Protocols/MSNP/MSNP8/Authentication
Overview
The first step into authenticating yourself on the MSN Messenger network is to connect to the Dispatch Server, decide on which version of protocol you are using, and retrieve the IP address of the proper Notification Server.
When you first connect to a notification server, you are in the "login stage", which involves agreeing on a protocol version to use, authenticating yourself to the MSN server, and possibly being redirected to another notification server if the current one is overloaded.
During the login stage, the server behaves different from normal. Communication is essentially synchronous - the client sends a command to the server, the server responds, the client sends another command, and so on. If you send a command at the wrong time, the server will send Error 715, then close the connection. If you send a command which has no meaning during the login stage, the connection will close immediately with no error. None of these rules apply outside of the login stage.
Negotiating MSNP & Client Version
VER
The VER command notifies the server which protocol versions the client supports. The VER command is a standard command and lists the supported protocol versions as parameters (note that protocol versions are case sensitive). If the server supports at least one of these protocols the parameter(s) recieved will be a list of the supported protocol(s), otherwise the response will contain a single parameter of 0, and will disconnect you immediately (this shouldn't normally happen).
Successful protocol negotiation
- Open connection to messenger.hotmail.com:1863 < VER 1 MSNP11 CVR0\r\n > VER 1 MSNP11 CVR0\r\n - Continue authentication
Unsuccessful protocol negotiation
- Open connection to messenger.hotmail.com:1863 < VER 1 Unsupported CVR0\r\n > VER 1 CVR0\r\n - Server closes connection
Sending multiple versions, server supports one
- Open connection to messenger.hotmail.com:1863 < VER 1 MSNP11 Unsupported CVR0\r\n > VER 1 MSNP11 CVR0\r\n - Continue authentication
Sending multiple versions, server picks its favorite
- Open connection to messenger.hotmail.com:1863 < VER 1 MSNP9 MSNP10 MSNP11 MSNP12 CVR0\r\n > VER 1 MSNP12 MSNP11 MSNP10 MSNP9 CVR0\r\n - Continue authentication
CVR
The CVR command is also a standard command, that is used to send version information about a client and operating system to the server. The server will reply with information about the version of the client that users are currently recommended to use (which may be the same as the version currently being used).
The CVR command includes information about the language you speak, the name and version of your client, and the name and version of your OS. You can send a CVR command to the NS at any time after you have finished logging in, but the official client always sends it immediately after sending the initial CHG. You can send CVR as many or as few times as you like. CVR has a TrID and 8 parameters.
- The first parameter is hexadecimal number specifying your locale ID (e.g. "0x0409" For U.S. English).
- The second parameter is your OS type (e.g. "win" for Windows).
- The third parameter is your OS version (e.g. "4.10" for Windows 98).
- The fourth parameter is the architecture of your computer (e.g. "i386" for Intel-comaptible PCs of type 386 or above).
- The fifth parameter is your client name (e.g. "MSMSGR" for the official MSN Messenger client).
- The sixth parameter is your client version (e.g. "6.0.0602").
- The seventh parameter is always "MSMSGS" in the official client. Your guess about what this means is as good as mine.
- The eighth parameter is your passport.
Like with any other command, the server will reply to a CVR command with a CVR reply. For some reason, though, the official client would be just as happy if you replaced CVR with CVQ in the reply. The reply command will contain 5 parameters:
- The first parameter is a recommended version of the client for you to use, or "1.0.0000" if your client information is not recognised.
- The second parameter is identical to the first.
- The third parameter is the minimum version of the client it's safe for you to use, or the current version if your client information is not recognised..
- The fourth parameter is a URL you can download the recommended version of the client from.
- The fifth parameter is a URL the user can go to to get more information about the client.
If your current client version is less than the minimum safe version, that means MS is forcing a mandatory update or to update security holes..
Example using version 6.0.0602 of the official client
>>> CVR 2 0x0409 win 4.10 i386 MSNMSGR 5.0.0544 MSMSGS example@passport.com\r\n <<< CVR 2 6.0.0602 6.0.0602 1.0.0000 http://download.microsoft.com/download/8/a/4/8a42bcae-f533-4468-b871-d2bc8dd32e9e/SETUP9x.EXE http://messenger.msn.com\r\n
Authentication
Initial USR
After receiving the response to CVR, you must send the USR command. It has a TrID.
- The first parameter is the authentication system (always TWN).
- The second parameter is always the letter I (standing for initiating authentication).
- The third parameter is the account name that you want to log on with.
If the server does not like your USR, it will close the connection with no reply, or possibly send an error first, Error 911 is sent when sending invalid account names such as "hotmail.com".
Sometimes, when the server is having problems or is down for maintenance, it will reply with an error instead of logging you in. Some possible errors include error 500, error 601, error 910, and error 921.
Otherwise, the server will either respond with a XFR (transferring you to another notification server) or a subsequent USR.
