• Company: Teradici
• Description: http://teradici.com/pcoip/pcoip-technology.php

PCoIP is a real-time Audio/Video/Keyboard/Mouse/USB streaming protocol intended for remote desktop access to physical and virtual machines. It exists primarily in the form of a Terradici hardware encoder/decoder ASIC that may be integrated into graphics cards and thin-clients. A software implementation exists within recent versions of the VMware View Agent and VMware View Client products. According to the website, PCoIP protocol continuously analyzes and decomposes image elements – graphics, text, icons, photographs, video, etc – and compresses them with the right codec for each and every pixel.

Management Channel (MGMT)

The management channel establishes a PCoIP session between the client and server. The channel is created when the client connects to the server via SSL on port 4172. Existing PCoIP clients and servers perform validation of the SSL keys against the PCoIP Root Certificate Authority (see below). The channel is closed following negotiation of the data channel parameters. Parameters are listed below.

Security

Existing server implementations check that the remote client's certificate is signed by the PCoIP Root Certificate Authority.

PCoIP Certificate Authority Key

//FIXME: Public key
//FIXME: Private key

PCoIP Client Key (libpcoip_client)

//FIXME: Public key
//FIXME: Private key

Message Format

Each MGMT message consists of a 64-bit header followed by list of chunks. The first chunk is always the 'ssig' chunk, which identifies the purpose of the message.

Header Record

   uint64_t  size;   Packet size excluding this header (bytes)

Chunk Record

   uint32_t  tag;    FourCC code
   uint32_t  size;   Chunk data size (bytes)
   var       data;   Chunk data

General FourCC Codes

FourCC	Length (Bytes)	Name	Data type
ssig	4	Purpose	0=Invite, 1=Invite Ok, 2=Not Acceptable, 3=Ack, 4=Bye, 5=Bye Ok, 6=Ping, 7=Pong
byec	4	Bye reason
psec	4	security type	Integer; 0=NULL, 1=AES-128-GCM, 2=AES-256-GCM, 3=Salsa20-256-round12
1key	16	AES 128 key
1slt	4	AES 128 salt
1spi	4	AES 128 spi
2key	32	AES 256 key
2slt	4	AES 256 salt
2spi	4	AES 256 spi
s12k	32	Salsa20-256-round12 key
s12s	4	Salsa20-256-round12 salt
s12t	4	Salsa20-256-round12 spi
cipa	<= 255	Connection IP address
cmac	6	Connection MAC address
cpri	4	Connection PRI address
ctag	<= 127	Connection tag	VMware View Client 'token'
cprt	2	Connection port	Integer
pca1	32	AES-128-GCM key
pca2	48	AES-256-GCM key
pcs2	48	Salsa20-256-round12 key
penc	<= 64	PCoIP encoding	Array of bytes, where 0=pcoip_data_1, 1=pcoip_data_2
pcap	<= 64	PCoIP encapsulation	Array of bytes, where 0=IP, 1=UDP, 2=TCP
pclr	1	Cleartext transport header supported	Boolean
psak	1	Selective ACK supported	Boolean
plnk	4	PCoIP link rate	Integer; BPS
pmtu	4	MTU size	Integer
pprf	<= 96	PCoIP packet preference	Array of 3-byte records

Media FourCC Codes

When describing a specific media type (e.g. Audio), the following common chunks are present, followed by chunks specific to the media.

FourCC	Length (Bytes)	Name	Data type
mtyp	4	Media type	0=USB, 1=Audio, 2=Video, 3=DDC, 4=KMP, 5=VChan
menc	var	Media encoding	(Media specific)
menb	4	Media	Boolean

USB

Media Encoding:

Value	Encoding
0	OHCI
1	EHCI
3	URB

FourCCs:

FourCC	Length (Bytes)	Name	Data type
usbb	4	Client paramter version
usbp	4	Plugin version
usbc	4	Number of channels

Audio

Media Encoding:

Value	Codec	Frequency	Channels
1	ADPCM	48000	Stereo
2	ADPCM	8000	Mono
3	ADPCM	16000	Mono
4	PCM 16-bit LE	48000	Stereo
5	PCM 16-bit LE	48000	Mono

FourCCs:

FourCC	Length (Bytes)	Name	Data type
audf	<= 100	FEC mode	array of byes, where 0=FEC Mode 1
audi	4	Audio input	Boolean
audy	4	Standy mode

Video

Media Encoding:

Value	Encoding
0	Video 1
1	Video 2
2	Video 3

FourCCs:

FourCC	Length (Bytes)	Name	Data type
vidt	4	Topology caching	Boolean
vidn	4	Max number of displays
vidv	4	Vertical extended motion	Boolean
vidh	4	Horizontal extended motion	Boolean
vidp	4	SACK	Boolean
vidl		? (deprecated)
vidb	4	Image cache size
vidu	4	User config	Boolean
vidy	4	Standby mode	Boolean
vidm	4	Monitor power saving	Boolean
vidC	4	?
viCA	4	?

