
Lockpick Version 1.2

In the process of fixing kezplez earlier this year, I decided to do a ground-up rewrite with a lot of support from the community. It's heavily optimized and gets all possible keys in <1 second as of Firmware 6.2.0. It can also dump titlekeys! This may take longer, depending on how many titles you have installed.

Note that, as of right now, the ES sysmodule has to be intentionally crashed to dump titlekeys, which is why that step is optional: any games launched afterwards will crash until you reboot the console.

How to use:
  1. Use Hekate to dump TSEC and fuses:
    1. Push hekate payload bin using TegraRCMSmash/TegraRCMGUI/modchip/injector
    2. Using the VOL and Power buttons to navigate, select "Console info..."
    3. Select "Print fuse info"
    4. Press Power to save fuse info to SD card
    5. Select "Print TSEC keys"
    6. Press Power to save TSEC keys to SD card
  2. Launch CFW of choice
  3. Open Homebrew Menu
  4. Run Lockpick
  5. Use the resulting prod.keys file as needed and rename it if required

Alternatively, you can use biskeydump and dump to SD to get all keys prior to the 6.2.0 generation, that is, all keys up to those ending in 05. That tool dumps all keys up to that point regardless of which firmware it's run on.

Notes:
  • To get keys ending in 06, you must have firmware 6.2.0 installed
  • No one knows package1_key_06; it's derived and erased fully within the encrypted TSEC payload. While there's a way to extract tsec_root_key due to the way it's used, this is unfortunately not true of the package1 key
  • If for some reason you dump TSEC keys on 6.2.0 but not fuses (secure_boot_key), you will still get everything except the package1 and keyblob keys (without the SBK you can't decrypt keyblobs, and that's where the package1 keys live)

Screenshots: dumpwithtitlekeys.jpg

Source: https://github.com/shchmue/Lockpick

Troubleshooting:
  • Error: "Dumping titlekeys... Failed. Reboot and try again!"
    • Reason: unable to dump titlekeys
      • Cause 1: there are no titlekeys to dump because you have never played or installed a game
      • Cause 2: Lockpick was unable to get the eticket_rsa_kek which is required for titlekey decryption
        • Subcause 1: you dumped titlekeys twice without rebooting; this does not currently work
        • Subcause 2: Lockpick saved a limited key set and is missing master_key_00; fix your Hekate dumps

  • Error: "Warning: Saving limited keyset. Dump Tegra keys with payload and run again to get all keys."
    • Reason: Lockpick can't find your TSEC and SBK dump files
      • Cause 1: you viewed the TSEC and fuse info in Hekate but didn't save both to SD card
      • Cause 2: your SD card has corrupt sectors and needs reformatting
      • Cause 3: your SD card is counterfeit and acts like it's saving files but isn't
Author: shchmue
Downloads: 1,673
Views: 3,369
Rating: 4.17 star(s), 6 ratings

Latest updates

  1. Libnx v2.0.0 compatibility and key speedup
     Update for libnx v2.0.0 compatibility; still runs when built with v1.6.0. The binary got even...
  2. Major update, titlekey dumping no longer needs reboot!
     Changed titlekey dump methodology. No longer crashes sysmodule, reboot no longer needed. Queries...

Latest reviews

Thanks for this utility, helped me a lot.