This is a mitmproxy script for safecerthax. You can use it to spoof official 3DS NUS servers and exploit safecerthax only on O3DS/2DS SAFE_FIRM to run SafeB9SInstaller.

For more information on safecerthax, please visit the safecerthax website.

Note: this repository only contains the python script for mitmproxy, please check out the safecerthax repository for the actual exploit code.

• Python 3
• mitmproxy

To start the proxy server, run the following command:

mitmproxy -s safecerthax.py \
  -s tls_whitelist.py \
  --certs c.shop.nintendowifi.net=<*.c.shop.nintendowifi.net_fake_certificate> \
  --certs cdn.nintendo.net=<*.cdn.nintendo.net_fake_certificate> \
  --set client_certs=<client_certificate> \
  --ssl-insecure \
  --set relax_http_form_validation \
  --set certhax_payload=<safecerthax_binary> \
  --set arm9_payload=<kernelhaxcode_3ds_binary> \
  --set tls_version_client_min=TLS1

With:

• fake_certificate: the path to your fake certificate (in PEM format) created with SSLoth that mimics the certificate for *.c.shop.nintendowifi.net and *.cdn.nintendo.net domains.
• client_certificate: the path to the ClCertA ctr-common-1-cert (in PEM format).
• safecerthax_binary: the path to the safecerthax.bin binary file.
• kernelhaxcode_3ds_binary: the path to the kernelhaxcode_3ds.bin binary file.

This will start the safecerthax proxy on port 8080.

Follow these steps:

1. Put the SafeB9SInstaller.bin at the root of your SD card.
2. In the system settings, edit your network configuration to add the proxy server (IP of your computer + port 8080).
3. Reboot in recovery mode (press L+R+Up+A at startup).
4. Confirm you want to update.
5. An error message should pop up. Close it.
6. The exploit should run and launch SafeB9SInstaller.