Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)
Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code; please launch the payload directly
 


macia10

Well-Known Member
Member
Joined
Aug 13, 2012
Messages
123
Trophies
1
XP
775
Country
Poland
I have 113 keys in Lockpick and 114 in Lockpick_RCM. The difference is master_kek_source_07. I'm on 5.1
 

shchmue

Developer
OP
Developer
Joined
Dec 23, 2013
Messages
791
Trophies
1
XP
2,367
Country
United States
I haven't really looked into what exactly I need, but would this give me the keys for yuzu?

So the keys from Lockpick_RCM are used for tasks like 7.x encrypted XCI to NSP, correct?
Yes and yes.
I have 113 keys in Lockpick and 114 in Lockpick_RCM. The difference is master_kek_source_07. I'm on 5.1
This is expected behavior; later master keys are only obtainable from newer firmware, and that key is hardcoded.
Promise I know nuffin of console hacking, but if you can now lockpick 7.+ keys, should TX make a jump of happiness?
TX: finally someone did the job for us, and for free?
These keys are not sufficient to boot any CFW. I'm positive they've had any keys this can dump for weeks now.
 

Adran_Marit

Walküre's Hacker
Member
Joined
Oct 3, 2015
Messages
3,781
Trophies
1
Location
42*South
XP
4,557
Country
Australia
Need to check later
Lol I'm only making a small jab :)

Really? Are you sure about that? Many tempers are whining because TX is unable to deliver TX OS 7+

For my joy ofc.

It's my understanding that these keys do not equal the keys needed to sign sept, and those keys are still secret.
 

KuranKu

I am KranK
Developer
Joined
Jan 13, 2019
Messages
367
Trophies
0
Age
34
Location
Israel
XP
1,181
Country
Israel
These keys aren't firmware master keys, for those who are wondering; this won't bring 7.x support to SX.

These keys are there for only one purpose: to encrypt and decrypt data/content like the firmware itself or a game eShop/cartridge dump, etc.

Things they're usually used for ...
1. Repack/unpack/install games
2. Flash/repack firmware
3. Use/create content (could be used with yuzu)

There might be more interesting things these keys can be used for, but not to bring 7.x support to a CFW ^^

In other words, you need these keys if you want to install or bypass 7.x checks in a game while installing it:
1. Lets you install 7.x games on lower firmware by bypassing the version check
2. Allows installing 7.x games in general
3. Convert XCI to NSP / play on yuzu

Dumping 7.x keys from your Switch.
You must be on 7.x firmware to dump them; otherwise it will just dump keys up to the firmware you're on now.
If you're on firmware 6.2.0, Lockpick_RCM will dump keys only up to 6.2.0, even though it creates some data about 7.x when there's a lower firmware. Nevertheless, to actually dump 7.x keys you must have the 7.x CFW special files from the latest Atmosphère/Kosmos release.


I hope this clears up most of the questions :)
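To make the 113-vs-114 key comparison from earlier in the thread concrete, and to check how far a dump reaches (keys only go up to the firmware the console is running), here is an added Python example that is not part of the thread or of Lockpick_RCM: it parses prod.keys-style "name = hex" files, diffs two dumps, and reports the highest master_key index present. Both dumps are constructed sample data with placeholder hex values.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed sample dumps in the "name = hex" layout used by prod.keys.
# Hex values are made-up placeholders, not real console keys.
OLD_DUMP = """\
# constructed: dump from a 5.1 console with Lockpick homebrew
master_key_00 = 00000000000000000000000000000000
master_key_05 = 05050505050505050505050505050505
bis_key_00_crypt = 0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a
"""
NEW_DUMP = """\
# constructed: same console dumped with Lockpick_RCM
master_key_00 = 00000000000000000000000000000000
master_key_05 = 05050505050505050505050505050505
master_kek_source_07 = 07070707070707070707070707070707
bis_key_00_crypt = 0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a
"""

KEY_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)$")

def parse_keyset(text: str) -> Dict[str, str]:
    """Parse 'name = hex' lines; skip blanks/comments, reject bad or odd-length hex."""
    keys: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_LINE.match(line)
        if m is None or len(m.group(2)) % 2:
            raise ValueError(f"malformed key line {lineno}: {raw!r}")
        keys[m.group(1)] = m.group(2).lower()
    return keys

def diff_keysets(a: Dict[str, str], b: Dict[str, str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (names only in a, names only in b, names in both whose values differ)."""
    changed = {k for k in a.keys() & b.keys() if a[k] != b[k]}
    return set(a) - set(b), set(b) - set(a), changed

def highest_index(keys: Dict[str, str], prefix: str = "master_key_") -> Optional[int]:
    """Highest numeric suffix among keys named <prefix>NN, e.g. 5 for master_key_05."""
    idx = [int(k[len(prefix):]) for k in keys if k.startswith(prefix) and k[len(prefix):].isdigit()]
    return max(idx) if idx else None

if __name__ == "__main__":
    old, new = parse_keyset(OLD_DUMP), parse_keyset(NEW_DUMP)
    print(len(old), "vs", len(new), "keys; diff:", diff_keysets(old, new))
    print("highest master key in new dump:", highest_index(new))
```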
 

shchmue

Developer
OP
Developer
Joined
Dec 23, 2013
Messages
791
Trophies
1
XP
2,367
Country
United States
Lol I'm only making a small jab :)

It's my understanding that these keys do not equal the keys needed to sign sept, and those keys are still secret.
The signing keys are even more secret than the boot keys; those are package1_key_07 and package1_mac_key_01 (I think it's 01, to match the staggered numbering for tsec_root_key).

Regardless, my software will only ever use public methods. I have neither the aptitude nor the desire to drop 0days, so as soon as any of this is quite public I'm happy to dump it, but by that time it'll likely be academic at best. By that time the most interesting thing you'd be able to do with those is decrypt 7.0 package1.
 

Adran_Marit

Walküre's Hacker
Member
Joined
Oct 3, 2015
Messages
3,781
Trophies
1
Location
42*South
XP
4,557
Country
Australia
The signing keys are even more secret than the boot keys; those are package1_key_07 and package1_mac_key_01 (I think it's 01, to match the staggered numbering for tsec_root_key).

OWO

So we have 4 lots of keys then:

The secret signing keys
The boot keys
Then the keys this dumps
and BIS keys?
 

shchmue

Developer
OP
Developer
Joined
Dec 23, 2013
Messages
791
Trophies
1
XP
2,367
Country
United States
I'm not sure what you mean by lots here, and this dumps BIS keys. Currently, even Lockpick homebrew can dump BIS keys without being given TSEC + SBK. In any case, they're kinda just keys for different things. There are a number of keys this doesn't even dump because there's no public use for them at the moment.
 
