Homebrew RELEASE Lockpick - Switch key derivation homebrew

[jorgesd]

hi, i got the error Get Tegra keys.... Error: "Warning: Saving limited keyset. Dump Tegra keys with payload and run again to get all keys." and Dumping tittlekeys... No titlekeys found. Either you've never played or installed a game or dump failed." when opening lockip version 1.2. I print TSEC and Fuse info into my sd card with 4.8 hetake. My sd is not corrupt since i can do everthing normally. ams 8.4 with firmware 7.0.1 | 8 fuses burned. Dumps are in the carpet backup

 

[notimp]

Same here.

 

[KaruzoHikari]

I had the Tegra keys and title keys issue with the latest version (v1.2), and no matter what I did it just wouldn't work. But after trying with the v1.1 it worked just fine

 

[MrAttraction]

Same problem here.
I've dumped tsec keys and fuse info but Lockpick seems to be unable to dump Tegra keys on 7.0.x

 

[xfighter11]

Also have the same problem with current version. Maybe it needs to be updated for 7.0.1? I dumped Fuse + TSEC with Hekate 4.8.

/EDiT: Strange, I downgraded to 6.2 but still not possible

 

[MrAttraction]

On my switch I can dump all keys fine but on my brother's console I'm getting this Tegra keys error

I updated mine offline to 7.0.1 via ChoiDujourNX and he updated his switch accidentally when it asked, but I don't think that would be the reason to this error.. weird

 

[huma_dawii]

On my switch I can dump all keys fine but on my brother's console I'm getting this Tegra keys error

I updated mine offline to 7.0.1 via ChoiDujourNX and he updated his switch accidentally when it asked, but I don't think that would be the reason to this error.. weird

Everybody, use THIS payload to get your KEYS, hekate is not working to get the keys for some reason.

https://files.sshnuke.net/biskeydumpv8.zip after your do that you should get 113 keys, I cant get more that that

 

[xfighter11]

Everybody, use THIS payload to get your KEYS, hekate is not working to get the keys for some reason.

https://files.sshnuke.net/biskeydumpv8.zip after your do that you should get 113 keys, I cant get more that that

Is there a tutorial for it? And does Lockpick work with the keys keys biskeydump?

 

[huma_dawii]

Is there a tutorial for it? And does Lockpick work with the keys keys biskeydump?

Yes it does, I tried it myself, just put the biskeydump inside SD/bootloader/payloads/biskeydump.bin

then run hekate, and launch the payload via the payload menu and it will launch biskeydump, it will open and you will press - to dump the keys, then the switch will turn off. Done

 

[test0000]

This is because Lockpick is expecting a tsec_keys.bin file of 48 bytes long but hekate 4.8 generates a file of 32 bytes.

Line 188 in common.cpp:

else if (!tsec.found() && (p.file_size() == 0x30) &&


This can be worked around easily by adding 16 bytes to tsec_keys.bin file using an hexadecimal editor.

According to source code, only the first 32 bytes seem to be used anyway: (line 194)

fread(temp_key.data(), 0x10, 1, tsec_file);

tsec = Key("tsec_key", 0x10, temp_key);

fread(temp_key.data(), 0x10, 1, tsec_file);


I did that and Lockpick was able to extract 113 keys.


But tinfoil and goldleaf are making atmosphere crash when loading a nsp and Zerotwoxci is returning an error.

Don't know if it is linked to keys or other apps...

 

[xfighter11]

I dumped my keys with biskeydump.bin but Lockpick don't seem to like its key format. Any help? Do I need to format something?

 

[notimp]

Everybody, use THIS payload to get your KEYS, hekate is not working to get the keys for some reason.

https://files.sshnuke.net/biskeydumpv8.zip after your do that you should get 113 keys, I cant get more that that

This is the easiest workaround so far.

Here are detailed steps (to be used with atmosphere 0.8.4+):
- rename reboot_payload.bin in the atmosphere folder to 2reboot_payload.bin
- rename biskeydump.bin to reboot_payload.bin and put it in the atmosphere folder
- use the reboot to rcm nro to reboot into this payload
- follow on screen instructions to write the file to the disk
- shut down the switch, and reboot it with your payload injector
- launch atmosphere and then run lockpick again - this time it should work
- delete reboot_payload.bin from the atmosphere folder and rename 2reboot_payload.bin to reboot_payload.bin again

Use the most current version of Lockpick.

Thats it. Thank you for finding this workaround.

