Front-page Hacking RELEASE  Updated

Lockpick_RCM payload - Official Thread


Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)
Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly
 

Attachments

  • AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg
    AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg
    11.2 KB · Views: 0
Last edited by shchmue,
  • Like
Reactions: NotUsingAnAltAccount, BigOnYa, Blythe93 and 74 others
Click to expand...
Denis_Lissov

Denis_Lissov

Member
Newcomer
Level 1
Joined
Jan 8, 2021
Messages
19
Trophies
0
Age
30
XP
98
Country
Germany
shchmue said:
if you have an older key backup from this console, it's sufficient for your purpose. however, there's also a homebrew program that accomplishes pin reset
Click to expand...
that's what I didn't want to do because I am scared to screw something up and getting the switch banned. But as you said that's the way to go.

Thank you, guys.
 
D-an-W

D-an-W

Well-Known Member
Member
Level 7
Joined
Nov 13, 2002
Messages
170
Trophies
2
Website
Visit site
XP
1,120
Country
Is there a way to fully run Lockpick_RCM on a Lite with SX-OS without having to install Spacecraft NX (Which I think requires the case opening?)?
 
T

thaikhoa

Well-Known Member
Member
Level 11
Joined
Sep 16, 2008
Messages
2,236
Trophies
1
XP
2,590
Country
Australia
C

Casualhacker25

New Member
Newbie
Level 1
Joined
Jul 12, 2021
Messages
1
Trophies
0
Age
26
XP
41
Country
United States
I’m having the same issue as thaikhoa. Here is what it displays after I hit dump key from sysnand. It went by quickly so I had to record a video and pause it on the right frame:

MMC init… done in 9992 US
Write self to /sept/payload.bin… done
Rebooting to sept…

Found FSS0, Atmosphere 0.19.5-DF13781C
Max HOS supported: 12.1.0
Unpacking and loading components… Done!

My switch then turns off. If I remove the sept folder from my SD card it works just fine. I’ve made sure the sept folder is from the latest atmosphere release and even readded all of the files on my sd card.
 
  • Like
Reactions: thaikhoa
OriginalCopycat

OriginalCopycat

Well-Known Member
Newcomer
Level 4
Joined
Jun 23, 2020
Messages
97
Trophies
0
Age
43
XP
528
Country
United Kingdom
D-an-W said:
Just for information I was told this just now and it worked "SX gear boot file + lockpick renamed to payload.bin"
Click to expand...

This doesn't work for me and I'm not sure why. Here's what I did:

Renamed boot.dat -> bootold.dat
Extracted SX Tools to root of SD.
Extracted Hekate and renamed the bin to payload.bin.
Put latest Lockpick_RCM.bin in the bootloader/payloads folder.

The switch turns on and boots Hekate, I can launch Lockpick from within it, but I get the same limited-pick results.

I really don't want to flash the SX CORE's firmware with Spacecraft!

Thanks for any help you can give :)
 
Hayato213

Hayato213

Newcomer
Member
Level 28
Joined
Dec 26, 2015
Messages
20,019
Trophies
1
XP
21,112
Country
United States
OriginalCopycat said:
This doesn't work for me and I'm not sure why. Here's what I did:

Renamed boot.dat -> bootold.dat
Extracted SX Tools to root of SD.
Extracted Hekate and renamed the bin to payload.bin.
Put latest Lockpick_RCM.bin in the bootloader/payloads folder.

The switch turns on and boots Hekate, I can launch Lockpick from within it, but I get the same limited-pick results.

I really don't want to flash the SX CORE's firmware with Spacecraft!

Thanks for any help you can give :)
Click to expand...

You would need Spacecraft-NX
 
OriginalCopycat

OriginalCopycat

Well-Known Member
Newcomer
Level 4
Joined
Jun 23, 2020
Messages
97
Trophies
0
Age
43
XP
528
Country
United Kingdom
Hayato213 said:
If you want to get the key you would have to use Spacecraft-NX, no point of going back if you are moving on from SX OS. No idea on if it is reversable or not.
Click to expand...
Ok, and sorry if this is a stupid question, but do I NEED the keys to move to Atmosphere? I’ve never needed them for SXOS so I’m not familiar with what they’re for.

thanks again!
 
Hayato213

Hayato213

Newcomer
Member
Level 28
Joined
Dec 26, 2015
Messages
20,019
Trophies
1
XP
21,112
Country
United States
OriginalCopycat said:
Ok, and sorry if this is a stupid question, but do I NEED the keys to move to Atmosphere? I’ve never needed them for SXOS so I’m not familiar with what they’re for.

thanks again!
Click to expand...

Keys are needed for like converting games to from XCI to NSP, tinfoil shops need keys, rebuilding a NAND would need the bis_key and device key that come with the keys that is obtain from lockpick_RCM.
 
  • Like
Reactions: OriginalCopycat
Adran_Marit

Adran_Marit

Walküre's Hacker
Member
Level 14
Joined
Oct 3, 2015
Messages
3,781
Trophies
1
Location
42*South
XP
4,557
Country
Australia
OriginalCopycat said:
Ok, and sorry if this is a stupid question, but do I NEED the keys to move to Atmosphere? I’ve never needed them for SXOS so I’m not familiar with what they’re for.

thanks again!
Click to expand...
Hayato213 said:
Keys are needed for like converting games to from XCI to NSP, tinfoil shops need keys, rebuilding a NAND would need the bis_key and device key that come with the keys that is obtain from lockpick_RCM.
Click to expand...


In addition, Make a damn backup :)
 

Site & Scene News

Go to forum More news

Popular threads in this forum

Hacking Misc  Getting the MIG Switch to load an XCI dump without its original Initial Data

Emulation Homebrew  duckstation for Switch

Can you trade in a banned switch for an unbanned one?

Why is Atmosphere so dominant?

Crosscode Hacking thread

Hacking  Weird findings from that DQ trilogy switch port

Migswitch backups without certificate files

switch change sd card, but android start fail

General chit-chat
Help Users
  • No one is chatting at the moment.
    K3Nv2 @ K3Nv2: Lmao that sold out fast +1