BNETDocs
Battle.net Chat Server Protocol Overview

The Battle.Net Chat Server ("BNCS") is the unofficial name of the protocol that Blizzard's Battle.net-enabled games used to communicate. The games that historically used this protocol are Diablo, StarCraft, WarCraft II, Diablo II, WarCraft III, and their expansions. This is now referred to as "Classic" or "Classic Battle.net" these days. The protocol operates on TCP port 6112 (and UDP port 6112 for pre-Diablo II player-to-player communication).

It is a binary protocol with very little encryption (it's there for password and product key exchanges, but otherwise absent), stemming from the age where every byte mattered back in 1996.

BNCS Headers

Every BNCS message has the same header:

 (UINT8) Always 0xFF
 (UINT8) Message ID
(UINT16) Message length, including this header
  (VOID) Message data

The BNCS protocol is aggressively enforced by Battle.net - at least, for clients - and violations of the protocol generally result in an IP ban.

Protocol Byte

When connecting to a BNCS server, you must first tell the server which protocol you wish to use by sending a protocol ID byte before any messages. Some of the protocol IDs are:

  • Game: 0x01 (see below for the logon sequences)
  • BNFTP: 0x02 (see BNFTPv1 or BNFTPv2 for the protocols)
  • Telnet (Chat): 0x03, 0x63 (see Telnet Protocol for the protocol) DEFUNCT

Other Battle.net protocol IDs exist. We know of MCP to BNCS communication (0x04). There is also the 0x06 and 0x81 protocols, which we know almost nothing about. At a guess, 0x06 is used for interserver synchronization (see this thread).

Logon Sequences

This section documents the sequences of messages that must be sent, and should be received, in order to log on using a particular product. Products may be able to use methods other than the ones shown here: this page documents the sequences observed in the official clients. These sequences may vary from time to time, as product updates are released.

You will also need the Product Identification document to understand how to identify as each product.

Prior to initiating any of the game protocol logon sequences, you will need to send the game protocol byte (0x01).

Starcraft and Brood War (pre-1.18)

StarCraft 1.18 and later versions no longer use the BNCS protocol as detailed here. StarCraft Shareware and StarCraft Japanese products present a required update to the now-free StarCraft 1.18 client.

  1. C > S [0x50] SID_AUTH_INFO
  2. S > C [0x25] SID_PING
  3. C > S [0x25] SID_PING (optional)
  4. S > C [0x50] SID_AUTH_INFO
  5. C > S [0x51] SID_AUTH_CHECK
  6. S > C [0x51] SID_AUTH_CHECK
  7. Client gets icons file, TOS file, and server list file:
    1. C > S [0x2D] SID_GETICONDATA (optional)
    2. S > C [0x2D] SID_GETICONDATA (optional response)
    3. C > S [0x33] SID_GETFILETIME (returned icons file name) (optional)
    4. C > S [0x33] SID_GETFILETIME ("tos_USA.txt") (optional)
    5. C > S [0x33] SID_GETFILETIME ("bnserver.ini") (optional)
    6. S > C [0x33] SID_GETFILETIME (one for each request)
    7. Connection to BNFTPv1 to do file downloads
  8. Client waits for user to enter account information (standard logon shown):
    1. C > S [0x3A] SID_LOGONRESPONSE2
    2. S > C [0x3A] SID_LOGONRESPONSE2
  9. C > S [0x14] SID_UDPPINGRESPONSE (optional)
  10. Client then enters chat.

Diablo II and Lord of Destruction

  1. C > S [0x50] SID_AUTH_INFO
  2. S > C [0x25] SID_PING
  3. C > S [0x25] SID_PING (optional)
  4. S > C [0x50] SID_AUTH_INFO
  5. C > S [0x51] SID_AUTH_CHECK
  6. S > C [0x51] SID_AUTH_CHECK
  7. Client gets TOS file:
    1. C > S [0x33] SID_GETFILETIME ("tos_USA.txt") (optional)
    2. S > C [0x33] SID_GETFILETIME (one for each request)
    3. Connection to BNFTPv1 to do file downloads
  8. Client waits for user to enter account information (standard logon shown):
    1. C > S [0x3A] SID_LOGONRESPONSE2
    2. S > C [0x3A] SID_LOGONRESPONSE2
  9. Client does realm logon here for closed Battle.net:
    1. C > S [0x40] SID_QUERYREALMS2
    2. S > C [0x40] SID_QUERYREALMS2
    3. C > S [0x3E] SID_LOGONREALMEX
    4. S > C [0x3E] SID_LOGONREALMEX
    5. Connection to MCP Realm server follows
  10. C > S [0x0B] SID_GETCHANNELLIST
  11. C > S [0x0A] SID_ENTERCHAT
  12. S > C [0x0B] SID_GETCHANNELLIST
  13. S > C [0x0A] SID_ENTERCHAT
  14. C > S [0x46] SID_NEWS_INFO (optional)
  15. S > C [0x46] SID_NEWS_INFO (optional response)
  16. Client waits until user wants to Enter Chat.
  17. C > S [0x0C] SID_JOINCHANNEL (D2 First Join if no home channel set)
  18. S > C [0x0F] SID_CHATEVENT
  19. A sequence of chat events for entering chat follow.

