CarPlay iAP2附件协议

CarPlay only supports USB before iOS 8.3, maximum NCM packet size is 64KB (40 x 1514-byte MTU). USB CarPlay uses H.264 HP3.1/3.2 Profile, 25Mbps.
Wireless CarPlay uses iAP2 over Bluetooth profile. It uses H.264 HP3.1/3.2 Profile, 10Mbps.
Download Data Center Software from Total Phase.

1 Lightning
1.1 Lightning线缆方向发现
Figure 1-1 Apple Lightning Cable Orientation Discovery 

watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3pvb3NlbnBpbg==,size_16,color_FFFFFF,t_70

ID0或者ID1的通信位速率大概为85kbps,USB PD协议的CC线BMC编码位速率是600Kbps。

1.2 BQ25890
Figure 1-2 CDP探测波形

watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3pvb3NlbnBpbg==,size_16,color_FFFFFF,t_70

1.3 Apple charger mode
divider 1: 5W, DP = 2 V, DM = 2.7 V
divider 2: 10W, DP = 2.7 V, DM = 2 V
divider 3: 12W, DP = 2.7 V, DM = 2.7 V

1.4 iPhone 15 USB-C
https://support.apple.com/en-us/HT213839

2 libusb库的使用
Read my blog “Android libusb库的使用”。

3 iAP2协议细节
iPhone USB configuration 2 is for HID and UAC.
3.1 包格式
iAP2函数库有250多个函数。
iAP2的header长度是9个字节。
HID包从第11个字节(从0索引开始数)开始是Payload Data;第15和16字节表示Message ID。

iAP2 Control Session数据包格式:
offset 0:0xFF
offset 1:0x5a
offset 2:Packet Length MSB
offset 3:Packet Length LSB
offset 4:Control Byte - SYN / ACK / EAK / RST / SLP
offset 5:Packet Sequence Number, from 0 to 255
offset 6:Packet Acknowledgement Number, depending on Control Byte
offset 7:Session Identifier
offset 8:Header Checksum
offset 9-N:Payload Data, Maximum size is 65,525 bytes
- offset 9,HID offset 11;Start of message MSB (Control 0x40)
- offset 10,HID offset 12;Start of message LSB (Control 0x40)
- offset 11,HID offset 13;Message Length MSB
- offset 12,HID offset 14;Message Length LSB
- offset 13,HID offset 15;Message ID MSB
- offset 14,HID offset 16;Message ID LSB
- Parameter 1
- Parameter 2
- [...]
- Parameter N
Last byte:Payload Checksum

ATS软件中iAP2 Control session只显示offset 9-N;而iAP2 Link Packets over USB Bulk Pipe显示offset 0-N。
PowerSourceUpdate的消息ID是0xAE03。

3.2 常见Message ID
1)AUTH
AA表示Accessory Authentication
0xAA00:RequestAuthenticationCertificate
0xAA01:AuthenticationCertificate
0xAA02:RequestAuthenticationChallengeResponse
0xAA03:AuthenticationResponse
0xAA04:AuthenticationFailed
0xAA05:AuthenticationSucceeded

2)Identification
1D表示Identification
0x1D00:StartIdentification
0x1D01:IdentificationInformation
0x1D02:IdentificationAccepted
0x1D03:IdentificationRejected

3)HID over iAP2
0x6800:StartHID
0x6802:AccessoryHIDReport
0x6803:StopHID

4)iPod音频播放模式
DA表示Digital Audio
0xDA00:StartUSBDeviceModeAudio
0xDA01:USBDeviceModeAudioInformation
0xDA02:StopUSBDeviceModeAudio

5)媒体库访问
- 媒体库信息
0x4C00:StartMediaLibraryInformation
0x4C01:MediaLibraryInformation
0x4C02:StopMediaLibraryInformation

- 媒体库信息更新
0x4C03:StartMediaLibraryUpdates
0x4C04:MediaLibraryUpdate
0x4C05:StopMediaLibraryUpdates

