initial commit

client-certificates/account.nintendo.net.pem

@@ -0,0 +1 @@
+ctr-common-1.pem

client-certificates/ccs.c.shop.nintendowifi.net.pem

@@ -0,0 +1 @@
+ctr-common-1.pem

client-certificates/ctr-common-1.pem

@@ -0,0 +1,55 @@
+-----BEGIN CERTIFICATE-----
+MIIEwzCCA6ugAwIBAgIBBjANBgkqhkiG9w0BAQsFADBtMQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKV2FzaGluZ3RvbjEhMB8GA1UEChMYTmludGVuZG8gb2YgQW1lcmlj
+YSBJbmMuMQswCQYDVQQLEwJJUzEZMBcGA1UEAxMQTmludGVuZG8gQ0EgLSBHMzAe
+Fw0xMDA1MTMxOTE5NDZaFw0zNzEyMjIxOTE5NDZaMIGlMQswCQYDVQQGEwJVUzET
+MBEGA1UECBMKV2FzaGluZ3RvbjEQMA4GA1UEBxMHUmVkbW9uZDEiMCAGA1UEChMZ
+TmludGVuZG8gb2YgQW1lcmljYSwgSW5jLjELMAkGA1UECxMCSVMxGjAYBgNVBAMT
+EUNUUiBDb21tb24gUHJvZCAxMSIwIAYJKoZIhvcNAQkBFhNjYUBub2EubmludGVu
+ZG8uY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA81Vzs324jZwc
+NpbFESgDNooVTRP1TlxvYwz8bbHnJHhImjEJNO29YSTpjmF7wonczooeKXfE/Ry2
++ey9mk92UhzSnvuSHQ6P2zFBbcPnE8eBi73oDnErgixiWe1TKP1G5LvwOqrEkVmX
+LN/qnLrsfFp4QNyFc+PLvJ9IAfRSBwdRJHAiSgE9nB9eI7AGcM6DCw7+p9zEz6rN
+RHUVRc5I132wJpQa8aoWaqPW7LE8exEC3VSfDHRVPjZUMRhfoBVSi2NfiA3xYsqk
+v+Ct3E+bzW8y1aAQ7wIshQ/RGcLtVZE+tkoAznXewVLdKtcC67Vy4awhJ/BqK1tv
+c26qV3zIJwIDAQABo4IBMzCCAS8wCQYDVR0TBAIwADAsBglghkgBhvhCAQ0EHxYd
+T3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFIzG7XO5Ojx2
+G45r5dTszWF1rcFtMIGXBgNVHSMEgY8wgYyAFATT3tP98MjrwlmSh/sf1z5y+O35
+oXGkbzBtMQswCQYDVQQGEwJVUzETMBEGA1UECBMKV2FzaGluZ3RvbjEhMB8GA1UE
+ChMYTmludGVuZG8gb2YgQW1lcmljYSBJbmMuMQswCQYDVQQLEwJJUzEZMBcGA1UE
+AxMQTmludGVuZG8gQ0EgLSBHM4IBATA7BgNVHR8ENDAyMDCgLqAshipodHRwOi8v
+Y3JsLm5pbnRlbmRvLmNvbS9uaW50ZW5kby1jYS1nMy5jcmwwDQYJKoZIhvcNAQEL
+BQADggEBAEOXZ/3IkNuFUfdxHpP0vrcSCTnDqMk8gsLVbN39BJT8Wqm8e3MFNhS/
+Y1YOWgoIPtJp4cd2tXM3cXWzUZgm3SKd1XX/B81PFLEYlk+metUqB4jpF0ApCZs6
+RNoXDBTx6XzsC07CA3uaxEdeWjC5Nl29AHuZ1YC/Z+7Da57TwBaa+/APj4y5mGUa
+ahbvwpe1t3GSNOS5nBDSeCHAKLmzfnXpliA5qQZxo94RSXIVWK8hilXoFDQCL904
