Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip, containing both sept-primary.bin and sept-secondary.enc, must be present on SD, or else only keyblob master key derivation is possible (i.e. up to master_key_05 only)
Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code; please launch the payload directly
 

Last edited by shchmue,
Thank you for your hard work. Verified working on Mariko.

A note to average Mariko users: you have to use the alternative firmware for the TX/Gateway modchip (specifically Spacecraft-NX at the moment) in order to extract the correct keyset.
 
Last edited by cai_miao,
Thank you for your hard work. Verified working on Mariko.

A note to average Mariko users: you have to use the alternative firmware for the TX/Gateway modchip (specifically Spacecraft-NX at the moment) in order to extract the correct keyset.
What does this mean? We cannot do it natively on sx core?
 
[Attached image: 20201211_101213.jpg]
The above pic is from my Mariko with SX Core, so I guess it is not clear to me which of the keysets in the prod.keys are the proper ones for partialaeskeycrack.exe?

Here are notes from the github:
Code:
The contents of this file are the keyslot number followed by the result of that keyslot encrypting 16 null bytes. With the tool linked above, enter them in sequence for a given keyslot you want the contents of, for example: PartialAesKeyCrack.exe <num1> <num2> <num3> <num4> with the --numthreads=N where N is the number of threads you can dedicate to the brute force.

The keyslots are as follows:
12 - Mariko KEK (this is used for master key derivation)
13 - Mariko BEK (this is used for package1 decryption)
14 - console unique SBK (this isn't needed for further key derivation)
15 - console unique SSK (this is used on dev only)
Does anyone know which specific keynames are the right ones?
 
What does this mean? We cannot do it natively on sx core?
Yes, because the Gateway DRM clears the key before you can access it.
Go flash Spacecraft, extract your keys and wait until Atmosphère 0.17.0 drops.

Or, if you want a functional HOS at the moment: by flashing the bootloader backup back and using the "updater" tool on the GW site, you are also able to go back to the GW firmware. I don't wish to provide further instructions.
 
Last edited by cai_miao,
hi, I'm kinda new. I was halfway through modifying my first switch when I was hit with the key extraction bug with 1.8.5 and system 11.0.

There doesn't seem to be the lockpick_rcm.bin file in the 1.9.0 release I need to copy to the SD card to extract the keys?


Also, DesignGears? Same guy from the ATT Captivate ROMs like... a decade ago!? I knew I remembered that name from somewhere! :D
 
hi, I'm kinda new. I was halfway through modifying my first switch when I was hit with the key extraction bug with 1.8.5 and system 11.0.

There doesn't seem to be the lockpick_rcm.bin file in the 1.9.0 release I need to copy to the SD card to extract the keys?


Also, DesignGears? Same guy from the ATT Captivate ROMs like... a decade ago!? I knew I remembered that name from somewhere! :D

Really? Are you sure there's no bin file?

https://github.com/shchmue/Lockpick_RCM/releases/download/v1.9.0/Lockpick_RCM.bin
 
@shchmue - thanks for updating.

I see there's no new keys added - 0b for example. I was expecting a new key would be added with the 11.0 firmware update. It's been a while since any new keys were added - do you have any knowledge why this could be?
 
@shchmue - thanks for updating.

I see there's no new keys added - 0b for example. I was expecting a new key would be added with the 11.0 firmware update. It's been a while since any new keys were added - do you have any knowledge why this could be?
New key extraction is sept dependent, iirc.
 
Why am I unable to find that bin? GitHub is so confusing at times, it's stupid. I have no idea how you found that bin; all I found was the damn source.
 
@shchmue - thanks for updating.

I see there's no new keys added - 0b for example. I was expecting a new key would be added with the 11.0 firmware update. It's been a while since any new keys were added - do you have any knowledge why this could be?
They simply don't always change the key generation in major updates. I don't know why they didn't this time, but firmware updates from them do often require compatibility updates from me, so I provide them.
Why am I unable to find that bin? GitHub is so confusing at times, it's stupid. I have no idea how you found that bin; all I found was the damn source.
Under the description at the release link. Releases are on the right-hand side of the main repo page; otherwise scroll back in the thread to where I linked the specific recent release.
 
I see there's no new keys added - 0b for example. I was expecting a new key would be added with the 11.0 firmware update. It's been a while since any new keys were added - do you have any knowledge why this could be?
Changing keys at this point would be completely pointless.
I’m guessing they won’t ever go past 0x0A on NX.
 
Well, they might if they either patch a security flaw or think of another layer of security to add for future console Horizon use. Like, what if the next hardware ends up with some vuln that doesn't apply to the current ones?
 
Hi,

I used 1.9.0 and it extracted the keys just fine, but I need an upper and lower biskey 3 for HacDiskMount and I can't find them in my key file. Is the designation just different?
 
Biskeydump didn't work for me, that's why I used Lockpick in the first place.
But thank you, I just need to split the extracted biskey. What an easy way... :switch:
 
Last edited by shiro1811,
