Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage

• Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
• Upon completion, keys will be saved to /switch/prod.keys on SD
• If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)

Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues

• Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly

 

[henkp]

Absolutely. As per the Atlas guide, its highly recommended to run Lockpick_RCM via Caffeine.

Yeah well i kinda found out the hard way... but after keeping my switch at 4.1 for about a year, playing nothing but zelda, mario vs rabbids, mario and puyo puyo tetris, it hits me with the supernag. Time to sell this one after all :-(

 

[Draxzelex]

Yeah well i kinda found out the hard way... but after keeping my switch at 4.1 for about a year, playing nothing but zelda, mario vs rabbids, mario and puyo puyo tetris, it hits me with the supernag. Time to sell this one after all :-(

Use Gag-Order which was specifically designed to remove the supernag on firmware versions 4.1 and lower. Setup DNS settings before using Gag-Order to avoid redownloading the supernag.

 

[ZachyCatGames]

Use Gag-Order which was specifically designed to remove the supernag on firmware versions 4.1 and lower. Setup DNS settings before using Gag-Order to avoid redownloading the supernag.

How can they use Gag-Order if they are on a patched unit which can only use browserhax (which the supernag blocks) to access homebrew :/

 

[Draxzelex]

How can they use Gag-Order if they are on a patched unit which can only use browserhax (which the supernag blocks) to access homebrew :/

Whoops, messed up the order of events. Guess right now they can update to 5.X with a cartridge and wait for Deja Vu on 5.X

 

[ganons]

Doesnt seem to work on SX OS on 7.0.1?

 

[shchmue]

Doesnt seem to work on SX OS on 7.0.1?

did you launch the payload directly instead of chainloading from the SX menu

 

[hippy dave]

Whoops, messed up the order of events. Guess right now they can update to 5.X with a cartridge and wait for Deja Vu on 5.X

If they only just got the super nag, then their Switch probably knows about 8.x, so 5.x might not clear the nag? I know this stuff is still being worked out, but it sounded like that's how it works.

 

[ganons]

did you launch the payload directly instead of chainloading from the SX menu

Yes directly. How do you chainload?

 

[Sack148]

Hey,
one question regarding lockpick and emuNAND (Atmosphere/KOSMOS):
My OFW is currently on 3.0.1 and i want to keep it there in case someone finds a way for a cold boot exploit.
To be able to play newer games I've upgraded in emunand to 8.1 with ChoiDujourNX. Now I am facing the issue that I need the newer keys to convert XCI to NSP.
Now it looks like that i am only able to extract the keys from my real NAND (up to master key 05).

Is there any way to get the newer keys? Unforunately I cannot find any answer online. (What might mean that it's not possible...)

 

[shchmue]

Hey,
one question regarding lockpick and emuNAND (Atmosphere/KOSMOS):
My OFW is currently on 3.0.1 and i want to keep it there in case someone finds a way for a cold boot exploit.
To be able to play newer games I've upgraded in emunand to 8.1 with ChoiDujourNX. Now I am facing the issue that I need the newer keys to convert XCI to NSP.
Now it looks like that i am only able to extract the keys from my real NAND (up to master key 05).

Is there any way to get the newer keys? Unforunately I cannot find any answer online. (What might mean that it's not possible...)

here's a version that only derives keys from emummc, i haven't worked out how i want to do an interface option to choose and i've been working on trying to integrate Lockpick with Nyx and running into some roadblocks so sorry everyone. here it is in the meantime

 

[ataraxis]

here's a version that only derives keys from emummc, i haven't worked out how i want to do an interface option to choose and i've been working on trying to integrate Lockpick with Nyx and running into some roadblocks so sorry everyone. here it is in the meantime

Thanks for the release. Would like to know if this needs to be chain loaded in hekate or can straight inject using tegraRCM?

 

[shchmue]

Thanks for the release. Would like to know if this needs to be chain loaded in hekate or can straight inject using tegraRCM?

both work

 

[ataraxis]

both work

Thanks

 

[sushi4u]

here's a version that only derives keys from emummc, i haven't worked out how i want to do an interface option to choose and i've been working on trying to integrate Lockpick with Nyx and running into some roadblocks so sorry everyone. here it is in the meantime

I have a question.
I tried both chain loading the Lockpick_RCM Emummc and running it through Tegra.

Unfortunatly when i ran tegra it just freezes my switch.
When i run it through the payloader option off hekate its says

Firmware 7.x or higher detected.
Renamed /sept/payload.bin to /sept/payload.bak
Copied self to /sept/payload/bin.
Press power or vol +/- to Reboot to Sept...

Then when i press power. It shows a sept atmosphere splash screen. Then black screen.

Any idea what i am doing wrong.

Thanks

 

[shchmue]

I have a question.
I tried both chain loading the Lockpick_RCM Emummc and running it through Tegra.

Unfortunatly when i ran tegra it just freezes my switch.
When i run it through the payloader option off hekate its says

Firmware 7.x or higher detected.
Renamed /sept/payload.bin to /sept/payload.bak
Copied self to /sept/payload/bin.
Press power or vol +/- to Reboot to Sept...

Then when i press power. It shows a sept atmosphere splash screen. Then black screen.

Any idea what i am doing wrong.

Thanks

does the regular payload work? if so there might be something up with your emunand

 

[sushi4u]

does the regular payload work? if so there might be something up with your emunand

Thanks for replying back.

Yes. Running clean 2.3 sysnand and created a partition for emunand and updated to 8.1.0 with ChoiDujour.

I am able to get keys no problem on stock 2.3 with lockpick_rcm. Also able to run lockpick.nro off the homebrew channel as well when on emmunand. But fails to get the new keys cause it’s not lockpick_rcm.

So I am pretty stumped. Not sure if I should just recreate a new emummc with hekate and see if that fixes it.

 

[xmatr1x]

I've got the same issue at sushi4u.

Tegrasmash and payload loader both freeze when I try to use the emummc lockpick rcm app.

*edit* I'll add some more information. I'm on 3.0 stock and 8.1/Atmos 0.9.3 for emummc. Running the regular lockpick_rcm works to get my 3.0 keys, the file you posted above for retrieving emummc keys does not. I set up the partition on my SD card from the guide to do so, used hekate to copy over stock FW to emummc, then updated to 8.1 with choidujournx. I'm a bit surprised no one else has run into this issue but sushi4u and myself.

 

[shchmue]

that sucks, i'm not super confident in that build anyway. i have some ideas but i'm not gonna half-ass them and it's going to take a lot of work to come to get it where i want it, which i haven't really had to time to do.

in testing, i have the program even faster, and optionally launching within Nyx for a much sleeker experience that doesn't require rebooting afterwards, that will have the capability to choose emu or sysnand. i just need to finish it all up; there are a ton of changes from last commit and it's not finished heh

 

[romsenin]

I made a quick patch (bad code but it's works for me) for lockpick_rcm to support emuMMC (RAW1) on GitHub : Frogomeli/Lockpick_RCM

 

[shchmue]

is all of that hardcoded stuff necessary? mine just calls hekate's emummc api, eg instead of sdmmc_storage_read, emummc_storage_read