Toggle sidebar

Front-page Hacking RELEASE  Updated

Lockpick_RCM payload - Official Thread


Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)
Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly
 

Attachments

  • AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg
    AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg
    11.2 KB · Views: 0
Last edited by shchmue,
  • Like
Reactions: FanNintendo, Deleted member 753700, DefenderOfHyrule and 77 others
Click to expand...
Zoria said:
Honestly, I used this commit to modify the LockPick source code.
https://github.com/Atmosphere-NX/At...mits/4bce7efec739552c58694956eb7d6ee2a95cc3de

Source code : https://cdn.discordapp.com/attachme...83737f4353260a9e1a50536cf86267291e9668ce01ec&
Click to expand...
Thank you for the source. I have used that and added on to it with @impeeza's "Add comments to Keys to identify them" commit on Github to make it easier for me to understand and to learn what is what when I'm building it for myself. :D
 
  • Love
Reactions: impeeza
hetop said:
Thank you for the source. I have used that and added on to it with @impeeza's "Add comments to Keys to identify them" commit on Github to make it easier for me to understand and to learn what is what when I'm building it for myself. :D
Click to expand...
I only have the next comment, on the file"\Lockpick_RCM\source\hos\hos.h the lines

C++: 
#define KB_FIRMWARE_VERSION_1900 18
#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1800 //!TODO: Update on mkey changes.
#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1900 //!TODO: Update on mkey changes.

define two times the same variable, should be only the last one, leaving that duplicate redefinition you get the warnings:
1728428656108.png
should be only the last one left on the code?
Post automatically merged:

And @Zoria Thanks a lot for update the github with that files which we can not name here :D
Post automatically merged:

Zoria said:
Honestly, I used this commit to modify the LockPick source code.
https://github.com/Atmosphere-NX/At...mits/4bce7efec739552c58694956eb7d6ee2a95cc3de

Source code : https://cdn.discordapp.com/attachme...83737f4353260a9e1a50536cf86267291e9668ce01ec&
Click to expand...
Uploaded a copy to Downloads section:

https://gbatemp.net/download/lockpick_rcm-1-9-13-fw-19-zoria-source.38837/
 
Last edited by impeeza,
  • Like
  • Love
Reactions: laz305 and Zoria
  • Wow
Reactions: impeeza and jkyoho
impeeza said:
I only have the next comment, on the file"\Lockpick_RCM\source\hos\hos.h the lines

C++: 
#define KB_FIRMWARE_VERSION_1900 18
#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1800 //!TODO: Update on mkey changes.
#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1900 //!TODO: Update on mkey changes.

define two times the same variable, should be only the last one, leaving that duplicate redefinition you get the warnings:
View attachment 463579should be only the last one left on the code?
Click to expand...
Yesterday I had only gotten as far as to finish editing it, not building it, because it was getting too late into the night, but when building it I encountered the same issue as you, @impeeza, I did some searching around and here is what I found:


Yes, only the last line should be there. When Descots updated From 16.0.0 to 17.0.0 and from 17.0.0 to 18.0.0 they always removed the old "#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_XX00 //!TODO: Update on mkey changes." and replaced it the the newest "#define KB_FIRMWARE_VERSION_MAX KB_FIRMWARE_VERSION_XX00 //!TODO: Update on mkey changes." in the file ./source/hos/hos.h

I'm tagging @Zoria as well, because when I look at their source the "hos.h" file has, as you @impeeza noticed, both lines:
Code: 
#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1800 //!TODO: Update on mkey changes.
#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1900 //!TODO: Update on mkey changes.
Near the end of the file, when it should only be the latest one:
Code: 
#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1900 //!TODO: Update on mkey changes.

And when Nintendo sometime pushes out FW 20.0.0, that line should be removed and replaced with:
Code: 
#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_2000 //!TODO: Update on mkey changes.
 