< USR 3 TWN I example@passport.com\r\n
XFR
When talking to the Protocols/MSNP/Dispatch server, it will always respond to the initial USR with an XFR. Other Protocols/MSNP/Notification servers very rarely send XFR - presumably, they send it when they are overloaded or going down for maintenance. Be prepared to gracefully handle this weird situation!
The XFR command will have the same TrID as the previous USR and four parameters.
- The first parameter is NS, telling you that it is transferring you to a notification server.
- The second parameter is the IP and port of the notification server, separated by a colon. The port seems to always be 1863, but it's best not to rely on that always being the case.
- The third parameter is always 0 (zero).
- The fourth parameter is the IP address and port (separated by a colon) of the server that you are currently connected to.
Example USR command and XFR reply
< USR 2 TWN I example@passport.com\r\n > XFR 2 NS 207.46.106.145:1863 0 207.46.104.20:1863\r\n
After you receive the XFR, the server will close the connection. You must connect to the specified notification server and start the login process again. There is no communication between notification servers, so you could specify a different protocol version, name and so on when logging into the new notification server.
Subsequent USR
After negotiating the MSN protocol version and redirecting to a proper Protocols/MSNP/Notification server, the server will send a subsequent USR. It is a standard command with 3 parameters.
- The first parameter should be TWN if using MSNP8 and onwards
- The second parameter is always an S, meaning subsequent
- The last parameter is used in TWN authentication
< USR 3 TWN I example@passport.com\r\n > USR 3 TWN S lc=1033,id=507,tw=40,fs=1,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1062764229,kpp=1,kv=5,ver=2.1.0173.1,tpf=43f8a4c8ed940c04e3740be46c4d1619\r\n
Tweener (TWN) Authentication
Now the client must actually authenticate with the server, in MSNP11 this is done with Protocols/MSNP/Tweener which is MSN Messengers method of tying into the Microsoft .NET Passport system.
Final USR
After getting your ticket, you must send the final USR command. It has a TrID, the first parameter is TWN, the second parameter is S, and the third parameter is your ticket.
If the ticket is correct, the server will respond with a USR with OK as the first parameter, your account name as the second parameter, your URL-encoded display name as the third parameter, 0 or 1 as the fourth parameter, and 0 as the fifth. The fourth parameter represents whether or not your Passport has been verified (1 is true, 0 is false). We don't yet know what the fifth parameter means.
If your your ticket is incorrect, the server will respond with error 911 and close the connection. If anything else is wrong (including an invalid digest size), the server will close the connection with no error.
Sometimes, when the server is having problems or is down for maintenance, it will reply with an error instead of logging you in. Some possible errors include error 500, error 601, error 910, and error 921.
Example Session
Client connects to the Protocols/MSNP/Dispatch server
>>> VER 1 MSNP11 CVR0\r\n <<< VER 1 MSNP11 CVR0\r\n
>>> CVR 2 0x0409 win 4.10 i386 MSNMSGR 5.0.0544 MSMSGS example@passport.com\r\n <<< CVR 2 6.0.0602 6.0.0602 1.0.0000 http://download.microsoft.com/download/8/a/4/8a42bcae-f533-4468-b871-d2bc8dd32e9e/SETUP9x.EXE http://messenger.msn.com\r\n
>>> USR 3 TWN I example@passport.com\r\n <<< XFR 3 NS 207.46.106.35:1863 0 207.46.104.20:1863\r\n
Client closes connection and connects to 207.46.106.35, port 1863
>>> VER 1 MSNP11 CVR0\r\n <<< VER 1 MSNP11 CVR0\r\n
>>> CVR 2 0x0409 win 4.10 i386 MSNMSGR 5.0.0544 MSMSGS example@passport.com\r\n <<< CVR 2 6.0.0602 6.0.0602 1.0.0000 http://download.microsoft.com/download/8/a/4/8a42bcae-f533-4468-b871-d2bc8dd32e9e/SETUP9x.EXE http://messenger.msn.com\r\n
>>> USR 3 TWN I example@passport.com\r\n <<< USR 3 TWN S lc=1033,id=507,tw=40,fs=1,ru=http%3A%2F%2Fmessenger%2Emsn%2Ecom,ct=1062764229,kpp=1,kv=5,ver=2.1.0173.1,tpf=43f8a4c8ed940c04e3740be46c4d1619\r\n
Client authenticates with Protocols/MSNP/Tweener
>>> USR 4 TWN S t=53*1hAu8ADuD3TEwdXoOMi08sD*2!cMrntTwVMTjoB3p6stWTqzbkKZPVQzA5NOt19SLI60PY!b8K4YhC!Ooo5ug$$&p=5eKBBC!yBH6ex5mftp!a9DrSb0B3hU8aqAWpaPn07iCGBw5akemiWSd7t2ot!okPvIR!Wqk!MKvi1IMpxfhkao9wpxlMWYAZ!DqRfACmyQGG112Bp9xrk04!BVBUa9*H9mJLoWw39m63YQRE1yHnYNv08nyz43D3OnMcaCoeSaEHVM7LpR*LWDme29qq2X3j8N\r\n <<< USR 4 OK example@passport.com example%20display%20name 1 0\r\n