Closed erew70 closed 2 months ago
Also, I have everything set up and have my nx_tls_client_cert.pfx certificate, and it does not work with the eShop :(
Certificate name is: NintendoNXCA2Prod10
No clue how to dump it, can you please help? You guys dumped Switch traffic before, so you must know! 🙏
There are two different certificates:
- The SwitchShop certificate, which is used for https://bugyo.hac.lp1.eshop.nintendo.net
- The device certificate, which is used for other servers.
Here is a guide that explains how to dump the certificates: https://gist.github.com/InternalLoss/363356b26e3cb45d680d08ac99e8ff6d
The SwitchShop certificate is indeed stored in the LibAppletShop NSO. Try opening it in IDA. In the 18.1.0 version, you will find the certificate at 0x7100961C29. You can also try searching for the bytes 30 82 0A F1 in IDA to find it.
Here is a guide that explains how to dump the certificates: gist.github.com/InternalLoss/363356b26e3cb45d680d08ac99e8ff6d
I'll contact Billy on Discord about this, but it should be noted that this guide is a bit outdated, and the links to the Lockpick repos are no longer available due to the DMCA takedowns a while ago. So this guide alone is not enough for what @erew70 wants to do.
(Also, they did know about this guide already; they commented on it a week ago.)
Thanks a lot, this is like the last step for me to unban my Switch, because I was working on making patches and stuff for it and the eShop wasn't proxying. Thanks a lot dude! 🙏
Thanks. Is there another way? I don't have IDA, I'm not going to pay for it, sorry.
Certificate name is: NXCA2Prod10 I think. Also, how to dump the LibAppletShop NSO????
How to dump the LibAppletShop NSO? Also, I don't have IDA and I don't have a license to use it, so....
You can use Ghidra if you don't want to use IDA.
Not sure what the easiest way to dump the applet is. Personally, I'm using the example script from this repo to download a system update, and hactool to unpack it.
And NXCA2Prod10 is not the name of the SwitchShop certificate. NXCA2Prod10 sounds more like the device certificate.
Also, proxying the eshop will not help you with unbanning your Switch in any way...
NXCA2Prod10 isn't the device certificate, NX Prod 1 is. Also, I'm aware the certificate isn't the only thing. Is Ghidra free?
Yes, Ghidra is free. You can download it here: https://ghidra-sre.org/. You will also have to find a plugin for it for loading NSO files.
Alternatively, if you just want to extract the certificate, you could try looking up the NSO file format on switchbrew, and decompress the sections manually.
Where did you hear about NintendoNXCA2Prod10? The device certificate is issued by NintendoNXCA2Prod1. The SwitchShop certificate has nothing to do with that though. SwitchShop is issued by Nintendo CA - G3.
Look at prodinfo.bin, you will see it. Also, how do I dump that one too, then? (NintendoNXCA2Prod10) Or is it the same as NX Prod 1?
I can dump FW with TegraExplorer. Is NCA the same thing? That's the format used for FW.
Reference: (my PRODINFO)
XAW40011448705
NintendoNXCA1Prod1 NX6365A166C75C1413
Nintendo Co.,Ltd.10U NintendoNXCA2Prod10 180206212923Z 491208120000Z01 0 JP1Kyoto1 Kyoto1 Nintendo Co.,Ltd.1503NX Prod 1 - 911316E0E296284BAE566B98E9B3531500
How to unpack? I have extracted the NCA from the update (LibAppletShop). Am I supposed to decrypt the NCA? Can you tell me what to do with it exactly to extract the NSO?
Ah, I see what you mean. That '0' at the end is not part of the name, actually. The '0' is there because of the way that certificates are encoded. This tool visualizes it quite well: https://lapo.it/asn1js/. It's really just NXCA2Prod1.
You can use hactool to unpack the NCA. Something like this should work:
hactool -t nca --exefsdir=exefs <hash.nca>
You will have to place prod.keys in the right location for it to work. See 'External Keys' in the hactool README.
Alright, thanks a lot. Could you explain what NXCA2Prod1 is for and how to extract it? (I believe it's for NPLN, correct me if I'm wrong.)
The device certificate (NXCA2Prod1) is required for DAuth and a few other servers. This is the certificate that is banned. The NPLN server doesn't require a certificate, but to do anything useful on NPLN, you have to go through DAuth, which does require a certificate.
To get the certificate, first dump your PRODINFO, then extract it. I believe that NxCertDump is able to extract the certificate from PRODINFO, although I've never tried that tool myself. Alternatively, here is a way to extract it from PRODINFO with the NintendoClients package: https://github.com/kinnay/NintendoClients/issues/32#issuecomment-1409919863.
I'm curious how all of this is going to help you with unbanning your Switch. Unless you are able to get a new certificate somehow, unbanning a Switch is impossible.
NX Prod 1 is also used for authentication, that one I believe. Also, if NXCA2Prod1 is used for authentication, then what is NX Prod 1 for?
- hactool -t nca --exefsdir=exefs
Invalid NCA header! Are keys correct?
I get this error? The update was dumped via TegraExplorer.
You can spoof everything with Charles. You would have to patch PRODINFO to trust the new cert. NPLN not supported. Also, you can turn off all play reports with homebrew. Not hard.
0x7100961C29
I tried doing that with Ghidra, using hactool to unpack it. I dumped with TegraExplorer and can't find anything. Help?
I have unpacked it and have used Ghidra to find the certificate. I used the first default option that popped up. I searched for the bytes and everything and nothing shows up. Can you help please?
Also if NXCA2Prod1 is used for authentication then what is NX Prod 1 for?
NX Prod 1 is the device certificate. This one is stored on your Switch, and can be dumped.
NXCA2Prod1 is the certificate authority. The authority is a certificate that is used by Nintendo to sign and verify device certificates. No one outside of Nintendo has access to it.
I searched for the bytes and everything and nothing shows up. Can you help please?
If you correctly loaded the NSO into Ghidra, then searching for the bytes that I mentioned should bring you to the certificate. Maybe people on the Reswitched discord are able to help you more: https://discordapp.com/invite/ZdqEhed
So the server-side cert that verifies NX Prod 1. I extracted the NCA like you told me and there isn't any certificate.
Can we talk elsewhere? My Discord is yannik9647.
I'm going to close this because issues are not meant for this kind of user support.
Hello, I am trying to proxy traffic with Charles and was wondering how do you obtain the certificate? I heard you need to extract it from the LibAppletShop NSO, but I don't know. Can someone help me please? Thank you.