Connecting to a device¶
These are the entry points for obtaining a service provider — the object every service is built on top of.
Lockdown (USB / network)¶
pymobiledevice3.lockdown.create_using_usbmux
async
¶
create_using_usbmux(serial: Optional[str] = None, identifier: Optional[str] = None, label: str = DEFAULT_LABEL, autopair: bool = True, connection_type: Optional[str] = None, pair_timeout: Optional[float] = None, local_hostname: Optional[str] = None, pair_record: Optional[dict] = None, pairing_records_cache_folder: Optional[Path] = None, port: int = SERVICE_PORT, usbmux_address: Optional[str] = None) -> UsbmuxLockdownClient
Connect to a device over usbmuxd and return a ready-to-use lockdown client.
Opens a lockdownd connection through usbmuxd, queries the device's values, and (when autopair is set)
validates an existing pairing or performs a new one. Returns a PlistUsbmuxLockdownClient when the
connected usbmuxd speaks the plist protocol, otherwise a UsbmuxLockdownClient. The connection is
closed automatically if setup fails.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
serial
|
Optional[str]
|
usbmux serial of the target device, or |
None
|
identifier
|
Optional[str]
|
Device identifier used to locate the matching pair record; defaults to the device's serial reported by usbmuxd. |
None
|
label
|
str
|
User-agent label included in every request sent to lockdownd. |
DEFAULT_LABEL
|
autopair
|
bool
|
When True, pair with the device (blocking) if it is not already paired. |
True
|
connection_type
|
Optional[str]
|
Restrict to a specific usbmux connection type ( |
None
|
pair_timeout
|
Optional[float]
|
Maximum time in seconds to wait for the user to accept the pairing dialog. |
None
|
local_hostname
|
Optional[str]
|
Seed used to generate the HostID. |
None
|
pair_record
|
Optional[dict]
|
A pre-loaded pair record to use instead of looking one up. |
None
|
pairing_records_cache_folder
|
Optional[Path]
|
Directory used to search for and persist pair records. |
None
|
port
|
int
|
TCP port of the lockdownd service on the device. |
SERVICE_PORT
|
usbmux_address
|
Optional[str]
|
Address of the usbmuxd socket to use, or |
None
|
Returns:
| Type | Description |
|---|---|
UsbmuxLockdownClient
|
A connected usbmux lockdown client. |
Source code in pymobiledevice3/lockdown.py
1335 1336 1337 1338 1339 1340 1341 1342 1343 1344 1345 1346 1347 1348 1349 1350 1351 1352 1353 1354 1355 1356 1357 1358 1359 1360 1361 1362 1363 1364 1365 1366 1367 1368 1369 1370 1371 1372 1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 1385 1386 1387 1388 1389 1390 1391 1392 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 | |
pymobiledevice3.lockdown.LockdownClient ¶
Bases: ABC, LockdownServiceProvider
Client for the device's lockdownd daemon.
lockdownd is the entry-point daemon on an iOS device: it reports device values, manages host pairing,
and starts the other on-device services. This abstract base implements the lockdown protocol (querying
and setting values, pairing, session establishment with optional SSL, and starting named services);
concrete subclasses supply the transport-specific way to open a connection by overriding
create_service_connection.
Do not instantiate directly. Obtain an instance from a create_using_* factory
(create_using_usbmux, create_using_tcp, create_using_remote) or from the
create classmethod. Instances are async context managers; on exit the underlying connection
is closed.
Source code in pymobiledevice3/lockdown.py
84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497 498 499 500 501 502 503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628 629 630 631 632 633 634 635 636 637 638 639 640 641 642 643 644 645 646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814 815 816 817 818 819 820 821 822 823 824 825 826 827 828 829 830 831 832 833 834 835 836 837 838 839 840 841 842 843 844 845 846 847 848 849 850 851 852 853 854 855 856 857 858 859 860 861 862 863 864 865 866 867 868 869 870 871 872 873 874 875 876 877 878 879 880 881 882 883 884 885 886 887 888 889 890 891 892 893 894 895 896 897 898 899 900 901 902 903 904 905 906 907 908 909 910 911 912 913 914 915 916 917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 939 940 941 942 943 944 945 946 947 948 949 950 951 952 953 954 955 956 957 958 959 960 961 962 963 964 965 966 967 968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004 1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044 1045 1046 1047 1048 1049 1050 1051 1052 1053 1054 1055 1056 1057 1058 1059 1060 1061 1062 1063 1064 1065 1066 1067 1068 1069 1070 1071 1072 1073 1074 1075 1076 1077 1078 1079 1080 1081 1082 1083 1084 1085 1086 1087 1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099 1100 1101 1102 1103 1104 1105 1106 1107 1108 1109 1110 1111 1112 1113 1114 1115 | |
product_version
property
¶
The device's iOS/OS version (ProductVersion), e.g. "17.0".
