# WCF OpenConnection Evidence

Command:

```powershell
dotnet run --no-build --project tools\AVEVA.Historian.ReverseEngineering -- wcf-open localhost 32568
```

Confirmed:

- `Hist.OpenConnection` is reachable through fully managed WCF/MDAS.
- Correcting WCF parameter names to match the decompiled contract changed the
  result from a server-side null-reference fault to normal AVEVA return codes.
- An empty password buffer returns `31`, which maps to `BufferTooSmall`.
- Non-empty and 513-wide-char-sized password buffers return `73`, which maps to
  `InvalidPacketVersion`.
- Varying client type `0..7` and client versions `0,1,2,4,11` did not produce a
  successful session open.
- Packet-version guesses using little-endian `ushort` and `uint` values `1..4`
  at the start of a 1026-byte buffer also returned `InvalidPacketVersion`.
- The native string table contains `CClientInfo::SerializeOpenConnectionInParams3`
  and `CClientInfo::EncryptWithClientKey`, so simple literal password buffers
  are not enough.

Interpretation:

- The managed WCF envelope and endpoint are correct enough to invoke server
  operation logic.
- Session open is blocked on the exact native password/session packet encoding,
  not on TCP, endpoint routing, or service-contract discovery.
- The native WCF client uses the byte-buffer `Open2` path for normal WCF session
  setup. See `wcf-open2-localhost.md` for confirmed `Open2` framing evidence.