WTVP/Processes/First-Time Registration
WTVP |
---|
Overview • List of WTVP Services • WTVP-specific Content-Types • Status Codes |
Concepts |
Tokens • Tickets • Capability Flags |
Headers |
Header List • Data Types • Common Request Headers |
Processes |
First-Time Registration • Headwaiter (Login) • Messenger Services • Favorites • Checking for new mail • Retrieving settings • Obtaining new wtv-tickets • Smart Card • Miscellaneous |
URLs for WTVP Services |
wtv-1800 • wtv-aroundtown • wtv-author • wtv-center • wtv-chat • wtv-content • wtv-cookie • wtv-customscript • wtv-disk • wtv-epguide • wtv-favorite • wtv-flashrom • wtv-guide • wtv-head-waiter • wtv-home • wtv-intro • wtv-log • wtv-mail • wtv-news • wtv-notices • wtv-partner • wtv-passport • wtv-register • wtv-setup • wtv-smartcard • wtv-spot • wtv-star • wtv-tricks • wtv-tutorial |
This page currently will only focus on how the first-generation WebTV/MSN TV clients communicated through dial-up. Information on broadband WebTV/MSN TV (not MSNTV 2) will be added later when more information comes out on that.
Starting the Pre-Registration Process
How WebTV/MSN TV clients communicated with the WebTV/MSN TV network for the first time (no TellyScript installed) is by first dialing a toll-free number. For all US production clients, this number was 1-800-613-8199 (this number has since been decommissioned when the MSN TV service shut down). It's been reported that different types of clients (Daily, Weekly, etc.) use different phone numbers, but what these numbers were is currently unknown.
Once the client is able to dial in to the WebTV/MSN TV ISP with this number, it will start connecting to the "frontend" servers, which use WTVP to communicate with clients. On first-time connections, a client will try to connect to a wtv-1800
server at IP 10.0.0.1, port 1615 through the ISP (this has been observed on Sony and Philips Magnavox Classic box, and a Sony WebTV Plus box), although on the Dreamcast version of WebTV, it will connect to the IP 10.0.1.129. On a successful connection attempt, a WTVP GET
request to service URL "wtv-1800:/preregister" will be sent:
GET wtv-1800:/preregister?scriptless-visit-reason=10&0\r\n wtv-request-type: primary\r\n wtv-system-cpuspeed: 166164662\r\n wtv-system-sysconfig: 3116068\r\n wtv-disk-size: 8006\r\n wtv-incarnation: 2\r\n Accept-Language: en\r\n wtv-connect-session-id: cafa1348\r\n wtv-client-serial-number: {SSID}\r\n wtv-system-version: 16276\r\n wtv-capability-flags: {capability-flags}\r\n wtv-client-bootrom-version: 2046\r\n wtv-client-rom-type: US-LC2-disk-0MB-8MB\r\n wtv-system-chipversion: 53608448\r\n User-Agent: Mozilla/4.0 WebTV/2.8.2 (compatible; MSIE 4.0)\r\n wtv-encryption: true\r\n wtv-script-id: 0\r\n wtv-script-mod: 0\r\n \r\n
The response the server sends is something along the lines of:
200 OK\n Connection: Keep-Alive\n wtv-open-isp-disabled: false\n wtv-visit: wtv-1800:/offer-open-isp-suggest-wtv-token-XXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY?t-baggage-parms=ani-950000000000\n Content-length: 0\n Content-type: text/html\n \n
The purpose of the "wtv-1800:/offer-open-isp-suggest" URL in the wtv-visit
header isn't entirely clear, but the client will go to the URL as instructed by the header and send a GET
request to it. This URL also carries a t-baggage-parms
query string that we cannot figure out, but it contains various "ani" parameters.
"offer-open-isp-suggest"
We don't know what "wtv-1800:/offer-open-isp-suggest" does exactly, but the WebTV/MSN TV client will send a GET
request for this after being instructed to do so by "wtv-1800:/preregister". The response it gets from the request is the following:
200 OK\n Connection: Keep-Alive\n wtv-service: reset\n wtv-service: name=wtv-1800 host=xxx.xxx.xxx.xxx port=1615 flags=0x00000004\n wtv-phone-log-url: wtv-1800:/post-phone-log?t-baggage-parms=ani-950000000000\n Content-length: 0\n Content-type: text/html\n \n
This is the first time we see the wtv-service
command header being used, resetting the service list on the client and adding a service entry for wtv-1800
to an IP address on port 1615. A wtv-phone-log-url
header is also added, pointing to "wtv-1800:/post-phone-log" with another t-baggage-parms
query string.