+OGpgZnAhz4p3rcJYTq9ub8n6NYr9OJKKbWXfJY1QK4pXFVcIuAph0o/EyzDIEXuT
+J4Q4b2km8uI0H4yxsQwUX9Epw6Vbujc=
+-----END CERTIFICATE-----
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpgIBAAKCAQEA81Vzs324jZwcNpbFESgDNooVTRP1TlxvYwz8bbHnJHhImjEJ
+NO29YSTpjmF7wonczooeKXfE/Ry2+ey9mk92UhzSnvuSHQ6P2zFBbcPnE8eBi73o
+DnErgixiWe1TKP1G5LvwOqrEkVmXLN/qnLrsfFp4QNyFc+PLvJ9IAfRSBwdRJHAi
+SgE9nB9eI7AGcM6DCw7+p9zEz6rNRHUVRc5I132wJpQa8aoWaqPW7LE8exEC3VSf
+DHRVPjZUMRhfoBVSi2NfiA3xYsqkv+Ct3E+bzW8y1aAQ7wIshQ/RGcLtVZE+tkoA
+znXewVLdKtcC67Vy4awhJ/BqK1tvc26qV3zIJwIDAQABAoIBAQDBTk4m9iYJoU2s
+dCPDmFTNG+8GF2fVw4rdVjCmeCDWkROkInZc7Mx4gtljub+WcOzPy1tgt/vu08Ps
+UYziLGQjoTAVCmct3CaeC8gdifZleSVJvSi/aFoXBGlxZR6ePm72QPL7uDOGAHUf
+OhboQXqi40AKzuTZhsqQYrzSiKQtXa8M0jMj3XWb7q+wLEyCtGJvUsFjfXiuxdrg
+ZMwJ3jroDkxAIatmZzzAcjbY6U78P574DQAeFJM/6KJrZXgmsPdkqEpUJWBs1Zro
+b7eEKjkM0tVfk6GrlIZgD5lhBxdyCci9UomO1JjJakKBhVeiB+HMC4sJtcJPyBdb
+ZH70dIJhAoGBAP74UyWJ/xnd12NrZrybOab5pCSYDcaoLpzghWcaxsX+AS70BpEZ
+wZU+DMxWtSfGTbVOlTlW0LEu3A9JHtisr+a3bf+ytv2zXRuDnJ3fhnFqRLRfopNs
+BEAePBUL2EkJ/8OTSsiZcmDoVyhnt14U4sleawsIi30T/KcQDtMS81YXAoGBAPRR
+F/oZcWHYNm1X8foHiPbltAji4u5M3McZT4wb3RZbWLJbUjSz/tATah36dxuT1v1z
+EwHWZ0vdN94MuIy1OnwIHvBXJy8m4Rq6VTQpzGPgy0clbZbtX3Cih+fQSvxJUe2m
+psaicsNSTtmd+btudZyG5qzILOU8afGmeB1wr3hxAoGBANZkcm3XSoUyj8FOdxXS
+pDiuI4KNxM+tbXyGIkZfMpMbkV0s3jS2ZpuakGJl6m/mhEMXL80GHfdOwsWro19o
+XYRv6vOeD9bmMj1HfrMVWFQXmmvdGrRBmJVdlwHPcu9/k+uc974ToSSxWVBlXb+j
+aksOtI2Tgs8KtmC31O9ROQHDAoGBAI0OnPdK5UmGmbX7xruCyjMyYAWZaUgInJdf
+J6xPEhCsYMNpMkc3fPEJpIT2bPpBGylt3RV8glsst+q+EXc70y51SdedmgQBQIo7
+9qGNWHJ6ASNsmp8/IZFYZXsTqZeLhX/ebf/VHsliph/Cs8LhfYoH4Pr0/+bCQLDC
+Wis1OjohAoGBAJSivkSk2MKrg/t4CqNYLBiPp0fegm9ZL3187I/leVJGXIXsNqTq
+oa6qT5JxiJRQnkw2IzfI6icl+BJYydRU3oH4X0nvl0eyjiIfG/nfn4H7ckSKdzP/
+wVBdRbcC+/PX/1WpGiJM+kXrf/vLQN1B6iihrYEkS/ZIkzFWMuuKQRvQ
+-----END RSA PRIVATE KEY-----

