diff options
Diffstat (limited to 'iphone.c')
-rw-r--r-- | iphone.c | 1089 |
1 files changed, 1089 insertions, 0 deletions
diff --git a/iphone.c b/iphone.c new file mode 100644 index 0000000..9035be9 --- /dev/null +++ b/iphone.c @@ -0,0 +1,1089 @@ +/* + * Copyright (c) 2008 Jing Su. All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ +#include <stdint.h> +#include <stdarg.h> +#include <stdlib.h> +#include <string.h> +#include <usb.h> +#include <stdio.h> +#include <arpa/inet.h> +#include <errno.h> +#include <pthread.h> +#include "iphone.h" + +#define BULKIN 0x85 +#define BULKOUT 0x04 +#define HEADERLEN 28 + +typedef uint16_t uint16; +typedef uint32_t uint32; +typedef uint8_t uint8; + +static const uint8 TCP_FIN = 1; +static const uint8 TCP_SYN = 1 << 1; +static const uint8 TCP_RST = 1 << 2; +static const uint8 TCP_PSH = 1 << 3; +static const uint8 TCP_ACK = 1 << 4; +static const uint8 TCP_URG = 1 << 5; + +// I have trouble figuring out how to properly manage the windowing to +// the iPhone. It keeps sending back 512 and seems to drop off a cliff +// when the phone gets overwhelmed. In addition, the phone likes to +// panic and send out RESETS before the window hits zero. Also, waiting +// for responses seems to not be a winning strategy. +// +// Since I'm not sure how in the hell to interpret the window sizes that +// the phone is sending back to us, I've figured out some magic number +// constants which seem to work okay. +static const uint32 WINDOW_MAX = 5 * 1024; +static const uint32 WINDOW_INCREMENT = 512; + + +struct iphone_device_int { + char *buffer; + struct usb_dev_handle *device; + struct usb_device *__device; +}; + +typedef struct { + uint32 type, length, major, minor, allnull; +} usbmux_version_header; + +typedef struct { + uint32 type, length; + uint16 sport, dport; + uint32 scnt, ocnt; + uint8 offset, tcp_flags; + uint16 window, nullnull, length16; +} usbmux_tcp_header; + +struct iphone_umux_client_int { + usbmux_tcp_header *header; + iphone_device_t phone; + + char *recv_buffer; + int r_len; + pthread_cond_t wait; + + // this contains a conditional variable which usb-writers can wait + // on while waiting for window updates from the phone. + pthread_cond_t wr_wait; + // I'm going to do something really cheesy here. We are going to + // just record the most recent scnt that we are expecting to hear + // back on. We will actually halt progress by limiting the number + // of outstanding un-acked bulk sends that we have beamed out. + uint32 wr_pending_scnt; + long wr_window; + + pthread_mutex_t mutex; + + // this variable is not protected by the mutex. This will always + // be E_SUCCESS, unless an error of some kind breaks this stream. + // this will then be set to the error that caused the broken stream. + // no further operations other than free_client will be allowed. + iphone_error_t error; +}; + + +typedef struct { + char* buffer; + int leftover; + int capacity; +} receivebuf_t; + + +static pthread_mutex_t iphonemutex = PTHREAD_MUTEX_INITIALIZER; +static iphone_umux_client_t *connlist = NULL; +static int clients = 0; +static receivebuf_t usbReceive = {NULL, 0, 0}; + + +/** + */ +int toto_debug = 0; +void log_debug_msg(const char *format, ...) +{ +#ifndef STRIP_DEBUG_CODE + + va_list args; + /* run the real fprintf */ + va_start(args, format); + + if (toto_debug) + fprintf(stderr, format, args); + + va_end(args); + +#endif +} + + +/** Creates a USBMux header containing version information + * + * @return A USBMux header + */ +usbmux_version_header *version_header() +{ + usbmux_version_header *version = (usbmux_version_header *) malloc(sizeof(usbmux_version_header)); + version->type = 0; + version->length = htonl(20); + version->major = htonl(1); + version->minor = 0; + version->allnull = 0; + return version; +} + +/** + * This function sets the configuration of the given device to 3 + * and claims the interface 1. If usb_set_configuration fails, it detaches + * the kernel driver that blocks the device, and retries configuration. + * + * @param phone which device to configure + */ +static iphone_error_t iphone_config_usb_device(iphone_device_t phone) +{ + int ret; + int bytes; + char buf[512]; + + log_debug_msg("setting configuration...