jPhone (2010)

jPhone was a Windows application which allowed the user to mount the file system of an iOS device (iPhone, iPad) as a hard drive. The idea behind jPhone was to make it possible for jPod to support managing the media libraries of iOS devices. jPhone was written in C# and the source code is available.

While several applications existed to mount the file system of an iOS device as a hard drive in Windows, they all (at the time of jPhone’s creation) relied on iTunes being installed, and they gained iOS file system access through iTunes’ device driver. On the other hand, jPhone was essentially a replacement device driver and, as such, could operate without iTunes.

A device driver in C#? What an odd concept.

I used the LibUsbDotNet library, installing a libusb device driver for the device and then reading and writing the raw USB traffic with C#. In order to mount the drive (so it was, e.g., accessible through Windows Explorer), I used the dokan library.

Some color commentary

The USB traffic on the iPhone was very peculiar. It was almost TCP but not quite: as I recall, the packet header was slightly different. Once the device and computer had gotten acquainted, the device started a TLS handshake. Afterwards, the USB traffic between your device and your computer was encrypted. Let that sink in for a minute. Was Apple protecting you here from hackers? From the government? No, the traffic is encrypted between your device and your computer so that you can’t read it. Pretty amazing.

I imagine there were at least two reasons to model the USB traffic after TCP:

  • the device runs several daemons, and ports are a clean, natural abstraction for addressing them
  • TLS sits happily on top of TCP (with standard library implementations), so it made it easy to add encryption without reinventing any wheels

I’ll also note that what jPhone did (speaking the language of iOS USB traffic) is orthogonal to jailbreaking. Using jPhone on a vanilla (non-jailbroken) iOS device, the file system would be exposed but it would be locked down to a user’s home directory. Access to the file system was through a proprietary transfer protocol called AFC (“Apple File Conduit”), which was transmitted over TCP and encrypted with TLS. If the device was jailbroken, an unofficial “AFC2” daemon, protocol-compatible with AFC, would be listening on a separate port, giving access to all files from the root of the file system.

Last updated 15 October 2014