1 files changed, 77 insertions, 187 deletions
diff --git a/README b/README
index 65219c1..7b0cfe4 100644
--- a/README
+++ b/README
@@ -1,206 +1,96 @@
+About
+=====
+A socket daemon to multiplex connections from and to iOS devices.
 Background
 ==========
 'usbmuxd' stands for "USB multiplexing daemon". This daemon is in charge of
-multiplexing connections over USB to an iPhone or iPod touch. To users, it means
+multiplexing connections over USB to an iOS device. To users, it means
 you can sync your music, contacts, photos, etc. over USB. To developers, it
 means you can connect to any listening localhost socket on the device. usbmuxd
-is not used for tethering data transfer, which uses a dedicated USB interface as
+is not used for tethering data transfer which uses a dedicated USB interface as
-a virtual network device.
+a virtual network device. Multiple connections to different TCP ports can happen
+in parallel. The higher-level layers are handled by libimobiledevice.
-Multiple connections to different TCP ports can happen in parallel. An example
+When usbmuxd is running (normally started, or stopped as a result of 'udev'
-(and useful) tool called 'iproxy' is included that allows you to forward
+auto-insertion messages or by systemd) it provides a socket interface in
-localhost ports to the device---allows SSH over USB on jailbroken devices, or
+'/var/run/usbmuxd' that is designed to be compatible with the socket interface
-allowing access the lockdown daemon (and then to all of the file access, sync,
+that is provided on Mac OS X.
-notification and backup services running on the device).
-The higher-level layers are handled by libimobiledevice. 'ifuse' is then able
+You should also create a 'usbmux' user that has access to USB devices on your
-to sit on top of this and mount your device's AFC filesystem share.
+system. Alternatively, you can pass a different username using the -U argument.
-License
+Due to iOS 7 the daemon now also manages pairing records with iOSdevices and
-=======
+the host in '/var/lib/lockdown' (Linux) or '/var/db/lockdown' (Mac OS X).
+Ensure proper permissions are setup for the daemon to access the directory.
-The contents of this package are licensed under the GNU General Public License,
+Requirements
-versions 2 or 3 (see COPYING.GPLv2 and COPYING.GPLv3). If a more permissive
+============
-license is specified at the top of a source file, it takes precedence over this.
-Legal
+Development Packages of:
-=====
+        libimobiledevice
+        libplist
+        libusb
-Apple, iPhone, and iPod touch are trademarks of Apple Inc., registered in the
+Software:
-U.S. and other countries.
+        make
+        autoheader
+        automake
+        autoconf
+        libtool
+        pkg-config
+        gcc
+        udev (Linux only)
-Building
+Optional:
-========
+        systemd (Linux only)
-  ./autogen.sh
+Installation
-  make
+============
-  sudo make install
-You should also create a 'usbmux' user that has access to USB devices on your
+To compile run:
-system. Alternatively, you can pass a different username after the -U argument.
+        ./autogen.sh
+        make
+        sudo make install
+The daemon is automatically started by udev or systemd depending on what you
+have configured it on hotplug of an iOS device and exits if the last device
+was unplugged.
+For debugging purposes it is helpful to start usbmuxd using the foreground '-f'
+argument and enable verbose mode '-v' to get suitable logs.
-Running (with magic)
+Who/What/Where?
-====================
+===============
+Home:
+        http://www.libimobiledevice.org/
+Code:
+        git clone http://git.sukimashita.com/usbmuxd.git
+Code (Mirror):
+        git clone https://github.com/libimobiledevice/usbmuxd.git
+Tickets:
+        http://github.com/libimobiledevice/usbmuxd/issues
+Mailing List:
+        http://lists.libimobiledevice.org/mailman/listinfo/libimobiledevice-devel
+IRC:
+        irc://irc.freenode.net#libimobiledevice
+Credits
+=======
-  (Unplug + replug your jailbroken device)
+The first usbmuxd daemon implementation was authored by Hector Martin.
-  ./iproxy 2222 22 &
-  ssh -p 2222 root@localhost
-Hopefully you get the normal SSH login prompt. You may still lots of debugging
+Apple, iPhone, iPod, and iPod Touch are trademarks of Apple Inc.