Returns:
| Type | Description |
|---|---|
str
|
The product version, or |
product_build_version
property
¶
The device's OS build version (BuildVersion), e.g. "21A329".
Returns:
| Type | Description |
|---|---|
str
|
The build version, or |
device_class
property
¶
The device family (iPhone, iPad, Watch, ...) derived from the reported DeviceClass value.
Returns:
| Type | Description |
|---|---|
DeviceClass
|
The matching |
wifi_mac_address
property
¶
The device's Wi-Fi MAC address (WiFiAddress).
Returns:
| Type | Description |
|---|---|
str
|
The Wi-Fi MAC address, or |
short_info
property
¶
A compact subset of the device's values, suitable for listing devices.
Returns:
| Type | Description |
|---|---|
dict
|
A dict containing |
ecid
property
¶
The device's ECID (unique chip identifier), taken from the reported UniqueChipID value.
Returns:
| Type | Description |
|---|---|
int
|
The ECID as an integer. |
Raises:
| Type | Description |
|---|---|
KeyError
|
The device did not report a |
preflight_info
property
¶
The device's PreflightInfo value.
Returns:
| Type | Description |
|---|---|
dict
|
The preflight info dict, or |
firmware_preflight_info
property
¶
The device's FirmwarePreflightInfo value.
Returns:
| Type | Description |
|---|---|
dict
|
The firmware preflight info dict, or |
display_name
property
¶
The human-readable marketing name for the device, resolved from its product type.
Looks the device's ProductType up in the built-in device table.
Returns:
| Type | Description |
|---|---|
Optional[str]
|
The display name, or |
hardware_model
property
¶
The hardware model (e.g. board identifier) for the device, resolved from its product type.
Looks the device's ProductType up in the built-in device table.
Returns:
| Type | Description |
|---|---|
Optional[str]
|
The hardware model, or |
board_id
property
¶
The board ID for the device, resolved from its product type.
Looks the device's ProductType up in the built-in device table.
Returns:
| Type | Description |
|---|---|
Optional[int]
|
The board ID, or |
chip_id
property
¶
The chip ID for the device, resolved from its product type.
Looks the device's ProductType up in the built-in device table.
Returns:
| Type | Description |
|---|---|
Optional[int]
|
The chip ID, or |
create
async
classmethod
¶
create(service: ServiceConnection, identifier: Optional[str] = None, system_buid: str = SYSTEM_BUID, label: str = DEFAULT_LABEL, autopair: bool = True, pair_timeout: Optional[float] = None, local_hostname: Optional[str] = None, pair_record: Optional[dict] = None, pairing_records_cache_folder: Optional[Path] = None, port: int = SERVICE_PORT, private_key: Optional[RSAPrivateKey] = None, **cls_specific_args)
Build a client around an existing service connection, initialize it and optionally pair.
Generates a HostID, resolves the pairing-records cache folder, constructs the client, queries the
device's values, and (when autopair is set) validates an existing pairing or performs a new one.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
service
|
ServiceConnection
|
An already-established lockdownd connection. |
required |
identifier
|
Optional[str]
|
Device identifier (typically its UDID) used to locate the matching pair record. |
None
|
system_buid
|
str
|
The host's SystemBUID, included when starting a session. |
SYSTEM_BUID
|
label
|
str
|
User-agent label included in every request sent to lockdownd. |
DEFAULT_LABEL
|
autopair
|
bool
|
When True, pair with the device (blocking) if it is not already paired. |
True
|
pair_timeout
|
Optional[float]
|
Maximum time in seconds to wait for the user to accept the pairing dialog. A
value of 0 fails immediately if the dialog is pending; |
None
|
local_hostname
|
Optional[str]
|
Seed used to generate the HostID. |
None
|
pair_record
|
Optional[dict]
|
A pre-loaded pair record to use instead of looking one up on the host. |
None
|
pairing_records_cache_folder
|
Optional[Path]
|
Directory used to search for and persist pair records. |
None
|
port
|
int
|
TCP port of the lockdownd service on the device. |
SERVICE_PORT
|
private_key
|
Optional[RSAPrivateKey]
|
RSA private key to use when generating the pairing certificate chain; a new key is generated if omitted. |
None
|
cls_specific_args
|
Extra keyword arguments forwarded to the concrete client's constructor. |
{}
|
Returns:
| Type | Description |
|---|---|
|
A connected, initialized client instance. |
Raises:
| Type | Description |
|---|---|
IncorrectModeError
|
The connected daemon is not lockdownd. |
FatalPairingError
|
Pairing succeeded but the subsequent validation failed. |
Source code in pymobiledevice3/lockdown.py
query_type
async
¶
Query the type of the daemon at the other end of the connection.
