MySpaceIM Protocol Reverse Engineering

Document started on 20070329 by Jeff Connelly for a Google Summer of Code 2007 Application. Information in this document is entirely the result of original research; it is not endorsed by MySpace or NewsCorp.

Important: This document will no longer be maintained, in favor of the Pidgin Developer Wiki MySpaceIM page.

Hosts

Connect to im.myspace.akadns.net port 1863 TCP.

If port 1863 is not accessible, the client will try to connect using ports 6660,6661,6662,6665,6668,6669,0080 and 0443 in succession. If successful, the port will be stored in HKCU\Software\MySpace\IM\LastConnectedPort and used for further connections.

User

Users are identified by several means:

User ID - used extensively by protocol. User's web page at http://myspace.com/numeric_user_ID.
Email address - used to sign in, and locate buddies.
Username/IM Name - "Your unique name that can't be changed", shown on buddy lists, and for user's web page at http://myspace.com/username.
Display Name - Shown on your web page, can be changed.
First Name and Last Name - "private and used for search only"

Message Structure

Tokens are separated by backslashes, which alternate as name, value, name, value, etc. For example, a complete message would be:

\lc\1\nc\AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==\id\1\final\\

This message has the following information:

 Name    Value
 =============
 lc      1
 nc      AAAA...
 id      1
 final   (empty)

The end of a message is marked with a key named final and an empty value.

The following data types are present:

Integers    These are just stored as ASCII
Text        Also ASCII
Binary      Base64 encoded
Boolean     Presence of the key indicates 'true', absense 'false'
Dictionary  Multiple key=value's, separated by \x1c (field usually named 'body')
List        Items separated by '|'

Login challenge

The client connects to the server (as described in the Hosts section), and the server immediately sends a "login challenge" message. The important part of this challenge message is the binary nonce field, named nc. The client computes its login response using this field.

How to derive `response` from `nc`

First note, nc is 0x40 bytes and it is split into two parts, after being base64-decoded:

First 0x20 bytes = nonce1
Last 0x20 bytes = nonce2

SHA-1 hash the following concatenated together:

0x14 bytes - the SHA-1 hash of the password as utf16le
0x20 bytes - nonce2

Just to be clear, there are two hashes computed above.

Using the first 0x10 bytes of the hash value as an 128-bit RC4 key, encrypt the following concatenated together:

nonce1
username, in ASCII
00 00 00 00
1 byte = the number of IPv4 addresses this host has
IPv4 addresses of host's network interfaces in network order

The network interface addresses are obtained using the Win32 GetIpAddrTable API call. They should be the actual interface IPs on the system, even if they are RFC1918 private addresses. The server most likely uses these addresses to determine if a connection can be directly initiated to the host, or if it must pass through some kind of NAT device.

After encrypting, base64 the encrypted message to obtain the value for response.

High-level summary:

    response = encrypt(key=hash(hash(pw) + nc2), data=nc1+username+IP_list)

where hash=SHA-1, encrypt(key, data)=RC4. Fairly simple, but took some time to reverse-engineer.

Implementations

The login procedure, as described above, is implemented in msimlogin (251 lines of C++), using similar Win32 CryptoAPI calls that MySpaceIM uses. msimlogin computes response for a specific test vector (username/password: testuser/testpw, as well as certain network interfaces) and verifies the result is correct. No network communication is performed.

Also implemented in Python myc.py—this program is higher-level, in that it uses the simpler PyCrypto library instead of Win32 API calls. This script accepts a username/password on the command line and connects to MySpaceIM's servers to get a login response. Base64 conversion is performed where needed. New tests to the protocol will likely be tested in this Python script first.

The login procedure will (hopefully) ultimately be implemented in a Gaim protocol plugin, using the appropriate libraries and the C programming language.

