@basmilius/apple-common 0.10.1 → 0.12.0

package/dist/index.d.mts

@@ -13,61 +13,22 @@ declare function v4(options?: Version4Options, buf?: undefined, offset?: number)
 declare function v4<TBuf extends Uint8Array = Uint8Array>(options: Version4Options | undefined, buf: TBuf, offset?: number): TBuf;
 //#endregion
 //#region src/airplayFeatures.d.ts
-/** Type definition for the AirPlay feature flags bitmask object. */
-type AirPlayFeatureFlagsType = {
-  readonly SupportsAirPlayVideoV1: bigint;
-  readonly SupportsAirPlayPhoto: bigint;
-  readonly SupportsAirPlayVideoFairPlay: bigint;
-  readonly SupportsAirPlayVideoVolumeControl: bigint;
-  readonly SupportsAirPlayVideoHTTPLiveStreams: bigint;
-  readonly SupportsAirPlaySlideShow: bigint;
-  readonly SupportsAirPlayScreen: bigint;
-  readonly SupportsAirPlayAudio: bigint;
-  readonly AudioRedundant: bigint;
-  readonly Authentication_4: bigint;
-  readonly MetadataFeatures_0: bigint;
-  readonly MetadataFeatures_1: bigint;
-  readonly MetadataFeatures_2: bigint;
-  readonly AudioFormats_0: bigint;
-  readonly AudioFormats_1: bigint;
-  readonly AudioFormats_2: bigint;
-  readonly AudioFormats_3: bigint;
-  readonly Authentication_1: bigint;
-  readonly Authentication_8: bigint;
-  readonly SupportsLegacyPairing: bigint;
-  readonly HasUnifiedAdvertiserInfo: bigint;
-  readonly IsCarPlay: bigint;
-  readonly SupportsAirPlayVideoPlayQueue: bigint;
-  readonly SupportsAirPlayFromCloud: bigint;
-  readonly SupportsTLS_PSK: bigint;
-  readonly SupportsUnifiedMediaControl: bigint;
-  readonly SupportsBufferedAudio: bigint;
-  readonly SupportsPTP: bigint;
-  readonly SupportsScreenMultiCodec: bigint;
-  readonly SupportsSystemPairing: bigint;
-  readonly IsAPValeriaScreenSender: bigint;
-  readonly SupportsHKPairingAndAccessControl: bigint;
-  readonly SupportsCoreUtilsPairingAndEncryption: bigint;
-  readonly SupportsAirPlayVideoV2: bigint;
-  readonly MetadataFeatures_3: bigint;
-  readonly SupportsUnifiedPairSetupAndMFi: bigint;
-  readonly SupportsSetPeersExtendedMessage: bigint;
-  readonly SupportsAPSync: bigint;
-  readonly SupportsWoL: bigint;
-  readonly SupportsWoL2: bigint;
-  readonly SupportsHangdogRemoteControl: bigint;
-  readonly SupportsAudioStreamConnectionSetup: bigint;
-  readonly SupportsAudioMetadataControl: bigint;
-  readonly SupportsRFC2198Redundancy: bigint;
-};
 /**
  * AirPlay feature flags as a bitmask of bigint values. Each flag corresponds to a specific
  * capability advertised by an AirPlay device in its mDNS TXT record "features" field.
- * The bit positions match Apple's internal AirPlayFeatureFlags enum.
+ *
+ * Bit positions are derived from Apple's internal `APSFeaturesSetFeature()` calls in the
+ * AirPlayReceiver framework (`sysInfo_createFeaturesInternal`). Flag names follow the
+ * community convention (pyatv, emanuelecozzi.net) with camelCase normalization.
+ *
+ * Sources:
+ * - Apple AirPlayReceiver framework decompilation (sysInfo.c)
+ * - pyatv AirPlayFlags enum (pyatv/protocols/airplay/utils.py)
+ * - https://emanuelecozzi.net/docs/airplay2/features/
  */
-declare const AirPlayFeatureFlags: AirPlayFeatureFlagsType;
-/** String union of all known AirPlay feature flag names. */
-type AirPlayFeatureFlagName = keyof typeof AirPlayFeatureFlags;
+declare const AirPlayFeatureFlags: Record<string, bigint>;
+/** String name of any known AirPlay feature flag. */
+type AirPlayFeatureFlagName = string;
 /** The type of pairing required to connect to an AirPlay device. */
 type PairingRequirement = 'none' | 'pin' | 'transient' | 'homekit';
 /**
@@ -130,6 +91,21 @@ declare function isPasswordRequired(txt: Record<string, string>): boolean;
  * @returns True if remote control is supported (typically Apple TV only).
  */
 declare function isRemoteControlSupported(txt: Record<string, string>): boolean;
+/**
+ * Feature bitmask advertised when connecting for remote control sessions.
+ *
+ * Includes media control, system pairing, encryption, volume, and
+ * hangdog remote control capabilities.
+ */
+declare const SENDER_FEATURES_REMOTE_CONTROL: bigint;
+/**
+ * Feature bitmask advertised when connecting for audio streaming sessions.
+ *
+ * Extends the remote control features with buffered audio, audio stream
+ * connection setup, metadata control, format negotiation, and PTP
+ * synchronization support.
+ */
+declare const SENDER_FEATURES_AUDIO: bigint;
 //#endregion
 //#region src/reporter.d.ts
 /**
@@ -298,7 +274,12 @@ declare class AccessoryPair extends BasePairing {
    * @param context - Shared context for logging and device identity.
    * @param requestHandler - Callback that sends TLV8-encoded data and returns the response.
    */
-  constructor(context: Context, requestHandler: RequestHandler);
+  /**
+   * @param context - Shared context for logging and device identity.
+   * @param requestHandler - Callback that sends TLV8-encoded data and returns the response.
+   * @param useAes - Use AES-128-CTR instead of ChaCha20-Poly1305 for M5/M6 encryption (legacy devices).
+   */
+  constructor(context: Context, requestHandler: RequestHandler, useAes?: boolean);
   /** Generates a new Ed25519 key pair for long-term identity. Must be called before pin() or transient(). */
   start(): Promise<void>;
   /**
@@ -385,8 +366,9 @@ declare class AccessoryVerify extends BasePairing {
   /**
    * @param context - Shared context for logging and device identity.
