Usbmux

During normal operations, iTunes communicates with the iPhone using something called usbmux – this is a system for multiplexing several “connections” over one USB pipe. Conceptually, it provides a TCP-like system – processes on the host machine open up connections to specific, numbered ports on the mobile device. (This resemblance is more than superficial – on the mobile device, usbmuxd actually makes TCP connections to localhost using the port number you give it.)

On the Mac, this is handled by, a daemon that is started by launchd (see  ). It creates a listening UNIX Domain Socket at. usbmuxd then watches for iPhone connections via USB; when it detects an iPhone running in normal mode (as opposed to recovery mode), it will connect to it and then start relaying requests that it receives via /var/run/usbmuxd – this is to say, usbmuxd is the only thing that actually speaks USB to the iPhone. This means that third-party applications which wish to talk to the iPhone must either do so through usbmuxd, or usbmuxd must be replaced.

Layered Communications
Communications between the host (generally, iTunes running on a Mac or Windows machine) and the device (an iPhone, iPad or iPod touch) take place using a complicated scheme of nested layers. From lowest level to highest, they are:


 * USB protocol: multiplexes multiple data streams over one pair of bulk endpoints
 * usbmuxd protocol: provides a way of opening connections to TCP ports on the device
 * lockdownd protocol: tbd
 * iTunesHelper?
 * AFC?

Client to usbmuxd
When a process on the host machine wants to talk to the iPhone, it opens up a connection to /var/run/usbmuxd. It then performs an initial handshake; after this handshake, the data in the socket is transparently tunneled to the specified TCP port on the phone. An easy way to watch this happen is to use socat, like so:

Data structures
All data structures are little-endian.

Sequence of Events

 * 1) Client opens connection to /var/run/usbmuxd
 * 2) Client sends "Hello" packet:
 * 3) Client receives "Hello" response:
 * 4) Client receives device ID:
 * 5) Client sends TCP connect request:
 * 6) Client receives ACK:
   * Connection refused:
   * Connection established:

From this point on, data is piped directly between the unix socket on the host and the TCP port on the device.

lockdownd protocol
lockdownd uses port 62078. It uses a simple packet format - each packet is a 32-bit big-endian word indicating the size of the payload of the packet. Packets are in XML plist format, unless otherwise stated; the first two packets are shown in full, and the rest are abbreviated for the sake of readability.
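As an added example (not code from this page, nor Apple's or any project's own code), here is a small Python framer and parser for the lockdownd packet format just described: a 32-bit big-endian length word followed by an XML plist payload. The MAX_PAYLOAD bound and the placeholder HostID and certificate values are assumptions of the example.

```python
import plistlib
import struct

# Upper bound on a single payload this parser will accept. This is an
# assumption of the example, not a protocol value: the length word comes
# off the wire untrusted, so refuse absurd sizes instead of allocating for them.
MAX_PAYLOAD = 1 << 20


def encode_packet(message):
    """Frame one lockdownd packet: 32-bit big-endian length, then XML plist."""
    payload = plistlib.dumps(message, fmt=plistlib.FMT_XML)
    return struct.pack(">I", len(payload)) + payload


def decode_stream(buf):
    """Split a byte stream into complete lockdownd packets.

    Returns (messages, remainder): the parsed plist dicts and any trailing
    bytes that do not yet form a whole packet, so a caller reading from a
    socket can keep the remainder and call again once more data arrives.
    """
    messages = []
    pos = 0
    while len(buf) - pos >= 4:
        (length,) = struct.unpack_from(">I", buf, pos)
        if length > MAX_PAYLOAD:
            raise ValueError("lockdownd length %d exceeds limit" % length)
        if len(buf) - pos - 4 < length:
            break  # partial packet: wait for more bytes
        payload = buf[pos + 4:pos + 4 + length]
        messages.append(plistlib.loads(payload))
        pos += 4 + length
    return messages, buf[pos:]


# Constructed sample: a ValidatePair request with placeholder values for the
# fields the page elides (the real HostID is a UUID, the certificates are blobs).
VALIDATE_PAIR = {
    "Request": "ValidatePair",
    "HostID": "00000000-0000-0000-0000-000000000000",
    "HostCertificate": b"<host certificate placeholder>",
    "RootCertificate": b"<root certificate placeholder>",
}

if __name__ == "__main__":
    wire = encode_packet(VALIDATE_PAIR) + encode_packet({"Request": "ValidatePair"})
    msgs, rest = decode_stream(wire[:-5])  # deliberately truncate the last packet
    print(msgs, len(rest))
```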

Example: plug iPod touch into iTunes

Keys of the ValidatePair request plist (values lost in extraction): HostCertificate, HostID (D7......-....-....-....-........4EFE), RootCertificate, Request (ValidatePair).
 * 1) Request:     (length of request, now in big-endian!) ASCII payload:
 * 2) Response:     (length)
 * 3) Request:
 * 1) Response:
 * 2) Request:
 * 3) Response: