Switch TLS Dumping Guide (Charles)
This guide is for dumping Switch TLS traffic using the Charles web proxy. Please note that this is paid software.
Most Switch communications are over TLS - this includes NEX and Eagle communications (for Nintendo Switch Online)* as well as other servers such as BAAS (friends/status) and NPNS (notifications).
*NPLN, the new Switch online servers that the Monster Hunter Rise demo used, cannot currently be dumped with Charles as it doesn't support gRPC - use grpc-dump to dump these communications; the gRPC section explains this in more detail.
While this doesn't carry much risk in theory, it is still risky and could get your Switch banned, as you must send your own Switch-unique client certificate.
Dumping Console-Unique Certificate
You will need to extract your Switch-unique certificate with NxCertDump. It takes two inputs: the automatic PRODINFO backup Atmosphère creates at sd:/atmosphere/automatic_backups/SERIAL_PRODINFO.bin (you will need to copy this via SD, as Atmosphère doesn't allow this file to be touched, to my knowledge), and prod.keys, which can be dumped from your Switch using Lockpick. NxCertDump will then extract your unique certificate. KEEP THIS SAFE AND SECURE, DO NOT SHARE THIS WITH ANYONE ELSE.
eShop traffic has a unique certificate for the host bugyo.hac.lp1.eshop.nintendo.net - this P12 is inside libappshop's NSO, with the password kei8paraeS. If you do not have this certificate, do not open the eShop applet while proxying your Switch!
I'd recommend making a new profile just for Switch dumping, which you can do by selecting Tools->Profiles, pressing "Add" and naming it Switch. You then also need to turn off the automatic proxy, which is done in Proxy->Proxy Settings.
Once you've made this profile and ensured the system proxy is disabled (if you're seeing requests, click the ticked option called [OS] Proxy under the Proxy tab to disable it), go to Proxy->SSL Proxying Settings.
Here, press "Add" underneath Include, enter host * with port 443, and press OK. Next, navigate to Client Certificates.
Press Add, and enter the host * and port 443. Next, press Import P12 and select the Switch certificate you exported previously.
*If you have the eShop certificate and wish to proxy eShop traffic, you need to add this before adding this certificate - to do this, press Add and enter the Host bugyo.hac.lp1.eshop.nintendo.net, and import the P12 and password. This certificate should be above the NX Prod 1 certificate, or you will encounter errors.
Then, enter host * port 443, and then import the Switch PEM you created earlier. Press "OK", and now your Charles proxy is ready, so move onto Switch setup.
NOTE: I also recommend blocking Nintendo's "receive" domain; playreports are blocked by Atmosphère, but they will not be blocked if you have the proxy running. Go to Tools->Block List, enable the Block List feature, and add the domain receive-lp1.*.srv.nintendo.net (lp1 is production, so if by some special grace of god you have a development switch, change
Setting up the Switch
Your Switch will obviously need to be hacked and running Atmosphère - you will need to use exefs_patches (make sure the disable_ca_verification patches are compatible with the version you run, which would need to be latest), so copy the nro_patches folder to sd:/atmosphere, along with making a folder named exefs_patches and copying the disable_ca_verification folder, and only that folder, into it.
Once those two patches have been copied, set your Switch proxy to your computer's IP and port 8888 and allow the Switch to connect in Charles. You should now see traffic!
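Before putting the card back in the console, the layout from the steps above can be checked with the SD card mounted on the computer. This is an added example, not part of the original guide: the function name check_sd_layout is hypothetical, and it assumes the disable_ca_verification patches are .ips files.

```shell
#!/bin/sh
# Added example: pre-flight check of the SD card layout described above.
# Usage: sh check_sd_layout.sh /path/to/mounted/sd   (script name is hypothetical)

check_sd_layout() {
    csl_atmo="$1/atmosphere"
    csl_ca="$csl_atmo/exefs_patches/disable_ca_verification"
    csl_rc=0

    # nro_patches is copied as-is into sd:/atmosphere
    if [ ! -d "$csl_atmo/nro_patches" ]; then
        echo "MISSING atmosphere/nro_patches"
        csl_rc=1
    fi

    # disable_ca_verification must sit inside atmosphere/exefs_patches
    if [ ! -d "$csl_ca" ]; then
        echo "MISSING atmosphere/exefs_patches/disable_ca_verification"
        csl_rc=1
    else
        # Assumption: the patch set ships as .ips files, like the game patches
        csl_found=0
        for csl_f in "$csl_ca"/*.ips; do
            if [ -f "$csl_f" ]; then csl_found=1; fi
        done
        if [ "$csl_found" -eq 0 ]; then
            echo "EMPTY atmosphere/exefs_patches/disable_ca_verification has no .ips files"
            csl_rc=1
        fi
    fi

    # Report anything else under exefs_patches. Not a failure: per-game IPS
    # folders for NPLN titles also live here, but every entry is an applied patch.
    for csl_e in "$csl_atmo/exefs_patches"/*; do
        [ -e "$csl_e" ] || continue
        case "${csl_e##*/}" in
            disable_ca_verification) ;;
            *) echo "NOTE extra entry atmosphere/exefs_patches/${csl_e##*/}" ;;
        esac
    done

    if [ "$csl_rc" -eq 0 ]; then echo "OK layout matches the guide"; fi
    return "$csl_rc"
}

# Run against a mount point when one is given on the command line.
if [ "$#" -gt 0 ]; then check_sd_layout "$1"; fi
```

A NOTE line is worth reading even when the check passes, since each folder under exefs_patches is a patch set the console will apply.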
NOTE: Please do not use this on Splatoon 3 - it is almost 100% guaranteed to get you banned, as you will be patching the executable (and this caused bans during the Splatfest World Premiere). Please await further instructions for Splatoon 3 capturing.
Charles does not currently support gRPC, so you must use grpc-dump from grpc-tools. You need to know the host the game uses; an example would be Monster Hunter Rise Demo's server,
First, make a certificate with mkcert - mkcert t-f124d2cb-lp1.lp1.t.npln.srv.nintendo.net. Then, use this cert with grpc-dump:
grpc-dump -interface 127.0.0.1 -port 8889 -cert t-f124d2cb-lp1.lp1.t.npln.srv.nintendo.net.pem -key t-f124d2cb-lp1.lp1.t.npln.srv.nintendo.net-key.pem > output.log
In Charles, navigate to Proxy > External Proxy Settings, tick Use External Proxy Servers, check the 'Secure Web Proxy Server (HTTPS)' box and set it to use 8889. You are now able to capture both gRPC-based traffic for NPLN, as well as non-gRPC traffic (BCAT, BAAS, etc).
You will also need to ensure the game (and update!) is appropriately patched - you can do this using Kinnay's Python script to generate an IPS patch from the main exefs, then place these in sd:/atmosphere/exefs_patches//*.ips, then launch the game.
NOTE: While this is on, you will need grpc-dump running for your Switch to access the Internet; untick the box when not in use.
NOTE2: NPLN also uses STUN for relaying packets if both sides can't communicate (such as if one is on CGNAT or generally bad NAT - this is why NPLN is better!) - as such, these packets will not be capturable with this setup, though it also doesn't capture usual Pia-based communications so this isn't much of a surprise.