This thread is deprecated
For a faster, easier and more up-to-date way of getting keys use Lockpick_RCM by shchmue
If you still want to follow this tutorial and end up with less keys, continue reading the Thread.

WARNING

• DO NOT GIVE OUT ANY OF YOUR KEYS TO ANYONE! I CANNOT STRESS THAT ENOUGH!
• DO NOT SHARE YOUR KEYS BETWEEN MULTIPLE SWITCHES THAT YOU DO/DON'T OWN! SOME ARE CONSOLE-UNIQUE
• DO NOT ASK ME FOR KEYS

LEGEND

• SBK
  SecureBootKey
• TSEC
  Tegra Security Co-processor Key
• eMMC
  Embedded MultiMediaCard (Switch's Onboard Storage)

GOAL
End up with 83+ keys including SBK and TSEC keys. Get Master Key's 0-5. (Master Keys 6 onwards is not done in this tutorial)
Reminder, if you want more up-to-date and much more convenient way to get your Switch's Keys, use Lockpick by shchmue (available in nx-appstore/homebrew store)

Tutorial — (Outdated for Switch's on firmware 6.x or newer)

#1 - Dumping System Keys (Biskeydump)#2 - Dumping Required Files#3 - Hactool Preparation#4 - Dumping KeysFinal WordsTroubleshooting

1. 
   We need to get your Secure Boot Key (SBK) and Tegra Security Co-processor Key (TSEC) before we can get the main keys.
   These are 100% console unique.
   
   
   1. Download and extract biskeydump.bin from biskeydumpvx.zip
      - Follow this tutorial but instead of using CTCaer's Hekate Mod .bin file, use the biskeydump.bin file
      - If the QR Code is Blue, Scan the QR Code with your Phone, Laptop e.t.c
      - If you cant find a device you can scan with, type them out into your PC/Laptop (Its highly recommended to scan the QR Code, as a lot of characters can look like another, O0, Il, rn can look like m, e.t.c)
   2. Once you have the biskeydump of your System, store all the keys you received somewhere safe, I recommend a secure cloud storage aswell as a USB Stick, perhaps even print it.
      - Don't give this to ANYONE, Seriously.
   
   If you get any errors please go to the Troubleshooting Tab.
   
2. 
   
   1. Follow this tutorial AGAIN but this time use CTCaer's Hekate Mod.
      - "Tools" -> "Backup..." -> "Backup eMMC BOOT0/1"
      - "Tools" -> "Backup..." -> "Backup eMMC SYS"
      - Back all the way to the first menu, and choose "Power off"
   2. Take the microSD Card out of your Switch and into your PC.
   3. Copy both "BOOT0" and "BCPKG2-1-Normal-Main" from "sd:/backup/xxxxxx/" (xxxxxx is different for everyone) to "hactool" on your Desktop (create the "hactool" folder)
      - Rename them with .bin at the end, "BOOT0.bin", "BCPKG2-1-Normal-Main.bin"
3. 
   
   1. Download and install Python 2.7.x - NOT Python 3.x.x
      When installing, it will ask you what features you want installed, scroll to the bottom and make sure "Add Python to Path" has "Entire Feature Installed to HDD" option chose (No Red X Icon), otherwise the scripts wont find Python and WILL fail
   2. Download and extract hactool TO THE DESKTOP AND NAME THE FOLDER "hactool"
      On Linux/MacOS: clone and build hactool manually
   3. Right-click this (script originally by tesnos6921, patched by shadowninja108, jakibaki and shchmue)
      - Click "Save link as" / "save as"
      - Set "Save as type" to "All Files"
      - Name it "keys.py"
      And finally save it to the hactool folder you placed in the Desktop.
      NOTICE TO GBATEMP STAFF: The "keys" inside this file, are NOT keys, they are SHA digest hashes used to search through files to find text that matches, which would be the keys.
4. 
   
