From SynCE-Wiki

Contents 1 Overview 2 NSPSession 2.1 LookupBeginRequest 2.2 LookupBeginResponse 2.3 LookupNextRequest 2.4 LookupNextResponse 2.5 LookupEndRequest 3 ConnectionSession 3.1 ConnectRequest 3.2 ConnectResponse 4 Encodings 4.1 Packed fields 4.2 WSAQUERYSET serialized 4.3 sockaddr_in serialized 4.4 sockaddr_in6 serialized

Overview

DTPT, or DeskTop PassThrough is a protocol used for sharing the host's internet connection with the device, ie. a proprietary proxy protocol (yes, another one). The host listens on TCP port 5721 and the device connects to it with one or more clients. The MessageType of the first request initializes the connection to either a NSPSession or a ConnectionSession. A NSPSession is used to perform DNS lookups, whilst a ConnectionSession is used to connect to a given host (a new session is created for every external host that the device wishes to have a session with).

NSPSession

All requests and responses have a fixed size of 20 bytes.

Name	Size	Description
Version	1	Set to 1.
MessageType	1	Message type identifier.
Padding	2	Padding.
QValue	8	A QWORD.
DValue1	4	A DWORD.
DValue2	4	A DWORD.

LookupBeginRequest

RPC version of WSALookupServiceBegin, where the payload is WSAQUERYSET serialized (see below).

Name	Size	Description
Version	1	Set to 1.
MessageType	1	Set to 9.
Padding	2	Padding.
QValue	8	Unused.
dwControlFlags	4	Flags as documented for WSALookupServiceBegin.
PayloadSize	4	Number of bytes of payload following, containing the serialized WSAQUERYSET (documented below).

LookupBeginResponse

Name	Size	Description
Version	1	Set to 1.
MessageType	1	Set to 10.
Padding	2	Padding.
Handle	8	The handle returned by WSALookupServiceBegin.
LastError	4	Last error, set to a non-zero value in case of failure.
DValue2	4	Unused.

LookupNextRequest

RPC version of WSALookupServiceNext.

Name	Size	Description
Version	1	Set to 1.
MessageType	1	Set to 11.
Padding	2	Padding.
Handle	8	The handle returned in the LookupBeginResponse.
DValue1	4	Unused.
BufferSize	4	Number of bytes of buffer space allocated for the response. The response' LastError will be set to WSAEFAULT (0x271e) and DataSize will be set to the minimum size required.

LookupNextResponse

Name	Size	Description
Version	1	Set to 1.
MessageType	1	Set to 12.
Padding	2	Padding.
QValue	8	Unused.
LastError	4	Last error, set to a non-zero value in case of failure.
DataSize	4	Contains the number of bytes of payload if LastError is 0, elsewise it contains the minimum buffer space required if LastError is set to WSAEFAULT. On success, the payload contains a serialized WSAQUERYSET (documented below).

LookupEndRequest

RPC version of WSALookupServiceEnd.

Name	Size	Description
Version	1	Set to 1.
MessageType	1	Set to 13.
Padding	2	Padding.
Handle	8	The handle returned in the LookupBeginResponse.
DValue1	4	Unused.
DValue2	4	Unused.

ConnectionSession

ConnectRequest

This request has a fixed size of 36 bytes.

Name	Size	Description
Version	1	Set to 1.
MessageType	1	Set to 1.
Address	30	sockaddr_in or sockaddr_in6, serialized (see below).
LastError	4	Last error, set to 0 in this case.

ConnectResponse

This response has a fixed size of 36 bytes.

Name	Size	Description
Version	1	Set to 1.
MessageType	1	Set to 0x5A on success, 0x5B on failure.
Address	30	The address of the local socket, as returned from getsockname, sockaddr_in or sockaddr_in6, serialized (see below).
LastError	4	Last error, set to a non-zero value in case of failure.

Encodings

Packed fields

Each packed field contains a little-endian DWORD specifying the number of bytes following, followed by that many bytes of data. All fields have to end on 4 byte boundary, so trailing padding is added to ensure this.

WSAQUERYSET serialized

It has mostly packed fields (denoted PF in the Type column) following one another:

Name	Type	Description
WSAQUERYSET	PF, Raw	Contains a flat representation of the WSAQUERYSET, and will thus be 60 bytes big (sizeof(WSAQUERYSET)).
WSAQUERYSET.lpszServiceInstanceName	PF, Unicode C-string	The lpszServiceInstanceName of the WSAQUERYSET.
WSAQUERYSET.lpServiceClassId	PF, Raw GUID (16 bytes)	The lpServiceClassId of the WSAQUERYSET.
WSAQUERYSET.lpszComment	PF, Unicode C-string	The lpszComment of the WSAQUERYSET.
WSAQUERYSET.lpNSProviderId	PF, Raw GUID (16 bytes)	The lpNSProviderId of the WSAQUERYSET.
WSAQUERYSET.lpszContext	PF, Unicode C-string	The lpszContext of the WSAQUERYSET.
WSAQUERYSET.dwNumberOfProtocols	UINT32LE	A UINT32 (little-endian) containing the number of AFPROTOCOL structures following in the next packet field.
WSAQUERYSET.lpafpProtocols	PF, AFPROTOCOL[]	AFPROTOCOL structures following each other.
WSAQUERYSET.lpszQueryString	PF, Unicode C-string	The lpszQueryString of the WSAQUERYSET.
WSAQUERYSET.dwNumberOfCsAddrs	UINT32LE	A UINT32 (little-endian) containing the number of CSADDR_INFO structures following in the next packet field.
WSAQUERYSET.lpcsaBuffer	PF, CSADDR_INFO[]	CSADDR_INFO structures following each other. The next fields contain the LocalAddr and RemoteAddr for SOCKET_ADDRESS structure 0 to n.
WSAQUERYSET.lpcsaBuffer[n].LocalAddr	PF, SOCKET_ADDRESS	SOCKET_ADDRESS structure for CSADDR_INFO n.
WSAQUERYSET.lpcsaBuffer[n].RemoteAddr	PF, SOCKET_ADDRESS	SOCKET_ADDRESS structure for CSADDR_INFO n.
WSAQUERYSET.lpBlob	PF, BLOB (8 bytes)	The BLOB structure.
WSAQUERYSET.lpBlob->pBlobData	PF, byte[] (WSAQUERYSET.lpBlob->cbSize bytes long)	The pBlobData member of the BLOB.

sockaddr_in serialized

Name	Size	Description
sin_family	4	Family in little-endian -- AF_INET (2) in this case.
Padding	4	Padding bytes.
sin_port	2	Port in big-endian.
sin_addr	4	Address in big-endian.
Reserved	16

sockaddr_in6 serialized

Name	Size	Description
sin6_family	4	Family in little-endian -- AF_INET6 (23) in this case.
Padding	4	Padding bytes.
sin6_port	2	Port in big-endian.
sin6_addr	16	Address in big-endian.
sin6_scope_id	4	Scope id in big-endian.