    * @param requestHandler - Callback that sends TLV8-encoded data and returns the response.
+   * @param useAes - Use AES-128-CTR instead of ChaCha20-Poly1305 for encryption (legacy devices).
    */
-  constructor(context: Context, requestHandler: RequestHandler);
+  constructor(context: Context, requestHandler: RequestHandler, useAes?: boolean);
   /**
    * Performs the full pair-verify flow (M1 through M4) using stored credentials
    * from a previous pair-setup. Establishes a new session with forward secrecy
@@ -962,10 +944,20 @@ declare class EncryptionState {
 }
 //#endregion
 //#region src/const.d.ts
+/** Default number of bytes per audio channel sample (16-bit PCM). */
+declare const AUDIO_BYTES_PER_CHANNEL = 2;
+/** Default number of audio channels (stereo). */
+declare const AUDIO_CHANNELS = 2;
+/** Number of PCM audio frames packed into a single RTP packet (ALAC/RAOP standard). */
+declare const AUDIO_FRAMES_PER_PACKET = 352;
+/** Default audio sample rate in Hz (CD quality). */
+declare const AUDIO_SAMPLE_RATE = 44100;
 /** Default PIN used for transient (non-persistent) AirPlay pairing sessions. */
 declare const AIRPLAY_TRANSIENT_PIN = "3939";
 /** Timeout in milliseconds for HTTP requests during setup and control. */
 declare const HTTP_TIMEOUT = 6000;
+/** Timeout in milliseconds for TCP socket connections during initial connect. Matches Apple's 30s default. */
+declare const SOCKET_TIMEOUT = 30000;
 /** mDNS service type for AirPlay device discovery. */
 declare const AIRPLAY_SERVICE = "_airplay._tcp.local";
 /** mDNS service type for Companion Link (remote control protocol) device discovery. */
@@ -973,6 +965,26 @@ declare const COMPANION_LINK_SERVICE = "_companion-link._tcp.local";
 /** mDNS service type for RAOP (Remote Audio Output Protocol) device discovery. */
 declare const RAOP_SERVICE = "_raop._tcp.local";
 //#endregion
+//#region src/hkdf.d.ts
+/**
+ * Derives a pair of ChaCha20 encryption keys (read + write) from a shared secret
+ * using HKDF-SHA512 with direction-specific info strings.
+ *
+ * This is a shared helper used across AirPlay, Companion Link, and RAOP pairing
+ * flows to eliminate repeated HKDF boilerplate. The salt and info strings vary
+ * per protocol and stream type.
+ *
+ * @param sharedSecret - The shared secret from a pair-verify or pair-setup flow.
+ * @param salt - HKDF salt string (protocol-specific, e.g. 'Control-Salt').
+ * @param readInfo - HKDF info string for the read (decrypt) key.
+ * @param writeInfo - HKDF info string for the write (encrypt) key.
+ * @returns An object with `readKey` and `writeKey` as 32-byte Buffers.
+ */
+declare function deriveEncryptionKeys(sharedSecret: Buffer, salt: string, readInfo: string, writeInfo: string): {
+  readKey: Buffer;
+  writeKey: Buffer;
+};
+//#endregion
 //#region src/symbols.d.ts
 /**
  * Unique symbol used as a key for accessing encryption state on connection instances.
@@ -1056,10 +1068,6 @@ declare class TimingServer {
    * @throws If the socket fails to bind.
    */
   listen(): Promise<void>;
-  /**
-   * Handles the socket 'connect' event by configuring buffer sizes.
-   */
-  onConnect(): void;
   /**
    * Handles socket errors by logging them.
    *
@@ -1167,42 +1175,42 @@ declare enum DeviceType {
  * @param identifier - Model identifier (e.g. "AppleTV6,2") or internal name (e.g. "J305AP").
  * @returns The matching device model, or {@link DeviceModel.Unknown} if unrecognized.
  */
-declare const lookupDeviceModel: (identifier: string) => DeviceModel;
+declare function lookupDeviceModel(identifier: string): DeviceModel;
 /**
  * Returns the human-readable display name for a device model.
  *
  * @param model - The device model to look up.
  * @returns A display name like "Apple TV 4K (2nd generation)", or "Unknown".
  */
-declare const getDeviceModelName: (model: DeviceModel) => string;
+declare function getDeviceModelName(model: DeviceModel): string;
 /**
  * Returns the high-level device type category for a device model.
  *
  * @param model - The device model to categorize.
  * @returns The device type (AppleTV, HomePod, AirPort, or Unknown).
  */
-declare const getDeviceType: (model: DeviceModel) => DeviceType;
+declare function getDeviceType(model: DeviceModel): DeviceType;
 /**
  * Checks whether the given model is an Apple TV.
  *
  * @param model - The device model to check.
  * @returns True if the model is any Apple TV generation.
  */
-declare const isAppleTV: (model: DeviceModel) => boolean;
+declare function isAppleTV(model: DeviceModel): boolean;
 /**
  * Checks whether the given model is a HomePod.
  *
  * @param model - The device model to check.
  * @returns True if the model is any HomePod variant.
  */
-declare const isHomePod: (model: DeviceModel) => boolean;
+declare function isHomePod(model: DeviceModel): boolean;
 /**
  * Checks whether the given model is an AirPort Express.
  *
  * @param model - The device model to check.
  * @returns True if the model is any AirPort Express generation.