   1. Press WIN(Btn)+R to open "Run", type "cmd" and press Ctrl+Shift then Enter to open Command Prompt as an Administrator
   2. Type (in order) or Copy the following and paste into Command Prompt (Some Windows Versions use Right Click to Paste, some use CTRL+C)
      python -m pip install --upgrade pip
      pip install lz4
      cd Desktop/hactool
      python keys.py SBK_Here_From_Biskeydump TSEC_Here_From_Biskeydump
   3. It should say: "Now you can do hactool --keyset=keys.txt to use them!", if it does, and there's no warning messages, you're good to go!
   If you get any errors please go to the Troubleshooting Tab.
   
5. 
   You now have a keys.txt file with your console-specific keys inside.
   Rename as needed by any software that requires a different name or file extension, it doesn't matter.
   Though I highly recommend renaming it to prod.keys as this filename for Key file's is becoming a popular choice with other software
   There may be more keys, as the Switch's lifecycle goes on, more and more keys will be needed as the firmwares grow and grow.
   
   • The Hactool warning:

     [WARN] prod.keys does not exist.

     can be safely ignored.
     - if you want to place your "keys.txt" file their, put "keys.txt" on your Desktop and run the following with Administrator Command Prompt (Step #4.1 for instructions):
     

     mkdir -p %USERPROFILE%\.switch
     move "%USERPROFILE%\Desktop\keys.txt" "%USERPROFILE%\.switch\prod.keys"

6. 
   #1 ISSUES:
   

   • Red QR Code Outline

     - The reasons this can occur is quite a rarity, all I can say is to keep rebooting and trying again.
     - If there's a new version of biskeydump out, try using the newer biskeydump.bin

   • QR Code not being scanned by your Reader

     - Align your QR Code Readers alignment overlay with the Blue Square's Corners/Edges, NOT the QR Code's Corners/Edges.
     - Clean your camera lens
     - Be in a bright room
   
   #4 ISSUES:
   

   • File "keys.py", line ...
     print message
     ^
     SyntaxError: Missing parentheses in call to 'print'. Did you mean print(message)?

     - You didn't place SBK and TSEC in the 4th line of the Command in Step #4.2
     - You installed Python 3.x.x when you must use 2.7.x, uninstall python, logout of windows (important it removes python from PATH) and follow Step #3.2 then move back to #4.1

   • import lz4.block
     File "C:\Python27\lib\site-packages\lz4\__init__.py", line 17, in <module>
     from ._version import ( # noqa: F401
     ImportError: DLL load failed: The specified module could not be found.

     - The 2nd line of the Command in Step #4.2 failed without you noticing. Try running the 1st line to upgrade pip and if that goes successfully run the 2nd line to install lz4 and see if it successfully installs.

 

[Cyan]

If someone wants edit access to first post to update it, I can do that.

 

[Andrew-sama]

So I accidentally soft-bricked my Switch (restored earlier rawnand without matching boot files). Now I figured out that there is a possibility to heal it by reinstalling the firmware with another guide (How to install any Switch firmware unofficially), but first I need to get my keys.
I did everything from this guide, but at step 4, the following error occurred:

Using BOOT0.bin to get keys from package1...
Deriving keys...
Decrypting package1...
Using Secure_Monitor.bin to get keys to decrypt package2...
Decrypting package2...
Failed to decrypt PK21! Is correct key present?
Decompressing spl.kip1 and FS.kip1...
Traceback (most recent call last):
File "keys.py", line 409, in <module>
SPL_KIP1_f = open("ini1/spl.kip1", "rb")
IOError: [Errno 2] No such file or directory: 'ini1/spl.kip1'

I have correct SBK and TSEC keys, double checked. It seems that Hactool cannot decrypt package2 for some reason.
When I use the ctcaer/hekate bootloader to dump package1/2, it stucks on package2 as well.

I spent two days trying to figure this out. Can't find anything on the internet. Please help

 

[sk8er000]

Hello,
Actually I'm stuck at step 4.
I'm trying to get the keys of my switch (fw. 1.0.0) in order to update the firmware without fuse burn (the method with ChoiDujourNX is giving me an error). I've dumped all the files and followed the steps but when i run the command:

python keys.py ReplaceMeWithSBK ReplaceMeWithTSEC

using my SBK and TSEC i got this:

Using BOOT=.bin to get keys from package1...
Deriving keys...
Decrypting package1...
Using Secure_Monitor.bin to get keys to decrypt package2...
Decrypting package2...
Decompressing spl.kip1 and FS.kip1...
Getting keys from spl...
Getting keys from FS...
Could not find sd_card_kek_source! Please check the integrity of the data used in the current stage

 

[shchmue]

Hey everyone, I updated the OP with a newer script that should work on both 1.0 and 6.x and everything in-between! Anyone having problems with the script please retry the same procedure with the new link :3

 

[bodefuceta]

No such file or directory: 'package1/Secure_Monitor.bin', from running keys.py.

