Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD, or else only keyblob master key derivation is possible (i.e. up to master_key_05 only)
Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly
Last edited by shchmue,
Guys, with the help of @Zoria, here is a summary of the steps normally used to upgrade the code of Lockpick when a new firmware is released.


Lockpick code is heavily based on Hekate. When a new firmware is released, some files must be changed to update values for the new firmware; those values are taken by Hekate and Lockpick from the most recent commit of Atmosphère supporting the new firmware. The values used by Atmosphère are found using a script created by SciresM, as he showed on the stream about upgrading Atmosphère to FW 20.

So to upgrade Lockpick you need to change some files, as far as I know:

  • /source/keys/crypto.h: for this file you need to update three sections. The values can be extracted from exosphere/program/source/boot/secmon_boot_key_data.s or fusee/program/source/fusee_key_derivation.cpp in the Atmosphère repo; the next table summarizes the sections where you can get them.
    Name in file crypto.h              Section name in secmon_boot_key_data.s    Function name in fusee_key_derivation.cpp
    device_master_kek_sources          Production Device Master Kek Sources      DeviceMasterKekSources
    device_master_kek_sources_dev      Development Device Master Kek Sources     DeviceMasterKekSourcesDev
    device_master_key_source_sources   Device Master Key Source Sources          DeviceMasterKeySourceSources

  • source/keys/key_sources.inl: for this file you need to update five sections. The values can be extracted from exosphere/program/source/boot/secmon_boot_key_data.s or fusee/program/source/fusee_key_derivation.cpp in the Atmosphère repo; the next table summarizes the sections where you can get them.
    Name in file key_sources.inl       Section name on secmon_boot_key_data.s    Function name on fusee_key_derivation.cpp
    master_kek_sources                 *not in secmon_boot_key_data*             EristaMasterKekSource
    master_key_vectors                 Production Master Key Vectors             MasterKeySources
    master_key_vectors_dev             Development Master Key Vectors            MasterKeySourcesDev
    mariko_master_kek_sources          Mariko Production Master Kek Source       MarikoMasterKekSource
    mariko_master_kek_sources_dev      Mariko Development Master Kek Source      MarikoMasterKekSourceDev

  • /source/hos/hos.h: for this file you need to add a new KB_FIRMWARE_VERSION_xxxx and update KB_FIRMWARE_VERSION_MAX

  • /Versions.inc, modify the version number.

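An added example, not code from this thread or from Lockpick_RCM itself, showing why the master_key_vectors table above matters when a new key generation appears. It assumes the chaining rule as I understand it from Lockpick_RCM and Atmosphère: vectors[0] is a zero block encrypted under master_key_00 (a check value) and vectors[i] is master_key_{i-1} encrypted under master_key_i, so the newest master key plus the table recovers every older generation. All keys below are constructed for the demo; none are real console keys.

```go
package main

import "bytes"
import "crypto/aes"

// ecbBlock performs one AES-ECB block operation with a 16-byte key.
func ecbBlock(key, in []byte, decrypt bool) []byte {
	c, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // keys are fixed at 16 bytes; a bad size is a programming error
	}
	out := make([]byte, aes.BlockSize)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out
}

// BuildVectors builds a master_key_vectors table from a complete key list. Assumed rule:
// vectors[0] = zeros encrypted under key 0 (check value), vectors[i] = key i-1 encrypted under key i.
func BuildVectors(masterKeys [][]byte) [][]byte {
	vectors := make([][]byte, len(masterKeys))
	prev := make([]byte, aes.BlockSize) // zero block seeds the check vector
	for i, k := range masterKeys {
		vectors[i], prev = ecbBlock(k, prev, false), k
	}
	return vectors
}

// DeriveMasterKeys walks the table backwards from the newest key (key i-1 = decrypt(key i, vectors[i]))
// and reports whether key 0 decrypts vectors[0] to zeros; a wrong newest key fails here, not silently.
func DeriveMasterKeys(newest []byte, vectors [][]byte) ([][]byte, bool) {
	keys := make([][]byte, len(vectors))
	keys[len(keys)-1] = newest
	for i := len(keys) - 1; i > 0; i-- {
		keys[i-1] = ecbBlock(keys[i], vectors[i], true)
	}
	return keys, bytes.Equal(ecbBlock(keys[0], vectors[0], true), make([]byte, aes.BlockSize))
}

// ConstructedMasterKeys returns n fake, deterministic 16-byte keys for the demo (not real console keys).
func ConstructedMasterKeys(n int) [][]byte {
	keys := make([][]byte, n)
	for i := range keys {
		keys[i] = bytes.Repeat([]byte{byte(i*37) ^ 0xA5}, aes.BlockSize)
	}
	return keys
}
```

This is also why a stale key_sources.inl shows up as a failed check rather than as plausible-looking but wrong keys: without the new vector entry the chain cannot be walked from the newest generation.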
I've been looking at this and checking the updated files.

Everything seems the same for 20.1.0, and Lockpick doesn't need to be updated, right?
Keys have nothing to do with fuses, and the console has lots of unused fuses, which theoretically allow 100 firmware versions.
Perhaps I'm mixing up terms in my head, but I was pretty sure this was the last possible new master key.

Edit: my bad about the fuses. Yes, there could even be thousands of them. I think I was thinking of keyblobs. But I also thought I remembered reading from farn.....bth that this was the last master key. I just don't remember why.
 
Last edited by OrGoN3,
Perhaps I'm mixing up terms in my head, but I was pretty sure this was the last possible new master key.
if worth something:

Fuses are small fuses INSIDE the Tegra chip; they can be burnt at will by software. HOS at startup checks the number of burnt fuses against the number corresponding to the actual firmware version. If the burnt fuses are fewer, HOS burns the number of fuses needed to match both numbers. If they are the same, it continues loading, but if the number of burnt fuses is greater than the number for the current firmware, a panic is called and the system will halt, because a downgrade is detected.

Atmosphère puts a virtual layer on the reading of the burnt fuses and always reports the correct number of fuses matching the current firmware.


Keys are a set of numbers used to encrypt the firmware files on the NAND. The keys are generated per firmware version with a new generation of keys; I really do not know the exact process, but the bootloader knows the numbers for the current firmware and sends those numbers (keys) to the Secure CPU, and that CPU reads and decrypts the firmware from NAND. If you don't provide the correct set of numbers, the console will not boot because the CPU cannot decrypt the files on NAND.

Not all firmwares have a new generation of keys; as far as I know there have been 85 firmware versions and revisions and only 20 key generations (0x00 to 0x13).
 
And if you check switchbrew you can see that some fuses hold public and private keys.... Nevertheless, I clarified my previous post.
 
Hello, is LockpickRCM [v1.9.15].bin the latest version compatible with the latest firmware?
 
I'm curious, is there homebrew to burn fuses for... fun?
Afaik no. Updating the firmware without using a custom bootloader will burn your fuses.

EDIT: Even if a homebrew like this existed, don't forget that you can't "unburn" the fuses. Once burnt = no way back.
 
Afaik no. Updating the firmware without using a custom bootloader will burn your fuses.

EDIT: Even if a homebrew like this existed, don't forget that you can't "unburn" the fuses. Once burnt = no way back.
Correction: simply booting OFW with a higher version than your number of burnt fuses indicates will burn them. It's not part of the installation process, as far as I know.
 
Correction: simply booting OFW with a higher version than your number of burnt fuses indicates will burn them. It's not part of the installation process, as far as I know.
I dunno how that works exactly. What I know is, when you update the console normally without a custom bootloader, your fuses are burnt. But not after every firmware update. There are firmware versions which didn't burn your fuses (silent updates, or however it is called in English). And you're right, if your OFW expects a higher number of fuses, it will burn all the fuses required for the firmware. Hopefully I've described that correctly.
 
Correction: simply booting OFW with a higher version than your number of burnt fuses indicates will burn them. It's not part of the installation process, as far as I know.
You are completely right.

As far as I read in the Atmosphère documentation, the fuse check is done by HOS at startup:

When HOS is starting, the fuses are compared:
  • If the console has the same number of burnt fuses as the current HOS setting, nothing happens.
  • If the number of burnt fuses on the console is higher than the current HOS setting, A KERNEL PANIC IS ISSUED and everything stops.
  • If the number of burnt fuses on the console is lower than the current HOS setting, the fuses are burnt to match.
The fuses are burnt ONLY after a full HOS load, because if you are updating the HOS version and that fails, you should be able to return to the previous version by going into Safe Start.
 
I'm having issues, how to fix those errors? Why can't it derive master keys? I'd love to get title keys too.
 
Now I got 212 keys for SysNAND and 213 keys for emuNAND. However, I get errors during titlekeys: "Save header is invalid" twice and "Failed to process es save" once. Unfortunately I don't get titlekeys.