- 媒体库播放命令
0x4C06:PlayMediaLibraryCurrentSelection
0x4C07:PlayMediaLibraryItems
0x4C08:PlayMediaLibraryCollection
0x4C09:PlayMediaLibrarySpecial

6)Now Playing - 显示正在播放歌曲的metadata信息
0x5000:StartNowPlayingUpdates
0x5001:NowPlayingUpdate
0x5002:StartNowPlayingUpdates

7)External Accessory Protocol
EA表示External Accessory
0xEA00:StartExternalAccessoryProtocolSession
0xEA01:StopExternalAccessoryProtocolSession
0xEA02:RequestAppLaunch

8)DOCS
MFi Accessory Interface Specification R18_NoRestriction.pdf
http://www.doc88.com/p-9813111381853.html

4 USB host抓包方法
4.1 sniff原理
binary格式路径:/dev/usbmonX
text格式路径:/sys/kernel/debug/usb/usbmon

获得usbmon的主设备号:cat /proc/devices
创建binary节点:
mknod /dev/usbmon0 c $major 0
mknod /dev/usbmon1 c $major 1
mknod /dev/usbmon2 c $major 2

Android ueventd进程根据uevent事件创建设备节点,其配置文件ueventd.rc不起实际作用,只是对创建的设备节点文件属性做设置。usbmon的子系统就是usbmon,而ueventd只处理了子系统usb并且在目录/dev/bus/usb下创建设备节点,为了使ueventd自动创建/dev/usbmonN节点,需要在ueventd中增加处理usbmon子系统。

4.2 usbmon tcpdump
1)mount -t debugfs none_debugs /sys/kernel/debug
2)cat /sys/kernel/debug/usb/devices - 确定usb的总线号
3)tcpdump -D
4)tcpdump -i usbmon1 -s 128 -w /data/usb_sniff.pcap &
5)killall tcpdump
6)wireshark工具打开usb_sniff.pcap
7)wireshark过滤:usb.src == "1.6.1" and usb.dst == "host" - 改到对应的USB bus_no.addr.ep_no

Intel APL (Gen9, A39X0) 8-port MPH xHCI
usbmon1: xHCI LS/FS/HS
usbmon2: xHCI SS

4.3 USB眼图差导致ATS解析报文异常
USB packet format: SYNC | PID | DATA | CRC | EOP
1) SYNC error: 32 bit, 15 pairs KJ, 2-bit K, PHY will lost the whole packet
2) PID error
3) CRC error

5 CarPlay
5.1 CarPlay USB控制传输
5.1.1 iPod和CarPlay模式切换
1)能力测试Control Transfer
- 0xC0 0x53 0x0000 0x0000 0x0004
- 返回0x00000001,表示支持Carplay

2)模式切换Control Transfer
bmRequestType = VENDOR|DIR_OUT = 0x40
bRequest = 0x51
wValue = 1
wIndex = 0
wLength = 0
- 请求失败(stall),iPhone维持在iPod模式,iPhone作为USB slave;控制iAP1/2数据走HID
- 成功表示iPhone已经切换到USB Host mode - Carplay;Cluster相关显示和GPS NMEA走iAP2,UI H264、audio LPCM、触摸事件走USB NCM,网络接口名字是usb0

5.1.2 充电电流设置
bmRequestType = 0x40
bRequest = 0x40
wValue = 0、100、500,USB suspend时额外吸收的电流,单位mA
wIndex = 500、1600,正常充电时额外吸收的电流,单位mA
wLength = 0