I have used 'make' from hactool 1.2 and indeed there is no 'package1', just a 'package1.bin'. What's the fix for this?

Also I had a problem importing 'nt' in keys.py, I figured it's a Windows thing and renamed it to os. I'm using GNU/Linux. Is there a tutorial for my OS, by the way?

 

[shchmue]

No such file or directory: 'package1/Secure_Monitor.bin', from running keys.py.

I have used 'make' from hactool 1.2 and indeed there is no 'package1', just a 'package1.bin'. What's the fix for this?

Also I had a problem importing 'nt' in keys.py, I figured it's a Windows thing and renamed it to os. I'm using GNU/Linux. Is there a tutorial for my OS, by the way?

i've only tested it on windows. i'll look into that when i have a free moment, but in the meantime you should be able to find and replace all filepath operations (calls to hactool and open(" ) with relative filepaths for example "./hactool" instead of "hactool" in your text editor and that should get it going

 

[bodefuceta]

i've only tested it on windows. i'll look into that when i have a free moment, but in the meantime you should be able to find and replace all filepath operations (calls to hactool and open(" ) with relative filepaths for example "./hactool" instead of "hactool" in your text editor and that should get it going

Thank you for responding, indeed it would be trivial to edit:
TZ_f = open("package1/Secure_Monitor.bin", "rb")
The problem is I have no idea what that file is. It's not present in the Hactool 1.2 Source release, master, or Windows zip, or after running make. What am I missing here?

Also I don't think there's any reason to add "./" on filepaths for Python's filing methods in any system.

 

[OrGoN3]

Will kezplez-nx get us the same amount of keys? If so, how would be go about obtaining the last 5 keys, or do we just wait until later firms?

 

[shchmue]

Thank you for responding, indeed it would be trivial to edit:
TZ_f = open("package1/Secure_Monitor.bin", "rb")
The problem is I have no idea what that file is. It's not present in the Hactool 1.2 Source release, master, or Windows zip, or after running make. What am I missing here?

Also I don't think there's any reason to add "./" on filepaths for Python's filing methods in any system.

those get created by hactool unpacking the BCPKG2 file so the call to hactool is failing. i’ll have a moment to troubleshoot on linux today so i’ll figure it out

Will kezplez-nx get us the same amount of keys? If so, how would be go about obtaining the last 5 keys, or do we just wait until later firms?

kezplez gets eticket_rsa_kek and has a duplicate key encrypted_header_key which is an old name for header_key_source so it saves both. otherwise the output is the same. which 5 keys do you mean? and indeed we won’t have the new generations of keys until firmwares come out with new keyblob seeds.

 

[bodefuceta]

those get created by hactool unpacking the BCPKG2 file so the call to hactool is failing. i’ll have a moment to troubleshoot on linux today so i’ll figure it out

I kinda screwed up my files, sorry. keys.py actually ran without any warnings, all I had to do was renaming 'nt' to 'os' and put './' before 'hactool'.

When I ran hactool --keyset, it returned an error "prod.keys does not exist", which I cannot find manually. Somehow my keys.txt has 83 keys even with that error, it's probably all correct right? I did the backups while my firmware was 5.1.

 

[shchmue]

I kinda screwed up my files, sorry. keys.py actually ran without any warnings, all I had to do was renaming 'nt' to 'os' and put './' before 'hactool'.
Then I ran hactool --keyset, but I got an error "prod.keys does not exist". Indeed I cannot find it. Somehow my keys.txt has 83 keys now, is that all? I did the backups while my firmware was 5.1.

hactool gives that warning no matter what if you don’t name the key file that and put it in ~/.switch and when you run hactool —keyset you have to specify the key file name after that. but if you have that many keys you’re fine and you needn’t mess with hactool any further unless you want

 

[bodefuceta]

hactool gives that warning no matter what if you don’t name the key file that and put it in ~/.switch and when you run hactool —keyset you have to specify the key file name after that. but if you have that many keys you’re fine and you needn’t mess with hactool any further unless you want

I can confirm everything works fine on GNU/Linux with minor changes, I even tested installing my .xci backup. Should be easy to make the guide cross-platform. I can perform more testing if you want.

