From MultimediaWiki
Revision as of 07:56, 26 June 2012 by Suxen drol (talk | contribs) (Key Exchange Obfuscation)
Jump to navigation Jump to search

PCoIP is a real-time Audio/Video/Keyboard/Mouse/USB streaming protocol intended for remote desktop access to physical and virtual machines. It exists primarily in the form of a Terradici hardware encoder/decoder ASIC that may be integrated into graphics cards and thin-clients. A software implementation exists within recent versions of the VMware View Agent and VMware View Client products. According to the website, PCoIP protocol continuously analyzes and decomposes image elements – graphics, text, icons, photographs, video, etc – and compresses them with the right codec for each and every pixel.

Management Channel (MGMT)

The management channel establishes a PCoIP session between the client and server. The channel is created when the client connects to the server via SSL on port 4172. Existing PCoIP clients and servers perform validation of the SSL keys against the PCoIP Root Certificate Authority (see below). The channel is closed following negotiation of the data channel parameters. Parameters are listed below.

PCoIP Root Certificate Authority

//FIXME: Public key
//FIXME: Private key

Management Packet

//FIXME: Document

Primary FourCC Codes

FourCC Length (Bytes) Name Data type
psec 4 security type Integer; 0=NULL, 1=AES-128-GCM, 2=AES-256-GCM, 3=Salsa20-256-round12
1key 16 AES 128 key
1slt 4 AES 128 salt
1spi 4 AES 128 spi
2key 32 AES 256 key
2slt 4 AES 256 salt
2spi 4 AES 256 spi
s12k 32 Salsa20-256-round12 key
s12s 4 Salsa20-256-round12 salt
s12t 4 Salsa20-256-round12 spi
cipa <= 255 Connection IP address
cmac 6 Connection MAC address
cpri 4 Connection PRI address
ctag <= 127 Connection tag VMware View Client 'token'
cprt 2 Connection port Integer
pca1 32 AES-128-GCM key
pca2 48 AES-256-GCM key
pcs2 48 Salsa20-256-round12 key
penc <= 64 PCoIP encoding Array of bytes, where 0=pcoip_data_1, 1=pcoip_data_2
pcap <= 64 PCoIP encapsulation Array of bytes, where 0=IP, 1=UDP, 2=TCP
pclr 1 Cleartext transport header supported Boolean
psak 1 Selective ACK supported Boolean
plnk 4 PCoIP link rate Integer; BPS
pmtu 4 MTU size Integer
pprf <= 96 PCoIP packet preference Array of 3-byte records

Media-specific FourCC Codes

When describing a specific media type (e.g. Audio), the following chunks are present, followed by chunks specific to the media.

FourCC Length (Bytes) Name Data type
mtyp 4 Media type 0=USB, 1=Audio, 2=Video, 3=DDC, 4=KMP, 5=VChan
menc var Media encoding
menb 4 Media enable




FourCC Length (Bytes) Name Data type
audf 1 FEC mode
audi 4 Audio input enable


FourCC Length (Bytes) Name Data type
vidv ? Vertical extended motion enable
vidh ? Horizontal extended motion enable
vidp ? SACK enable
vidm ? Monitor power saving enable




FourCC Length (Bytes) Name Data type
kmpa 4 Auto repeat mode
kmpb 4 Pointer shape bitmap type (alpha,color)
kmpc 4 Pointer shape caches
kmpx 4 Pointer shape cache size
kmps 4 Pointer shape max size (x,y)


FourCC Length (Bytes) Name Data type
vchc 4 Number of channels

Key Exchange Obfuscation

PCoIP supports an optional method to obfuscate the the key exchange with the management channel. Obfuscation is achieved by xoring the client and server keys with values derived from a shared secret. The shared secret is communicated to the client and server via the VMware View Client Protocol. The shared secret is called as the 'reservation_vcs_tag' or 'PCoIP token'. The shared secret also contains a unique connection identified called the 'reservation_ssig_tag' or 'connection tag'. This is communicated over the management channel via the 'ctag' chunk.

 if (reservation_vcs_tag starts with "SCS1" && strlen(reservation_vcs_tag) >= 104) {
   server key xor value = decodebase64(reservation_vcs_tag[4..47])
   client key xor value = decodebase64(reservation_vcs_tag[48..91])
   reservation_ssig_tag = reservation_vcs_tag[92..]
 } else {
   //server and client keys are published verbatim in the MGMT PDUs
   reservation_ssig_tag = reservation_vcs_tag

Data Channel (DATA)

The data channel exists to exchange encrypted data packets between the client and server. The channel is configured by the 'pcap' and 'penc' parameters negotiated in the MGMT channel. The following subsections relate to the (UDP, pcoip_data_2) configuration. In the default configuration, UDP messages are sent from client-to-server on UDP port 4172, and sent from the server-to-client on UDP port 50002. The network address and port are specified via the cipa and cprt chunks in the management channel.

Encrypted Data Packet

PCoIP supports Salsa20/12, AES-128 and AES-256 encryption algorithms. Different algorithm and key may be used in each directions of the channel. Each encrypted data packet is sent as a UDP datagram and (when decrypted) contains a single data message. Note that each encryption algorithm uses a different packet format, but the resulting plaintext message is the same format.

Salsa20/12 Encapsulated Packet

A reference Salsa20/12 algorithm can be found here: http://cr.yp.to/snuffle/salsa20/ref/salsa20.c. Note the final four bytes of the plaintext data message is always equal to 0xDEADBEEF. These bytes are not considered part of the data message.

 uint32_t    spi;          Unique indicator
 uint32_t    serial;       Packet serial number, starts at zero
 uint8_t     iv[8];        Crypto IV
 variable    payload[]     Ciphertext message

AES-128 Encapsulation Packet

//FIXME: Document

AES-256 Encapsulation Packet

//FIXME: Document

Data Message Format

//FIXME: Document
Packet Type Name Description Source(s)
2 IMG Video Channel Server
6 ? Client,Server
8 DDC Display Data Channel Client,Server
9 ? Client,Server
10 ? Client,Server
12 HDA Audio Channel Client,Server