  */
-declare const isAirPort: (model: DeviceModel) => boolean;
+declare function isAirPort(model: DeviceModel): boolean;
 //#endregion
 //#region src/errors.d.ts
 /**
@@ -1315,4 +1323,4 @@ interface AudioSource {
   stop(): Promise<void>;
 }
 //#endregion
-export { AIRPLAY_SERVICE, AIRPLAY_TRANSIENT_PIN, type AccessoryCredentials, type AccessoryKeys, AccessoryPair, AccessoryVerify, type AirPlayFeatureFlagName, AirPlayFeatureFlags, AppleProtocolError, type AudioSource, AuthenticationError, COMPANION_LINK_SERVICE, type CombinedDiscoveryResult, CommandError, Connection, ConnectionClosedError, ConnectionError, ConnectionRecovery, type ConnectionRecoveryOptions, type ConnectionState, ConnectionTimeoutError, Context, CredentialsError, type DeviceIdentity, DeviceModel, DeviceType, Discovery, DiscoveryError, type DiscoveryResult, ENCRYPTION, EncryptionAwareConnection, EncryptionError, EncryptionState, type EventMap, HTTP_TIMEOUT, InvalidResponseError, JsonStorage, type Logger, type MdnsService, MemoryStorage, PairingError, type PairingRequirement, PlaybackError, type ProtocolType, RAOP_SERVICE, type Reporter, SetupError, Storage, type StorageData, type StoredDevice, TimeoutError, TimingServer, describeFlags, generateActiveRemoteId, generateDacpId, generateSessionId, getDeviceModelName, getDeviceType, getLocalIP, getMacAddress, getPairingRequirement, getProtocolVersion, hasFeatureFlag, isAirPort, isAppleTV, isHomePod, isPasswordRequired, isRemoteControlSupported, lookupDeviceModel, multicast as mdnsMulticast, unicast as mdnsUnicast, parseFeatures, prompt, randomInt32, randomInt64, reporter, uint16ToBE, uint53ToLE, v4 as uuid, waitFor };
+export { AIRPLAY_SERVICE, AIRPLAY_TRANSIENT_PIN, AUDIO_BYTES_PER_CHANNEL, AUDIO_CHANNELS, AUDIO_FRAMES_PER_PACKET, AUDIO_SAMPLE_RATE, type AccessoryCredentials, type AccessoryKeys, AccessoryPair, AccessoryVerify, type AirPlayFeatureFlagName, AirPlayFeatureFlags, AppleProtocolError, type AudioSource, AuthenticationError, COMPANION_LINK_SERVICE, type CombinedDiscoveryResult, CommandError, Connection, ConnectionClosedError, ConnectionError, ConnectionRecovery, type ConnectionRecoveryOptions, type ConnectionState, ConnectionTimeoutError, Context, CredentialsError, type DeviceIdentity, DeviceModel, DeviceType, Discovery, DiscoveryError, type DiscoveryResult, ENCRYPTION, EncryptionAwareConnection, EncryptionError, EncryptionState, type EventMap, HTTP_TIMEOUT, InvalidResponseError, JsonStorage, type Logger, type MdnsService, MemoryStorage, PairingError, type PairingRequirement, PlaybackError, type ProtocolType, RAOP_SERVICE, type Reporter, SENDER_FEATURES_AUDIO, SENDER_FEATURES_REMOTE_CONTROL, SOCKET_TIMEOUT, SetupError, Storage, type StorageData, type StoredDevice, TimeoutError, TimingServer, deriveEncryptionKeys, describeFlags, generateActiveRemoteId, generateDacpId, generateSessionId, getDeviceModelName, getDeviceType, getLocalIP, getMacAddress, getPairingRequirement, getProtocolVersion, hasFeatureFlag, isAirPort, isAppleTV, isHomePod, isPasswordRequired, isRemoteControlSupported, lookupDeviceModel, multicast as mdnsMulticast, unicast as mdnsUnicast, parseFeatures, prompt, randomInt32, randomInt64, reporter, uint16ToBE, uint53ToLE, v4 as uuid, waitFor };

package/dist/index.mjs

@@ -2,13 +2,13 @@ import { createRequire } from "node:module";
 import { randomBytes, randomFillSync, randomUUID } from "node:crypto";
 import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
-import { Socket, createConnection } from "node:net";
 import { createInterface } from "node:readline";
 import { createSocket } from "node:dgram";
+import { Socket, createConnection } from "node:net";
 import { networkInterfaces } from "node:os";
 import { EventEmitter } from "node:events";
+import { Aes, Chacha20, Curve25519, Ed25519, hkdf } from "@basmilius/apple-encryption";
 import { NTP, OPack, TLV8 } from "@basmilius/apple-encoding";
-import { Chacha20, Curve25519, Ed25519, hkdf } from "@basmilius/apple-encryption";
 
 //#region \0rolldown/runtime.js
 var __commonJSMin = (cb, mod) => () => (mod || cb((mod = { exports: {} }).exports, mod), mod.exports);
@@ -64,7 +64,15 @@ function v4(options, buf, offset) {
 /**
 * AirPlay feature flags as a bitmask of bigint values. Each flag corresponds to a specific
 * capability advertised by an AirPlay device in its mDNS TXT record "features" field.
-* The bit positions match Apple's internal AirPlayFeatureFlags enum.
+*
+* Bit positions are derived from Apple's internal `APSFeaturesSetFeature()` calls in the
+* AirPlayReceiver framework (`sysInfo_createFeaturesInternal`). Flag names follow the
+* community convention (pyatv, emanuelecozzi.net) with camelCase normalization.
