Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage

• Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
• Upon completion, keys will be saved to /switch/prod.keys on SD
• If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)

Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues

• Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly

 

[LittleBigPadawan]

Yes, same problem here. Nothing happens after being injected into TegraRcmGUI (2.6). I am using hekate 5.2, which according to CTCaer is compatible with Horizon 10.0.2

hi guys ,
is there a problem with newest lockpick rmc 1.8.2 and switch firmware 10.0.2 ?
after injecting the payload i got a black screen and nothing happens ...

version 1.8.1 will boot and i get the menu , but it failed to extract the keys due to incompatibility with fw 10.0.2

anybody else has the same issue ?

 

[mspy]

So this does not work with 10.0.2 ?

 

[shchmue]

Both Hekate and Lockpick_RCM work with firmware 10.0.2.

 

[shchmue]

v1.8.3 is out, it's faster, especially on file-based emummc and it also supports getting sept via FSS0
https://github.com/shchmue/Lockpick_RCM/releases/tag/v1.8.3

 

[BlaBla1973]

My switch is on CFW 10.0.2 and OFW 10.0.3, the last version of Lockpick_RCM gives me a black screen.
Is there a newer version for firmware 10.0.3 needed?

 

[SkullHex2]

My switch is on CFW 10.0.2 and OFW 10.0.3, the last version of Lockpick_RCM gives me a black screen.
Is there a newer version for firmware 10.0.3 needed?

I used the latest version like two days ago on 10.0.3 and it worked flawlessly

 

[shchmue]

My switch is on CFW 10.0.2 and OFW 10.0.3, the last version of Lockpick_RCM gives me a black screen.
Is there a newer version for firmware 10.0.3 needed?

i tested it on 10.0.3 with emunand before release. are you launching it directly or from another bootloader like argon or sx

 

[BlaBla1973]

I'm using emunand (sx) but launching it directly.

 

[shchmue]

Atmosphere changed sept keyslots so this is a bugfix release to support Atmosphere 0.13.0:
https://github.com/shchmue/Lockpick_RCM/releases/latest

 

[PeteP]

Hi guys, I’m on 10.0.4 and sx 3.0.3

lockpick 1.8.4 rcm boots to screen and when I choose Sysnand for keydump it goes straight to black screen. I have rcm.bin on root of sd and sept folder also on root
Any ideas?

 

[shchmue]

Hi guys, I’m on 10.0.4 and sx 3.0.3

lockpick 1.8.4 rcm boots to screen and when I choose Sysnand for keydump it goes straight to black screen. I have rcm.bin on root of sd and sept folder also on root
Any ideas?

are you injecting it directly

 

[PeteP]

Via sx os there is a payload injector as part of the options menu.

Is Tegrarcm programme compatible with sx core??

 

[LogicalMadness]

SX Core: 1.3 FW
SX OS: 3.0.4 Beta
NSW: 10.1.0 OFW
Lockpick_RCM.bin: 1.8.4

Using the OS to inject payload and it shows it accessing the sept folder but then quickly goes to a black screen. No prod.key file is generated (I have to hold down the PWR button to get it to do anything).

 

[shchmue]

I don’t know anything about the SX products but Lockpick RCM does not support Mariko

 

[Muxi]

Using the OS to inject payload and it shows it accessing the sept folder but then quickly goes to a black screen. No prod.key file is generated (I have to hold down the PWR button to get it to do anything).

SX Core does not support RCM payloads!

 

[Gobracket]

SX Core does not support RCM payloads!

Even for erista patched?

 

[Draxzelex]

Even for erista patched?

What I think he means is that SX Core does not support directly injecting any payload except the SX one. This causes issues for certain payloads such as Lockpick_RCM as it usually has to be injected directly in order to function. However since your unit is an Erista, you can chainload into Hekate via the SX OS RCM menu which will allow you to chainload into Lockpick_RCM.

 

[Tatz]

hi, i am unable to get my prod.keys unless i have no sept or switch folder.

 

[Draxzelex]

hi, i am unable to get my prod.keys unless i have no sept or switch folder.

You only need sept if your firmware is 7.0 or higher and the Switch folder is not really necessary.

 

[Kanali]

Haven't tinkered with my Switch for a while, but tried using this tool to get my keys, but all I get when I inject it is a black screen.

I'm on 6.0.0 and AMS 0.9.2