Milestone v0.3.0: RNDIS Control Handshake verified on live Samsung device

Author: HelloPrincePal

CHANGELOG.md

@@ -20,6 +20,22 @@ Format:
 
 ---
 
+## v0.3.0 — 2026-03-28
+
+### 2026-03-28 13:51 — Validated RNDIS Handshake on Live Device
+- What: Confirmed RNDIS `INIT`, `QUERY(MAC)`, and `SET` handshake works; retrieved real device MAC address (`ee211e71ab6a`); refined `gousb` field access and control transfer reliability.
+- Why: Complete Milestone v0.3.0; the device is now fully initialized and ready to send/receive network packets.
+- Files: `internal/rndis/rndis.go`, `internal/usb/device.go`, `internal/daemon/daemon.go`
+- Breaking: no
+
+### 2026-03-28 13:50 — Implement RNDIS Handshake State Machine
+- What: Built binary marshalling for `INIT/QUERY/SET` messages (`internal/rndis/messages.go`); implemented RNDIS state machine for `Handshake()` sequence; added `ControlCall` to `usb.Device`.
+- Why: Milestone v0.3.0; allow the daemon to put the phone into data mode and retrieve device MAC address.
+- Files: `internal/rndis/oids.go`, `internal/rndis/messages.go`, `internal/rndis/rndis.go`, `internal/usb/device.go`, `internal/daemon/daemon.go`
+- Breaking: no
+
+---
+
 ## v0.2.0 — 2026-03-28
 
 ### 2026-03-28 13:15 — Validated USB RNDIS Detection on Live Device

VERSIONS.md

@@ -10,6 +10,14 @@ v1.0.0 = MVP complete and working on M1/M2/M3.
 
 ---
 
+## v0.3.0 — 2026-03-28
+- Milestone: RNDIS handshake working (INIT/QUERY/SET)
+- What works: Raw USB Control transfers for RNDIS encapsulated commands; `INIT` handshake; `QUERY MAC` address retrieval; `SET` packet filter to enable promiscuous data mode. **Confirmed on real device.**
+- What's broken: No actual data transfer (bulk transfer) implemented yet.
+- Next: `internal/tun/utun.go` creation and bulk packet relay.
+
+---
+
 ## v0.2.0 — 2026-03-28
 - Milestone: USB device detection + hotplug watcher
 - What works: `libusb` device monitoring, RNDIS hardware identification, and background daemon. **Validated on real Samsung Galaxy hardware.**

internal/daemon/daemon.go

@@ -10,6 +10,7 @@ import (
 	"github.com/rs/zerolog/log"
 
 	"github.com/princePal/droidtether/config"
+	"github.com/princePal/droidtether/internal/rndis"
 	"github.com/princePal/droidtether/internal/usb"
 )
 
@@ -42,9 +43,15 @@ func (d *Daemon) Run() error {
 		log.Info().
 			Str("component", "daemon").
 			Msg("Android RNDIS device connected!")
-		// In the future:
-		// session := NewSession(dev)
-		// session.Start()
+		
+		session := rndis.NewSession(dev)
+		if err := session.Handshake(); err != nil {
+			log.Error().Str("component", "daemon").Err(err).Msg("RNDIS Handshake failed")
+			// Cleanup happens naturally via watcher detach
+		}
+		
+		// Wait a bit to verify logs in dev mode
+		time.Sleep(3 * time.Second)
 	})
 
