This document attempts to describe the Yahoo! Instant Messaging protocol
currently supported by Yahoo!'s servers and used by gtkyhoo.

There are two stages to using the Yahoo! Instant Messaging (YIM) servers
to chat with other users:

1) Get some cookies from a cookie server
2) Send and receive packets from the chat server

1) Get some cookies from a cookie server
=============================================

Make an HTTP 1.1 request to:

*1* http://msg.edit.yahoo.com/config/ncclogin?&n=1&login=&passwd=

( with substituted with your Yahoo! ID and likewise substituted with your
password )

Yes, I know, that's your password being sent in clear text in a URL. This
is version 2 of the protocol. Work is underway to support version 3 (that
I believe sends the password encrypted by an equivalent to BSD's crypt).

So, you've now received by HTTP a cookie of the form:

    Y=v=1&n=5liucman434ue&l=kh0d42s/o&p=n23vvuk4020004&r=83&lg=us&intl=us

As you can see, this cookie is structured as a set of sub-cookies:

    Y=
        v=1
        n=5liucman434ue
        l=kh0d42s/o
        p=n23vvuk4020004
        r=83
        lg=us
        intl=us

and the important "sub"-cookie is the one with name 'n'. We shall be
sending that to the chat server with every packet we send.

From this URL we also receive information about your identity. We are
told who your friends are, what your aliases are (and which one you're
using to log on with) and whether or not you have a Yahoo! email account.

e.g. The user 'tranec2' (one of my test accounts) gets the following back:

    OK
    BEGIN BUDDYLIST
    Friends:tranec
    END BUDDYLIST
    BEGIN IGNORELIST
    END IGNORELIST
    BEGIN IDENTITIES
    tranec2
    END IDENTITIES
    Mail=0
    Login=tranec2

From this we can see that tranec2 has logged on as tranec2, has a friend
called tranec in the group 'Friends', has no aliases and doesn't have an
email account at Yahoo!

Parsing this wouldn't seem to be a problem.
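
The cookie and login reply above can be parsed strictly, so that a
truncated or unexpected reply is rejected rather than half-accepted. This
is an added example, not code from gtkyhoo or from the original document.
The function names, the comma separator for several names on one line and
the treatment of any first line other than "OK" as a refusal are
assumptions.

```python
# Added example: strict parser for the cookie and login reply (not gtkyhoo code).
SAMPLE_COOKIE = "Y=v=1&n=5liucman434ue&l=kh0d42s/o&p=n23vvuk4020004&r=83&lg=us&intl=us"
SAMPLE_BODY = ("OK\nBEGIN BUDDYLIST\nFriends:tranec\nEND BUDDYLIST\n"
               "BEGIN IGNORELIST\nEND IGNORELIST\n"
               "BEGIN IDENTITIES\ntranec2\nEND IDENTITIES\nMail=0\nLogin=tranec2\n")
LIST_SECTIONS = {"IGNORELIST": "ignore", "IDENTITIES": "identities"}

def parse_cookie(cookie):
    """Return (name, bare_value, sub_cookies) for 'Y=v=1&n=...' or 'B=91...&b=3'."""
    name, sep, rest = cookie.strip().partition("=")
    if not sep or not name:
        raise ValueError("not a cookie: %r" % cookie)
    value, subs = "", {}
    for i, pair in enumerate(rest.split("&")):
        key, eq, val = pair.partition("=")
        if eq and key:
            subs[key] = val
        elif i == 0:
            value = pair  # bare leading value, as in the B cookie
        else:
            raise ValueError("malformed sub-cookie: %r" % pair)
    return name, value, subs

def parse_login_reply(body):
    """Parse the status line, BEGIN/END sections and trailing key=value fields."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines or lines[0] != "OK":  # assumption: anything else is a refusal
        raise ValueError("login not accepted")
    reply = {"buddies": {}, "ignore": [], "identities": [], "fields": {}}
    section = None
    # Assumption: several names on one line are comma-separated (page shows one).
    for ln in lines[1:]:
        if ln.startswith(("BEGIN ", "END ")):
            word, _, label = ln.partition(" ")
            if (word == "BEGIN") != (section is None) or (word == "END" and label != section):
                raise ValueError("unbalanced section marker: %r" % ln)
            section = label if word == "BEGIN" else None
        elif section == "BUDDYLIST" and ":" in ln:
            group, _, names = ln.partition(":")
            reply["buddies"].setdefault(group, []).extend(filter(None, names.split(",")))
        elif section in LIST_SECTIONS:
            reply[LIST_SECTIONS[section]].extend(filter(None, ln.split(",")))
        elif section is None and "=" in ln:
            reply["fields"].update([ln.split("=", 1)])
        else:
            raise ValueError("unexpected line: %r" % ln)
    if section is not None:
        raise ValueError("unterminated section: %s" % section)
    return reply
```

parse_cookie(SAMPLE_COOKIE)[2]["n"] is the value sent to the chat server
with every packet.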

I'm not sure about the next bit but it seems that this cookie needs to be
seen by another Yahoo server and so we get via HTTP 1.1:

*2* http://msg.edit.yahoo.com/config/get_buddylist?.src=bl

but we supply the cookie retrieved from *1* and we'll get another cookie
back:

    B=91nihh0tje3td&b=3

        B=91nihh0tje3td
        b=3

The HTTP 1.1 request to *2* also returns the same data as the HTTP 1.1
request to *1*.

Okay, now we have some cookies we can open a socket to the **real** chat
server and "log on" to it.

There are two ways in which we can do **real** chatting:

1) Open a socket to cs.yhoo.com on port 5050
2) Use an HTTP 1.1 "tunnel" at http://http.pager.yahoo.com:80