Help trying to MITM a closed source NRO

7TxfsjLJH (OP) · Member · Newcomer · Joined Feb 25, 2024 · Messages 6 · Trophies 0 · Age 27 · XP 20 · Country Switzerland
There's a specific website only accessible from a closed-source NRO on the Switch that I would like to see the HTTPS traffic for. The goal is to recreate the web calls to have access from a PC. I've gotten most of the way there, but I'm having some trouble. It has always been helpful for me to talk to people who have an idea what I'm talking about, so I thought I'd post here. Also, I really do not want to reinvent the wheel if there's something out there that can help me. I know very little C, which I studied 10+ years ago, so I don't really understand that part of it.


First, I started off by pointing the DNS for the site to my own web server. I added both sites (theirs and mine) to the app and started to capture the packets. There doesn't seem to be anything special, no hardcoded well-known URL for XML or anything; it just hits the base page with some specific headers.

Code:
GET / HTTP/1.1
Host: 10.0.0.22
Accept: */*
Accept-Encoding: deflate, gzip
Theme: 0000000000000000000000000000000000000000000000000000000000000000
UID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version: 17.0
Revision: 3
Language: en
Stream: 1
HAUTH: 77D2259784855C5B3B77DE499957B90A
UAUTH: C5E43066E5A7C1D8CE224CD70FA9F906

Confirmed by some documentation on the NRO app's website:
  • UID is unique per Switch
  • HAUTH is unique per domain
  • UAUTH is unique per path on that domain

The goal is to see the HTTPS traffic so I can get both the HAUTH and UAUTH for the website and recreate these calls in Python. At first I was hopeful that the secret auth values would be the same for HTTP and HTTPS. However, they are not for my domain, and I've assumed it's true for the other one. Meaning, I really do need to man-in-the-middle. From here I only see two options.


I found misson20000's exefs_patches with some PRs for 'disable_ca_verification' and 'disable_browser_ca_verification' for version 17.0.0. With these on my SD card I set up Charles by following InternalLoss's switch_tls_charles steps. This worked for the OS services, but with a self-signed SSL cert I get an untrusted SSL cert error in the console of the app. I'm not sure if this is something I'm doing wrong or what, but I've never seen an Atmosphère nro_patches directory before. I'm booting from hekate; is there anything special I need to do here?


The other option I can see is to get into homebrew, dust off the C book, and try to install my self-signed SSL cert into the Switch trusted cert store. I can't link, but I believe switchbrew has a section on SSL_services to import certs. To me, with my current knowledge, I don't understand what it's saying, but I believe it's what I'm looking for. From here I'd use that private key on my web server, proxying requests to the real site while capturing the requests there.

Truly, it would be nice if I could debug the NRO and step through the work it's doing so I can recreate the HAUTH and UAUTH generation in Python, but all the guides I'm finding are for doing similar on a PC.

The secrets for the HTTP version of the site:
Code:
HAUTH: 2A3982D79A8D699A8E3758C0E42A21A0
UAUTH: 3A0523CAEEACF0B7EBA08ED2F24D0FC5

Anyone have some thoughts or suggestions for me? I doubt I'm the only one looking to do this, so maybe there's already something out there? I'm not going to stop going down this path, and my next step is to get a dev environment set up for homebrew on the Switch to try to install the SSL cert and proxy the requests through my web server.
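The post captures the request head on its own web server and then reasons from the documented scoping rules (UID per device, HAUTH per domain, UAUTH per path). A small script that parses such captured request heads and infers, from several captures, which headers are constant, host-bound or path-bound makes that reasoning mechanical and catches cases where a capture does not match the documented rule. The following is an added example written for this thread, not code from the original post or from any Switch homebrew project. The first capture reproduces the request quoted above; the second capture (same host, path `/status`, a constructed UAUTH value) and the third (placeholder host `example.test`, reusing the HAUTH/UAUTH pair the post quotes for the HTTP version of the site) are constructed for illustration only.

```python
"""Parse captured HTTP/1.1 request heads and infer each header's scope.

Added example for this thread; not the original post's code. Captures 2 and 3
below are constructed: `example.test` is a placeholder host and the UAUTH on
the second capture is an invented value.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Template reproducing the header set of the request quoted in the post.
TEMPLATE = """GET {path} HTTP/1.1
Host: {host}
Accept: */*
Accept-Encoding: deflate, gzip
Theme: 0000000000000000000000000000000000000000000000000000000000000000
UID: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Version: 17.0
Revision: 3
Language: en
Stream: 1
HAUTH: {hauth}
UAUTH: {uauth}

"""


def make_capture(host: str, path: str, hauth: str, uauth: str) -> str:
    """Render one request head; used only to build the sample captures."""
    return TEMPLATE.format(host=host, path=path, hauth=hauth, uauth=uauth)


CAPTURES: List[str] = [
    # 1: the request shown in the post (own server, base page)
    make_capture("10.0.0.22", "/", "77D2259784855C5B3B77DE499957B90A",
                 "C5E43066E5A7C1D8CE224CD70FA9F906"),
    # 2: constructed; same host, another path, so HAUTH stays and UAUTH changes
    make_capture("10.0.0.22", "/status", "77D2259784855C5B3B77DE499957B90A",
                 "0123456789ABCDEF0123456789ABCDEF"),
    # 3: constructed placeholder host, reusing the post's HTTP-version pair
    make_capture("example.test", "/", "2A3982D79A8D699A8E3758C0E42A21A0",
                 "3A0523CAEEACF0B7EBA08ED2F24D0FC5"),
]


@dataclass
class Request:
    method: str
    target: str
    version: str
    headers: Dict[str, str] = field(default_factory=dict)  # names lower-cased


def parse_request_head(raw: str) -> Request:
    """Parse the request line and header fields of an HTTP/1.1 request head.

    Header names are case-insensitive, so they are stored lower-cased. Anything
    after the first blank line (a body) is ignored. Malformed input raises.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    if not lines:
        raise ValueError("empty request head")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {lines[0]!r}")
    req = Request(method=parts[0], target=parts[1], version=parts[2])
    for ln in lines[1:]:
        name, sep, value = ln.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed header line: {ln!r}")
        req.headers[name.strip().lower()] = value.strip()
    return req


def infer_header_scope(reqs: List[Request]) -> Dict[str, str]:
    """Classify each header present in every capture as constant, per-host,
    per-path (host+path) or varies. The inference is only as good as the
    captures given: distinguishing per-host from per-path needs at least two
    paths on the same host."""
    names = set.intersection(*(set(r.headers) for r in reqs))
    scopes: Dict[str, str] = {}
    for name in sorted(names):
        values = {r.headers[name] for r in reqs}
        by_host: Dict[str, str] = {}
        by_path: Dict[tuple, str] = {}
        host_consistent = path_consistent = True
        for r in reqs:
            host = r.headers.get("host", "")
            v = r.headers[name]
            if by_host.setdefault(host, v) != v:
                host_consistent = False
            if by_path.setdefault((host, r.target), v) != v:
                path_consistent = False
        if len(values) == 1:
            scopes[name] = "constant"
        elif host_consistent:
            scopes[name] = "per-host"
        elif path_consistent:
            scopes[name] = "per-path"
        else:
            scopes[name] = "varies"
    return scopes


if __name__ == "__main__":
    for name, scope in infer_header_scope([parse_request_head(c) for c in CAPTURES]).items():
        print(f"{name:16} {scope}")
```

Running the script on the three captures reports UID (and Theme, Version, etc.) as constant, HAUTH as per-host and UAUTH as per-path, which is exactly the scoping the app's documentation describes. Feeding it real captures taken to your own server on several paths is a quick sanity check before investing time in the TLS interception route.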