\n"); + ret = usb_set_configuration(phone->device, 3); + if (ret != 0) { + log_debug_msg("Hm, usb_set_configuration returned %d: %s\n", ret, strerror(-ret)); +#if LIBUSB_HAS_GET_DRIVER_NP + log_debug_msg("trying to fix:\n"); + log_debug_msg("-> detaching kernel driver... "); + ret = usb_detach_kernel_driver_np(phone->device, phone->__device->config->interface->altsetting->bInterfaceNumber); + if (ret != 0) { + log_debug_msg("usb_detach_kernel_driver_np returned %d: %s\n", ret, strerror(-ret)); + } else { + log_debug_msg("done.\n"); + log_debug_msg("setting configuration again... "); + ret = usb_set_configuration(phone->device, 3); + if (ret != 0) { + log_debug_msg("Error: usb_set_configuration returned %d: %s\n", ret, strerror(-ret)); + log_debug_msg("--> trying to continue anyway...\n"); + } else { + log_debug_msg("done.\n"); + } + } +#else + log_debug_msg("--> trying to continue anyway...\n"); +#endif + } else { + log_debug_msg("done.\n"); + } + + log_debug_msg("claiming interface... "); + ret = usb_claim_interface(phone->device, 1); + if (ret != 0) { + log_debug_msg("Error: usb_claim_interface returned %d: %s\n", ret, strerror(-ret)); + return IPHONE_E_NO_DEVICE; + } else { + log_debug_msg("done.\n"); + } + + do { + bytes = usb_bulk_read(phone->device, BULKIN, buf, 512, 800); + } while (bytes > 0); + + return IPHONE_E_SUCCESS; +} + +/** + * Given a USB bus and device number, returns a device handle to the iPhone on + * that bus. To aid compatibility with future devices, this function does not + * check the vendor and device IDs! To do that, you should use + * iphone_get_device() or a system-specific API (e.g. HAL). + * + * @param bus_n The USB bus number. + * @param dev_n The USB device number. + * @param device A pointer to a iphone_device_t, which must be set to NULL upon + * calling iphone_get_specific_device, which will be filled with a device + * descriptor on return. + * @return IPHONE_E_SUCCESS if ok, otherwise an error code. + */ +iphone_error_t iphone_get_specific_device(int bus_n, int dev_n, iphone_device_t * device) +{ + struct usb_bus *bus, *busses; + struct usb_device *dev; + usbmux_version_header *version; + int bytes = 0; + + //check we can actually write in device + if (!device || (device && *device)) + return IPHONE_E_INVALID_ARG; + + iphone_device_t phone = (iphone_device_t) malloc(sizeof(struct iphone_device_int)); + + // Initialize the struct + phone->device = NULL; + phone->__device = NULL; + phone->buffer = NULL; + + // Initialize libusb + usb_init(); + usb_find_busses(); + usb_find_devices(); + busses = usb_get_busses(); + + // Set the device configuration + for (bus = busses; bus; bus = bus->next) + if (bus->location == bus_n) + for (dev = bus->devices; dev != NULL; dev = dev->next) + if (dev->devnum == dev_n) { + phone->__device = dev; + phone->device = usb_open(phone->__device); + iphone_config_usb_device(phone); + goto found; + } + + iphone_free_device(phone); + + log_debug_msg("iphone_get_specific_device: iPhone not found\n"); + return IPHONE_E_NO_DEVICE; + + found: + // Send the version command to the phone + version = version_header(); + bytes = usb_bulk_write(phone->device, BULKOUT, (char *) version, sizeof(*version), 800); + if (bytes < 20) { + log_debug_msg("get_iPhone(): libusb did NOT send enough!\n"); + if (bytes < 0) { + log_debug_msg("get_iPhone(): libusb gave me the error %d: %s (%s)\n", + bytes, usb_strerror(), strerror(-bytes)); + } + } + // Read the phone's response + bytes = usb_bulk_read(phone->device, BULKIN, (char *) version, sizeof(*version), 800); + + // Check for bad response + if (bytes < 20) { + free(version); + iphone_free_device(phone); + log_debug_msg("get_iPhone(): Invalid version message -- header too short.\n"); + if (bytes < 0) + log_debug_msg("get_iPhone(): libusb error message %d: %s (%s)\n", bytes, usb_strerror(), strerror(-bytes)); + return IPHONE_E_NOT_ENOUGH_DATA; + } + // Check for correct version + if (ntohl(version->major) == 1 && ntohl(version->minor) == 0) { + // We're all ready to roll. + fprintf(stderr, "get_iPhone() success\n"); + free(version); + *device = phone; + return IPHONE_E_SUCCESS; + } else { + // Bad header + iphone_free_device(phone); + free(version); + log_debug_msg("get_iPhone(): Received a bad header/invalid version number."); + return IPHONE_E_BAD_HEADER; + } + + // If it got to this point it's gotta be bad + log_debug_msg("get_iPhone(): Unknown error.