client-certificates/ecs.c.shop.nintendowifi.net.pem

@@ -0,0 +1 @@
+ctr-common-1.pem

client-certificates/nasc.nintendowifi.net.pem

@@ -0,0 +1 @@
+ctr-common-1.pem

client-certificates/ninja.ctr.shop.nintendo.net.pem

@@ -0,0 +1 @@
+ctr-common-1.pem

client-certificates/nppl.c.app.nintendowifi.net.pem

@@ -0,0 +1 @@
+ctr-common-1.pem

client-certificates/nus.c.shop.nintendowifi.net.pem

@@ -0,0 +1 @@
+ctr-common-1.pem

configuration/.gitignore

@@ -0,0 +1,7 @@
+# .gitignore
+mitmproxy-ca-cert.p12
+mitmproxy-ca.p12
+mitmproxy-dhparam.pem
+mitmproxy-ca-cert.cer
+mitmproxy-ca-cert.pem
+mitmproxy-ca.pem

configuration/config.yaml

@@ -0,0 +1,292 @@
+
+# Add all certificates of the upstream server to the certificate chain
+# that will be served to the proxy client, as extras. Type bool.
+add_upstream_certs_to_client_chain: false
+
+# Opposite of --ignore-hosts. Type sequence of str.
+allow_hosts: []
+
+# Strip out request headers that might cause the server to return
+# 304-not-modified. Type bool.
+anticache: false
+
+# Try to convince servers to send us un-compressed data. Type bool.
+anticomp: false
+
+# Block connections from globally reachable networks, as defined in the
+# IANA special purpose registries. Type bool.
+block_global: true
+
+# Block connections from private networks, as defined in the IANA
+# special purpose registries. This option does not affect loopback
+# addresses. Type bool.
+block_private: false
+
+# Byte size limit of HTTP request and response bodies. Understands k/m/g
+# suffixes, i.e. 3m for 3 megabytes. Type optional str.
+body_size_limit:
+
+# SSL certificates of the form "[domain=]path". The domain may include a
+# wildcard, and is equal to "*" if not specified. The file at path is a
+# certificate in PEM format. If a private key is included in the PEM, it
+# is used, else the default key in the conf dir is used. The PEM file
+# should contain the full certificate chain, with the leaf certificate
+# as the first entry. Type sequence of str.
+certs: []
+
+# Set supported ciphers for client connections using OpenSSL syntax.
+# Type optional str.
+ciphers_client:
+
+# Set supported ciphers for server connections using OpenSSL syntax.
+# Type optional str.
+ciphers_server:
+
+# Client certificate file or directory. Type optional str.
+client_certs: "./client-certificates"
+
+# Replay client requests from a saved file. Type sequence of str.
+client_replay: []
+
+# Persist command history between mitmproxy invocations. Type bool.
+command_history: true
+
+# Location of the default mitmproxy configuration files. Type str.
+confdir: ./confdir
+
+# The default content view mode. Valid values are 'auto', 'raw', 'hex',
+# 'json', 'xml/html', 'wbxml', 'javascript', 'css', 'url-encoded',
+# 'multipart form', 'image', 'query', 'protocol buffer'.
+console_default_contentview: auto
+
+# EventLog verbosity. Valid values are 'error', 'warn', 'info', 'alert',
+# 'debug'.
+console_eventlog_verbosity: info
+
+# Set the flowlist layout Valid values are 'default', 'list', 'table'.
+console_flowlist_layout: default
+
+# Focus follows new flows. Type bool.
+console_focus_follow: false
+
+# Console layout. Valid values are 'horizontal', 'single', 'vertical'.
+console_layout: single
+
+# Show layout component headers Type bool.
+console_layout_headers: true
+
+# Console mouse interaction. Type bool.
+console_mouse: true
+
+# Color palette. Valid values are 'dark', 'light', 'lowdark',
+# 'lowlight', 'solarized_dark', 'solarized_light'.
+console_palette: solarized_dark
+
+# Set transparent background for palette. Type bool.
+console_palette_transparent: false
+
+# Flow content view lines limit. Limit is enabled by default to speedup
+# flows browsing. Type int.
+content_view_lines_cutoff: 512
+
+# Enable/disable HTTP/2 support. HTTP/2 support is enabled by default.
+# Type bool.
+http2: true
+
+# PRIORITY forwarding for HTTP/2 connections. Disabled by default to
+# ensure compatibility with misbehaving servers. Type bool.
+http2_priority: false
+
+# Ignore host and forward all traffic without processing it. In
+# transparent mode, it is recommended to use an IP address (range), not
+# the hostname. In regular mode, only SSL traffic is ignored and the
+# hostname should be used. The supplied value is interpreted as a
+# regular expression and matched on the ip or the hostname. Type
+# sequence of str.
+ignore_hosts: []
+
+# Intercept filter expression. Type optional str.
+intercept:
+
+# Intercept toggle Type bool.
+intercept_active: false
+
+# Reverse Proxy: Keep the original host header instead of rewriting it
+# to the reverse proxy target. Type bool.
+keep_host_header: false
+
+# TLS key size for certificates and CA. Type int.
+key_size: 2048
+
+# Address to bind proxy to. Type str.
+listen_host: ''
+
+# Proxy service port. Type int.
+listen_port: 8080
+
+# Mode can be "regular", "transparent", "socks5", "reverse:SPEC", or
+# "upstream:SPEC". For reverse and upstream proxy modes, SPEC is host
+# specification in the form of "http[s]://host[:port]". Type str.
+mode: regular
+
+# Toggle the mitmproxy onboarding app. Type bool.
+onboarding: true
+
+# Onboarding app domain. For transparent mode, use an IP when a DNS
+# entry for the app domain is not present. Type str.
+onboarding_host: mitm.it
+
