Dumping Nintendo Switch traffic with Charles (and optionally, Proxide)

Poorly written by Billy on April 8, 2025

Switch TLS Dumping Guide (Charles)

THE GUIDE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE GUIDE OR THE USE OR OTHER DEALINGS IN THE GUIDE.


This guide is for dumping Switch TLS traffic using the Charles web proxy. Please note that this is paid software.

Most Switch communications are over TLS - this includes NEX and Eagle communications (for Nintendo Switch Online)* as well as other servers such as BAAS (friends/status) and NPNS (notifications).

NPLN, the new Switch online servers that Monster Hunter Rise, Pokémon Legends: Arceus, SPLATOON 3, Pokémon Scarlet/Violet and many other new titles use, cannot be dumped with Charles directly because Charles doesn't support gRPC - use Proxide to dump these communications.

While many people (myself included) haven't been banned for doing this, it is risky and could get your Switch banned, as you must send your own Switch-unique client certificate.

Dumping Console-Unique Certificate

You will need to extract your Switch-unique certificate using NxCertDump, which takes two inputs. The first is the automatic PRODINFO backup Atmosphère creates at sd:/atmosphere/automatic_backups/SERIAL_PRODINFO.bin (you will need to copy this via SD, as Atmosphère doesn't allow this file to be touched, to my knowledge). The second is prod.keys, which can be dumped from your Switch using Lockpick. NxCertDump will then extract your unique certificate. KEEP THIS SAFE, DO NOT SHARE THIS WITH ANYONE ELSE.

eShop traffic has a unique certificate for the host bugyo.hac.lp1.eshop.nintendo.net - this P12 is inside libappshop's NSO, with the password kei8paraeS. If you do not have this certificate, do not open the eShop applet while proxying your Switch!

Charles setup

I'd recommend making a new profile just for Switch dumping, which you can do by selecting Tools->Profiles, pressing "Add" and naming it Switch. You then also need to turn off the automatic proxy, which is done in Proxy->Proxy Settings.

Once you've made this profile and ensured the system proxy is disabled (if you're seeing requests, click the ticked option called [OS] Proxy under the Proxy tab to disable it), go to Proxy->SSL Proxying Settings.

Here, add the following hosts under Include, by pressing Add - leave the port blank.

  • *.nintendo.net
  • *.nintendo.com
  • nintendo.net
  • nintendo.com
  • (You may wish to add more here, such as *.pokemon-gl.com for Pokémon Mystery Gift code endpoints.)

And the following hosts under Exclude:

  • .npln.srv.nintendo.net - NPLN cannot be captured by Charles directly, and must be sent to an upstream proxy (see the gRPC section) if you wish to capture it.
  • *.lp1.penne.srv.nintendo.net - Penne is the replacement for the XMPP-based NPNS service, and cannot be directly captured by Charles.

Then, navigate to Client Certificates, press Add, and enter the host *. Next, press Import P12 and select the Switch certificate you exported previously.

*If you have the eShop certificate and wish to proxy eShop traffic, you need to add it before adding the Switch certificate - to do this, press Add, enter the Host bugyo.hac.lp1.eshop.nintendo.net, and import the P12 and password. This certificate should be above the NX Prod 1 certificate, or you will encounter errors.

Then, enter host * port 443, and import the Switch PEM you created earlier. Press "OK", and your Charles proxy is now ready, so move on to Switch setup.

NOTE: I highly recommend blocking Nintendo's "receive" domain; playreports are blocked by Atmosphère, but they will not be blocked if you have the proxy running. Go to Tools->Block List and enable the Block List feature, and add the domain receive-lp1.*.srv.nintendo.net.
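To sanity-check the Include, Exclude and Block List entries above before connecting the console, here is an added example (not part of the original guide and not Charles's own code) that models how a hostname would be handled. It assumes `*` glob matching, that the Block List is applied first and Exclude overrides Include, and that the guide's `.npln.srv.nintendo.net` entry is meant as `*.npln.srv.nintendo.net`; the function names and sample hostnames are constructed.

```python
from fnmatch import fnmatchcase

# Patterns taken from the guide's Charles configuration.
INCLUDE = ["*.nintendo.net", "*.nintendo.com", "nintendo.net", "nintendo.com"]
# Assumption: the guide's ".npln.srv.nintendo.net" entry is meant as "*.npln...".
EXCLUDE = ["*.npln.srv.nintendo.net", "*.lp1.penne.srv.nintendo.net"]
BLOCK = ["receive-lp1.*.srv.nintendo.net"]


def matches(host, patterns):
    """Case-insensitive glob match; '*' may span several DNS labels."""
    host = host.lower().rstrip(".")
    return any(fnmatchcase(host, p) for p in patterns)


def classify(host):
    """Assumed precedence: Block List, then Exclude, then Include."""
    if matches(host, BLOCK):
        return "blocked"
    if matches(host, EXCLUDE):
        return "tunnelled"  # relayed without TLS interception
    if matches(host, INCLUDE):
        return "decrypted"  # SSL proxying applies
    return "tunnelled"      # not listed, so it is not decrypted


def audit(hosts):
    """Group hostnames by outcome so gaps in the lists stand out."""
    report = {"blocked": [], "decrypted": [], "tunnelled": []}
    for host in hosts:
        report[classify(host)].append(host)
    return report


# Constructed sample hostnames (only the eShop host appears in the guide).
SAMPLE_HOSTS = [
    "bugyo.hac.lp1.eshop.nintendo.net",
    "receive-lp1.example.srv.nintendo.net",
    "example-lp1.lp1.t.npln.srv.nintendo.net",
    "example.lp1.penne.srv.nintendo.net",
    "example.pokemon-gl.com",
    "Nintendo.com.",
]

if __name__ == "__main__":
    for outcome, hosts in audit(SAMPLE_HOSTS).items():
        print(f"{outcome}: {', '.join(hosts) or '-'}")
```

The receive host also matches `*.nintendo.net`, so it is only kept out of the capture because the Block List is checked first; `example.pokemon-gl.com` stays tunnelled until its pattern is added under Include.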

Setting up the Switch

Your Switch will obviously need to be hacked and running Atmosphère. You will need to use exefs_patches; make sure the disable_browser_ca_verification and disable_ca_verification patches are compatible with the version you run, which would need to be the latest. Copy the nro_patches folder to sd:/atmosphere, then make a folder named exefs_patches and copy the disable_ca_verification folder, and only that folder, into it.

Once those two patches have been copied, set your Switch proxy to your computer's IP and port 8888 and allow the Switch to connect in Charles. You should now see traffic!

gRPC (NPLN)

Charles does not currently support gRPC, so you must use Proxide. You will also need marysaka's network_mitm plugin to add Proxide's SSL certificate to the Switch's trust store.

First, create a Proxide cert using proxide config ca --create, and copy this to your SD card as mentioned in network_mitm's setup guide - by default, name this rootCA.pem on the root of the SD card.

Run proxide capture -l 8889 -p "*-lp1.lp1.t.npln.srv.nintendo.net" to start an instance of Proxide, then in Charles navigate to Proxy > External Proxy Settings, tick Use External Proxy Servers, check the 'Secure Web Proxy Server (HTTPS)' box and set it to use 127.0.0.1 port 8889. You are now able to capture both gRPC-based traffic for NPLN and non-gRPC traffic (everything else!).

NOTE: While this is on, you will need to keep Proxide running for your Switch to access the Internet; untick the box when not in use.

NOTE2: NPLN also uses STUN for relaying packets if both sides can't communicate (such as if one is on CGNAT or generally bad NAT - this is why NPLN is better!) - as such, these packets will not be captured with this setup, though it also doesn't capture usual Pia-based communications so this isn't much of a surprise.