MTProto Protocol Layer in Teamgram Server
Skill Type
This is a reference/knowledge skill. It contains no executable code. It documents the MTProto protocol handling internals of Teamgram Server (open-source, Apache-2.0 licensed) for developers who need to understand, debug, or extend the protocol layer.
Overview
KHF client and Teamgram Server communicate via Telegram's MTProto binary protocol. The Teamgram gateway layer (gnetway) performs 3 key operations:
- Handshake / auth_key generation (unauthenticated phase: auth_key_id=0 -> handshake)
- Authenticated message decryption (AES-IGE)
- Forward decrypted payload (TLMessage2.Object) to session service via gRPC
Runtime Environment (for Teamgram Server operators)
If you are deploying Teamgram Server (not just reading this skill), the MTProto layer requires:
| Component | Purpose | Configuration |
|---|---|---|
| gnetway service | TCP/WS gateway, listens on ports 10443/5222/11443 | app/interface/gnetway/etc/gnetway.yaml |
| session service | Manages auth sessions, routes RPCs | app/interface/session/etc/session.yaml |
| MySQL | Stores auth_key records (auth_keys, auth_key_infos tables) | Configured in service YAML files |
| Redis | Caches auth_key for fast lookup | Configured in service YAML files |
| etcd | Service discovery between gnetway and session | etcd.hosts in YAML config |
No credentials are required to read or install this skill. The above table is for reference only when operating the actual Teamgram Server.
Core Data Structure
The decrypted data structure is mtproto.TLMessage2, whose Object field contains the specific TL RPC call (e.g., auth.sendCode, messages.sendMessage, etc.).
QuickAck Mechanism
gnetway implements QuickAck token computation. ACKs must be encoded through the codec to avoid obfuscated CTR counter desync (otherwise Android clients will fail at decryptServerResponse).
Reference function (from app/interface/gnetway/internal/server/gnet/server_gnet.go:298-305 in teamgram-server):
func computeQuickAckToken(authKey []byte, encryptedData []byte) uint32 {
h := sha256.New()
h.Write(authKey[88 : 88+32])
h.Write(encryptedData)
var sum [32]byte
h.Sum(sum[:0])
return binary.LittleEndian.Uint32(sum[:4]) | 0x80000000
}
Encrypted Message Processing Flow
- Decrypt via
authKey.AesIgeDecrypt - Extract from decrypted payload header:
salt,sessionId,msgId - Forward
payload[16:]to session service viaSessionDispatcher.SendData(gRPC)
auth_key Caching and QueryAuthKey
When connContext lacks an authKey, gnetway asynchronously calls the session service's QueryAuthKey RPC, then proceeds with onEncryptedMessage after receiving the key.
Key management note: auth_keys are generated during the DH handshake, stored in MySQL (auth_keys table), and cached in Redis. They are never exposed outside the server process. The gnetway service holds keys only in memory during active connections.
KHF Client Protocol Constants (must match server)
Extracted from KHF client source code:
TLRPC.LAYER = 222BuildVars.APP_ID = 4BuildVars.APP_HASH = "014b35b6184100b085b0d0572f9b5103"
These are public application identifiers, not secrets. They must match between client and server for TL schema compatibility.
Important Notes
- QuickAck must be encoded through codec, otherwise obfuscated CTR counter will desync
- Messages with auth_key_id=0 go through handshake flow; non-zero go through decryption flow
- After AES-IGE decryption, the first 16 bytes of payload are salt+sessionId, followed by TLMessage2 data
Source Code References
All code referenced in this skill is from the open-source Teamgram Server project:
- Repository: https://github.com/teamgram/teamgram-server
- License: Apache-2.0
- Gateway code:
app/interface/gnetway/ - Session code:
app/interface/session/ - MTProto codec:
mtproto/package