+# Port to serve the onboarding app from. Type int.
+onboarding_port: 80
+
+# Require proxy authentication. Format: "username:pass", "any" to accept
+# any user/pass combination, "@path" to use an Apache htpasswd file, or
+# "ldap[s]:url_server_ldap:dn_auth:password:dn_subtree" for LDAP
+# authentication. Type optional str.
+proxyauth:
+
+# Enable/disable experimental raw TCP support. TCP connections starting
+# with non-ascii bytes are treated as if they would match tcp_hosts. The
+# heuristic is very rough, use with caution. Disabled by default. Type
+# bool.
+rawtcp: false
+
+# Read only matching flows. Type optional str.
+readfile_filter:
+
+# Replacement patterns of the form "/pattern/regex/replacement", where
+# the separator can be any character. Type sequence of str.
+replacements: []
+
+# Read flows from file. Type optional str.
+rfile:
+
+# Stream flows to file as they arrive. Prefix path with + to append.
+# Type optional str.
+save_stream_file:
+
+# Filter which flows are written to file. Type optional str.
+save_stream_filter:
+
+# Execute a script. Type sequence of str.
+scripts: []
+
+# Start a proxy server. Enabled by default. Type bool.
+server: true
+
+# Replay server responses from a saved file. Type sequence of str.
+server_replay: []
+
+# Ignore request's content while searching for a saved flow to replay.
+# Type bool.
+server_replay_ignore_content: false
+
+# Ignore request's destination host while searching for a saved flow to
+# replay. Type bool.
+server_replay_ignore_host: false
+
+# Request's parameters to be ignored while searching for a saved flow to
+# replay. Type sequence of str.
+server_replay_ignore_params: []
+
+# Request's payload parameters (application/x-www-form-urlencoded or
+# multipart/form-data) to be ignored while searching for a saved flow to
+# replay. Type sequence of str.
+server_replay_ignore_payload_params: []
+
+# Ignore request's destination port while searching for a saved flow to
+# replay. Type bool.
+server_replay_ignore_port: false
+
+# Kill extra requests during replay. Type bool.
+server_replay_kill_extra: false
+
+# Don't remove flows from server replay state after use. This makes it
+# possible to replay same response multiple times. Type bool.
+server_replay_nopop: false
+
+# Refresh server replay responses by adjusting date, expires and last-
+# modified headers, as well as adjusting cookie expiration. Type bool.
+server_replay_refresh: true
+
+# Request headers to be considered during replay. Type sequence of str.
+server_replay_use_headers: []
+
+# Header set pattern of the form "/pattern/header/value", where the
+# separator can be any character. Type sequence of str.
+setheaders: []
+
+# Use the Host header to construct URLs for display. Type bool.
+showhost: false
+
+# Use the client's IP for server-side connections. Combine with
+# --upstream-bind-address to spoof a fixed source address. Type bool.
+spoof_source_address: false
+
+# Do not verify upstream server SSL/TLS certificates. Type bool.
+ssl_insecure: true
+
+# Path to a PEM formatted trusted CA certificate. Type optional str.
+ssl_verify_upstream_trusted_ca:
+
+# Path to a directory of trusted CA certificates for upstream server
+# verification prepared using the c_rehash tool. Type optional str.
+ssl_verify_upstream_trusted_confdir:
+
+# Set supported SSL/TLS versions for client connections. SSLv2, SSLv3
+# and 'all' are INSECURE. Defaults to secure, which is TLS1.0+. Valid
+# values are 'all', 'secure', 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1',
+# 'TLSv1_2'.
+ssl_version_client: secure
+
+# Set supported SSL/TLS versions for server connections. SSLv2, SSLv3
+# and 'all' are INSECURE. Defaults to secure, which is TLS1.0+. Valid
+# values are 'all', 'secure', 'SSLv2', 'SSLv3', 'TLSv1', 'TLSv1_1',
+# 'TLSv1_2'.
+ssl_version_server: secure
+
+# Set sticky auth filter. Matched against requests. Type optional str.
+stickyauth:
+
+# Set sticky cookie filter. Matched against requests. Type optional str.
+stickycookie:
+
+# Stream data to the client if response body exceeds the given
+# threshold. If streamed, the body will not be stored in any way.
+# Understands k/m/g suffixes, i.e. 3m for 3 megabytes. Type optional
+# str.
+stream_large_bodies:
+
+# Stream WebSocket messages between client and server. Messages are
+# captured and cannot be modified. Type bool.
+stream_websockets: false
+
+# Generic TCP SSL proxy mode for all hosts that match the pattern.
+# Similar to --ignore, but SSL connections are intercepted. The
+# communication contents are printed to the log in verbose mode. Type
+# sequence of str.
+tcp_hosts: []
+
+# Add HTTP Basic authentication to upstream proxy and reverse proxy
+# requests. Format: username:password. Type optional str.
+upstream_auth:
+
+# Address to bind upstream requests to. Type str.
+upstream_bind_address: ''
+
+# Connect to upstream server to look up certificate details. Type bool.
+upstream_cert: false
+
+# Limit the view to matching flows. Type optional str.
+view_filter:
+
+# Flow sort order. Valid values are 'time', 'method', 'url', 'size'.
+view_order: time
+
+# Reverse the sorting order. Type bool.
+view_order_reversed: false
+
+# Enable/disable WebSocket support. WebSocket support is enabled by
+# default. Type bool.
+websocket: true
+

