Toggle sidebar

Front-page Hacking RELEASE  Updated

Lockpick_RCM payload - Official Thread


Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)
Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly
 

Attachments

  • AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg
    AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg
    11.2 KB · Views: 0
Last edited by shchmue,
  • Like
Reactions: SnowStormAkikaze, FanNintendo, Deleted member 753700 and 78 others
Click to expand...
Muxi said:
I have to correct myself, there must be "243" entries! The ‘eticket_rsa_kek_personalised’ was still missing! I have attached the prod.keys file here, but without the key values.

Edit:
But what would interest me is which of the keys are console-specific?
I found these, but I don't know if they are complete.

secure_boot_key tsec_key device_key bis_key_00 bis_key_01 bis_key_02 bis_key_03 save_mac_key_00 save_mac_key_01 keyblob_key_## keyblob_mac_key_## encrypted_keyblob_## sd_seed save_mac_sd_card_key ssl_rsa_key eticket_rsa_keypair
Click to expand...
I have gone through all my prod.keys dumps through the ages, but I've never had "eticket_rsa_kek_personalised". Is that a big deal that it's missing or no?
 
  • Like
Reactions: impeeza, Blythe93 and draftguy123
Muxi said:
This AMS PrePrePreRelease version 1.9.0 always crashes shortly after booting into the HOS under FW 20.0.1. The Fatal Crash Screen shows “010000000000001F” as the error source. prodinfo blanking is deactivated by the way.

View attachment 503074
Click to expand...
How this have to do with Lock Pick?
Post automatically merged:

hetop said:
I have gone through all my prod.keys dumps through the ages, but I've never had "eticket_rsa_kek_personalised". Is that a big deal that it's missing or no?
Click to expand...

Muxi said:
I don't think this entry is that important. I am only interested in the completeness of the entries/keys.
Click to expand...
That was a Key from Pick Lock 10, later converted to another name.
 
  • Like
Reactions: Tyvar1, hetop, draftguy123 and 1 other person
I made a change to the condition, in keys.c at line 114, adding !key_exists.
C: 
if (!key_exists(keys->temp_key)) {
    EPRINTFARGS("Unable to derive master keys for %s.", is_dev ? "dev" : "prod");
    memset(keys->master_key, 0, sizeof(keys->master_key));
}
I'm using erista first model.
anyone who wants to try on mariko?
 

Attachments

  • Like
  • Love
Reactions: Tyvar1, StevensND, draftguy123 and 3 others
Last edited by Muxi,
  • Like
  • Love
Reactions: Blythe93, hetop and impeeza
Muxi said:
Do you know which one that is?
Click to expand...
I can not remember, was some time ago.
Post automatically merged:

oresterosso said:
I made a change to the condition, in keys.c at line 114, adding !key_exists.
C: 
if (!key_exists(keys->temp_key)) {
    EPRINTFARGS("Unable to derive master keys for %s.", is_dev ? "dev" : "prod");
    memset(keys->master_key, 0, sizeof(keys->master_key));
}
I'm using erista first model.
anyone who wants to try on mariko?
Click to expand...
hello there, do you mind share your full code with us?
 
Last edited by impeeza,
  • Like
Reactions: Blythe93 and Muxi
Guys, have you noticed that some of the old keys, even though there are plenty of them, don't fit with the past...?
:wacko::switch::!:
 
oresterosso said:
here it is.
Click to expand...
Sorry that version of code do not generate the same payload you did attach, and the one generated b that code do not works on my erista,
1746470373258.png

Post automatically merged:

oresterosso said:
here it is.
Click to expand...
well seems the negation of that functions remove the ability of generate some vital patches. and seems like it works because only generate few patches, the current problem is if you generate more than 230 patches something happens and the app freeze or abort returning to main menu. that is the issue we are facing now, and I really have not the knowledge to diagnose it.
 