Warcraft II BNE

  1. C > S [0x1E] SID_CLIENTID2
  2. C > S [0x12] SID_LOCALEINFO
  3. C > S [0x06] SID_STARTVERSIONING
  4. S > C [0x1D] SID_LOGONCHALLENGEEX
  5. S > C [0x25] SID_PING
  6. C > S [0x25] SID_PING (optional)
  7. S > C [0x06] SID_STARTVERSIONING
  8. C > S [0x07] SID_REPORTVERSION
  9. S > C [0x07] SID_REPORTVERSION
  10. C > S [0x14] SID_UDPPINGRESPONSE (optional)
  11. C > S [0x36] SID_CDKEY2
  12. S > C [0x36] SID_CDKEY2
  13. Client gets icons file, TOS file, and server list file:
    1. C > S [0x2D] SID_GETICONDATA (optional)
    2. S > C [0x2D] SID_GETICONDATA (optional response)
    3. C > S [0x33] SID_GETFILETIME (returned icons file name) (optional)
    4. C > S [0x33] SID_GETFILETIME ("tos_USA.txt") (optional)
    5. C > S [0x33] SID_GETFILETIME ("bnserver.ini") (optional)
    6. S > C [0x33] SID_GETFILETIME (one for each request)
    7. Connection to BNFTPv1 to do file downloads
  14. Client waits for user to enter account information (standard logon shown):
    1. C > S [0x29] SID_LOGONRESPONSE
    2. S > C [0x29] SID_LOGONRESPONSE
  15. Client then enters chat.

Warcraft III Reign of Chaos and The Frozen Throne

  1. C > S [0x50] SID_AUTH_INFO
  2. S > C [0x25] SID_PING
  3. C > S [0x25] SID_PING (optional)
  4. S > C [0x50] SID_AUTH_INFO
  5. C > S [0x51] SID_AUTH_CHECK
  6. S > C [0x51] SID_AUTH_CHECK
  7. Client gets icons file, TOS file, and server list file:
    1. C > S [0x2D] SID_GETICONDATA (optional)
    2. S > C [0x2D] SID_GETICONDATA (optional response)
    3. C > S [0x33] SID_GETFILETIME (returned icons file name) (optional)
    4. C > S [0x33] SID_GETFILETIME ("tos_USA.txt") (optional)
    5. C > S [0x33] SID_GETFILETIME ("bnserver.ini") (optional)
    6. S > C [0x33] SID_GETFILETIME (one for each request)
    7. Connection to BNFTPv2 to do file downloads
  8. Client waits for user to enter account information (standard logon shown, uses NLS):
    1. C > S [0x53] SID_AUTH_ACCOUNTLOGON
    2. S > C [0x53] SID_AUTH_ACCOUNTLOGON
    3. C > S [0x54] SID_AUTH_ACCOUNTLOGONPROOF
    4. S > C [0x54] SID_AUTH_ACCOUNTLOGONPROOF
  9. C > S [0x45] SID_NETGAMEPORT (optional)
  10. C > S [0x0A] SID_ENTERCHAT
  11. S > C [0x0A] SID_ENTERCHAT
  12. C > S [0x44] SID_WARCRAFTGENERAL (WID_TOURNAMENT) (optional)
  13. S > C [0x44] SID_WARCRAFTGENERAL (WID_TOURNAMENT) (optional response)
  14. C > S [0x46] SID_NEWS_INFO (optional)
  15. S > C [0x46] SID_NEWS_INFO (optional response)
  16. Client waits until user wants to Enter Chat.
  17. C > S [0x0C] SID_JOINCHANNEL (First Join, "W3")
  18. S > C [0x0F] SID_CHATEVENT
  19. A sequence of chat events for entering chat follow.

Warcraft III Demo (defunct)

  1. C > S [0x50] SID_AUTH_INFO
  2. S > C [0x25] SID_PING
  3. C > S [0x25] SID_PING (optional)
  4. S > C [0x50] SID_AUTH_INFO
  5. C > S [0x51] SID_AUTH_CHECK
  6. S > C [0x51] SID_AUTH_CHECK
  7. C > S [0x53] SID_AUTH_ACCOUNTLOGON*
  8. S > C [0x54] SID_AUTH_ACCOUNTLOGONPROOF
  9. C > S [0x45] SID_NETGAMEPORT (optional)

Note: W3DM does not enter chat, nor does it validate account passwords.

