New Architecture: Pure Go L2 Bridge (Zero Tunnel)
Date: 2026-04-02
Status: APPROVED DIRECTION
Key Discovery
RSD port 58783 listens on CDC-NCM link-local IPv6 IMMEDIATELY after USB mode switch, BEFORE any tunnel is created. Mode switch and tunnel are independent operations. Linux never needs to create a tunnel — the slot stays free for Mac's remoted.
Architecture
Local VM (same host)
iPhone ──USB──→ Linux host
                  │
                  ├── iosmux: gousb mode switch (0x52, wIndex=3)
                  │     → kernel auto-attaches cdc_ncm → interface UP
                  │
                  ├── kernel bridge: br-iphone
                  │     CDC-NCM interface + VM's tap on same bridge
                  │     multicast_snooping=0 for mDNS
                  │
                  └── Mac VM (libvirt)
                        → remoted discovers iPhone via mDNS on bridge
                        → connects to RSD fe80::X:58783
                        → creates tunnel (slot free!)
                        → Xcode sees device
Remote Mac (over network)
iPhone ──USB──→ Linux server                     Remote Mac
                  │                                │
                  ├── iosmux server:               ├── iosmux client:
                  │     gousb mode switch          │     connect to server
                  │     AF_PACKET on CDC-NCM       │     receive L2 frames
                  │     forward L2 frames ───────→ │     inject into feth pair
                  │     over TCP/TLS               │     remoted discovers
                  │                                │     via mDNS on feth
                  │                                │     creates tunnel
                  │                                │     Xcode sees device
Dependencies (NEW — dramatically simpler)
| Dependency | Purpose | License |
|---|---|---|
| google/gousb | USB mode switch | Apache-2.0 |
| mdlayher/packet | AF_PACKET L2 frames | MIT |
| spf13/cobra | CLI | Apache-2.0 |
REMOVED: pymobiledevice3, gvisor, yamux, hashicorp/mdns
NEW (to write):
- feth wrapper for macOS (~300 LOC)
- L2 frame encapsulation over TCP/TLS (~200 LOC)
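One way to delimit Ethernet frames on the TCP/TLS stream for the "L2 frame encapsulation" component listed above. This is an added example, not iosmux code: this page defines no wire format, so the 2-byte length prefix, the 1514-byte cap and the names `WriteFrame`, `ReadFrame` and `ErrFrameSize` are assumptions.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed wire format (the design doc defines none): 2-byte big-endian length,
// then one raw Ethernet frame. maxFrame assumes a 1500-byte MTU plus 14-byte header.
const minFrame, maxFrame = 14, 1514

var ErrFrameSize = errors.New("l2relay: frame size out of bounds")

// WriteFrame emits [length][frame] with one Write call per frame.
func WriteFrame(w io.Writer, frame []byte) error {
	if len(frame) < minFrame || len(frame) > maxFrame {
		return fmt.Errorf("%w: %d bytes", ErrFrameSize, len(frame))
	}
	buf := binary.BigEndian.AppendUint16(make([]byte, 0, 2+len(frame)), uint16(len(frame)))
	_, err := w.Write(append(buf, frame...))
	return err
}

// ReadFrame validates the peer-supplied length before allocating the buffer.
func ReadFrame(r io.Reader) ([]byte, error) {
	var hdr [2]byte
	if _, err := io.ReadFull(r, hdr[:]); err != nil {
		return nil, err // io.EOF: clean close between frames
	}
	n := int(binary.BigEndian.Uint16(hdr[:]))
	if n < minFrame || n > maxFrame {
		return nil, fmt.Errorf("%w: peer announced %d bytes", ErrFrameSize, n)
	}
	frame := make([]byte, n)
	if _, err := io.ReadFull(r, frame); err != nil {
		return nil, fmt.Errorf("l2relay: truncated frame: %w", err)
	}
	return frame, nil
}

func main() {
	// Constructed sample frame: zeroed MACs, EtherType 0x86DD (IPv6), 40 payload bytes.
	frame := append(append(make([]byte, 12, 54), 0x86, 0xDD), make([]byte, 40)...)
	pr, pw := io.Pipe() // stands in for the TCP/TLS connection
	go func() { pw.CloseWithError(WriteFrame(pw, frame)) }()
	got, err := ReadFrame(pr)
	fmt.Println(len(got), err)
}
```

The receiving side should treat any `ErrFrameSize` or truncation error as a desynchronised stream and close the connection instead of trying to resume, since nothing read after that point can be trusted as a frame boundary.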
PoC Results (2026-04-02)
PROVEN WORKING
- gousb mode switch (0x52) → Config 5 with two CDC-NCM interfaces
- Kernel bridge (br-iphone) with BOTH NCM interfaces + VM tap
- Mac VM reaches iPhone RSD:58783 through bridge
- pymobiledevice3 tunneld on Mac VM creates tunnel (pair + tunnel)
- Full device info accessible through tunnel
KEY DISCOVERY: Two NCM Interfaces
Config 5 exposes TWO CDC-NCM pairs:
- Interface 2+3 (tethering): has interrupt endpoint, lockdownd:62078 here
- Interface 4+5 (private): NO interrupt endpoint, RSD:58783 here

Both must be on bridge for full functionality.
UNSOLVED: Xcode Integration
- macOS remoted does NOT use mDNS _remoted._tcp for discovery (our assumption was WRONG)
- remoted uses internal CoreDevice/XPC mechanism
- dns-sd -P advertisement of _remoted._tcp is ignored by remoted
- Tunnel works, device accessible via pymobiledevice3 CLI, but Xcode UI empty
- Need research into CoreDevice framework registration
CORRECTED Assumptions
- remoted is dormant without IOKit → remoted always running, uses XPC not mDNS
- RSD on first NCM interface → RSD on PRIVATE (second) NCM interface only
- mDNS enough for Xcode → CoreDevice uses different discovery path
Phase Plan (Updated)
Phase 1: Mode switch + kernel bridge + local VM test DONE
Phase 2: Xcode integration (CoreDevice registration research)
Phase 3: Pure Go implementation (tunnel protocol, no pymobiledevice3)
Phase 4: AF_PACKET relay + feth client (remote case)
Phase 5: TLS, auth, multi-device, polish