\n"); + iphone_free_device(phone); + free(version); + return IPHONE_E_UNKNOWN_ERROR; // if it got to this point it's gotta be bad +} + + +/** + * Scans all USB busses and devices for a known AFC-compatible device and + * returns a handle to the first such device it finds. Known devices include + * those with vendor ID 0x05ac and product ID between 0x1290 and 0x1293 + * inclusive. + * + * This function is convenient, but on systems where higher-level abstractions + * (such as HAL) are available it may be preferable to use + * iphone_get_specific_device instead, because it can deal with multiple + * connected devices as well as devices not known to libiphone. + * + * @param device Upon calling this function, a pointer to a location of type + * iphone_device_t, which must have the value NULL. On return, this location + * will be filled with a handle to the device. + * @return IPHONE_E_SUCCESS if ok, otherwise an error code. + */ +iphone_error_t iphone_get_device(iphone_device_t * device) +{ + struct usb_bus *bus; + struct usb_device *dev; + + pthread_mutex_init(&iphonemutex, NULL); + + usb_init(); + usb_find_busses(); + usb_find_devices(); + + for (bus = usb_get_busses(); bus != NULL; bus = bus->next) + for (dev = bus->devices; dev != NULL; dev = dev->next) + if (dev->descriptor.idVendor == 0x05ac + && dev->descriptor.idProduct >= 0x1290 && dev->descriptor.idProduct <= 0x1293) + return iphone_get_specific_device(bus->location, dev->devnum, device); + + return IPHONE_E_NO_DEVICE; +} + +/** Cleans up an iPhone structure, then frees the structure itself. + * This is a library-level function; deals directly with the iPhone to tear + * down relations, but otherwise is mostly internal. + * + * @param phone A pointer to an iPhone structure. + */ +iphone_error_t iphone_free_device(iphone_device_t device) +{ + char buf[512]; + int bytes; + + if (!device) + return IPHONE_E_INVALID_ARG; + iphone_error_t ret = IPHONE_E_UNKNOWN_ERROR; + + do { + bytes = usb_bulk_read(device->device, BULKIN, buf, 512, 800); + } while (bytes > 0); + + if (device->buffer) { + free(device->buffer); + } + if (device->device) { + usb_release_interface(device->device, 1); + usb_close(device->device); + ret = IPHONE_E_SUCCESS; + } + free(device); + + pthread_mutex_destroy(&iphonemutex); + + return ret; +} + + + +/** Sends data to the phone + * This is a low-level (i.e. directly to phone) function. + * + * @param phone The iPhone to send data to + * @param data The data to send to the iPhone + * @param datalen The length of the data + * @return The number of bytes sent, or -ERRNO on error + */ +int send_to_phone(iphone_device_t phone, char *data, int datalen) +{ + if (!phone) + return -1; + + int timeout = 1000; + int retrycount = 0; + int bytes = 0; + do { + if (retrycount > 3) { + fprintf(stderr, "EPIC FAIL! aborting on retry count overload.\n"); + return -1; + } + + bytes = usb_bulk_write(phone->device, BULKOUT, data, datalen, timeout); + if (bytes == -ETIMEDOUT) { + // timed out waiting for write. + fprintf(stderr, "usb_bulk_write timeout error.\n"); + return bytes; + } + else if (bytes < 0) { + fprintf(stderr, "usb_bulk_write failed with error. err:%d (%s)(%s)\n", + bytes, usb_strerror(), strerror(-bytes)); + return -1; + } + else if (bytes == 0) { + fprintf(stderr, "usb_bulk_write sent nothing. retrying.