Apple charger utility
https://github.com/mkorenkov/ipad_charge/

5.2 CarPlay移植
1)移植Apple Bonjour,Bonjour是法语Hello的意思,实现multicast DNS的ZeroConf,Android 4.1开始自带,库名libdns_sd.so
2)移植CarPlay Plugin到Android
3)Carplay server端打开tcp_tw_recycle(socket方式可以设置SO_LINGER = 0),有可能会导致server端因为时间戳异常直接丢弃client发过来的SYN报文 - tcp_peer_is_proven(req, dst, true),导致client连接超时,可以使用命令netstat -s确认。特别是有多个client位于路由器NAT之后,虽然有多个client连接服务器,因为路由器要做SNAT转换,所以server只看到一个源IP地址,由于不同client机器的时间不同步,一个client的断开,可能会导致其它client无法连接,实际是不同client发送过来的SYN报文,因此server端一般不要使能tcp_tw_recycle选项。

5.3 NCM
netd setcfg command is used to bring up network (ifconfig usb0 up).

NTB-16: 64KB
NTB-32: 4GB
bRequest: GET_NTB_PARAMETERS
wValue: 0x0000
wLength: 28
gadget ncm_close(), host netif_carrier_off()
bRequest: NETWORK_CONNECTION
wValue: Disconnect
wLength: 0
bRequest: CONNECTION_SPEED_CHANGE
wValue: 0x0000
wLength: 8
gadget ncm_open(), host netif_carrier_on()
bRequest: NETWORK_CONNECTION
wValue: Connect
wLength: 0
Microchip USB7002 Hub发现其连接iPhone端的NCM2设备处于SUSPEND时(J状态),就周期性监控D-线,一旦其电压升至1.3V时,1.3V是瞬时反射电压,即表示iPhone host断开了。

5.4 iPhone USB storage
iAP2 EA inteface-0, alt-0 and inteface-0, alt-1. alt-1 is for iPhone BOT device.

6 Wireless CarPlay
6.1 WiFi P2P
AGO (Autonomous Group Owner) as AP, another device as P2P client (STA).
P2P Probe Request
DA/SA/BSSID: DA = FF:FF:FF:FF:FF:FF or target P2P Device Address, BSSID = FF:FF:FF:FF:FF:FF

6.2 Role
Head Unit: WiFi AP
iPhone: WiFi STA

6.3 information Element
IEEE802.11 Interworking IE
Apple Device IE

6.4 QoS
Refer to IEEE 802.1p.
AC_VO
AC_VI

7 Abbreviations
AFE:USB PHY Analog Front-end
ATS:Accessory Test System
BYOD:bring-your-own-device,CarPlay和Android Auto就属于BYOD
Chime Module:汽车提示音输出模块
DAD:IPv6 Duplicate Address Detection
dirana:di rei nə
EAK: iAP2 Extended Acknowledge
ESS ES8380:Electronic Speech Systems
FTDI_SIO:FTDI Serial Input/Output
HiCar:HUAWEI intelligence Car
HUB3CV:USB 3 Hub Command Verifier Ver. 2.1.12.1
iAP1:iPod Accessory Protocol,适配30pin
iAP2:适配Lightning
IDB-1394: Intelligent Transportation System Data Bus 1394 for Automotive, released before 2010
IDPS:Identify Device Preferences and Settings
iUI:iPod USB Interface,配置2,车机用该接口播放音乐,提供HID接口走iAP协议
suspendM:UTMI suspend Macrocell
USB BH reset:Bigger Hammer or Brad Hosler,表示warm reset;you may be confused why the USB 3.0 spec calls the same type of reset "warm reset" in some places and "BH reset" in other places. "BH" reset is supposed to stand for "Big Hammer" reset, but it also stands for "Brad Hosler". Brad died shortly after the USB 3.0 bus specification was started, and they decided to name the reset after him. The suggestion was made shortly before the spec was finalized, so the wording is a bit inconsistent
WiFi AGO: Autonomous Group Owner, AGO means P2P, for CarPlay
xECP:xHCI Extended Capabilities Pointer
XMOS: ex-INMOS. represented both the International founding of the company as well as the basis for VLSI components: n-channel MOS, or NMOS technology. Thus, it became known as International MOS or INMOS