Subspace Protocol Packets

Table of Contents

  1. C2S : Client to Server
    1. Subspace packets
      1. 0x00 - Start of a special header
      2. 0x01 - Arena login
      3. 0x02 - Leave arena
      4. 0x03 - Position packet
      5. 0x04 - Unknown
      6. 0x05 - Death message
      7. 0x06 - Chat message
      8. 0x07 - Unknown
      9. 0x08 - Spectate player
      10. 0x09 - Password packet
      11. 0x0A - Unknown
      12. 0x0B - SSUpdate.EXE Request
      13. 0x0C - Map.lvl Request
      14. 0x0D - News.txt Request
      15. 0x0E - Voice Message
      16. 0x0F - Frequency Change
      17. 0x10 - Attach request
      18. 0x11 - Unknown
      19. 0x12 - Unknown
      20. 0x13 - Flag request
      21. 0x14 - Unknown
      22. 0x15 - Drop Flags
      23. 0x16 - File transfer
      24. 0x17 - Registration Form Response
      25. 0x18 - Set ship type
      26. 0x19 - Set personal banner
      27. 0x1A - Security checksum
      28. 0x1B - Security violation
      29. 0x1C - Drop Brick
      30. 0x1D - Unknown
      31. 0x1E - End Personal KoTH Timer
      32. 0x1F - Fire a Ball
      33. 0x20 - Ball request
      34. 0x21 - Unknown
      35. 0x22 - Unknown
    2. Continuum packets
      1. 0x23 - Unknown
      2. 0x24 - Password packet
  2. S2C : Server to Client
    1. Subspace packets
      1. 0x01 - PlayerID Change
      2. 0x02 - You are now in the game
      3. 0x03 - Player(s) Entering 1
      4. 0x04 - Player Leaving
      5. 0x05 - Large Position Packet (Weapons Packet)
      6. 0x06 - Player Death
      7. 0x07 - Chat
      8. 0x08 - Player got a Prize
      9. 0x09 - Player Score Update
      10. 0x0A - Password Packet Response
      11. 0x0B - Soccer Goal Made
      12. 0x0C - Player Voice
      13. 0x0D - Player Changed Frequency
      14. 0x0E - Create Turret Link
      15. 0x0F - Arena Settings
      16. 0x10 - File Transfer
      17. 0x11 - Unknown

Original source: http://d1st0rt.sscentral.com/packets.html
Copied to twcore.org for further modification and addition.

General notes:

  • Maximum packet size is 520
  • All strings are padded with 0x00 characters


C2S : Client to Server

Subspace packets

0x00 - Start of a special header

Scroll down(Near the end) to the core packets section

0x01 - Arena login

Offset Length Description
0 1 Type Byte 0x01
1 1 Ship type 1
2 2 Allow audio 2
4 2 X Resolution
6 2 Y Resolution
8 2 Main arena number 3
10 16 Arena name (optional)

1 - Ship type is 0 for warbird up to 8 for spectator
2 - When Allow audio = 0, remote messages aren't heard in private arenas (1.34.11f)
3 - Set to Pub Number for Specific Pub, Set to 0xFFFF for Random Pub, Set to 0xFFFD for private arena. Arena name is only used with private arenas.

0x02 - Leave arena

Offset Length Description
0 1 Type Byte 0x02

0x03 - Position packet

Offset Length Description
0 1 Type Byte 0x03
1 1 Direction (0 ... 360)
2 4 Timestamp
6 2 X Velocity
8 2 Y Pixels (0 ... 16384)
10 1 Checksum
11 1 Togglables 1
12 2 X Pixels (0 ... 16384)
14 2 Y Velocity
16 2 Bounty
18 2 Energy
20 2 Weapon Info 2
22 2 Energy 4 (Optional)
24 2 S2C Latency 4 (Optional)
26 2 Timer 4 (Optional)
28 4 Item info 3 4 (Optional)

1 - Togglables:

Each value is one bit in a byte
Bit 1 - Stealth
Bit 2 - Cloak
Bit 4 - XRadar
Bit 8 - Antiwarp
Bit 16 - Flash (Play the cloak/warp flash)
Bit 32 - Safety (In safe)
Bit 64 - UFO (Using UFO)
Bit 128 - ?

