Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, the Lockpick homebrew can no longer derive the latest keys. In the boot-time environment, however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip, containing both sept-primary.bin and sept-secondary.enc, must be present on SD; otherwise only keyblob master key derivation is possible (i.e. up to master_key_05 only)
Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly

urherenow

How should I go about using Lockpick on a chipped Switch? It boots right to Hekate so I assume I cannot send a payload the way I was accustomed to (using NS-USB Loader).

Edit: I think I figured it out, there is an option to dump from sysnand or emunand, does it matter?
It does matter if you don't update both sys and emummc. That should really be self-evident. There are those that think it's a good idea to keep sys on a low firmware and only update emummc. In that case, using it on sys is not going to get you the latest keys.

impeeza

It does matter if you don't update both sys and emummc. That should really be self-evident. There are those that think it's a good idea to keep sys on a low firmware and only update emummc. In that case, using it on sys is not going to get you the latest keys.
My SysNAND is untouched from the box. The very first time I turned on the console, I injected Hekate and made a backup, then converted the backup to an EmuNAND RAW partition (later converted to file based). Since then I have NEVER started the SysNAND. My EmuNAND got updated from 4.01 to every FW release since then, and has been using 90DNS and Atmosphère's DNSMiTM (when it became available) ALL THE TIMES. :P

shchmue

The difference between what gets dumped from sysnand and emunand is just titlekeys if you have different games installed. This would always generate the latest system keys no matter what version is actually installed.

Back from deployment! And it only took me 10 minutes or so to figure out the answer to the question in my last post (but I couldn't access this site again until now). 1) That particular bit is only for Erista, and I only brought my OLED with me, and 2) that key does not, in fact, exist in the secmon_boot_key_data.s file that we were told to use for this purpose. It exists in fusee_key_derivation.cpp. So without further ado, here's a cheat sheet I made up of what the keys are called in the various files. I've got this thing nailed down now (until the actual crypto changes... then I know where to look to figure things out, but it won't be quick. It'll be quick if it's just new keys and nothing else).
This comment explains why Atmosphère only keeps one of the master kek sources: https://github.com/Atmosphere-NX/At...rogram/source/boot/secmon_boot_key_data.s#L84

It will always have only the newest one. If you need older ones, check the commit history for this file.

Hassal

The difference between what gets dumped from sysnand and emunand is just titlekeys if you have different games installed. This would always generate the latest system keys no matter what version is actually installed.

This comment explains why Atmosphère only keeps one of the master kek sources: https://github.com/Atmosphere-NX/At...rogram/source/boot/secmon_boot_key_data.s#L84

It will always have only the newest one. If you need older ones, check the commit history for this file.
Is there a reason why Lockpick cannot dump console keys if exFAT drivers are installed on the system? This has always bugged me.

Hassal

You should not be using exFAT anyway; always use FAT32 on the Switch.
Sometimes I receive consoles like that, so it's an extra step for me if I want to dump their keys.
The issue happens when exFAT drivers are installed: the console no longer pairs with the eMMC, giving you a false reading.

I reported this a long time ago and nobody seemed to give a reason why this is happening.

Worldblender

I've just discovered that the source repository has gone down, and to my knowledge there's no other place to get it so far, so I uploaded the mudkip repository from 5/2023 (supporting 17.0.x firmware) here. I may consider uploading this to my GitLab profile later for backup purposes. Let me know if this upload becomes an issue.

Attachments

  • Lockpick_RCM_mudkip_source.zip (2.5 MB)

AlamosIT

I've just discovered that the source repository has gone down, and to my knowledge there's no other place to get it so far, so I uploaded the mudkip repository from 5/2023 (supporting 17.0.x firmware) here. I may consider uploading this to my GitLab profile later for backup purposes. Let me know if this upload becomes an issue.
I found this fork still online.

Worldblender

I found this fork still online.
Since it's on GitHub, it may be vulnerable to a DMCA takedown, since those can affect forks of the original repository unless it was a separate reupload. I specifically mentioned GitLab as it isn't as well known as GitHub, although its hosted service is still in the United States. I also already have an account over there.

Nameless_Mofo


Slluxx

Thank you @Slluxx for posting this backup mirror. Even though I have a copy of the bin, I was very upset that mudkip's repo went offline. It's good that the code is still available for now at least.

Unless I absolutely have to, however, I don't ever plan to update f/w beyond 17.0.1.
Team Neptune will take care of that, don't worry. Aside from us, there are multiple people that can and will update Lockpick and post here, so there is no need to worry.