Sends a QueryType request; for a real lockdownd connection this returns
"com.apple.mobile.lockdown".
Returns:
| Type | Description |
|---|---|
str
|
The reported daemon type string. |
Source code in pymobiledevice3/lockdown.py
set_language
async
¶
Set the device's language (Language key in the com.apple.international domain).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
language
|
str
|
The language code to set (e.g. |
required |
Source code in pymobiledevice3/lockdown.py
get_language
async
¶
Get the device's language (Language key in the com.apple.international domain).
Returns:
| Type | Description |
|---|---|
str
|
The language code, or an empty string when the value is missing or not a string. |
Source code in pymobiledevice3/lockdown.py
set_locale
async
¶
Set the device's locale (Locale key in the com.apple.international domain).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
locale
|
str
|
The locale string to set (e.g. |
required |
Source code in pymobiledevice3/lockdown.py
get_locale
async
¶
Get the device's locale (Locale key in the com.apple.international domain).
Returns:
| Type | Description |
|---|---|
str
|
The locale string, or an empty string when the value is missing or not a string. |
Source code in pymobiledevice3/lockdown.py
set_timezone
async
¶
Set the device's time zone (TimeZone key, default domain).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
timezone
|
str
|
The time zone identifier to set (e.g. |
required |
Source code in pymobiledevice3/lockdown.py
set_uses24h_clock
async
¶
Set whether the device uses the 24-hour clock format (Uses24HourClock key, default domain).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
value
|
bool
|
True for 24-hour format, False for 12-hour format. |
required |
Source code in pymobiledevice3/lockdown.py
set_uses24hClock
async
¶
Alias of set_uses24h_clock.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
value
|
bool
|
True for 24-hour format, False for 12-hour format. |
required |
set_assistive_touch
async
¶
Enable or disable AssistiveTouch (AssistiveTouchEnabledByiTunes key in the
com.apple.Accessibility domain).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
value
|
bool
|
True to enable AssistiveTouch, False to disable it. |
required |
Source code in pymobiledevice3/lockdown.py
get_assistive_touch
async
¶
Get whether AssistiveTouch is enabled (AssistiveTouchEnabledByiTunes key in the
com.apple.Accessibility domain).
Returns:
| Type | Description |
|---|---|
bool
|
True if AssistiveTouch is enabled, False otherwise. |
Source code in pymobiledevice3/lockdown.py
set_voice_over
async
¶
Enable or disable VoiceOver (VoiceOverTouchEnabledByiTunes key in the
com.apple.Accessibility domain).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
value
|
bool
|
True to enable VoiceOver, False to disable it. |
required |
Source code in pymobiledevice3/lockdown.py
get_voice_over
async
¶
Get whether VoiceOver is enabled (VoiceOverTouchEnabledByiTunes key in the
com.apple.Accessibility domain).
Returns:
| Type | Description |
|---|---|
bool
|
True if VoiceOver is enabled, False otherwise. |
Source code in pymobiledevice3/lockdown.py
set_invert_display
async
¶
Enable or disable display color inversion (InvertDisplayEnabledByiTunes key in the
com.apple.Accessibility domain).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
value
|
bool
|
True to enable display inversion, False to disable it. |
required |
Source code in pymobiledevice3/lockdown.py
get_invert_display
async
¶
Get whether display color inversion is enabled (InvertDisplayEnabledByiTunes key in the
com.apple.Accessibility domain).
Returns:
| Type | Description |
|---|---|
bool
|
True if display inversion is enabled, False otherwise. |
Source code in pymobiledevice3/lockdown.py
set_enable_wifi_connections
async
¶
Enable or disable Wi-Fi (wireless) lockdown connections to the device
(EnableWifiConnections key in the com.apple.mobile.wireless_lockdown domain).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
value
|
bool
|
True to allow connecting to the device over Wi-Fi, False to disallow it. |
required |
Source code in pymobiledevice3/lockdown.py
get_enable_wifi_connections
async
¶
Get whether Wi-Fi (wireless) lockdown connections are enabled (EnableWifiConnections key in the
com.apple.mobile.wireless_lockdown domain).