-output for the moment. If this is getting in the way of your ssh login, then
+libimobiledevice is an independent software library and has not been
-run the 'ssh' command from a different xterminal or virtual console. Of course,
+authorized, sponsored, or otherwise approved by Apple Inc.
-you need to have OpenSSH installed on your jailbroken device for this to work.
-If you have iFuse, you can run "ifuse <mountpoint">. This doesn't require
+README Updated on:
-iproxy and works on all devices, jailbroken or not.
+        2014-10-02
-Running (without magic)
-=======================
-If 'udev' is _not_ automatically running on your machine and picking up the new
-.rules file, you will need to start usbmuxd by hand first. Check it's running
-and that there is only one copy with 'ps aux | grep
-usbmuxd'.
-  sudo usbmuxd -U usbmux -v -v &
-  ./iproxy 2222 22 &
-  ssh -p 2222 root@localhost
-Tip: Starting SSH if disabled
-=============================
-If your device is rooted, but SSH isn't started and you _cannot_ (for instance,
-cracked/broken screen) get to the Services control panel on the device, then you
-can start the SSH service over the USB by mounting the (jailbroken) filesystem.
-You will need to mount it using 'ifuse --afc2' (to access the root directory of
-the device), and then edit:
-  /Library/LaunchDaemons/com.openssh.sshd.plist
-to _remove_ the lines:
-  <key>Disabled</key>
-  <true/>
-Reboot the device and then sshd should be running.
-TODO
-====
-The server currently assumes that the device is well-behaved and does not do a
-bunch of checks like looking for the expected SEQ and ACK numbers from it. This
-is normally not an issue, but it's annoying for debugging because lost packets
-(which shouldn't happen, but can happen if the code is buggy) mean that stuff
-gets out of sync and then might crash and burn dozens of packets later.
-The server needs more testing, and some optimizing.
-Someone should probably do some edge-case testing on the TCP stuff.
-The outgoing ACK handling on the server probably needs some thought. Currently,
-when there's an outstanding ACK, we send it after a timeout (to avoid sending
-a no-payload ACK packet for everything the phone sends us). However, there's
-probably a better way of doing this.
-Architecture information
-========================
-The iPhone / iPod Touch basically implements a rather strange USB networking
-system that operates at a higher level. It is of course completely proprietary.
-Generally speaking, this is what goes on in a typical usage scenario:
-0. iTunes opens a connection to usbmuxd and asks it for device notifications
-1. User inserts phone into computer
-2. usbmuxd notices the phone and pings it with a version packet
-3. phone replies
-4. usbmuxd now considers the phone to be connected and tells iTunes
-5. iTunes opens another separate connection to usbmuxd and asks it to connect
-   to, say, the afc port on the device
-6. usbmuxd sends a pseudo-TCP SYN packet to the phone
-7. the phone's kernel driver receives the SYN packet and itself opens a
-   TCP connection to localhost on the afc port
-8. the phone replies with a pseudo-TCP SYN/ACK indicating that the port is open
-   and the connection can proceed
-7. usbmuxd sends a final ACK to the phone
-8. usbmuxd replies to iTunes with a "connection successful" message
-9. any data that iTunes writes to the usbmuxd socket from now on is forwarded,
-   through pseudo-TCP, through USB, back into a more regular TCP connection to
-   localhost, to the afc daemon on the phone, and vice versa
-The usbmuxd protocol is a relatively simple binary message protocol documented
-here:
-http://wikee.iphwn.org/usb:usbmux
-Note that once a connection is established the UNIX socket essentially becomes
-a dedicated pipe to the TCP connction and no more high-level control is
-possible (closing the socket closes the TCP connection). Ditto for the "listen
-for devices" mode - usbmuxd will reject any commands in such mode, and the
-socket essentially becomes a dedicated device notification pipe. This means
-that you need, at minimum, TWO connections to usbmuxd to do anything useful.
-On Windows, usbmuxd works the same way but a TCP connection to localhost port
-27015 replaces the UNIX socket. On OSX, the UNIX socket is /var/run/usbmuxd. The
-server and client implemented here default the same /var/run/usbmuxd socket.
