RELEASE Lockpick - Switch key derivation homebrew

shchmue Dec 8, 2018.

  1. shchmue
    OP

    shchmue GBAtemp Advanced Fan

    Member
    8
    Dec 23, 2013
    United States
    Update March 4 2019:
    Due to changes in firmware 7.0.0 dumping new keys from homebrew is infeasible. Check out the RCM payload that can dump the new keys, Lockpick_RCM!

    Purpose:

    To obtain a key set for manipulation of Nintendo Switch file formats, particularly for use in tools that require it, whether that's hactool, hactoolnet/libhac, title management software, xci -> nsp converters, ChoiDujour (PC), etc.

    Background:

    In the process of fixing kezplez earlier this year, I decided to do a ground-up rewrite with a lot of support from the community. It's heavily optimized and gets all possible keys in <1 second as of Firmware 6.2.0. It can also dump titlekeys! This may take longer, depending on how many titles you have installed.

    How to use:
    1. Use Hekate to dump TSEC and fuses:
      1. Push hekate payload bin using TegraRCMSmash/TegraRCMGUI/modchip/injector
      2. Using the VOL and Power buttons to navigate, select "Console info..."
      3. Select "Print fuse info"
      4. Press Power to save fuse info to SD card
      5. Select "Print TSEC keys"
      6. Press Power to save TSEC keys to SD card
    2. Launch CFW of choice
    3. Open Homebrew Menu
    4. Run Lockpick
    5. Use the resulting prod.keys file as needed and rename if required
    You may instead use biskeydump and dump to SD to get all keys prior to the 6.2.0 generation - all keys up to those ending in 05. This will dump all keys up to that point regardless which firmware it's run on.

    Notes:
    • To get keys ending in 00-06, you must have firmware 6.2.0 installed. All other versions will dump all keys ending in 00-05.
    • No one knows package1_key_06, it's derived and erased fully within the encrypted TSEC payload. While there's a way to extricate tsec_root_key due to the way it's used, this is unfortunately not true of the package1 key.
    • If for some reason you dump TSEC keys on 6.2.0 and not fuses (secure_boot_key) you will still get everything except any of the package1 or keyblob keys (without SBK, you can't decrypt keyblobs and that's where package1 keys live).
    • The max keys this can get right now is 120, but don't worry too much about the exact number, not all of those are actually useful for most purposes. If you're missing any particular ones you want just let me know.
    • ChoiDujour will complain about extra keys and fail. For this, just provide a key file edited to contain only the following:
      • master_key_00 = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      • master_key_01 = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      • [... all master_keys through the latest one required by the firmware you're trying to install]
      • header_key = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      • aes_kek_generation_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      • aes_key_generation_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      • key_area_key_application_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXX
      • key_area_key_ocean_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
      • key_area_key_system_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXX
      • package2_key_source = XXXXXXXXXXXXXXXXXXXXXXXXXXXX

    Screenshot: dumpwithtitlekeys (image not reproduced)

    Source:
    https://github.com/shchmue/Lockpick
    Release: https://github.com/shchmue/Lockpick/releases

    GBATemp download center xref: https://gbatemp.net/download/lockpick.35298/

    Troubleshooting:
    • Error: You didn't get the 06 keys even though you did your Hekate dumps on firmware 6.2.0
      • Reason: Lockpick wasn't given tsec_root_key
        • Cause 1: the only 6.2.0 firmware you have is on SX emunand, which does not currently offer a way to dump that key. The ball is in their court on this.
        • Cause 2: Hekate didn't overwrite your existing TSEC dump. Delete your /backup/<hex number>/dumps/ folder from SD and re-dump TSEC and fuse info with Hekate version 4.5 or later before re-running Lockpick.
    • Error: "No titlekeys found. Either you've never played or installed a game or dump failed."
      • Reason: unable to dump titlekeys
        • Cause 1: there are no titlekeys to dump because you have never played or installed a game
        • Cause 2: Lockpick was unable to derive the eticket_rsa_kek which is required for titlekey decryption
          • Subcause 1: Lockpick saved limited key set and is missing master_key_00, fix your Hekate dumps
    • Error: "Warning: Saving limited keyset. Dump Tegra keys with payload and run again to get all keys."
      • Reason: Lockpick can't find your TSEC and SBK dump files
        • Cause 1: you viewed the TSEC and fuse info in Hekate but didn't save both to SD card
        • Cause 2: your SD card has corrupt sectors and needs reformatting
        • Cause 3: your SD card is counterfeit and acts like it's saving files but isn't
     

    Last edited by shchmue, Mar 4, 2019
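The trimmed ChoiDujour key file described in the notes above can be produced from a full Lockpick dump with a small filter. The script below is an added example, not part of Lockpick or the original post: the key names are the ones the post lists, the expected key sizes (16-byte AES keys, 32-byte header_key) are the hactool keyset sizes, and the sample dump is constructed with fake values.

```python
import re

# Key names the post lists for ChoiDujour; every master_key_NN present is kept as well.
CHOI_FIXED_KEYS = ("header_key", "aes_kek_generation_source", "aes_key_generation_source",
                   "key_area_key_application_source", "key_area_key_ocean_source",
                   "key_area_key_system_source", "package2_key_source")
MASTER_KEY_RE = re.compile(r"^master_key_[0-9a-f]{2}$")
# Expected sizes follow the hactool keyset layout: 16-byte AES keys, 32-byte header_key.
EXPECTED_BYTES = {"header_key": 32}
DEFAULT_BYTES = 16

# Constructed sample prod.keys (fake values, not a real dump). titlekek_source stands in
# for the "extra keys" the post says make ChoiDujour fail.
SAMPLE_PRODKEYS = """\
master_key_00 = 00112233445566778899aabbccddeeff
master_key_01 = ffeeddccbbaa99887766554433221100
header_key = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
aes_kek_generation_source = 11111111111111111111111111111111
aes_key_generation_source = 22222222222222222222222222222222
key_area_key_application_source = 33333333333333333333333333333333
package2_key_source = 66666666666666666666666666666666
titlekek_source = 77777777777777777777777777777777
"""

def parse_keyfile(text):
    """Parse 'name = hex' lines into a dict; reject anything that is not whole-byte hex."""
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, sep, value = line.partition("=")
        value = value.strip().lower()
        if not sep or not re.fullmatch(r"(?:[0-9a-f]{2})+", value):
            raise ValueError(f"line {lineno}: expected 'name = hex', got {raw!r}")
        keys[name.strip()] = value
    return keys

def choidujour_keyset(keys):
    """Keep only the listed keys, check sizes, and require a gapless master_key_00.. run."""
    masters = sorted(k for k in keys if MASTER_KEY_RE.match(k))
    if [int(m[-2:], 16) for m in masters] != list(range(len(masters))):
        raise ValueError("master_key_NN entries must run from 00 without gaps")
    out = {}
    for name in masters + [k for k in CHOI_FIXED_KEYS if k in keys]:
        want = EXPECTED_BYTES.get(name, DEFAULT_BYTES)
        if len(keys[name]) != want * 2:
            raise ValueError(f"{name}: expected {want} bytes, got {len(keys[name]) // 2}")
        out[name] = keys[name]
    return out
```

Writing the returned dict back out as `name = value` lines, in order, gives the trimmed prod.keys the post asks for.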
  2. sageharpuiahx

    What's the catch? :thonking:
     
  3. shchmue
    OP

    What do you mean? I mean, there is a catch, it crashes ES so you've got to reboot your Switch to run games afterwards, but otherwise, it's just the same algorithm every other titlekey deriver uses.
     
  4. 8BitWonder

    47 4F 54 20 45 45 4D
    Awesome work! :yay:
    I appreciate the work you've put into updating kezplez and now this.
     
  5. palantine
    This message by palantine has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  6. roflpwnt
    This message by roflpwnt has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  7. shchmue
    OP

    No agenda, enjoy the keys :)
     
  8. blawar

    You don't need to crash ES to dump the title keys. Tinfoil DZ uses BIS with a FAT32 driver to extract the title keys without crashing ES.
     
  9. KazoWAR

    Is it not possible to dump all the keys in RCM mode alone?
     
  10. blawar

    It is possible, and probably easier to do that, yes.
     
  11. palantine
    This message by palantine has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  12. KazoWAR

    OK, I only ask because I am afraid to boot CFW for fear of a ban.
     
  13. AnalogMan
    This message by AnalogMan has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  14. blawar
    This message by blawar has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  15. Adran_Marit

  16. shchmue
    OP

    Flag is a tribute to kezplez and to all the great LGBT people in my life etc. I don't remember seeing these comments on kezplez and the whole dang screen was a rainbow, but idc either so.
    So it just mounts System without FS? Hmm.
     
  17. palantine

    What do you think of my fork? I'm going to publish it but I will make sure to leave your name on it.
     
  18. shchmue
    OP

    low effort
     
  19. sageharpuiahx

    To be fair, I just assumed it was just a tacky colored background when it was canvassed across the whole screen.
     
  20. sj33
    This message by sj33 has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  21. palantine

    I know that giving kezplez a new GUI is a little lame, but you should give yourself credit instead of calling it low effort. I honestly see some cool ideas there, and a decent effort was made to learn about coding for the Switch. As long as you are trying your best, don't let anyone tear you down.
     
  22. Huntereb
    This message by Huntereb has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  23. sageharpuiahx
    This message by sageharpuiahx has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  24. blawar

    yes.
     
  25. palantine

  26. 210modz
    This message by 210modz has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  27. blawar

    I never polished the code, but here it is. system:/ is mapped to the raw BIS system partition (not file system). I'd give you more code, but it would be useless to you as it's too ingrained into my framework.

    https://pastebin.com/qj6gfTEd
     
  28. AliciaBurrito
    This message by AliciaBurrito has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  29. blawar
    This message by blawar has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  30. AliciaBurrito
    This message by AliciaBurrito has been removed from public view by osaka35, Dec 8, 2018, Reason: off-topic.
    Dec 8, 2018
  31. osaka35

    Please stop flame-baiting with the nonsense and focus on the release itself.

    Thanks for the effort! It works and works well.
     
    Last edited by osaka35, Dec 8, 2018
  32. AnalogMan

    Code:
    error("Faile dto open system partition\n");
    Lol
     