Returns:
| Type | Description |
|---|---|
bool
|
True if Wi-Fi connections are enabled, False otherwise. |
Source code in pymobiledevice3/lockdown.py
get_developer_mode_status
async
¶
Get whether Developer Mode is enabled on the device (DeveloperModeStatus key in the
com.apple.security.mac.amfi domain).
Returns:
| Type | Description |
|---|---|
bool
|
True if Developer Mode is enabled, False otherwise. |
Source code in pymobiledevice3/lockdown.py
get_date
async
¶
Get the device's current date and time.
Reads the device's TimeIntervalSince1970 value and converts it to a local
datetime. Falls back to the Unix epoch when the value is missing.
Returns:
| Type | Description |
|---|---|
datetime
|
The device's current date and time. |
Source code in pymobiledevice3/lockdown.py
enter_recovery
async
¶
Request that the device reboot into recovery mode.
Sends an EnterRecovery request to lockdownd.
Returns:
| Type | Description |
|---|---|
|
The lockdownd response to the request. |
Source code in pymobiledevice3/lockdown.py
stop_session
async
¶
Stop the current lockdownd session.
Sends a StopSession request for the active session and clears the local session id.
Returns:
| Type | Description |
|---|---|
dict
|
The lockdownd response to the request. |
Raises:
| Type | Description |
|---|---|
CannotStopSessionError
|
There is no active session, or lockdownd did not report success. |
Source code in pymobiledevice3/lockdown.py
validate_pairing
async
¶
Validate the existing pairing and establish a session with the device.
Loads a pair record if one is not already set, validates it (using the legacy ValidatePair
request for devices older than iOS 7), starts a session and, when the device requests it, upgrades
the connection to SSL. On success, marks the client paired and reloads the device's values. If the
pair record turns out to be missing or rejected on-device, the connection is re-established and the
method returns False.
Returns:
| Type | Description |
|---|---|
bool
|
True if pairing was validated and a session established; False otherwise (e.g. no pair record, an invalid host id, or an on-device pairing that was removed). |
Source code in pymobiledevice3/lockdown.py
pair
async
¶
Pair this host with the device.
Retrieves the device's public key, generates a host key and certificate chain, builds a pair record
and sends a Pair request. On success the pair record (including any returned escrow bag) is saved
to the cache folder and the client is marked paired. Pairing requires the user to accept the on-device
trust dialog.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
timeout
|
Optional[float]
|
Maximum time in seconds to wait for the user to accept the pairing dialog. A value of
0 fails immediately if the dialog is pending; |
None
|
private_key
|
Optional[RSAPrivateKey]
|
RSA private key to use when generating the pairing certificate chain; a new key is generated if omitted. |
None
|
Raises:
| Type | Description |
|---|---|
PairingError
|
The device public key could not be retrieved. |
PairingDialogResponsePendingError
|
The user did not accept the pairing dialog in time. |
UserDeniedPairingError
|
The user declined the pairing request. |
Source code in pymobiledevice3/lockdown.py
pair_supervised
async
¶
Pair this host with a supervised device using a supervision identity.
Loads the supervisor private key and certificate from keybag_file and performs the supervised
pairing flow: it sends an initial Pair request carrying the supervisor certificate and, if the
device responds with an MCChallengeRequired challenge, signs the challenge (PKCS#7) and sends a
second request with the challenge response. On success the pair record (including any returned escrow
bag) is saved and the client is marked paired. Because supervision authorizes the host, this does not
require the user to accept an on-device dialog.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
keybag_file
|
Path
|
Path to a PEM file containing both the supervisor private key and certificate. |
required |
timeout
|
Optional[float]
|
Maximum time in seconds to wait for each pairing request; |
None
|
Raises:
| Type | Description |
|---|---|
PairingError
|
The device public key could not be retrieved. |
Source code in pymobiledevice3/lockdown.py
673 674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712 713 714 715 716 717 718 719 720 721 722 723 724 725 726 727 728 729 730 731 732 733 734 735 736 737 738 739 740 741 742 743 744 745 746 747 748 749 | |
unpair
async
¶
Remove a pairing from the device.
