Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage

• Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
• Upon completion, keys will be saved to /switch/prod.keys on SD
• If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)

Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues

• Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly

 

[ZachyCatGames]

well, they might if they either patch a security flaw or think of another layer of security to add for future console horizon use. like what if the next hardware ends up with some vuln that doesn't apply to the current ones?

They've done a few fixes since 9.1.0 shrugs
> future hardware
I said "on NX"

 

[pcwizard7]

Biskeydump didn't worked for me, that's why I used Lockpick in the first place.
But thank you, I just need to split the extracted biskey. What an easy way...

yea the one long key is upper and lower in one. So copy and paste what doesn't fit in the first box. this is how u know where the break is

 

[Wvrd182]

yes because gateway drm clears key before you access it.
go flash spacecraft, extract your keys and wait for atmosphere 0.17.0 drops.

or if you wish a functional HOS at the moment, by flashing the bootloader backup back and use the "updater" tool on gw site, you are also able to go back gw firmware. no further instructions i wish to provide.

My mariko finally unbrickef from prodinfo sysnand disaster thanks to lockpick_rcm.

Got it working by flashing gateway firmware to spacecraft-nx then from there all biskeys obtained fine!

Ive never been happier in 2020 for this day! Thanks all and thanks Shchmue.

Additionally shoutout to BL4K3Y which never stopped trying to help me to unbrick since the day of the disaster and to the guys at Switchway discord

 

[regnad]

I don't seem to be able to get my prod.keys. I have Atmosphere 0.17.1, and the sept folder is on the SD with the sept-primary.bin as OP says. OP also says there should be sept-secondary.enc. In my sept folder are four files called sept-secondary_00.enc, sept-secondary_01.enc, sept-secondary_dev_00.enc, and sept-secondary_dev_01.enc. Is this not what I need? What can I do to get my prod.keys that I'm not doing?

 

[Adran_Marit]

I don't seem to be able to get my prod.keys. I have Atmosphere 0.17.1, and the sept folder is on the SD with the sept-primary.bin as OP says. OP also says there should be sept-secondary.enc. In my sept folder are four files called sept-secondary_00.enc, sept-secondary_01.enc, sept-secondary_dev_00.enc, and sept-secondary_dev_01.enc. Is this not what I need? What can I do to get my prod.keys that I'm not doing?

so in the sept folder on your sd card there should be
Sept-secondary_00.enc
Sept-secondary_01.enc
Sept-Primary.bin
Sept-Seconary.bin
payload.bin

the dev files don't matter for a retail switch

From there you insert your microSD card then inject the latest version of lockpick_rcm then choose sysmmc or emummc depending on what your setup is using

 

[shchmue]

I don't seem to be able to get my prod.keys. I have Atmosphere 0.17.1, and the sept folder is on the SD with the sept-primary.bin as OP says. OP also says there should be sept-secondary.enc. In my sept folder are four files called sept-secondary_00.enc, sept-secondary_01.enc, sept-secondary_dev_00.enc, and sept-secondary_dev_01.enc. Is this not what I need? What can I do to get my prod.keys that I'm not doing?

yeah you have the right files they’ve just changed a bit since sept launch. send a photo of the screen after lockpick runs and i can help diagnose the problem

 

[SheriffBuck]

I've got a Switch mid-repair. Unknown origin. Boots with black screen. Unit is unpatched and fires up Hekate fine and everything checks out OK, although unable to launch Atmosphere.

Trying to do a rebuild of the NAND, but unable to use Lockpick_RCM. The keys are partially built, but when sept is launched, it goes to a blackscreen. Lockpick is v1.9 and latest sept package from Atmosphere loaded onto SD.

Any ideas on what could be happening? I've videoed the text before the screen goes black and it says:

Rebooting to sept....
Found SS0, Atmosphere 0.17.1-49F07B06
Max HOS supported: 11.0.1
Unpacking and reading components.... Done!

Press power or Vol +/- to Reboot to sept....

Screen goes blank just after this bit. Help!

UPDATE

Been doing a bit more debug and reading the code for Lockpick_RCM and sept. It seems my CPU buck MAX77621 has failed causing hand-over from BPMP to CCPLEX to fail. Lockpick enables this before launching the sept payload. On another board this buck fires up, on this one it doesn't.... Will change it out and report back.

 

[TheWolfLord]

Sorry to bump this thread and if it's the wrong one... woops.

When running Lockpick to dump sysnand keys ... it seems to work fine except one part that gets skipped.

"Unable to open SD seed vector. Skipping."
"Unable to get SD seed."

Any ideas? My card probably isn't corrupted. Ran h2wtest(4 hours) go the all clear.

 

[LyuboA]

Sorry to bump this thread and if it's the wrong one... woops.

When running Lockpick to dump sysnand keys ... it seems to work fine except one part that gets skipped.

"Unable to open SD seed vector. Skipping."
"Unable to get SD seed."

