KutaroKazuki 7a9b542c36
Update network_mitm/include/networkmitm_version.h
2026-05-31 10:16:28 +02:00
.forgejo/workflows initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00
Atmosphere-libs initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00
network_mitm Update network_mitm/include/networkmitm_version.h 2026-05-31 10:16:28 +02:00
.gitignore initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00
.gitmodules initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00
ca.pem initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00
LICENSE initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00
Makefile initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00
network_mitm.ini initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00
README.md initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00
server.key initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00
server.pem initial commit: network_mitm sysmodule 2026-05-21 11:06:15 +02:00

network_mitm

Nintendo Switch Network MITM sysmodule.

network_mitm allows you to:

  • Domain Swap: Redirect Nintendo server domains to your private servers (SSL hostname replacement before TLS handshake)
  • Traffic Dump: Capture decrypted SSL traffic (NEX, etc.) in PCAP files
  • Certificate MITM: Replace NintendoClass2CAG3 CA with a user-provided one (useful for NPLN traffic capture)
  • SSL Verification Bypass: Disable SSL certificate validation (DANGEROUS, but required for private servers)

Features

Domain Swap (New!)

The domain swap feature intercepts SSL SetHostName calls and replaces Nintendo hostnames with your private server domains before the TLS handshake. This allows the Switch to connect to your servers while thinking it's talking to Nintendo.

How it works:

  1. Switch calls ssl:SetHostName("accounts.nintendo.com")
  2. network_mitm intercepts the call and replaces the hostname with account.it-geek.at
  3. TLS handshake happens with your server
  4. Your server presents a valid certificate for account.it-geek.at
  5. Switch accepts the connection (with enable_ssl_client_disable_verification = 1)

Configuration file: network_mitm.ini on the SD card root

Supported mappings:

  • Exact match: accounts.nintendo.com → account.it-geek.at
  • Wildcard: *.lp1.s.n.srv.nintendo.net → nex.it-geek.at (preserves subdomain)

SSL Traffic Dump

Dumps decrypted SSL traffic to PCAP files on the SD card. Useful for debugging protocol implementations.

Certificate Replacement

Replace Nintendo's root CA with your own. Required for full MITM of encrypted traffic.

Configuration

System Settings (/atmosphere/config/system_settings.ini)

; network_mitm config
[network_mitm]
; Enable SSL MITM (required for all features)
enable_ssl = u8!0x1

; Enable MITM for all processes (including system titles)
should_mitm_all = u8!0x1

; Disable SSL certificate verification (DANGEROUS, but required for private servers)
; When enabled, the Switch accepts any certificate (including self-signed)
should_disable_ssl_verification = u8!0x1

; Custom CA certificate for MITM (PEM format, placed at SD root)
; custom_ca_public_cert = str!rootCA.pem

; Enable/disable SSL traffic dump to PCAP files
; should_dump_ssl_traffic = u8!0x1

; PCAP link type: "ethernet", "ip", or "user"
; pcap_link_type = str!user

Domain Swap Config (/sdcard/network_mitm.ini)

; network_mitm Domain Swap Configuration
; Place this file at the root of your SD card as: network_mitm.ini
;
; Format: [mappings] section with key=value pairs
;   key   = original Nintendo domain
;   value = your private server domain
;
; Wildcards (*) match any subdomain prefix:
;   *.lp1.s.n.srv.nintendo.net = *.nex.it-geek.at
;   "2B309E01.lp1.s.n.srv.nintendo.net" → "2B309E01.nex.it-geek.at"

[mappings]
; Account Server (OAuth login)
accounts.nintendo.com=account.it-geek.at
api.accounts.nintendo.com=account.it-geek.at

; DAuth (Device Authentication)
dauth-lp1.ndas.srv.nintendo.net=baas.it-geek.at

; AAuth (Application Authentication)
aauth-lp1.ndas.srv.nintendo.net=baas.it-geek.at

; BAAS (User Authentication)
e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com=baas.it-geek.at
m-lp1.baas.nintendo.com=baas.it-geek.at

; Friends Server
api-lp1.frs.srv.nintendo.net=friends.it-geek.at

; NEX Game Servers (wildcard: any game server ID)
*.lp1.s.n.srv.nintendo.net=nex.it-geek.at
; P2P Relay Servers (wildcard)
*.lp1.r.n.srv.nintendo.net=nex.it-geek.at

; BCAT Content Delivery
bcat-topics-lp1.cdn.nintendo.net=bcat.it-geek.at
bcat-list-lp1.cdn.nintendo.net=bcat.it-geek.at
bcat-data-lp1.cdn.nintendo.net=bcat.it-geek.at

; Legacy domains
nex.nintendowifi.net=nex.it-geek.at
account.nintendo.net=account.it-geek.at

If no config file is found, a default mapping is loaded:

  • nex.nintendowifi.net → nex.it-geek.at
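
The exact and wildcard mapping rules above, worked through in C++ as an added example (not code from the network_mitm repository). The function names, the case-insensitive key comparison and the exact-before-wildcard order are assumptions; the README specifies only the file format and the prefix-preserving result.

```cpp
// Added illustration; not code from the network_mitm repository. Assumed rules:
// keys compare case-insensitively, exact keys beat wildcards, "*." keeps the prefix.
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
using Mappings = std::map<std::string, std::string>;
const char *kSampleIni =  // constructed from entries shown in the README
    "[mappings]\naccounts.nintendo.com=account.it-geek.at\n"
    "; wildcard rule\n*.lp1.s.n.srv.nintendo.net = *.nex.it-geek.at\n";
static std::string Lower(std::string s) {
    for (char &c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}
// Read key=value pairs from [mappings]; ';' lines and other sections are skipped.
Mappings ParseMappings(const std::string &ini) {
    Mappings out;
    std::istringstream in(ini);
    bool active = false;
    for (std::string line; std::getline(in, line);) {
        line.erase(std::remove_if(line.begin(), line.end(),  // hostnames hold no spaces
                   [](unsigned char c) { return std::isspace(c) != 0; }), line.end());
        if (line.empty() || line[0] == ';') continue;
        if (line[0] == '[') { active = Lower(line) == "[mappings]"; continue; }
        const std::size_t eq = line.find('=');
        if (active && eq != std::string::npos)
            out[Lower(line.substr(0, eq))] = line.substr(eq + 1);
    }
    return out;
}
// Return the swapped hostname, or the input unchanged when no rule applies.
std::string ResolveHost(const Mappings &m, const std::string &host) {
    const std::string h = Lower(host);
    if (m.count(h)) return m.at(h);
    for (const auto &rule : m) {
        if (rule.first.compare(0, 2, "*.") != 0) continue;
        const std::string suffix = rule.first.substr(1);  // keeps the leading dot
        const std::size_t n = suffix.size();               // prefix must be non-empty
        if (h.size() <= n || h.compare(h.size() - n, n, suffix) != 0) continue;
        const std::string &to = rule.second;
        return host.substr(0, h.size() - n) + "." + (to.compare(0, 2, "*.") == 0 ? to.substr(2) : to);
    }
    return host;
}
int main() {  // prints 2B309E01.nex.it-geek.at
    std::cout << ResolveHost(ParseMappings(kSampleIni), "2B309E01.lp1.s.n.srv.nintendo.net") << "\n";
}
```

Because the wildcard suffix keeps its leading dot, a name such as foo-lp1.s.n.srv.nintendo.net or the bare lp1.s.n.srv.nintendo.net is left unchanged in this sketch.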

Setup Guide

Prerequisites

  1. Atmosphère CFW installed on your Switch
  2. Private servers running (Account, BAAS, NEX, Friends, etc.)
  3. Nginx Proxy Manager or similar for TLS termination
  4. Valid TLS certificates for your domains (Let's Encrypt)

Step 1: Build the Sysmodule

# With Docker
docker compose up --build

# Without Docker (requires devkitPro)
make

Step 2: Install on Switch

Copy the built files to your SD card:

sd:/atmosphere/contents/4200000000000666/exefs/main.nsp
sd:/atmosphere/contents/4200000000000666/flags/boot2.flag
sd:/atmosphere/contents/4200000000000666/mitm.lst

Or simply copy the contents of the release zip to your SD card root.

Step 3: Configure System Settings

Add to /atmosphere/config/system_settings.ini:

[network_mitm]
enable_ssl = u8!0x1
should_mitm_all = u8!0x1
should_disable_ssl_verification = u8!0x1

Important: should_mitm_all = u8!0x1 is required for domain swap to work with system services like Account Login, DAuth, AAuth, and BAAS. Without it, only user applications (games) are intercepted.

| Setting | Description |
|---|---|
| enable_ssl | Enable SSL MITM (required for all features) |
| should_mitm_all | MITM all processes including system titles (required for Account/DAuth/AAuth/BAAS) |
| should_disable_ssl_verification | Accept any certificate (required for private servers with custom CA) |

Step 4: Create Domain Swap Config

Create /sdcard/network_mitm.ini with your domain mappings (see above).

Step 5: Disable SSL Verification (Atmosphère)

Add to /atmosphere/config/system_settings.ini:

[ssl]
enable_ssl_client_disable_verification = u8!0x1

Step 6: Reboot

Reboot your Switch. The sysmodule will load automatically and intercept SSL connections.

Troubleshooting

Check if sysmodule is running

# Check logs on SD card
cat /atmosphere/logs/network_mitm_observer.log

Common Issues

| Issue | Solution |
|---|---|
| SSL connection fails | Ensure should_disable_ssl_verification = u8!0x1 |
| Domain not swapped | Check network_mitm.ini syntax and path |
| Account/DAuth/BAAS not working | Enable should_mitm_all = u8!0x1 (system services need this) |
| No PCAP files | Enable should_dump_ssl_traffic = u8!0x1 |
| System crashes | Disable should_mitm_all to MITM only user titles |

Building

Make sure that the submodules are initialized and up to date.

git submodule update --init --recursive

With Docker

  1. Install Docker and docker compose (or docker-compose).
  2. Run docker compose up --build (or docker-compose up --build).

Without Docker

  1. Install devkitPro and the following dependencies:

    • switch-dev
    • switch-mbedtls
    • switch-libjpeg-turbo
    • libnx (Currently requires master branch)
  2. Run the make command.

Licensing

This software is licensed under the terms of the GPLv2.

You can find a copy of the license in the LICENSE file.