Last edited by hetop,
  • Like
  • Love
Reactions: NotUsingAnAltAccount, Tyvar1, Zoria and 2 others
hetop said:
Yesterday I had only gotten as far as to finish editing it, not building it, because it was getting too late into the night, but when building it I encountered the same issue as you, @impeeza, I did some searching around and here is what I found:
Click to expand...
he he he, that happen to some of us.
Post automatically merged:

duckbill007 said:
So, you just hardcode master_key_12 to lockpick? Because I run it on FW 17.0.0 and it "dump" me all the keys up to 19.0.0

Is this allowed by GBATemp rules?
Click to expand...
the code on lockpick is the same on atmosphere the seeds are on the file exosphere/program/source/boot/secmon_boot_key_data.s of the atmosphere code by example, the next time a fw is release you can copy the new code from that file to the source of picklock.

and by example my SYSNAND is on FW 4.0.1 but with the last version of LockPick you can extract any keys, the keys are extracted using the seeds which you only will know each time Big N release a new Firmware.
 
Last edited by impeeza,
  • Like
Reactions: NoxiousNinja, hetop and Blythe93
impeeza said:
Most sites for DMCAed
Click to expand...
What do you mean by that? I get that most sites got DMCAd by the big N cuz they can, but aren't some sites hosted in other countries that can't be taken down since the USA law doesn't apply to them? If so, then people who are able to update the source code & compile them should release the updated versions whenever they get the new set of FW keys.
 
impeeza said:
I only have the next comment, on the file"\Lockpick_RCM\source\hos\hos.h the lines

C++: 
#define KB_FIRMWARE_VERSION_1900 18
#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1800 //!TODO: Update on mkey changes.
#define KB_FIRMWARE_VERSION_MAX  KB_FIRMWARE_VERSION_1900 //!TODO: Update on mkey changes.

define two times the same variable, should be only the last one, leaving that duplicate redefinition you get the warnings:
View attachment 463579should be only the last one left on the code?
Post automatically merged:

And @Zoria Thanks a lot for update the github with that files which we can not name here :D
Post automatically merged:


Uploaded a copy to Downloads section:

https://gbatemp.net/download/lockpick_rcm-1-9-13-fw-19-zoria-source.38837/
Click to expand...

I would like to ask can we use the devkitpro installer to install ?
 
Once again the same question - this Lockpick "extracts" all keys up to master_key_12 when run on 17.0.0

Does those keys embedded to binary?
 
duckbill007 said:
Once again the same question - this Lockpick "extracts" all keys up to master_key_12 when run on 17.0.0

Does those keys embedded to binary?
Click to expand...
No they are not, you can see on the source of Atmosphère the SEEDs The keys are the resultant of run the seeds on the firmware so you can extract them. the link to the Atmosphère's code is on previous Posts. By the Way this new file is bit by bit the same generated for the source code published by zoria on the last page.
 
  • Like
Reactions: Blythe93
impeeza said:
No they are not, you can see on the source of Atmosphère the SEEDs The keys are the resultant of run the seeds on the firmware so you can extract them. the link to the Atmosphère's code is on previous Posts. By the Way this new file is bit by bit the same generated for the source code published by zoria on the last page.
Click to expand...

Correct, just reposting this since all the links were dead. Was there an issue with this build that I'm not aware of?
 
  • Like
  • Love
Reactions: Tyvar1, Blythe93 and impeeza
  • Like
Reactions: Tyvar1, Blythe93, FanboyKilla and 1 other person
  • Like
Reactions: Blythe93
FanboyKilla said:
Did you already post a link to the binary in the previous pages? I could only find where you posted the link to the "source" code but not the "binary".
Click to expand...
you are right, the binary was uploaded few hours ago, but I hadn't time to put the url here. thanks.
 
  • Like
Reactions: FanboyKilla

Site & Scene News

Go to forum More news

Popular threads in this forum

Dusk for switch (TLoZ Twilight Princess port)

Homebrew  New Homebrew "Foil Server"?

Homebrew  Full List of N64 Recompilation Switch ports

Hacking  WiFi chip failing and can't boot. is it possible to enable Airplane Mode by editing system save files directly?

Homebrew Tutorial Translation Project  CS2SX — Write Nintendo Switch Homebrew in C#

Homebrew  Sonic Unleashed Recompiled (Homebrew Port)

Is it fixable

Hacking Emulation  Switch Prod Keys downloading from sites okay?