Hacking Suggestion Downloading Switch updates on PC for hacking purposes

Jhynjhiruu

By spoofing your user agent to the Switch's web applet, you can get a computer to connect to Nintendo's update servers for the Switch without the 'connection being reset'. Is anyone able to find out the user agent the updater uses? I can't work out how to. If someone could, it might be possible to actually download the update files and possibly at some stage modify them.
 

lefthandsword

Everything seems to be encrypted by a master auth server from what I've seen.
When we have the ability to decrypt them we can compare between versions to find what Nintendo has patched. It's better to save them now, before they're removed from the CDN, for future use.
 

Jhynjhiruu

Anyway, the point of this thread is essentially to find out if anyone knows the user agent for the OS updater, so we can start trying to download stuff.

--------------------- MERGED ---------------------------

Just an idea: could people start coming up with ideas for possible user agents for people to try?
 

Poryhack

The Switch update and authentication servers probably require a valid TLS client certificate (and matching key). If they do then off-device downloads won't be possible until the/a key is found.

All Nintendo consoles dating back to the DSi/Wii have used TLS client certificates--downloads have been possible without a certificate thus far, but only because Nintendo configured their CDN (content distribution network, in this case the servers that host update and eshop downloads) to not require TLS client certificates.

As far as I'm aware nobody has obtained the/a Switch client certificate yet. Doing so isn't possible with the browser exploit alone because the browser process doesn't use the client certificate and doesn't have access to it.
 

mosb3rg

Well, speaking as someone who exploits HLS video and uses cookies and SSL key tricks to bypass, I can tell you that often the ability to accept the cert is in fact on the device. I would argue it is, but our access to the key is restricted because we cannot view the contents of the internal drive/chip. If we were able to, and the file system was readable, it's very likely that in root we would see a key or derivative, or at least the "cookie values" which are assigned to authenticate the SSL; this is a common misconception. Often correct use of a cookie will bypass SSL restrictions entirely, and files which were authenticated will show these values in their hex or headers in some fashion, depending on how we read it or how it's stored on disk. But again, we will need to call on the internal contents and examine it better; I don't believe the SSL bypass will solve very much right now. We are going to need to find a way into the contents area to view. But indeed, without SSL traffic we will not see the things everyone wants to see, like direct links to eShop files and downloads and updates.

We can assume they encrypted the updates, but we really don't know that for certain. You would be surprised how often these companies put so much stock in their initial methods being viable that they exclude additional protections or means of it being visible down the line, and rush to update.

If I had to guess, the first stuff we will see from this will be just the usual trying to send commands etc., and you will really need to know what you're doing. Once more of us can view the contents we will see that it might help us more down the line, because often guys like me who studied those SSL bypasses in all situations will perhaps have a way around it, but until we can see the contents of the drive and examine some of it, it will be a stretch to expect that.
 

Gabriel Mejia

If you want to get the certificate to access Nintendo's update server, why not trick the console into thinking it's connected to the Nintendo server and just push a certificate request and clone said certificate you received from the console?
 

GerbilSoft

> If you want to get the certificate to access Nintendo's update server, why not trick the console into thinking it's connected to the Nintendo server and just push a certificate request and clone said certificate you received from the console?
Good luck obtaining the server-side certificates. Also, the private key isn't transmitted when establishing a connection, so you can't simply retrieve the certificate with a man-in-the-middle attack.
 

Blitzur

So do I understand correctly that it will never be as easy as a NUS downloader? :(
I was already sad to see there is nothing like that.
 

Gabriel Mejia

Whoa now, I didn't say anything about a man-in-the-middle attack. What I said was to trick the console into thinking it's connected to the Nintendo server and push a request for the console client certificate.

You would need a computer with a fake server set up to do that; you wouldn't necessarily need internet to do it though.

Thing is, someone would have to click the update option on the console for it to work.
Trick the console into requesting an update and the fake server would request the client certificate; once the console gives the client certificate you can copy the certificate and close the connection.

Thing is, I could be missing a lot of steps on how this could be done, since I haven't done something like this before.
Then again, this is just a suggestion.
I highly doubt someone's actually going to try this. There is a small chance this could work, but I could be missing something.
 

mikeg504

I'm considering working on hacking the Switch. I mainly just wanna be able to modify my Zelda BoTW save games (durability, etc.).

It seems people abused older Nintendo products by manipulating save files to exploit games which had employees who were not security savvy... so they decided to not allow copying them off to SD and back. I noticed in some other places that the code exists to download data from the cloud. It must check whenever it is online. Someone sent in their Switch to get updated, and it had a cloud icon next to it; try to Google it.

Anyways,

I'm considering using DNS to hijack the domains, or setting it up to use my PC as a gateway. I'm hoping it either doesn't use SSL for everything... or I can trick it somehow. It'd be nice if it has SSL implementation bugs or something so I can monitor easily. If it sends requests to my hostname, then I hope I can at least get the information and pass it on to their server to request the same URLs. It depends on whether they have client-side SSL certificates, etc.

All of this trouble, and I really just want to edit save games =/

Anyone have any comments or thoughts? I need to get a second network adapter to host a different WiFi to take a shot (I'm traveling).

I considered manipulating the RAM while it's executing, although it's BGA and in layers on the PCB. If I decide to hack the Switch then I'll have to order a second one for sure...

If there is no client-side SSL, then the server (Nintendo) should answer all requests. Replacing those requests to the Switch, and having it accept them, depends on whether its certificate authority verification is enabled and how it's configured. I hope there's some way to add a CA which would allow self-signed; otherwise it depends on whether it trusts some MD5, or has bugs in validation of parameters. No idea at this moment until I can MITM (man in the middle) its traffic...

I know if I can get access to the RAM chip's pins on the board while it's executing, then it'll allow dumping it. I'll check everything on the PCB to determine if something has DMA access. It might be a bit before I can order what I need, so the software side (SSL) is best...

If anyone has ideas, comments, or is considering working on it, LMK.
 

NWPlayer123

> [mikeg504's post above, quoted in full]
Except with the 3DS we were able to abuse gspwn to gain code execution; there's nothing like that (that we know of) to allow for it, so all savegames have to be *entirely* ROP-based, and the browser applet has no JIT so we can't use that either right now.
Just use PegaSwitch's stuff if you want to DNS route stuff.
The cloud is just for eShop downloaded/installed stuff vs. cartridges, nothing more to it; all the dev software has to be installed too.
 

mikeg504

OK, I set up an Android with tethering, rooted it and used tcpdump (no access to the router right now). I have two packet captures of the data. I know people have access to them on the forum, etc., but I didn't, and nobody has shared them. Feel free to let me know if you need them. Anyways, the SSL hierarchy has some certificates using SHA-1, and possibly other older algorithms... it's a last option if all else fails.

I'll give SSLStrip a shot soon to see if the Switch will allow communications through non-Nintendo SSL certs, and maybe try forcing HTTP instead of HTTPS, etc. I'll see if I can use an HTTP proxy or anything like that.

If anyone knows or has tried any of these things, let me know...
 

Jhynjhiruu

> [mikeg504's post above, quoted in full]
If you do get this to work, that would be amazing.
 

chaoskagami

> Yes, but hopefully at some point in the future (possibly years, but likely more) we will be able to decrypt them. If we could modify them and then proxy the updater to download and install the modded FW...

How many times will this stupid suggestion come up? Every platform. Every single one.

It didn't work for the Wii, the Xbox, the Vita, the 360, the PS3, the PS4, the WiiU, the 3DS, and it's not going to work for the Switch.

Please read how asymmetric cryptography works.

> [mikeg504's post above, quoted in full]

Did you notice the big red "invalid certificate" warning on the CDN when attempting to use a PC, followed by a nonsensical error about an "invalid CC" or such? Nintendo self-signs the certificate, meaning there's no hierarchy of trust. You'll likely need the certificate from a Switch to succeed in connecting; this is the same reason you needed the cert from a 3DS for tools like PlaiCDN.
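The point made by GerbilSoft and chaoskagami above (a server, real or fake, only ever receives the client's public certificate plus a signature, never the private key, so a "fake update server" cannot clone a client cert) is shown in the following toy model. This is an added example for this thread, not code from the thread or from any Nintendo system; it stands in for TLS client authentication with textbook RSA on small constructed primes so it runs with the standard library only, and the names `ClientCert`, `handshake` and `replay_against_new_server` are this example's own.

```python
"""Toy model of TLS client-certificate authentication (added example).

Real TLS sends an X.509 certificate (public) and a CertificateVerify
signature over the handshake transcript. The private key stays on the
client; the server verifies with the public key taken from the cert.
"""
import hashlib
import os
from dataclasses import dataclass
from typing import Tuple

# Constructed toy key: real keys are 2048+ bits, these primes are tiny on purpose.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, never leaves the client


@dataclass(frozen=True)
class ClientCert:
    """What the client actually transmits: identity and public key only."""
    subject: str
    n: int
    e: int


def digest(data: bytes) -> int:
    """Hash the transcript and reduce into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def client_sign(transcript: bytes, d: int = D) -> int:
    """CertificateVerify: sign the handshake transcript with the private key."""
    return pow(digest(transcript), d, N)


def server_verify(cert: ClientCert, transcript: bytes, sig: int) -> bool:
    """Server side: check the signature using the public key from the cert."""
    return pow(sig, cert.e, cert.n) == digest(transcript)


def handshake(server_nonce: bytes) -> Tuple[ClientCert, bytes, int]:
    """One client-auth exchange; returns everything a server could capture."""
    transcript = b"ClientHello|ServerHello|" + server_nonce
    cert = ClientCert("console", N, E)
    return cert, transcript, client_sign(transcript)


def replay_against_new_server(captured: Tuple[ClientCert, bytes, int]) -> bool:
    """A party holding only the captured cert and signature cannot authenticate
    to another server, because that server issues its own fresh nonce."""
    cert, _old_transcript, old_sig = captured
    fresh = b"ClientHello|ServerHello|" + os.urandom(16)
    return server_verify(cert, fresh, old_sig)
```

Everything `handshake` returns is what a fake server would see; the private exponent `D` is not among it, and the captured signature is only valid for the transcript it was made over.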
 

Darthsternie

Not to be rude, but I asked the exact same question just when this Switch forum was opened, since I would love to back up the firmwares for archival purposes, and I got the exact same answers you have got. A tiny search would have given you the same answers :)
 

thomasnet

In fact, the ClCertA cert from the 3DS worked. You just need to know the Switch's UA and the URL (can be found with Fiddler).
 

chaoskagami

> In fact, the ClCertA cert from the 3DS worked. You just need to know the Switch's UA and the URL (can be found with Fiddler).

...Are you kidding me? Has Nintendo learned nothing? Why would they reuse the certs? I mean, sure, we don't have the common keys needed to decrypt anything (at least, we shouldn't) but still, why would they reuse that?
 
