Update March 4 2019:
Due to changes in firmware 7.0.0 dumping new keys from homebrew is infeasible. Check out the RCM payload that can dump the new keys, Lockpick_RCM!
Purpose:
To obtain a key set for manipulation of Nintendo Switch file formats, particularly for use in tools that require it, whether that's hactool, hactoolnet/libhac, title management software, xci -> nsp converters, ChoiDujour (PC), etc.
Background:
In the process of fixing kezplez earlier this year, I decided to do a ground-up rewrite with a lot of support from the community. It's heavily optimized and gets all possible keys in <1 second as of Firmware 6.2.0. It can also dump titlekeys! This may take longer, depending on how many titles you have installed.
How to use:
Notes:
Screenshot:
Source: https://github.com/shchmue/Lockpick
Release: https://github.com/shchmue/Lockpick/releases
GBATemp download center xref: https://gbatemp.net/download/lockpick.35298/
Troubleshooting:
Due to changes in firmware 7.0.0 dumping new keys from homebrew is infeasible. Check out the RCM payload that can dump the new keys, Lockpick_RCM!
Purpose:
To obtain a key set for manipulation of Nintendo Switch file formats, particularly for use in tools that require it, whether that's hactool, hactoolnet/libhac, title management software, xci -> nsp converters, ChoiDujour (PC), etc.
Background:
In the process of fixing kezplez earlier this year, I decided to do a ground-up rewrite with a lot of support from the community. It's heavily optimized and gets all possible keys in <1 second as of Firmware 6.2.0. It can also dump titlekeys! This may take longer, depending on how many titles you have installed.
How to use:
- Use Hekate to dump TSEC and fuses:
- Push hekate payload bin using TegraRCMSmash/TegraRCMGUI/modchip/injector
- Using the VOL and Power buttons to navigate, select "Console info..."
- Select "Print fuse info"
- Press Power to save fuse info to SD card
- Select "Print TSEC keys"
- Press Power to save TSEC keys to SD card
- Launch CFW of choice
- Open Homebrew Menu
- Run Lockpick
- Use the resulting prod.keys file as needed and rename if required
Notes:
- To get keys ending in 00-06, you must have firmware 6.2.0 installed. All other versions will dump all keys ending in 00-05.
- No one knows package1_key_06, it's derived and erased fully within the encrypted TSEC payload. While there's a way to extricate tsec_root_key due to the way it's used, this is unfortunately not true of the package1 key.
- If for some reason you dump TSEC keys on 6.2.0 and not fuses (secure_boot_key) you will still get everything except any of the package1 or keyblob keys (without SBK, you can't decrypt keyblobs and that's where package1 keys live).
- The max keys this can get right now is 120, but don't worry too much about the exact number, not all of those are actually useful for most purposes. If you're missing any particular ones you want just let me know.
- ChoiDujour will complain about extra keys and fail. for this just provide a key file edited to contain only the following:
- master_key_00 = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- master_key_01 = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- [... all master_keys through the latest one required by the firmware you're trying to install]
- header_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- aes_kek_generation_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- aes_key_generation_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- key_area_key_application_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXX
- key_area_key_ocean_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- key_area_key_system_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXX
- package2_key_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXX
Screenshot:
Source: https://github.com/shchmue/Lockpick
Release: https://github.com/shchmue/Lockpick/releases
GBATemp download center xref: https://gbatemp.net/download/lockpick.35298/
Troubleshooting:
- Error: You didn't get the 06 keys even though you did your Hekate dumps on firmware 6.2.0
- Reason: Lockpick wasn't given tsec_root_key
- Cause 1: the only 6.2.0 firmware you have is on SX emunand, which does not currently offer a way to dump that key. The ball is in their court on this.
- Cause 2: Hekate didn't overwrite your existing TSEC dump. Delete your /backup/<hex number>/dumps/ folder from SD and re-dump TSEC and fuse info with Hekate version 4.5 or later before re-running Lockpick.
- Reason: Lockpick wasn't given tsec_root_key
- Error: "No titlekeys found. Either you've never played or installed a game or dump failed."
- Reason: unable to dump titlekeys
- Cause 1: there are no titlekeys to dump because you have never played or installed a game
- Cause 2: Lockpick was unable to derive the eticket_rsa_kek which is required for titlekey decryption
- Subcause 1: Lockpick saved limited key set and is missing master_key_00, fix your Hekate dumps
- Reason: unable to dump titlekeys
- Error: "Warning: Saving limited keyset. Dump Tegra keys with payload and run again to get all keys."
- Reason: Lockpick can't find your TSEC and SBK dump files
- Cause 1: you viewed the TSEC and fuse info in Hekate but didn't save both to SD card
- Cause 2: your SD card has corrupt sectors and needs reformatting
- Cause 3: your SD card is counterfeit and acts like it's saving files but isn't
- Reason: Lockpick can't find your TSEC and SBK dump files
Attachments
Last edited by shchmue,
