Toggle sidebar

Front-page Hacking RELEASE  Updated

Lockpick_RCM payload - Official Thread


Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)
Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly
 

Attachments

  • AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg
    AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg
    11.2 KB · Views: 0
Last edited by shchmue,
  • Like
Reactions: SnowStormAkikaze, FanNintendo, Deleted member 753700 and 78 others
Click to expand...
impeeza said:
I only have a Erista console and with that I was able to dump 260 Keys includeing 15 ones
Click to expand...
lol. Just dumped it on my erista, and got all 260 keys. And I haven't updated my erista yet at all. sys OR emu...

And reboot to RCM works. No idea what Codi1138 is talking about. Thinks it crashed because it was a black screen? That's what happens when you reboot to RCM, and the system is waiting for a payload (insert dongle or send with tegraRCMsmash, etc...)
 
Last edited by urherenow,
  • Love
Reactions: impeeza
impeeza said:
@Zoria Look at this code, on the file HOS.H you and me have some keys different from the Firmwares 20 and 21 and I just rechecked the values from Atmosphère code and seems yours are mistaken
View attachment 562891
Click to expand...

So are you saying something is wrong with the build you were referencing (which is the same as latest 1.9.19 from his git)? If so, then which proper release to use? It gets confusing for me when there's the Zoria git, the Kofyag git, and your 'DecScots' git & they all seem to have different commits/changes.
Post automatically merged:

@impeeza @Zoria

Comments please, on my above post? To me it appears Impeeza though something is not correct with Zorias keys for FW 20 and 21. So which release from the mentioned gits is 'proper'?
 
Last edited by VioletRose,
VioletRose said:
So are you saying something is wrong with the build you were referencing (which is the same as latest 1.9.19 from his git)? If so, then which proper release to use? It gets confusing for me when there's the Zoria git, the Kofyag git, and your 'DecScots' git & they all seem to have different commits/changes.
Post automatically merged:

@impeeza @Zoria

Comments please, on my above post? To me it appears Impeeza though something is not correct with Zorias keys for FW 20 and 21. So which release from the mentioned gits is 'proper'?
Click to expand...
I usually use Impeeza's Descots fork. If you want to verify if keys are being generated correctly, the place to look (in the absence of having an e-shop title built with the latest key) is the Atmosphere source. That's what most of us non-devs use to update Lockpick on our own, when being impatient.
 
  • Love
  • Like
Reactions: VioletRose and impeeza
Zoria said:
If there are any errors in my source code, feel free to fix them.
I don't have much time right now to work on this project.
I only have time to work on SwitchTools a little bit.
Click to expand...
Submitted a pull request for the fix. I hope you have time to merge because I don't really feel comfortable having a fork of a DMCAd project under my name. I want to delete it as soon as it's merged.
 
  • Like
  • Haha
Reactions: Zoria, impeeza and Blythe93
urherenow said:
Submitted a pull request for the fix. I hope you have time to merge because I don't really feel comfortable having a fork of a DMCAd project under my name. I want to delete it as soon as it's merged.
Click to expand...
I'm really sorry for the lack of time I've been able to devote to LockPick. I'm short on time, and given what's been going on in the scene lately, I'd rather be doing something else.
I've merged the PR :)
 
  • Like
Reactions: Tyvar1, urherenow, Blythe93 and 2 others
For lockpick would it be possible to dump prod and title keys from a newer firmware 22.1 switch and place them on a older firmware switch like 20.5 where the files are normally located to run newer games without updating?
 
cvskid said:
For lockpick would it be possible to dump prod and title keys from a newer firmware 22.1 switch and place them on a older firmware switch like 20.5 where the files are normally located to run newer games without updating?
Click to expand...
the keys dump have two types of keys on it, generic ones, which are the same for all consoles ever made and console specific ones which are needed to read console's own encrypted filesystem.
 
  • Like
Reactions: Tyvar1, Blythe93 and cvskid
cvskid said:
For lockpick would it be possible to dump prod and title keys from a newer firmware 22.1 switch and place them on a older firmware switch like 20.5 where the files are normally located to run newer games without updating?
Click to expand...
The keys aren't what makes a game require newer firmware. It's just a setting that most installers can alter when you install them. If you run the latest lockpick without updating your firmware, you'd still get all of the latest keys. They are derived, not embedded (lockpick doesn't extract them directly from the firmware, it calculates them, and the updated numbers it uses to calculate them, is what gets embedded into lockpick... thus your firmware version doesn't matter for "dumping" keys).

The only time a newer game would ACTUALLY require a newer firmware, is when it uses new syscalls that don't exist on the older firmware. So all you need most of the time is to make your installer alter the minimum firmware setting, and have your sigpatches working.
 
Last edited by urherenow,
  • Love
  • Like
Reactions: cvskid and impeeza
Blythe93 said:
What's the difference between Lockpick_RCM.bin and Lockpick_RCM_unc.bin?
Click to expand...
Core Differences
  • Lockpick_RCM: The standard payload originally created by shchmue to extract encryption keys (prod.keys, title.keys) from the Nintendo Switch. It is heavily based on the Hekate bootloader and works flawlessly on early, unpatched V1 consoles.
  • Lockpick_RCM_unc: Also known as Lockpick_RCM_Unpatched or occasionally modified into Pro builds. It is a fork or specialized version tweaked to work on patched Erista and Mariko (v2, Lite, OLED) consoles. Standard Lockpick can sometimes face obstacles or require chainloading workarounds on newer hardware revisions.
I think the unc stands for unsigned certificate.
 
