WTVP/Processes/First-Time Registration

From WebTV Wiki
Jump to navigation Jump to search
WTVP
OverviewList of WTVP ServicesWTVP-specific Content-TypesStatus Codes
Concepts
TokensTicketsCapability Flags
Headers
Header ListData TypesCommon Request Headers
Processes
First-Time RegistrationHeadwaiter (Login)Messenger ServicesFavoritesChecking for new mailRetrieving settingsObtaining new wtv-ticketsSmart CardMiscellaneous
URLs for WTVP Services
wtv-1800wtv-aroundtownwtv-authorwtv-centerwtv-chatwtv-contentwtv-cookiewtv-customscriptwtv-diskwtv-epguidewtv-favoritewtv-flashromwtv-guidewtv-head-waiterwtv-homewtv-introwtv-logwtv-mailwtv-newswtv-noticeswtv-partnerwtv-passportwtv-registerwtv-setupwtv-smartcardwtv-spotwtv-starwtv-trickswtv-tutorial

This page currently will only focus on how the first-generation WebTV/MSN TV clients communicated through dial-up. Information on broadband WebTV/MSN TV (not MSNTV 2) will be added later when more information comes out on that.



Starting the Pre-Registration Process

How WebTV/MSN TV clients communicated with the WebTV/MSN TV network for the first time (no TellyScript installed) is by first dialing a toll-free number. For all US production clients, this number was 1-800-613-8199 (this number has since been decommissioned when the MSN TV service shut down). It's been reported that different types of clients (Daily, Weekly, etc.) use different phone numbers, but what these numbers were is currently unknown.

Once the client is able to dial in to the WebTV/MSN TV ISP with this number, it will start connecting to the "frontend" servers, which use WTVP to communicate with clients. On first-time connections, a client will try to connect to a wtv-1800 server at IP 10.0.0.1, port 1615 through the ISP (this has been observed on Sony and Philips Magnavox Classic box, and a Sony WebTV Plus box), although on the Dreamcast version of WebTV, it will connect to the IP 10.0.1.129. On a successful connection attempt, a WTVP GET request to service URL "wtv-1800:/preregister" will be sent:

GET wtv-1800:/preregister?scriptless-visit-reason=10&0\r\n
wtv-request-type: primary\r\n
wtv-system-cpuspeed: 166164662\r\n
wtv-system-sysconfig: 3116068\r\n
wtv-disk-size: 8006\r\n
wtv-incarnation: 2\r\n
Accept-Language: en\r\n
wtv-connect-session-id: cafa1348\r\n
wtv-client-serial-number: {SSID}\r\n
wtv-system-version: 16276\r\n
wtv-capability-flags: {capability-flags}\r\n
wtv-client-bootrom-version: 2046\r\n
wtv-client-rom-type: US-LC2-disk-0MB-8MB\r\n
wtv-system-chipversion: 53608448\r\n
User-Agent: Mozilla/4.0 WebTV/2.8.2 (compatible; MSIE 4.0)\r\n
wtv-encryption: true\r\n
wtv-script-id: 0\r\n
wtv-script-mod: 0\r\n
\r\n

The response the server sends is something along the lines of:

200 OK\n
Connection: Keep-Alive\n
wtv-open-isp-disabled: false\n
wtv-visit: wtv-1800:/offer-open-isp-suggest-wtv-token-XXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY?t-baggage-parms=ani-950000000000\n
Content-length: 0\n
Content-type: text/html\n
\n

The purpose of the "wtv-1800:/offer-open-isp-suggest" URL in the wtv-visit header isn't entirely clear, but the client will go to the URL as instructed by the header and send a GET request to it. This URL also carries a t-baggage-parms query string that we cannot figure out, but it contains various "ani" parameters.

"offer-open-isp-suggest"

We don't know what "wtv-1800:/offer-open-isp-suggest" does exactly, but the WebTV/MSN TV client will send a GET request for this after being instructed to do so by "wtv-1800:/preregister". The response it gets from the request is the following:

200 OK\n
Connection: Keep-Alive\n
wtv-service: reset\n
wtv-service: name=wtv-1800 host=xxx.xxx.xxx.xxx port=1615 flags=0x00000004\n
wtv-phone-log-url: wtv-1800:/post-phone-log?t-baggage-parms=ani-950000000000\n
Content-length: 0\n
Content-type: text/html\n
\n

This is the first time we see the wtv-service command header being used, resetting the service list on the client and adding a service entry for wtv-1800 to an IP address on port 1615. A wtv-phone-log-url header is also added, pointing to "wtv-1800:/post-phone-log" with another t-baggage-parms query string.

