Create an iTunes Trace
An iTunes trace is a file that contains all of the USB commands which iTunes sends to and receives from the iPhone. In order to create a driver for Linux, we must gather a number of these traces to determine what is similar among them and what differs. From that we can write a document describing the communications protocol and then create a working implementation.
Windows
- Download the USB sniffer, extract the zip file and run the enclosed executable. Allow it to install the required file into the system directory. The program was not made for Vista and does not work there: it must run as root (MS elevate command), but it will not write to the log file even if you create an empty world-writable log file for it.
- Plug the iPhone into the computer.
- Select the device line that contains 0x05ac and 0x1290 (this is the iPhone) and press Install.
- Then unplug the iPhone from the computer.
- Then launch iTunes.
- After iTunes has fully launched, reconnect your iPhone.
- When done syncing, eject the iPhone and physically disconnect it from the computer.
- Copy the log file from where it was stored and rename it to include the version of the iPhone firmware, the version of iTunes used and whether you have jailbroken your iPhone or not.
- Additionally it would be good to describe what operations the synchronization performed (it copied 1 song, or it copied 3 photos).
- Finally, if you feel comfortable posting the data, upload it here and link to it. Keep in mind that cryptographic keys are transmitted, as well as any personal data that could be included in the transfer. However, the data is invaluable for creating a driver which can communicate with the iPhone. The choice is yours.
VMware Windows Guest
It is possible to log all USB communication using a VMware virtual host. To enable the hidden USB debugging, you have to follow the tutorial here.
Later you can use the Virtual USB Analyzer to browse the communication log.
Mac OS X
I'm not aware of any software sniffers for OS X. There's a third-party opportunity!
You can install the debugging USB family and use USB Prober from Apple to trace *all* USB activity, in sometimes excruciating detail. Unfortunately, even at log level 7, with this prober, you get nothing but USB status messages and information. Just to give you an idea, I ran a restore, which generated a 500-megabyte log at level 7. I ran lzma on it, and got it down to 8 megs :(
http://developer.apple.com/hardwaredrivers/download/usbdebug.html
However, because iTunes talks to the device through usbmuxd, you can do the following in Terminal (requires socat, from MacPorts or similar):
    cd /var/run/
    # Move the real usbmuxd socket aside so socat can listen in its place
    mv usbmuxd usbmuxd.orig
    # Relay every connection to the real socket, dumping both directions as hex and text
    socat -d -d -x -v unix-listen:usbmuxd,fork unix-connect:usbmuxd.orig
This will hexdump all communications over usbmuxd to stdout. It won't help much with the SSL traffic, but most traffic isn't over SSL. To trace SSL traffic, you can use dtrace on 10.5 to great effect (I'll post a script here, eventually) on SSL_write and (almost) SSL_read to see what's being sent and received, but there are complications with iTunes trying its best to prevent you from using dtrace on it.
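Since traces can carry cryptographic keys and personal data, it is worth checking a dump before uploading it. The following is an added example, not part of the original page: it rebuilds the byte stream for each direction from a saved socat hexdump and flags PEM key markers and e-mail addresses, which a plain text search of the hexdump misses because the bytes are hex-encoded and split across lines and writes. The dump layout, the two patterns and all sample bytes are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout assumed for socat's hex dump: a "> " or "< "
# header per write, followed by lines of space-separated hex bytes.
SAMPLE = """\
> 2009/03/01 12:00:00.000000  length=16 from=0 to=15
 2d 2d 2d 2d 2d 42 45 47 49 4e 20 52 53 41 20 50
< 2009/03/01 12:00:00.050000  length=16 from=0 to=15
 75 73 65 72 40 65 78 61 6d 70 6c 65 2e 63 6f 6d
> 2009/03/01 12:00:00.100000  length=16 from=16 to=31
 52 49 56 41 54 45 20 4b 45 59 2d 2d 2d 2d 2d 0a
"""

PATTERNS = {  # illustrative patterns, extend for your own data
    "pem_block": re.compile(rb"-----BEGIN [A-Z0-9 ]+-----"),
    "email": re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
}
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def reassemble(dump_text):
    """Rebuild one byte stream per direction from the hex lines of the dump."""
    streams = {">": bytearray(), "<": bytearray()}
    direction = None
    for line in dump_text.splitlines():
        if line[:2] in ("> ", "< "):
            direction = line[0]  # header line: following bytes flow this way
            continue
        if direction is None or not line.strip():
            continue
        # Keep only the hex column; a text column, if present, follows a wide gap.
        tokens = re.split(r"\s{2,}", line.strip())[0].split()
        if all(HEX_BYTE.fullmatch(t) for t in tokens):
            streams[direction] += bytes.fromhex("".join(tokens))
    return {d: bytes(b) for d, b in streams.items()}


def find_sensitive(dump_text):
    """Return sorted (direction, kind, offset, match) for every pattern hit."""
    hits = []
    for direction, data in reassemble(dump_text).items():
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(data):
                hits.append((direction, kind, m.start(), m.group().decode("latin-1")))
    return sorted(hits)


if __name__ == "__main__":
    print(*find_sensitive(SAMPLE), sep="\n")
```

In the sample, the key marker is split across two writes with traffic in the other direction in between, so it only appears once the stream is reassembled.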
Existing Traces
- iTunes 7.5.0.20, 1.1.3 Firmware, jailbroken - Uploaded 1 song [Pink - Feel Good Time]. SSL keys
- iTunes 8.0.2.20, FW 2.2.1, JailBroken - Removed and re-added a ringtone
- iTunes 8.1.0.51, iPod Touch 1G, FW 2.2.1, JailBroken - Installed app [Payback Lite]
- iTunes 8.1.1.10, iPhone 3G, FW 2.2.1, Not-JailBroken
  - [15 ms - 28690 ms] : Activate USB Connection
  - [67099 ms - 239955 ms] : Copy 1 MP3 from iTunes to iPhone
  - [295556 ms - 353741 ms] : Eject and Disconnect iPhone
External Resources
- Samsutools Reverse Engineering - Describes how the samsutools project reverse engineers phones.