Tutorial  Updated

How to get Switch Keys for Hactool/XCI Decrypting

This thread is deprecated
For a faster, easier and more up-to-date way of getting keys, use Lockpick_RCM by shchmue.
If you still want to follow this tutorial and end up with fewer keys, continue reading the thread.


WARNING
  • DO NOT GIVE OUT ANY OF YOUR KEYS TO ANYONE! I CANNOT STRESS THAT ENOUGH!
  • DO NOT SHARE YOUR KEYS BETWEEN MULTIPLE SWITCHES THAT YOU DO/DON'T OWN! SOME ARE CONSOLE-UNIQUE
  • DO NOT ASK ME FOR KEYS


LEGEND
  • SBK
    SecureBootKey
  • TSEC
    Tegra Security Co-processor Key
  • eMMC
    Embedded MultiMediaCard (Switch's Onboard Storage)


GOAL
End up with 83+ keys including SBK and TSEC keys. Get Master Keys 0-5. (Master Keys 6 onwards are not done in this tutorial.)
Reminder: if you want a more up-to-date and much more convenient way to get your Switch's keys, use Lockpick by shchmue (available in nx-appstore/homebrew store).


Tutorial — (Outdated for Switches on firmware 6.x or newer)


#1 - Dumping System Keys (Biskeydump) | #2 - Dumping Required Files | #3 - Hactool Preparation | #4 - Dumping Keys | Final Words | Troubleshooting


  #1 - Dumping System Keys (Biskeydump)
    We need to get your Secure Boot Key (SBK) and Tegra Security Co-processor Key (TSEC) before we can get the main keys.
    These are 100% console unique.

    1. Download and extract biskeydump.bin from biskeydumpvx.zip
      - Follow this tutorial but instead of using CTCaer's Hekate Mod .bin file, use the biskeydump.bin file
      - If the QR Code is Blue, scan the QR Code with your phone, laptop, etc.
      - If you can't find a device you can scan with, type them out into your PC/laptop (it's highly recommended to scan the QR Code, as a lot of characters can look like another: O0, Il, rn can look like m, etc.)
    2. Once you have the biskeydump of your system, store all the keys you received somewhere safe. I recommend a secure cloud storage as well as a USB stick, perhaps even print it.
      - Don't give this to ANYONE, Seriously.

    If you get any errors please go to the Troubleshooting Tab.


  #2 - Dumping Required Files
    1. Follow this tutorial AGAIN but this time use CTCaer's Hekate Mod.
      - "Tools" -> "Backup..." -> "Backup eMMC BOOT0/1"
      - "Tools" -> "Backup..." -> "Backup eMMC SYS"
      - Back all the way to the first menu, and choose "Power off"
    2. Take the microSD Card out of your Switch and into your PC.
    3. Copy both "BOOT0" and "BCPKG2-1-Normal-Main" from "sd:/backup/xxxxxx/" (xxxxxx is different for everyone) to "hactool" on your Desktop (create the "hactool" folder)
      - Rename them with .bin at the end, "BOOT0.bin", "BCPKG2-1-Normal-Main.bin"

  #3 - Hactool Preparation
    1. Download and install Python 2.7.x - NOT Python 3.x.x
      When installing, it will ask you what features you want installed; scroll to the bottom and make sure "Add Python to Path" has the "Entire Feature Installed to HDD" option chosen (No Red X Icon), otherwise the scripts won't find Python and WILL fail
    2. Download and extract hactool TO THE DESKTOP AND NAME THE FOLDER "hactool"
      On Linux/MacOS: clone and build hactool manually
    3. Right-click this (script originally by tesnos6921, patched by shadowninja108, jakibaki and shchmue)
      - Click "Save link as" / "save as"
      - Set "Save as type" to "All Files"
      - Name it "keys.py"
      And finally save it to the hactool folder you placed in the Desktop.
      NOTICE TO GBATEMP STAFF: The "keys" inside this file, are NOT keys, they are SHA digest hashes used to search through files to find text that matches, which would be the keys.

  #4 - Dumping Keys
    1. Press WIN(Btn)+R to open "Run", type "cmd" and press Ctrl+Shift then Enter to open Command Prompt as an Administrator
    2. Type (in order) or Copy the following and paste into Command Prompt (Some Windows Versions use Right Click to Paste, some use CTRL+C)
      python -m pip install --upgrade pip
      pip install lz4
      cd /d "%USERPROFILE%\Desktop\hactool"
      python keys.py SBK_Here_From_Biskeydump TSEC_Here_From_Biskeydump
    3. It should say: "Now you can do hactool --keyset=keys.txt to use them!", if it does, and there's no warning messages, you're good to go! :O
    If you get any errors please go to the Troubleshooting Tab.

  Final Words
    You now have a keys.txt file with your console-specific keys inside.
    Rename as needed by any software that requires a different name or file extension, it doesn't matter.
    Though I highly recommend renaming it to prod.keys, as this filename for key files is becoming a popular choice with other software.
    There may be more keys; as the Switch's lifecycle goes on, more and more keys will be needed as the firmwares grow and grow.
    • The Hactool warning:
      Code:
      [WARN] prod.keys does not exist.
      can be safely ignored.
      - If you want to place your "keys.txt" file there, put "keys.txt" on your Desktop and run the following with Administrator Command Prompt (Step #4.1 for instructions):
      Code:
      mkdir "%USERPROFILE%\.switch"
      move "%USERPROFILE%\Desktop\keys.txt" "%USERPROFILE%\.switch\prod.keys"

  Troubleshooting
    #1 ISSUES:
    • Code:
      Red QR Code Outline
      - This occurs quite rarely; all I can say is to keep rebooting and trying again.
      - If there's a new version of biskeydump out, try using the newer biskeydump.bin
    • Code:
      QR Code not being scanned by your Reader
      - Align your QR Code Reader's alignment overlay with the Blue Square's Corners/Edges, NOT the QR Code's Corners/Edges.
      - Clean your camera lens
      - Be in a bright room

    #4 ISSUES:
    • Code:
      File "keys.py", line ...
      print message
      ^
      SyntaxError: Missing parentheses in call to 'print'. Did you mean print(message)?
      - You didn't place SBK and TSEC in the 4th line of the Command in Step #4.2
      - You installed Python 3.x.x when you must use 2.7.x. Uninstall Python, log out of Windows (important, it removes Python from PATH) and follow Step #3.2, then move back to #4.1
    • Code:
      import lz4.block
      File "C:\Python27\lib\site-packages\lz4\__init__.py", line 17, in <module>
      from ._version import ( # noqa: F401
      ImportError: DLL load failed: The specified module could not be found.
      - The 2nd line of the Command in Step #4.2 failed without you noticing. Try running the 1st line to upgrade pip and if that goes successfully run the 2nd line to install lz4 and see if it successfully installs.
 
Last edited by shchmue,

kingraa777

C:\WINDOWS\system32>cd desktop/hactool
The system cannot find the path specified.

?????

there clearly is a hactool folder on my desktop ??

any help ?
 

MikeAtom

Guys please help!

Using BOOT0.bin to get keys from package1...
Deriving keys...
Traceback (most recent call last):
File "keys.py", line 374, in <module>
stage0_results = subprocess.check_output([HACTOOL_PATH, "--keyset=keys.txt", "--intype=keygen", "BOOT0.bin"])
File "C:\Python27\lib\subprocess.py", line 566, in check_output
process = Popen(stdout=PIPE, *popenargs, **kwargs)
File "C:\Python27\lib\subprocess.py", line 710, in __init__
errread, errwrite)
File "C:\Python27\lib\subprocess.py", line 958, in _execute_child
startupinfo)
WindowsError: [Error 2]
 

mario6714

Fix?

Using BOOT0.bin to get keys from package1...
Injecting keyblob_key_sources
Deriving keys...
Key (ReplaceMeWithTSEC) must be 32 hex digits!
Traceback (most recent call last):
File "kezplez.py", line 388, in <module>
stage0_results = subprocess.check_output([HACTOOL_PATH, "--keyset=keys.txt", "--intype=keygen", "BOOT0.bin"])
File "C:\Python27\lib\subprocess.py", line 219, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command '['hactool', '--keyset=keys.txt', '--intype=keygen', 'BOOT0.bin']' returned non-zero exit status 1

Already fixed Thx
 
Last edited by mario6714,

Hoini

Hi, I have a problem.
My Switch firmware version is 1.0.0, and I have an integrity BOOT0 & BCPKG2-1-Normal-Main file!
Using the hekate_ctcaer_4.1.bin payload.

I have already patched the keys.py file like this.

Hello,

I have had the same problem, and I think I have solved it.

The problem is in the script, which tries to find keys "keyblob_key_source_xx" from higher versions of the firm, and if it does not find them it gives the error: "Could not find keyblob_key_source_xx! Please check the integrity of the data used in the current stage!".

keyblob_key_source_00 is for master_key_00, which is the firmware version 1.0.0-2.3.0; the other keyblob_key_source_xx do not exist in these firmware versions.

More information about the keys: "https: //gist. github. com /roblabla/d8358ab058bbe3b00614740dcba4f208" (delete spaces)


The quick solution (only for versions 1.0.0-2.3.0),

comment the following lines (366 and 367):

Code:
keyblob_key_source_id, keyblob_key_source_xx = checkfound(find_via_hashset(PKG11_data, KEY_HASHES["keyblob_key_sources"], KEY_SIZES["keyblob_key_sources"]), "keyblob_key_source_xx")
keyz[keyblob_key_source_id] = keyblob_key_source_xx

result:

Code:
#keyblob_key_source_id, keyblob_key_source_xx = checkfound(find_via_hashset(PKG11_data, KEY_HASHES["keyblob_key_sources"], KEY_SIZES["keyblob_key_sources"]), "keyblob_key_source_xx")
#keyz[keyblob_key_source_id] = keyblob_key_source_xx
Bye. :grog:


And I have an error like this.


Using BOOT0.bin to get keys from package1...
Deriving keys...
Decrypting package1...
Using Secure_Monitor.bin to get keys to decrypt package2...
Decrypting package2...
Decompressing spl.kip1 and FS.kip1...
Getting keys from spl...
Getting keys from FS...
Could not find sd_card_save_key_source! Please check the integrity of the data used in the current stage!


I don't know the "Could not find sd_card_save_key_source! Please check the integrity of the data used in the current stage!" error message.
What is sd_card_kek_source, sd_card_save_key_source, sd_card_nca_key_source ??

FYI:
I am using the SD card only to back up my Switch binary files.

Please help me.
Thanks & Regards All.
 
Last edited by Hoini,

shchmue

1.0.0 doesn't actually have those keys! they were added in 2.0.0. might need to do more edits to lower the script's expectations
 

Hoini

Thx bro!

Where can I get that information?

My future plan is to downgrade to firmware version 1.0.0 after updating to firmware version 5.1.0.
Do you think it is possible?

It's available here1 and here2, but I'm stuck getting firmware 1.0.0 using my keys. (I have only 25 keys, without sd_card_kek_source, sd_card_save_key_source, sd_card_nca_key_source)
Also, I already have a Puyo Puyo Tetris (firmware 1.0.0) xci file.

Link is not working sorry.
In GbaTemp.
Here1: ChoiDujourNX - a system firmware installer homebrew for the Nintendo Switch
Here2: How to install/run ANY Switch firmware UNOFFICIALLY (WITHOUT burning any fuses)

The values are as follows: (25 keys in total)

header_key_source
key_area_key_system_00
tsec_key
aes_key_generation_source
titlekek_00
keyblob_mac_key_00
master_key_00
key_area_key_system_source
aes_kek_generation_source
keyblob_mac_key_source
key_area_key_ocean_00
keyblob_00
key_area_key_application_source
package1_key_00
package2_key_source
key_area_key_ocean_source
key_area_key_application_00
header_kek_source
secure_boot_key
header_key
titlekek_source
keyblob_key_00
keyblob_key_source_00
master_key_source
package2_key_00
 

shchmue

looks like it shouldn't need them to continue, so be sure you're using the latest script: https://gist.githubusercontent.com/...048a030122165acda2e3389fedc664c4e2/kezplez.py

and just comment out lines 444-446 by changing
Code:
find_and_add_key(FS_KIP1_data, "sd_card_kek_source")
find_and_add_key(FS_KIP1_data, "sd_card_save_key_source")
find_and_add_key(FS_KIP1_data, "sd_card_nca_key_source")
to
Code:
# find_and_add_key(FS_KIP1_data, "sd_card_kek_source")
# find_and_add_key(FS_KIP1_data, "sd_card_save_key_source")
# find_and_add_key(FS_KIP1_data, "sd_card_nca_key_source")
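
The tutorial's note that keys.py carries SHA digests rather than keys, and the replies above about values that firmware 1.0.0 never had, both come down to a digest-matched scan that tolerates names known to be absent. The following is an added Python 3 sketch, not code from keys.py/kezplez.py or from any poster. SHA-256, the function names and every sample byte are assumptions constructed for illustration; only the key names are borrowed from the thread.

```python
import hashlib

KEY_SIZE = 16  # 32 hex digits, the key length hactool reports in this thread

def find_by_digest(blob, digest, size=KEY_SIZE):
    """Return (offset, value) of the first size-byte window of blob whose
    SHA-256 equals digest, or None if no window matches."""
    for off in range(len(blob) - size + 1):
        window = blob[off:off + size]
        if hashlib.sha256(window).digest() == digest:
            return off, window
    return None

def collect_keys(blob, wanted, optional=frozenset()):
    """Look up every name in wanted (name -> digest) inside blob.

    Names listed in optional may be absent (e.g. values a given firmware
    never shipped); any other miss is treated as a damaged dump."""
    found, skipped = {}, []
    for name, digest in wanted.items():
        hit = find_by_digest(blob, digest)
        if hit is not None:
            found[name] = hit
        elif name in optional:
            skipped.append(name)
        else:
            raise LookupError("Could not find %s! Check the dump's integrity." % name)
    return found, skipped

def build_demo():
    """Constructed sample data: two made-up 16-byte values inside filler."""
    val_a = hashlib.sha256(b"constructed value A").digest()[:KEY_SIZE]
    val_b = hashlib.sha256(b"constructed value B").digest()[:KEY_SIZE]
    val_c = hashlib.sha256(b"constructed value C").digest()[:KEY_SIZE]
    blob = b"\xaa" * 200 + val_a + b"\x55" * 77 + val_b + b"\xaa" * 50
    wanted = {  # only digests are stored, never the values themselves
        "header_key_source": hashlib.sha256(val_a).digest(),
        "master_key_source": hashlib.sha256(val_b).digest(),
        "sd_card_kek_source": hashlib.sha256(val_c).digest(),  # not in blob
    }
    return blob, wanted, (val_a, val_b)

if __name__ == "__main__":
    blob, wanted, _ = build_demo()
    found, skipped = collect_keys(blob, wanted, optional={"sd_card_kek_source"})
    for name, (off, value) in sorted(found.items()):
        print("%-20s offset %4d  %s" % (name, off, value.hex()))
    print("absent (optional):", skipped)
```

Marking a name optional is the data-driven equivalent of commenting out its lookup line: the scan still fails loudly for anything the dump is expected to contain.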
 

Hoini

Finally I got 69 keys.
And it works for extracting all firmware versions except version 1.0.0.
I don't know why it doesn't, but let me figure it out.

Thanks Bro!! :)
 

Deleted member 456320

ah so it is, it does it how the homebrew version kezplez-nx does it so you can get all the key generations on any firmware
Pretty sure it just hardcodes keyblob_key_source_0X. Normally you can only get keyblob_key_source_00 and another depending on your firmware version. This allows you to decrypt the other keyblobs not on your firmware version. Kezplez-nx also does this
 

shchmue

that's what i said lol i've been elbow-deep in kezplez-nx for weeks now
00 and current installed are the versions you can get
 

Esquerdinio

Hey guys, one question: when I am trying to Print TSEC keys it shows me an error which says: Could not identify package1 version to read TSEC firmware <= ´2018 and some other numbers ´> How can I fix it? And why does it happen to me?
Thanks :)
 

HungNswitch

I am on firmware 6.0.0 and using the latest script from kezplez.py.
[Attached image: 1.png]

Any suggestions?
 
Last edited by HungNswitch,

jenyserhan

when I type
C:\Users\kanwil lampung\Desktop\hactool>python keys.py SBKKEY TSECKEY
then it shows:
Using BOOT0.bin to get keys from package1...
Deriving keys...
Decrypting package1...
Failed to decrypt PK11! Is correct key present?
Using Secure_Monitor.bin to get keys to decrypt package2...
Traceback (most recent call last):
File "keys.py", line 391, in <module>
TZ_f = open("package1/Secure_Monitor.bin", "rb")
IOError: [Errno 2] No such file or directory: 'package1/Secure_Monitor.bin'

what should I do?

I scan the QR code (blue background) and get a bunch of code
 
