Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage

• Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
• Upon completion, keys will be saved to /switch/prod.keys on SD
• If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)

Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues

• Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly

 

[Magicrafter13]

When I launch Lockpick_RCM.bin from hekate payloads menu (the one on this site, or various GitHub builds), it just launches into a black screen and does nothing until I press power, vol- or vol+, at which point Hekate loads again.

 

[impeeza]

When I launch Lockpick_RCM.bin from hekate payloads menu (the one on this site, or various GitHub builds), it just launches into a black screen and does nothing until I press power, vol- or vol+, at which point Hekate loads again.

try this, remove any other you have on SDMC:/bootloader/payloads, or anywhere on you SD card

 

[Magicrafter13]

try this, remove any other you have on SDMC:/bootloader/payloads, or anywhere on you SD card

No different.

 

[impeeza]

which console do you have, which injection method?

 

[Magicrafter13]

which console do you have, which injection method?

Launch model. Joycon pin bridge (auto RCM now).

 

[impeeza]

Launch model. Joycon pin bridge (auto RCM now).

what if your inject directly the lockpick payload at startup instead of hekate?

 

[Magicrafter13]

what if your inject directly the lockpick payload at startup instead of hekate?

That worked, thank you.

 

[TdogEN]

try this, remove any other you have on SDMC:/bootloader/payloads, or anywhere on you SD card

was wracking my brain trying to find this file (all of the links ive followed just take me to the master file and i have no idea how to compile files and such) TYSM! also Happy New Years

 

[Nynrah]

Does Lockpick_RCM still work on the latest Atmosphere and firmware (19.0.1)? Considering the Github repo was aken down by Nintendo, it's not clear to me. If I can't use Lockpick_RCM for this anymore, what alternatives are available to extract my keys from my Switch?

 

[Blythe93]

Does Lockpick_RCM still work on the latest Atmosphere and firmware (19.0.1)? Considering the Github repo was aken down by Nintendo, it's not clear to me. If I can't use Lockpick_RCM for this anymore, what alternatives are available to extract my keys from my Switch?

The one impeeza posted a few posts above yours should work on 19.0.1 if you inject it directly and allow you to extract your keys.

 

[Nynrah]

The one impeeza posted a few posts above yours should work on 19.0.1 if you inject it directly and allow you to extract your keys.

I see... I'll have to try it out soon. Thanks.

 

[urherenow]

And if you don't require your console-specific keys (such as... you just need the keys to extract and install things with tinfoil, DBI, etc... OR you already have your keys and just need the latest from new firmware) Then the last release of IPS_Patch_Creator will spit out the new keys simply by pointing it to the firmware files.

 

[Nynrah]

And if you don't require your console-specific keys (such as... you just need the keys to extract and install things with tinfoil, DBI, etc... OR you already have your keys and just need the latest from new firmware) Then the last release of IPS_Patch_Creator will spit out the new keys simply by pointing it to the firmware files.

I just gave this a try because it seemed easier. It spit out a keys.dat file, but not a title.keys and prod.keys. Maybe I'm expectating the wrong thing here, but those two files were what I was trying to produce in the hope it'd get my Switch Backup Manager to see the few games it just won't show (like Donkey Kong Country Returns HD). Am I using the wrong tool in this case? I always thought Lockpick_RCM was used to produce these two files and by proxy thought IPS Patch Creator could also do this.

 

[urherenow]

I just gave this a try because it seemed easier. It spit out a keys.dat file, but not a title.keys and prod.keys. Maybe I'm expectating the wrong thing here, but those two files were what I was trying to produce in the hope it'd get my Switch Backup Manager to see the few games it just won't show (like Donkey Kong Country Returns HD). Am I using the wrong tool in this case? I always thought Lockpick_RCM was used to produce these two files and by proxy thought IPS Patch Creator could also do this.

The keys it spits out are the prod.keys. You can rename the file, or copy and paste the keys you need from it. You can view it in a regular text editor like notepad. I like using notepad++ myself...

Or, you can just copy and paste them from the KeyData window. Title keys are irrelevant. If they are on your system, then they're on your system, and if they aren't, you need sys-patch or sigpatches working (to bypass the key check entirely). Emulators don't care about them, that I know of.

 

[Zoria]

Hello
LockPick_RCM 20.0.0
I'm very bad at making this kind of support, the modification on the source code must not be very pretty but at least it works

 

[Muxi]

@Zoria I noticed that a lot of entries are missing after reading the keys via your Lockpick_RCM version. The following entries, which were still included in the previous version, are missing:
key_area_key_application 06-12 (13)
key_area_key_ocean 06-12 (13)
key_area_key_system 06-12 (13)
master_key 06-12 (13)
package1_key 06-12 (13)
package2_key 06-12 (13)
titlekey 06-12 (13)

 

[Zoria]

Ah, that's strange, I am

 

[slimeinacloak]

The version Zoria posted works for me as expected, no missing keys. Same as previously but includes the 9 "_13" keys

 

[Muxi]

Here is the proof that the keys from the 20.0.0 sysMMC are not being read properly. I have read them out via an Erista v1.

 

[linuxares]

So they've added new keys?