Sends an Unpair request. With no host_id the current pair record is unpaired; otherwise the
pairing identified by host_id is removed.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
host_id
|
Optional[str]
|
HostID of the pairing to remove; defaults to the current pair record. |
None
|
Source code in pymobiledevice3/lockdown.py
reset_pairing
async
¶
Reset all pairings on the device.
Sends a ResetPairing request with FullReset set, clearing the device's pairing state.
Returns:
| Type | Description |
|---|---|
|
The lockdownd response to the request. |
Source code in pymobiledevice3/lockdown.py
get_value
async
¶
Read a value from the device via a GetValue request.
With neither domain nor key given, returns the full values dict and also refreshes the cached
all_values. Otherwise narrows the lookup to the given domain and/or key. Binary blobs are
returned as their raw bytes.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
domain
|
Optional[str]
|
Domain to read from, or |
None
|
key
|
Optional[str]
|
Specific key to read, or |
None
|
Returns:
| Type | Description |
|---|---|
|
The requested value, or |
Source code in pymobiledevice3/lockdown.py
remove_value
async
¶
Remove a value on the device via a RemoveValue request.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
domain
|
Optional[str]
|
Domain to remove from, or |
None
|
key
|
Optional[str]
|
Specific key to remove, or |
None
|
Returns:
| Type | Description |
|---|---|
dict
|
The lockdownd response to the request. |
Source code in pymobiledevice3/lockdown.py
set_value
async
¶
Write a value to the device via a SetValue request.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
value
|
The value to write. |
required | |
domain
|
Optional[str]
|
Domain to write to, or |
None
|
key
|
Optional[str]
|
Specific key to write, or |
None
|
Returns:
| Type | Description |
|---|---|
dict
|
The lockdownd response to the request. |
Source code in pymobiledevice3/lockdown.py
get_service_connection_attributes
async
¶
Ask lockdownd to start a named service and return its connection attributes.
Sends a StartService request for the given service. The returned dict includes the Port to
connect on and whether SSL must be enabled (EnableServiceSSL). Use start_lockdown_service
to also open the connection.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
name
|
str
|
The lockdownd service name to start (e.g. |
required |
include_escrow_bag
|
bool
|
When True, include the pair record's escrow bag in the request (required by some services to operate while the device is locked). |
False
|
Returns:
| Type | Description |
|---|---|
dict
|
The service connection attributes (including |
Raises:
| Type | Description |
|---|---|
NotPairedError
|
The client is not paired with the device. |
PasswordRequiredError
|
The device is passcode-protected and must be unlocked first. |
StartServiceError
|
lockdownd refused to start the service. |
Source code in pymobiledevice3/lockdown.py
start_lockdown_service
async
¶
Start a named lockdownd service and open a connection to it.
Asks lockdownd to start the service (see get_service_connection_attributes), opens a new
connection to the reported port, and upgrades it to SSL when the service requires it.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
name
|
str
|
The lockdownd service name to start (e.g. |
required |
include_escrow_bag
|
bool
|
When True, include the pair record's escrow bag in the start request (required by some services to operate while the device is locked). |
False
|
Returns:
| Type | Description |
|---|---|
ServiceConnection
|
A connected |
Raises:
| Type | Description |
|---|---|
NotPairedError
|
The client is not paired with the device. |
PasswordRequiredError
|
The device is passcode-protected and must be unlocked first. |
StartServiceError
|
lockdownd refused to start the service. |
Source code in pymobiledevice3/lockdown.py
close
async
¶
Close the underlying lockdownd connection.
Called automatically when the client is used as an async context manager.
ssl_file ¶
Yield a temporary file holding the host certificate and private key for SSL handshakes.
Writes the pair record's host certificate and private key (PEM) to a temporary file for the duration
of the with block and deletes it on exit, even if an exception is raised.
:yield: Path to the temporary PEM file containing the host certificate followed by its private key.
Source code in pymobiledevice3/lockdown.py
create_service_connection
abstractmethod
async
¶
Open a new connection to the device on the given port.
Abstract: each concrete client implements this for its transport (usbmux, TCP, ...). Used to open service connections and to re-establish the lockdownd connection after it drops.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
port
|
int
|
The device-side port to connect to. |
required |
Returns:
| Type | Description |
|---|---|
ServiceConnection
|
A connected |
Source code in pymobiledevice3/lockdown.py
fetch_pair_record
async
¶
Load the preferred pair record for this device into pair_record.