2 - Weapon info:

Unsigned Integer Values or Booleans

Weapon type 5 bits a1
Weapon level 2 bits
Bouncing (Boolean) 1 bit
EMP (Boolean) 1 bit
Is bomb (Boolean) 1 bit
Shrapnel 5 bits
Alternate (Boolean) 1 bit a2

a1 - Weapon types:

0x00 - None
0x01 - Bullet
0x02 - Bouncing bullet
0x03 - Bomb
0x04 - Proximity bomb
0x05 - Repel
0x06 - Decoy
0x07 - Burst
0x08 - Thor

a2 - Alternate:

Bombs -> Mines
Bullets -> Multifire

3 - Item info:

Unsigned Integer Values or Booleans

Shields (Boolean) 1 bit
Super (Boolean) 1 bit
Burst Count 4 bits
Repel Count 4 bits
Thor Count 4 bits
Brick Count 4 bits
Decoy Count 4 bits
Rocket Count 4 bits
Portal Count 4 bits
? Unknown 2 bits

4 - These are supposed to be optional, but I'm not certain what dictates if you should send them or not.

0x04 - Unknown

0x05 - Death message

Offset Length Description
0 1 Type Byte 0x05
1 2 Killer's Player ID
3 2 Your bounty at time of death

0x06 - Chat message

Offset Length Description
0 1 Type Byte 0x06
1 1 Chat Type 1
2 1 Sound Byte
3 2 Target Player's Player ID 2
5 * Text...

1 - Chat types:

0x00 - Message in green text [*arena, *zone, ...]
0x01 - Public macro
0x02 - Public message
0x03 - Team message [// or ']
0x04 - Player to all members of another team ["Whatever]
0x05 - Private message [/Whatever]
0x06 - Red warning message [MODERATOR WARNING: Whatever -Whoever]
0x07 - Remote private message 3 [(Whoever)> Whatever]
0x08 - Red server errors, without a name tag (S2C only)
0x09 - Channel message 3 [X;Whatever]

2 - Target player's player ID is 0x00 for the Following Chat Types: 0x00, 0x01, 0x02, 0x03, 0x06, 0x07, 0x08, 0x09. It is PlayerID for 0x05 and 0x04.

3 - These are formatted much as you’d expect. To send a Remote Message, you include the name of the person you are sending the message to in the Text of the message like so: ":Name:Message" and with Channel Messages you include the Number of the Channel you are sending to, like so: "#;Message".

0x07 - Unknown

0x08 - Spectate player

Offset Length Description
0 1 Type Byte 0x08
1 2 Spectated Player's Player ID

0x09 - Password packet

Offset Length Description
0 1 Type Byte 0x09
1 1 New user (Boolean) 1
2 32 Name 2
34 32 Password 2
66 4 MachineID 3
70 1 ConnectType 4
71 2 Timezone bias 5
73 2 ? Unknown
75 2 Client version 6
77 4 Mem Checksums [0x01BC] or [444]
81 4 Mem Checksums [0x022B] or [555]
85 4 PermissionID
89 12 ? Unknown

1 - New user is 1 if you want to create a new user, otherwise 0

2 - Name and password are trimmed down to 20/24 characters on some servers/billers

3 - MachineID is the drive serial of C:

4 - Connect types:

0x00 - Unknown
0x01 - SlowModem
0x02 - FastModem
0x03 - UnknownModem
0x04 - UnknownNotRAS

5 - Time Zone Bias

240 = Eastern Standard Time (Safe Value)

6 - Client versions:

0x24 - Continuum .36
0x86 - Subspace 1.34 And 1.35

0x0A - Unknown

0x0B - SSUpdate.EXE Request

Offset Length Description
0 1 Type Byte 0x0B

0x0C - Map.lvl Request

Offset Length Description
0 1 Type Byte 0x0C

0x0D - News.txt Request

Offset Length Description
0 1 Type Byte 0x0D

0x0E - Voice Message

Offset Length Description
0 1 Type Byte 0x0E
1 4 Size of Wav File (In Bytes)
5 * Wav File...