-The phone protocol operates over a pair of USB bulk endpoints. There is an outer
-layer used for packet size info and a "protocol" (version and TCP are the only
-two options), and that header is followed by TCP headers for actual data comms.
-However, the protocol isn't actual TCP, just a custom protocol which for some
-reason uses a standard TCP header and leaves most fields unused.
-There is no reordering or retransmission. There are no checksums, no URG, no
-PSH, no non-ACK, no FIN. What there *is* is the SEQ/ACK/window mechanism used
-for flow control, and RST is used as the only connection teardown mechanism (and
-also for "connection refused"), and the connection startup is SYN/SYNACK/ACK.
-Windows are constant-scaled by 8 bits. This is legal TCP as long as the
-corresponding option is negotiated. Of course, no such negotiation happens on
-this protocol.
-Note that, since there are no retransmissions, there is some overlap between ACK
-and window for flow control. For example, the server doesn't ever touch its
-window size, and just refuses to ACK stuff if its buffers are full and the
-client isn't reading data. The phone happily seems to stop sending stuff.
-Also, if the phone RSTs you out of nowhere, look at the packet payload for a
-textual error message. Note: if it claims to suffer from amnesia, that probably
-means you overflowed its input buffer by ignoring its flow control / window
-size. Go figure. Probably a logic bug in the kernel code.
-Note that all normal packets need to have flags set to ACK (and only ACK). There
-is no support for, erm, not-acking. Keep the ack number field valid at all
-times.
-The usbmuxd CONNECT request port field is byte-swapped (network-endian). This is
-even more annoying for the plist based protocol, since it's even true there
-(where the field is plain text). So even for the plain text int, you need to
-swap the bytes (port 22 becomes <integer>5632</integer>). I have no clue if this
-is the case on the new plist protocol on PPC macs (is the newer iTunes available
-for those?)
-There are a bunch of gotchas due to the USB framing, and this is even worse
-because implementations tend to get it wrong (i.e. libusb, and this is the
-reason for the patch). Basically, USB Bulk offers, at the low level, the ability
-to transfer packets from 0 to wMaxPacketSize (512 here) bytes, period. There is
-no other support for higher level framing of transfers. The way you do those is
-by breaking them up into packets, and the final shorter packet marks the end of
-the transfer. The critical bit is that, if the transfer happens to be divisible
-by 512, you send a zero-length packet (ZLP) to indicate the end of the transfer.
-Libusb doesn't set this option by default and the iPhone gets packets stuck to
-each other, which it doesn't like. Actually, this framing is sort of redundant
-because the usbmux packet header includes a length field, but the phone still
-wants the ZLPs or else it breaks. To make matters worse, usbdevfs imposes a max
-transfer size of 16k, so libusb breaks transfers into that size. This is okay
-for sending as long as the ZLP is only added to the last transfer (the patch
-does that), but it can easily cause nasty race conditions on RX due to libusb
-doing multiple outstanding reads at the same time and then cancelling the rest
-when shorter data arrives (but what if some data got into the other requests
-already?), so we only do 16k reads and stick them together ourselves by looking
-at the packet size header. We still depend on ZLPs being sent to end transfers
-at non-16k boundaries that are multiples of 512, but that seems to work fine. I
-guess the ZLPs might cause spurious 0-byte transfers to show up on RX if things
-line up right, but we ignore those. By the way, the maximum packet/transfer size
-is 65535 bytes due to the 16-bit length header of the usbmux protocol.

