Switch TLS Dumping Guide (Charles)

This guide is for dumping Switch TLS traffic using the Charles web proxy. Please note that this is paid software.

Most Switch communications are over TLS. This includes NEX and Eagle communications (for Nintendo Switch Online)* as well as other servers such as BAAS (friends/status) and NPNS (notifications).

*NPLN, the new Switch online servers that the Monster Hunter Rise demo used, cannot currently be dumped with Charles, as it doesn't support gRPC. Use grpc-dump to dump these communications; the gRPC section explains this better.

While this doesn't carry much risk in theory, it is still risky and could get your Switch banned, because you must send your own Switch-unique client certificate.

Dumping Console-Unique Certificate

xfangfang / switch-gdb-cheatsheet.md
Created May 28, 2023 08:49 — forked from jam1garner/switch-gdb-cheatsheet.md
GDB for Switch Modding Cheatsheet/Tutorial

This is a mini-tutorial of sorts for getting started with gdb on the Switch, with the target audience being people who want to mod and/or reverse games, with no prerequisite knowledge of gdb. The goal will be to walk you through some of the basic workflows needed to use a debugger on the Switch, while being brief enough for skimming for when you forget things.

If some part is unclear, your OS doesn't have install instructions, or you feel part of your workflow should be added here, feel free to comment any additions.

(If you only need a quick reference, jump to the Appendix.)

Installing GDB

First off you'll need a version of GDB compatible with aarch64. This can be obtained via either a distribution of

xfangfang / patchNXapps.md
Created May 10, 2023 23:38 — forked from Slluxx/patchNXapps.md
How to patch Nintendo Switch Applications in IDA

Patching the YouTube App

In short

  1. Extract the main NSO
  2. Convert it into an ELF (to strip header/hashes)
  3. Load it into IDA, find the function and patch the bytes back into the binary
  4. Convert the ELF back into NSO
  5. Use the NSO as an exefs patch or re-import it into the NCA/NSP