Last edited by impeeza,
  • Like
Reactions: Blythe93
oresterosso said:
I made a change to the condition, in keys.c at line 114, adding !key_exists.
C: 
if (!key_exists(keys->temp_key)) {
    EPRINTFARGS("Unable to derive master keys for %s.", is_dev ? "dev" : "prod");
    memset(keys->master_key, 0, sizeof(keys->master_key));
}
I'm using erista first model.
anyone who wants to try on mariko?
Click to expand...
Is this version of lockpick_rcm safe to use? I don't mind not being able to have the title.keys generated as I only care for the prod.keys to be able extract a game's exefs to make cheat codes & analyze it using IDA Pro. I'm using an unpatched v1 switch.
 
I'm bringing another Lockpick_RCM variant into play here, edited and compiled by my friend kempa/dezem. Unfortunately I do not have the source code. This version reads the keys correctly from a Mariko revision, but it freezes under my Erista v1, although it works perfectly under my friend's Erista v1.

Here are the correctly read keys under a Mariko revision under this Lockpick_RCM variant.

lockpick_rcm_mariko.jpg
 

Attachments

Last edited by Muxi,
  • Like
Reactions: Blythe93
Muxi said:
I'm bringing another Lockpick_RCM variant into play here, edited and compiled by my friend @kempa . Unfortunately I do not have the source code. This version reads the keys correctly from a Mariko revision, but it freezes under my Erista v1, although it works perfectly under my friend's Erista v1.
Click to expand...
if freeze on erista is the same version post on the previous page, I really Haven't been able to find the bug, my C knowledge is almost null.
 
  • Like
Reactions: Blythe93
@impeeza It is also a mystery to me that it apparently works on my friend's Erista v1 and apparently not on mine or yours. It would be at least halfway explainable if it worked every now and then without freezes, but it doesn't (unfortunately).
 
  • Love
  • Like
Reactions: Blythe93 and impeeza
Muxi said:
@impeeza It is also a mystery to me that it apparently works on my friend's Erista v1 and apparently not on mine or yours. It would be at least halfway explainable if it worked every now and then without freezes, but it doesn't (unfortunately).
Click to expand...
The max diagnose I could do was On my Erista freeze if I enable more than 230 keys to be dumped. the last try was created two versions of the payload each one with different set of keys commented on the code, merging the two files I could get all 243 keys found on my console.

I created a Payload with this keys.c file:
1746513230029.png
and another with this other:
1746513362462.png


but if I leave all keys un-commented the dump process fails and return to main menu.

if I put several file saves in between save keys calls sometimes the app freeze.
 
  • Like
Reactions: Muxi and Blythe93
I don't know anything about programming either...
There must be someone who can compile Lockpick_RCM satisfactorily. What about the thread creator @shchmue ?
Post automatically merged:

impeeza said:
The max diagnose I could do was On my Erista freeze if I enable more than 230 keys to be dumped
Click to expand...
Perhaps you can simply omit unimportant entries so as not to exceed this limit? Perhaps the keys can then be read out properly. On the other hand, the previous version also read more than 230 keys without errors or freezing.
 
Last edited by Muxi,
Muxi said:
I'm bringing another Lockpick_RCM variant into play here, edited and compiled by my friend kempa/dezem. Unfortunately I do not have the source code. This version reads the keys correctly from a Mariko revision, but it freezes under my Erista v1, although it works perfectly under my friend's Erista v1.

Here are the correctly read keys under a Mariko revision under this Lockpick_RCM variant.

View attachment 503246
Click to expand...
can you try this review on your Erista v1?
 

Attachments

Site & Scene News

Go to forum More news

Popular threads in this forum

Feedback Homebrew  Essential Homebrew

Homebrew Homebrew game  Lego Star Wars: The Complete Saga · Switch Port

Homebrew Homebrew game Project  So... Dan didn't want to reveal his Vulkan, so I made mine.

Homebrew Homebrew game  GTA: Chinatown Wars - Switch port

Homebrew Homebrew game  Half Life 2 (Source Engine) - Switch Port

running 20.5 Is it worth upgrading my firmware...?

Homebrew Homebrew game  Final Fantasy IV 3D Remake - Switch port

Hacking Hardware Misc  Yo chat! I'm I cooked?