Login Message

After computing response client then the login message, as follows:

\login2\%d\username\%s\response\%s\clientver\%d\reconn\%d\status\%d\id\1\final\

Where %s and %d are placeholders. The %s in \response\%s\ will be replaced by the base64'd response as described in the previous section, for example. The following values are acceptable to cause the MySpaceIM servers to respond:

login2 - 196610
username - ASCII username
response - the base64'd login challenge response calculated in previous section
clientver - 673 (corresponds to 1.0.673.0 in About dialog)
reconn - 0 (don't reconnect)
status - 100
id - 1
final

The server quickly (even before waiting for the client response, above) sends a 'persistr' message, with various information. The 'body' field contains key=value pairs, separated by the \034 characters (the "dictionary" type described earlier in this document). It contains various parameters for the client:

persistr
cmd - 257
dsn - 101
uid - 0 (user ID not yet set?)
lid - 20 (unknown)
rid - varies, (12106440, 12173045...)
body - a packed dictionary of the following:
- AdUnitRefreshInterval - 10
- EnableIMBrowse - False
- MaxAddAllFriends - 100
- ChatRoomUserIDs - 78744676;142663391;142910130;123521495;138528147;140271072;163733130
- MySpaceNowTimer - 720
- WebTicketGoHome - False
- UseWebChallenge - 1
- MaxContacts - 1000
- MinClientVersion - 529
- PersistenceDataTimeout - 900
- CurClientVersion - 595
- AlertPollInterval - 180
final

Login Success Message

In response to the "login response message", the server will send another message. If the login failed, a message will say so. If it succeeded, various information will be sent. (TODO: describe these).

lc - 2
sesskey - 90011556 (session key)
proof - seems to be same as uniquenick
userid - numeric, for example 3656574
profileid - same as userid
uniquenick - the X in myspace.com/X; or username chosen first time logging in. The client uses this information retrived from the server for the screen name, since your MySpace login name is your email address.
id - 1
final

Followed by: (TODO)

persistr
cmd - 257 (login?)
lid - 26
body
- Challenge - 3341347623
- ChallengeData - 30 bytes base64-encoded
persistr
uid - same as userid
dsn - 17
rid - varies, 20028128

TODO: describe the 3 additional Challenge,ChallengeData messages. Web challenge.

FROM SERVER - web challenge

\persistr\\cmd\257\dsn\17\uid\3656574\lid\26\rid\20015794\body\Challenge=2437569020 \034ChallengeData=CTtWmfBzuq4rxoe5GJhk0bfNp7tGQljzsIKaTBOARc21898xR26Y4qs9MBohcn+FlnD/ 1+T9KL/1Ftuo9vd3elbw==\034Challenge=2437569023\034ChallengeData=3PZg0J

on home.myspace.com, client does:

GET /Modules/IM/Pages/UrlRedirector.aspx?challenge=8408570-3656574-267577152&response=5CiUQCLEkz1ryhNZpv/IPxdmXS1tNnZaDk/kGx4cQxM&target=searchfriends&targetid=3656574 HTTP/1.1\r\n

on collect.myspace.com, client does:

GET /index.cfm?fuseaction=im.friendslist&setonlinenow=1&setrsi=1&MyToken=6451502b-0ba5-4805-91b3-b5925d8f1747 HTTP/1.1\r\n

Errors

Error messages:

fatal
id - sometimes present with value of '1'
errmsg - textual error message
err - numeric error code
error
final

Known errors:

260 - The password provided is incorrect.
4352 - Invalid user ID in persistence request. (This occurs when a persist message is sent with an invalid 'userid' field.)

Pick Your Username

If you login without a username/IM name, MySpaceIM will prompt you to select one, very cautiously warning you cannot change it. To check if a username is available, client sends (similar to 'buddy search' message):

persist - 1
sesskey - the session key
cmd - 1
dsn - 5
userid - your user ID
lid - 7
rid - 24
body - dictionary:
- UserName - the username to check if available
final

The server replies with:

persistr
cmd - 257
dsn - 5
userid - your username
lid - 7
rid - 2
body - dictionary of:
- UserName - textual username (always present)
- Fields below only present if user exists:
- UserID - numeric user ID
- ImageURL - profile image URL
- DisplayName - changeable display name
- BandName - currently playing band
- SongName - currently playing song
Final