Looks up the record matching identifier in the cache folder (and other known locations). Does
nothing if identifier is not set.
Source code in pymobiledevice3/lockdown.py
save_pair_record
async
¶
Persist the current pair record to the cache folder.
Writes pair_record as a plist named <identifier>.plist in the pairing-records cache folder.
When running under sudo, the file's ownership is handed back to the invoking user so a later
unprivileged run can rewrite it.
Source code in pymobiledevice3/lockdown.py
areestablish_connection
async
¶
Re-establish the lockdownd connection after it has dropped.
Closes the current connection, clears the session, opens a fresh connection on port, and
re-validates pairing if a pair record is present. Called internally to recover from connection
errors mid-request.
Source code in pymobiledevice3/lockdown.py
pymobiledevice3.lockdown.UsbmuxLockdownClient ¶
Bases: LockdownClient
Lockdown client that reaches the device through a usbmuxd connection (USB or network).
Obtain an instance from create_using_usbmux. Service connections are opened through usbmuxd via
create_using_usbmux.
Source code in pymobiledevice3/lockdown.py
1118 1119 1120 1121 1122 1123 1124 1125 1126 1127 1128 1129 1130 1131 1132 1133 1134 1135 1136 1137 1138 1139 1140 1141 1142 1143 1144 1145 1146 1147 1148 1149 1150 1151 1152 1153 1154 1155 1156 1157 1158 1159 1160 1161 1162 1163 1164 1165 1166 1167 1168 1169 1170 1171 1172 1173 1174 1175 1176 1177 1178 1179 1180 1181 1182 1183 1184 1185 1186 1187 | |
short_info
property
¶
A compact subset of the device's values, plus the usbmux connection type.
Returns:
| Type | Description |
|---|---|
dict
|
The base |
fetch_pair_record
async
¶
Load the preferred pair record for this device into pair_record.
Like fetch_pair_record, but also consults usbmuxd (at
usbmux_address) as a source of pair records. Does nothing if identifier is not set.
Source code in pymobiledevice3/lockdown.py
create_service_connection
async
¶
Open a new connection to the device on the given port through usbmuxd.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
port
|
int
|
The device-side port to connect to. |
required |
Returns:
| Type | Description |
|---|---|
ServiceConnection
|
A connected |
Source code in pymobiledevice3/lockdown.py
RemoteServiceDiscovery (iOS 17+ tunnel)¶
pymobiledevice3.remote.remote_service_discovery.RemoteServiceDiscoveryService ¶
Bases: LockdownServiceProvider
Service provider for the iOS 17+ RemoteServiceDiscovery (RSD) endpoint exposed over a tunnel.
On modern devices, services are no longer started through lockdownd's StartService RPC.
Instead a RemoteXPC handshake against the RSD port yields peer_info describing every
available service and the TCP port it listens on. This class connects to that endpoint,
discovers those services, and acts as a
LockdownServiceProvider, letting callers
open both RemoteXPC and lockdown-style service connections.
The RSD address is only reachable over an active tunnel (a kernel-routable interface or an
in-process userspace tunnel; see is_in_process_tunnel). Instances may be used as async
context managers, which connect on entry and close on exit.
Attributes:
| Name | Type | Description |
|---|---|---|
service |
the underlying RemoteXPC connection to the RSD endpoint. |
|
peer_info |
Optional[dict]
|
handshake response describing device properties and available services;
populated by |
lockdown |
Optional[LockdownClient]
|
lockdown client created over the remote endpoint, or |
Source code in pymobiledevice3/remote/remote_service_discovery.py
35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 | |
is_in_process_tunnel
property
¶
True when this RSD reaches the device through an in-process dialer (the userspace
tunnel) rather than a kernel-routable interface. The device address (self.service.address)
is then only reachable from THIS process, so it must not be handed to external tools such as
lldb as a connect endpoint.
product_version
property
¶
Device OS version, taken from the RSD handshake peer_info.
product_build_version
property
¶
Device OS build string, taken from the RSD handshake peer_info.
ecid
property
¶
Device ECID (unique chip identifier), taken from the RSD handshake peer_info.
connect
async
¶
Connect to the RSD endpoint and perform the RemoteXPC handshake.
Populates peer_info, udid, and product_type from the handshake, then
attempts to open a remote lockdown connection (preferring the trusted variant, falling back
to the untrusted one). If neither is available the device is treated as offering no lockdown
service and lockdown is left None. On any failure the connection is closed.
