Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD, or else only keyblob master key derivation is possible (i.e., up to master_key_05 only)
Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch the payload directly
 

So they've added new keys?
Yes, but they are incomplete in my case. I only have new keys for:

mariko_master_kek_source_13
master_kek_13
master_kek_source_13

In addition, many entries that were still read out under the previous version are missing.
 
Here is the proof that the keys from the 20.0.0 sysMMC are not being read correctly. I read them out via an Erista v1.


I've got a Switch Lite, which is probably why I don't have any problems of my own.
I saw that 2 SciresM offsets had been corrected by borntohonk, if it's indeed a mistake I'd redo a version of LockPick_RCM with the right offsets that would work for Erista.
 
@Zoria Under Lockpick_RCM version 1.9.13, “233” keys were read out on my Erista with FW 19.0.1. If I see this correctly, and apart from the key generation 13 keys under the new Lockpick_RCM version for FW 20.0.0 no other keys are read out, it should then be “242” keys.

There are 9 key entries that end with 12, and therefore key generation 13 must be added.
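As an added example (not code from Lockpick_RCM or from anyone in this thread), a small Python checker for the `name = hex` format that prod.keys uses: it parses a dump and reports key families that have a generation-N entry (e.g. `_12`) but no generation-N+1 entry, which is the gap being counted above. The sample file content and its hex values are constructed placeholders, not real keys.

```python
import re
from collections import defaultdict

# Constructed sample in prod.keys layout ("name = hex" per line).
# Values are zero-padded placeholders, not real Switch key material.
SAMPLE_PROD_KEYS = """\
master_kek_source_12 = 00000000000000000000000000000012
master_kek_source_13 = 00000000000000000000000000000013
master_kek_12 = 000000000000000000000000000000a2
master_kek_13 = 000000000000000000000000000000a3
master_key_12 = 000000000000000000000000000000b2
titlekek_12 = 000000000000000000000000000000c2
titlekek_source = 0000000000000000000000000000ffff
"""

# Key generations in prod.keys are two hex digits after a trailing underscore
# (master_key_0a ... master_key_13); names like titlekek_source do not match.
GEN_RE = re.compile(r"^(?P<base>.+)_(?P<gen>[0-9a-f]{2})$")


def parse_prod_keys(text):
    """Parse 'name = hex' lines into a dict, rejecting malformed values."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'name = hex'")
        value = value.strip()
        if len(value) % 2 or not all(c in "0123456789abcdef" for c in value):
            raise ValueError(f"line {lineno}: value is not even-length lowercase hex")
        keys[name.strip()] = value
    return keys


def missing_generations(keys, latest_gen):
    """Names present for generation latest_gen-1 but absent for latest_gen."""
    families = defaultdict(set)
    for name in keys:
        m = GEN_RE.match(name)
        if m:
            families[m.group("base")].add(int(m.group("gen"), 16))
    prev = latest_gen - 1
    return sorted(f"{base}_{latest_gen:02x}" for base, gens in families.items()
                  if prev in gens and latest_gen not in gens)
```

Running `missing_generations(parse_prod_keys(SAMPLE_PROD_KEYS), 0x13)` on the sample lists `master_key_13` and `titlekek_13` as the entries a generation-13 dump should still contain.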
 
Hello
LockPick_RCM 20.0.0
I'm very bad at making this kind of support, the modification on the source code must not be very pretty but at least it works 😓

Here is the proof that the keys from the 20.0.0 sysMMC are not being read properly. I have read them out via an Erista v1.


I've got a Switch Lite, which is probably why I don't have any problems of my own.
I saw that 2 SciresM offsets had been corrected by borntohonk, if it's indeed a mistake I'd redo a version of LockPick_RCM with the right offsets that would work for Erista.

Yes, I used this as a basis for modifying LockPick, and I may have figured out what was wrong, but I'm still checking.
Hello there. First of all, thanks a lot @Zoria for all your work and effort. With the LockPick you posted I had the same error on my Erista V1 Unpatched.

I have a SysNAND UNTOUCHED SINCE I BOUGHT THE CONSOLE, so it has no titles and is on FW 4.1; I also have an EmuNAND on FW 19.0.1 with several titles.

I changed the code (it is attached to the post) and now dumping keys from EmuNAND works fine, but «ssl_rsa_key» is not dumped (that key has never been dumped in the past).


However, dumping the keys for SysNAND starts and then the process jumps to the main screen without dumping any key, and trying to reboot to hekate after that you get the error (sorry, I tried for a long time and was not able to focus the screen with my phone):

hekate exception occurred (LR 40015786);
DABRT
Press any key...

Using trial and error I determined that the offending key for my SysNAND is «titlekek_source»: commenting out line 643 of the "source/keys/keys.c" file (with the content «SAVE_KEY(titlekek_source);») generates a payload which dumps the prod.keys file without problem on my SysNAND and reboots to hekate without error.

The strange thing is using the previous version of LockPick my SysNAND export ALL the keys without problem. Please tell me how can I help to diagnose this strange problem.

The changes I made to your code were:

On «source\hos\hos.h»
  • I removed some commented definitions

On «source\keys\crypto.h»
  • I corrected the values of «Production Device Master Kek Sources»
  • added some comments to find the values easily in Atmosphère's files
  • removed a leading space on line 94
  • removed the extra line 101, which was the correct values of «Production Device Master Kek Sources» above
  • removed some commas after the last array member on some definitions.
On «source\keys\key_sources.inl»
  • Added some comments to find the values in Atmosphère's files
  • Corrected the values for «EristaMasterKekSource»
  • Removed line 95; I couldn't find those values in any Atmosphère source files from version 0.7.0.0 to the latest commit for FW 20. Please let me know if that line is really needed as is for Mariko, as I do not have a Mariko console.
  • Also removed some commas after the last array member on some definitions.
 


Something is wrong: I compiled from the source code adding the new missing keys, and I get the same result.
Note: 6 titles.
I am calmly trying to recheck for any errors, even if I think I did everything correctly.
Can the fact that Hekate is not updated compromise the reading of the new keys?
 

Something is wrong: I compiled from the source code adding the new missing keys, and I get the same result.
Note: 6 titles.
I am calmly trying to recheck for any errors, even if I think I did everything correctly.
Can the fact that Hekate is not updated compromise the reading of the new keys?
Hello there, please remember this is an English-only forum.

Something is wrong: I compiled from the source code adding the new missing keys, and I get the same result.
Note: 6 titles.
I am calmly trying to recheck for any errors, even if I think I did everything correctly.
Can the fact that Hekate is not updated compromise the reading of the new keys?
Yes, the post before yours has code which is WIP and so far works on Erista consoles. We are waiting for Zoria's comments about these changes. Try the payload on the post before yours.
 
@impeeza Thanks for your modification! Apparently all keys are now read from the sysNand (Found 242 prod keys), but Lockpick freezes and can no longer be closed or exited.
 
I don't have an Erista any more, but we're experiencing the same malfunction with community members.

I really don't know where the interim code which worked on the SysNAND ended up. I really made almost 150 builds and I don't know when I broke everything. I suppose tomorrow morning I will try again (it's 3 am for me). So far it only works for EmuNAND and dumps all keys. Sorry guys, I must be so tired that I messed up everything.
 
Here is the screenshot of the frozen tool. On the second attempt, the Lockpick_RCM screen popped up briefly and was reloaded without anything happening.

In the end, the keys were not saved on the SD card either.
 

Arrrggg, I really do not know what I did! After ejecting the SD card, putting it back in the console and using the attached payload, I was able to dump SysNAND keys!!! I am losing it,

Please test the attached files and let me know how it goes for you.

good night mates.
 
