Hacking Suggestion Downloading Switch updates on PC for hacking purposes

punderino

Yes, but hopefully at some point in the future (possibly years, but likely more) we will be able to decrypt them. If we could modify them and then proxy the updater to download and install the modded FW...
Uhmm.... You do realize they sign everything? You can't just patch or change something and put it on the console. It will never work. Never ever ever without the bootrom being leaked or hacked.
 
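The signature check the reply above refers to, as an added example that is not part of the original post and not Nintendo's actual scheme: a toy hash-then-sign verification showing why an image changed in transit is rejected by a device that only trusts the vendor's public key. The key, the function names and the sample image are constructed for illustration.

```python
import hashlib

# Toy RSA key built from two known Mersenne primes (constructed for this demo;
# real firmware signing uses 2048-bit or larger keys with proper padding).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key, baked into the device
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, held only by the vendor


def digest_int(image: bytes) -> int:
    """SHA-256 of the image, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def vendor_sign(image: bytes) -> int:
    """Vendor side: sign the image digest with the private exponent."""
    return pow(digest_int(image), D, N)


def device_accepts(image: bytes, signature: int) -> bool:
    """Device side: recover the signed digest with the public key and compare."""
    return pow(signature, E, N) == digest_int(image)


def proxy_swap(image: bytes, signature: int, patch: bytes):
    """A proxy in the download path can change bytes but cannot re-sign them."""
    return image + patch, signature


def demo() -> dict:
    original = b"constructed sample firmware image"
    sig = vendor_sign(original)
    modded, same_sig = proxy_swap(original, sig, b" +patch")
    return {
        "original": device_accepts(original, sig),
        "modified_same_sig": device_accepts(modded, same_sig),
        "modified_altered_sig": device_accepts(modded, sig ^ 1),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'installed' if ok else 'rejected'}")
```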

SocraticBliss

Ok.. I set up an Android with tethering, rooted it and used tcpdump.. (no access to router right now) I have two packet captures of the data.. I know people have access to them on the forum, etc but I didn't, and nobody has shared them.. Feel free to let me know if you need them... Anyways, the SSL hierarchy has some certificates using SHA-1, and possibly other older, co algorithms... it's a last option if all else fails..

I'll give SSLStrip a shot soon to see if the Switch will allow communications through non-Nintendo SSL certs and maybe trying to force HTTP instead of HTTPS, etc.. I'll see if I can use an HTTP proxy, or anything like that

If anyone knows or has tried any of these things let me know...

Hey Mike,

I don't have the ability to send PMs yet, but I need a bit of help finding the specific URL (or maybe the POST request?) for the firmware.

I scoured the web yesterday and found the following SSL certs you can use to help. The password for the keys is alpine. I downloaded and added the CTR Common Prod 1 and Nintendo Class 2 CA - G3 to my personal cert store. I hope this helps...

I managed to get a Switch UA from Reddit... not sure if it's the right one for firmware downloads though...

"Mozilla/5.0 (Nintendo Switch; ShareApplet) AppleWebKit/601.6 (KHTML, like Gecko) NF/4.0.0.5.9 NintendoBrowser/5.1.0.13341"

Then the URL I tried using was the one everyone is blocking...

http://sun.hac.lp1.d4c.nintendo.net:443/



In the end my final wget command looks something like this so far, but I am still unable to download any firmware files, can you let me know if you have any luck with this or the next steps I should be trying? Thanks!

wget --user-agent="Mozilla/5.0 (Nintendo Switch; ShareApplet) AppleWebKit/601.6 (KHTML, like Gecko) NF/4.0.0.5.9 NintendoBrowser/5.1.0.13341" http://sun.hac.lp1.d4c.nintendo.net:443/
 

mosb3rg

That isn't going to work, because your user agent isn't the only factor here. Likely, there's also some CORS happening, so custom headers are probably being used to give access to these domains from the device. So despite that URL you're mentioning not being HTTPS, it's not going to work that way.
 