 

[xfighter11]

This is the easiest workaround so far.

Here are detailed steps (to be used with atmosphere 0.8.4+):
- rename reboot_payload.bin in the atmosphere folder to 2reboot_payload.bin
- rename biskeydump.bin to reboot_payload.bin and put it in the atmosphere folder
- use the reboot to rcm nro to reboot into this payload
- follow on screen instructions to write the file to the disk
- shut down the switch, and reboot it with your payload injector
- run lockpick again - this time it should work
- delete reboot_payload.bin from the atmosphere folder and rename 2reboot_payload.bin to reboot_payload.bin again

Use the most current version of Lockpick.

Thats it. Thank you for finding this workaround.

This guide it totally useless I guess. Did you even try it? First of all it won't work with AutoRCM enabled (what the most people are using). Furthermore Lockpick won't find any with biskeydump generated keys since they are stored in a different format on a different location on the SD card. Pls let me know if I'm wrong.

 

[test0000]

This guide it totally useless I guess. Did you even try it? First of all it won't work with AutoRCM enabled (what the most people are using). Furthermore Lockpick won't find any with biskeydump generated keys since they are stored in a different format on a different location on the SD card. Pls let me know if I'm wrong.

You can try what I posted juste above. Adding 16 bytes (all 0) to tsec_keys.bin is very easy. You can use Frhed editor for example.

 

[notimp]

I have Autorcm enabled. Thats not an issue.
Also, I've wrote the 'guide' after I did all of the steps myself.

Atmosphere boots into the reboot_payload.bin firmware - when you use the reboot to rcm nro. Thats part of its featureset.

This allows you to reboot into the biskeydumpv8 payload once renamed.

This allows you to write the device.keys file to the sdcard.

After the next reboot into atmosphere, lockpick worked for me.

(Had generated both fuse info and TSEC keys - with hekate before)
--

If this is another case of "lockpick suddently working" - then I apologize, but this is what worked for me on my second try with Lockpick. When on the first try (just with hekate dumping fuse info and TSEC) it didn't work. FW: 7.0.1
--

As for the "totally useless part" - everything worked as described. There are NO issues with autorcm. You'd have known that if you had read atmosphere changelogs for the past few releases. And all of this worked. No path issues - nothing.

If this should turn out to be a case of Lockpick suddenly working for no reason, as it did for one other user - thats not my fault. But I presume it was biskeydumpv8 at work, that made Lockpick work afterwards.

 

[xfighter11]

You can try what I posted juste above. Adding 16 bytes (all 0) to tsec_keys.bin is very easy. You can use Frhed editor for example.

I could, yes. But I guess something is fishy with the Hekate dumped keys. Maybe those are incomplete. So I doubt it will work

--------------------- MERGED ---------------------------

If this is another case of "lockpick suddently working" - then I appologise, but this is what worked for me on my second try with Lockpick. When on the first try (just with hekate dumping fuse info and TSEC) didn't work.

Yeah, I think it is another case of spontaneous working. If I understand everything correctly Lockpick is only scanning the keys in the backup folder dumped by Hekate. So it doesn't even touch the device.keys dumped by biskeydump.

 

[huma_dawii]

After getting 113 keys what else you need? I think is enough xD

 

[test0000]

I could, yes. But I guess something is fishy with the Hekate dumped keys. Maybe those are incomplete. So I doubt it will work

As I said, Lockpick code is only using 32 bytes out of 48, so it should not be an issue.
I guess hekate developers just removed the extra bytes for consistency. Next version of Lockpick will align for sure.

But is Lockpick extracting the correct keys for 7.0.x ? Let's wait for shchmue's confirmation

 

[ZachyCatGames]

I want muh tsec_root_key_01 and master_kek_07 :feelsbaguetteman:

 

[shchmue]

Error: "Warning: Saving limited keyset. Dump Tegra keys with payload and run again to get all keys."

• Reason: Lockpick can't find your TSEC and SBK dump files
  • Cause 1: you viewed the TSEC and fuse info in Hekate but didn't save both to SD card
  • Cause 2: your SD card has corrupt sectors and needs reformatting
  • Cause 3: your SD card is counterfeit and acts like it's saving files but isn't

Where does the TSEC and SBK need to be dumped to? Root, same folder as lockpick?

we spoke on Discord but for those playing at home, i'll be pushing a fix for Lockpick not finding TSEC keys dumped with Hekate 4.8, i had a strict file size check in place and Hekate rightfully changed the file size for it.