+*
+* Sources:
+* - Apple AirPlayReceiver framework decompilation (sysInfo.c)
+* - pyatv AirPlayFlags enum (pyatv/protocols/airplay/utils.py)
+* - https://emanuelecozzi.net/docs/airplay2/features/
 */
 const AirPlayFeatureFlags = {
 	SupportsAirPlayVideoV1: 1n << 0n,
@@ -76,22 +84,22 @@ const AirPlayFeatureFlags = {
 	SupportsAirPlayScreen: 1n << 7n,
 	SupportsAirPlayAudio: 1n << 9n,
 	AudioRedundant: 1n << 11n,
-	Authentication_4: 1n << 14n,
-	MetadataFeatures_0: 1n << 15n,
-	MetadataFeatures_1: 1n << 16n,
-	MetadataFeatures_2: 1n << 17n,
-	AudioFormats_0: 1n << 18n,
-	AudioFormats_1: 1n << 19n,
-	AudioFormats_2: 1n << 20n,
-	AudioFormats_3: 1n << 21n,
-	Authentication_1: 1n << 23n,
-	Authentication_8: 1n << 26n,
+	Authentication4: 1n << 14n,
+	MetadataFeatures0: 1n << 15n,
+	MetadataFeatures1: 1n << 16n,
+	MetadataFeatures2: 1n << 17n,
+	AudioFormats0: 1n << 18n,
+	AudioFormats1: 1n << 19n,
+	AudioFormats2: 1n << 20n,
+	AudioFormats3: 1n << 21n,
+	Authentication1: 1n << 23n,
+	Authentication8: 1n << 26n,
 	SupportsLegacyPairing: 1n << 27n,
 	HasUnifiedAdvertiserInfo: 1n << 30n,
-	IsCarPlay: 1n << 32n,
+	SupportsVolume: 1n << 32n,
 	SupportsAirPlayVideoPlayQueue: 1n << 33n,
 	SupportsAirPlayFromCloud: 1n << 34n,
-	SupportsTLS_PSK: 1n << 35n,
+	SupportsTLSPSK: 1n << 35n,
 	SupportsUnifiedMediaControl: 1n << 38n,
 	SupportsBufferedAudio: 1n << 40n,
 	SupportsPTP: 1n << 41n,
@@ -101,7 +109,7 @@ const AirPlayFeatureFlags = {
 	SupportsHKPairingAndAccessControl: 1n << 46n,
 	SupportsCoreUtilsPairingAndEncryption: 1n << 48n,
 	SupportsAirPlayVideoV2: 1n << 49n,
-	MetadataFeatures_3: 1n << 50n,
+	MetadataFeatures3: 1n << 50n,
 	SupportsUnifiedPairSetupAndMFi: 1n << 51n,
 	SupportsSetPeersExtendedMessage: 1n << 52n,
 	SupportsAPSync: 1n << 54n,
@@ -144,7 +152,7 @@ function parseFeatures(features) {
 * @returns True if the flag is set.
 */
 function hasFeatureFlag(features, flag) {
-	return (features & flag) !== 0n;
+	return (features & flag) === flag;
 }
 /**
 * Returns the names of all feature flags that are set in the given bitmask.
@@ -216,6 +224,21 @@ function isRemoteControlSupported(txt) {
 	if (!featuresStr) return false;
 	return hasFeatureFlag(parseFeatures(featuresStr), AirPlayFeatureFlags.SupportsHangdogRemoteControl);
 }
+/**
+* Feature bitmask advertised when connecting for remote control sessions.
+*
+* Includes media control, system pairing, encryption, volume, and
+* hangdog remote control capabilities.
+*/
+const SENDER_FEATURES_REMOTE_CONTROL = AirPlayFeatureFlags.SupportsAirPlayAudio | AirPlayFeatureFlags.AudioRedundant | AirPlayFeatureFlags.MetadataFeatures0 | AirPlayFeatureFlags.MetadataFeatures1 | AirPlayFeatureFlags.MetadataFeatures2 | AirPlayFeatureFlags.MetadataFeatures3 | AirPlayFeatureFlags.Authentication4 | AirPlayFeatureFlags.Authentication1 | AirPlayFeatureFlags.HasUnifiedAdvertiserInfo | AirPlayFeatureFlags.SupportsUnifiedMediaControl | AirPlayFeatureFlags.SupportsSystemPairing | AirPlayFeatureFlags.SupportsCoreUtilsPairingAndEncryption | AirPlayFeatureFlags.SupportsHKPairingAndAccessControl | AirPlayFeatureFlags.SupportsHangdogRemoteControl | AirPlayFeatureFlags.SupportsAPSync | AirPlayFeatureFlags.SupportsSetPeersExtendedMessage | AirPlayFeatureFlags.SupportsVolume;
+/**
+* Feature bitmask advertised when connecting for audio streaming sessions.
+*
+* Extends the remote control features with buffered audio, audio stream
+* connection setup, metadata control, format negotiation, and PTP
+* synchronization support.
+*/
+const SENDER_FEATURES_AUDIO = SENDER_FEATURES_REMOTE_CONTROL | AirPlayFeatureFlags.SupportsBufferedAudio | AirPlayFeatureFlags.SupportsAudioStreamConnectionSetup | AirPlayFeatureFlags.SupportsAudioMetadataControl | AirPlayFeatureFlags.AudioFormats0 | AirPlayFeatureFlags.AudioFormats1 | AirPlayFeatureFlags.AudioFormats2 | AirPlayFeatureFlags.AudioFormats3 | AirPlayFeatureFlags.SupportsPTP;
 
 //#endregion
 //#region src/storage.ts
@@ -418,12 +441,20 @@ async function waitFor(ms) {
 
 //#endregion
 //#region src/const.ts
+/** Default number of bytes per audio channel sample (16-bit PCM). */
+const AUDIO_BYTES_PER_CHANNEL = 2;
+/** Default number of audio channels (stereo). */
+const AUDIO_CHANNELS = 2;
+/** Number of PCM audio frames packed into a single RTP packet (ALAC/RAOP standard). */
+const AUDIO_FRAMES_PER_PACKET = 352;
+/** Default audio sample rate in Hz (CD quality). */
+const AUDIO_SAMPLE_RATE = 44100;
 /** Default PIN used for transient (non-persistent) AirPlay pairing sessions. */
 const AIRPLAY_TRANSIENT_PIN = "3939";
 /** Timeout in milliseconds for HTTP requests during setup and control. */
 const HTTP_TIMEOUT = 6e3;
-/** Timeout in milliseconds for TCP socket connections during initial connect. */
-const SOCKET_TIMEOUT = 1e4;
+/** Timeout in milliseconds for TCP socket connections during initial connect. Matches Apple's 30s default. */
+const SOCKET_TIMEOUT = 3e4;
 /** mDNS service type for AirPlay device discovery. */
 const AIRPLAY_SERVICE = "_airplay._tcp.local";
 /** mDNS service type for Companion Link (remote control protocol) device discovery. */
@@ -788,6 +819,7 @@ const decodeSrvRecord = (buf, offset) => {
 */
 const decodeResource = (buf, offset) => {
 	const [qname, nameEnd] = decodeQName(buf, offset);
+	if (nameEnd + 10 > buf.byteLength) return null;
 	const qtype = buf.readUInt16BE(nameEnd);
 	const qclass = buf.readUInt16BE(nameEnd + 2);
 	const ttl = buf.readUInt32BE(nameEnd + 4);
@@ -832,7 +864,7 @@ const decodeResource = (buf, offset) => {
 * @param buf - The raw DNS response packet.
