This repository documents the complete reverse engineering of Logitech Flow's Marconi protocol β the encrypted TCP/UDP protocol that Logitech Options+ uses to share mouse, keyboard, and clipboard between computers on a LAN.
Logitech Flow is proprietary, Windows/macOS-only, and encrypted end-to-end with no public documentation. This documents:
- How the encrypted protocol works end-to-end
- The cryptographic handshake and session key derivation
- The packet structure and serialization format
- A practical reference for anyone building interoperable Flow software
- Protocol name: "Marconi" (internal Logitech codename)
- Transport: UDP 59870-59871 (discovery) + TCP 59869 (encrypted tunnel)
- Crypto: AES-256-GCM with bootstrap key hardcoded in the Windows binary, session keys derived via X25519 ECDH + PBKDF1-style SHA-512
- Serialization: thekogans serialization format (FARS) (Flow Application Remote Serialization)
- Session key extraction: Via CDB/WinDbg breakpoints on
DeriveSharedSymmetricKeyor post-pairing memory dumps
ReverseEngineering/
βββ README.md β You are here
βββ GUIDE.md β Full methodology guide
βββ STATUS.md β Current protocol understanding status
βββ docs/ β Protocol reference & operational notes
β βββ protocol.md β Protocol overview, frame format, handshake
β βββ crypto.md β Bootstrap key, session key derivation, tools
β βββ packet-reference.md β Definitive wire-level packet reference
β βββ protocol-behavior-notes.md β Quirks discovered during testing
β βββ app-architecture.md β Logi Options+ internals, protobuf, endpoints
β βββ appbroker-crypto-re.md β AppBroker IPC crypto analysis
βββ tools/ β Python capture/decrypt/analysis tools
β βββ README.md β Tool usage guide
|ββ ClientHelloPacket βββββββββββββ>| (bootstrap-encrypted)
| | Contains: X25519 public key, cipher suite
| |
|<ββ ServerHelloPacket βββββββββββββ| (bootstrap-encrypted)
| | Contains: X25519 public key, session keyId
| |
|ββ PromoteConnectionPacket βββββββ>| (bootstrap-encrypted)
| | Confirms session key established
| |
|ββ All subsequent frames use ββββββ| (session-key encrypted)
| session key |
| |
|ββ ClientDeviceConnectPacket βββββ>| "I'm device X, here are my capabilities"
|<ββ ServerDeviceConnectPacket βββββ| "I'm device Y, here are mine"
| |
|ββ SettingsPacket ββββββββββββββββ>| "These are my Flow settings and peers"
|<ββ SettingsPacket ββββββββββββββββ| "These are mine"
| |
|ββ GlobalData(SetOwnerPacket) ββββ>| "I'm the owner"
|<ββ HeartbeatPacket βββββββββββββββ| Keepalive
|ββ HeartbeatPacket βββββββββββββββ>|
Read the guide: GUIDE.md
Want to capture your own Flow session?
# On Windows (administrator shell)
cd <repo-root>
python tools\capture_flow_session.py --peer <ip> --name my_captureThen decrypt:
python3 tools/flow_crypto.py decrypt captures/my_capture/my_capture.pcapng \
--key-log captures/my_capture/flow_keys.log \
--outdir captures/my_capture/decrypted| Document | What it covers |
|---|---|
| GUIDE.md | Step-by-step methodology: how we reversed it |
| docs/protocol.md | Protocol architecture, frame format, handshake, discovery |
| docs/crypto.md | Key hierarchy, bootstrap, session key derivation, extraction methods |
| docs/packet-reference.md | Complete wire-level packet layout reference |
| docs/protocol-behavior-notes.md | Runtime evidence and behavioral quirks corroborated during testing |
| docs/app-architecture.md | Logi Options+ app architecture, protobuf summary, HTTP endpoints |
| docs/appbroker-crypto-re.md | AppBroker IPC crypto protocol analysis |
| tools/README.md | Tool usage: capture, decrypt, memory dump |
| STATUS.md | Current protocol understanding status |
Current protocol status, open questions, and artifact caveats live in STATUS.md.