Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, the Lockpick homebrew can no longer derive the latest keys. In the boot-time environment, however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip, containing both sept-primary.bin and sept-secondary.enc, must be present on SD; otherwise only keyblob master key derivation is possible (i.e. up to master_key_05 only)
Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code; please launch the payload directly
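As an added example (not part of Lockpick_RCM or this thread), a small Python checker for the /switch/prod.keys file the usage notes describe: it parses the `name = hex` lines, rejects malformed ones, and reports whether the highest master key stops at master_key_05, the cap the usage note gives for a 7.x console dumped without /sept/. The sample file and its values are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the "name = hex" layout that Lockpick_RCM writes to
# /switch/prod.keys (hactool keyset format). Values are placeholders only.
SAMPLE_PROD_KEYS = """\
master_key_00 = 00000000000000000000000000000000
master_key_01 = 01010101010101010101010101010101
master_key_05 = 05050505050505050505050505050505
tsec_key = 0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a
header_key = 0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c
broken_line = zz
"""

LINE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)$")
MASTER_RE = re.compile(r"^master_key_([0-9a-fA-F]{2})$")


def parse_prod_keys(text: str) -> Tuple[Dict[str, bytes], List[str]]:
    """Parse 'name = hex' lines into bytes; collect lines that do not fit."""
    keys: Dict[str, bytes] = {}
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m is None or len(m.group(2)) % 2:  # not hex, or odd digit count
            rejected.append(line)
            continue
        keys[m.group(1)] = bytes.fromhex(m.group(2))
    return keys, rejected


def highest_master_key(keys: Dict[str, bytes]) -> int:
    """Highest master_key_XX index present, or -1 if there is none."""
    found = [int(m.group(1), 16) for m in map(MASTER_RE.match, keys) if m]
    return max(found, default=-1)


def check_dump(text: str) -> Dict[str, object]:
    """Summarise a dump: key count, highest master key, odd-sized keys."""
    keys, rejected = parse_prod_keys(text)
    top = highest_master_key(keys)
    return {
        "key_count": len(keys),
        "highest_master_key": top,
        # Per the usage note, keyblob-only derivation stops at master_key_05,
        # so a 7.x dump that ends there was most likely made without /sept/.
        "stops_at_05": top <= 5,
        "wrong_size": [k for k, v in keys.items() if len(v) not in (16, 32)],
        "rejected_lines": rejected,
    }
```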

c0013r

from this tool? are you using the latest version?

Yes, using this tool in "payload" mode (Lockpick-RCM v1.1.1) gives the error "ERROR FFFFFFFF dumping TSEC"

Trying to dump TSEC with Hekate (latest version) gives these lines:

Found pkg1 (`20181107105733`)
TSEC key: ERROR FFFFFFFF.

Some "history" of my switch.

- Used SX OS from the start
- From 5.1 to 6.2 was updated with saved fuses (now I have 6 burnt, update was done with ChoiDujourNX through atmosphere)
- I have Auto-RCM from ChoiDujourNX
- Now I want to move to atmosphere, but can't launch (want TSEC keys)
- Other "dumps" from Hekate work fine
- SX OS is working without errors now

P.S. I don't use emunand

shchmue (OP)
Yes, using this tool in "payload" mode (Lockpick-RCM v1.1.1) gives the error "ERROR FFFFFFFF dumping TSEC"

Trying to dump TSEC with Hekate (latest version) gives these lines:

Found pkg1 (`20181107105733`)
TSEC key: ERROR FFFFFFFF.

Some "history" of my switch.

- Used SX OS from the start
- From 5.1 to 6.2 was updated with saved fuses (now I have 6 burnt, update was done with ChoiDujourNX through atmosphere)
- I have Auto-RCM from ChoiDujourNX
- Now I want to move to atmosphere, but can't launch (want TSEC keys)
- Other "dumps" from Hekate work fine
- SX OS is working without errors now

P.S. I don't use emunand
Are you chainloading hekate/lockpick_rcm from SX injector or whatever their software is? IIRC they do something like leave CCPLEX enabled in their hardware init code that makes it impossible to query the TSEC again in subsequent payloads. If that's the case, try injecting directly, if not, let me know.
 

mattytrog

Are you chainloading hekate/lockpick_rcm from SX injector or whatever their software is? IIRC they do something like leave CCPLEX enabled in their hardware init code that makes it impossible to query the TSEC again in subsequent payloads. If that's the case, try injecting directly, if not, let me know.

I really, really hope you don't mind, but a while ago I integrated your brilliant payload into my Hekate mod that I use for modchips.

I never even thought to double-check it was OK with you. Sorry about that! I've credited you, obviously.

c0013r

Are you chainloading hekate/lockpick_rcm from SX injector or whatever their software is? IIRC they do something like leave CCPLEX enabled in their hardware init code that makes it impossible to query the TSEC again in subsequent payloads. If that's the case, try injecting directly, if not, let me know.
It works! Thank you! :-)
 

almmiron

My console is on 8.0.1, never hacked before, and I was told to come here. I have an RCM loader, and with my Switch in RCM mode it won't load any payload, still a black screen. I inserted Lockpick, renamed to payload.bin as the RCM loader says, have the proper files on SD, but nothing happens. Only a black screen.

EDIT: Dumbest thing: the USB-C was not properly connected.

peteruk

What is the correct location to store our prod.keys? Is it the root of the card or in the Switch folder?

Also, should it be renamed keys.dat?

Sorry, but I'm seeing different people saying different things, so I wanted to get it clarified please... I've also seen some people suggesting the keys file needs to be inside the Tinfoil & Goldleaf folders too.

If somebody could clear this all up I'd appreciate it - thank you! Just trying to tidy up my SD card.
 

Draxzelex

What is the correct location to store our prod.keys? Is it the root of the card or in the Switch folder?

Also, should it be renamed keys.dat?

Sorry, but I'm seeing different people saying different things, so I wanted to get it clarified please... I've also seen some people suggesting the keys file needs to be inside the Tinfoil & Goldleaf folders too.

If somebody could clear this all up I'd appreciate it - thank you! Just trying to tidy up my SD card.
Prod.keys is usually needed for hactool, which is used on your computer. Fewer and fewer Switch applications require keys, and for good reason: the keys are already in the console. Neither Tinfoil nor Goldleaf require keys in order to function, so I'm not sure where you got that idea from. And different applications will require the keys to be in different places. Not only that, some tools use different names. So it doesn't matter where you put it or what you name it.

peteruk

Prod.keys is usually needed for hactool, which is used on your computer. Fewer and fewer Switch applications require keys, and for good reason: the keys are already in the console. Neither Tinfoil nor Goldleaf require keys in order to function, so I'm not sure where you got that idea from. And different applications will require the keys to be in different places. Not only that, some tools use different names. So it doesn't matter where you put it or what you name it.

Thanks for replying, you're always helpful without being condescending and it's very much appreciated.

I picked most of it up from reading various threads over the course of the expanding homebrew scene and have ended up with keys files in almost every folder and 2 files on the root (keys.txt and prod.keys).

I suppose, as I'm ditching SX OS, the most important one will be whether Atmosphere requires a keys file or not? If yes, will it be prod.keys or keys.txt, and should it be placed in the Atmosphere folder?
 

Draxzelex

Thanks for replying, you're always helpful without being condescending and it's very much appreciated.

I picked most of it up from reading various threads over the course of the expanding homebrew scene and have ended up with keys files in almost every folder and 2 files on the root (keys.txt and prod.keys).

I suppose, as I'm ditching SX OS, the most important one will be whether Atmosphere requires a keys file or not? If yes, will it be prod.keys or keys.txt, and should it be placed in the Atmosphere folder?
Atmosphere doesn't require keys either.

henkp

So I'm running my own pegaswitch server on a PC disconnected from the internet so as to prevent updating, because my Switch is i-patched. Is Lockpick_RCM safe to run on an i-patched Switch? I'm kinda put off by the name itself, as the recovery module isn't vulnerable in my case...

Draxzelex

So I'm running my own pegaswitch server on a PC disconnected from the internet so as to prevent updating, because my Switch is i-patched. Is Lockpick_RCM safe to run on an i-patched Switch? I'm kinda put off by the name itself, as the recovery module isn't vulnerable in my case...
Absolutely. As per the Atlas guide, it's highly recommended to run Lockpick_RCM via Caffeine.