 * @returns The parsed header, answer records, and additional resource records.
 */
-const decodeDnsResponse = (buf) => {
+function decodeDnsResponse(buf) {
 	const header = decodeDnsHeader(buf);
 	let offset = 12;
 	for (let i = 0; i < header.qdcount; i++) {
@@ -841,17 +873,22 @@ const decodeDnsResponse = (buf) => {
 	}
 	const answers = [];
 	for (let i = 0; i < header.ancount; i++) {
-		const [record, newOffset] = decodeResource(buf, offset);
+		const result = decodeResource(buf, offset);
+		if (!result) break;
+		const [record, newOffset] = result;
 		answers.push(record);
 		offset = newOffset;
 	}
 	for (let i = 0; i < header.nscount; i++) {
-		const [, newOffset] = decodeResource(buf, offset);
-		offset = newOffset;
+		const result = decodeResource(buf, offset);
+		if (!result) break;
+		offset = result[1];
 	}
 	const resources = [];
 	for (let i = 0; i < header.arcount; i++) {
-		const [record, newOffset] = decodeResource(buf, offset);
+		const result = decodeResource(buf, offset);
+		if (!result) break;
+		const [record, newOffset] = result;
 		resources.push(record);
 		offset = newOffset;
 	}
@@ -860,7 +897,7 @@ const decodeDnsResponse = (buf) => {
 		answers,
 		resources
 	};
-};
+}
 /**
 * Aggregates DNS records from multiple mDNS responses and resolves them
 * into complete service descriptions. Correlates PTR, SRV, TXT, and A records
@@ -927,7 +964,7 @@ var ServiceCollector = class {
 	}
 };
 /** Well-known ports used to wake sleeping Apple devices via TCP SYN. */
-const WAKE_PORTS$1 = [
+const WAKE_PORTS = [
 	7e3,
 	3689,
 	49152,
@@ -940,8 +977,8 @@ const WAKE_PORTS$1 = [
 * @param address - The IP address of the device to wake.
 * @returns A promise that resolves when all knock attempts complete (success or failure).
 */
-const knock = (address) => {
-	const promises = WAKE_PORTS$1.map((port) => new Promise((resolve) => {
+function knock(address) {
+	const promises = WAKE_PORTS.map((port) => new Promise((resolve) => {
 		const socket = createConnection({
 			host: address,
 			port,
@@ -961,7 +998,7 @@ const knock = (address) => {
 		});
 	}));
 	return Promise.all(promises).then(() => {});
-};
+}
 /**
 * Performs unicast DNS-SD queries to specific hosts. First wakes the devices
 * via TCP knocking, then repeatedly sends DNS queries via UDP to port 5353 on
@@ -1274,13 +1311,6 @@ const reporter = new Reporter();
 //#region src/discovery.ts
 /** Cache time-to-live in milliseconds. */
 const CACHE_TTL = 3e4;
-/** Ports used for wake-on-network "knocking" to wake sleeping Apple devices. */
-const WAKE_PORTS = [
-	7e3,
-	3689,
-	49152,
-	32498
-];
 /**
 * Converts a raw mDNS service record into a {@link DiscoveryResult}.
 *
@@ -1393,27 +1423,8 @@ var Discovery = class Discovery {
 	*
 	* @param address - The IP address of the device to wake.
 	*/
-	static async wake(address) {
-		const promises = WAKE_PORTS.map((port) => new Promise((resolve) => {
-			const socket = createConnection({
-				host: address,
-				port,
-				timeout: 500
-			});
-			socket.on("connect", () => {
-				socket.destroy();
-				resolve();
-			});
-			socket.on("error", () => {
-				socket.destroy();
-				resolve();
-			});
-			socket.on("timeout", () => {
-				socket.destroy();
-				resolve();
-			});
-		}));
-		await Promise.all(promises);
+	static wake(address) {
+		return knock(address);
 	}
 	/**
 	* Discovers all Apple devices on the network across all supported service types
@@ -1892,6 +1903,42 @@ var Context = class {
 	}
 };
 
+//#endregion
+//#region src/hkdf.ts
+/**
+* Derives a pair of ChaCha20 encryption keys (read + write) from a shared secret
+* using HKDF-SHA512 with direction-specific info strings.
+*
+* This is a shared helper used across AirPlay, Companion Link, and RAOP pairing
+* flows to eliminate repeated HKDF boilerplate. The salt and info strings vary
+* per protocol and stream type.
+*
+* @param sharedSecret - The shared secret from a pair-verify or pair-setup flow.
+* @param salt - HKDF salt string (protocol-specific, e.g. 'Control-Salt').
+* @param readInfo - HKDF info string for the read (decrypt) key.
+* @param writeInfo - HKDF info string for the write (encrypt) key.
+* @returns An object with `readKey` and `writeKey` as 32-byte Buffers.
+*/
+function deriveEncryptionKeys(sharedSecret, salt, readInfo, writeInfo) {
+	const saltBuffer = Buffer.from(salt);
+	return {
+		readKey: hkdf({
+			hash: "sha512",
+			key: sharedSecret,
+			length: 32,
+			salt: saltBuffer,
+			info: Buffer.from(readInfo)
+		}),
+		writeKey: hkdf({
+			hash: "sha512",
+			key: sharedSecret,
+			length: 32,
+			salt: saltBuffer,
+			info: Buffer.from(writeInfo)
+		})
+	};
+}
+
 //#endregion
 //#region ../../node_modules/.bun/fast-srp-hap@2.0.4/node_modules/fast-srp-hap/jsbn/jsbn.js
 var require_jsbn = /* @__PURE__ */ __commonJSMin(((exports, module) => {
@@ -3965,6 +4012,8 @@ var AccessoryPair = class extends BasePairing {
 	#pairingId;
 	/** Protocol-specific callback for sending TLV8-encoded pair-setup requests. */
 	#requestHandler;
+	/** Whether to use AES-128-CTR instead of ChaCha20-Poly1305 for M5/M6 encryption. */
+	#useAes;
 	/** Ed25519 public key for long-term identity. */
 	#publicKey;
 	/** Ed25519 secret key for signing identity proofs. */
@@ -3975,11 +4024,17 @@ var AccessoryPair = class extends BasePairing {
 	* @param context - Shared context for logging and device identity.