User Information Messages

Both messages from server, sent upon connect for each user on buddy list. \bm\100\f\6221\msg\|s|1|ss|:-)|ls||ip|0|p|0\final\ \bm\100\f\15187323\msg\|s|0|ss|Offline\final\

User status message:

bm - 100 (user status message)
f - 6221, 15187323 (user ID?)
msg - a '|'-separated list of buddy info
1. s
2. 1=online, 0=offline
3. ss
4. Headline if online, headline (Tom's is ":-)", for example). If offline, "Offline" and no further fields follow.
5. ls
6. ip
7. 0
8. p
9. 0

final \body\UserID=3656574\034ImageURL=http:/1/1myspace-513.vo.llnwd.net/100928/131/151/1928941513_m.jpg \034DisplayName=Jeff\034UserName=3656574\034BandName=\034SongName=\034TotalFriends=69

User information message:

persistr
cmd - 257 (login info)
dsn - 4
uid - numeric user ID (same as userid field in other messages)
lid - 5
rid - 29
body - dictionary of:
- UserID - numeric user ID
- UserName - same as UserID
- ImageURL - URL of profile image
- DisplayName - human-readable ASCII name
- BandName - currently playing band
- SongName - currently playing song
- TotalFriends - # of friends
final

Keep Alives

These messages are simply:

ka
final

Sent periodically to keep connection alive.

Buddy Management

Commands related to your buddy list.

Buddy Search

Accessed from "Add" button on official MySpaceIM client. Before a buddy can be added, the buddy must be found. The user enters a username or email address, and the client contacts the server to obtain the numeric user ID used internally throughout the protocol. Buddy search message from client:

persist - 1
sesskey - session key
cmd - 1
dsn - 5
userid - your user ID
lid - 7
rid - 16,125,127,129...increments
body - dictionary with one of the following keys, containing the data entered by the user:
- Email
- UserName
The official client displays one field for the user to type in, and sends its value in Email or UserName depending on the contents ('Email' if contains '@', otherwise UserName, is a good guess.)

Server responds with:

persistr
cmd - 257
dsn - 1
userid - your user ID
lid - 17
rid - 18
body - a dictionary of:
- Email or UserName - copied from search message, always present
- The following fields are only present if the user is found:
- UserID - found user's numeric ID
- Sound - boolean
- PrivacyMode - 0 for not invisible
- ShowOnlyToList - boolean
- OfflineMessageMode - 1
- Headline - user's headline text
- AvatarURL - URL of avatar
- Alert - 1
- ShowAvatar - boolean
- IMName -
- LastLogin - a very large decimal number (timestamp), example: 128200346400000000
- ClientVersion - build number of client
- AllowBrowse - boolean

Add Buddy

addbuddy
sesskey - session key
newprofileid - profileid of user to add
reason - why you wanted to add user? (empty)
final

The client also updates the blocklist, removing from block list (b-) and adding to accept list (a+).

Group Manangement

cmd=258 (group info)

Example messages:

\persistr\\cmd\258\dsn\2\uid\3656574\lid\16\rid\64\body\GroupName=MySpaceIM Rooms\034Position=2\034GroupFlag=196612\final\\persistr\\cmd\258\dsn\2\uid\3656574\lid\16\rid\65\body\GroupName=Recent Contacts\034Position=3\034GroupFlag=196610\f

\persistr\\cmd\257\dsn\0\uid\3656574\lid\2\rid\86\body\ContactID=6221\034ContactID=6221\034Headline=:-)\034Position=1\034GroupName=IM Friends\034Visibility=1\034AvatarUrl=\034ShowAvatar=False\034LastLogin=128182824000000000\034IMName=\034N

\persistr\\cmd\257\dsn\0\uid\3656574\lid\2\rid\87\body\ContactID=15187323\034ContactID=15187323\034Headline=\034Position=0\034GroupName=Recent Contacts\034Visibility=1\034AvatarUrl=\034ShowAvatar=True\034IMName=\034NickName=\034NameSelect=

