Tutorial  Updated

How to get Switch Keys for Hactool/XCI Decrypting

This thread is deprecated
For a faster, easier and more up-to-date way of getting keys use Lockpick_RCM by shchmue
If you still want to follow this tutorial and end up with fewer keys, continue reading the thread.


WARNING
  • DO NOT GIVE OUT ANY OF YOUR KEYS TO ANYONE! I CANNOT STRESS THAT ENOUGH!
  • DO NOT SHARE YOUR KEYS BETWEEN MULTIPLE SWITCHES THAT YOU DO/DON'T OWN! SOME ARE CONSOLE-UNIQUE
  • DO NOT ASK ME FOR KEYS


LEGEND
  • SBK
    SecureBootKey
  • TSEC
    Tegra Security Co-processor Key
  • eMMC
    Embedded MultiMediaCard (Switch's Onboard Storage)


GOAL
End up with 83+ keys including SBK and TSEC keys. Get Master Keys 0-5. (Master Keys 6 onwards are not done in this tutorial)
Reminder, if you want a more up-to-date and much more convenient way to get your Switch's keys, use Lockpick by shchmue (available in nx-appstore/homebrew store)


Tutorial — (Outdated for Switches on firmware 6.x or newer)


#1 - Dumping System Keys (Biskeydump) | #2 - Dumping Required Files | #3 - Hactool Preparation | #4 - Dumping Keys | Final Words | Troubleshooting


  1. We need to get your Secure Boot Key (SBK) and Tegra Security Co-processor Key (TSEC) before we can get the main keys.
    These are 100% console unique.

    1. Download and extract biskeydump.bin from biskeydumpvx.zip
      - Follow this tutorial but instead of using CTCaer's Hekate Mod .bin file, use the biskeydump.bin file
      - If the QR Code is Blue, scan the QR Code with your phone, laptop, etc.
      - If you can't find a device you can scan with, type them out into your PC/laptop (It's highly recommended to scan the QR Code, as a lot of characters can look like another: O0, Il, rn can look like m, etc.)
    2. Once you have the biskeydump of your System, store all the keys you received somewhere safe. I recommend a secure cloud storage as well as a USB Stick, perhaps even print it.
      - Don't give this to ANYONE, Seriously.

    If you get any errors please go to the Troubleshooting Tab.


    1. Follow this tutorial AGAIN but this time use CTCaer's Hekate Mod.
      - "Tools" -> "Backup..." -> "Backup eMMC BOOT0/1"
      - "Tools" -> "Backup..." -> "Backup eMMC SYS"
      - Back all the way to the first menu, and choose "Power off"
    2. Take the microSD Card out of your Switch and into your PC.
    3. Copy both "BOOT0" and "BCPKG2-1-Normal-Main" from "sd:/backup/xxxxxx/" (xxxxxx is different for everyone) to "hactool" on your Desktop (create the "hactool" folder)
      - Rename them with .bin at the end, "BOOT0.bin", "BCPKG2-1-Normal-Main.bin"

    1. Download and install Python 2.7.x - NOT Python 3.x.x
      When installing, it will ask you what features you want installed; scroll to the bottom and make sure "Add Python to Path" has the "Entire Feature Installed to HDD" option chosen (No Red X Icon), otherwise the scripts won't find Python and WILL fail
    2. Download and extract hactool TO THE DESKTOP AND NAME THE FOLDER "hactool"
      On Linux/MacOS: clone and build hactool manually
    3. Right-click this (script originally by tesnos6921, patched by shadowninja108, jakibaki and shchmue)
      - Click "Save link as" / "save as"
      - Set "Save as type" to "All Files"
      - Name it "keys.py"
      And finally save it to the hactool folder you placed in the Desktop.
      NOTICE TO GBATEMP STAFF: The "keys" inside this file, are NOT keys, they are SHA digest hashes used to search through files to find text that matches, which would be the keys.

    1. Press WIN(Btn)+R to open "Run", type "cmd" and press Ctrl+Shift then Enter to open Command Prompt as an Administrator
    2. Type (in order) or Copy the following and paste into Command Prompt (Some Windows Versions use Right Click to Paste, some use CTRL+C)
      python -m pip install --upgrade pip
      pip install lz4
      cd Desktop/hactool

      python keys.py SBK_Here_From_Biskeydump TSEC_Here_From_Biskeydump
    3. It should say: "Now you can do hactool --keyset=keys.txt to use them!", if it does, and there's no warning messages, you're good to go! :O
    If you get any errors please go to the Troubleshooting Tab.

  2. You now have a keys.txt file with your console-specific keys inside.
    Rename as needed by any software that requires a different name or file extension, it doesn't matter.
    Though I highly recommend renaming it to prod.keys, as this filename for key files is becoming a popular choice with other software.
    There may be more keys, as the Switch's lifecycle goes on, more and more keys will be needed as the firmwares grow and grow.
    • The Hactool warning:
      Code:
      [WARN] prod.keys does not exist.
      can be safely ignored.
      - if you want to place your "keys.txt" file there, put "keys.txt" on your Desktop and run the following with Administrator Command Prompt (Step #4.1 for instructions):
      Code:
      mkdir "%USERPROFILE%\.switch"
      move "%USERPROFILE%\Desktop\keys.txt" "%USERPROFILE%\.switch\prod.keys"

  3. #1 ISSUES:
    • Code:
      Red QR Code Outline
      - The reasons this can occur is quite a rarity, all I can say is to keep rebooting and trying again.
      - If there's a new version of biskeydump out, try using the newer biskeydump.bin
    • Code:
      QR Code not being scanned by your Reader
      - Align your QR Code Reader's alignment overlay with the Blue Square's Corners/Edges, NOT the QR Code's Corners/Edges.
      - Clean your camera lens
      - Be in a bright room

    #4 ISSUES:
    • Code:
      File "keys.py", line ...
      print message
      ^
      SyntaxError: Missing parentheses in call to 'print'. Did you mean print(message)?
      - You didn't place SBK and TSEC in the 4th line of the Command in Step #4.2
      - You installed Python 3.x.x when you must use 2.7.x; uninstall Python, log out of Windows (important, it removes Python from PATH) and follow Step #3.2 then move back to #4.1
    • Code:
      import lz4.block
      File "C:\Python27\lib\site-packages\lz4\__init__.py", line 17, in <module>
      from ._version import ( # noqa: F401
      ImportError: DLL load failed: The specified module could not be found.
      - The 2nd line of the Command in Step #4.2 failed without you noticing. Try running the 1st line to upgrade pip and if that goes successfully run the 2nd line to install lz4 and see if it successfully installs.
 
Last edited by shchmue,
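An added example, not part of the original post and not code from keys.py: a pre-check for the SBK and TSEC strings typed in from the biskeydump screen, catching the look-alike characters and unreplaced placeholders that the tutorial and its troubleshooting section describe. It assumes both keys are 128-bit values written as 32 hex digits; the script name check_keys.py and the function names are made up for illustration, and it runs on Python 2.7 or 3.

```python
import string
import sys

KEY_HEX_LEN = 32  # assumption: SBK and TSEC key are 128-bit, written as 32 hex digits
HEX = set(string.hexdigits)
# Look-alikes the tutorial warns about, mapped to the hex digit they are usually mistaken for.
LOOKALIKES = {"O": "0", "o": "0", "I": "1", "l": "1"}
# Fragments of the placeholder arguments shown in the tutorial's example command lines.
PLACEHOLDER_HINTS = ("replaceme", "_here_", "biskeydump")


def check_key(name, value):
    """Return a list of problems with one transcribed key; an empty list means well-formed.

    Messages give positions and offending characters only, never the whole key,
    so the output can be pasted into a help thread without leaking the secret.
    """
    value = value.strip()
    if any(hint in value.lower() for hint in PLACEHOLDER_HINTS):
        return ["%s: placeholder text was not replaced with the real key" % name]
    problems = []
    if len(value) != KEY_HEX_LEN:
        problems.append("%s: expected %d characters, got %d"
                        % (name, KEY_HEX_LEN, len(value)))
    for pos, ch in enumerate(value, start=1):
        if ch in HEX:
            continue
        if ch in LOOKALIKES:
            problems.append("%s: position %d has %r, probably %r"
                            % (name, pos, ch, LOOKALIKES[ch]))
        else:
            problems.append("%s: position %d has non-hex character %r"
                            % (name, pos, ch))
    return problems


def check_pair(sbk, tsec):
    """Check both keys and flag the same value being pasted into both slots."""
    problems = check_key("SBK", sbk) + check_key("TSEC", tsec)
    if not problems and sbk.strip().lower() == tsec.strip().lower():
        problems.append("SBK and TSEC are identical; the same value was pasted twice")
    return problems


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: python check_keys.py <SBK> <TSEC>")
    found = check_pair(sys.argv[1], sys.argv[2])
    for line in found:
        print(line)
    sys.exit(1 if found else 0)
```
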

Cerealz

Yeah, seems to be confusion over this. For me personally I only have 00 and 04, and it worked fine for me once I'd set up the keys.ini properly

what's the process? just renaming keys.txt to keys.ini isn't working.. what else you have to do?
 

Nitsuka

maybe your keys.ini is correct but your .xci or .nca is corrupted. I had to dump a second time in order to make xci extract work (I didn't change my keys.ini)
 

Manarte

Help Using Python 2.7.15 get the following error:

C:\Users\-------\Desktop\hactool>python keys.py ReplaceMeWithSBK ReplaceMeWithTSEC
Traceback (most recent call last):
File "keys.py", line 25, in <module>
import lz4.block
File "C:\Users\-------\Desktop\hactool\lib\site-packages\lz4\__init__.py", line 11, in <module>
from ._version import ( # noqa: F401
ImportError: DLL load failed: The specified module could not be found.
 

Ty_

what's the process? just renaming keys.txt to keys.ini isn't working.. what else you have to do?

copy the text from keys.txt but don't just rename the file. Open up notepad to create a new file, paste the contents of keys.txt in there, save that as keys.ini but make sure it's saved as "all types", not "text file". If it's right it should display as a "configuration settings" file, not a text file
 

Cerealz

copy the text from keys.txt but don't just rename the file. Open up notepad to create a new file, paste the contents of keys.txt in there, save that as keys.ini but make sure it's saved as "all types", not "text file". If it's right it should display as a "configuration settings" file, not a text file
I tried that before, but hactool doesn't accept that.. neither HacToolGui.
If I rename it to keys.dat .. HacToolGui accepts it but misplaces some keys (ex. it fills with non-key string, "Master Key 01" field without having that on keys.data)

Oh well..... for curiosity, what's the vulnerability using other keys file that's floating around the internet?
I'll try this layeredfs thing disconnected from internet. (but going back online on normal boot)
 

BlastedGuy9905


IMPORTANT:
  • DO NOT GIVE OUT ANY OF YOUR KEYS TO ANYONE! I CANNOT STRESS THAT ENOUGH!
  • DO NOT SHARE YOUR KEYS BETWEEN MULTIPLE SWITCHES THAT YOU DO/DONT OWN! THEY ARE UNIQUE
  • DO NOT ASK ME FOR KEYS


NOTES:
  • This currently only results in 40 keys including SBK and TSEC while there are a total of 80 keys currently documented.
    While 40 will do for most decrypting, you MIGHT need more keys for some titles.
    Any tips to get the other 40 would be appreciated.
    [topic=499218]Source[/topic]
  • This does give you Master Key 0-4.


Tutorial — RISEofProBB


Step 1 - Key Preparation | Step 2 - Dumping Required Files | Step 3 - File Preparation | Step 4 - Dumping Keys | Step 5 - Finalizing


    1. We need your SBK (Secure Boot Key) and TSEC (Tegra X1's Security Co-processor Keys) before we can get the main keys. These are 100% console unique.
    2. Download biskeydump from https://switchtools.sshnuke.net/ and load it like a hekate payload. It will present you with a QR code. If the bg behind the QR code is red, it failed, reboot and try until it's blue.
    3. Scan the QR code with your phone, laptop, etc. to easily copy and paste it to your PC. You can just type it out onto your laptop, but it's faster and more efficient (you don't want to have an O when it's actually a 0 or l when it's an I).
    4. Save SBK and TSEC from biskeydump on your system somewhere. Make sure you remember which one is for SBK and TSEC.
    5. You now have SBK and TSEC. We now have the main keys to continue onwards! :D

    1. Download CTCaer's AMAZING Hekate mod here, this lets you dump specific stuff without it taking hours to do a full dump when we don't need to do a full dump.
    2. Dumping BOOT0 - Load CTCaer's AMAZING Hekate mod as usual (RCM Smasher etc.). Now go to "Tools" -> "Dump eMMC BOOT". We now have BOOT0 and BOOT1
    3. Dumping BCPKG2-1-Normal-Main - Load CTCaer's AMAZING Hekate mod as usual (RCM Smasher etc.). Now go to "Tools" -> "Dump eMMC SYS". We now have BCPKG2-1-Normal-Main as well as a couple other things we don't need. But it still spares us time from dumping the entire nand with regular hekate.
    4. We now have both required switch-nand based files we need to get and derive keys from.

    1. Go here and right-click > save as > save as type - All Files > Name keys.py > Save. (script by reswitched)
    2. NOTICE TO GBATEMP STAFF: The "keys" inside this file, are NOT keys, they are SHA digest hashes used to search through files to find text that matches, which would be the keys.
    3. Download and install Python 2.7.x (IMPORTANT: When installing, it will ask you what features you want installed, if you scroll to the bottom you should see a RED X where the rest are grey HDD icons. Click that red X and change it to "Entire feature installed to HDD". This sets Python in your environment path. I cannot stress how important this is. If you don't do this, you cannot continue)
    4. Download and extract hactool TO THE DESKTOP AND NAME THE FOLDER "hactool"
    5. Put the keys.py inside the folder for hactool, next to hactool.exe
    6. Copy the "BOOT0" file from Switch's SD card to the folder for hactool, next to hactool.exe and rename BOOT0 to BOOT0.bin to give it an extension of .bin
    7. Copy the "BCPKG2-1-Normal-Main" file from Switch's SD card to the folder for hactool, next to hactool.exe and rename BCPKG2-1-Normal-Main to BCPKG2-1-Normal-Main.bin to give it an extension of .bin

    1. Open Windows Search Bar and type "cmd" or "command prompt", right click and run as admin.
    2. Type the following in Bold:
      cd Desktop/hactool
    3. You should now be in the "hactool" folder.
    4. Type the following:
      pip install lz4
    5. Once installed, type the following (Replace as it says):
      python keys.py ReplaceMeWithSBK ReplaceMeWithTSEC
    6. It will now execute the key extractor. In simple terms, what it's doing is extracting Package1 from BOOT0 -> Extracting keys from Package1 -> Using those keys to get other keys.
    7. It should say: "Now you can do hactool --keyset=keys.txt to use them!", if it does, and there's no warning messages, you're good to go! :O
    If you get the following error on Part 5:
    Code:
    File "keys.py", line 259
    print message
    ^
    SyntaxError: Missing parentheses in call to 'print'. Did you mean print(message)?
    Then you typed: python keys.py SBK TSEC literally when you're meant to replace SBK and TSEC with the keys you got.
    Then you're using Python 3.x.x when I told you to use 2.7.x, uninstall python, reboot (important) and install 2.7.x

    1. You now have a keys.txt file. Rename this to keys.ini to change it to an ini.
    2. You're done. You now have all the keys you need and you're good to go.
    You can now follow my XCI Decrypting tutorial to use Backups on Ryujinx or Yuzu, or if you just want to extract XCI's RomFS for datamining e.t.c :)
As I'm having trouble decrypting Donkey Kong Tropical Freeze, can you please release a tutorial on how to get the other 40 keys? People say 80/80 keys were found. (not asking for keys themselves)
 

CuriousTommy

Hello, I am stuck doing this tutorial because I am using mac. If I run "python keys.py ReplaceMeWithSBK ReplaceMeWithTSEC" (Yes, I replaced them with SBK and TSEC) I am getting this error:

Using BOOT0.bin to get keys from package1...
Deriving keys...
Traceback (most recent call last):
File "keys.py", line 374, in <module>
stage0_results = subprocess.check_output([HACTOOL_PATH, "--keyset=keys.txt", "--intype=keygen", "BOOT0.bin"])
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 216, in check_output
process = Popen(stdout=PIPE, *popenargs, **kwargs)
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 394, in __init__
errread, errwrite)
File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 1047, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory.

Can someone help me, please?
I appreciate every answer!

Give my solution a try. This solution should also work on Mac too.

Okay, so I figured out why it was not working. If you look at the python script, the path to the hactool is set like this:
Code:
HACTOOL_PATH = "hactool"
You need to set it to this
Code:
HACTOOL_PATH = "./hactool"

Once you fix that, the python script works great!
 

Neuil49

*/SOLVED/*

I've found the solution, you've got to install the 32bit version of python and not the x64

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Like others, I've got the DLL load error when launching the keys.py script (with my own keys as arguments, python 2.7.15 and lz4 installed).

Anyone has a solution?

 
Last edited by Neuil49,

lenn0x

Hello guys,

I'm getting stuck with the python script. I've obtained the keys from Biskeydump (blue background), dumped BOOT0.bin and BCPKG2-1-Normal-Main.bin. Any pointers would be appreciated!

C:\Users\lenn0\Desktop\hactool>python keys.py MyactualSBKkey Myactualtseckey
Using BOOT0.bin to get keys from package1...
Deriving keys...
[WARN]: Failed to match key "tsec_key", (value "")
[WARN]: Failed to match key "secure_boot_key", (value "")
[WARN]: Failed to match key "keyblob_key_source_04", (value "")
[WARN]: Failed to match key "keyblob_key_source_00", (value "")
[WARN]: Failed to match key "master_key_source", (value "")
[WARN]: Failed to match key "keyblob_mac_key_source", (value "")
Invalid NCA header! Are keys correct?
Decrypting package1...
[WARN]: Failed to match key "tsec_key", (value ")
[WARN]: Failed to match key "secure_boot_key", (value "")
[WARN]: Failed to match key "keyblob_key_source_04", (value "")
[WARN]: Failed to match key "keyblob_key_source_00", (value "")
[WARN]: Failed to match key "master_key_source", (value "")
[WARN]: Failed to match key "keyblob_mac_key_source", (value "")
Failed to decrypt PK11! Is correct key present?
Using Secure_Monitor.bin to get keys to decrypt package2...
Traceback (most recent call last):
File "keys.py", line 391, in <module>
TZ_f = open("package1/Secure_Monitor.bin", "rb")
IOError: [Errno 2] No such file or directory: 'package1/Secure_Monitor.bin'
 

ElCamo

Give my solution a try. This solution should also work on Mac too.

Tried. Still getting the same errors.

Deriving keys...
Traceback (most recent call last):
File "keys.py", line 374, in <module>
stage0_results = subprocess.check_output([HACTOOL_PATH, "--keyset=keys.txt", "--intype=keygen", "BOOT0.bin"])
File "/usr/lib/python2.7/subprocess.py", line 216, in check_output
process = Popen(stdout=PIPE, *popenargs, **kwargs)
File "/usr/lib/python2.7/subprocess.py", line 394, in __init__
errread, errwrite)
File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory
 
Last edited by ElCamo,

CuriousTommy

Tried. Still getting the same errors.

Deriving keys...
Traceback (most recent call last):
File "keys.py", line 374, in <module>
stage0_results = subprocess.check_output([HACTOOL_PATH, "--keyset=keys.txt", "--intype=keygen", "BOOT0.bin"])
File "/usr/lib/python2.7/subprocess.py", line 216, in check_output
process = Popen(stdout=PIPE, *popenargs, **kwargs)
File "/usr/lib/python2.7/subprocess.py", line 394, in __init__
errread, errwrite)
File "/usr/lib/python2.7/subprocess.py", line 1047, in _execute_child
raise child_exception
OSError: [Errno 2] No such file or directory

Did you compile the source code of the hactool tool on your mac?

Edit: I tested this on my MacBook Pro, I was able to get the python script working. Make sure that you compile the hactool source and copy the binary file to wherever the keys.py file is.
 
Last edited by CuriousTommy,

Ofdas23

Did you also compile the hactool source code and put the binary file next to keys.py?
Hello, yes I compiled it and I managed to fix that issue but now I have another one.. oh and thank you very much for your help. The error:

python keys.py mySBK myTSECKEY
Using BOOT0.bin to get keys from package1...
Deriving keys...
[ WARN ] Keyblob MAC 00 is invalid. Are SBK/TSEC key correct?
[ WARN ] Keyblob MAC 04 is invalid. Are SBK/TSEC key correct?
Decrypting package1...
Failed to decrypt PK11! Is correct key present?
Using Secure_Monitor.bin to get keys to decrypt package2...
Traceback (most recent call last):
File "keys.py", line 391, in <module>
TZ_f = open("package1/Secure_Monitor.bin", "rb")
IOError: [Errno 2] No such file or directory: 'package1/Secure_Monitor.bin'

I hope you can help me out. :)
 

gamemasteru03

I keep trying to run step 3 in the Dumping Keys section but each time I type in the command it returns "The system can not find the path specified". Anybody willing to help?
 
Deleted User

My key dumps keep missing master keys of 01-03. 00 exists, and so does 04 but not the rest. Can someone help me out here? Because this is driving me insane.
 

CuriousTommy

Hello, yes I compiled it and I managed to fix that issue but now I have another one.. oh and thank you very much for your help. The error:

python keys.py mySBK myTSECKEY
Using BOOT0.bin to get keys from package1...
Deriving keys...
[ WARN ] Keyblob MAC 00 is invalid. Are SBK/TSEC key correct?
[ WARN ] Keyblob MAC 04 is invalid. Are SBK/TSEC key correct?
Decrypting package1...
Failed to decrypt PK11! Is correct key present?
Using Secure_Monitor.bin to get keys to decrypt package2...
Traceback (most recent call last):
File "keys.py", line 391, in <module>
TZ_f = open("package1/Secure_Monitor.bin", "rb")
IOError: [Errno 2] No such file or directory: 'package1/Secure_Monitor.bin'

I hope you can help me out. :)

No problem!

I haven't run into that issue, but going off of the error message, did you supply the correct SBK and TSEC key? You made sure to replace mySBK and myTSECKEY with the actual keys you got, right?
 
