Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD, or else only keyblob master key derivation is possible (i.e. up to master_key_05 only)

Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly
 


miss_nakano

First of all, shchmue, I want to say thanks to you for this amazing tool! I am still a newbie. I have a few questions for you regarding this tool.

1) After running Lockpick_RCM, I get prod.keys in the /switch folder. It said it found 140 keys. Regarding title keys, it additionally said "invalid public exponent" and finally it said "found through master_key_09". Did I do everything right? Are those messages supposed to be normal?

2) According to your GitHub page, you said that it is recommended to put minerva. But where do I find it?

3) According to your GitHub page, it is said that "Upon completion, keys will be saved to /switch/prod.keys and titlekeys to /switch/title.keys on SD" but I only had prod.keys generated and no title.keys at all. Is this because of the invalid message above?

4) How exactly do I use this? Or is this just for backup purposes, since I did this after backing up NAND, or can you use this prod.keys somewhere for certain other purposes?

My firmware is 8.10, hekate 5.02, AMS 0.9.4.

Thank you very much.
 

OrGoN3

1. You probably have nothing installed. Don't worry about it.

2. From hekate (https://github.com/CTCaer/hekate/releases). If you booted with Hekate, like you mentioned, then minerva is already where it is supposed to be. Plus, that's only for titlekeys, so who cares?

3. Do you have any games/apps installed? If not, then there is nothing to dump.

4. You save a backup copy of your prod.keys and keep the prod.keys on your SD card. If any homebrew requires them, you'll have them. However, once you update to 8.x.x or 9.x.x you'll have to run the tool [Lockpick_RCM] again to get the latest keys.
 

miss_nakano


1) Actually I have around 14 games installed. Now that you mention it, I actually just started fresh by copying the newest SD files to my SD and deleting everything except for the Nintendo folder. I also updated my NS Atmosphere dongle payload to the newest Hekate, 5.02. Since I just did it, I haven't run the installed games or any homebrew apps after starting fresh and have only been messing with Hekate because I thought I was stuck in this "Lockpick RCM" step till this post.

2) So it is supposed to be included already by running the Hekate 5.02 payload?

3) I have things installed but I haven't run them at all since I started fresh and want to finish the important things to do with Hekate (backup, Lockpick, etc.) first. I have the Nintendo folder though.

4) I see.. you have to get the keys every time you update.. so the purpose of this key is for homebrew? How do I use this then? Where do I put it?

Thanks again.
 

OrGoN3

2. Hekate is the payload. The release contains files for your SD card as well. If you didn't update your sd card with those files, then please do so.

3. Are they installed to SD card or nand?

4. I already told you what to do with your keys and where to put them. I don't know what else you can be meaning.
 

miss_nakano


1) Yes, I know Hekate is the payload. I used the NS programmer thing from the NS Atmosphere dongle website to overwrite the obsolete Hekate version with the 5.02 one. I did copy the newest SD files that contain the updated AMS and homebrew. Thanks for your concern.

2) The games and homebrew are all on the SD card (the games are in the Nintendo folder on the SD card). I didn't even know you could install things to NAND.

3) Sorry if I wasn't being clear. Maybe an example would be better. Let's say Goldleaf and EdiZon need this prod.keys. So, where do you put the prod.keys in order for Goldleaf/EdiZon to be able to use it?

Thanks again :)
 

OrGoN3

1. Thanks for your patience and kindness. Both are very much appreciated and often not shown. :)

1. Just making sure. Minerva is under sdcard://bootloader/sys/libsys_minerva.bso

2. You can install to nand, it's just not recommended.

3. Again, if homebrew needed it, it would look under sdcard://switch/prod.keys, then sdcard://switch/keys.txt. That is where Lockpick_RCM puts the file. No need to move it aside from backing it up.
 

miss_nakano


1) Thank you, I'll check if it is there.

2) It is not recommended, huh? I suppose this is why I never really hear about installing things to NAND. Thanks.

3) Now this is the information I want! Thanks for explaining it so clearly! Just one more question: where does the keys.txt come from? I only have prod.keys in the switch folder.

Thanks again :)
 

OrGoN3

You can rename prod.keys to keys.txt. I'm not sure where the different names stem from.

Well I mean you can install to nand. Just realize it'll fill up quickly. Also if you're using emunand/emummc then it's installing to SD card no matter what. Just install everything to sd and you'll be good.

You're welcome. :D
 

miss_nakano


So that's how you get the keys.txt! About installing things to the NAND, I think I'll stick to SD card installing for more safety.

Thanks again for everything, OrGoN3! I look forward to your help again in the future! :)
 

shchmue

that’s odd. it means your prodinfo decrypted successfully and it derived eticket_rsa_kek but the result of decrypting the keypair was off. huh. yes, that’s why there’s no title.keys file

minerva is part of the hekate release package in the sd files

some programs require keys. they’ll include instructions if so. as far as i know, homebrew doesn’t require keys anymore as there are ways they can get keys they need during runtime. these are mostly required by programs that run off console.
 
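The usage section says Lockpick_RCM writes its dump to /switch/prod.keys, and the exchange above turns on what "found through master_key_09" and the missing title.keys mean. As an added example that is not code from Lockpick_RCM or from anyone in this thread, here is a small Python checker for a prod.keys-style file (one `name = hex` pair per line, the hactool keyset layout) that reports the highest master key generation present, gaps below it, malformed entries, and whether eticket_rsa_kek was dumped; the embedded sample file is constructed and its values are placeholders.

```python
import re

# Constructed sample in the prod.keys layout ("name = hex", one key per line).
# Values are placeholders, not keys dumped from any console.
SAMPLE_PROD_KEYS = """\
# hactool-style keyset (constructed sample)
master_key_00 = 00000000000000000000000000000000
master_key_01 = 01010101010101010101010101010101
master_key_02 = abcd
master_key_09 = 09090909090909090909090909090909
eticket_rsa_kek = aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
header_key = bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbcccccccccccccccccccccccccccccccc
bad_key = zz
"""

LINE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)$")
MASTER_RE = re.compile(r"^master_key_([0-9A-Fa-f]{2})$")


def parse_keys(text):
    """Parse prod.keys text into {name: bytes}; also return rejected (line_no, text)."""
    keys, rejected = {}, []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are ignored
        m = LINE_RE.match(line)
        if m is None or len(m.group(2)) % 2:
            rejected.append((num, line))  # not "name = hex", or odd hex digit count
            continue
        keys[m.group(1)] = bytes.fromhex(m.group(2))
    return keys, rejected


def master_key_report(keys):
    """Summarise which master key generations a dump contains and flag oddities."""
    gens, wrong_size = {}, []
    for name, value in keys.items():
        m = MASTER_RE.match(name)
        if m is None:
            continue
        gens[int(m.group(1), 16)] = value  # generation index is two hex digits
        if len(value) != 16:               # master keys are 128-bit AES keys
            wrong_size.append(name)
    highest = max(gens) if gens else None
    missing = [g for g in range(highest + 1) if g not in gens] if gens else []
    return {
        "key_count": len(keys),
        "highest_generation": highest,     # the "found through master_key_XX" line
        "missing_generations": missing,
        "wrong_size": sorted(wrong_size),
        # needed for title.keys, but not sufficient: the keypair decrypt can still fail
        "eticket_rsa_kek_present": "eticket_rsa_kek" in keys,
    }


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROD_KEYS
    keys, rejected = parse_keys(text)
    print(master_key_report(keys))
    for num, line in rejected:
        print(f"line {num}: rejected {line!r}")
```

Run it with the path to your own /switch/prod.keys as the first argument; without one it checks the constructed sample.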

miss_nakano


Thank you very much for answering my questions!

So something was wrong after all... Actually I suspect it is my weird Switch. My Switch was made in 2019 (supposed to be iPatched) and its serial number is in the "certainly patched" category like the one here:

https://gbatemp.net/threads/my-switch-is-a-2019-v6-2-0-xaj4008278-unpatched-unit.546996/

Just like his Switch, mine is probably an anomaly as well. But it is really unpatched though, since I can use AutoRCM. It's just that I don't understand what "invalid public exponent" meant. I wonder what can be done about the keys.txt not being generated..

Thanks again shchmue for your amazing tools!
 

shchmue

oh! interesting. could you leave the prod.keys file where it is and try running Lockpick homebrew and see if that is able to get your titlekeys?

--------------------- MERGED ---------------------------

incidentally, bugfix release. this doesn't address anything you're dealing with though.

Catch uncommon errors reading Sept files. Also added a few new SD Save keys that aren't really useful to anyone except researchers. See LibHac for usage. Reduced size of large module for future expansion.
edit: fixed the fix
https://github.com/shchmue/Lockpick_RCM/releases/tag/v1.6.3
 

SMVB64

Hello all,

I have an issue using Lockpick_RCM.
It does find the keys but is unable to save them.
The error I am getting is "unable to create /switch folder on SD"

Thanks,
SM
 

miss_nakano

Thank you very much for your amazing 1.6.4 fix!
 

shchmue

https://github.com/shchmue/Lockpick_RCM/releases/tag/v1.7.0 Zoom update

Lockpick_RCM now parses the ES save files correctly for much quicker titlekey extraction, i.e. linear in the number of titlekeys rather than checking the whole save container

Huge thanks to @minibar for an excellent source of truth on save parsing in the form of https://github.com/Thealexbarney/LibHac/ and for answering so many questions about it on top of all the hard work reversing FS and constantly improving LibHac

Also corrected a major bug in Hekate's heap code (please do the same if you use Hekate code in your own projects! ref https://github.com/CTCaer/hekate/pull/300 ) and eliminated a few of my own memory leaks, both guaranteed and potential
 
