Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage

• Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
• Upon completion, keys will be saved to /switch/prod.keys on SD
• If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)

Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues

• Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly

 

[Hayato213]

Correct and that's what is puzzling me.

That is weird I would expect Sysnand keys to atleast work fine, what you on right now exFAT or FAT32?

 

[Hassal]

That is weird I would expect Sysnand keys to atleast work fine, what you on right now exFAT or FAT32?

FAT32. I'm going to assume this system update has done some shenanigans because all the keys I've dumped for other consoles before using exFAT were without issues.

 

[mrdude]

FAT32. I'm going to assume this system update has done some shenanigans because all the keys I've dumped for other consoles before using exFAT were without issues.

Just reinstall the firmware then, you can google this "darthsternie firmware" to get the firmware, flash it with daybreak then reboot to make sure everything is working, then try dumping the keys again.

 

[Hassal]

Just reinstall the firmware then, you can google this "darthsternie firmware" to get the firmware, flash it with daybreak then reboot to make sure everything is working, then try dumping the keys again.

I no longer have that switch but I checked with another without downloading the firmware update and the keys dump fine, so there's definitely something fishy about that updates that cripples the functionality of lockpick.

 

[ahmedal_]

Can someone make the Lockpick for Version 16.1.0

 

[Jayro]

The OP needs to update the first page with working Lockpick links, the originals are dead.

 

[Hassal]

I no longer have that switch but I checked with another without downloading the firmware update and the keys dump fine, so there's definitely something fishy about that updates that cripples the functionality of lockpick.

I'd like to add this piece of information, if you try to dump your keys on an exFAT system update lockpick will blank eticket_rsa_keypair
eticket_rsa_kek_personalized

If this happens your file will shrink in size that's when you know you got fucked and your keys are useless.

 

[Dust2dust]

Can someone make the Lockpick for Version 16.1.0

Is there a new masterkey for the new firmware? Strange that the new firmware hasn't been announced yet on the front page.

 

[Slluxx]

Can someone make the Lockpick for Version 16.1.0

The OP needs to update the first page with working Lockpick links, the originals are dead.

Is there a new masterkey for the new firmware? Strange that the new firmware hasn't been announced yet on the front page.

As far as i can tell, the lockpick i posted here should still work. You usually only have to expect new master keys when jumping from 16.x.x to 17.x.x etc. Also, i am pretty much certain that the first post will never be edited anymore, due to the DMCA shchmue recieved. Dont expect official updates anymore.

 

[Slluxx]

Can someone test this 17.0.0 update? My switch downloads the update extremely slowly so i can only test in an hour or so.
Be aware that Atmosphere didn't update yet so don't just wing it just to test the payload.

Picklock (Rebranded Lockpick after DMCA), compatible with 17.0.0

 

[jkyoho]

Can someone test this 17.0.0 update? My switch downloads the update extremely slowly so i can only test in an hour or so.
Be aware that Atmosphere didn't update yet so don't just wing it just to test the payload.

Mariko confirmed v1.9.11(above) successful dump 17.0.0 key_area_key_application_10 and ect NEW KEY

 

[Slluxx]

Mariko confirmed v1.9.11(above) successful dump 17.0.0 key_area_key_application_10 and ect NEW KEY

Thank you!

 

[Hobojoe007]

Will there also need to be a new version of NXDumpTool to work with the new keys/latest firmware? I accidently updated to 17.0.0 and haven't been able to use NXDumpTool at all since, even with the new keys generated by picklock

 

[petspeed]

Will there also need to be a new version of NXDumpTool to work with the new keys/latest firmware? I accidently updated to 17.0.0 and haven't been able to use NXDumpTool at all since, even with the new keys generated by picklock

Yes it seems NXDumpTool need an update to work with 17.0.0

 

[Slluxx]

Because the people at wiidatabase.de dislike this thread/my payload because there is no source code (even though they link and feature DBI, which is closed source), i will give any person that is somewhat known in the scene permission for the private github repo (just hit me up). I don't like it being private but its just what it is after the DMCA attacks.

Also wiidatabase, fix the crooked moral compass you got going on lmao.

 

[ghjfdtg]

They do have a point regarding the GPL license but i understand that making a new repo public won't last long with the DMCA trolls out there.

 

[BaamAlex]

Because the people at wiidatabase.de dislike this thread/my payload because there is no source code (even though they link and feature DBI, which is closed source), i will give any person that is somewhat known in the scene permission for the private github repo (just hit me up). I don't like it being private but its just what it is after the DMCA attacks.

Also wiidatabase, fix the crooked moral compass you got going on lmao.

Their moral compass isn't crooked. There is just a difference between you and the dev from dbi. Dbi has more or less "manifested" itself in the scene over time (yeah it's bullshit that it isn't open source, but some people use it). And you just randomly hosted the lockpick payload which was not necessary at all at that time because it worked until 17.0.0. And wiidatabase did nothing else. So there was no real reason to offer your payload for download.

 

[Slluxx]

Their moral compass isn't crooked. There is just a difference between you and the dev from dbi. Dbi has more or less "manifested" itself in the scene over time (yeah it's bullshit that it isn't open source, but some people use it). And you just randomly hosted the lockpick payload which was not necessary at all at that time because it worked until 17.0.0. And wiidatabase did nothing else. So there was no real reason to offer your payload for download.

You seem to be misunderstanding something. I did not ask them nor wanted them to host my payload. I don't care about that.
Their note about my comment (that the payload can be found here), can be translated to "yeah sure, and download a binary without sourcecode". Which simply is double standard when featuring DBI.

It does not matter how much known someone is, how long a piece of software existed and how well established whatever happens to be. The source is private. There is absolutely no difference.

And you just randomly hosted the lockpick payload which was not necessary at all

I hosted the payload because the original source was already gone due to the DMCA and i wanted to make clear that i will still maintain it into the future. It was an attempt to change a few things so it wont get immediately tackled by another DMCA. The repository of the 17.0.0 payload is based on is a private mirror of that exact repository.

So you are wrong on 2 or 3 things in your post (depending on how you view it).

Besides, my comment about wiidatabase was no invitation to discuss this, more an open info. So i wont respond to other comments about this.

 

[linuxares]

Wouldnt it be possible to program the software to check a folder with the latest code from Ams to decipher the keys?

 

[Slluxx]

Wouldnt it be possible to program the software to check a folder with the latest code from Ams to decipher the keys?

I am not sure where or even if the keys are somewhere in a compiled atmosphere release (never checked it). But yeah, something automated should be possible (either by providing the files from ams to lockpick and building or grabbing the keys somewhere at "runtime")