 	watcher.OnDetach(func() {

internal/rndis/messages.go

@@ -0,0 +1,148 @@
+package rndis
+
+import (
+	"encoding/binary"
+	"fmt"
+)
+
+// CommonHeader is the 8-byte prefix for all RNDIS Control Messages.
+type CommonHeader struct {
+	MessageType   uint32
+	MessageLength uint32
+}
+
+// RemoteNdisInitializeMsg is sent by Host -> Device to start the handshake.
+type RemoteNdisInitializeMsg struct {
+	MessageType    uint32 // MsgInit (0x02)
+	MessageLength  uint32 // 24 bytes
+	RequestID      uint32
+	MajorVersion   uint32 // 1
+	MinorVersion   uint32 // 0
+	MaxTransferSz  uint32 // Recommended: 16384 (16KB)
+}
+
+func (m *RemoteNdisInitializeMsg) Marshal() []byte {
+	b := make([]byte, 24)
+	binary.LittleEndian.PutUint32(b[0:4], MsgInit)
+	binary.LittleEndian.PutUint32(b[4:8], 24)
+	binary.LittleEndian.PutUint32(b[8:12], m.RequestID)
+	binary.LittleEndian.PutUint32(b[12:16], 1) // Major
+	binary.LittleEndian.PutUint32(b[16:20], 0) // Minor
+	binary.LittleEndian.PutUint32(b[20:24], m.MaxTransferSz)
+	return b
+}
+
+// RemoteNdisInitializeCmplt is sent by Device -> Host.
+type RemoteNdisInitializeCmplt struct {
+	RequestID    uint32
+	Status       uint32
+	MajorVersion uint32
+	MinorVersion uint32
+	MaxTransfer  uint32
+	MaxPackets   uint32
+	PacketFormat uint32 // RNDIS_PACKET_FORMAT_ETH
+}
+
+func UnmarshalInitializeCmplt(data []byte) (*RemoteNdisInitializeCmplt, error) {
+	if len(data) < 52 {
+		return nil, fmt.Errorf("init_cmplt: message too short (%d)", len(data))
+	}
+	// Verify it's a Completion for Init
+	msgType := binary.LittleEndian.Uint32(data[0:4])
+	if msgType != MsgInitCmplt {
+		return nil, fmt.Errorf("init_cmplt: wrong message type 0x%08X", msgType)
+	}
+
+	return &RemoteNdisInitializeCmplt{
+		RequestID:    binary.LittleEndian.Uint32(data[8:12]),
+		Status:       binary.LittleEndian.Uint32(data[12:16]),
+		MajorVersion: binary.LittleEndian.Uint32(data[16:20]),
+		MinorVersion: binary.LittleEndian.Uint32(data[20:24]),
+		MaxTransfer:  binary.LittleEndian.Uint32(data[32:36]),
+		MaxPackets:   binary.LittleEndian.Uint32(data[36:40]),
+		PacketFormat: binary.LittleEndian.Uint32(data[44:48]),
+	}, nil
+}
+
+// RemoteNdisQueryMsg is sent by Host -> Device to query OIDs (e.g., getting MAC address).
+type RemoteNdisQueryMsg struct {
+	RequestID           uint32
+	OID                 uint32
+	InformationBufferLength uint32 // for simple queries, usually 0
+}
+
+func (m *RemoteNdisQueryMsg) Marshal() []byte {
+	b := make([]byte, 28)
+	binary.LittleEndian.PutUint32(b[0:4], MsgQuery)
+	binary.LittleEndian.PutUint32(b[4:8], 28)
+	binary.LittleEndian.PutUint32(b[8:12], m.RequestID)
+	binary.LittleEndian.PutUint32(b[12:16], m.OID)
+	binary.LittleEndian.PutUint32(b[16:20], 0) // Info Buffer Length
+	binary.LittleEndian.PutUint32(b[20:24], 20) // Info Buffer Offset (offset from RequestID field, which is 8 index + 12 = 20)
+	binary.LittleEndian.PutUint32(b[24:28], 0) // Device Context
+	return b
+}
+
+// RemoteNdisQueryCmplt is sent by Device -> Host.
+type RemoteNdisQueryCmplt struct {
+	RequestID uint32
+	Status    uint32
+	Payload   []byte
+}
+
+func UnmarshalQueryCmplt(data []byte) (*RemoteNdisQueryCmplt, error) {
+	if len(data) < 24 {
+		return nil, fmt.Errorf("query_cmplt: message too short (%d)", len(data))
+	}
+	msgType := binary.LittleEndian.Uint32(data[0:4])
+	if msgType != MsgQueryCmplt {
+		return nil, fmt.Errorf("query_cmplt: wrong message type 0x%08X", msgType)
+	}
+
+	infoLen := binary.LittleEndian.Uint32(data[16:20])
+	infoOff := binary.LittleEndian.Uint32(data[20:24]) // Offset starts at byte 8 (RequestID)
+
+	start := int(8 + infoOff)
+	end := start + int(infoLen)
+
+	if end > len(data) {
+		return nil, fmt.Errorf("query_cmplt: payload out of bounds")
+	}
+
+	return &RemoteNdisQueryCmplt{
+		RequestID: binary.LittleEndian.Uint32(data[8:12]),
+		Status:    binary.LittleEndian.Uint32(data[12:16]),
+		Payload:   data[start:end],
+	}, nil
+}
+
+// RemoteNdisSetMsg is sent by Host -> Device to set OIDs (e.g., enable packet processing).
+type RemoteNdisSetMsg struct {
+	RequestID uint32
+	OID       uint32
+	Value     uint32
+}
+
+func (m *RemoteNdisSetMsg) Marshal() []byte {
+	b := make([]byte, 32)
+	binary.LittleEndian.PutUint32(b[0:4], MsgSet)
+	binary.LittleEndian.PutUint32(b[4:8], 32)
+	binary.LittleEndian.PutUint32(b[8:12], m.RequestID)
+	binary.LittleEndian.PutUint32(b[12:16], m.OID)
+	binary.LittleEndian.PutUint32(b[16:20], 4)  // Value size (uint32)
+	binary.LittleEndian.PutUint32(b[20:24], 20) // Value offset (from byte 8)
+	binary.LittleEndian.PutUint32(b[24:28], 0)  // Device Context
+	binary.LittleEndian.PutUint32(b[28:32], m.Value)
+	return b
+}
+
+func UnmarshalSetCmplt(data []byte) (uint32, uint32, error) { // returns RequestID, Status
+	if len(data) < 16 {
+		return 0, 0, fmt.Errorf("set_cmplt: too short")
+	}
+	msgType := binary.LittleEndian.Uint32(data[0:4])
+	if msgType != MsgSetCmplt {
+		return 0, 0, fmt.Errorf("set_cmplt: wrong msg type")
+	}
+	return binary.LittleEndian.Uint32(data[8:12]), binary.LittleEndian.Uint32(data[12:16]), nil
+}