 

[OrGoN3]

those get created by hactool unpacking the BCPKG2 file so the call to hactool is failing. i’ll have a moment to troubleshoot on linux today so i’ll figure it out

kezplez gets eticket_rsa_kek and has a duplicate key encrypted_header_key which is an old name for header_key_source so it saves both. otherwise the output is the same. which 5 keys do you mean? and indeed we won’t have the new generations of keys until firmwares come out with new keyblob seeds.

https://gbatemp.net/threads/number-of-switch-keys-dont-ask-for-them.499218/ OP says there are 88 keys currently. OP here says you get 83 keys.

 

[shchmue]

https://gbatemp.net/threads/number-of-switch-keys-dont-ask-for-them.499218/ OP says there are 88 keys currently. OP here says you get 83 keys.

ahh those. those are all in Pkg1loader iirc and i don’t know exactly what they’re for. they’re all in atmosphere if you really need them but :shrug: there are others in that list too like eticket_rsa_kek_source for example that are only useful to derive other keys, the actual list that most software actually needs is tiny by comparison. that said, this doesn’t and can’t and won’t dump eticket_rsa_kek so if you want that you have to use one of the other solutions linked in OP.

 

[OrGoN3]

ahh those. those are all in Pkg1loader iirc and i don’t know exactly what they’re for. they’re all in atmosphere if you really need them but :shrug: the more are others in that list too like eticket_rsa_kek_source for example that are only useful to derive other keys, the actual list that most software actually needs is tiny by comparison. that said, this doesn’t and can’t and won’t dump eticket_rsa_kek so if you want that you have to use one of the other solutions linked in OP.

So I'll stick with kezplez-nx. Thanks for letting me pick your brain and for explaining!

 

[uncommandable]

i manage to get the keys but when i use them to generate the firmware i want to install to my switch, it gives me this error

File "ChoiDujour.py", line 517, in <module>
File "ChoiDujour.py", line 225, in call_hactool
Exception: Invalid NCA header! Are keys correct?

 

[Dylos]

I keep getting the same error,
Using BOOT0.bin to get keys from package1...
Could not find keyblob_key_source_xx! Please check the integrity of the data used in the current stage!
I've tried multiple times to redump the BOOT0 file but every time I get the same error, I'm on 6.0.1

 

[shchmue]

updated the script again to use platform agnostic filepaths and tested on Win + Mac + Ubuntu. you must still build hactool yourself on Linux and MacOS.

(internal thing: I also fixed the script trying to look for the keyblob seeds in pkg1loader even though it's already going to grab them from Atmosphere github, and it only had then through 5.1.0. this prevented it from working on 6.0 afaict)

I keep getting the same error,
Using BOOT0.bin to get keys from package1...
Could not find keyblob_key_source_xx! Please check the integrity of the data used in the current stage!
I've tried multiple times to redump the BOOT0 file but every time I get the same error, I'm on 6.0.1

if you don't mind, grab the new script and try again and let me know if it works

 

[sangweb]

I've downloaded the Hekate 4.2 and it boot directly to the NSW with hbc etc..., I don't get the options like the older version such as 3.2. What am I missing here? TIA.

 

[Andrew-sama]

updated the script again to use platform agnostic filepaths and tested on Win + Mac + Ubuntu. you must still build hactool yourself on Linux and MacOS.

(internal thing: I also fixed the script trying to look for the keyblob seeds in pkg1loader even though it's already going to grab them from Atmosphere github, and it only had then through 5.1.0. this prevented it from working on 6.0 afaict)


if you don't mind, grab the new script and try again and let me know if it works

WOW! It worked for my problem! Thanks! You saved me!
Now it says:

[WARN] prod.keys does not exist.
unable to open : Invalid argument

Where can I get prod.keys?