Suggestion Downloading Switch updates on PC for hacking purposes

Discussion in 'Switch - Hacking & Homebrew' started by Jhynjhiruu, Mar 29, 2017.

  1. Jhynjhiruu
    OP

    Jhynjhiruu GBAtemp Advanced Fan

    Member
    Dec 31, 2016
    By spoofing your user agent to the Switch's web applet, you can get a computer to connect to Nintendo's update servers for the Switch without the 'connection being reset'. Is anyone able to find out the user agent the updater uses? I can't work out how to. If someone could, it might be possible to actually download the update files and possibly at some stage modify them.
     
    supermario18 likes this.


  2. Mr. Wizard

    Mr. Wizard Ending the spread of bullshit one thread at a time

    Member
    Mar 20, 2015
    Canada
    10th Dimension
    Last edited by Mr. Wizard, Mar 29, 2017
  3. Jhynjhiruu
    OP

    Jhynjhiruu GBAtemp Advanced Fan

    Member
    Dec 31, 2016
    Yes, but hopefully at some point in the future (possibly years, but likely more) we will be able to decrypt them. If we could modify them and then proxy the updater to download and install the modded FW...
     
  4. lefthandsword

    lefthandsword GBAtemp Fan

    Member
    Apr 6, 2015
    Hong Kong
    root
    When we have the ability to decrypt them we can compare between versions to find what Nintendo has patched. It's better to save them now for future use, before they're removed from the CDN.
     
  5. Jhynjhiruu
    OP

    Jhynjhiruu GBAtemp Advanced Fan

    Member
    Dec 31, 2016
    Anyway, the point of this thread is essentially to find out if anyone knows the user agent for the OS updater so we can start trying to download stuff.

    Just an idea - could people start coming up with ideas for possible user agents for people to try?
     
  6. nIxx

    nIxx GBAtemp Advanced Maniac

    Member
    Sep 30, 2007
    Gambia, The
    Germany
    Try something like tcpdump, Wireshark or similar.
     
  7. Poryhack

    Poryhack GBAtemp Fan

    Member
    Oct 18, 2009
    United States
    The Switch update and authentication servers probably require a valid TLS client certificate (and matching key). If they do then off-device downloads won't be possible until the/a key is found.

    All Nintendo consoles dating back to the DSi/Wii have used TLS client certificates. Downloads have been possible without a certificate thus far, but only because Nintendo configured their CDN (content distribution network, in this case the servers that host update and eShop downloads) to not require TLS client certificates.

    As far as I'm aware nobody has obtained the/a Switch client certificate yet. Doing so isn't possible with the browser exploit alone because the browser process doesn't use the client certificate and doesn't have access to it.
     
  8. mosb3rg

    mosb3rg Newbie

    Newcomer
    Mar 17, 2017
    United States
    Well... speaking as someone who exploits HLS video and uses cookies and SSL key tricks to bypass, I can tell you that often the ability to accept the cert is in fact on the device. I would argue it is, but our access to the key is restricted because we cannot view the contents of the internal drive/chip. If we were able to, and the file system was readable, it's very likely that in root we would see a key or derivative, or at least the "cookie values" which are assigned to authenticate the SSL; this is a common misconception. Often correct use of a cookie will bypass SSL restrictions entirely, and files which were authenticated will show these values in their hex or headers in some fashion, depending on how we read them or how they're stored on disk. But, again, we will need to call on the internal contents and examine them better; I don't believe the SSL bypass will solve very much right now. We're going to need to find a way into the contents area to view them. But, indeed, without SSL traffic we will not see the things everyone wants to see, like direct links to eShop files and downloads and updates.

    We can assume they encrypted the updates, but we really don't know that for certain. You would be surprised how often these companies put so much stock in their initial methods being viable that they exclude additional protections or means of it being visible down the line, and rush to update.

    If I had to guess, the first stuff we will see from this will be just the usual trying to send commands etc., and you will really need to know what you're doing. Once more of us can view the contents we will see that it might help us more down the line, because often guys like me who studied those SSL bypasses in all situations will perhaps have a way around it, but until we can see the contents of the drive and examine some of it, it will be a stretch to expect that.
     
    Last edited by mosb3rg, Mar 29, 2017
  9. Gabriel Mejia

    Gabriel Mejia Advanced Member

    Newcomer
    Oct 5, 2015
    United States
    If you want to get the certificate to access Nintendo's update server, why not trick the console into thinking it's connected to the Nintendo server and just push a certificate request and clone said certificate you received from the console?
     
  10. GerbilSoft

    GerbilSoft GBAtemp Addict

    Member
    Mar 8, 2012
    United States
    Good luck obtaining the server-side certificates. Also, the private key isn't transmitted when establishing a connection, so you can't simply retrieve the certificate with a man-in-the-middle attack.
     
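Added example (not code from any poster, and not Nintendo's setup): a Go program that generates throwaway self-signed certificates in memory and runs a mutual-TLS handshake over loopback against a server configured the way Poryhack describes the CDN, with tls.RequireAndVerifyClientCert. It shows the three situations discussed in posts 7, 9 and 10: the device holding its own certificate and key is accepted, a client that has only a spoofed User-Agent is refused, and a client presenting certificate bytes copied off the wire but a different private key is refused too, which is GerbilSoft's point that the handshake never transmits the key. The names cdn.example and device, the Ed25519 keys and the loopback listener are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// selfSigned makes a throwaway self-signed cert for name (constructed here) and a pool pinning only it.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// MutualTLS runs one handshake over loopback TCP against a server that requires a client certificate from its
// trusted pool and returns the server's verdict (nil = authenticated). client selects what the client holds:
// "device" (the real cert and key), "copied" (the device's cert bytes with a freshly made key) or nothing.
func MutualTLS(client string) error {
	srvCert, srvPool := selfSigned("cdn.example") // server identity, pinned by the client
	devCert, devPool := selfSigned("device")      // device identity, pinned by the server
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: devPool}
	cliCfg := &tls.Config{RootCAs: srvPool, ServerName: "cdn.example"}
	switch client {
	case "device":
		cliCfg.Certificates = []tls.Certificate{devCert}
	case "copied": // the certificate is public and crosses the wire; the private key never does
		_, other, _ := ed25519.GenerateKey(rand.Reader)
		cliCfg.Certificates = []tls.Certificate{{Certificate: devCert.Certificate, PrivateKey: other}}
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return err }
	defer ln.Close()
	go func() { // client side, as the PC or the console would run it
		c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg)
		if err == nil { c.Read(make([]byte, 1)); c.Close() } // wait for close_notify or the alert, then hang up
	}()
	raw, err := ln.Accept()
	if err != nil { return err }
	defer raw.Close()
	return tls.Server(raw, srvCfg).Handshake() // the error text names why the server refused
}
```

The server's error message is the useful part: "client didn't provide a certificate" for the User-Agent-only client, and a signature failure for the copied certificate, since the chain checks out but the proof of key possession does not.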
  11. Blitzur

    Blitzur Member

    Newcomer
    Jul 20, 2016
    Gambia, The
    So do I understand correctly that it will never be as easy as a NUS downloader? :(
    I was already sad to see there is nothing like that.
     
  12. Gabriel Mejia

    Gabriel Mejia Advanced Member

    Newcomer
    Oct 5, 2015
    United States
    Whoa now, I didn't say anything about a man-in-the-middle attack. What I said was to trick the console into thinking it's connected to the Nintendo server and push a request for the console client certificate.

    You would need a computer with a fake server set up to do that; you wouldn't necessarily need internet to do it though.

    Thing is, someone would have to click the update option on the console for it to work.
    Trick the console into requesting an update and the fake server would request the client certificate; once the console gives the client certificate you can copy the certificate and close the connection.

    Thing is, I could be missing a lot of steps on how this could be done since I haven't done something like this before;
    then again, this is just a suggestion.
    I highly doubt someone's actually going to try this. There is a small chance this could work, but I could be missing something.
     
    Last edited by Gabriel Mejia, Mar 31, 2017
  13. mikeg504

    mikeg504 Member

    Newcomer
    May 27, 2017
    United States
    I'm considering working on hacking the Switch. I mainly just wanna be able to modify my Zelda BotW save games (durability, etc.).

    It seems people abused older Nintendo products by manipulating save files to exploit games which had employees who were not security savvy... so they decided to not allow copying them off to SD and back. I noticed in some other places that the code exists to download data from the cloud. It must check whenever it is online. Someone sent in their Switch to get updated, and it had a cloud icon next to it... try Googling to find it.

    Anyways,

    I'm considering using DNS to hijack the domains, or setting it up to use my PC as a gateway. I'm hoping it either doesn't use SSL for everything, or I can trick it somehow. It'd be nice if it has SSL implementation bugs or something so I can monitor easily. If it sends requests to my hostname, then I hope I can at least get the information and pass it on to their server to request the same URLs. It depends if they have client-side SSL certificates, etc.

    All of this trouble, and I really just want to edit save games =/

    Anyone have any comments or thoughts? I need to get a second network adapter to host a different WiFi to take a shot (I'm traveling).

    I considered manipulating the RAM while it's executing, although it's BGA, and in layers on the PCB. If I decide to hack the Switch then I'll have to order a second one for sure...


    If there is no client-side SSL, then the server (Nintendo) should answer all requests. Replacing those requests to the Switch, and having it accept them, depends on whether its certificate authority verification is enabled and how it's configured. I hope there's some way to add a CA which would allow self-signed; otherwise it depends if it trusts some MD5, or has bugs in validation of parameters. No idea at this moment until I can MiTM (man in the middle) its traffic...


    I know if I can get access to the RAM chips' pins on the board while it's executing, then it'll allow dumping it. I'll check everything on the PCB to determine if something has DMA access. It might be a bit before I can order what I need, so the software side (SSL) is best...

    If anyone has ideas or comments, or is considering working on it, LMK.
     
    Last edited by mikeg504, May 27, 2017
    peteruk likes this.
  14. NWPlayer123

    NWPlayer123 GBAtemp Addict

    Member
    Feb 17, 2012
    United States
    The Everfree Forest
    Except with the 3DS we were able to abuse gspwn to gain code execution; there's nothing like that (that we know of) to allow for it, so all savegames have to be *entirely* ROP-based, and the browser applet has no JIT so we can't use that either right now.
    Just use PegaSwitch's stuff if you want to DNS route stuff.
    The cloud is just for eShop downloaded/installed stuff vs. cartridges, nothing more to it; all the dev software has to be installed too.
     
  15. mikeg504

    mikeg504 Member

    Newcomer
    May 27, 2017
    United States
    Ok, I set up an Android with tethering, rooted it and used tcpdump (no access to a router right now). I have two packet captures of the data. I know people have access to them on the forum, etc., but I didn't, and nobody has shared them. Feel free to let me know if you need them. Anyway, the SSL hierarchy has some certificates using SHA-1, and possibly other older algorithms... it's a last option if all else fails.

    I'll give SSLStrip a shot soon to see if the Switch will allow communications through non-Nintendo SSL certs, and maybe try forcing HTTP instead of HTTPS, etc. I'll see if I can use an HTTP proxy or anything like that.

    If anyone knows or has tried any of these things, let me know...
     
  16. Jhynjhiruu
    OP

    Jhynjhiruu GBAtemp Advanced Fan

    Member
    Dec 31, 2016
    If you do get this to work, that would be amazing.
     
  17. chaoskagami

    chaoskagami Rawr

    Member
    Mar 26, 2016
    United States
    ↑↑↓↓←→←→BA
    How many times will this stupid suggestion come up? Every platform. Every single one.

    It didn't work for the Wii, the Xbox, the Vita, the 360, the PS3, the PS4, the WiiU, the 3DS, and it's not going to work for the Switch.

    Please read how asymmetric cryptography works.

    Did you notice the big red "invalid certificate" warning on the CDN when attempting to use a PC, followed by a nonsensical error about an "invalid CC" or such? Nintendo self-signs the certificate, meaning there's no hierarchy of trust. You'll likely need the certificate from a Switch to succeed in connecting; this is the same reason you needed the cert from a 3DS for tools like PlaiCDN.
     
    DayVeeBoi and InTheBeef like this.
  18. Darthsternie

    Darthsternie Advanced Member

    Newcomer
    May 18, 2015
    Germany
    Not to be rude, but I asked the exact same question just when this Switch forum was opened, since I would love to back up the firmwares for archival purposes, and I got the exact same answers you have got. A tiny search would have given you the same answers :)
     
  19. thomasnet

    thomasnet Advanced Member

    Newcomer
    Mar 6, 2016
    France
    In fact, the ClCertA cert from the 3DS worked. You just need to know the Switch's UA and the URL (can be found with Fiddler).
     
  20. chaoskagami

    chaoskagami Rawr

    Member
    Mar 26, 2016
    United States
    ↑↑↓↓←→←→BA
    ...Are you kidding me? Has Nintendo learned nothing? Why would they reuse the certs? I mean, sure, we don't have the common keys needed to decrypt anything (at least, we shouldn't) but still, why would they reuse that?