MOVE ALONG NOTHING TO SEE HERE

All new docs are being written in the GitHub msndevs wiki

The old contents are left here for historical reference

old contents

This page contains random ramblings and partially dissected traffic dumps.

Example gateway open flow

Request

Boring http headers removed. Newlines added before commands for clarity

POST https://geo.gateway.messenger.live.com/gateway/gateway.dll?Version=1&Protocol=mtp&Action=open&Server=NS&IP=none HTTP/1.1
Host: geo.gateway.messenger.live.com
X-MSN-Auth: Use-Cookie
Cookie: MSPAuth=...; MSPProf=...; WLSSC=...;
Content-Length: ...

Payload:

CNT 1 CON 114

<connect><ver>2</ver><agent><os>winnt</os><osVer>5.2</osVer><proc>x86</proc><lcid>en-us</lcid></agent></connect>
ATH 2 CON\USER 312

<user><uic>[very long base64 string]</uic><web-compact-ticket /></user>
BND 3 CON\MSGR 140

<msgr><ver>2</ver><client><name>msgrliboutlook</name><ver>6.4.0.0</ver></client><epid>{006213cd-00b8-7e9c-0022-df0d0013802a}</epid></msgr>

Notes:

  • Version=1&Protocol=mtp - what the hell is mtp?
  • X-MSN-Auth: Use-Cookie is in all requests, along with a massive bunch of cookies which I removed above.
  • Outlook.com has an absurd amount of apparently useless cookies. The ones required for auth are MSPAuth, MSPProf and WLSSC
  • Outlook.com sends a header X-Requested-Session-Content-Type: text/html that does what it says on the tin. Useful to work around browser issues, I guess. If not specified, application/x-msn-messenger is used instead.

Response

HTTP/1.1 200 OK
Content-Length: 959
Content-Type: application/x-msn-messenger
X-MSN-Messenger: SessionID=870507030.2139024470; GW-IP=134.170.19.30:443
X-MSNSERVER: BN1MSGR1011605
X-MSN-Host: BN1MSGR1011605.gateway.messenger.live.com
X-MSN-SessionTimeout: 120
X-MSN-SkypeId: live:maxint32
Date: Thu, 02 Oct 2014 04:27:30 GMT

Payload:

CNT 1 CON 126

<connect-response><ver>2</ver><qostest>false</qostest><nonce>xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx</nonce></connect-response>
ATH 2 CON 131

<auth-response><new-thread-allowed>false</new-thread-allowed><p2p-migration-allowed>false</p2p-migration-allowed></auth-response>
BND 3 CON 657
UtcTime: 1412224051
Set-Registration: [very long base64 string]
Registration-Token-Expiry: 1412310451
Context: xxxxxxxxxxxxxxxx

<msgr-response><ver>2</ver><utctime>1412224051</utctime><nonce>xxxxxxxxxxxxxxxxxxxxxxxxxxxxx</nonce><sample-window>0</sample-window></msgr-response>
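
The framing of the payloads above, as an added example (not part of the original notes or of any client's code): the number ending each command line matches, for the commands whose bodies are shown in full with no headers, the byte count of the blank line plus the body with CRLF line endings, so a parser can check it before slicing. The names parse_gateway_body and MAX_PAYLOAD, the 64 KiB cap, and the reading that the same length also covers header lines are assumptions made for illustration.

```python
import re

# Command line as seen in the dump: VERB SEQ TARGET LENGTH, e.g. "ATH 2 CON\USER 312".
CMD_RE = re.compile(rb"([A-Z]{3}) (\d{1,9}) (\S+) (\d{1,9})\r\n")
MAX_PAYLOAD = 64 * 1024  # assumed cap; the page does not state a limit


def parse_gateway_body(data, max_payload=MAX_PAYLOAD):
    """Split a gateway body into (verb, seq, target, headers, body) tuples."""
    commands, pos = [], 0
    while pos < len(data):
        m = CMD_RE.match(data, pos)
        if m is None:
            raise ValueError(f"malformed command line at offset {pos}")
        verb, target = m.group(1).decode(), m.group(3).decode()
        seq, length = int(m.group(2)), int(m.group(4))
        start, end = m.end(), m.end() + length
        if length > max_payload:
            raise ValueError(f"{verb}: declared length {length} exceeds cap")
        if end > len(data):
            raise ValueError(f"{verb}: declared {length} bytes, {len(data) - start} present")
        payload = data[start:end]
        # LENGTH covers optional "Name: value" headers, the blank line and the body.
        if payload.startswith(b"\r\n"):
            raw_headers, body = b"", payload[2:]
        else:
            raw_headers, sep, body = payload.partition(b"\r\n\r\n")
            if not sep:
                raise ValueError(f"{verb}: no blank line before the body")
        headers = {}
        for line in filter(None, raw_headers.split(b"\r\n")):
            name, sep, value = line.partition(b": ")
            if not sep:
                raise ValueError(f"{verb}: malformed header line")
            headers[name.decode()] = value.decode()
        commands.append((verb, seq, target, headers, body))
        pos = end
    return commands


# Sample rebuilt from the CNT and BND request commands in the dump, with CRLF
# framing assumed (ATH is left out because its base64 value is elided).
CNT_XML = (b"<connect><ver>2</ver><agent><os>winnt</os><osVer>5.2</osVer>"
           b"<proc>x86</proc><lcid>en-us</lcid></agent></connect>")
BND_XML = (b"<msgr><ver>2</ver><client><name>msgrliboutlook</name>"
           b"<ver>6.4.0.0</ver></client>"
           b"<epid>{006213cd-00b8-7e9c-0022-df0d0013802a}</epid></msgr>")
SAMPLE = (b"CNT 1 CON 114\r\n\r\n" + CNT_XML
          + b"BND 3 CON\\MSGR 140\r\n\r\n" + BND_XML)
```

parse_gateway_body(SAMPLE) returns the CNT and BND commands with their XML bodies; a command whose declared length runs past the data or over the cap raises ValueError instead of being sliced.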

Previous requests

The cookies used for authentication come from previous requests. Since I'm testing with outlook.com, it's a mess of unrelated requests.

Noteworthy ones:

login.live.com/login.srf

GET https://login.live.com/login.srf?wa=wsignin1.0&ct=1412223901&rver=6.1.6206.0&sa=1&ntprob=-1&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2F%3Fowa%3D1%26owasuffix%3Dowa%252f&id=64855&snsc=1&cbcxt=mail HTTP/1.1

This is actually the normal login page. It mentions the MBI_SSL_SHARED policy, another hint that this might be the same old SSO.

Cookies set by response: MSPRequ, MSPOK.

login.live.com/ppsecure/post.srf

POST https://login.live.com/ppsecure/post.srf?wa=wsignin1.0&ct=1412223901&rver=6.1.6206.0&sa=1&ntprob=-1&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2F%3Fowa%3D1%26owasuffix%3Dowa%252f&id=64855&snsc=1&cbcxt=mail&bk=1412223905&uaid=b8f959b6af984e13a52d69619a4a3fff HTTP/1.1

Clicking the login button. The urlencoded payload has login, passwd, and a few other potentially (un)interesting fields.

Cookies set by response: MSPOK, PPAuth, PPLState, MSPShared, MSPPre, MSPCID, MSPAuth, MSPProf, MH, MHW, MHList, NAP, ANON, pres, LOpt, WLSSC, SDIDC, MSPSoftVis

Other stuff

  • Some mentions of "skype web experience", whatever that is. Seems to point at the websocket connection to trouter.io. Doesn't seem to be used for msn-related traffic. I guess they really want to keep using the same gateway they've used for 15 years.
  • Should look more into these requests to mail.live.com/Handlers/ScenarioQos.mvc
  • Also https://geo.gateway.messenger.live.com/xmlProxy.htm?vn=9.090515.0&domain=live.com, which seems to be the referer to most gateway requests.