Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)
Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly
 

Attachments

  • AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg
    AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg
    11.2 KB · Views: 0
Last edited by shchmue,

LittleBigPadawan

New Member
Newbie
Joined
May 3, 2020
Messages
1
Trophies
0
Age
41
XP
24
Country
Brazil
Yes, same problem here. Nothing happens after being injected into TegraRcmGUI (2.6). I am using hekate 5.2, which according to CTCaer is compatible with Horizon 10.0.2

hi guys ,
is there a problem with newest lockpick rmc 1.8.2 and switch firmware 10.0.2 ?
after injecting the payload i got a black screen and nothing happens ...

version 1.8.1 will boot and i get the menu , but it failed to extract the keys due to incompatibility with fw 10.0.2

anybody else has the same issue ?
 

BlaBla1973

Member
Newcomer
Joined
Jul 4, 2018
Messages
6
Trophies
0
Age
56
XP
374
Country
Netherlands Antilles
My switch is on CFW 10.0.2 and OFW 10.0.3, the last version of Lockpick_RCM gives me a black screen.
Is there a newer version for firmware 10.0.3 needed?
 

shchmue

Developer
OP
Developer
Joined
Dec 23, 2013
Messages
788
Trophies
0
XP
2,248
Country
United States
My switch is on CFW 10.0.2 and OFW 10.0.3, the last version of Lockpick_RCM gives me a black screen.
Is there a newer version for firmware 10.0.3 needed?
i tested it on 10.0.3 with emunand before release. are you launching it directly or from another bootloader like argon or sx
 

PeteP

New Member
Newbie
Joined
Jul 18, 2020
Messages
2
Trophies
0
Age
46
XP
31
Country
United Kingdom
Hi guys, I’m on 10.0.4 and sx 3.0.3

lockpick 1.8.4 rcm boots to screen and when I choose Sysnand for keydump it goes straight to black screen. I have rcm.bin on root of sd and sept folder also on root
Any ideas?
 

shchmue

Developer
OP
Developer
Joined
Dec 23, 2013
Messages
788
Trophies
0
XP
2,248
Country
United States
Hi guys, I’m on 10.0.4 and sx 3.0.3

lockpick 1.8.4 rcm boots to screen and when I choose Sysnand for keydump it goes straight to black screen. I have rcm.bin on root of sd and sept folder also on root
Any ideas?
are you injecting it directly
 

PeteP

New Member
Newbie
Joined
Jul 18, 2020
Messages
2
Trophies
0
Age
46
XP
31
Country
United Kingdom
Via sx os there is a payload injector as part of the options menu.

Is Tegrarcm programme compatible with sx core??
 

Kyle Enkeboll

Member
Newcomer
Joined
Nov 3, 2014
Messages
5
Trophies
0
Age
39
XP
41
Country
United States
SX Core: 1.3 FW
SX OS: 3.0.4 Beta
NSW: 10.1.0 OFW
Lockpick_RCM.bin: 1.8.4

Using the OS to inject payload and it shows it accessing the sept folder but then quickly goes to a black screen. No prod.key file is generated (I have to hold down the PWR button to get it to do anything).
 

Muxi

Well-Known Member
Member
Joined
Jun 1, 2016
Messages
562
Trophies
0
Age
50
XP
1,621
Country
Germany
Using the OS to inject payload and it shows it accessing the sept folder but then quickly goes to a black screen. No prod.key file is generated (I have to hold down the PWR button to get it to do anything).
SX Core does not support RCM payloads!
 

Draxzelex

Well-Known Member
Member
Joined
Aug 6, 2017
Messages
17,806
Trophies
1
Age
27
Location
New York City
XP
11,785
Country
United States
Even for erista patched?
What I think he means is that SX Core does not support directly injecting any payload except the SX one. This causes issues for certain payloads such as Lockpick_RCM as it usually has to be injected directly in order to function. However since your unit is an Erista, you can chainload into Hekate via the SX OS RCM menu which will allow you to chainload into Lockpick_RCM.
 

Kanali

Member
Newcomer
Joined
Feb 7, 2018
Messages
22
Trophies
0
Age
27
XP
84
Country
Sweden
Haven't tinkered with my Switch for a while, but tried using this tool to get my keys, but all I get when I inject it is a black screen.

I'm on 6.0.0 and AMS 0.9.2
 
General chit-chat
Help Users
  • No one is chatting at the moment.
    KenniesNewName @ KenniesNewName: Apple is the new Disney