DDC

Always media encoding value 0

FourCC	Length (Bytes)	Name	Data type
ddce	4	Asynchronous EDID Update	Boolean

KMP

Always media encoding value 0

FourCC	Length (Bytes)	Name	Data type
kmpa	<= 100	Auto repeat modes	array of bytes, where 0=client auto repeat
kmpb	<= 100	Pointer shape bitmap types	array of bytes, where 0=alpha, 1=color, 2=xor, 3=compressed alpha, 4=compressed color, 5=compressed xor
kmpc	4	Pointer shape caches
kmpx	4	Pointer shape cache size
kmps	4	Pointer shape max size	(x,y)
kmpf	4	Pointer fadeout	Boolean
kmpl	4	Multiple locale	Boolean
kmpu	4	Unicode key	Boolean
kmpk	4	Key block	Boolean

VChan

Always media encoding value 0

FourCC	Length (Bytes)	Name	Data type
vchc	4	Number of channels
vchs	4	Buffer size

Key Exchange Obfuscation

PCoIP supports an optional method to obfuscate the the key exchange with the management channel. Obfuscation is achieved by xoring the client and server keys with values derived from a shared secret. The shared secret is communicated to the client and server via the VMware View Client Protocol. The shared secret is called the reservation_vcs_tag or PCoIP token. The shared secret also contains a unique connection identifier called the reservation_ssig_tag or connection tag. This is exchanged over the management channel via the 'ctag' chunk.

 if (reservation_vcs_tag starts with "SCS1" && strlen(reservation_vcs_tag) >= 104) {
   server key xor value = decodebase64(reservation_vcs_tag[4..47])
   client key xor value = decodebase64(reservation_vcs_tag[48..91])
   reservation_ssig_tag = reservation_vcs_tag[92..]
 } else {
   //server and client keys are exchanged verbatim
   reservation_ssig_tag = reservation_vcs_tag
 }

Data Channel (DATA)

The data channel exists to exchange encrypted data packets between the client and server. The channel is configured by the 'pcap' and 'penc' parameters negotiated in the MGMT channel. The following subsections relate to the (UDP, pcoip_data_2) configuration. In the default configuration, UDP messages are sent from client-to-server on UDP port 4172, and sent from the server-to-client on UDP port 50002. The network address and port are specified via the cipa and cprt chunks in the management channel.

Encrypted Data Packet

PCoIP supports Salsa20/12, AES-128 and AES-256 encryption algorithms. Different algorithm and key may be used in each directions of the channel. Each encrypted data packet is sent as a UDP datagram and (when decrypted) contains a single data message. Note that each encryption algorithm uses a different packet format, but the resulting plaintext message is the same format.

Salsa20/12 Encapsulated Packet

A reference Salsa20/12 algorithm can be found here: http://cr.yp.to/snuffle/salsa20/ref/salsa20.c. Note the final four bytes of the plaintext data message is always equal to 0xDEADBEEF. These bytes are not considered part of the data message.

 uint32_t    spi;          Unique indicator
 uint32_t    serial;       Packet serial number, starts at zero
 uint8_t     iv[8];        Crypto IV
 variable    payload[]     Ciphertext message

AES-128 Encapsulation Packet

//FIXME: Document

AES-256 Encapsulation Packet

//FIXME: Document

Data Message Format

Data message consist of a header followed by message-specific body.

Header

 uint8_t   type;         Message type (see table below)
 uint8_t   unknown[3];
 uint16_t  serial_no;    Serial number; separate serial numbers maintained for each message type

Packet Type

Packet Type	Name	Description	Source(s)
2	IMG	Video Channel	Server
6	?	Redirection services	Client,Server
8	DDC	Display Data Channel	Client,Server
9	?		Client,Server
10	?		Client,Server
12	HDA	Audio Channel	Client,Server