 	* @param requestHandler - Callback that sends TLV8-encoded data and returns the response.
 	*/
-	constructor(context, requestHandler) {
+	/**
+	* @param context - Shared context for logging and device identity.
+	* @param requestHandler - Callback that sends TLV8-encoded data and returns the response.
+	* @param useAes - Use AES-128-CTR instead of ChaCha20-Poly1305 for M5/M6 encryption (legacy devices).
+	*/
+	constructor(context, requestHandler, useAes = false) {
 		super(context);
 		this.#name = "basmilius/apple-protocols";
 		this.#pairingId = Buffer.from(v4().toUpperCase());
 		this.#requestHandler = requestHandler;
+		this.#useAes = useAes;
 	}
 	/** Generates a new Ed25519 key pair for long-term identity. Must be called before pin() or transient(). */
 	async start() {
@@ -4020,20 +4075,7 @@ var AccessoryPair = class extends BasePairing {
 		const m2 = await this.m2(m1);
 		const m3 = await this.m3(m2);
 		const m4 = await this.m4(m3);
-		const accessoryToControllerKey = hkdf({
-			hash: "sha512",
-			key: m4.sharedSecret,
-			length: 32,
-			salt: Buffer.from("Control-Salt"),
-			info: Buffer.from("Control-Read-Encryption-Key")
-		});
-		const controllerToAccessoryKey = hkdf({
-			hash: "sha512",
-			key: m4.sharedSecret,
-			length: 32,
-			salt: Buffer.from("Control-Salt"),
-			info: Buffer.from("Control-Write-Encryption-Key")
-		});
+		const { readKey: accessoryToControllerKey, writeKey: controllerToAccessoryKey } = deriveEncryptionKeys(m4.sharedSecret, "Control-Salt", "Control-Read-Encryption-Key", "Control-Write-Encryption-Key");
 		return {
 			pairingId: this.#pairingId,
 			sharedSecret: m4.sharedSecret,
@@ -4135,10 +4177,34 @@ var AccessoryPair = class extends BasePairing {
 			[TLV8.Value.Signature, Buffer.from(signature)],
 			[TLV8.Value.Name, OPack.encode({ name: this.#name })]
 		]);
-		const { authTag, ciphertext } = Chacha20.encrypt(sessionKey, Buffer.from("PS-Msg05"), null, innerTlv);
-		const encrypted = Buffer.concat([ciphertext, authTag]);
+		let encrypted;
+		if (this.#useAes) {
+			const aesKey = hkdf({
+				hash: "sha512",
+				key: m4.sharedSecret,
+				length: 16,
+				salt: Buffer.alloc(0),
+				info: Buffer.from("Pair-Setup-AES-Key")
+			});
+			const aesIv = hkdf({
+				hash: "sha512",
+				key: m4.sharedSecret,
+				length: 16,
+				salt: Buffer.alloc(0),
+				info: Buffer.from("Pair-Setup-AES-IV")
+			});
+			encrypted = Aes.encrypt(aesKey, aesIv, innerTlv);
+		} else {
+			const { authTag, ciphertext } = Chacha20.encrypt(sessionKey, Buffer.from("PS-Msg05"), null, innerTlv);
+			encrypted = Buffer.concat([ciphertext, authTag]);
+		}
 		const response = await this.#requestHandler("m5", TLV8.encode([[TLV8.Value.State, TLV8.State.M5], [TLV8.Value.EncryptedData, encrypted]]));
 		const encryptedDataRaw = this.tlv(response).get(TLV8.Value.EncryptedData);
+		if (this.#useAes) return {
+			authTag: Buffer.alloc(0),
+			data: encryptedDataRaw,
+			sessionKey
+		};
 		const encryptedData = encryptedDataRaw.subarray(0, -16);
 		return {
 			authTag: encryptedDataRaw.subarray(-16),
@@ -4156,7 +4222,24 @@ var AccessoryPair = class extends BasePairing {
 	* Returns the accessory's long-term public key and identifier for future Pair-Verify sessions.
 	*/
 	async m6(m4, m5) {
-		const data = Chacha20.decrypt(m5.sessionKey, Buffer.from("PS-Msg06"), null, m5.data, m5.authTag);
+		let data;
+		if (this.#useAes) {
+			const aesKey = hkdf({
+				hash: "sha512",
+				key: m4.sharedSecret,
+				length: 16,
+				salt: Buffer.alloc(0),
+				info: Buffer.from("Pair-Setup-AES-Key")
+			});
+			const aesIv = hkdf({
+				hash: "sha512",
+				key: m4.sharedSecret,
+				length: 16,
+				salt: Buffer.alloc(0),
+				info: Buffer.from("Pair-Setup-AES-IV")
+			});
+			data = Aes.decrypt(aesKey, aesIv, m5.data);
+		} else data = Chacha20.decrypt(m5.sessionKey, Buffer.from("PS-Msg06"), null, m5.data, m5.authTag);
 		const tlv = TLV8.decode(data);
 		const accessoryIdentifier = tlv.get(TLV8.Value.Identifier);
 		const accessoryLongTermPublicKey = tlv.get(TLV8.Value.PublicKey);
@@ -4197,14 +4280,18 @@ var AccessoryVerify = class extends BasePairing {
 	#ephemeralKeyPair;
 	/** Protocol-specific callback for sending TLV8-encoded pair-verify requests. */
 	#requestHandler;
+	/** Whether to use AES-128-CTR instead of ChaCha20-Poly1305 for encryption. */
+	#useAes;
 	/**
 	* @param context - Shared context for logging and device identity.
 	* @param requestHandler - Callback that sends TLV8-encoded data and returns the response.
+	* @param useAes - Use AES-128-CTR instead of ChaCha20-Poly1305 for encryption (legacy devices).
