Difference between revisions of "Yahoo"

From IMFreedom Wiki
Line 34: Line 34:
  
 
== Login Process ==
 
== Login Process ==
The new Yahoo messenger v9.0 uses ymsg 16 protocol. For login process client sends username and password to yahoo login server: https://login.yahoo.com, and in response server sends Token which is then used for client authentication process on scs.msg.yahoo.com:5050
+
Starting with Yahoo Messenger 9.0, clients use YMSG protocol version 16. The login procedure for protocol version 16 employs an HTTP request, a YMSG packet, two HTTPS requests, then a return to YMSG.  The login process consists of multiple steps as follows:
  
This login process goes through multiple steps as follows
+
=== 1. Request a pager server address ===
 +
Send an HTTP GET request for location "/capacity" to the server vcs1.msg.yahoo.com (or cs1.msg.vip.ogk.yahoo.co.jp for Yahoo JAPAN).
  
=== Step 1: Send username and password to login server ===
+
The server responds with a message containing two lines:
'''Https request url:'''<br>
 
<nowiki>https://login.yahoo.com/config/pwtoken_get?src=ymsgr&login=<username>&passwd=<password></nowiki><br>
 
'''Https response and meaning:'''<br>
 
* Invalid username  : 1235
 
* Wrong password    : 1212
 
* Information Valid : 0 ymsgr=<ymsgr> partnerid=<partnerid>
 
<ymsgr> data is used in step 2 for further processing.<br>
 
'''Note:''' <ymsgr> and <partnerid> seem to appear in pair for given username and password
 
  
=== Step 2: Send <ymsgr> token to login server ===
+
<pre>COLO_CAPACITY=1
'''Https request url:'''<br>
+
CS_IP_ADDRESS=aaa.bbb.ccc.ddd</pre>
<nowiki>https://login.yahoo.com/config/pwtoken_login?src=ymsgr&token=<ymsgr></nowiki><br>
 
'''Https response and meaning:'''<br>
 
* Invalid ymsgr    : 100
 
* Information Valid : 0 crumb=<crumb> Y=<Y_Cookie> T=<T_Cookie> cookievalidfor=<validityInfo>
 
<crumb>, <Y_Cookie>, <T_Cookie> and <B_Cookie> are used in client authentication on receiving challenge string from Pager server.<br>
 
'''Note''': <B_Cookie> is received in header of the reponse.
 
  
=== Step 3: After receiving challenge string from pager server ===
+
The address aaa.bdb.ccc.ddd will be a real IP address usable for standard YMSG connections.  It is currently in correct IPv4 format; that is, no leading zeroes are used.  This is the Pager server the client should connect to.
When client receives challenge string from pager server, it sends encrypted response to server. This response is formed using <crumb> received in '''Step 2''' and challenge received from pager server.<br>
+
 
Process for forming response:
+
The <code>COLO_CAPACITY</code> line's purpose is currently unknown, but it is believed that if the server returns <code>COLO_CAPACITY=0</code> that official clients will not attempt to connect to a pager server.
* crypt = crumb + challenge
+
 
* hash = MD5(crypt)
+
=== 2. Send YMSG packet to Pager server ===
* response = BASE64(hash)
+
Send a packet for service 57 (authentication) to the pager server.  This packet must contain a single key-value pair.  The key is 1 and the value is the Yahoo ID you are trying to connect with.
* replace '+' by '.' in response
+
 
* replace '/' by '_' in response
+
The server will reply with a packet for service 57 that contains 3 key-value pairs:
* replace '=' by '-' in response
+
* Key 1, Value Yahoo ID connecting
Client sends this calculated response for received challenge along with <Y_Cookie>, <T_Cookie> and <B_Cookie>.
+
* Key 13, Value 2.  This key indicates the particular authentication mechanism to use.  Past values are 0 and 1, but these are no longer supported.
 +
* Key 94, Value is a string.  This string is the challenge string used during the first HTTPS request.
 +
 
 +
=== 3. Send username, password, and challenge string to login server ===
 +
Send an HTTPS GET request for location "/config/pwtoken_get?src=ymsgr&login=<username>&passwd=<password>&chal=<challengestring>" to the server login.yahoo.com (or login.yahoo.co.jp for Yahoo JAPAN accounts).  Substitute the Yahoo ID for <username>, but strip @yahoo.com from any ID sent (other domains, such as sbcglobal.net or rocketmail.com, seem to be OK).  Substitute the password for <password> and the challenge string from the previous step for <challengestring>.  Note that the challenge string is not strictly required to proceed.  The server will respond, but the response will vary depending on whether information supplied is correct or not.  The whole URL is <nowiki>https://login.yahoo.com/config/pwtoken_get?src=ymsgr&login=<username>&passwd=<password>&chal=<challengestring></nowiki> (or <nowiki>https://login.yahoo.co.jp/config/pwtoken_get?src=ymsgr&login=<username>&passwd=<password>&chal=<challengestring></nowiki> for Yahoo JAPAN).
 +
 
 +
The first line of the response will be an ASCII representation of an integer.  This response code's values and meanings are:
 +
* 0: Information supplied is correct.
 +
* 100: Missing required field (username or password)
 +
* 1013: Username contains @yahoo.com or similar but should not; strip this information.
 +
* 1212: The username or password is incorrect.
 +
* 1213: The account is locked because of too many failed login attempts
 +
* 1214: Security lock requiring the use of a CAPTCHA.
 +
* 1218: The account has been deactivated by Yahoo
 +
* 1235: The username does not exist.
 +
* 1236: The account is locked due to too many login attempts (this error code means only the number of attempted logins, including both failed and successful logins).
 +
 
 +
If the response was 0, there will be additional lines in the response:
 +
* The second line of the response will start with "ymsgr=". This value is the token.
 +
* The third line of the response will start with "partnerid=".  The purpose of this value is unknown, but seems to be somehow tied to a given username and password pair.
 +
 
 +
=== 4. Send token to login server ===
 +
Send an HTTPS GET request for location "/config/pwtoken_login?src=ymsgr&token=<token>" to the same login server used in the last step.  The whole url is <nowiki>https://login.yahoo.com/config/pwtoken_login?src=ymsgr&token=<token></nowiki> (or <nowiki>https://login.yahoo.co.jp/config/pwtoken_login?src=ymsgr&token=<token></nowiki> for Yahoo JAPAN).  Substitute <token> with the token from the previous step.
 +
 
 +
Again, the server's response contains necessary information.  The HTTP headers contain a B Cookie. This is not strictly needed to log in, but some clients use it.
 +
 
 +
The first line of the response will again be an ASCII representation of an integer.  0 means the information supplied to the server was correct, and 100 means there's a problem.  If the first line is 0, additional lines will be present:
 +
* Line 2 will start with "crumb=".  This is the crumb needed to calculate a hash later.
 +
* Line 3 will start with "Y=".  This is the Y cookie and is needed later.
 +
* Line 4 will start with "T=".  This is the T cookie and is needed later.
 +
* Line 5 will start with "cookievalidfor=".  This is the life of the cookies in seconds.  Usually this value is 86400 (1 day).
 +
 
 +
=== 5. Calculate a hash to send to the Pager server ===
 +
You now need to send a string to the Pager server.  This string is calculated using the crumb and challenge string, hashed with MD5, and encoded with Yahoo's variant of Base64.
 +
* Concatenate the crumb and the challenge string.  This is "crypt"
 +
* perform and MD5 hash of crypt.  This is "hash"
 +
* Encode hash with Yahoo's Base64 variant.  Some clients, like libpurple, implement their own y64 encoding function, but you can do this instead:
 +
  * Base64-encode hash.  This is "response"
 +
  * Replace all instances of '+' in response with '.'
 +
  * Replace all instances of '/' in response with '_'
 +
  * Replace all instances of '=' in response with '-'
 +
 
 +
=== 6. Send the response to the Pager server ===
 +
Send a YMSG packet for service Authentication Response (0x54) with the following key-value pairs:
 +
* Key 1, Value Yahoo ID (same as used throughout login process)
 +
* Key 0, Value Yahoo ID (same as key 1 value)
 +
* Key 277, Value Y cookie
 +
* Key 278, Value T cookie
 +
* Key 307, Value "response" calculated in previous step
 +
* Key 244, Value internal Yahoo client build ID.  More on this below.
 +
* Key 2, Value Yahoo ID (same as key 1 value)
 +
* Key 2, Value "1" (treat this as an ASCII character, not an integer)
 +
* Key 59, Value B cookie (note this isn't strictly needed for login)
 +
* Key 98, Value chat locale (This is an assumption.  The US official client puts "us" here; the JAPAN official client puts "jp" here.)
 +
* Key 135, Value Yahoo Messenger client version.  More on this below.
  
 
== Useful Links ==
 
== Useful Links ==
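Review bot: The explanatory paragraph added under step 1 spells the placeholder address "aaa.bdb.ccc.ddd", while the sample response it describes has "aaa.bbb.ccc.ddd"; make the two match. Step 2 names the service as "57" and step 6 as "0x54", so state the radix in both places to keep implementers from reading 57 as decimal. Step 5 has "perform and MD5 hash" (should be "an"). Step 6 lists key 2 twice with different values; say explicitly that both pairs are sent, since an implementation that stores the pairs in a map will silently drop one. Step 3 substitutes the username and password into a GET query string; the text should say that the substituted values need percent-encoding.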

Revision as of 00:41, 4 April 2010

Introduction

The Yahoo! Messenger Protocol is the protocol created by the Yahoo! corporation for use in its instant messaging clients. The protocol is proprietary and centralized in nature with some functionality being peer-to-peer in the newest revisions of the protocol and clients.

Features

The Yahoo protocol has the following features:

  • Avatars
  • Conferencing
  • File transfer
  • Instant messaging
  • Offline messaging
  • Voice chat
  • Webcam support

Network

The Yahoo protocol connects to its servers over the following ports:

  • Chat port (Pager server): 5050 (TCP)
  • File transfer port: 80 (TCP)
  • Peer-to-peer chat: 5101 (TCP)
  • Rooms list: 80 (TCP)
  • Voice chat: 5000-5010 (UDP) or 5000-5001 (TCP)
  • Webcam: 5100 (TCP)
  • Yahoo Phone: 5055
  • Pager server request: 80 (TCP: HTTP)
  • Login server: 443 (TCP: HTTPS)

Known servers are:

  • Login server: login.yahoo.com
  • Pager server request server: vcs1.msg.yahoo.com
  • Pager server request server for Yahoo JAPAN: cs1.msg.vip.ogk.yahoo.co.jp
  • Pager server hostname pool: scsa.msg.yahoo.com
  • File transfer server: filetransfer.msg.yahoo.com
  • File transfer server Japan: filetransfer.msg.yahoo.co.jp

Login Process

Starting with Yahoo Messenger 9.0, clients use YMSG protocol version 16. The login procedure for protocol version 16 employs an HTTP request, a YMSG packet, two HTTPS requests, then a return to YMSG. The login process consists of multiple steps as follows:

1. Request a pager server address

Send an HTTP GET request for location "/capacity" to the server vcs1.msg.yahoo.com (or cs1.msg.vip.ogk.yahoo.co.jp for Yahoo JAPAN).

The server responds with a message containing two lines:

COLO_CAPACITY=1
CS_IP_ADDRESS=aaa.bbb.ccc.ddd

The address aaa.bbb.ccc.ddd will be a real IP address usable for standard YMSG connections. It is currently in correct IPv4 format; that is, no leading zeroes are used. This is the Pager server the client should connect to.

The COLO_CAPACITY line's purpose is currently unknown, but it is believed that if the server returns COLO_CAPACITY=0, official clients will not attempt to connect to a pager server.

2. Send YMSG packet to Pager server

Send a packet for service 57 (authentication) to the pager server. This packet must contain a single key-value pair. The key is 1 and the value is the Yahoo ID you are trying to connect with.

The server will reply with a packet for service 57 that contains 3 key-value pairs:

  • Key 1, Value Yahoo ID connecting
  • Key 13, Value 2. This key indicates the particular authentication mechanism to use. Past values are 0 and 1, but these are no longer supported.
  • Key 94, Value is a string. This string is the challenge string used during the first HTTPS request.

3. Send username, password, and challenge string to login server

Send an HTTPS GET request for location "/config/pwtoken_get?src=ymsgr&login=<username>&passwd=<password>&chal=<challengestring>" to the server login.yahoo.com (or login.yahoo.co.jp for Yahoo JAPAN accounts). Substitute the Yahoo ID for <username>, but strip @yahoo.com from any ID sent (other domains, such as sbcglobal.net or rocketmail.com, seem to be OK). Substitute the password for <password> and the challenge string from the previous step for <challengestring>. Note that the challenge string is not strictly required to proceed. The server will respond, but the response will vary depending on whether information supplied is correct or not. The whole URL is https://login.yahoo.com/config/pwtoken_get?src=ymsgr&login=<username>&passwd=<password>&chal=<challengestring> (or https://login.yahoo.co.jp/config/pwtoken_get?src=ymsgr&login=<username>&passwd=<password>&chal=<challengestring> for Yahoo JAPAN).

The first line of the response will be an ASCII representation of an integer. This response code's values and meanings are:

  • 0: Information supplied is correct.
  • 100: Missing required field (username or password)
  • 1013: Username contains @yahoo.com or similar but should not; strip this information.
  • 1212: The username or password is incorrect.
  • 1213: The account is locked because of too many failed login attempts
  • 1214: Security lock requiring the use of a CAPTCHA.
  • 1218: The account has been deactivated by Yahoo
  • 1235: The username does not exist.
  • 1236: The account is locked due to too many login attempts (this error code means only the number of attempted logins, including both failed and successful logins).

If the response was 0, there will be additional lines in the response:

  • The second line of the response will start with "ymsgr=". This value is the token.
  • The third line of the response will start with "partnerid=". The purpose of this value is unknown, but seems to be somehow tied to a given username and password pair.

4. Send token to login server

Send an HTTPS GET request for location "/config/pwtoken_login?src=ymsgr&token=<token>" to the same login server used in the last step. The whole URL is https://login.yahoo.com/config/pwtoken_login?src=ymsgr&token=<token> (or https://login.yahoo.co.jp/config/pwtoken_login?src=ymsgr&token=<token> for Yahoo JAPAN). Substitute <token> with the token from the previous step.

Again, the server's response contains necessary information. The HTTP headers contain a B Cookie. This is not strictly needed to log in, but some clients use it.

The first line of the response will again be an ASCII representation of an integer. 0 means the information supplied to the server was correct, and 100 means there's a problem. If the first line is 0, additional lines will be present:

  • Line 2 will start with "crumb=". This is the crumb needed to calculate a hash later.
  • Line 3 will start with "Y=". This is the Y cookie and is needed later.
  • Line 4 will start with "T=". This is the T cookie and is needed later.
  • Line 5 will start with "cookievalidfor=". This is the life of the cookies in seconds. Usually this value is 86400 (1 day).

5. Calculate a hash to send to the Pager server

You now need to send a string to the Pager server. This string is calculated using the crumb and challenge string, hashed with MD5, and encoded with Yahoo's variant of Base64.

  • Concatenate the crumb and the challenge string. This is "crypt"
  • Perform an MD5 hash of crypt. This is "hash"
  • Encode hash with Yahoo's Base64 variant. Some clients, like libpurple, implement their own y64 encoding function, but you can do this instead:
      • Base64-encode hash. This is "response"
      • Replace all instances of '+' in response with '.'
      • Replace all instances of '/' in response with '_'
      • Replace all instances of '=' in response with '-'

6. Send the response to the Pager server

Send a YMSG packet for service Authentication Response (0x54) with the following key-value pairs:

  • Key 1, Value Yahoo ID (same as used throughout login process)
  • Key 0, Value Yahoo ID (same as key 1 value)
  • Key 277, Value Y cookie
  • Key 278, Value T cookie
  • Key 307, Value "response" calculated in previous step
  • Key 244, Value internal Yahoo client build ID. More on this below.
  • Key 2, Value Yahoo ID (same as key 1 value)
  • Key 2, Value "1" (treat this as an ASCII character, not an integer)
  • Key 59, Value B cookie (note this isn't strictly needed for login)
  • Key 98, Value chat locale (This is an assumption. The US official client puts "us" here; the JAPAN official client puts "jp" here.)
  • Key 135, Value Yahoo Messenger client version. More on this below.
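
Steps 3 to 6 above, worked through as an added example (not part of the original wiki page or of any client's code): it parses a login-server response body, computes the step 5 response, and builds the step 6 key-value list. The sample body, the challenge, and the build ID and version strings are constructed placeholders, and encoding the raw 16-byte MD5 digest (rather than its hex form) is an assumption.

```python
import base64
import hashlib

# Response codes from step 3 (pwtoken_get); step 4 uses only 0 and 100.
PWTOKEN_GET_CODES = {
    0: "ok", 100: "missing required field", 1013: "strip @yahoo.com from username",
    1212: "username or password incorrect", 1213: "locked: too many failed logins",
    1214: "CAPTCHA required", 1218: "account deactivated",
    1235: "username does not exist", 1236: "locked: too many login attempts",
}

def parse_login_response(body):
    """Return (code, fields) for a pwtoken_get or pwtoken_login body."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines or not lines[0].isdigit():
        raise ValueError("first line must be an ASCII integer")
    fields = {}
    for ln in lines[1:]:
        # Split on the first '=' only: cookie and token values contain '='.
        key, sep, value = ln.partition("=")
        if sep:
            fields[key] = value
    return int(lines[0]), fields

def y64(data):
    """Standard Base64 with '+' -> '.', '/' -> '_', '=' -> '-' (step 5)."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+/=", "._-"))

def auth_response(crumb, challenge):
    """Step 5. Assumption: the raw 16-byte MD5 digest is encoded, not its hex form."""
    crypt = (crumb + challenge).encode("utf-8")
    return y64(hashlib.md5(crypt).digest())

def auth_fields(yahoo_id, y_cookie, t_cookie, response, build_id, version,
                locale="us", b_cookie=None):
    """Step 6 pairs, in page order. A list, not a dict: key 2 occurs twice."""
    pairs = [("1", yahoo_id), ("0", yahoo_id), ("277", y_cookie), ("278", t_cookie),
             ("307", response), ("244", build_id), ("2", yahoo_id), ("2", "1")]
    if b_cookie is not None:          # key 59 is optional per the page
        pairs.append(("59", b_cookie))
    return pairs + [("98", locale), ("135", version)]

# Constructed sample of a successful pwtoken_login body (not captured traffic).
SAMPLE = "0\r\ncrumb=Cr.Umb1\r\nY=v=1&n=abc; path=/\r\nT=z=xyz&a=QAE\r\ncookievalidfor=86400\r\n"

if __name__ == "__main__":
    code, f = parse_login_response(SAMPLE)
    resp = auth_response(f["crumb"], "constructed-challenge")
    print(PWTOKEN_GET_CODES[code], resp)
    print(auth_fields("exampleid", f["Y"], f["T"], resp, "BUILD_ID", "VERSION"))
```
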

Useful Links