Portfolio Blog Code Repository Contact
March 01, 2026 1 min read

The Chameleon Engine: How XTLS-REALITY and VMess Make Traffic Invisible

Black Phoenix Protocol Series
Building Black Phoenix Protocol A Security Engineering Blog

The Core Insight: Don't Hide Become Something Else

If you've read the previous posts, you know that encryption alone won't save you from a state-level adversary. DPI systems don't need to decrypt your traffic they identify it by shape, timing, and statistical fingerprint.

So BPP takes a fundamentally different approach. Instead of inventing a new protocol that might get fingerprinted next month, we built the Chameleon Engine a multi-protocol obfuscation system that disguises BPP traffic as existing, legitimate protocols. Not "inspired by" or "similar to." Byte-for-byte identical on the wire.

Today we'll cover the first two transports: XTLS-REALITY and VMess.

XTLS-REALITY: Borrowing Someone Else's Identity

The Genius of REALITY

XTLS-REALITY, developed by the Xray community, represents arguably the most elegant anti-censorship technique ever devised. The core idea is deceptively simple:

Use a real website's certificate for the TLS handshake.

When a BPP client connects to a BPP server in REALITY mode, the traffic looks exactly like a connection to www.google-analytics.com (or any other chosen cover domain). Not approximately. Not kinda-sorta. The ClientHello contains real TLS 1.3 cipher suites, real extensions, and the real SNI of the cover domain.

How It Works Under the Hood

  1. The client sends a TLS 1.3 ClientHello it starts with the standard 0x16 0x03 0x01 header, contains the cipher suites TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384, and TLS_CHACHA20_POLY1305_SHA256, and sets the SNI to a legitimate domain.
  2. The server recognizes BPP traffic via a hidden discriminator in the ClientHello a specific pattern embedded in fields that DPI systems don't inspect closely. To any observer, it's just another TLS handshake.
  3. If a non-BPP client connects (say, a DPI probe), the server acts as a transparent proxy to the real cover site. The probe gets back the actual content of www.google-analytics.com. It literally can't tell the difference, because there is none.
  4. Once authenticated, the BPP session begins inside what looks like standard TLS Application Data records.

Why This Defeats Active Probing

Active probing is the DPI's nuclear option. China's GFW does it: when suspicious traffic is detected, the firewall itself connects to your server and sends test requests. If the server responds differently from a real web server, it gets blocked.

REALITY makes this impossible. When the GFW probes the BPP server, it gets back a legitimate web page. The BPP server IS a legitimate web server from the probe's perspective. There's nothing to differentiate.

The Entropy Match

Here's where it gets technically beautiful. The entropy of BPP traffic in REALITY mode averages 7.52 bits/byte sitting squarely inside the expected range of legitimate TLS 1.3 traffic (7.3 7.8 bits/byte). This isn't accidental. The TLS record headers (content_type, version, length fields) inject structured, non-random bytes into the stream, pulling the entropy down from the encrypted payload's ~8.0 to a natural-looking ~7.5.

A DPI system running entropy analysis will see exactly what it expects from HTTPS traffic. Nothing more, nothing less.

VMess: The Binary Chameleon

What Is VMess?

VMess (V2Ray's Mess protocol) is a binary proxy protocol from the V2Ray project. It uses AEAD authentication with a UUID-based identity system. BPP's VMess transport generates traffic that is wire-compatible with real VMess implementations.

The VMess Wire Format

A VMess frame in BPP follows the exact specification:

  1. 16-byte UUID identifies the session
  2. AEAD-encrypted payload the actual BPP data, wrapped in VMess-standard encryption
  3. Length field encoded in the VMess format

The key challenge was getting every byte right. VMess implementations are widely deployed, and DPI systems have existing signatures for "fake" VMess that doesn't match the real spec. One wrong byte order, one missing field, and the disguise falls apart.

The PeekConn Innovation

Here's a problem: the BPP server needs to support multiple transports simultaneously on the same port. A client might connect with REALITY, VMess, Trojan, or Shadowsocks. How does the server know which one?

We built PeekConn a wrapper around Go's net.Conn that reads the first 64 bytes of a connection without consuming them. This "peek" buffer is analyzed by each obfuscator's Match() function in order:

  1. Does it look like a TLS ClientHello? → XTLS-REALITY
  2. Does it start with a valid VMess UUID pattern? → VMess
  3. Does it contain a 56-byte hex HMAC hash? → Trojan
  4. Does it have a 32-byte random salt? → Shadowsocks

The bytes are then "unread" pushed back into the connection buffer so the matched obfuscator can process them normally. This cascade detection happens in microseconds and requires zero configuration from the user.

The Manager: Orchestrating the Disguise

Server-Side Detection

When a new connection arrives, the Manager runs the PeekConn cascade: each registered obfuscator examines the peek buffer, the first match wins. If nothing matches, the connection is dropped silently (no error response that might help a probe).

Client-Side Selection

The client can choose its transport via three strategies:

  • Explicit: User specifies the transport (e.g., -transport reality)
  • Smart Selection: BPP automatically chooses based on heuristics
  • Fallback Chain: Try the most stealthy first; if blocked, fall to the next

The default order is: XTLS-REALITY → uTLS → VMess → Trojan → Shadowsocks

This order isn't arbitrary. REALITY provides the strongest DPI resistance (indistinguishable from real HTTPS). If that fails perhaps TLS traffic is being throttled VMess and Trojan offer different evasion profiles. Shadowsocks, while the most "classic," still provides a viable fallback as its traffic has no protocol signature at all.

Real-World Impact: Wireshark Can't Tell

We captured BPP traffic in REALITY mode and analyzed it with Wireshark the gold standard network protocol analyzer used by both defenders and attackers worldwide.

The results:

  • Wireshark identifies the traffic as TLSv1.3
  • The ClientHello is parsed correctly with standard cipher suites ✓
  • The SNI field shows a legitimate domain (e.g., www.google-analytics.com) ✓
  • Application Data records follow the standard TLS format ✓
  • Verdict: Indistinguishable from legitimate HTTPS

We also tested with nDPI (the open-source DPI engine). It classified BPP-REALITY traffic as TLS.GoogleAnalytics. Not "suspicious." Not "unknown proxy." Just regular Google traffic.

Sources

  1. XTLS Community. "Xray-core, XTLS & REALITY." github.com/XTLS/Xray-core
  2. V2Ray Community. "Project V: Platform for building proxies to bypass network restrictions." v2fly.org
  3. Rescorla, E. "The Transport Layer Security (TLS) Protocol Version 1.3." RFC 8446, IETF, 2018.
  4. GFW Report. "How China Detects and Blocks Fully Encrypted Traffic." gfw.report (2023)
  5. Shannon, C. E. "A Mathematical Theory of Communication." Bell System Technical Journal, vol. 27, 1948.
  6. The Wireshark Foundation. "Wireshark Network Protocol Analyzer." wireshark.org
  7. ntop. "nDPI Open Source Deep Packet Inspection." ntop.org

Amine Boutouil

Security Architect · Technical Polymath

boutouil.me →