Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip, containing both sept-primary.bin and sept-secondary.enc, must be present on SD; otherwise only keyblob master key derivation is possible (i.e. up to master_key_05 only)
Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly
 

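The usage notes above say that without the /sept/ files on a 7.x console only keyblob derivation runs, so the dump stops at master_key_05. The checker below is an added example, not code from Lockpick_RCM or from anyone in this thread: it parses the `name = hex` lines that Lockpick_RCM writes to /switch/prod.keys, verifies that the master keys are 16 bytes and contiguous, and reports whether the dump got past the keyblob limit. It assumes that layout (one `name = hex` entry per line, master keys named master_key_NN with two lowercase hex digits); the sample key bytes are constructed placeholders, not real console keys.

```python
"""Sanity-check a Lockpick_RCM prod.keys dump.

Added example, not part of Lockpick_RCM. Assumes the `name = hex`
line format and 16-byte master keys named master_key_NN.
"""
import re
import sys
from typing import Dict

# One `name = hexvalue` entry per line, optional surrounding whitespace.
KEY_LINE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)\s*$")
MASTER_KEY = re.compile(r"^master_key_([0-9a-f]{2})$")

# Highest master key index reachable from keyblobs alone (per the usage notes).
KEYBLOB_MAX_INDEX = 0x05


def parse_prod_keys(text: str) -> Dict[str, bytes]:
    """Parse prod.keys text into {name: raw bytes}.

    Blank lines and lines starting with '#' or ';' are skipped; a line that
    is not a `name = hex` entry, has odd-length hex, or repeats a name raises
    ValueError so a truncated or hand-edited file is not silently accepted.
    """
    keys: Dict[str, bytes] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", ";")):
            continue
        m = KEY_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'name = hex' entry: {line!r}")
        name, hexval = m.group(1), m.group(2)
        if len(hexval) % 2:
            raise ValueError(f"line {lineno}: odd-length hex value for {name}")
        if name in keys:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        keys[name] = bytes.fromhex(hexval)
    return keys


def highest_master_key(keys: Dict[str, bytes]) -> int:
    """Return the highest NN for which master_key_NN is present, or -1 if none."""
    best = -1
    for name in keys:
        m = MASTER_KEY.match(name)
        if m:
            best = max(best, int(m.group(1), 16))
    return best


def check_master_keys(keys: Dict[str, bytes]) -> Dict[str, object]:
    """Report gaps, wrong-length master keys, and whether the dump went past keyblob derivation."""
    top = highest_master_key(keys)
    missing = [f"master_key_{i:02x}" for i in range(top + 1)
               if f"master_key_{i:02x}" not in keys]
    bad_length = [n for n, v in keys.items() if MASTER_KEY.match(n) and len(v) != 16]
    return {
        "highest": top,
        "missing": missing,
        "bad_length": bad_length,
        "beyond_keyblob": top > KEYBLOB_MAX_INDEX,
    }


# Constructed samples: placeholder bytes, NOT real console keys.
SAMPLE_FULL = "\n".join(
    [f"master_key_{i:02x} = {bytes([i] * 16).hex()}" for i in range(0, 8)]
    + ["aes_kek_generation_source = " + "11" * 16]
)
SAMPLE_KEYBLOB_ONLY = "\n".join(
    f"master_key_{i:02x} = {bytes([i] * 16).hex()}" for i in range(0, 6)
)

if __name__ == "__main__":
    # Usage: python check_prod_keys.py /path/to/prod.keys (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FULL
    print(check_master_keys(parse_prod_keys(text)))
```

Run it against the prod.keys copied off the SD card; a `beyond_keyblob` of False on a 7.x console means the /sept/ files were missing or not picked up, and a non-empty `missing` list means the dump is incomplete and should be redone rather than fed to hactool.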
Hey, thanks for the fast reply. Is there any practical purpose for Picklock_RCM_unc.bin? Could I chainload such an uncompressed payload from, say, hekate's payload launch menu? I was vaguely aware that there is a size limit for payloads injected via the RCM exploit, but I don't know if that applies to all payloads loaded through other means as well.

Though, I am not sure why I would want to do such a thing. Is the uncompressed payload simply a build artifact, or is it there for another reason?
Nope, it is just a step in the build of the payload. If the final payload is too big, it is compared with the unc one; in some rare cases the unc version could be smaller than the compressed one.
 
It tells you right here what the unc is for

Code:
all: $(OUTPUTDIR)/$(TARGET).bin $(LDRDIR)
    @echo "--------------------------------------"
    @echo -n "Uncompr size: "
    $(eval BIN_SIZE = $(shell wc -c < $(OUTPUTDIR)/$(TARGET)_unc.bin))
    @echo $(BIN_SIZE)" Bytes"
    @echo "Uncompr Max:  140288 Bytes + 3 KiB BSS"
    @if [ ${BIN_SIZE} -gt 140288 ]; then echo "\e[1;33mUncompr size exceeds limit!\e[0m"; fi
    @echo -n "Payload size: "
    $(eval BIN_SIZE = $(shell wc -c < $(OUTPUTDIR)/$(TARGET).bin))
    @echo $(BIN_SIZE)" Bytes"
    @echo "Payload Max:  126296 Bytes"
    @if [ ${BIN_SIZE} -gt 126296 ]; then echo "\e[1;33mPayload size exceeds limit!\e[0m"; fi
    @echo "--------------------------------------"

To clarify, read from there and down and you will see what it does
 

What are you suggesting, that I read the contents of the makefile, like I am some sort of programmer? Surely you must be jesting!

In all seriousness, thanks for pointing me in that direction, it is all much clearer now ♥.
 
Picklock is the same as Lockpick, just renamed.

It will work on 17.0.1, since no new keys have been added since 17.0.0.
 
How should I go about using Lockpick on a chipped Switch? It boots right to Hekate so I assume I cannot send a payload the way I was accustomed to (using NS-USB Loader).

Edit: I think I figured it out, there is an option to dump from sysnand or emunand, does it matter?
 
You use the Lockpick.bin as a payload through Hekate. Dump sysnand.
 
Just informing you guys that I will be stepping down and out of the Switch scene. I had to sell my Switch and thus I am unable to continue homebrewing and whatnot. The Lockpick by Mudkip is exactly the same as the one I had, so there is no reason not to switch over to that one. I will take my Git instance down and reuse my Pi for other projects, so the source will be gone too (but again, Mudkip's is the same source).
 
Sorry to hear that, but we have to thank you so much for all the work, effort and gifts you have given us for such a long time.

Regards from Colombia.
 
Yes, sorry to hear that. Thanks for all your hard work and dedication. Hope your next step is awesome!
 
