From MultimediaWiki
Jump to: navigation, search

PCoIP is a real-time Audio/Video/Keyboard/Mouse/USB streaming protocol intended for remote desktop access to physical and virtual machines. It exists primarily in the form of a Terradici hardware encoder/decoder ASIC that may be integrated into graphics cards and thin-clients. A software implementation exists within recent versions of the VMware View Agent and VMware View Client products. According to the website, PCoIP protocol continuously analyzes and decomposes image elements – graphics, text, icons, photographs, video, etc – and compresses them with the right codec for each and every pixel.

Management Channel (MGMT)

The management channel establishes a PCoIP session between the client and server. The channel is created when the client connects to the server via SSL on port 4172. Existing PCoIP clients and servers perform validation of the SSL keys against the PCoIP Root Certificate Authority (see below). The channel is closed following negotiation of the data channel parameters. Parameters are listed below.


Existing server implementations check that the remote client's certificate is signed by the PCoIP Root Certificate Authority.

PCoIP Certificate Authority Key

//FIXME: Public key
//FIXME: Private key

PCoIP Client Key (libpcoip_client)

//FIXME: Public key
//FIXME: Private key

Message Format

Each MGMT message consists of a 64-bit header followed by list of chunks. The first chunk is always the 'ssig' chunk, which identifies the purpose of the message.

Header Record

   uint64_t  size;   Packet size excluding this header (bytes)

Chunk Record

   uint32_t  tag;    FourCC code
   uint32_t  size;   Chunk data size (bytes)
   var       data;   Chunk data

General FourCC Codes

FourCC Length (Bytes) Name Data type
ssig 4 Purpose 0=Invite, 1=Invite Ok, 2=Not Acceptable, 3=Ack, 4=Bye, 5=Bye Ok, 6=Ping, 7=Pong
byec 4 Bye reason
psec 4 security type Integer; 0=NULL, 1=AES-128-GCM, 2=AES-256-GCM, 3=Salsa20-256-round12
1key 16 AES 128 key
1slt 4 AES 128 salt
1spi 4 AES 128 spi
2key 32 AES 256 key
2slt 4 AES 256 salt
2spi 4 AES 256 spi
s12k 32 Salsa20-256-round12 key
s12s 4 Salsa20-256-round12 salt
s12t 4 Salsa20-256-round12 spi
cipa <= 255 Connection IP address
cmac 6 Connection MAC address
cpri 4 Connection PRI address
ctag <= 127 Connection tag VMware View Client 'token'
cprt 2 Connection port Integer
pca1 32 AES-128-GCM key
pca2 48 AES-256-GCM key
pcs2 48 Salsa20-256-round12 key
penc <= 64 PCoIP encoding Array of bytes, where 0=pcoip_data_1, 1=pcoip_data_2
pcap <= 64 PCoIP encapsulation Array of bytes, where 0=IP, 1=UDP, 2=TCP
pclr 1 Cleartext transport header supported Boolean
psak 1 Selective ACK supported Boolean
plnk 4 PCoIP link rate Integer; BPS
pmtu 4 MTU size Integer
pprf <= 96 PCoIP packet preference Array of 3-byte records

Media FourCC Codes

When describing a specific media type (e.g. Audio), the following common chunks are present, followed by chunks specific to the media.

FourCC Length (Bytes) Name Data type
mtyp 4 Media type 0=USB, 1=Audio, 2=Video, 3=DDC, 4=KMP, 5=VChan
menc var Media encoding (Media specific)
menb 4 Media Boolean


Media Encoding:

Value Encoding


FourCC Length (Bytes) Name Data type
usbb 4 Client paramter version
usbp 4 Plugin version
usbc 4 Number of channels


Media Encoding:

Value Codec Frequency Channels
1 ADPCM 48000 Stereo
2 ADPCM 8000 Mono
3 ADPCM 16000 Mono
4 PCM 16-bit LE 48000 Stereo
5 PCM 16-bit LE 48000 Mono


FourCC Length (Bytes) Name Data type
audf <= 100 FEC mode array of byes, where 0=FEC Mode 1
audi 4 Audio input Boolean
audy 4 Standy mode


Media Encoding:

Value Encoding
0 Video 1
1 Video 2
2 Video 3


FourCC Length (Bytes) Name Data type
vidt 4 Topology caching Boolean
vidn 4 Max number of displays
vidv 4 Vertical extended motion Boolean
vidh 4 Horizontal extended motion Boolean
vidp 4 SACK Boolean
vidl  ? (deprecated)
vidb 4 Image cache size
vidu 4 User config Boolean
vidy 4 Standby mode Boolean
vidm 4 Monitor power saving Boolean
vidC 4  ?
viCA 4  ?