\n"); + timeout = timeout * 4; + retrycount++; + continue; + } + else if (bytes < datalen) { + fprintf(stderr, "usb_bulk_write failed to send full dataload. %d of %d\n", bytes, datalen); + timeout = timeout * 4; + retrycount++; + data += bytes; + datalen -= bytes; + continue; + } + } + while(0); // fall out + + return bytes; +} + +/** + */ +int recv_from_phone_timeout(iphone_device_t phone, char *data, int datalen, int timeoutmillis) +{ + if (!phone) + return -1; + int bytes = 0; + + if (!phone) + return -1; + log_debug_msg("recv_from_phone(): attempting to receive %i bytes\n", datalen); + + bytes = usb_bulk_read(phone->device, BULKIN, data, datalen, timeoutmillis); + if (bytes < 0) { + // there are some things which are errors, others which are no problem. + // it's not documented in libUSB, but it seems that the error returns are + // just negated ERRNO values. + if (bytes == -ETIMEDOUT) { + // ignore this. it just means timeout reached before we + // picked up any data. no problem. + } + else { + fprintf(stderr, "recv_from_phone(): libusb gave me the error %d: %s (%s)\n", bytes, usb_strerror(), + strerror(-bytes)); + log_debug_msg("recv_from_phone(): libusb gave me the error %d: %s (%s)\n", bytes, usb_strerror(), + strerror(-bytes)); + } + return -1; + } + + return bytes; +} + +/** This function is a low-level (i.e. direct to iPhone) function. + * + * @param phone The iPhone to receive data from + * @param data Where to put data read + * @param datalen How much data to read in + * + * @return How many bytes were read in, or -1 on error. + */ +int recv_from_phone(iphone_device_t phone, char *data, int datalen) { + return recv_from_phone_timeout(phone, data, datalen, 100); +} + + +/** Creates a USBMux packet for the given set of ports. + * + * @param s_port The source port for the connection. + * @param d_port The destination port for the connection. + * + * @return A USBMux packet + */ +usbmux_tcp_header *new_mux_packet(uint16 s_port, uint16 d_port) +{ + usbmux_tcp_header *conn = (usbmux_tcp_header *) malloc(sizeof(usbmux_tcp_header)); + conn->type = htonl(6); + conn->length = HEADERLEN; + conn->sport = htons(s_port); + conn->dport = htons(d_port); + conn->scnt = 0; + conn->ocnt = 0; + conn->offset = 0x50; + conn->window = htons(0x0200); + conn->nullnull = 0x0000; + conn->length16 = HEADERLEN; + return conn; +} + + +/** Removes a connection from the list of connections made. + * The list of connections is necessary for buffering. + * + * @param connection The connection to delete from the tracking list. + */ +static void delete_connection(iphone_umux_client_t connection) +{ + pthread_mutex_lock(&iphonemutex); + + // update the global list of connections + iphone_umux_client_t *newlist = (iphone_umux_client_t *) malloc(sizeof(iphone_umux_client_t) * (clients - 1)); + int i = 0, j = 0; + for (i = 0; i < clients; i++) { + if (connlist[i] == connection) + continue; + else { + newlist[j] = connlist[i]; + j++; + } + } + free(connlist); + connlist = newlist; + clients--; + + // free up this connection + pthread_mutex_lock(&connection->mutex); + if (connection->recv_buffer) + free(connection->recv_buffer); + if (connection->header) + free(connection->header); + connection->r_len = 0; + pthread_mutex_unlock(&connection->mutex); + pthread_mutex_destroy(&connection->mutex); + free(connection); + + pthread_mutex_unlock(&iphonemutex); +} + +/** Adds a connection to the list of connections made. + * The connection list is necessary for buffering. + * + * @param connection The connection to add to the global list of connections. + */ + +static void add_connection(iphone_umux_client_t connection) +{ + pthread_mutex_lock(&iphonemutex); + iphone_umux_client_t *newlist = + (iphone_umux_client_t *) realloc(connlist, sizeof(iphone_umux_client_t) * (clients + 1)); + newlist[clients] = connection; + connlist = newlist; + clients++; + pthread_mutex_unlock(&iphonemutex); +} + +/** + * Get a source port number that is not used by one of our connections + * This is needed for us to make sure we are not sending on another + * connection. + */ +static uint16_t get_free_port() +{ + int i; + uint16_t newport = 30000; + int cnt = 0; + + pthread_mutex_lock(&iphonemutex); + while (1) { + cnt = 0; + for (i = 0; i < clients; i++) { + if (ntohs(connlist[i]->header->sport) == newport) { + cnt++; + } + } + if (cnt == 0) { + // newport is not used in our list of connections! + break; + } else { + newport++; + if (newport < 30000) { + // if all ports from 30000 to 65535 are in use, + // the value wraps (16-bit overflow) + // return 0, no port is available. + // This should not happen, but just in case ;) + newport = 0; + break; + } + } + } + pthread_mutex_unlock(&iphonemutex); + + return newport; +} + +/** Initializes