuxd at the moment.
+The phone protocol operates over a pair of USB bulk endpoints. There is an outer
+layer used for packet size info and a "protocol" (version and TCP are the only
+two options), and that header is followed by TCP headers for actual data comms.
+However, the protocol isn't actual TCP, just a custom protocol which for some
+reason uses a standard TCP header and leaves most fields unused.
+There is no reordering or retransmission. There are no checksums, no URG, no
+PSH, no non-ACK, no FIN. What there *is* is the SEQ/ACK/window mechanism used
+for flow control, and RST is used as the only connection teardown mechanism (and
+also for "connection refused"), and the connection startup is SYN/SYNACK/ACK.
+Windows are constant-scaled by 8 bits. This is legal TCP as long as the
+corresponding option is negotiated. Of course, no such negotiation happens on
+this protocol.
+Note that, since there are no retransmissions, there is some overlap between ACK
+and window for flow control. For example, the server doesn't ever touch its
+window size, and just refuses to ACK stuff if its buffers are full and the
+client isn't reading data. The phone happily seems to stop sending stuff.
+Also, if the phone RSTs you out of nowhere, look at the packet payload for a
+textual error message. Note: if it claims to suffer from amnesia, that probably
+means you overflowed its input buffer by ignoring its flow control / window
+size. Go figure. Probably a logic bug in the kernel code.
+Note that all normal packets need to have flags set to ACK (and only ACK). There
+is no support for, erm, not-acking. Keep the ack number field valid at all
+times.
+GOTCHAS AND ANNOYANCES
+The usbmuxd CONNECT request port field is byte-swapped (network-endian). This is
+even more annoying for the plist based protocol, since it's even true there
+(where the field is plain text). So even for the plain text int, you need to
+swap the bytes (port 22 becomes <integer>5632</integer>).
+There are a bunch of gotchas due to the USB framing, and this is even worse
+because implementations tend to get it wrong (i.e. libusb, and this is the
+reason for the patch). Basically, USB Bulk offers, at the low level, the ability
+to transfer packets from 0 to wMaxPacketSize (512 here) bytes, period. There is
+no other support for higher level framing of transfers. The way you do those is
+by breaking them up into packets, and the final shorter packet parks the end of
+the transfer. The critical bit is that, if the transfer happens to be divisible
+by 512, you send a zero-length packet (ZLP) to indicate the end of the transfer.
+Libusb doesn't set this option by default and the iPhone gets packets stuck to
+each other, which it doesn't like. Actually, this framing is sort of redundant
+because the usbmux packet header includes a length field, but the phone still
+wants the ZLPs or else it breaks. To make matters worse, usbdevfs imposes a max
+transfer size of 16k, so libusb breaks transfers into that size. This is okay
+for sending as long as the ZLP is only added to the last transfer (the patch
+does that), but it can easily cause nasty race conditions on RX due to libusb
+doing multiple outstanding reads at the same time and then cancelling the rest
+when shorter data arrives (but what if some data got into the other requests
+already?), so we only do 16k reads and stick them together ourselves by looking
+at the packet size header. We still depend on ZLPs being sent to end transfers
+at non-16k boundaries that are multiples of 512, but that seems to work fine. I
+guess the ZLPs might cause spurious 0-byte transfers to show up on RX if things
+line up right, but we ignore those. By the way, the maximum packet/transfer size
+is 65535 bytes due to the 16-bit length header of the usbmux protocol.
+TODO
+The server currently assumes that the phone is well-behaved and does not do a
+bunch of checks like looking for the expected SEQ and ACK numbers from it. This
+is normally not an issue, but it's annoying for debugging because lost packets
+(which shouldn't happen, but can happen if the code is buggy) mean that stuff
+gets out of sync and then might crash and burn dozens of packets later.
+The server needs a proper front-end (i.e. daemonizing, commandline options,
+etc), a lot of testing, and some optimizing.
+Someone should probably do some edge-case testing on the TCP stuff.
+At some point we should probably write a C client lib.