launch

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+cd $(realpath --no-symlinks $(dirname $0))
+$(basename $0) --set confdir="./configuration" $*

mitmdump

@@ -0,0 +1 @@
+launch

mitmproxy

@@ -0,0 +1 @@
+launch

mitmweb

@@ -0,0 +1 @@
+launch

readme.md

@@ -0,0 +1,26 @@
+# mitmproxy-nintedo
+
+a package for intercepting traffic from nintendo consoles (currently only the 3ds)
+
+## prerequisites
+
+- a working mitmproxy install
+- the nintendo console to intercept traffic from
+- a *nix computer (macos, linux, maybe bsd)
+
+## usage
+
+- clone (or download) this repo to your computer
+- run one of the launcher scripts to launch a proxy server
+- configure your console to connect to the proxy
+- hope that it works
+
+## troubleshooting
+
+### my console says that it cannot do x!
+
+check the logs. does the proxy say that it is having a certificate issue?
+if so, go into the `client-certificate` directory of this repository and
+create a symbolic link to the `ctr-common-1.pem` file named
+`<nintendo domain that it cannot connect to>.pem` and try again. if this
+does not work, file an issue

unlicense.txt

@@ -0,0 +1,24 @@
+This is free and unencumbered software released into the public domain.
+
+Anyone is free to copy, modify, publish, use, compile, sell, or
+distribute this software, either in source code form or as a compiled
+binary, for any purpose, commercial or non-commercial, and by any
+means.
+
+In jurisdictions that recognize copyright laws, the author or authors
+of this software dedicate any and all copyright interest in the
+software to the public domain. We make this dedication for the benefit
+of the public at large and to the detriment of our heirs and
+successors. We intend this dedication to be an overt act of
+relinquishment in perpetuity of all present and future rights to this
+software under copyright law.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR
+OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
+ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
+OTHER DEALINGS IN THE SOFTWARE.
+
+For more information, please refer to <http://unlicense.org/>