0x0F - Frequency Change

Offset Length Description
0 1 Type Byte 0x0F
1 2 New Frequency

0x10 - Attach request

Offset Length Description
0 1 Type Byte 0x10
1 2 Player ID of Turretee

0x11 - Unknown

0x12 - Unknown

0x13 - Flag request

Offset Length Description
0 1 Type Byte 0x13
1 2 Flag ID

0x14 - Unknown

0x15 - Drop Flags

Offset Length Description
0 1 Type Byte 0x15

0x16 - File transfer

Offset Length Description
0 1 Type Byte 0x16
1 16 File Name
17 * ZLib Compressed File...

0x17 - Registration Form Response

Offset Length Description
0 1 Type Byte 0x17
1 32 Real Name 1
33 64 E-Mail 1
97 32 City 1
129 24 State 1
153 1 Sex 2
154 1 Age
155 1 Connecting From: Home (Boolean)
156 1 Connecting From: Work (Boolean)
157 1 Connecting From: School (Boolean)
158 4 Processor Type
162 4 ? Unknown
166 40 Windows Registration: Real Name
206 40 Windows Registration: Organization

The following are registry entries and can be found in the following key:
SystemCurrentControlSetServicesClass
246 40 Display000:DriverDesc
286 40 Monitor000:DriverDesc
326 40 Modem000:DriverDesc
366 40 Modem001:DriverDesc
406 40 Mouse000:DriverDesc
446 40 Net000:DriverDesc
486 40 Net001:DriverDesc
526 40 Printer000:DriverDesc
566 40 MEDIA000:DriverDesc
606 40 MEDIA001:DriverDesc
646 40 MEDIA002:DriverDesc
686 40 MEDIA003:DriverDesc
726 40 MEDIA004:DriverDesc

1 - Real name, E-mail, City, State are null-terminated strings

2 - Sex is either 'F' or 'M'

0x18 - Set ship type

Offset Length Description
0 1 Type Byte 0x18
1 1 Ship Type 1

1 - Ship type is 0 for Warbird through 8 for Spectator

0x19 - Set personal banner

Offset Length Description
0 1 Type Byte 0x19
1 96 Banner Data 1

1 - Banner data is the value for each pixel in the banner. (Banner size is 12x8 pixels = 96 pixels.) Uncompressed BMP Files follow this format.

0x1A - Security checksum

The checksums are generated after a server-sent seed

Offset Length Description
0 1 Type Byte 0x1A
1 4 Weapon Count
5 4 Settings Checksum 1
9 4 Subspace.EXE Checksum
13 4 Map.LVL Checksum
17 4 S2CSlowTotal
21 4 S2CFastTotal
25 2 S2CSlowCurrent
27 2 S2CFastCurrent
29 2 S2CRelOut (?Unsure?)
31 2 Ping
33 2 Ping Average
35 2 Ping Low
37 2 Ping High
39 1 Slow Frame Detected (Boolean)

1 - Settings checksum is the checksum of the contents of the settings packet

0x1B - Security violation

Offset Length Description
0 1 Type Byte 0x1B
1 1 Violation ID 1

1 - Violation IDs:

These may only be sent in response to a security checksum request

0x00 - Nothing wrong
0x01 - Slow framerate
0x02 - Current energy is higher than top energy
0x03 - Top energy higher than max energy
0x04 - Max energy without getting prizes
0x05 - Recharge rate higher than max recharge rate
0x06 - Max recharge rate without getting prizes
0x07 - Too many burst used (More than you have)
0x08 - Too many repel used
0x09 - Too many decoy used (More than you have)
0x0A - Too many thor used (More than you have)
0x0B - Too many wall blocks used (More than you have)
0x0C - Stealth on but never greened it
0x0D - Cloak on but never greened it
0x0E - XRadar on but never greened it
0x0F - AntiWarp on but never greened it
0x10 - Proximity bombs but never greened it
0x11 - Bouncing bullets but never greened it
0x12 - Max guns without greening
0x13 - Max bombs without greening
0x14 - Shields or Super on longer than possible

These can be sent any time

0x15 - Saved ship weapon limits too high (burst/repel/etc)
0x16 - Saved ship weapon level too high (guns/bombs)
0x17 - Login checksum mismatch (program exited)
0x18 - Unknown
0x19 - Saved ship checksum mismatch

