Post by Keith Henrickson on Jul 3, 2005 13:38:46 GMT -5
I've actually got a good deal of the protocol understood. My challenge is finding the time to do anything with it.
One challenge to be overcome is understanding the disk file format. There are only 3 'real' programs on the disk. "*", "CHANGE ACCESS", and "DSK". The remaining programs are all loaded through the three letter filenames, as has been discussed on other threads. These files are simply track/sector pointers to the real files to be loaded. However, you ONLY have to learn about this if you want to write your own BASIC games to run inside people connection. Since each file has a header saying what to do with it, and can be lightly compressed/encrypted, this would need some exploration.
However, most people are probably interested in bringing back the service. It's not THAT hard to get your head around the protocol.
The Tymnet/Telenet login stuff is EASY to fake. Simply send the following string. C format for any programmers out there. "IDENTIFIER\xBA\xBA+" That's it. Just use a phone number like "/555-5555" to use the Tymnet (I believe) login. Don't worry about what the commands mean. It's useless once you get connected.
Next comes layer 2. The client will send "\x5a\x4*\x*1\x4*\x*1\x7F\x7F\x23\x07\x09\x0D"
The 5A and the 0D are framing characters. They were used by the system to pick each packet apart. The stuff with the '*' is the CRC. It is NOT a custom CRC, it is plain jane CRC-16, padded with the 4's and the 1's. Why they did THAT, I have no clue. The next two bytes are sequence numbers. The first byte is the packet # that is being transmitted. The second byte is the last packet number successfully received by the sender of the packet. It ALWAYS starts at 0x7F, and wraps around to 0x10. For instance, if I am sending packet 0x15, and I have most recently received your packet 0x11, then the bytes would be "\x15\x11". This way every time you receive a packet, you know which of YOUR packets the other guy has received so that you can throw away the copies you kept and free up memory. The "\x23\x07\x09" is saying, "I am a confused client, and my version number is 9.7."
To respond to this, the server sends back "\x5A\x4*\x*1\x4*\x*1\x7F\x7F\x24\x0D". The "\x24" tells the client, "You're OK. I understand you, and we'll start all over."
For those of you who have worked at VERY low levels with ISDN, you will recognize some of this from Q.921. Interesting. Of course, all the numbers have changed and stuff, and the CRCs are added. But the concept is the same. LAPM on modems is actually quite similar too. Again, in ISDN terms, "\x23" is like a SABME, and "\x24" is like a UA.
Once you exchange these two packets, layer 2 is up. YAY. The client will switch from "Waiting for access to Q-Link..." to "Verifying your account details".
It will then send a packet like: "\x5A\x4*\x*1\x4*\x*1\x10\x7F\x20DD1234567890ABCD\x0d"
Ok, now "\x20" says that this is a data packet. Data packets, and ONLY data packets increment our packet number. That's why the "\x7F" changed to a "\x10". Yay. Now, the next two bytes are always two alphanumerics. That is the command the client is sending. "DD" means, "logging in with account number and validation code". The first ten digits are your account number, NOT your screen name. The screen name is NEVER sent to the server. The last four letters are a validation code. Sort of a password.
If your account is valid, the server will respond "D3EFGH". D3 says to write a new validation code, and the new code, which will be used on the NEXT login, is "EFGH".
When the client has done so, it will send "D6", saying it wrote the code without errors.
The server will then send either a "DO", to display the main menu, or it will send the welcome text using "SM/SE". All lines but the last are sent with SM, and the last line is sent with SE. That way the client knows you have the whole thing, and lets you press F5 to go to the main menu.
I know a LOT more, and if there is real interest I will write it up.
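The framing, CRC padding, sequence numbering and DD/D3/D6/DO login exchange described in the post, worked through as an added Python example. This is not Keith's code or anything from the original Q-Link software; it is a model written from his description. Several things are assumptions because the post does not state them: the CRC variant (the post only says "plain CRC-16", so CRC-16/ARC with polynomial 0x8005 is used as a placeholder), what bytes the CRC covers (assumed to be everything between the CRC field and the trailing 0x0D), that payloads never contain 0x5A or 0x0D (no escaping is modelled), and what the server does on a bad login (the post does not say, so the model simply rejects it). The account table and validation codes are constructed sample values. The parser checks framing and CRC before trusting anything in the frame, which is the part a defender reimplementing the service would want to get right.

```python
import hmac

SOF, EOF = 0x5A, 0x0D          # framing bytes from the post
SEQ_INIT, SEQ_WRAP = 0x7F, 0x10  # sequence numbers start at 0x7F and wrap to 0x10
PKT_SETUP, PKT_SETUP_ACK, PKT_DATA = 0x23, 0x24, 0x20  # 0x23 ~ SABME, 0x24 ~ UA, 0x20 = data (names are mine)


def crc16_arc(data: bytes) -> int:
    """CRC-16/ARC (poly 0x8005 reflected, init 0). ASSUMPTION: the post names no CRC variant."""
    crc = 0
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def encode_crc(crc: int) -> bytes:
    """Pack a 16-bit CRC as "\\x4*\\x*1\\x4*\\x*1": 0x40|hi-nibble, (lo-nibble<<4)|0x01 per byte."""
    out = bytearray()
    for byte in ((crc >> 8) & 0xFF, crc & 0xFF):
        out += bytes([0x40 | (byte >> 4), ((byte & 0x0F) << 4) | 0x01])
    return bytes(out)


def decode_crc(enc: bytes) -> int:
    """Undo encode_crc, rejecting anything that does not carry the 4/1 padding."""
    if len(enc) != 4:
        raise ValueError("CRC field must be 4 bytes")
    value = 0
    for i in (0, 2):
        hi, lo = enc[i], enc[i + 1]
        if (hi & 0xF0) != 0x40 or (lo & 0x0F) != 0x01:
            raise ValueError("malformed CRC padding")
        value = (value << 8) | ((hi & 0x0F) << 4) | (lo >> 4)
    return value


def next_seq(seq: int) -> int:
    """Only data packets advance this; 0x7F is followed by 0x10, then 0x11, ..."""
    return SEQ_WRAP if seq == SEQ_INIT else seq + 1


def build_frame(tx_seq: int, rx_ack: int, ptype: int, payload: bytes = b"") -> bytes:
    body = bytes([tx_seq, rx_ack, ptype]) + payload
    # ASSUMPTION: CRC covers seq, ack, type and payload; the post does not say.
    return bytes([SOF]) + encode_crc(crc16_arc(body)) + body + bytes([EOF])


def parse_frame(frame: bytes) -> dict:
    """Validate framing and CRC before returning any field; untrusted input is rejected early."""
    if len(frame) < 9 or frame[0] != SOF or frame[-1] != EOF:
        raise ValueError("bad framing")
    body = frame[5:-1]
    if crc16_arc(body) != decode_crc(frame[1:5]):
        raise ValueError("CRC mismatch")
    return {"seq": body[0], "ack": body[1], "type": body[2], "payload": bytes(body[3:])}


def server_handle(ptype: int, payload: bytes, accounts: dict, new_code: bytes = b"EFGH"):
    """Server side of the exchange in the post. Returns (type, payload) of the reply."""
    if ptype == PKT_SETUP:
        return PKT_SETUP_ACK, b""            # "You're OK, we'll start all over"
    if ptype != PKT_DATA or len(payload) < 2:
        raise ValueError("unexpected packet")
    cmd, args = payload[:2], payload[2:]
    if cmd == b"DD":                         # 10-digit account + 4-char validation code
        if len(args) != 14:
            raise ValueError("malformed DD")
        acct, code = args[:10], args[10:]
        if not hmac.compare_digest(accounts.get(acct, b""), code):
            raise ValueError("login rejected")  # ASSUMPTION: post gives no failure reply
        accounts[acct] = new_code            # D3: client must store this for NEXT login
        return PKT_DATA, b"D3" + new_code
    if cmd == b"D6":                         # client wrote the code without errors
        return PKT_DATA, b"DO"               # show the main menu
    raise ValueError("unknown command")


def login_exchange(account: bytes, code: bytes, accounts: dict) -> list:
    """Drive both sides through setup and login; returns [(sender, type, payload), ...]."""
    transcript = []
    c_seq = s_seq = SEQ_INIT   # each side's own data-packet counter

    def deliver(sender, ptype, payload, seq, ack):
        parsed = parse_frame(build_frame(seq, ack, ptype, payload))  # receiver validates
        transcript.append((sender, parsed["type"], parsed["payload"]))
        return parsed

    pkt = deliver("client", PKT_SETUP, b"", c_seq, SEQ_INIT)        # \x7F\x7F\x23
    t, p = server_handle(pkt["type"], pkt["payload"], accounts)
    deliver("server", t, p, s_seq, pkt["seq"])                      # \x7F\x7F\x24
    for cmd in (b"DD" + account + code, b"D6"):
        c_seq = next_seq(c_seq)                                     # first data packet is 0x10
        pkt = deliver("client", PKT_DATA, cmd, c_seq, s_seq)
        t, p = server_handle(pkt["type"], pkt["payload"], accounts)
        s_seq = next_seq(s_seq)
        deliver("server", t, p, s_seq, pkt["seq"])
    return transcript


if __name__ == "__main__":
    accts = {b"1234567890": b"ABCD"}   # constructed sample account, not real data
    for sender, ptype, payload in login_exchange(b"1234567890", b"ABCD", accts):
        print(f"{sender:6s} type=0x{ptype:02X} payload={payload!r}")
```

Running the block prints the six frames of the exchange in order (0x23, 0x24, DD..., D3EFGH, D6, DO) and leaves the sample account holding the new code EFGH. Feeding `parse_frame` a frame with a flipped payload byte raises `ValueError` from the CRC check, which is the behaviour a reimplemented server should have rather than acting on unverified data.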