 	*/
-	constructor(context, requestHandler) {
+	constructor(context, requestHandler, useAes = false) {
 		super(context);
 		this.#ephemeralKeyPair = Curve25519.generateKeyPair();
 		this.#requestHandler = requestHandler;
+		this.#useAes = useAes;
 	}
 	/**
 	* Performs the full pair-verify flow (M1 through M4) using stored credentials
@@ -4255,9 +4342,28 @@ var AccessoryVerify = class extends BasePairing {
 			salt: Buffer.from("Pair-Verify-Encrypt-Salt"),
 			info: Buffer.from("Pair-Verify-Encrypt-Info")
 		});
-		const encryptedData = m1.encryptedData.subarray(0, -16);
-		const encryptedTag = m1.encryptedData.subarray(-16);
-		const data = Chacha20.decrypt(sessionKey, Buffer.from("PV-Msg02"), null, encryptedData, encryptedTag);
+		let data;
+		if (this.#useAes) {
+			const aesKey = hkdf({
+				hash: "sha512",
+				key: sharedSecret,
+				length: 16,
+				salt: Buffer.alloc(0),
+				info: Buffer.from("Pair-Verify-AES-Key")
+			});
+			const aesIv = hkdf({
+				hash: "sha512",
+				key: sharedSecret,
+				length: 16,
+				salt: Buffer.alloc(0),
+				info: Buffer.from("Pair-Verify-AES-IV")
+			});
+			data = Aes.decrypt(aesKey, aesIv, m1.encryptedData);
+		} else {
+			const encryptedData = m1.encryptedData.subarray(0, -16);
+			const encryptedTag = m1.encryptedData.subarray(-16);
+			data = Chacha20.decrypt(sessionKey, Buffer.from("PV-Msg02"), null, encryptedData, encryptedTag);
+		}
 		const tlv = TLV8.decode(data);
 		const accessoryIdentifier = tlv.get(TLV8.Value.Identifier);
 		const accessorySignature = tlv.get(TLV8.Value.Signature);
@@ -4289,8 +4395,27 @@ var AccessoryVerify = class extends BasePairing {
 		]);
 		const iosDeviceSignature = Buffer.from(Ed25519.sign(iosDeviceInfo, secretKey));
 		const innerTlv = TLV8.encode([[TLV8.Value.Identifier, pairingId], [TLV8.Value.Signature, iosDeviceSignature]]);
-		const { authTag, ciphertext } = Chacha20.encrypt(m2.sessionKey, Buffer.from("PV-Msg03"), null, innerTlv);
-		const encrypted = Buffer.concat([ciphertext, authTag]);
+		let encrypted;
+		if (this.#useAes) {
+			const aesKey = hkdf({
+				hash: "sha512",
+				key: m2.sharedSecret,
+				length: 16,
+				salt: Buffer.alloc(0),
+				info: Buffer.from("Pair-Verify-AES-Key")
+			});
+			const aesIv = hkdf({
+				hash: "sha512",
+				key: m2.sharedSecret,
+				length: 16,
+				salt: Buffer.alloc(0),
+				info: Buffer.from("Pair-Verify-AES-IV")
+			});
+			encrypted = Aes.encrypt(aesKey, aesIv, innerTlv);
+		} else {
+			const { authTag, ciphertext } = Chacha20.encrypt(m2.sessionKey, Buffer.from("PV-Msg03"), null, innerTlv);
+			encrypted = Buffer.concat([ciphertext, authTag]);
+		}
 		await this.#requestHandler("m3", TLV8.encode([[TLV8.Value.State, TLV8.State.M3], [TLV8.Value.EncryptedData, encrypted]]));
 		return {};
 	}
@@ -4488,16 +4613,16 @@ var TimingServer = class {
 	constructor() {
 		this.#logger = new Logger("timing-server");
 		this.#socket = createSocket("udp4");
-		this.onConnect = this.onConnect.bind(this);
 		this.onError = this.onError.bind(this);
 		this.onMessage = this.onMessage.bind(this);
-		this.#socket.on("connect", this.onConnect);
 		this.#socket.on("error", this.onError);
 		this.#socket.on("message", this.onMessage);
 	}
 	/** Closes the UDP socket and resets the port. */
 	close() {
-		this.#socket.close();
+		try {
+			this.#socket.close();
+		} catch {}
 		this.#port = 0;
 	}
 	/**
@@ -4523,13 +4648,6 @@ var TimingServer = class {
 		});
 	}
 	/**
-	* Handles the socket 'connect' event by configuring buffer sizes.
-	*/
-	onConnect() {
-		this.#socket.setRecvBufferSize(16384);
-		this.#socket.setSendBufferSize(16384);
-	}
-	/**
 	* Handles socket errors by logging them.
 	*
 	* @param err - The error that occurred.
@@ -4589,7 +4707,7 @@ var TimingServer = class {
 * @returns A random 32-bit unsigned integer as a decimal string.
 */
 function generateActiveRemoteId() {
-	return Math.floor(Math.random() * 2 ** 32).toString(10);
+	return randomBytes(4).readUInt32BE(0).toString(10);
 }
 /**
 * Generates a random DACP-ID for identifying this controller in DACP sessions.
@@ -4597,7 +4715,7 @@ function generateActiveRemoteId() {
 * @returns A random 64-bit integer as an uppercase hexadecimal string.
 */
 function generateDacpId() {
-	return Math.floor(Math.random() * 2 ** 64).toString(16).toUpperCase();
+	return randomBytes(8).toString("hex").toUpperCase();
 }
 /**
 * Generates a random session identifier for RTSP and AirPlay sessions.
@@ -4605,7 +4723,7 @@ function generateDacpId() {
 * @returns A random 32-bit unsigned integer as a decimal string.
 */
 function generateSessionId() {
-	return Math.floor(Math.random() * 2 ** 32).toString(10);
+	return randomBytes(4).readUInt32BE(0).toString(10);
 }
 /**
 * Finds the first non-internal IPv4 address on this machine.
@@ -4789,42 +4907,54 @@ const MODEL_TYPES = {
 * @param identifier - Model identifier (e.g. "AppleTV6,2") or internal name (e.g. "J305AP").