+The outgoing ACK handling on the server probably needs some thought. Currently,
+when there's an outstanding ACK, we send it after a timeout (to avoid sending
+a no-payload ACK packet for everything the phone sends us). However, there's
+probably a better way of doing this.
author	Hector Martin	2009-05-05 01:40:40 +0200
committer	Hector Martin	2009-05-05 01:40:40 +0200
commit	102e8ff46e5491c8d1a5928b34f058c88e55d065 (patch)
tree	4511da9f495dd6318d3a71765e087ec0c8c2a0ee /README
parent	dce2546afadd9185b7e65f1db6b127d6293b178c (diff)
download	usbmuxd-102e8ff46e5491c8d1a5928b34f058c88e55d065.tar.gz usbmuxd-102e8ff46e5491c8d1a5928b34f058c88e55d065.tar.bz2

diff --git a/README b/README new file mode 100644 index 0000000..60c2603 --- /dev/null +++ b/README
@@ -0,0 +1,150 @@
	1	.This is an implementation of the iPhone/iPod Touch USB connection protocol.
	2
	3	The server should be mostly compatible with the original Apple usbmuxd
	4	protocol. This means that a single client lib should be able to interoperate
	5	with both. Apple has now introduced a new plist-based version of the protocol
	6	which works in essentially the same way but uses XML-based plists as
	7	command/response payloads instead of binary blobs. The outer binary protocol is
	8	still the same used but now the only command/response format is 8 (plist).
	9
	10	The server is under the usbmuxd directory. You'll need CMake and libusb 1.0 to
	11	build it. In addition, you need to apply the libusb patch in the patches/
	12	directory. If you want to debug using valgrind, apply the valgrind patch to
	13	improve the handling of the USB device filesystem ioctls.
	14
	15	There is a Python client library in the python-client directory. It should be
	16	compatible with Windows, Linux, and OSX (using the Apple usbmuxd on Win and OSX)
	17	tcprelay.py implements a TCP connection forwarder that lets you pipe TCP
	18	connections to localhost to the phone. Run it with --help for usage. Note that
	19	under OSX you'll have to change the socket path from /tmp/usbmuxd to
	20	/var/run/usbmuxd (there is no socket path on Windows, only a TCP connection to
	21	localhost). The Python client lib is also compatible with the new plist-based
	22	protocol and should automatically select it if it sees such a server. However,
	23	you need Python 2.6 for Windows and Linux in this case, since the plistlib
	24	module doesn't come with older versions under these OSes (not that you'll have a
	25	server that supports this protocol under Linux. TODO: does Windows iTunes even
	26	use this yet?)
	27
	28	ARCHITECTURE
	29
	30	The iPhone / iPod Touch basically implements a rather strange USB networking
	31	system that operates at a higher level. It is of course completely proprietary.
	32	Generally speaking, this is what goes on in a typical usage scenario:
	33
	34	0. iTunes opens a connection to usbmuxd and asks it for device notifications
	35	1. User inserts phone into computer
	36	2. usbmuxd notices the phone and pings it with a version packet
	37	3. phone replies
	38	4. usbmuxd now considers the phone to be connected and tells iTunes
	39	5. iTunes opens another separate connection to usbmuxd and asks it to connect
	40	to, say, the afc port on the device
	41	6. usbmuxd sends a pseudo-TCP SYN packet to the phone
	42	7. the phone's kernel driver receives the SYN packet and itself opens a
	43	TCP connection to localhost on the afc port
	44	8. the phone replies with a pseudo-TCP SYN/ACK indicating that the port is open
	45	and the connection can proceed
	46	7. usbmuxd sends a final ACK to the phone
	47	8. usbmuxd replies to iTunes with a "connection successful" message
	48	9. any data that iTunes writes to the usbmuxd socket from now on is forwarded,
	49	through pseudo-TCP, through USB, back into a more regular TCP connection to
	50	localhost, to the afc daemon on the phone, and vice versa
	51
	52	The usbmuxd protocol is a relatively simple binary message protocol documented
	53	here:
	54
	55	http://wikee.iphwn.org/usb:usbmux
	56
	57	Note that once a connection is established the UNIX socket essentially becomes
	58	a dedicated pipe to the TCP connction and no more high-level control is
	59	possible (closing the socket closes the TCP connection). Ditto for the "listen
	60	for devices" mode - usbmuxd will reject any commands in such mode, and the
	61	socket essentially becomes a dedicated device notification pipe. This means
	62	that you need, at minimum, TWO connections to usbmuxd to do anything useful.
	63
	64	On Windows, usbmuxd works the same way but a TCP connection to localhost port
	65	27015 replaces the UNIX socket. On OSX, the UNIX socket is /var/run/usbmuxd. The
	66	server and client implemented here default to /tmp/usbmuxd at the moment.
	67
	68	The phone protocol operates over a pair of USB bulk endpoints. There is an outer
	69	layer used for packet size info and a "protocol" (version and TCP are the only
	70	two options), and that header is followed by TCP headers for actual data comms.
