kinnay / NintendoClients

Python package to communicate with Switch, Wii U and 3DS servers
MIT License

Man-in-the-Middle on Vanilla Switch? #119

Open MontyMole98 opened 6 months ago

MontyMole98 commented 6 months ago

Hi, I was just curious if you could retrieve the user ID and password from a vanilla switch using mitm. Dumb question, I know, but I can't find a better place to ask.

kinnay commented 6 months ago

MITM is only possible on a hacked Switch. The reason is that the Switch uses TLS for all requests. To do a MITM, you first have to disable CA verification on your Switch.

I'm not sure what you mean by 'vanilla switch', but there is no way to retrieve the user id and password without atmosphere or hekate.

K4CZP3R commented 6 months ago

How can I retrieve user id and password using atmosphere or hekate? @kinnay

kinnay commented 6 months ago

Unfortunately that requires some experience. I can explain the basics below. If you get stuck, I would advise you to check out the ReSwitched discord server.

Basically, there are two ways to obtain your user id and password for baas.

Using a man-in-the-middle

  1. Make sure that you know how to run Atmosphere on your Switch. There are tutorials for this.
  2. Copy the disable_ca_verification patch to your SD card.
  3. With Atmosphere running, start a proxy such as Charles. Enable SSL proxying for https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com/.
  4. In the system settings on your Switch, configure the proxy such that the traffic goes through Charles.
  5. Go online on your Switch and extract the user id and password from Charles.

Dumping your system save data

  1. Run hekate on your Switch.
  2. Dump the relevant data. If I remember correctly, all save data, including system save data, is stored in the USER partition.
  3. Unpack the system save data from your dump. You'll need hactool for this, and maybe NxNandManager as well (I'm not sure anymore).
  4. Extract the user id and password from the system save data. The example scripts in the NintendoClients repository tell you where to look.

There may be other ways to dump your system save data. I think that JKSV is able to do it as well, but I've never tried it that way.

I hope this helps.
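Step 5 of the man-in-the-middle route above ends with pulling the user id and password out of the proxy. Charles can export a session as a HAR file, and the script below walks such a file, keeps only requests to the `baas.nintendo.com` host, and reads the id and password out of the form body. This is an added example, not code from the issue or from the NintendoClients project; the sample HAR embedded in it is constructed, and the form field names `id` and `password` and the `/1.0.0/login` path are assumptions for illustration, so check them against what your own capture shows.

```python
"""Pull the baas user id and password out of a Charles HAR export.

Added example; the HAR below is constructed and the field names are assumed.
"""
import json
from urllib.parse import parse_qsl, urlsplit

# Only requests to this host suffix are inspected (the host in the issue
# is <hex>.baas.nintendo.com, so matching on the suffix catches it).
BAAS_HOST_SUFFIX = "baas.nintendo.com"

# Constructed sample export in HAR 1.2 layout: one unrelated request,
# one baas request without a password, and one assumed login POST.
SAMPLE_HAR = json.dumps({
    "log": {"entries": [
        {"request": {"method": "GET",
                     "url": "https://example.com/index.html"}},
        {"request": {"method": "POST",
                     "url": "https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com/1.0.0/time",
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "params": [{"name": "id", "value": "0123456789abcdef"}]}}},
        {"request": {"method": "POST",
                     "url": "https://e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com/1.0.0/login",
                     "postData": {"mimeType": "application/x-www-form-urlencoded",
                                  "text": "id=0123456789abcdef&password=constructed-example-password"}}},
    ]}
})


def form_fields(post_data):
    """Return the form fields of a HAR postData object as a dict.

    HAR writers either decode the body into a params list or keep the raw
    urlencoded text; handle both so an export from any tool works.
    """
    if not post_data:
        return {}
    fields = {}
    for p in post_data.get("params") or []:
        fields[p.get("name", "")] = p.get("value", "")
    text = post_data.get("text")
    mime = post_data.get("mimeType", "")
    if text and not fields and "application/x-www-form-urlencoded" in mime:
        fields.update(parse_qsl(text, keep_blank_values=True))
    return fields


def extract_baas_credentials(har_text, host_suffix=BAAS_HOST_SUFFIX):
    """Return [{url, id, password}] for every baas request carrying both fields."""
    found = []
    har = json.loads(har_text)
    for entry in har.get("log", {}).get("entries", []):
        req = entry.get("request", {})
        host = urlsplit(req.get("url", "")).hostname or ""
        if not host.endswith(host_suffix):
            continue  # skip traffic to other hosts, e.g. CDN or game servers
        fields = form_fields(req.get("postData"))
        if "id" in fields and "password" in fields:
            found.append({"url": req["url"],
                          "id": fields["id"],
                          "password": fields["password"]})
    return found


if __name__ == "__main__":
    import sys
    # Pass the path of a real HAR export; with no argument the constructed sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HAR
    for cred in extract_baas_credentials(text):
        print(cred["url"])
        print("  id:      ", cred["id"])
        print("  password:", cred["password"])
```

Run it as `python extract_baas.py session.har` after exporting the Charles session; the password is a secret that lets anyone log in as your account, so treat the HAR file and the output accordingly.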

K4CZP3R commented 6 months ago

Yup, this helps. First option is not possible for me because of banned switch. Will def. try the "system save data" one!

nicholasyoannou commented 3 months ago

Is it possible to enable SSL proxying for all of Nintendo's URLs? I'm interested to see what happens behind the scenes, but I'm unsure about enabling it especially for Switch Online.