 * @returns The matching device model, or {@link DeviceModel.Unknown} if unrecognized.
 */
-const lookupDeviceModel = (identifier) => MODEL_IDENTIFIERS[identifier] ?? INTERNAL_NAMES[identifier] ?? DeviceModel.Unknown;
+function lookupDeviceModel(identifier) {
+	return MODEL_IDENTIFIERS[identifier] ?? INTERNAL_NAMES[identifier] ?? DeviceModel.Unknown;
+}
 /**
 * Returns the human-readable display name for a device model.
 *
 * @param model - The device model to look up.
 * @returns A display name like "Apple TV 4K (2nd generation)", or "Unknown".
 */
-const getDeviceModelName = (model) => MODEL_NAMES[model] ?? "Unknown";
+function getDeviceModelName(model) {
+	return MODEL_NAMES[model] ?? "Unknown";
+}
 /**
 * Returns the high-level device type category for a device model.
 *
 * @param model - The device model to categorize.
 * @returns The device type (AppleTV, HomePod, AirPort, or Unknown).
 */
-const getDeviceType = (model) => MODEL_TYPES[model] ?? DeviceType.Unknown;
+function getDeviceType(model) {
+	return MODEL_TYPES[model] ?? DeviceType.Unknown;
+}
 /**
 * Checks whether the given model is an Apple TV.
 *
 * @param model - The device model to check.
 * @returns True if the model is any Apple TV generation.
 */
-const isAppleTV = (model) => getDeviceType(model) === DeviceType.AppleTV;
+function isAppleTV(model) {
+	return getDeviceType(model) === DeviceType.AppleTV;
+}
 /**
 * Checks whether the given model is a HomePod.
 *
 * @param model - The device model to check.
 * @returns True if the model is any HomePod variant.
 */
-const isHomePod = (model) => getDeviceType(model) === DeviceType.HomePod;
+function isHomePod(model) {
+	return getDeviceType(model) === DeviceType.HomePod;
+}
 /**
 * Checks whether the given model is an AirPort Express.
 *
 * @param model - The device model to check.
 * @returns True if the model is any AirPort Express generation.
 */
-const isAirPort = (model) => getDeviceType(model) === DeviceType.AirPort;
+function isAirPort(model) {
+	return getDeviceType(model) === DeviceType.AirPort;
+}
 
 //#endregion
-export { AIRPLAY_SERVICE, AIRPLAY_TRANSIENT_PIN, AccessoryPair, AccessoryVerify, AirPlayFeatureFlags, AppleProtocolError, AuthenticationError, COMPANION_LINK_SERVICE, CommandError, Connection, ConnectionClosedError, ConnectionError, ConnectionRecovery, ConnectionTimeoutError, Context, CredentialsError, DeviceModel, DeviceType, Discovery, DiscoveryError, ENCRYPTION, EncryptionAwareConnection, EncryptionError, EncryptionState, HTTP_TIMEOUT, InvalidResponseError, JsonStorage, MemoryStorage, PairingError, PlaybackError, RAOP_SERVICE, SetupError, Storage, TimeoutError, TimingServer, describeFlags, generateActiveRemoteId, generateDacpId, generateSessionId, getDeviceModelName, getDeviceType, getLocalIP, getMacAddress, getPairingRequirement, getProtocolVersion, hasFeatureFlag, isAirPort, isAppleTV, isHomePod, isPasswordRequired, isRemoteControlSupported, lookupDeviceModel, multicast as mdnsMulticast, unicast as mdnsUnicast, parseFeatures, prompt, randomInt32, randomInt64, reporter, uint16ToBE, uint53ToLE, v4 as uuid, waitFor };
+export { AIRPLAY_SERVICE, AIRPLAY_TRANSIENT_PIN, AUDIO_BYTES_PER_CHANNEL, AUDIO_CHANNELS, AUDIO_FRAMES_PER_PACKET, AUDIO_SAMPLE_RATE, AccessoryPair, AccessoryVerify, AirPlayFeatureFlags, AppleProtocolError, AuthenticationError, COMPANION_LINK_SERVICE, CommandError, Connection, ConnectionClosedError, ConnectionError, ConnectionRecovery, ConnectionTimeoutError, Context, CredentialsError, DeviceModel, DeviceType, Discovery, DiscoveryError, ENCRYPTION, EncryptionAwareConnection, EncryptionError, EncryptionState, HTTP_TIMEOUT, InvalidResponseError, JsonStorage, MemoryStorage, PairingError, PlaybackError, RAOP_SERVICE, SENDER_FEATURES_AUDIO, SENDER_FEATURES_REMOTE_CONTROL, SOCKET_TIMEOUT, SetupError, Storage, TimeoutError, TimingServer, deriveEncryptionKeys, describeFlags, generateActiveRemoteId, generateDacpId, generateSessionId, getDeviceModelName, getDeviceType, getLocalIP, getMacAddress, getPairingRequirement, getProtocolVersion, hasFeatureFlag, isAirPort, isAppleTV, isHomePod, isPasswordRequired, isRemoteControlSupported, lookupDeviceModel, multicast as mdnsMulticast, unicast as mdnsUnicast, parseFeatures, prompt, randomInt32, randomInt64, reporter, uint16ToBE, uint53ToLE, v4 as uuid, waitFor };

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@basmilius/apple-common",
     "description": "Common features shared across various apple protocol packages.",
-    "version": "0.10.1",
+    "version": "0.12.0",
     "type": "module",
     "license": "MIT",
     "author": {
@@ -45,14 +45,14 @@
         }
     },
     "dependencies": {
-        "@basmilius/apple-encoding": "0.10.1",
-        "@basmilius/apple-encryption": "0.10.1"
+        "@basmilius/apple-encoding": "0.12.0",
+        "@basmilius/apple-encryption": "0.12.0"
     },
     "devDependencies": {
         "@types/bun": "^1.3.11",
         "@types/node": "^25.5.0",
         "fast-srp-hap": "^2.0.4",
-        "tsdown": "^0.21.4",
+        "tsdown": "^0.21.6",
         "uuid": "^13.0.0"
     }
 }