a connection on phone, with source port s_port and destination port d_port + * + * @param device The iPhone to initialize a connection on. + * @param src_port The source port + * @param dst_port The destination port -- 0xf27e for lockdownd. + * @param client A mux TCP header for the connection which is used for tracking and data transfer. + * @return IPHONE_E_SUCCESS on success, an error code otherwise. + */ +iphone_error_t iphone_mux_new_client(iphone_device_t device, uint16_t src_port, uint16_t dst_port, + iphone_umux_client_t * client) +{ + if (!device || !dst_port) + return IPHONE_E_INVALID_ARG; + + src_port = get_free_port(); + + if (!src_port) { + // this is a special case, if we get 0, this is not good, so + return -EISCONN; // TODO: error code suitable? + } + + // Initialize connection stuff + iphone_umux_client_t new_connection = (iphone_umux_client_t) malloc(sizeof(struct iphone_umux_client_int)); + new_connection->header = new_mux_packet(src_port, dst_port); + + // send TCP syn + if (new_connection && new_connection->header) { + new_connection->header->tcp_flags = TCP_SYN; + new_connection->header->length = htonl(new_connection->header->length); + new_connection->header->length16 = htons(new_connection->header->length16); + new_connection->header->scnt = 0; + new_connection->header->ocnt = 0; + new_connection->phone = device; + new_connection->recv_buffer = NULL; + new_connection->r_len = 0; + pthread_cond_init(&new_connection->wait, NULL); + pthread_mutex_init(&new_connection->mutex, NULL); + pthread_cond_init(&new_connection->wr_wait, NULL); + new_connection->wr_pending_scnt = 0; + new_connection->wr_window = 0; + add_connection(new_connection); + new_connection->error = IPHONE_E_SUCCESS; + if (send_to_phone(device, (char *) new_connection->header, sizeof(usbmux_tcp_header)) >= 0) { + *client = new_connection; + return IPHONE_E_SUCCESS; + } else { + delete_connection(new_connection); + return IPHONE_E_NOT_ENOUGH_DATA; + } + } + // if we get to this point it's probably bad + return IPHONE_E_UNKNOWN_ERROR; +} + +/** Cleans up the given USBMux connection. + * @note Once a connection is closed it may not be used again. + * + * @param connection The connection to close. + * + * @return IPHONE_E_SUCCESS on success. + */ +iphone_error_t iphone_mux_free_client(iphone_umux_client_t client) +{ + if (!client || !client->phone) + return IPHONE_E_INVALID_ARG; + + pthread_mutex_lock(&client->mutex); + client->header->tcp_flags = TCP_FIN; + client->header->length = htonl(0x1C); + client->header->scnt = htonl(client->header->scnt); + client->header->ocnt = htonl(client->header->ocnt); + client->header->window = 0; + client->header->length16 = htons(0x1C); + int bytes = 0; + + bytes = usb_bulk_write(client->phone->device, BULKOUT, (char *) client->header, sizeof(usbmux_tcp_header), 800); + if (bytes < 0) + log_debug_msg("iphone_mux_free_client(): when writing, libusb gave me the error: %s\n", usb_strerror()); + + bytes = usb_bulk_read(client->phone->device, BULKIN, (char *) client->header, sizeof(usbmux_tcp_header), 800); + if (bytes < 0) + log_debug_msg("get_iPhone(): when reading, libusb gave me the error: %s\n", usb_strerror()); + + pthread_mutex_unlock(&client->mutex); + // make sure we don't have any last-minute laggards waiting on this. + // I put it after the mutex unlock because we have cases where the + // conditional wait is dependent on re-grabbing that mutex. + pthread_cond_broadcast(&client->wait); + pthread_cond_destroy(&client->wait); + pthread_cond_broadcast(&client->wr_wait); + pthread_cond_destroy(&client->wr_wait); + + delete_connection(client); + + return IPHONE_E_SUCCESS; +} + + +/** Sends the given data over the selected connection. + * + * @param phone The iPhone to send to. + * @param client The client we're sending data on. + * @param data A pointer to the data to send. + * @param datalen How much data we're sending. + * @param sent_bytes The number of bytes sent, minus the header (28) + * + * @return IPHONE_E_SUCCESS on success. + */ +iphone_error_t iphone_mux_send(iphone_umux_client_t client, const char *data, uint32_t datalen, uint32_t * sent_bytes) +{ + if (!client->phone || !client || !sent_bytes) + return IPHONE_E_INVALID_ARG; + + if (client->error != IPHONE_E_SUCCESS) { + return client->error; + } + + *sent_bytes = 0; + pthread_mutex_lock(&client->mutex); + + int sendresult = 0; + uint32 blocksize = 0; + if (client->wr_window <= 0) { + struct timespec ts; + clock_gettime(CLOCK_REALTIME, &ts); + //ts.tv_sec += 1; + ts.tv_nsec += 750 * 1000; + if (pthread_cond_timedwait(&client->wait, &client->mutex, &ts) == ETIMEDOUT) { + // timd out. optimistically grow the window and try to make progress + client->wr_window += WINDOW_INCREMENT; + } + } + + blocksize = sizeof(usbmux_tcp_header) + datalen; + + // client->scnt and client->ocnt should already be in host notation... + // we don't need to change them juuuust yet. + char *buffer = (char *) malloc(blocksize + 2); // allow 2 bytes of safety padding + // Set the length and pre-emptively htonl/htons it + client->header->length = htonl(blocksize); + client->header->length16 = htons(blocksize); + + // Put scnt and ocnt into big-endian notation + client->header->scnt = htonl(client->header->scnt); + client->header->ocnt = htonl(client->header->ocnt); + // Concatenation of stuff in the buffer. + memcpy(buffer, client->header, sizeof(usbmux_tcp_header)); + memcpy(buffer + sizeof(usbmux_tcp_header), data, datalen); + + sendresult = send_to_phone(client->phone, buffer, blocksize); + // Now that we've sent it off, we can clean up after our sloppy selves. + if (buffer) + free(buffer); + + // update counts ONLY if the send succeeded. + if (sendresult == blocksize) { + // Re-calculate scnt and ocnt + client->header->scnt = ntohl(client->header->scnt) + datalen; + client->header->ocnt = ntohl(client->header->ocnt); + // Revert lengths + client->header->length = ntohl(client->header->length); + client->header->length16 = ntohs(client->header->length16); + + client->wr_window -= blocksize; + } + + + pthread_mutex_unlock(&client->mutex); + + + if (sendresult == -ETIMEDOUT || sendresult == 0) { + // no problem for now... + *sent_bytes = 0; + return IPHONE_E_TIMEOUT; + } + else if (sendresult < 0) { + return IPHONE_E_UNKNOWN_ERROR; + } + else if (sendresult == blocksize) { + // actual number of data bytes sent. + *sent_bytes = sendresult - HEADERLEN; + return IPHONE_E_SUCCESS; + } + else { + fprintf(stderr, "usbsend managed to dump a packet that is not full size. %d of %d\n", + sendresult, blocksize); + return IPHONE_E_UNKNOWN_ERROR; + } +} + +/** append the packet's DATA to the receive buffer for the client. + * + * this has a few other corner-case functions: + * 1. this will properly handle the handshake syn+ack. + * 2. for all receives, this will appropriately update the ocnt. + * + * @return number of bytes consumed (header + data) + */ +uint32 append_receive_buffer(iphone_umux_client_t client, char* packet) +{ + if (client == NULL || packet == NULL) return 0; + + usbmux_tcp_header *header = (usbmux_tcp_header *) packet; + char* data = &packet[HEADERLEN]; + uint32 packetlen = ntohl(header->length); + uint32 datalen = packetlen-HEADERLEN; + + int dobroadcast = 0; + + pthread_mutex_lock(&client->mutex); + + // we need to handle a few corner case tasks and book-keeping which + // falls on our responsibility because we are the ones reading in + // feedback. + if (client->header->scnt == 0 && client->header->ocnt == 0 ) { + fprintf(stdout, "client is still waiting for handshake.\n"); + if (header->tcp_flags == (TCP_SYN | TCP_ACK)) { + fprintf(stdout, "yes, got syn+ack ; replying with ack.\n"); + client->header->tcp_flags = TCP_ACK; + client->header->length = htonl(sizeof(usbmux_tcp_header)); + client->header->length16 = htons(sizeof(usbmux_tcp_header)); + client->header->scnt = htonl(client->header->scnt + 1); + client->header->ocnt = header->ocnt; + // push it to USB + // TODO: need to check for error in the send here.... :( + if (send_to_phone(client->phone, (char *)client->header, sizeof(usbmux_tcp_header)) <= 0) { + fprintf(stdout, "%s: error when pushing to usb...