"post-phone-log"
At least from observing network traffic from a hacked WebTV Viewer, it is assumed a client will immediately POST
to the phone log URL with an entity body of binary nonsense we can't make out at the moment:
POST wtv-1800:/post-phone-log?t-baggage-parms=ani-950000000000\r\n wtv-system-cpuspeed: 166164662\r\n wtv-system-sysconfig: 3116068\r\n wtv-disk-size: 8006\r\n wtv-incarnation: 3\r\n Accept-Language: en\r\n wtv-connect-session-id: cafa1348\r\n wtv-client-serial-number: {SSID}\r\n wtv-system-version: 16276\r\n wtv-capability-flags: {capability-flags}\r\n wtv-client-bootrom-version: 2046\r\n wtv-client-rom-type: US-LC2-disk-0MB-8MB\r\n wtv-system-chipversion: 53608448\r\n User-Agent: Mozilla/4.0 WebTV/2.8.2 (compatible; MSIE 4.0)\r\n wtv-encryption: true\r\n wtv-script-id: 0\r\n wtv-script-mod: 0\r\n Content-type: application/octet-stream\r\n Content-length: 330\r\n \r\n
00 42 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 .B.............. 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0a fe ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 0c 38 07 27 5e c0 ...........8.'^. f5 ab 34 0d 38 07 27 5e 00 10 38 07 27 5e 00 08 ..4.8.'^..8.'^.. 3a 07 27 5e 00 00 00 00 00 00 00 00 10 3a 07 27 :.'^.........:.' 5e 00 06 59 07 27 5e 17 59 07 27 5e 01 06 59 07 ^..Y.'^.Y.'^..Y. 27 5e 0c 33 08 27 5e c0 f5 ab 34 0d 33 08 27 5e '^.3.'^...4.3.'^ 00 10 33 08 27 5e 00 08 63 08 27 5e 00 00 00 00 ..3.'^..c.'^.... 00 00 00 00 06 63 08 27 5e 0c 3d 21 27 5e c0 f5 .....c.'^.=!'^.. ab 34 0d 3d 21 27 5e 00 10 3d 21 27 5e 00 08 41 .4.=!'^..=!'^..A 21 27 5e 00 00 00 00 00 00 00 00 10 41 21 27 5e !'^.........A!'^ 00 10 49 21 27 5e 00 14 57 21 27 5e 49 21 27 5e ..I!'^..W!'^I!'^ 00 00 00 00 00 00 10 57 21 27 5e 00 06 67 21 27 .......W!'^..g!' 5e 17 67 21 27 5e 01 06 67 21 27 5e 0c cc 77 27 ^.g!'^..g!'^..w' 5e c0 f5 ab 34 0d cc 77 27 5e 00 10 cc 77 27 5e ^...4..w'^...w'^ 00 08 f1 77 27 5e 00 00 00 00 00 00 00 00 10 f1 ...w'^.......... 77 27 5e 00 10 0a 78 27 5e 00 w'^...x'^.
Whatever this request does, the server sends back another response to make the client redirect to another wtv-1800
URL, which is the most important one in this transaction:
200 OK\n Connection: Keep-Alive\n wtv-service: reset\n wtv-service: name=wtv-1800 host=xxx.xxx.xxx.xxx port=1615 flags=0x00000004\n wtv-visit: wtv-1800:/finish-prereg-wtv-token-XXXXXXXXXX-YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY?t-baggage-parms=ani-950000000000\n Content-length: 0\n Content-type: text/html\n \n
TellyScript/wtv-initial-key retrieval ("wtv-1800:/finish-prereg")
The "wtv-1800:/finish-prereg" URL is now GET
ed by the client, and the server in response gives it two things it needs: the TellyScript and a "wtv-initial-key" value:
200 OK\n Connection: Keep-Alive\n wtv-initial-key: Hpp+AZ85Vbs=\n Content-Type: text/tellyscript\n wtv-service: reset\n wtv-service: name=wtv-head-waiter host=xxx.xxx.xxx.xxx port=1601 flags=0x00000001 connections=1\n wtv-service: name=wtv-* host=xxx.xxx.xxx.xxx port=1603 flags=0x00000007\n wtv-service: name=wtv-flashrom host=xxx.xxx.xxx.xxx port=1618 flags=0x00000040\n wtv-boot-url: wtv-head-waiter:/login?\n wtv-visit: wtv-head-waiter:/login?\n wtv-client-time-zone: PST -0800\n wtv-client-time-dst-rule: PST\n wtv-client-date: Tue, 21 Jan 2020 22:15:43 GMT\n Content-length: xxxx\n \n {TellyScript data}
The TellyScript gives the client a list of local access numbers for the connecting user's area to dial in order to access the WebTV/MSN TV network. Along with the TellyScript, the wtv-1800
server also sends the client a new round robin list for services wtv-head-waiter
, wtv-*
, and wtv-flashrom
. One that'll be important for this process and future connections for when the client is started up again is wtv-head-waiter
. This is the headwaiter server that the client authenticates through to access WebTV/MSN TV services. The "wtv-initial-key" value the server sends is a Base64-encoded 8-byte BLOB that facilitates challenge/response when logging in on the headwaiter. Also sent with the response is the date (presumably the one at the time the response was sent) and corresponding time zone, and wtv-boot-url
and wtv-visit
headers that both point to the URL wtv-head-waiter:/login?
. The presence of wtv-boot-url
is assumed to configure the client to connect directly to headwaiter when it boots up.
Diagram
Notes
It has been observed on real hardware that once this TellyScript is initially downloaded, it'll dial in to the numbers configured in it and then contact the headwaiter if any dialing attempts are successful.