diff --git a/README b/README index 65219c1..7b0cfe4 100644 --- a/README +++ b/README
@@ -1,206 +1,96 @@
		1	About
		2	=====
		3
		4	A socket daemon to multiplex connections from and to iOS devices.
		5
1	Background	6	Background
2	==========	7	==========
3		8
4	'usbmuxd' stands for "USB multiplexing daemon". This daemon is in charge of	9	'usbmuxd' stands for "USB multiplexing daemon". This daemon is in charge of
5	multiplexing connections over USB to an iPhone or iPod touch. To users, it means	10	multiplexing connections over USB to an iOS device. To users, it means
6	you can sync your music, contacts, photos, etc. over USB. To developers, it	11	you can sync your music, contacts, photos, etc. over USB. To developers, it
7	means you can connect to any listening localhost socket on the device. usbmuxd	12	means you can connect to any listening localhost socket on the device. usbmuxd
8	is not used for tethering data transfer, which uses a dedicated USB interface as	13	is not used for tethering data transfer which uses a dedicated USB interface as
9	a virtual network device.	14	a virtual network device. Multiple connections to different TCP ports can happen
		15	in parallel. The higher-level layers are handled by libimobiledevice.
10		16
11	Multiple connections to different TCP ports can happen in parallel. An example	17	When usbmuxd is running (normally started, or stopped as a result of 'udev'
12	(and useful) tool called 'iproxy' is included that allows you to forward	18	auto-insertion messages or by systemd) it provides a socket interface in
13	localhost ports to the device---allows SSH over USB on jailbroken devices, or	19	'/var/run/usbmuxd' that is designed to be compatible with the socket interface
14	allowing access the lockdown daemon (and then to all of the file access, sync,	20	that is provided on Mac OS X.
15	notification and backup services running on the device).
16		21
17	The higher-level layers are handled by libimobiledevice. 'ifuse' is then able	22	You should also create a 'usbmux' user that has access to USB devices on your
18	to sit on top of this and mount your device's AFC filesystem share.	23	system. Alternatively, you can pass a different username using the -U argument.
19		24
20	License	25	Due to iOS 7 the daemon now also manages pairing records with iOSdevices and
21	=======	26	the host in '/var/lib/lockdown' (Linux) or '/var/db/lockdown' (Mac OS X).
		27	Ensure proper permissions are setup for the daemon to access the directory.
22		28
23	The contents of this package are licensed under the GNU General Public License,	29	Requirements
24	versions 2 or 3 (see COPYING.GPLv2 and COPYING.GPLv3). If a more permissive	30	============
25	license is specified at the top of a source file, it takes precedence over this.
26		31
27	Legal	32	Development Packages of:
28	=====	33	libimobiledevice
		34	libplist
		35	libusb
29		36
30	Apple, iPhone, and iPod touch are trademarks of Apple Inc., registered in the	37	Software:
31	U.S. and other countries.	38	make
		39	autoheader
		40	automake
		41	autoconf
		42	libtool
		43	pkg-config
		44	gcc
		45	udev (Linux only)
32		46
33	Building	47	Optional:
34	========	48	systemd (Linux only)
35		49
36	./autogen.sh	50	Installation
37	make	51	============
38	sudo make install
39		52
40	You should also create a 'usbmux' user that has access to USB devices on your	53	To compile run:
41	system. Alternatively, you can pass a different username after the -U argument.	54	./autogen.sh
		55	make
		56	sudo make install
		57
		58	The daemon is automatically started by udev or systemd depending on what you
		59	have configured it on hotplug of an iOS device and exits if the last device
		60	was unplugged.
		61
		62	For debugging purposes it is helpful to start usbmuxd using the foreground '-f'
		63	argument and enable verbose mode '-v' to get suitable logs.
42		64
43	Running (with magic)	65	Who/What/Where?
44	====================	66	===============
		67
		68	Home:
		69	http://www.libimobiledevice.org/
		70
		71	Code:
		72	git clone http://git.sukimashita.com/usbmuxd.git
		73
		74	Code (Mirror):
		75	git clone https://github.com/libimobiledevice/usbmuxd.git
		76
		77	Tickets:
		78	http://github.com/libimobiledevice/usbmuxd/issues
		79
		80	Mailing List:
		81	http://lists.libimobiledevice.org/mailman/listinfo/libimobiledevice-devel
		82
		83	IRC:
		84	irc://irc.freenode.net#libimobiledevice
		85
		86	Credits
		87	=======
45		88
46	(Unplug + replug your jailbroken device)	89	The first usbmuxd daemon implementation was authored by Hector Martin.