"post-phone-log"

At least from observing network traffic from a hacked WebTV Viewer, it is assumed a client will immediately POST to the phone log URL with an entity body of binary nonsense we can't make out at the moment:

POST wtv-1800:/post-phone-log?t-baggage-parms=ani-950000000000\r\n
wtv-system-cpuspeed: 166164662\r\n
wtv-system-sysconfig: 3116068\r\n
wtv-disk-size: 8006\r\n
wtv-incarnation: 3\r\n
Accept-Language: en\r\n
wtv-connect-session-id: cafa1348\r\n
wtv-client-serial-number: {SSID}\r\n
wtv-system-version: 16276\r\n
wtv-capability-flags: {capability-flags}\r\n
wtv-client-bootrom-version: 2046\r\n
wtv-client-rom-type: US-LC2-disk-0MB-8MB\r\n
wtv-system-chipversion: 53608448\r\n
User-Agent: Mozilla/4.0 WebTV/2.8.2 (compatible; MSIE 4.0)\r\n
wtv-encryption: true\r\n
wtv-script-id: 0\r\n
wtv-script-mod: 0\r\n
Content-type: application/octet-stream\r\n
Content-length: 330\r\n
\r\n
00 42 00 1e 00 00 00 00 00 00 00 00 00 00 00 00   .B..............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a fe   ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00   ................
00 00 00 00 00 00 00 00 00 00 0c 38 07 27 5e c0   ...........8.'^.
f5 ab 34 0d 38 07 27 5e 00 10 38 07 27 5e 00 08   ..4.8.'^..8.'^..
3a 07 27 5e 00 00 00 00 00 00 00 00 10 3a 07 27   :.'^.........:.'
5e 00 06 59 07 27 5e 17 59 07 27 5e 01 06 59 07   ^..Y.'^.Y.'^..Y.
27 5e 0c 33 08 27 5e c0 f5 ab 34 0d 33 08 27 5e   '^.3.'^...4.3.'^
00 10 33 08 27 5e 00 08 63 08 27 5e 00 00 00 00   ..3.'^..c.'^....
00 00 00 00 06 63 08 27 5e 0c 3d 21 27 5e c0 f5   .....c.'^.=!'^..
ab 34 0d 3d 21 27 5e 00 10 3d 21 27 5e 00 08 41   .4.=!'^..=!'^..A
21 27 5e 00 00 00 00 00 00 00 00 10 41 21 27 5e   !'^.........A!'^
00 10 49 21 27 5e 00 14 57 21 27 5e 49 21 27 5e   ..I!'^..W!'^I!'^
00 00 00 00 00 00 10 57 21 27 5e 00 06 67 21 27   .......W!'^..g!'
5e 17 67 21 27 5e 01 06 67 21 27 5e 0c cc 77 27   ^.g!'^..g!'^..w'
5e c0 f5 ab 34 0d cc 77 27 5e 00 10 cc 77 27 5e   ^...4..w'^...w'^
00 08 f1 77 27 5e 00 00 00 00 00 00 00 00 10 f1   ...w'^..........
77 27 5e 00 10 0a 78 27 5e 00                     w'^...x'^.

Whatever this request does, the server sends back another response to make the client redirect to another wtv-1800 URL, which is the most important one in this transaction:

200 OK\n
Connection: Keep-Alive\n
wtv-service: reset\n
wtv-service: name=wtv-1800 host=xxx.xxx.xxx.xxx port=1615 flags=0x00000004\n
wtv-visit: wtv-1800:/finish-prereg-wtv-token-XXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY?t-baggage-parms=ani-950000000000\n
Content-length: 0\n
Content-type: text/html\n
\n

TellyScript/wtv-initial-key retrieval ("wtv-1800:/finish-prereg")

The "wtv-1800:/finish-prereg" URL is now GETed by the client, and the server in response gives it two things it needs: the TellyScript and a "wtv-initial-key" value:

200 OK\n
Connection: Keep-Alive\n
wtv-initial-key: Hpp+AZ85Vbs=\n
Content-Type: text/tellyscript\n
wtv-service: reset\n
wtv-service: name=wtv-head-waiter host=xxx.xxx.xxx.xxx port=1601 flags=0x00000001 connections=1\n
wtv-service: name=wtv-* host=xxx.xxx.xxx.xxx port=1603 flags=0x00000007\n
wtv-service: name=wtv-flashrom host=xxx.xxx.xxx.xxx port=1618 flags=0x00000040\n
wtv-boot-url: wtv-head-waiter:/login?\n
wtv-visit: wtv-head-waiter:/login?\n
wtv-client-time-zone: PST -0800\n
wtv-client-time-dst-rule: PST\n
wtv-client-date: Tue, 21 Jan 2020 22:15:43 GMT\n
Content-length: xxxx\n
\n
{TellyScript data}

The TellyScript gives the client a list of local access numbers for the connecting user's area to dial in order to access the WebTV/MSN TV network. Along with the TellyScript, the wtv-1800 server also sends the client a new round robin list for services wtv-head-waiter, wtv-*, and wtv-flashrom. One that'll be important for this process and future connections for when the client is started up again is wtv-head-waiter. This is the headwaiter server that the client authenticates through to access WebTV/MSN TV services. The "wtv-initial-key" value the server sends is a Base64-encoded 8-byte BLOB that facilitates challenge/response when logging in on the headwaiter. Also sent with the response is the date (presumably the one at the time the response was sent) and corresponding time zone, and wtv-boot-url and wtv-visit headers that both point to the URL wtv-head-waiter:/login?. The presence of wtv-boot-url is assumed to configure the client to connect directly to headwaiter when it boots up.

Diagram

Diagram of first-time connection

Notes

It has been observed on real hardware that once this TellyScript is initially downloaded, it'll dial in to the numbers configured in it and then contact the headwaiter if any dialing attempts are successful.