From d463a53f0408190ccbfc37f97de582bf777a4991 Mon Sep 17 00:00:00 2001
From: Ylarod <me@ylarod.cn>
Date: Sat, 30 Aug 2025 05:19:25 +0800
Subject: [PATCH] feat: support launch app at ios17- (#23)

* feat: support launch app at ios17-

* cargo fmt

* clippy
---
 idevice/src/services/dvt/mod.rs | 66 ++++++++++++++++++++++++++++++-
 tools/src/process_control.rs    | 70 ++++++++++++++++++++++++++-------
 2 files changed, 121 insertions(+), 15 deletions(-)

diff --git a/idevice/src/services/dvt/mod.rs b/idevice/src/services/dvt/mod.rs
index 90a3bab..d7db667 100644
--- a/idevice/src/services/dvt/mod.rs
+++ b/idevice/src/services/dvt/mod.rs
@@ -1,6 +1,8 @@
 // Jackson Coxson
 
-use crate::{IdeviceError, ReadWrite, RsdService, obf};
+use crate::provider::IdeviceProvider;
+use crate::services::lockdown::LockdownClient;
+use crate::{Idevice, IdeviceError, ReadWrite, RsdService, obf};
 
 #[cfg(feature = "location_simulation")]
 pub mod location_simulation;
@@ -17,3 +19,65 @@ impl RsdService for remote_server::RemoteServerClient<Box<dyn ReadWrite>> {
         Ok(Self::new(stream))
     }
 }
+
+// iOS version support notes:
+// - com.apple.instruments.dtservicehub (RSD/XPC over HTTP2) is used on iOS 17+.
+// - com.apple.instruments.remoteserver is available on pre-iOS 17 (and many older versions).
+// - com.apple.instruments.remoteserver.DVTSecureSocketProxy is used by some iOS 14 builds.
+//
+// This impl enables Lockdown-based connection to Instruments Remote Server for iOS < 17
+// by reusing the same RemoteServerClient but sourcing the transport from StartService.
+impl crate::IdeviceService for remote_server::RemoteServerClient<Box<dyn ReadWrite>> {
+    fn service_name() -> std::borrow::Cow<'static, str> {
+        // Primary name for Instruments Remote Server
+        obf!("com.apple.instruments.remoteserver")
+    }
+
+    #[allow(async_fn_in_trait)]
+    async fn connect(provider: &dyn IdeviceProvider) -> Result<Self, IdeviceError> {
+        // Establish Lockdown session
+        let mut lockdown = LockdownClient::connect(provider).await?;
+        lockdown
+            .start_session(&provider.get_pairing_file().await?)
+            .await?;
+
+        // Try main Instruments service first, then DVTSecureSocketProxy (seen on iOS 14)
+        let try_names = [
+            obf!("com.apple.instruments.remoteserver"),
+            obf!("com.apple.instruments.remoteserver.DVTSecureSocketProxy"),
+        ];
+
+        let mut last_err: Option<IdeviceError> = None;
+        for name in try_names {
+            match lockdown.start_service(name).await {
+                Ok((port, ssl)) => {
+                    let mut idevice = provider.connect(port).await?;
+                    if ssl {
+                        idevice
+                            .start_session(&provider.get_pairing_file().await?)
+                            .await?;
+                    }
+                    // Convert to transport and build client
+                    let socket = idevice
+                        .get_socket()
+                        .ok_or(IdeviceError::NoEstablishedConnection)?;
+                    return Ok(remote_server::RemoteServerClient::new(socket));
+                }
+                Err(e) => {
+                    last_err = Some(e);
+                }
+            }
+        }
+
+        Err(last_err.unwrap_or(IdeviceError::ServiceNotFound))
+    }
+
+    #[allow(async_fn_in_trait)]
+    async fn from_stream(idevice: Idevice) -> Result<Self, IdeviceError> {
+        // Not used in our overridden connect path, but implemented for completeness
+        let socket = idevice
+            .get_socket()
+            .ok_or(IdeviceError::NoEstablishedConnection)?;
+        Ok(remote_server::RemoteServerClient::new(socket))
+    }
+}
diff --git a/tools/src/process_control.rs b/tools/src/process_control.rs
index e74b4e9..eebe59f 100644
--- a/tools/src/process_control.rs
+++ b/tools/src/process_control.rs
@@ -1,6 +1,7 @@
 // Jackson Coxson
 
 use clap::{Arg, Command};
+use idevice::services::lockdown::LockdownClient;
 use idevice::{IdeviceService, RsdService, core_device_proxy::CoreDeviceProxy, rsd::RsdHandshake};
 
 mod common;
@@ -71,29 +72,70 @@ async fn main() {
             }
         };
 