These may only be sent in response to a security checksum request

0x1A - Softice Debugger Running
0x1B - Data checksum mismatch
0x1C - Parameter mismatch
0x.... - Unknown integrity violation
0x3C - Unknown integrity violation (High latency in Continuum)

0x1C - Drop Brick

Offset Length Description
0 1 Type Byte 0x1C
1 2 X Tiles
3 2 Y Tiles

0x1D - Unknown

0x1E - End Personal KoTH Timer

Offset Length Description
0 1 Type Byte 0x1E

0x1F - Fire a Ball

Offset Length Description
0 1 Type Byte 0x1F
1 1 Ball ID
2 2 X Pixels
4 2 Y Pixels
6 2 X Velocity
8 2 Y Velocity
10 2 Your Player ID
12 4 Timestamp

0x20 - Ball request

Offset Length Description
0 1 Type Byte 0x20
1 1 Ball ID
2 4 Timestamp

0x21 - Unknown

0x22 - Unknown


Continuum packets

0x23 - Unknown

0x24 - Password packet

Don't use this, its just here for completeness. Use the 0x09 Password Packet instead.

Offset Length Description
0 1 Type Byte
1 1 Boolean: New user
2 32 Name
34 32 Password
66 4 Machine ID
70 1 ConnectType (*info)
71 2 Time Zone Bias
73 2 ?
75 2 Client Version
77 87 ?



S2C : Server to Client

Subspace packets

0x01 - PlayerID Change

Offset Length Description
0 1 Type Byte 0x01
1 2 New Player ID 1

1 - This is used to notify you of what your Player ID is.

0x02 - You are now in the game

Offset Length Description
0 1 Type Byte 0x02 1

1 - At this point you can start sending position packets.

0x03 - Player(s) Entering 1

Offset Length Description
0 1 Type Byte 0x03
1 1 Ship Type
2 1 ? Unknown (0x00)
3 20 Name
23 20 Squad
43 4 Kill Points
47 4 Flag Points
51 2 User ID
53 2 Frequency
55 2 Wins
57 2 Losses
59 2 Attachee ID
61 2 Flags Held
63 1 Has KOTH Timer

1 - Upon entering an arena (or possibly some other instances) several of these packets (including the Type Byte) are stacked on top of each other and sent as one packet. Be sure to process this packet in 64 byte chunks until there are no chunks left.

0x04 - Player Leaving

Offset Length Description
0 1 Type Byte 0x04
1 2 Player ID

0x05 - Large Position Packet (Weapons Packet)

Offset Length Description
0 1 Type Byte 0x05
1 1 Direction (0-360)
2 2 Time Stamp
4 2 X Pixels (0-16384)
6 2 Y Velocity
8 2 Player ID
10 2 X Velocity
12 1 Checksum
13 1 Togglables 1
14 1 Ping
15 2 Y Pixels (0-16384)
17 2 Bounty
19 1 Weapon Parameters
20 1 Weapon Type
21 2 Energy 2 3 (Optional)
23 2 S2C Lag 2 (Optional)
25 2 Timer 2 (Optional)
27 4 Item Info 2 (Optional)

1 - Bit flags for the Togglables byte in bit order.

Stealth: 1;
Cloaked: 2;
XRadar: 4; (XRadar calcs are done client-side)
Antiwarp: 8; (Antiwarp calcs are done client-side)
WarpFlash: 16; (Uncloaking, portaling, etc.)
UNKNOWN1: 32; ?
UFO: 64; (*ufo - Illegal usage caught in sg9+)
UNKNOWN2: 128; ?

2 - This data is only sent if the ExtraPositionData flag is set to true in the zone settings.

3 - This data is sent if either the ExtraPositionData flag is set to true, or if you are using the Energy Password.

0x06 - Player Death

Offset Length Description
0 1 Type Byte 0x06
1 1 ID of green left by death
2 2 Killer ID
4 2 Killed ID
6 2 Bounty 1
8 2 Number of flags transferred

1 - Add this to the killer's kill points.

The death green is the ID of the green that is left by this players death. Killed ID is the ID of the player that got killed. The bounty, along with the other kill score modifiers in settings are added to the players kill points. The flags are how many flags were transferred as a result of the kill.