Raises:
| Type | Description |
|---|---|
Exception
|
re-raises after closing if the handshake or connection fails. |
Source code in pymobiledevice3/remote/remote_service_discovery.py
start_lockdown_service_without_checkin
async
¶
Open a raw connection to a service's port without performing the RSD check-in handshake.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
name
|
str
|
name of the service to connect to. |
required |
Returns:
| Type | Description |
|---|---|
ServiceConnection
|
an unstarted connection to the service's port. |
Raises:
| Type | Description |
|---|---|
InvalidServiceError
|
if the device does not offer a service with this name. |
Source code in pymobiledevice3/remote/remote_service_discovery.py
get_service_connection_attributes
async
¶
Return the connection attributes for a service.
Unlike lockdownd, RSD services are discovered from peer_info and need no StartService
RPC, so this resolves the port locally and reports SSL as disabled.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
name
|
str
|
name of the service. |
required |
include_escrow_bag
|
bool
|
accepted for interface compatibility; ignored. |
False
|
Returns:
| Type | Description |
|---|---|
dict
|
a dict with the service |
Raises:
| Type | Description |
|---|---|
InvalidServiceError
|
if the device does not offer a service with this name. |
Source code in pymobiledevice3/remote/remote_service_discovery.py
create_service_connection
async
¶
Create a TCP service connection to a port on the device through this RSD.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
port
|
int
|
device-side TCP port to connect to. |
required |
Returns:
| Type | Description |
|---|---|
ServiceConnection
|
a connection routed through this RSD's dialer. |
Source code in pymobiledevice3/remote/remote_service_discovery.py
start_lockdown_service
async
¶
Open a service connection and complete the RSD check-in handshake.
Connects to the service port, performs the RSDCheckin exchange (optionally attaching the
host escrow bag for unlock), and returns the started connection.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
name
|
str
|
name of the service to start. |
required |
include_escrow_bag
|
bool
|
when True, attach the local pairing record's escrow bag to the check-in, allowing the connection to unlock the device. |
False
|
Returns:
| Type | Description |
|---|---|
ServiceConnection
|
a started, checked-in service connection. |
Raises:
| Type | Description |
|---|---|
InvalidServiceError
|
if the device does not offer a service with this name. |
StartServiceError
|
if the device reports an error starting the service. |
PyMobileDevice3Exception
|
if the check-in handshake returns an unexpected response. |
Source code in pymobiledevice3/remote/remote_service_discovery.py
start_lockdown_developer_service
async
¶
Open a connection to a developer service (without RSD check-in).
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
name
|
name of the developer service. |
required | |
include_escrow_bag
|
bool
|
accepted for interface compatibility; ignored. |
False
|
Returns:
| Type | Description |
|---|---|
ServiceConnection
|
an unstarted connection to the service's port. |
Raises:
| Type | Description |
|---|---|
StartServiceError
|
if the service cannot be reached; logs a hint that the DeveloperDiskImage may need to be mounted. |
Source code in pymobiledevice3/remote/remote_service_discovery.py
start_remote_service ¶
Create (but do not connect) a RemoteXPC connection to a service.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
name
|
str
|
name of the service. |
required |
Returns:
| Type | Description |
|---|---|
RemoteXPCConnection
|
an unconnected RemoteXPC connection to the service's port. |
Raises:
| Type | Description |
|---|---|
InvalidServiceError
|
if the device does not offer a service with this name. |
Source code in pymobiledevice3/remote/remote_service_discovery.py
start_service
async
¶
Start a service using the transport it advertises in peer_info.
Services flagged with UsesRemoteXPC are opened as RemoteXPC connections via
start_remote_service; all others are opened as lockdown-style connections via
start_lockdown_service.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
name
|
str
|
name of the service to start. |
required |
Returns:
| Type | Description |
|---|---|
Union[RemoteXPCConnection, ServiceConnection]
|
a RemoteXPC connection or a started lockdown service connection, per the service's advertised transport. |
Raises:
| Type | Description |
|---|---|
InvalidServiceError
|
if the device does not offer a service with this name. |
Source code in pymobiledevice3/remote/remote_service_discovery.py
get_service_port ¶
Resolve the TCP port a service listens on from the RSD handshake peer_info.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
name
|
str
|
name of the service. |
required |
Returns:
| Type | Description |
|---|---|
int
|
the device-side TCP port for the service. |
Raises:
| Type | Description |
|---|---|
InvalidServiceError
|
if the device does not offer a service with this name. |
Source code in pymobiledevice3/remote/remote_service_discovery.py
close
async
¶
Close the lockdown client (if any) and the underlying RemoteXPC connection.