Any ideas? My card probably isn't corrupted. Ran h2wtest(4 hours) go the all clear.

its your sd card try with another one or run error checking in windows

 

[TheWolfLord]

No error came up in windows check. What exactly is sd seed vector anyway? Important?

 

[RuqeT]

I've got a Switch mid-repair. Unknown origin. Boots with black screen. Unit is unpatched and fires up Hekate fine and everything checks out OK, although unable to launch Atmosphere.

Trying to do a rebuild of the NAND, but unable to use Lockpick_RCM. The keys are partially built, but when sept is launched, it goes to a blackscreen. Lockpick is v1.9 and latest sept package from Atmosphere loaded onto SD.

Any ideas on what could be happening? I've videoed the text before the screen goes black and it says:

Rebooting to sept....
Found SS0, Atmosphere 0.17.1-49F07B06
Max HOS supported: 11.0.1
Unpacking and reading components.... Done!

Press power or Vol +/- to Reboot to sept....

Screen goes blank just after this bit. Help!

UPDATE

Been doing a bit more debug and reading the code for Lockpick_RCM and sept. It seems my CPU buck MAX77621 has failed causing hand-over from BPMP to CCPLEX to fail. Lockpick enables this before launching the sept payload. On another board this buck fires up, on this one it doesn't.... Will change it out and report back.

i have exactly the same problem, did you solve it?

 

[shchmue]

Sorry to bump this thread and if it's the wrong one... woops.

When running Lockpick to dump sysnand keys ... it seems to work fine except one part that gets skipped.

"Unable to open SD seed vector. Skipping."
"Unable to get SD seed."

Any ideas? My card probably isn't corrupted. Ran h2wtest(4 hours) go the all clear.

just means you’ve never used the SD in the OS. it’s just used to decrypt game files on SD using hactool. most people don’t need it

 

[TheWolfLord]

just means you’ve never used the SD in the OS. it’s just used to decrypt game files on SD using hactool. most people don’t need it

Thanks! Yes, it was brand new when I formatted and used it. Had never been in the switch until I started the CFW setup.

 

[shchmue]

Lockpick_RCM now supports dumping keys after updating console to 12.0.0 (note: there are no new keys)

https://github.com/shchmue/Lockpick_RCM/releases/tag/v1.9.1

 

[shchmue]

Updated to support 12.0.2. No new keys again. Re-enabled the battery status bar.

https://github.com/shchmue/Lockpick_RCM/releases/tag/v1.9.2

 

[Denis_Lissov]

Hello friends,

today I tried to dump the keys. FW 12.0.2.

As mentioned before if I don't have the sept folder I am able to dump the keys, but not all the keys. It says the sept folder is missing if I remember correctly.

If I put the folder in the right place the console shuts off with the following messages:

MMC init .... done in 11980uS
write self to /sept/payload.bin... done
Rebooting to sept...

and the console shuts down. As said before if the sept folder is not there it is working fine besides I am not getting all the keys.

I am trying to do it because there is a parental pin and I want to remove it.

best regards

 

[spotanjo3]

Hello friends,

today I tried to dump the keys. FW 12.0.2.

As mentioned before if I don't have the sept folder I am able to dump the keys, but not all the keys. It says the sept folder is missing if I remember correctly.

If I put the folder in the right place the console shuts off with the following messages:

MMC init .... done in 11980uS
write self to /sept/payload.bin... done
Rebooting to sept...

and the console shuts down. As said before if the sept folder is not there it is working fine besides I am not getting all the keys.

I am trying to do it because there is a parental pin and I want to remove it.

best regards

Hello. Don't bother. The last few Lockpick_RCM updates have been to support new firmwares which don’t contain any new master keys, so you’ll find if you dump keys again after updating, the dump will be the same.

 

[Denis_Lissov]

Hello. Don't bother. The last few Lockpick_RCM updates have been to support new firmwares which don’t contain any new master keys, so you’ll find if you dump keys again after updating, the dump will be the same.

Thank you for your response sir.
But I was thinking the keys are saved in the console? And the shutting down of the console is normal as well because there no new keys contained? Or the firmware doesn't contain any masterkeys? I think I am misreading your answer.

Best regards

 

[shchmue]

Thank you for your response sir.
But I was thinking the keys are saved in the console? And the shutting down of the console is normal as well because there no new keys contained? Or the firmware doesn't contain any masterkeys? I think I am misreading your answer.

Best regards

if you have an older key backup from this console, it's sufficient for your purpose. however, there's also a homebrew program that accomplishes pin reset

 

[spotanjo3]

Thank you for your response sir.
But I was thinking the keys are saved in the console? And the shutting down of the console is normal as well because there no new keys contained? Or the firmware doesn't contain any masterkeys? I think I am misreading your answer.

Best regards

You are welcome. And..Look here:

if you have an older key backup from this console, it's sufficient for your purpose. however, there's also a homebrew program that accomplishes pin reset