Wednesday, April 16, 2008

Skype times again

(follow up on previous post about skype.)

So, i'm getting asked to explain the calculations for skype timer overflow date.
Note: to understand this post, you need to know some mathematics, especially different bases numbers (such as binary (base 2) and hexadecimal (base 16))

There you can find sample data (in hex) from skype log: http://dmytry.pandromeda.com/texts/skype_chatlogs_friday_13.html

To get nice data to analyze, you can send messages to echo123 (aka "Echo / Sound Test Service") with text ` (backward quote, the key left of 1).
If you're lucky, echo123 will reply to you with something like this:
Echo / Sound Test Service : yournickname 2008.04.12 12:42:22
so that in chatmsg256.dbb you have both skype's binary timestamp, and human readable time in message text. (Note, this time is in GMT+1 now, not GMT, dunno why.)

The binary timestamp in that sample message is 0x85 0xA4 0x82 0xC0 . I located timestamp by comparing multiple messages in the log and looking what is different between those.

As you can see all bytes are bigger than 0x80 . That means first bits of those bytes are 1. As i found out (again, by looking at many messages in the log), them are always set to 1, for all times, and whole thing increments as if those bits are not present here at all. So, these bits have to be ignored to get the number that skype actually stores there. In whole number, we get only 28 bits (4 bytes, each has one bit that is ignored and 7 data bits. Total 28 data bits).

The skype's time number can be obtained as
(0x85-0x80) + (0xA4-0x80)*27 + (0x82-0x80)*214+ (0xC0-0x80)*221 = 134 255 109
The subtraction of 0x80 is to compensate for those first bits being always set to 1 . Multiplications by power of two are to get those 4x7 bits together into single 28 bit number.

Sample message, for which we got the skype's timestamp number, was sent on 2008.04.12 12:42:22 as we can see in the message itself (the message was automated reply from echo123 with current time), and GMT+1 , not GMT . so thats 11:42:22 GMT

The time overflow date is
T = [2008.04.12 11:42:22] - 134255109 seconds + 228 seconds
where first part is the date of message, second part is skype's timestamp value (we subtract timestamp value from date to find from which date the skype counts seconds), and 228-1 is maximal number that can be storen in 28 bits, next number causing overflow.

It is bit difficult to add and subtract large numers of seconds from datetimes. As far as i know, Google calculator does not support datetime values.
Fortunately, theres tools on the web which can do that. You can simply convert date to standard unix timestamp (seconds elapsed since 1970), then add your seconds, then convert back to year/month/day etc
Using
http://www.epochconverter.com/
to convert [2008.04.12 12:42:22] we get Epoch timestamp: 1208000542
Using google calculator again, we get
1208000542 - 134255109 + 2^28 = 1342180889
and last step, converting it to human readable date using http://www.epochconverter.com/
we get Fri, 13 Jul 2012 12:01:29 GMT

I think it came out 1 and half minute off because skype used one clocks to set timestamp, and another clocks were used by echo123 when replying; also echo123 replies with large delay. In the converter program, i use 12:00:00 GMT exactly.

notes:
numbers like 0x1ABCD2 and so on are in hexadecimal, i.e. base-16 notation. 0x is standard prefix for hexadecimal numbers, used to tell those apart from decimal. the rest is number itself. For digits past 9, alphabet is used. A=10 , B=11 , C=12 and so on.

The echo123 bot does not always reply, you can check without echo123 but then you need to yourself get date and time as skype shows them to you.

Sunday, April 13, 2008

Friday, 13th July 2012, 12:00 GMT - the apocalypse is about 5 months closer than mayans believed


Maya were possibly the first to have their calendar end in 2012 , but sure they weren't last.
Today i found that popular internet telephony program Skype followed the trend.
On Friday, 13th July 2012, 12:00 GMT , the skype's time counter gonna overflow ! Or at least its gonna enter the New Byte Epoch, or how skype developers call their equivalent of mayan "Galactic Day".
(Unfortunately, skype seem to use server time to store timestamps, rather than client computer's own clock time. I tried setting time to past 13th July 2012, 12:00 GMT, but the times in the log were correct times of today. We'll either have to wait till 2012 to see what happens, or reverse engineer skype's binaries, or set up some fake server, or something like that.)
More on this:

There wasnt any good tools avaliable for converting skype logs (which are binary) to text, and i needed to convert a few logs, so i had to write tool myself.

On my website, you can get more information about skype chat log format.
Development of tool:
Extracting sender and messages themselves from logs was easy, the harder part was decoding message timestamps.
I found that timestamp is stored in 4 bytes, and all bytes have their first (sign) bit set, which looked quite weird. Ignoring first bits and interpreting it as 28-bit number, i got some number that looked like number of seconds since some date.
Then, comparing time to skype timestamp, i found that e.g. 2008-04-12 17:33:43 corresponds to skype timestamp 134276281
From now on finding times was easy job :-)
Standard unix epoch time (seconds since 1970) for [2008-04-12 17:33:43] is 1208021623, and the difference between standard and skype's timestamps is about 1073745342 . In other words, skype's timestamp is number of seconds since approximately Sat 10 Jan 2004 14:35:42 (the difference converted to human readable format).
That date and time looks like pretty strange choice of time to count seconds from. Not a midnight or midday...
I got curious, when does it overflow? As quick calculation showed, it overflows on friday 13th july 2012 , 12:00 GMT (my time was few seconds off, but thats allright). Which is obviously by design.
So, i thought, wow, thats first class blogging material! So there we go :)

This also explained weird thing about first bits of all bytes being set. If you interpret the bytes as signed 8 bit numbers, they're all negative. So if you add them like first byte + second byte*27 + third byte*214+fourth byte*221, you get negative number which is number of seconds to friday 13th july 2012 , 12:00 GMT

This also means that skype timestamps will probably continue working after friday 13th july 2012 , 12:00 GMT , just they wont have first bits set anymore.

For geek readers, in skype (version 2.0.0.13 for linux, at least) the timestamps in skype .dbb files are fairy easy to spot in hex viewer. Them are placed between list of people in the "chatroom", and the sender's skype name. The timestamp is prefixed with E5 03 . It is 4(?) bytes long. The fifth byte after those four is always equal to 4 so i dont know if fifth is part of timestamp and timestamp is actually 5 bytes long, or fifth byte is just some sort of delimeter or control character. It is followed by 03 , like all other skype's delimiters, so i think it probably is just a delimiter.

p.s. i used http://www.epochconverter.com/ to convert seconds to time and back during testing.

p.p.s if you found this interesting, visit my website on http://dmytry.pandromeda.com