47	./iproxy 2222 22 &
48	ssh -p 2222 root@localhost
49		90
50	Hopefully you get the normal SSH login prompt. You may still lots of debugging	91	Apple, iPhone, iPod, and iPod Touch are trademarks of Apple Inc.
51	output for the moment. If this is getting in the way of your ssh login, then	92	libimobiledevice is an independent software library and has not been
52	run the 'ssh' command from a different xterminal or virtual console. Of course,	93	authorized, sponsored, or otherwise approved by Apple Inc.
53	you need to have OpenSSH installed on your jailbroken device for this to work.
54		94
55	If you have iFuse, you can run "ifuse <mountpoint">. This doesn't require	95	README Updated on:
56	iproxy and works on all devices, jailbroken or not.	96	2014-10-02
57
58	Running (without magic)
59	=======================
60
61	If 'udev' is _not_ automatically running on your machine and picking up the new
62	.rules file, you will need to start usbmuxd by hand first. Check it's running
63	and that there is only one copy with 'ps aux \| grep
64	usbmuxd'.
65
66	sudo usbmuxd -U usbmux -v -v &
67	./iproxy 2222 22 &
68	ssh -p 2222 root@localhost
69
70	Tip: Starting SSH if disabled
71	=============================
72
73	If your device is rooted, but SSH isn't started and you _cannot_ (for instance,
74	cracked/broken screen) get to the Services control panel on the device, then you
75	can start the SSH service over the USB by mounting the (jailbroken) filesystem.
76
77	You will need to mount it using 'ifuse --afc2' (to access the root directory of
78	the device), and then edit:
79
80	/Library/LaunchDaemons/com.openssh.sshd.plist
81
82	to _remove_ the lines:
83
84	<key>Disabled</key>
85	<true/>
86
87	Reboot the device and then sshd should be running.
88
89	TODO
90	====
91
92	The server currently assumes that the device is well-behaved and does not do a
93	bunch of checks like looking for the expected SEQ and ACK numbers from it. This
94	is normally not an issue, but it's annoying for debugging because lost packets
95	(which shouldn't happen, but can happen if the code is buggy) mean that stuff
96	gets out of sync and then might crash and burn dozens of packets later.
97
98	The server needs more testing, and some optimizing.
99
100	Someone should probably do some edge-case testing on the TCP stuff.
101
102	The outgoing ACK handling on the server probably needs some thought. Currently,
103	when there's an outstanding ACK, we send it after a timeout (to avoid sending
104	a no-payload ACK packet for everything the phone sends us). However, there's
105	probably a better way of doing this.
106
107	Architecture information
108	========================
109
110	The iPhone / iPod Touch basically implements a rather strange USB networking
111	system that operates at a higher level. It is of course completely proprietary.
112	Generally speaking, this is what goes on in a typical usage scenario:
113
114	0. iTunes opens a connection to usbmuxd and asks it for device notifications
115	1. User inserts phone into computer
116	2. usbmuxd notices the phone and pings it with a version packet
117	3. phone replies
118	4. usbmuxd now considers the phone to be connected and tells iTunes
119	5. iTunes opens another separate connection to usbmuxd and asks it to connect
120	to, say, the afc port on the device
121	6. usbmuxd sends a pseudo-TCP SYN packet to the phone
122	7. the phone's kernel driver receives the SYN packet and itself opens a
123	TCP connection to localhost on the afc port
124	8. the phone replies with a pseudo-TCP SYN/ACK indicating that the port is open
125	and the connection can proceed
126	7. usbmuxd sends a final ACK to the phone
127	8. usbmuxd replies to iTunes with a "connection successful" message
128	9. any data that iTunes writes to the usbmuxd socket from now on is forwarded,
129	through pseudo-TCP, through USB, back into a more regular TCP connection to
130	localhost, to the afc daemon on the phone, and vice versa
131
132	The usbmuxd protocol is a relatively simple binary message protocol documented
133	here:
134
135	http://wikee.iphwn.org/usb:usbmux
136
137	Note that once a connection is established the UNIX socket essentially becomes
138	a dedicated pipe to the TCP connction and no more high-level control is
139	possible (closing the socket closes the TCP connection). Ditto for the "listen
140	for devices" mode - usbmuxd will reject any commands in such mode, and the
141	socket essentially becomes a dedicated device notification pipe. This means
142	that you need, at minimum, TWO connections to usbmuxd to do anything useful.
