# Introduction
MSNP15 is the fourteenth released version of the Messenger Service Notification Protocol.
It was introduced officially in Client Version 8.1.0178.
# Command information
No commands for any service were known to be introduced in this version.
No commands were known to be removed in this version.
# Known changes
(from MSNP14):

- Introduced the SSO authentication scheme, which uses Passport over HTTPS. You will need to generate a response if the authentication policy is `MBI_KEY` or `MBI_KEY_OLD`.
  This is done by:
  - Using the challenge nonce (provided by the `USR SSO S`'s fourth parameter, 64 characters.)
  - Using the binary secret (provided by the Passport SOAP (RST) response for `messengerclear.live.com`, 32 characters.)
  - Generating an IV (8 bytes, 12 characters).
  - First, the binary secret should be base64 decoded into a buffer of 24 bytes.
    NOTE: Do not decode the challenge nonce. It is treated as 64 bytes already.
    NOTE: If replaying a generation, the IV is required to be extracted from the challenge response.
  - Instantiate an HMAC-SHA1 hash function with the 24-byte binary secret as the parameter. Call this `hashProvider`.
  - Then compute hashes using the decoded binary secret (`key1`):
    - Using `hashProvider`, generate a hash with the constant `WS-SecureConversationSESSION KEY HASH`. Save this as `hash1`.
    - Concatenate `hash1` with the constant `WS-SecureConversationSESSION KEY HASH`. Save this as `hash1constant`.
    - Using `hashProvider`, generate a hash of `hash1constant`. Save this as `hash2`, and keep for `key2`.
    - Using `hashProvider`, generate a hash of `hash1`. Save this as `hash3`.
    - Concatenate `hash3` with the constant `WS-SecureConversationSESSION KEY HASH`. Save this as `hash3constant`.
    - Using `hashProvider`, generate a hash of `hash1constant`. Save this as `hash4`, and keep for `key2`.
  - To create `key2`, create a 24-byte buffer.
    The first 20 bytes should be the entirety of `hash2`, and the remaining 4 bytes should be the first 4 bytes of `hash4`.
  - Then compute more hashes using the decoded binary secret (`key1`).
    Use the constant `WS-SecureConversationSESSION KEY ENCRYPTION` instead.
    This should provide `hash5`, `hash6`, `hash7` and `hash8`.
  - To create `key3`, create a 24-byte buffer.
    The first 20 bytes should be the entirety of `hash6`. The remaining 4 bytes should be the first 4 bytes of `hash8`.
  - Instantiate an HMAC-SHA1 hash function for `key2`.
  - Use the `key2` HMAC-SHA1 to compute the hash for the challenge nonce. Save this as `hash9`.
  - Create a 72-byte buffer called `inputBuffer`. The last 8 bytes should be all the value `8`.
  - Copy the whole nonce (64 bytes) into the first 64 bytes of `inputBuffer`.
  - Using 3DES-CBC, encrypt the first 64 bytes of `inputBuffer` with your IV. Call this `tdesBlock`.
  - Create a 128-byte buffer called `result`.
    The first 28 bytes should be: `28,0,0,0,1,0,0,0,3,102,0,0,4,128,0,0,8,0,0,0,20,0,0,0,72,0,0`, and finally `0`.
  - The next 8 bytes of `result` should be your IV.
  - The next 20 bytes of `result` should be `hash9`.
  - The next 72 bytes of `result` should be `tdesBlock`.
  - Encode `result` in base64. This is your challenge response.

  An example of doing this is provided as `SolveSSOChallenge` in `msnp_challenges.cs`.
- Official Client: User profiles can now "roam". The client uses the Schematized Storage Service for this.
- Official Client: The SOAP action for Offline Instant Messages has changed to `http://messenger.live.com/ws/2006/09/oim/Store2`.
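
The SSO challenge response generation described above, as an added Go example (it is not the referenced `msnp_challenges.cs` and not code from the original page). The names `mac`, `deriveKey` and `SolveSSO` are this example's own and the inputs in `main` are constructed. Assumptions: `key3` is used as the 3DES key, and `hash4` is taken over `hash3constant`, because hashing `hash1constant` again as the step is written would make `hash4` identical to `hash2`.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
)

func mac(key, data []byte) []byte { // HMAC-SHA1(key, data)
	h := hmac.New(sha1.New, key)
	h.Write(data)
	return h.Sum(nil)
}

// deriveKey runs the hash1..hash4 steps: all of hash2 plus 4 bytes of hash4.
func deriveKey(key1 []byte, constant string) []byte {
	hash1 := mac(key1, []byte(constant))
	hash2 := mac(key1, []byte(string(hash1)+constant)) // over hash1constant
	hash3 := mac(key1, hash1)
	hash4 := mac(key1, []byte(string(hash3)+constant)) // over hash3constant (assumed)
	return append(hash2, hash4[:4]...)
}

// SolveSSO builds the base64 challenge response from nonce, secret and IV.
func SolveSSO(nonce, secretB64 string, iv []byte) (string, error) {
	key1, err := base64.StdEncoding.DecodeString(secretB64)
	if err != nil || len(key1) != 24 || len(nonce) != 64 || len(iv) != 8 {
		return "", fmt.Errorf("need base64 24-byte secret, 64-char nonce, 8-byte IV")
	}
	key2 := deriveKey(key1, "WS-SecureConversationSESSION KEY HASH")
	key3 := deriveKey(key1, "WS-SecureConversationSESSION KEY ENCRYPTION")
	hash9 := mac(key2, []byte(nonce))
	tdesBlock := append([]byte(nonce), 8, 8, 8, 8, 8, 8, 8, 8) // inputBuffer, 72 bytes
	block, err := des.NewTripleDESCipher(key3)                  // key3 as 3DES key (assumed)
	if err != nil {
		return "", err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(tdesBlock, tdesBlock) // in place
	result := []byte{28, 0, 0, 0, 1, 0, 0, 0, 3, 102, 0, 0, 4, 128, 0, 0, 8, 0, 0, 0, 20, 0, 0, 0, 72, 0, 0, 0}
	result = append(append(append(result, iv...), hash9...), tdesBlock...)
	return base64.StdEncoding.EncodeToString(result), nil
}

func main() { // constructed inputs: all-"A" nonce, all-zero secret (32 "A"s in base64) and IV
	nonce := "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
	fmt.Println(SolveSSO(nonce, nonce[:32], make([]byte, 8)))
}
```

Encrypting the 72-byte `inputBuffer` without padding yields the same bytes as encrypting the 64-byte nonce with PKCS#7 padding, which is why the last 8 bytes are all `8`.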
# Client-server communication example
NOTE: This has been line-broken.
Lines beginning with .. followed by a space are continuations of the previous line.
C: VER 1 MSNP15 MSNP14 MSNP13 CVR0
S: VER 1 MSNP15
C: CVR 2 0x0409 winnt 5.1 i386 MSNMSGR 8.1.0178 msmsgs example@hotmail.com
S: CVR 2 8.5.1302 8.5.1302 8.1.0178
.. http://msgr.dlservice.microsoft.com/download/5/6/4/5646481F-33EF-4B08-AF00-4904F7677B89/EN/Install_WLMessenger.exe
.. http://get.live.com
C: USR 3 SSO I example@hotmail.com
S: XFR 3 NS 10.0.0.5:1863 U D
Client disconnects from server.
Client opens a connection to 10.0.0.5:1863.
C: VER 4 MSNP15 MSNP14 MSNP13 CVR0
S: VER 4 MSNP15
C: CVR 5 0x0409 winnt 5.1 i386 MSNMSGR 8.1.0178 msmsgs example@hotmail.com
S: CVR 5 8.5.1302 8.5.1302 8.1.0178
.. http://msgr.dlservice.microsoft.com/download/5/6/4/5646481F-33EF-4B08-AF00-4904F7677B89/EN/Install_WLMessenger.exe
.. http://get.live.com
C: USR 6 SSO I example@hotmail.com
S: GCF 0 245
<Policies>
<Policy type="SHIELDS" checksum="83B30425941CE296DED998A20861F87B">
<config>
<shield>
<cli maj="7" min="0" minbld="0" maxbld="9999" deny=" " />
</shield>
<block>
</block>
</config>
</Policy>
</Policies>
S: USR 6 SSO S MBI_KEY_OLD AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The HTTPS interlude is described in the Passport SOAP (RST) article.
C: USR 7 SSO S $(xmldecode(RequestSecurityTokenResponse.BinarySecurityToken#Compact1)) $(base64(key_challenge_response))
S: USR 7 OK example@hotmail.com 1 0
S: SBS 0 null
S: MSG Hotmail Hotmail 465
MIME-Version: 1.0
Content-Type: text/x-msmsgsprofile; charset=UTF-8
LoginTime: 1732890086
EmailEnabled: 1
MemberIdHigh: 1
MemberIdLow: 2
lang_preference: 1033
PreferredEmail: example@hotmail.com
country: US
PostalCode:
Gender:
Kid: 0
Age:
BDayPre:
Birthday:
Wallet:
Flags: 1027
sid: 507
kv: 11
MSPAuth: whatever+t+is+in+your+passport+login+ticket+that+you+sent+for+USR+SSO+S$
ClientIP: 192.168.1.111
ClientPort: 18183
ABCHMigrated: 1
The Client now uses both the ABFindAll
and the FindMembership actions
to get the current state of all lists and the last stored name and privacy mode.
NOTE: The following ADL and UUX payloads
have been exploded for visibility and formatting reasons.
No whitespace is allowed in ADL's payload and the payload size reflects this,
and is set to the correct value.
C: BLP 8 AL
S: BLP 8 AL
C: ADL 9 110
<ml l="1">
<d n="hotmail.com">
<c n="anotheruser" l="3" t="1" />
</d>
<t>
<c n="tel:+15551111222" l="3" />
</t>
</ml>
S: ADL 9 OK
C: PRP 10 MFN example%20user
S: PRP 10 MFN example%20user
C: CHG 11 NLN
S: CHG 11 NLN
C: UUX 12 118
<Data>
<PSM></PSM>
<CurrentMedia></CurrentMedia>
<MachineGuid>{44BFD5A4-7450-4BDA-BA3A-C51B3031126D}</MachineGuid>
</Data>
S: UUX 12 0
C: OUT
Client disconnects from server.
Server disconnects client.