0x07 - Chat

Offset Length Description
0 1 Type Byte 0x07
1 1 Chat Type 1
2 1 Sound Byte
3 2 Originator ID 2
5 * Chat Message

1 - Chat types:

0x00 - Message in green text [*arena, *zone, ...]
0x01 - Public macro
0x02 - Public message
0x03 - Team message [// or ']
0x04 - Player to all members of another team ["Whatever]
0x05 - Private message [/Whatever or :playername:Whatever]
0x06 - Red warning message [MODERATOR WARNING: Whatever -Whoever]
0x07 - Remote private message [(Whoever)> Whatever]
0x08 - Red server errors, without a name tag (S2C only)
0x09 - Channel message [;X;Whatever]

2 - Target player's player ID is 0 for public messages (0x02)

0x08 - Player got a Prize

Offset Length Description
0 1 Type Byte 0x08
1 4 Timestamp
5 2 X Tiles
7 2 Y Tiles
9 2 Prize
11 2 Player ID

0x09 - Player Score Update

Offset Length Description
0 1 Type Byte 0x09
1 2 Player ID
3 4 Kill Points
7 4 Flag Points
11 2 Wins
13 2 Losses

0x0A - Password Packet Response

Offset Length Description
0 1 Type Byte 0x0A
1 1 Login Response 1
2 4 Server Version 2
6 4 ? Unknown
10 4 Subspace.exe Checksum 3
14 4 ? Unknown
18 1 ? Unknown
19 1 Registration Form Request (Boolean)
20 4 ? Unknown
24 4 News.txt Checksum 4
28 8 ? Unknown

1 - The following is a list of what all the different Response codes mean:

0x00 - Login OK
0x01 - Unregistered Player a1
0x02 - Bad Password
0x03 - Arena is Full
0x04 - Locked Out of Zone
0x05 - Permission Only Arena
0x06 - Permission to Spectate Only
0x07 - Too many points to Play here
0x08 - Connection is too Slow
0x09 - Permission Only Arena
0x0A - Server is Full
0x0B - Invalid Name
0x0C - Offensive Name
0x0D - No Active Biller a2
0x0E - Server Busy, try Later
0x10 - Restricted Zone a3
0x11 - Demo Version Detected
0x12 - Too many Demo users
0x13 - Demo Versions not Allowed
0xFF - Restricted Zone, Mod Access Required

a1 - Some Billers require you to register and will kick you out after a short time if you do not send the Registration form.
a2 - You can still log in, but scores are not being permanently recorded.
a3 - This restriction is usually based on insufficient hours of Usage.

2 - Returns the Major and the Minor version as a single number (so 1.34.12a returns 134) does not return Sub Version..
3 - Compare against local Subspace.exe to determine if an Update is needed. (obviously useless with a bot)
4 - Compare against local News.txt to determine if there is a new News.txt to be downloaded.

0x0B - Soccer Goal Made

Offset Length Description
0 1 Type Byte 0x0B
1 2 Frequency that made the goal
3 4 Team Points

0x0C - Player Voice

Offset Length Description
0 1 Type Byte 0x0C
1 2 Player ID
3 * Wav File...

0x0D - Player Changed Frequency

Offset Length Description
0 1 Type Byte 0x0D
1 2 Player ID
3 2 Frequency
Offset Length Description
0 1 Type Byte 0x0E
1 2 Turreter Requester Player ID
3 2 Turreter Destination Player ID 1

1 - If this value is left blank, you will be detached from whoever you are attached to.

0x0F - Arena Settings

Offset Length Description
0 1 Type Byte 0x0F
1 1428 Arena Settings Struct 1

1 - This information has been lost (maybe it can be retrieved from Mervbot?)

0x10 - File Transfer

Offset Length Description
0 1 Type Byte 0x10
1 16 File Name 1
17 * File Data... 2

1 - If no File Name is specified, then it's the News.txt
2 - If the file is the News.txt it must be Uncompressed first. According to Snrrrub, all other files are sent Uncompressed.

0x11 - Unknown

...

0x09 Player Score Update
Watch out by this packet -> Flag Points and Kill Points are reversed

0x03 Player Entering
Watch out -> Flag Points and Kill Points are reversed

TODO: FINISH