143
144	On Windows, usbmuxd works the same way but a TCP connection to localhost port
145	27015 replaces the UNIX socket. On OSX, the UNIX socket is /var/run/usbmuxd. The
146	server and client implemented here default the same /var/run/usbmuxd socket.
147
148	The phone protocol operates over a pair of USB bulk endpoints. There is an outer
149	layer used for packet size info and a "protocol" (version and TCP are the only
150	two options), and that header is followed by TCP headers for actual data comms.
151	However, the protocol isn't actual TCP, just a custom protocol which for some
152	reason uses a standard TCP header and leaves most fields unused.
153
154	There is no reordering or retransmission. There are no checksums, no URG, no
155	PSH, no non-ACK, no FIN. What there is is the SEQ/ACK/window mechanism used
156	for flow control, and RST is used as the only connection teardown mechanism (and
157	also for "connection refused"), and the connection startup is SYN/SYNACK/ACK.
158
159	Windows are constant-scaled by 8 bits. This is legal TCP as long as the
160	corresponding option is negotiated. Of course, no such negotiation happens on
161	this protocol.
162
163	Note that, since there are no retransmissions, there is some overlap between ACK
164	and window for flow control. For example, the server doesn't ever touch its
165	window size, and just refuses to ACK stuff if its buffers are full and the
166	client isn't reading data. The phone happily seems to stop sending stuff.
167
168	Also, if the phone RSTs you out of nowhere, look at the packet payload for a
169	textual error message. Note: if it claims to suffer from amnesia, that probably
170	means you overflowed its input buffer by ignoring its flow control / window
171	size. Go figure. Probably a logic bug in the kernel code.
172
173	Note that all normal packets need to have flags set to ACK (and only ACK). There
174	is no support for, erm, not-acking. Keep the ack number field valid at all
175	times.
176
177	The usbmuxd CONNECT request port field is byte-swapped (network-endian). This is
178	even more annoying for the plist based protocol, since it's even true there
179	(where the field is plain text). So even for the plain text int, you need to
180	swap the bytes (port 22 becomes <integer>5632</integer>). I have no clue if this
181	is the case on the new plist protocol on PPC macs (is the newer iTunes available
182	for those?)
183
184	There are a bunch of gotchas due to the USB framing, and this is even worse
185	because implementations tend to get it wrong (i.e. libusb, and this is the
186	reason for the patch). Basically, USB Bulk offers, at the low level, the ability
187	to transfer packets from 0 to wMaxPacketSize (512 here) bytes, period. There is
188	no other support for higher level framing of transfers. The way you do those is
189	by breaking them up into packets, and the final shorter packet marks the end of
190	the transfer. The critical bit is that, if the transfer happens to be divisible
191	by 512, you send a zero-length packet (ZLP) to indicate the end of the transfer.
192	Libusb doesn't set this option by default and the iPhone gets packets stuck to
193	each other, which it doesn't like. Actually, this framing is sort of redundant
194	because the usbmux packet header includes a length field, but the phone still
195	wants the ZLPs or else it breaks. To make matters worse, usbdevfs imposes a max
196	transfer size of 16k, so libusb breaks transfers into that size. This is okay
197	for sending as long as the ZLP is only added to the last transfer (the patch
198	does that), but it can easily cause nasty race conditions on RX due to libusb
199	doing multiple outstanding reads at the same time and then cancelling the rest
200	when shorter data arrives (but what if some data got into the other requests
201	already?), so we only do 16k reads and stick them together ourselves by looking
202	at the packet size header. We still depend on ZLPs being sent to end transfers
203	at non-16k boundaries that are multiples of 512, but that seems to work fine. I
204	guess the ZLPs might cause spurious 0-byte transfers to show up on RX if things
205	line up right, but we ignore those. By the way, the maximum packet/transfer size
206	is 65535 bytes due to the 16-bit length header of the usbmux protocol.