@InternalLoss
Last active November 16, 2024 18:36
Switch TLS Dumping Guide (Charles)

This guide is for dumping Switch TLS traffic using the Charles web proxy. Please note that this is paid software.

Most Switch communications are over TLS. This includes NEX and Eagle communications (for Nintendo Switch Online)* as well as other servers such as BAAS (friends/status) and NPNS (notifications).

*NPLN, the new Switch online servers that the Monster Hunter Rise demo used, cannot currently be dumped with Charles, as Charles doesn't support gRPC. Use grpc-dump to dump these communications; the gRPC section below explains this in more detail.

While this shouldn't carry much risk in theory, it is still risky and could get your Switch banned, because you must present your own Switch-unique client certificate.

Dumping Console-Unique Certificate

You will need to extract your Switch-unique certificate. Use the automatic PRODINFO backup Atmosphère creates at sd:/atmosphere/automatic_backups/SERIAL_PRODINFO.bin (copy it off the SD card on a computer; to my knowledge Atmosphère doesn't allow this file to be touched from the console) together with prod.keys (which can be dumped from your Switch using Lockpick), and feed both to NxCertDump, which will extract your unique certificate. KEEP THIS SAFE AND SECURE, DO NOT SHARE THIS WITH ANYONE ELSE.

eShop traffic uses a separate certificate for the host bugyo.hac.lp1.eshop.nintendo.net; this P12 is inside libappshop's NSO, with the password kei8paraeS. If you do not have this certificate, do not open the eShop applet while proxying your Switch!

Charles setup

I'd recommend making a new profile just for Switch dumping: select Tools->Profiles, press "Add" and name it Switch. You also need to turn off the automatic proxy, which is done in Proxy->Proxy Settings.

Once you've made this profile and ensured the system proxy is disabled (if you're seeing requests, untick the [OS] Proxy option under the Proxy tab), go to Proxy->SSL Proxying Settings.

Here, press "Add" underneath Include, enter host * with port 443, and press OK. Next, navigate to Client Certificates.

Press Add, enter the host * and port 443, then press Import P12 and select the Switch certificate you exported previously.

*If you have the eShop certificate and wish to proxy eShop traffic, you need to add it before adding the Switch certificate: press Add, enter the host bugyo.hac.lp1.eshop.nintendo.net, and import the P12 with its password. This entry must sit above the NX Prod 1 certificate, or you will encounter errors.

Then enter host * port 443 and import the Switch PEM you created earlier. Press "OK"; your Charles proxy is now ready, so move on to Switch setup.

NOTE: I also recommend blocking Nintendo's "receive" domain; playreports are blocked by Atmosphère, but they will not be blocked while the proxy is running. Go to Tools->Block List, enable the Block List feature, and add the domain receive-lp1.*.srv.nintendo.net (lp1 is production, so if by some special grace of god you have a development Switch, change lp1 to dd1).
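To make the two ordering and blocking rules in this section concrete, here is an added Python model of the Charles Client Certificates list and Block List (written for this edit; it is not the gist author's code or Charles code). It assumes Charles uses the first client-certificate entry whose host and port match, which the note that the eShop entry must sit above NX Prod 1 suggests but does not state; the receive host name used in the demo is constructed.

```python
# Added illustration for this guide (not the gist author's code, not Charles code).
# It models the Client Certificates list and the Block List from the Charles setup
# section, to show why entry order matters and why the receive block has to live
# in the proxy. Assumption: Charles uses the first matching client-certificate
# entry; the guide's "must be above NX Prod 1" note is consistent with that, but
# the rule itself is inferred here, not documented on the page.
from fnmatch import fnmatchcase

ESHOP_HOST = "bugyo.hac.lp1.eshop.nintendo.net"  # host named in the guide


def host_matches(pattern: str, host: str) -> bool:
    """Charles-style host pattern: '*' matches any run of characters, dots included."""
    return fnmatchcase(host.lower(), pattern.lower())


def select_client_cert(host: str, port: int, entries):
    """entries: ordered list of (host_pattern, port, cert_label); first match wins."""
    for pattern, entry_port, cert_label in entries:
        if entry_port == port and host_matches(pattern, host):
            return cert_label
    return None


def receive_block_pattern(env: str = "lp1") -> str:
    """The guide's Block List entry; lp1 is production, dd1 is development."""
    return f"receive-{env}.*.srv.nintendo.net"


def is_blocked(host: str, block_patterns) -> bool:
    """True if any Block List pattern matches. This check has to run in the proxy:
    the proxy, not the console, resolves DNS, so Atmosphère's own block never
    sees these names while proxying is on."""
    return any(host_matches(p, host) for p in block_patterns)


# The two orderings the guide warns about. Labels are just names, not file names.
WRONG_ORDER = [("*", 443, "NX Prod 1"), (ESHOP_HOST, 443, "eShop")]
RIGHT_ORDER = [(ESHOP_HOST, 443, "eShop"), ("*", 443, "NX Prod 1")]

if __name__ == "__main__":
    # Constructed sample host for the receive pattern (not a real endpoint name).
    sample_receive = "receive-lp1.constructed.srv.nintendo.net"
    print("wrong order ->", select_client_cert(ESHOP_HOST, 443, WRONG_ORDER))
    print("right order ->", select_client_cert(ESHOP_HOST, 443, RIGHT_ORDER))
    print("blocked?", is_blocked(sample_receive, [receive_block_pattern()]))
```

With the wildcard entry first, the eShop host is handed the NX Prod 1 certificate, which is the error case the guide describes.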

Setting up the Switch

Your Switch will obviously need to be hacked and running Atmosphère, and you will need to use exefs_patches (make sure the disable_browser_ca_verification and disable_ca_verification patches are compatible with the version you run, which would need to be the latest). Copy the nro_patches folder to sd:/atmosphere, then create a folder named exefs_patches there and copy the disable_ca_verification folder, and only that folder, into it.

Once both patches have been copied, set your Switch's proxy to your computer's IP with port 8888, and allow the Switch to connect when Charles prompts you. You should now see traffic!

gRPC (NPLN)

NOTE: Please do not use this on Splatoon 3 - it is almost 100% guaranteed to get you banned, as you will be patching the executable (and this caused bans during the Splatfest World Premiere). Please await further instructions for Splatoon 3 capturing.

Charles does not currently support gRPC, so you must use grpc-dump from grpc-tools. You need to know the host the game uses; an example would be the Monster Hunter Rise Demo's server, t-f124d2cb-lp1.lp1.t.npln.srv.nintendo.net.

First, make a certificate with mkcert:

mkcert t-f124d2cb-lp1.lp1.t.npln.srv.nintendo.net

Then use this cert with grpc-dump:

grpc-dump -interface 127.0.0.1 -port 8889 -cert t-f124d2cb-lp1.lp1.t.npln.srv.nintendo.net.pem -key t-f124d2cb-lp1.lp1.t.npln.srv.nintendo.net-key.pem > output.log

In Charles, navigate to Proxy > External Proxy Settings, tick "Use External Proxy Servers", check the "Secure Web Proxy Server (HTTPS)" box and set it to 127.0.0.1 port 8889. You are now able to capture both the gRPC-based traffic for NPLN and the non-gRPC traffic (BCAT, BAAS, etc.).

You will also need to ensure the game (and its update!) is appropriately patched. You can do this using Kinnay's Python script to generate an IPS patch from the main exefs; place the resulting patches in sd:/atmosphere/exefs_patches//*.ips, then launch the game.

NOTE: While the external proxy is enabled, grpc-dump must be running for your Switch to access the Internet; untick the box when not in use.

NOTE2: NPLN also uses STUN for relaying packets when both sides can't communicate directly (such as when one is on CGNAT or otherwise bad NAT; this is why NPLN is better!). As such, those packets will not be capturable with this setup, though since it also doesn't capture the usual Pia-based communications, this isn't much of a surprise.

@erew70

erew70 commented Aug 5, 2024

How do I get the libappshop certificate? I don't know where to find it.

@nerdifly

nerdifly commented Oct 29, 2024

The part that says

NOTE: I also recommend blocking Nintendo's "receive" domain; playreports are blocked by Atmosphère, but they will not be blocked if you have the proxy running. Go to Tools->Block List and enable the Block List feature, and add the domain receive-lp1.*.srv.nintendo.net (lp1 is production, so if by some special grace of god you have a development switch, change lp1 to dd1).

Does that mean that it can only receive data like a software update, but it cannot send data like logs?

@InternalLoss
Author

The part that says

NOTE: I also recommend blocking Nintendo's "receive" domain; playreports are blocked by Atmosphère, but they will not be blocked if you have the proxy running. Go to Tools->Block List and enable the Block List feature, and add the domain receive-lp1.*.srv.nintendo.net (lp1 is production, so if by some special grace of god you have a development switch, change lp1 to dd1).

Does that mean that it can only receive data like a software update, but it cannot send data like logs?

The "receive" endpoint is used for log sending, yes. This endpoint is usually blocked by Atmosphère, but since the proxy does DNS resolution (instead of the Switch), the block does not function.

@G4-Synix

Cert password is "switch" btw.