Userspace tunnel (no root)¶
The preferred way to obtain an iOS 17+ RSD from your own code: an in-process tunnel that needs no
root and no separate tunneld daemon.
pymobiledevice3.remote.userspace_tunnel.UserspaceRsdTunnel ¶
A no-root, in-process iOS 17+ RSD tunnel and its connected RSD, as one closeable handle.
Replaces the kernel utun (which needs root/admin) with a pure-Python PyTCP stack, so the
tunnel and every host-initiated developer service run as a normal user. Use it either way:
Async context manager (closes automatically)::
async with UserspaceRsdTunnel(serial=udid) as rsd:
... # rsd is a connected RemoteServiceDiscoveryService
Open / close handle::
tunnel = UserspaceRsdTunnel(serial=udid)
rsd = await tunnel.aopen()
try:
...
finally:
await tunnel.aclose()
serial selects the target device (None => first USB device); autopair sets up the
pairing on the fly if the device is not yet paired. Device selection (e.g. the CLI --udid /
PYMOBILEDEVICE3_UDID resolution) and the usbmux socket location (incl. a remote usbmuxd)
are resolved by the caller / usbmux layer, not here.
Constraints:
- One tunnel per process. PyTCP's stack is a process-global singleton; :meth:
aopenraises if a userspace tunnel is already active. Not re-entrant or thread-safe. - The device address is in-process only, reachable only from this process's userspace
stack — never by an external tool. The RSD reports this via
:attr:
RemoteServiceDiscoveryService.is_in_process_tunnel; don't hand its address to lldb.
Host-initiated developer services all work. Device-initiated inbound UDP (the AV media streams
behind display serve-web) also works: the receiver is bound on the PyTCP stack via
:class:UserspaceUdp and the stack address is advertised to the device, so its RTP terminates
on the userspace stack instead of an unreachable host kernel socket.
The tunnel provider is selected like remote start-tunnel but restricted to the root-free
paths (see :func:_create_no_root_tunnel_provider): CoreDeviceTunnelProxy over lockdown on
iOS 17.4+, falling back to RemotePairing over bonjour on iOS 17.0-17.3 / Wi-Fi.
Source code in pymobiledevice3/remote/userspace_tunnel.py
503 504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 553 554 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 586 587 588 589 590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 | |
aopen
async
¶
Establish the tunnel and return the connected RSD. Idempotent on this handle; raises
:class:PyMobileDevice3Exception if another userspace tunnel is already active.
Source code in pymobiledevice3/remote/userspace_tunnel.py
aclose
async
¶
Tear down the tunnel and its RSD, releasing every resource in LIFO order and restoring the kernel-tunnel factory default. Idempotent.
After this returns, no background thread remains blocked (closing the tun wakes the parked
reader), so the process can exit normally — embedders do NOT need :func:force_exit.
Source code in pymobiledevice3/remote/userspace_tunnel.py
pymobiledevice3.remote.userspace_tunnel.establish_userspace_rsd
async
¶
establish_userspace_rsd(serial: Optional[str] = None, autopair: bool = True) -> RemoteServiceDiscoveryService
CLI convenience: establish a userspace tunnel, keep it alive, and return its connected RSD.
Embedders should use :class:UserspaceRsdTunnel directly — it is a closeable handle / async
context manager. This wrapper exists for the CLI, which has no teardown hook: it stashes the
tunnel for the process lifetime and registers :func:force_exit so the CLI exits promptly at
the end without awaiting teardown (see :func:_register_clean_exit).
Source code in pymobiledevice3/remote/userspace_tunnel.py
tunneld discovery¶
pymobiledevice3.tunneld.api.get_tunneld_devices
async
¶
get_tunneld_devices(tunneld_address: tuple[str, int] = TUNNELD_DEFAULT_ADDRESS) -> list[RemoteServiceDiscoveryService]
Query a running tunneld instance over HTTP for all active tunnels and connect to each.
Parameters:
| Name | Type | Description | Default |
|---|---|---|---|
tunneld_address
|
tuple[str, int]
|
|
TUNNELD_DEFAULT_ADDRESS
|
Returns:
| Type | Description |
|---|---|
list[RemoteServiceDiscoveryService]
|
a connected |
Raises:
| Type | Description |
|---|---|
TunneldConnectionError
|
if the |