Comes predefined with groups (ways to organize contacts):

IM Friends
MySpaceIM Rooms
Recent Contacts
Offline

Block List

Sent from client to server, to tell server to not relay messages from these users:

blocklist - empty
sesskey - session key
idlist - a '|' separated list of unknown information, appears to be list of users and parameters. 'b-|6221|a+|6221', 'w0|c0|a-|*|b-|*'. Accept, block? + means remove, - means add? When add user 15187323, send an idlist of 'b-|15187323|a+|15187323' - this could be interpreted to mean "remove this user from the block list, add the same user to the accept list". The "w0|c0|a-|*|b-|*" is also sent when changing text window image backgrounds.
final

Delete Buddy

delbuddy
sesskey - session key
delprofileid - numeric ID of user to add
final

The client also sends a persist message and updates the block list when deleting a buddy. Example message sequence:

\delbuddy\\sesskey\97309878\delprofileid\175349942\final\ - delete buddy with numeric ID 175349942
\persist\1\sesskey\97309878\cmd\515\dsn\0\uid\3656574\lid\8\rid\18\body\ContactID=175349942\final\ - ???
\blocklist\\sesskey\97309878\idlist\a-|175349942|b-|175349942\final\ - update block list; remove user (-) from accept (a) and block (b) list?

Actions and Instant Messages

Example messages:

\bm\121\sesskey\92362186\t\15187323\cv\673\msg\%typing%\final\ - typing notification
\bm\1\sesskey\267577152\t\15187323\cv\673\msg\<f f='Times' h='16'><c v='black'>hello world</1b></1c></1f></1p>\final\ - incoming message

Fields:

bm - 1 (message), 100 (status message), 121 (action)
sesskey - session key
t - numeric user ID to send message to (outgoing messages only)
f - numeric user ID of user that send message (incoming messages only)
cv - client version (673)
msg - %typing% or %stoptyping% for typing notification, the message text for messages (see markup below), !!!ZAP!!! for zaps (see below)
final

Instant messages are sent by specifying the user's numeric ID in the 't' field, and received with the sender's numeric ID in the 'f' field.

Message Markup Code

Messages are sent with a 'bm' of '1'. Outgoing messages have the to ('t') field set to the numeric user ID, incoming messages have 'f' (from) se.

Message text is formatted using "tags", not quite like HTML. Tags and attribute names are single letters to save space. Attributes are either quoted with ' or `. For unknown reasons, the client uses ' but the server translates it to `.

Tags end as /(number)(tag), for example /1b, /1c, /1f, /1p. I suspect the number could be the nesting level or how many tags to close (not investigated).

Example: <f f='Times' h='16'><c v='black'>hello</1b></1c></1f></1p>

= paragraph
<f> = font tag
- f = font face (Arial, Arial Black, Comic Sans MS, Courier New, Tahoma, Times, Verdana, or another)
- h = height
 - 8pt = 11
 - 10pt = 13
 - 12pt = 16
 - 16pt = 21
- s = bit field of text decoration; add together:
 - 1 = bold
 - 2 = italic
 - 4 = underline
<c> = text color tag
- v = color (a name like "black", "white", or "rgb(253,0,0)")
= background color tag
- v = color
= image (emoticon)
- n - name: laugh, straight, tongue, kiss, growl, ...

Zaps

"Zaps" are actions, sent with bm=121, with msg text of !!!ZAP_SEND!!!=RTE_BTN_ZAPS_n, where n is the zero-based index in the array. 0 is just a regular "zap", up to 9 which is "raspberry" (whatever that means...)

Status

For bm=100, 'f' is set to the numeric user ID of the user the message is from. 'msg' is set to an array string such as |s|0|ss|Offline (user is offline).

Set Status

status - 0=hidden, 1=online, 5=away
sesskey - session key
statstring - user-editable status string or away message
locstring
final

Logout

Simply:

logout
sesskey
final