Starcraft Shareware (defunct)

StarCraft 1.18 and later versions no longer use the BNCS protocol as detailed here. StarCraft Shareware and StarCraft Japanese products present a required update to the now-free StarCraft 1.18 client.

  1. C > S [0x05] SID_CLIENTID
  2. C > S [0x12] SID_LOCALEINFO (optional)
  3. C > S [0x2B] SID_SYSTEMINFO (optional)
  4. C > S [0x06] SID_STARTVERSIONING
  5. S > C [0x05] SID_CLIENTID
  6. S > C [0x28] SID_LOGONCHALLENGE
  7. S > C [0x25] SID_PING
  8. C > S [0x25] SID_PING (optional)
  9. S > C [0x06] SID_STARTVERSIONING
  10. C > S [0x07] SID_REPORTVERSION
  11. S > C [0x07] SID_REPORTVERSION
  12. Client waits for user to enter account information (standard logon shown):
    1. C > S [0x29] SID_LOGONRESPONSE
    2. S > C [0x29] SID_LOGONRESPONSE
  13. C > S [0x14] SID_UDPPINGRESPONSE (optional)
  14. Client then enters chat.

Starcraft Japanese (defunct)

StarCraft 1.18 and later versions no longer use the BNCS protocol as detailed here. StarCraft Shareware and StarCraft Japanese products present a required update to the now-free StarCraft 1.18 client.

  1. C > S [0x05] SID_CLIENTID
  2. C > S [0x12] SID_LOCALEINFO (optional)
  3. C > S [0x2B] SID_SYSTEMINFO (optional)
  4. C > S [0x06] SID_STARTVERSIONING
  5. S > C [0x05] SID_CLIENTID
  6. S > C [0x28] SID_LOGONCHALLENGE
  7. S > C [0x25] SID_PING
  8. C > S [0x25] SID_PING (optional)
  9. S > C [0x06] SID_STARTVERSIONING
  10. C > S [0x07] SID_REPORTVERSION
  11. S > C [0x07] SID_REPORTVERSION
  12. C > S [0x30] SID_CDKEY
  13. S > C [0x30] SID_CDKEY
  14. Client waits for user to enter account information (standard logon shown):
    1. C > S [0x29] SID_LOGONRESPONSE
    2. S > C [0x29] SID_LOGONRESPONSE
  15. C > S [0x14] SID_UDPPINGRESPONSE (optional)
  16. Client then enters chat.

Diablo Shareware and Diablo Retail

  1. C > S [0x1E] SID_CLIENTID2
  2. C > S [0x12] SID_LOCALEINFO
  3. C > S [0x06] SID_STARTVERSIONING
  4. S > C [0x05] SID_CLIENTID
  5. S > C [0x1D] SID_LOGONCHALLENGEEX
  6. S > C [0x25] SID_PING
  7. C > S [0x25] SID_PING (optional)
  8. S > C [0x06] SID_STARTVERSIONING
  9. C > S [0x07] SID_REPORTVERSION
  10. S > C [0x07] SID_REPORTVERSION
  11. Client waits for user to enter account information (standard logon shown):
    1. C > S [0x29] SID_LOGONRESPONSE
    2. S > C [0x29] SID_LOGONRESPONSE
  12. C > S [0x14] SID_UDPPINGRESPONSE (optional)
  13. Client then enters chat.

Enter Chat Sequence (pre-Diablo II)

  1. C > S [0x0A] SID_ENTERCHAT
  2. C > S [0x0B] SID_GETCHANNELLIST
  3. C > S [0x0C] SID_JOINCHANNEL (First Join)
  4. S > C [0x0A] SID_ENTERCHAT
  5. S > C [0x0B] SID_GETCHANNELLIST
  6. S > C [0x0F] SID_CHATEVENT
  7. A sequence of chat events for entering chat follow.
| Edited: Kyro
Comments
Unknown

mmm should i say you need to send game protocol byte (0x01) before starting sending the logon sequence.

Kyro

Added. While that is more of a widely known necessity, I can see the need to point out the need, so developers will not have to deal with this issue as much from people new to Battle.net bot development.