	71	However, the protocol isn't actual TCP, just a custom protocol which for some
	72	reason uses a standard TCP header and leaves most fields unused.
	73
	74	There is no reordering or retransmission. There are no checksums, no URG, no
	75	PSH, no non-ACK, no FIN. What there is is the SEQ/ACK/window mechanism used
	76	for flow control, and RST is used as the only connection teardown mechanism (and
	77	also for "connection refused"), and the connection startup is SYN/SYNACK/ACK.
	78
	79	Windows are constant-scaled by 8 bits. This is legal TCP as long as the
	80	corresponding option is negotiated. Of course, no such negotiation happens on
	81	this protocol.
	82
	83	Note that, since there are no retransmissions, there is some overlap between ACK
	84	and window for flow control. For example, the server doesn't ever touch its
	85	window size, and just refuses to ACK stuff if its buffers are full and the
	86	client isn't reading data. The phone happily seems to stop sending stuff.
	87
	88	Also, if the phone RSTs you out of nowhere, look at the packet payload for a
	89	textual error message. Note: if it claims to suffer from amnesia, that probably
	90	means you overflowed its input buffer by ignoring its flow control / window
	91	size. Go figure. Probably a logic bug in the kernel code.
	92
	93	Note that all normal packets need to have flags set to ACK (and only ACK). There
	94	is no support for, erm, not-acking. Keep the ack number field valid at all
	95	times.
	96
	97
	98	GOTCHAS AND ANNOYANCES
	99
	100	The usbmuxd CONNECT request port field is byte-swapped (network-endian). This is
	101	even more annoying for the plist based protocol, since it's even true there
	102	(where the field is plain text). So even for the plain text int, you need to
	103	swap the bytes (port 22 becomes <integer>5632</integer>).
	104
	105	There are a bunch of gotchas due to the USB framing, and this is even worse
	106	because implementations tend to get it wrong (i.e. libusb, and this is the
	107	reason for the patch). Basically, USB Bulk offers, at the low level, the ability
	108	to transfer packets from 0 to wMaxPacketSize (512 here) bytes, period. There is
	109	no other support for higher level framing of transfers. The way you do those is
	110	by breaking them up into packets, and the final shorter packet parks the end of
	111	the transfer. The critical bit is that, if the transfer happens to be divisible
	112	by 512, you send a zero-length packet (ZLP) to indicate the end of the transfer.
	113	Libusb doesn't set this option by default and the iPhone gets packets stuck to
	114	each other, which it doesn't like. Actually, this framing is sort of redundant
	115	because the usbmux packet header includes a length field, but the phone still
	116	wants the ZLPs or else it breaks. To make matters worse, usbdevfs imposes a max
	117	transfer size of 16k, so libusb breaks transfers into that size. This is okay
	118	for sending as long as the ZLP is only added to the last transfer (the patch
	119	does that), but it can easily cause nasty race conditions on RX due to libusb
	120	doing multiple outstanding reads at the same time and then cancelling the rest
	121	when shorter data arrives (but what if some data got into the other requests
	122	already?), so we only do 16k reads and stick them together ourselves by looking
	123	at the packet size header. We still depend on ZLPs being sent to end transfers
	124	at non-16k boundaries that are multiples of 512, but that seems to work fine. I
	125	guess the ZLPs might cause spurious 0-byte transfers to show up on RX if things
	126	line up right, but we ignore those. By the way, the maximum packet/transfer size
	127	is 65535 bytes due to the 16-bit length header of the usbmux protocol.
	128
	129	TODO
	130
	131	The server currently assumes that the phone is well-behaved and does not do a
	132	bunch of checks like looking for the expected SEQ and ACK numbers from it. This
	133	is normally not an issue, but it's annoying for debugging because lost packets
	134	(which shouldn't happen, but can happen if the code is buggy) mean that stuff
	135	gets out of sync and then might crash and burn dozens of packets later.
	136
	137	The server needs a proper front-end (i.e. daemonizing, commandline options,
	138	etc), a lot of testing, and some optimizing.
	139
	140	Someone should probably do some edge-case testing on the TCP stuff.
	141
	142	At some point we should probably write a C client lib.
	143
	144	The outgoing ACK handling on the server probably needs some thought. Currently,
	145	when there's an outstanding ACK, we send it after a timeout (to avoid sending
	146	a no-payload ACK packet for everything the phone sends us). However, there's
	147	probably a better way of doing this.
	148
	149
	150