Trac is being migrated to new services! Issues can be found in our new YouTrack instance and WIKI pages can be found on our website.

Version 1 (modified by queueram, 16 years ago) (diff)

--

Unofficial Steam Friends Protocol Specification

Introduction

Steam Friends is an instant messaging protocol that is built into Steam, a game content delivery system developed by Valve. This page details the protocol specification for Steam Friends as was ascertained though reverse-engineering.

Connection

Steam Friends uses UDP on port 27017. Connections have been made to the following servers:

  • 68.142.64.165
  • 68.142.64.164

Layers

On top of UDP, another layer is implemented to keep track of sequencing and splitting of packets. This layers prepends every packet with the following 36-byte structure:

04812
00:"VS01"typedestinationsource
10:sequence #response #split count seq. # of 1st packet
20:data length

Note: These values are little-endian, which is not network order.

FieldtypeLength (bytes)Description
"VS01"string (non-null terminated)4the 4 characters 'V', 'S', '0', '1'
typebit-field4a bit field describing the type of packet (needs further analysis)
destinationinteger4the destination ID of the packet
sourceinteger4the source ID of the packet
sequence #integer4the packet's sequence number. server and client keep track of own numbers
response #integer4if packet is sent as response to another packet, this is that packet sequence #
split countinteger4the number of packets the current message was split in to
seq. # of 1st packetinteger4the sequence number of the first packet for current message
data lengthinteger4the length of the data that follows

Login sequence

  1. Client initiates the login by sending a type '0x00020004' packet to the server with no data, and sequence # 1
    00:   56 53 30 31 00 00 01 04 00 02 00 00 00 00 00 00
    10:   01 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00
    20:   00 00 00 00
    
  2. Server responds with type '0x04020004' (first one ORed with 0x04000000) with 4 bytes of data attached (although the data length field is 0), sequence: 1, response: 1, src: 0x00000200
    00:   56 53 30 31 04 00 02 00 00 00 00 00 00 02 00 00
    10:   01 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00
    20:   00 00 00 00 f9 8d 22 25
    
  3. Client responds with type '0x04030004' (previous ORed with 0x00010000) with 4 bytes of data attached (with 4 as data size). That 4 bytes corresponds to the 4 bytes that the server sent XORed with 0xA426DF2B. sequence: 2, response: 1, dest: 0x00000200
    00:   56 53 30 31 04 00 03 04 00 02 00 00 00 00 00 00
    10:   02 00 00 00 01 00 00 00 01 00 00 00 02 00 00 00
    20:   04 00 00 00 d2 52 04 81
    
  4. Server responds with type '0x04040000' (possibly as some sort of ACK). sequence: 2, response: 2, dest: this becomes the source for all subsequent packets from client
    00:   56 53 30 31 00 00 04 04 00 34 7e fe 00 02 00 00
    10:   02 00 00 00 02 00 00 00 01 00 00 00 02 00 00 00
    20:   00 00 00 00
    
  5. Server sends type '0x0406001c' with the following data stream: "17 05 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 01 00 00 00 01 00 00 00". sequence: 3, response: 2
    00:   56 53 30 31 1c 00 06 04 00 34 7e fe 00 02 00 00
    10:   03 00 00 00 02 00 00 00 01 00 00 00 03 00 00 00
    20:   1c 00 00 00 17 05 00 00 ff ff ff ff ff ff ff ff
    30:   ff ff ff ff ff ff ff ff 01 00 00 00 01 00 00 00
    
  6. Client responds type '0x040600a4' with the following data stream: "18 05 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 01 00 00 00 80 00 00 00 [132 bytes here] 00 00 00 00". The 132 bytes are always different.
    00:   56 53 30 31 a4 00 06 04 00 02 00 00 00 34 7e fe
    10:   03 00 00 00 03 00 00 00 01 00 00 00 03 00 00 00
    20:   a4 00 00 00 18 05 00 00 ff ff ff ff ff ff ff ff
    30:   ff ff ff ff ff ff ff ff 01 00 00 00 80 00 00 00
    40:   xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
    50:   xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
    60:   xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
    70:   xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
    80:   xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
    90:   xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
    a0:   xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
    b0:   xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx
    c0:   xx xx xx xx 00 00 00 00
    
  7. Server responds with type '0x04060018' with the following data: "19 05 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 01 00 00 00"
    00:   56 53 30 31 18 00 06 04 00 34 7e fe 00 02 00 00
    10:   04 00 00 00 03 00 00 00 01 00 00 00 04 00 00 00
    20:   18 00 00 00 19 05 00 00 ff ff ff ff ff ff ff ff
    30:   ff ff ff ff ff ff ff ff 01 00 00 00
    

Encryption

All information, including names and email addresses, entered onto this website or sent to mailing lists affiliated with this website will be public. Do not post confidential information, especially passwords!