Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip, containing both sept-primary.bin and sept-secondary.enc, must be present on SD, or else only keyblob master key derivation is possible (i.e. up to master_key_05 only)
Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly
 

Last edited by shchmue,
The + 65 is simply used to reserve, in addition to the "useful" text_buffer_size bytes, a safety margin of 65 bytes to accommodate:
- The string terminator ('\0', 1 byte)
- Additional storage area (64 bytes)
- In many cases, this can be used to store, for example, the hexadecimal representation of a SHA-256 hash (32 bytes → 64 hexadecimal characters), or any other auxiliary data block (metadata, signature, padding, fixed header, etc.).

I'd much rather modify the line above; it's cleaner than adding a safety margin arbitrarily this way.
 
Guys, with the help of @Zoria, here is a summary of the steps normally used to upgrade the code of Lockpick when a new firmware is released.


Lockpick code is heavily based on Hekate. When a new firmware is released, some files must be changed to update the values for the new firmware; those values are taken by Hekate and Lockpick from the most recent commit of Atmosphère supporting the new firmware. The values used by Atmosphère are found using a script created by SciresM, as he showed on the stream about upgrading Atmosphère to FW 20.

So to upgrade Lockpick you need to change some files, as far as I know:

  • /source/keys/crypto.h: for this file you need to update three sections. The values can be extracted from exosphere/program/source/boot/secmon_boot_key_data.s or fusee/program/source/fusee_key_derivation.cpp in the Atmosphère repo; the following table summarizes the sections where you can get them.

    Name in crypto.h                  Section name in secmon_boot_key_data.s   Function name in fusee_key_derivation.cpp
    device_master_kek_sources         Production Device Master Kek Sources     DeviceMasterKekSources
    device_master_kek_sources_dev     Development Device Master Kek Sources    DeviceMasterKekSourcesDev
    device_master_key_source_sources  Device Master Key Source Sources         DeviceMasterKeySourceSources

  • source/keys/key_sources.inl: for this file you need to update five sections. The values can be extracted from exosphere/program/source/boot/secmon_boot_key_data.s or fusee/program/source/fusee_key_derivation.cpp in the Atmosphère repo; the following table summarizes the sections where you can get them.

    Name in key_sources.inl        Section name in secmon_boot_key_data.s   Function name in fusee_key_derivation.cpp
    master_kek_sources             (not in secmon_boot_key_data.s)          EristaMasterKekSource
    master_key_vectors             Production Master Key Vectors            MasterKeySources
    master_key_vectors_dev         Development Master Key Vectors           MasterKeySourcesDev
    mariko_master_kek_sources      Mariko Production Master Kek Source      MarikoMasterKekSource
    mariko_master_kek_sources_dev  Mariko Development Master Kek Source     MarikoMasterKekSourceDev

  • /source/hos/hos.h: for this file you need to add a new KB_FIRMWARE_VERSION_xxxx and update KB_FIRMWARE_VERSION_MAX

  • /Versions.inc, modify the version number.
 
Last edited by impeeza,
Apparently the keys are not read correctly under an emuMMC on a 2 TB SD card. Can anyone confirm this? I've only heard this because I don't use such a large capacity myself (400 & 512 GB)
 
Could be because the code of Atmosphère and Hekate had to be tweaked for those capacities, and Lockpick uses a lot of code from Hekate. Sadly I don't have such a large SD to test.
 
As far as I know, Hekate now supports SD cards with a capacity of up to 2 TB. It is possible that this adjustment has not yet been incorporated into the Lockpick_RCM code? The same applies to the Tegra Explorer, which currently only supports SD cards up to 1 TB.
 
Very possible, but we need somebody who understands the code implemented in Hekate and can translate it to Lockpick.
 
I'm brain-farting and my wife says it's time to go, so no time to search the thread. How many keys is Mariko supposed to have? I'm definitely not getting 242 (or any errors... and it says keys were found up to 13). I do get 242 on Erista.
 
I really do not know about Mariko, but 242 is for Erista. Mariko has a different set, and there are some you need to generate offline.
https://github.com/impeeza/Lockpick_RCMDecScots#mariko-specific-keys
Sadly I don't have a Mariko unit to test.
 
Attachment: lockpick_rcm.png
Ok, 213 is what I got as well. So my own build is good then. Thanks. :wacko:
Yea, I did the Mariko-specific ones a while back, just because I was bored. Nothing at all makes use of them, as far as I know. Wonder what the actual purpose is/was...
 
Hello! So I recently dumped the keys of my Nintendo Switch, so that I can dump my legally owned games to emuMMC using Goldleaf. However, when I'm in Goldleaf, despite it saying that I'm on the latest firmware, the key generation is stuck at 9. I contacted the creator of Goldleaf about it, but he told me that it isn't an issue with Goldleaf. So I want to ask you guys if you see anything that's off with my prod.keys file (I got rid of the sensitive information).
 

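A small sanity check for a dump like the one asked about above, written for this thread and not part of Lockpick_RCM, Goldleaf or any other project mentioned here. It assumes prod.keys uses the hactool-style layout of one "name = hex" pair per line, counts the well-formed keys, reports the highest master_key_NN index present (the quickest indicator of which key generation the dump reached; NN is hexadecimal, so master_key_0a is generation 10), and flags malformed lines. The sample text inside is constructed for the example; every hex value is a placeholder, not a real key.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result of scanning prod.keys text (assumed format: one "name = hex" per line). */
typedef struct {
    int total_keys;          /* well-formed "name = hex" lines */
    int highest_master_key;  /* highest NN in master_key_NN (hex digits), -1 if none */
    int malformed_lines;     /* non-blank lines that are not "name = even-length hex" */
} keyfile_summary;

/* True when s[0..len) is a non-empty, even-length run of hex digits. */
static int is_hex_run(const char *s, size_t len) {
    if (len == 0 || len % 2 != 0) return 0;
    for (size_t i = 0; i < len; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Parse one line "name = hexvalue". On success copies the trimmed name into
 * name_out and returns 1; returns 0 for anything malformed. */
static int parse_key_line(const char *line, char *name_out, size_t name_cap) {
    const char *eq = strchr(line, '=');
    if (eq == NULL) return 0;

    const char *ns = line;                       /* trim the name on both sides */
    while (*ns == ' ' || *ns == '\t') ns++;
    const char *ne = eq;
    while (ne > ns && (ne[-1] == ' ' || ne[-1] == '\t')) ne--;
    size_t nlen = (size_t)(ne - ns);
    if (nlen == 0 || nlen >= name_cap) return 0;

    const char *vs = eq + 1;                     /* trim the value, then require hex */
    while (*vs == ' ' || *vs == '\t') vs++;
    const char *ve = vs + strlen(vs);
    while (ve > vs && isspace((unsigned char)ve[-1])) ve--;
    if (!is_hex_run(vs, (size_t)(ve - vs))) return 0;

    memcpy(name_out, ns, nlen);
    name_out[nlen] = '\0';
    return 1;
}

/* If name is exactly master_key_NN with two hex digits, return NN, else -1. */
static int master_key_index(const char *name) {
    static const char prefix[] = "master_key_";
    size_t plen = sizeof(prefix) - 1;
    if (strlen(name) != plen + 2 || strncmp(name, prefix, plen) != 0) return -1;
    if (!isxdigit((unsigned char)name[plen]) || !isxdigit((unsigned char)name[plen + 1])) return -1;
    return (int)strtol(name + plen, NULL, 16);
}

/* Scan the whole file contents (already in memory) line by line. */
keyfile_summary summarize_keyfile(const char *text) {
    keyfile_summary s = { 0, -1, 0 };
    const char *p = text;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t raw = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        size_t len = raw < sizeof line ? raw : sizeof line - 1;  /* over-long lines are truncated */
        memcpy(line, p, len);
        line[len] = '\0';
        p += raw + (nl ? 1 : 0);

        const char *q = line;                    /* skip blank lines */
        while (isspace((unsigned char)*q)) q++;
        if (*q == '\0') continue;

        char name[128];
        if (!parse_key_line(line, name, sizeof name)) { s.malformed_lines++; continue; }
        s.total_keys++;
        int idx = master_key_index(name);
        if (idx > s.highest_master_key) s.highest_master_key = idx;
    }
    return s;
}

/* Constructed sample, not a real dump: three master keys, one header key,
 * and two deliberately broken lines. All hex values are placeholders. */
static const char sample_keyfile[] =
    "master_key_00 = 000102030405060708090a0b0c0d0e0f\n"
    "master_key_01 = 101112131415161718191a1b1c1d1e1f\n"
    "master_key_0a = 202122232425262728292a2b2c2d2e2f\n"
    "header_key = " "0000000000000000" "0000000000000000" "0000000000000000" "0000000000000000" "\n"
    "\n"
    "this line has no separator\n"
    "odd_length_value = abc\n";

int main(void) {
    keyfile_summary s = summarize_keyfile(sample_keyfile);
    printf("keys: %d, highest master_key index: %d, malformed lines: %d\n",
           s.total_keys, s.highest_master_key, s.malformed_lines);
    return 0;
}
```

On the constructed sample this reports 4 keys, highest master_key index 10, and 2 malformed lines. For a real dump, replace the sample with the file contents; a highest index well below what the installed firmware should have produced points at the dump itself rather than at the tool reading it.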

Why don't you just use DBI instead?
 
Are you using the latest Goldleaf? There is a new version supporting firmware 20. Also, you can use NXDumpTool to dump installed apps.
 