\n", __func__); + } + // need to revert some of the fields back to host notation. + client->header->scnt = ntohl(client->header->scnt); + client->header->ocnt = ntohl(client->header->ocnt); + client->header->length = ntohl(client->header->length); + client->header->length16 = ntohs(client->header->length16); + } + else { + client->error = IPHONE_E_ECONNABORTED; + // woah... this connection failed us. + // TODO: somehow signal that this stream is a no-go. + fprintf(stderr, "WOAH! client failed to get proper syn+ack.\n"); + } + } + + // update TCP counters and windows. + // + // save the window that we're getting from the USB device. + // apparently the window is bigger than just the 512 that's typically + // advertised. iTunes apparently shifts this value by 8 to get a much + // larger number. + if (header->tcp_flags & TCP_RST) { + client->error = IPHONE_E_ECONNRESET; + fprintf(stderr, "peer sent connection reset. setting error: %d\n", client->error); + } + + // the packet's ocnt tells us how much of our data the device has received. + if (header->tcp_flags & TCP_ACK) { + + // this is a hacky magic number condition. it seems that once the window + // reported by the phone starts to drop below this number, we quickly fall + // into connection reset problems. Once we see the reported window size + // start falling off, cut off and wait for solid acks to come back. + if (ntohs(header->window) < 256) + client->wr_window = 0; + + // check what just got acked. + if (ntohl(header->ocnt) < client->header->scnt) { + // we got some kind of ack, but it hasn't caught up with the + // pending that have been sent. + pthread_cond_broadcast(&client->wr_wait); + } + else if (ntohl(header->ocnt) > /*client->wr_pending_scnt*/ client->header->scnt) { + fprintf(stderr, "WTF?! acks overtook pending outstanding. %u,%u\n", + ntohl(header->ocnt), client->wr_pending_scnt); + } + else { + // reset the window + client->wr_window = WINDOW_MAX; + pthread_cond_broadcast(&client->wr_wait); + } + } + + // the packet's scnt will be our new ocnt. + client->header->ocnt = ntohl(header->scnt); + + // ensure there is enough space, either by first malloc or realloc + if (datalen > 0) { + if (client->r_len == 0) dobroadcast = 1; + + if (client->recv_buffer == NULL) { + client->recv_buffer = malloc(datalen); + client->r_len = 0; + } + else { + client->recv_buffer = realloc(client->recv_buffer, client->r_len + datalen); + } + + memcpy(&client->recv_buffer[client->r_len], data, datalen); + client->r_len += datalen; + } + + pthread_mutex_unlock(&client->mutex); + + // I put this outside the mutex unlock just so that when the threads + // wake, we don't have to do another round of unlock+try to grab. + if (dobroadcast) + pthread_cond_broadcast(&client->wait); + + + return packetlen; +} + +/** NOTE! THERE IS NO MUTEX LOCK IN THIS FUNCTION! + because we're only called from one location, pullbulk, where the lock + is already held. + */ +iphone_umux_client_t find_client(usbmux_tcp_header* recv_header) +{ + // remember, as we're looking for the client, the receive header is + // coming from the USB into our client. This means that when we check + // the src/dst ports, we need to reverse them. + iphone_umux_client_t retval = NULL; + + // just for debugging check, I'm going to convert the numbers to host-endian. + uint16 hsport = ntohs(recv_header->sport); + uint16 hdport = ntohs(recv_header->dport); + + pthread_mutex_lock(&iphonemutex); + int i; + for (i = 0; i < clients; i++) { + uint16 csport = ntohs(connlist[i]->header->sport); + uint16 cdport = ntohs(connlist[i]->header->dport); + + if (hsport == cdport && hdport == csport) { + retval = connlist[i]; + break; + } + } + pthread_mutex_unlock(&iphonemutex); + + return retval; +} + +/** pull in a big USB bulk packet and distribute it to queues appropriately. + */ +void iphone_mux_pullbulk(iphone_device_t phone) +{ + static const int DEFAULT_CAPACITY = 128*1024; + if (usbReceive.buffer == NULL) { + usbReceive.capacity = DEFAULT_CAPACITY; + usbReceive.buffer = malloc(usbReceive.capacity); + usbReceive.leftover = 0; + } + + // start the cursor off just ahead of the leftover. + char* cursor = &usbReceive.buffer[usbReceive.leftover]; + // pull in content, note that the amount we can pull is capacity minus leftover + int readlen = recv_from_phone_timeout(phone, cursor, usbReceive.capacity - usbReceive.leftover, 5000); + if (readlen < 0) { + //fprintf(stderr, "recv_from_phone_timeout gave us an error.