-    let proxy = CoreDeviceProxy::connect(&*provider)
+    let mut rs_client_opt: Option<
+        idevice::dvt::remote_server::RemoteServerClient<Box<dyn idevice::ReadWrite>>,
+    > = None;
+
+    if let Ok(proxy) = CoreDeviceProxy::connect(&*provider).await {
+        let rsd_port = proxy.handshake.server_rsd_port;
+        let adapter = proxy.create_software_tunnel().expect("no software tunnel");
+        let mut adapter = adapter.to_async_handle();
+        let stream = adapter.connect(rsd_port).await.expect("no RSD connect");
+
+        // Make the connection to RemoteXPC (iOS 17+)
+        let mut handshake = RsdHandshake::new(stream).await.unwrap();
+        let mut rs_client = idevice::dvt::remote_server::RemoteServerClient::connect_rsd(
+            &mut adapter,
+            &mut handshake,
+        )
         .await
-        .expect("no core proxy");
-    let rsd_port = proxy.handshake.server_rsd_port;
+        .expect("no connect");
+        rs_client.read_message(0).await.expect("no read??");
+        rs_client_opt = Some(rs_client);
+    }
 
-    let adapter = proxy.create_software_tunnel().expect("no software tunnel");
-    let mut adapter = adapter.to_async_handle();
-    let stream = adapter.connect(rsd_port).await.expect("no RSD connect");
-
-    // Make the connection to RemoteXPC
-    let mut handshake = RsdHandshake::new(stream).await.unwrap();
-
-    let mut rs_client =
-        idevice::dvt::remote_server::RemoteServerClient::connect_rsd(&mut adapter, &mut handshake)
+    let mut rs_client = if let Some(c) = rs_client_opt {
+        c
+    } else {
+        // Read iOS version to decide whether we can fallback to remoteserver
+        let mut lockdown = LockdownClient::connect(&*provider)
             .await
-            .expect("no connect");
+            .expect("lockdown connect failed");
+        lockdown
+            .start_session(&provider.get_pairing_file().await.expect("pairing file"))
+            .await
+            .expect("lockdown start_session failed");
+        let pv = lockdown
+            .get_value(Some("ProductVersion"), None)
+            .await
+            .ok()
+            .and_then(|v| v.as_string().map(|s| s.to_string()))
+            .unwrap_or_default();
+        let major: u32 = pv
+            .split('.')
+            .next()
+            .and_then(|s| s.parse().ok())
+            .unwrap_or(0);
+
+        if major >= 17 {
+            // iOS 17+ with no CoreDeviceProxy: do not attempt remoteserver (would return InvalidService)
+            panic!("iOS {pv} detected and CoreDeviceProxy unavailable. RemoteXPC tunnel required.");
+        }
+
+        // iOS 16 and earlier: fallback to Lockdown remoteserver (or DVTSecureSocketProxy)
+        idevice::dvt::remote_server::RemoteServerClient::connect(&*provider)
+            .await
+            .expect("failed to connect to Instruments Remote Server over Lockdown (iOS16-). Ensure Developer Disk Image is mounted.")
+    };
+
+    // Note: On both transports, protocol requires reading the initial message on root channel (0)
     rs_client.read_message(0).await.expect("no read??");
     let mut pc_client = idevice::dvt::process_control::ProcessControlClient::new(&mut rs_client)
         .await
         .unwrap();
 
     let pid = pc_client
-        .launch_app(bundle_id, None, None, true, false)
+        .launch_app(bundle_id, None, None, false, false)
         .await
         .expect("no launch??");
     pc_client