internal/rndis/oids.go

@@ -0,0 +1,69 @@
+package rndis
+
+// RNDIS message types (Host -> Device)
+const (
+	MsgInit          uint32 = 0x00000002
+	MsgQuery         uint32 = 0x00000004
+	MsgSet           uint32 = 0x00000005
+	MsgReset         uint32 = 0x00000006
+	MsgKeepAlive     uint32 = 0x00000008
+	MsgPacket        uint32 = 0x00000001
+)
+
+// RNDIS message completion types (Device -> Host)
+const (
+	MsgInitCmplt      uint32 = 0x80000002
+	MsgQueryCmplt     uint32 = 0x80000004
+	MsgSetCmplt       uint32 = 0x80000005
+	MsgResetCmplt     uint32 = 0x80000006
+	MsgKeepAliveCmplt uint32 = 0x80000008
+)
+
+// RNDIS Object Identifiers (OIDs)
+const (
+	OID_GEN_SUPPORTED_LIST        uint32 = 0x00010101
+	OID_GEN_HARDWARE_STATUS       uint32 = 0x00010102
+	OID_GEN_MEDIA_SUPPORTED       uint32 = 0x00010103
+	OID_GEN_MEDIA_IN_USE          uint32 = 0x00010104
+	OID_GEN_MAXIMUM_LOOKAHEAD     uint32 = 0x00010105
+	OID_GEN_MAXIMUM_FRAME_SIZE    uint32 = 0x00010106
+	OID_GEN_LINK_SPEED            uint32 = 0x00010107
+	OID_GEN_TRANSMIT_BUFFER_SPACE uint32 = 0x00010108
+	OID_GEN_RECEIVE_BUFFER_SPACE  uint32 = 0x00010109
+	OID_GEN_TRANSMIT_BLOCK_SIZE   uint32 = 0x0001010A
+	OID_GEN_RECEIVE_BLOCK_SIZE    uint32 = 0x0001010B
+	OID_GEN_VENDOR_ID             uint32 = 0x0001010C
+	OID_GEN_VENDOR_DESCRIPTION    uint32 = 0x0001010D
+	OID_GEN_CURRENT_PACKET_FILTER uint32 = 0x0001010E
+	OID_GEN_MAXIMUM_TOTAL_SIZE    uint32 = 0x00010111
+
+	OID_802_3_PERMANENT_ADDRESS   uint32 = 0x01010101
+	OID_802_3_CURRENT_ADDRESS     uint32 = 0x01010102
+	OID_802_3_MULTICAST_LIST      uint32 = 0x01010103
+	OID_802_3_MAXIMUM_LIST_SIZE   uint32 = 0x01010104
+)
+
+// RNDIS Packet Filters
+const (
+	PacketTypeDirected      uint32 = 0x00000001
+	PacketTypeMulticast     uint32 = 0x00000002
+	PacketTypeAllMulticast  uint32 = 0x00000004
+	PacketTypeBroadcast     uint32 = 0x00000008
+	PacketTypeSourceRouting uint32 = 0x00000010
+	PacketTypePromiscuous   uint32 = 0x00000020
+	PacketTypeSMT           uint32 = 0x00000040
+	PacketTypeAllLocal      uint32 = 0x00000080
+	PacketTypeAllFunctional uint32 = 0x00000100
+	PacketTypeFunctional    uint32 = 0x00000200
+	PacketTypeGroup         uint32 = 0x00000400
+)
+
+// RNDIS Status Codes
+const (
+	StatusSuccess          uint32 = 0x00000000
+	StatusFailure          uint32 = 0xC0000001
+	StatusNotSupported     uint32 = 0xC00000BB
+	StatusInvalidData      uint32 = 0xC0010015
+	StatusInvalidLength    uint32 = 0xC0010014
+	StatusResources        uint32 = 0xC000009A
+)