\n"); + readlen = 0; + } + if (readlen > 0) { + //fprintf(stdout, "recv_from_phone_timeout pulled an extra %d bytes\n", readlen); + } + + // the amount of content we have to work with is the remainder plus + // what we managed to read + usbReceive.leftover += readlen; + + // reset the cursor to the front of that buffer and work through + // trying to decode packets out of them. + cursor = usbReceive.buffer; + while (1) { + // check if there's even sufficient data to decode a header + if (usbReceive.leftover < HEADERLEN) break; + usbmux_tcp_header *header = (usbmux_tcp_header *) cursor; + + // now that we have a header, check if there is sufficient data + // to construct a full packet, including its data + uint32 packetlen = ntohl(header->length); + if (usbReceive.leftover < packetlen) { + break; + } + + // ok... find the client this packet will get stuffed to. + iphone_umux_client_t client = find_client(header); + if (client == NULL) { + fprintf(stderr, "WARNING: client for packet cannot be found. dropping packet.\n"); + } + else { + // stuff the data + append_receive_buffer(client, cursor); + } + + // move the cursor and account for the consumption + cursor += packetlen; + usbReceive.leftover -= packetlen; + } + + // now, we need to manage any leftovers. + // I'm going to manage the leftovers by alloc'ing a new block and copying + // the leftovers to it. This is just to prevent problems with memory + // moves where there may be overlap. Besides, the leftovers should be + // small enough that this copy is minimal in overhead. + // + // if there are no leftovers, we just leave the datastructure as is, + // and re-use the block next time. + if (usbReceive.leftover > 0 && cursor != usbReceive.buffer) { + char* newbuff = malloc(DEFAULT_CAPACITY); + memcpy(newbuff, cursor, usbReceive.leftover); + free(usbReceive.buffer); + usbReceive.buffer = newbuff; + usbReceive.capacity = DEFAULT_CAPACITY; + } +} + +/** + * return the error code stored in iphone_umux_client_t structure, + * e.g. non-zero when an usb read error occurs. + * + * @param client the umux client + * + * @return IPHONE_E_* error codes. + */ +iphone_error_t iphone_mux_get_error(iphone_umux_client_t client) +{ + if (!client) { + return 0; + } + + return client->error; +} + +/** This is a higher-level USBMuxTCP-like function + * + * @param connection The connection to receive data on. + * @param data Where to put the data we receive. + * @param datalen How much data to read. + * + * @return IPHONE_E_SUCCESS or error code if failure. + */ +iphone_error_t iphone_mux_recv(iphone_umux_client_t client, char *data, uint32_t datalen, uint32_t * recv_bytes) +{ + return iphone_mux_recv_timeout(client, data, datalen, recv_bytes, 0); +} + +/** + @param timeout + */ +iphone_error_t iphone_mux_recv_timeout(iphone_umux_client_t client, char *data, uint32_t datalen, uint32_t * recv_bytes, int timeout) +{ + + if (!client || !data || datalen == 0 || !recv_bytes) + return IPHONE_E_INVALID_ARG; + + if (client->error != IPHONE_E_SUCCESS) return client->error; + + pthread_mutex_lock(&client->mutex); + + if (timeout > 0 && (client->recv_buffer == NULL ||client->r_len == 0)) { + struct timespec ts; + clock_gettime(CLOCK_REALTIME, &ts); + ts.tv_sec += timeout/1000; + ts.tv_nsec += (timeout-((int)(timeout/1000))*1000)*1000; //millis * 1000; + pthread_cond_timedwait(&client->wait, &client->mutex, &ts); + } + + *recv_bytes = 0; + if (client->recv_buffer != NULL && client->r_len > 0) { + uint32_t foolen = datalen; + if (foolen > client->r_len) foolen = client->r_len; + memcpy(data, client->recv_buffer, foolen); + *recv_bytes = foolen; + + // preserve any left-over unread amounts. + int remainder = client->r_len - foolen; + if (remainder > 0) { + char* newbuf = malloc(remainder); + memcpy(newbuf, client->recv_buffer + foolen, remainder); + client->r_len = remainder; + free(client->recv_buffer); + client->recv_buffer = newbuf; + } + else { + free(client->recv_buffer); + client->recv_buffer = NULL; + client->r_len = 0; + } + } + + pthread_mutex_unlock(&client->mutex); + + + return IPHONE_E_SUCCESS; +} |