  • Love
Reactions: Blythe93
AmeliaFox said:
Core Differences
  • Lockpick_RCM: The standard payload originally created by shchmue to extract encryption keys (prod.keys, title.keys) from the Nintendo Switch. It is heavily based on the Hekate bootloader and works flawlessly on early, unpatched V1 consoles.
  • Lockpick_RCM_unc: Also known as Lockpick_RCM_Unpatched or occasionally modified into Pro builds. It is a fork or specialized version tweaked to work on patched Erista and Mariko (v2, Lite, OLED) consoles. Standard Lockpick can sometimes face obstacles or require chainloading workarounds on newer hardware revisions.
I think the unc stands for unsigned certificate.
Click to expand...
Thanks for the detailed reply!
 
Blythe93 said:
What's the difference between Lockpick_RCM.bin and Lockpick_RCM_unc.bin?
Click to expand...

AmeliaFox said:
Core Differences
  • Lockpick_RCM: The standard payload originally created by shchmue to extract encryption keys (prod.keys, title.keys) from the Nintendo Switch. It is heavily based on the Hekate bootloader and works flawlessly on early, unpatched V1 consoles.
  • Lockpick_RCM_unc: Also known as Lockpick_RCM_Unpatched or occasionally modified into Pro builds. It is a fork or specialized version tweaked to work on patched Erista and Mariko (v2, Lite, OLED) consoles. Standard Lockpick can sometimes face obstacles or require chainloading workarounds on newer hardware revisions.
I think the unc stands for unsigned certificate.
Click to expand...

Blythe93 said:
Thanks for the detailed reply!
Click to expand...

That is the problem of the A.I. : IS ALWAYS WRONG!

Lockpick_RCM and Lockpick_RCM_unc are the same file, but the _unc is UNCOMPRESSED.

As the Lockpick is a payload, there is a size limit for them, when creating binaries for payloads they are compressed using lz77 so they fit on the buffer.

The build process do not delete the uncompressed one for testing and debug.

The max uncompressed payload size is 140288 Bytes and the max compressed payload size is 126296 Bytes
 
  • Like
  • Love
Reactions: Zoria, Tyvar1, Blythe93 and 4 others
impeeza said:
That is the problem of the A.I. : IS ALWAYS WRONG!

Lockpick_RCM and Lockpick_RCM_unc are the same file, but the _unc is UNCOMPRESSED.

As the Lockpick is a payload, there is a size limit for them, when creating binaries for payloads they are compressed using lz77 so they fit on the buffer.

The build process do not delete the uncompressed one for testing and debug.

The max uncompressed payload size is 140288 Bytes and the max compressed payload size is 126296 Bytes
Click to expand...
Yep, it seems Google is broken nowadays. It has been for a while. Now it's just a big advert and full of crap.
 
  • Like
  • Haha
Reactions: Zoria, Tyvar1, Blythe93 and 3 others
I've decided to see if I cannot add a new key derivation path similar to my other projects into lockpick_rcm;

what this does differently compared to what lockpick_rcm did before, is it reads and decrypts the nca headers, identifies system update and the fat32 filesystem nca;
then checks the key revision used in the system update (as FS always master key 0), and compares it against what lockpick already knows about.

if it's lower or equal, lockpick does nothing new.

if it's higher, it attempts to decrypt the FS .nca, finding /nx/package1, decrypts it (hovi kek tsec keygen has also been added because of this), searches for magic to find where master_kek_source is stored;

then processes the new keys for that keygen revision using the master kek source found.


the intent of this change is for lockpick rcm to be able to get the newest keys without lockpick rcm requiring an update to do so, however updating lets the keys generated into prod.keys have example:

_15
_16
_17

instead of lacking updates and a hypothetical list (essentially a gap):

_15
_17

https://github.com/borntohonk/Lockpick_RCMaster/releases/download/test/Lockpick_RCM_current.bin
https://github.com/borntohonk/Lockpick_RCMaster/releases/download/test/Lockpick_RCM_subtracted.bin (latest generation commented out)


I have these two binaries, which needs testing on an actual system, because i'm bit unsure if the codepath is triggered as it currently is, or if i need to add a +1

https://github.com/borntohonk/Lockpick_RCMaster/commit/35f2dd852f3266aa40b0dde77eb8b9e82887f884
 
Last edited by bth,

Site & Scene News

Go to forum More news

Popular threads in this forum

Feedback Homebrew  Essential Homebrew

Homebrew Homebrew game  Lego Star Wars: The Complete Saga · Switch Port

Homebrew Homebrew game Project  So... Dan didn't want to reveal his Vulkan, so I made mine.

Homebrew Homebrew game  GTA: Chinatown Wars - Switch port

Homebrew Homebrew game  Half Life 2 (Source Engine) - Switch Port

running 20.5 Is it worth upgrading my firmware...?

Homebrew Homebrew game  Final Fantasy IV 3D Remake - Switch port

Hacking Hardware Misc  Yo chat! I'm I cooked?