Always media encoding value 0

FourCC Length (Bytes) Name Data type
ddce 4 Asynchronous EDID Update Boolean


Always media encoding value 0

FourCC Length (Bytes) Name Data type
kmpa <= 100 Auto repeat modes array of bytes, where 0=client auto repeat
kmpb <= 100 Pointer shape bitmap types array of bytes, where 0=alpha, 1=color, 2=xor, 3=compressed alpha, 4=compressed color, 5=compressed xor
kmpc 4 Pointer shape caches
kmpx 4 Pointer shape cache size
kmps 4 Pointer shape max size (x,y)
kmpf 4 Pointer fadeout Boolean
kmpl 4 Multiple locale Boolean
kmpu 4 Unicode key Boolean
kmpk 4 Key block Boolean


Always media encoding value 0

FourCC Length (Bytes) Name Data type
vchc 4 Number of channels
vchs 4 Buffer size

Key Exchange Obfuscation

PCoIP supports an optional method to obfuscate the the key exchange with the management channel. Obfuscation is achieved by xoring the client and server keys with values derived from a shared secret. The shared secret is communicated to the client and server via the VMware View Client Protocol. The shared secret is called the reservation_vcs_tag or PCoIP token. The shared secret also contains a unique connection identifier called the reservation_ssig_tag or connection tag. This is exchanged over the management channel via the 'ctag' chunk.

 if (reservation_vcs_tag starts with "SCS1" && strlen(reservation_vcs_tag) >= 104) {
   server key xor value = decodebase64(reservation_vcs_tag[4..47])
   client key xor value = decodebase64(reservation_vcs_tag[48..91])
   reservation_ssig_tag = reservation_vcs_tag[92..]
 } else {
   //server and client keys are exchanged verbatim
   reservation_ssig_tag = reservation_vcs_tag

Data Channel (DATA)

The data channel exists to exchange encrypted data packets between the client and server. The channel is configured by the 'pcap' and 'penc' parameters negotiated in the MGMT channel. The following subsections relate to the (UDP, pcoip_data_2) configuration. In the default configuration, UDP messages are sent from client-to-server on UDP port 4172, and sent from the server-to-client on UDP port 50002. The network address and port are specified via the cipa and cprt chunks in the management channel.

Encrypted Data Packet

PCoIP supports Salsa20/12, AES-128 and AES-256 encryption algorithms. Different algorithm and key may be used in each directions of the channel. Each encrypted data packet is sent as a UDP datagram and (when decrypted) contains a single data message. Note that each encryption algorithm uses a different packet format, but the resulting plaintext message is the same format.

Salsa20/12 Encapsulated Packet

A reference Salsa20/12 algorithm can be found here: http://cr.yp.to/snuffle/salsa20/ref/salsa20.c. Note the final four bytes of the plaintext data message is always equal to 0xDEADBEEF. These bytes are not considered part of the data message.

 uint32_t    spi;          Unique indicator
 uint32_t    serial;       Packet serial number, starts at zero
 uint8_t     iv[8];        Crypto IV
 variable    payload[]     Ciphertext message

AES-128 Encapsulation Packet

//FIXME: Document

AES-256 Encapsulation Packet

//FIXME: Document

Data Message Format

Data message consist of a header followed by message-specific body.


 uint8_t   type;         Message type (see table below)
 uint8_t   unknown[3];
 uint16_t  serial_no;    Serial number; separate serial numbers maintained for each message type

Packet Type

Packet Type Name Description Source(s)
2 IMG Video Channel Server
6  ? Redirection services Client,Server
8 DDC Display Data Channel Client,Server
9  ? Client,Server
10  ? Client,Server
12 HDA Audio Channel Client,Server