Accused

Warcraft III

SEND ->  SID_AUTH_INFO (0x50)
RECV <-  SID_PING (0x25)
RECV <-  SID_AUTH_INFO (0x50)
SEND ->  SID_PING (0x25) (Optional)
SEND ->  SID_AUTH_CHECK (0x51)
RECV <-  SID_AUTH_CHECK (0x51)
SEND ->  SID_AUTH_ACCOUNTLOGON (0x53)
RECV <-  SID_AUTH_ACCOUNTLOGON (0x53)
SEND ->  SID_AUTH_ACCOUNTLOGONPROOF (0x54)
RECV <-  SID_AUTH_ACCOUNTLOGONPROOF (0x54)
SEND ->  SID_NETGAMEPORT (0x45)
SEND ->  SID_ENTERCHAT (0x0A)

I noticed there are some gaps in the current sequences as well.

Leaky

added the wc3 login sequence

Hdx

SC/BW

C->S: 0x50
S->C: 0x25
C->S: 0x25
S->C: 0x50
C->S: 0x51
S->C: 0x51
C->S: 0x2d
C->S: 0x33 - icons_star.bni
C->S: 0x14
C->S: 0x33 - tos_USA.txt
C->S: 0x33 - bnserver.ini
C->S: 0x26 - profile\sex
             profile\age
             profile\description
             Record\GAME\0\wins
             Record\GAME\0\losses
             Record\GAME\0\dissconnects
             Record\GAME\0\last game
             Record\GAME\0\last game result
             Record\GAME\1\wins
             Record\GAME\1\losses
             Record\GAME\1\dissconnects
             Record\GAME\1\rating
             Record\GAME\1\high rating
             DynKey\GAME\1\rank
             Record\GAME\1\high rank
             Record\GAME\1\last game
             Record\GAME\1\last game result
S->C: 0x2d
S->C: 0x33 - icons_STAR.bni
S->C: 0x33 - tos_USA.txt
S->C: 0x33 - bnserver.ini
S->C: 0x26
C->S: 0x3a
S->C: 0x3a
C->S: 0x0a
C->S: 0x0b
C->S: 0x0C - "StarCraft", "BroowWar"
S->C: 0x0b
S->C: 0x0a
Caaaaarrrrlll

Telnet/Chat:

  • New lines are either 0x0A or 0x0D
  • When you send a message with multiple lines, it sends it like a queue without a wait, so don't flood offline by doing this
  • For a full list of packets, contact me
* Connect.
C>S: 0x03 (Telnet)
C>S: 0x04 (Login)
C>S: New line
S>C: "Enter your account name and password."
S>C: New line
S>C: "Username: "
C>S: "Jailout2000"
C>S: New line
S>C: "Password: "
C>S: "Password"
C>S: New line
S>C: "Connection from [127.0.0.1]"
S>C: New line

From here on, each packet will be on a new line, and will be regular ascii strings, not surrounded by quotes and not ending with a null-terminator

S>C: 2010 NAME Jailout2000
S>C: 1007 CHANNEL "Public Chat 1"
- Server will send 1001 USER to you for each user in the channel -
S>C: 1001 USER Jailout2000 0010 [CHAT]
- Server will send 1002 JOIN to everyone in the channel except you -
C>S: /join Public Chat 100
S>C: 1007 CHANNEL "Public Chat 100"
S>C: 1001 USER Jailout2000 0010 [CHAT]
S>C: 1005 TALK Jailout2000 0010 "It's just me in this channel."

I know Telnet was deprecated and can no longer be used, but what the heck, why not add it? You never know when someone will want to implement it... :P

LordVader

D2DV, D2XP:

C>S 0x50
S>C 0x25
C>S 0x25
S>C 0x50
C>S 0x51
S>C 0x51
C>S 0x33
S>C 0x33
C>S 0x3A
S>C 0x3A
C>S 0x0B
C>S 0x0A
-- At this point you're in the lobby and you can send 0x0C to enter a channel
S>C 0x0B
S>C 0x0A

This is logging into an open character thru the client.

Caaaaarrrrlll

This list is pretty and all, but its missing quite a bit of important packets in ALL of the sequences. Try <a href="http://www.bnetdocs.com/old/sequence.html"; target="_blank">http://www.bnetdocs.com/old/sequence.html</a>; if you want a good list of sequences.

Vector

I suggest adding links to these packets, so users will find it a lot easier to find the exact packet.

Caaaaarrrrlll

@Myself: Fixed that, copied most of it from the older one. The STAR/SEXP/WAR3/W3XP are taken from actual logs I have on my local computer.

@Vector: Added links to all of the packets, I agree - it helps.

Caaaaarrrrlll

Hmmm... Diablo I can have a SID_UDPPINGRESPONSE (0x14) too... or at least, I think? I get a UDP plug when using it, and when I send 0x14, I don't.

Sixen

Possibly add W3DM and shortened Telnet reference.

Caaaaarrrrlll

@Sixen: Added.