Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare-metal Nintendo Switch payload that derives encryption keys for use in Switch file-handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc., without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip, containing both sept-primary.bin and sept-secondary.enc, must be present on the SD card, or else only keyblob master key derivation is possible (i.e. up to master_key_05 only)
Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code; please launch the payload directly
 

Last edited by shchmue,
Just check the build ID of the USB title.
How are those values created?

I have a Python script which reads all NCAs and, if one of them has a specific Title ID, extracts the main file and decompresses it; then it can search for values in that file and, based on the offset, create an IPS patch. That script can be used to create those values for the source files.
Last edited by RealYoti,
Guys, with the help of @Zoria, here is a summary of the steps normally used to upgrade the LockPick code when a new firmware is released.


Lockpick code is heavily based on Hekate. When a new firmware is released, some files must be changed to update values for the new firmware; those values are taken by Hekate and LockPick from the most recent commit of Atmosphère supporting the new firmware. The values used by Atmosphère are found using a script created by SciresM, as he showed on the stream about upgrading Atmosphère to FW 20.

So to upgrade LockPick you need to change some files, as far as I know:

  • /source/keys/crypto.h: for this file you need to update three sections. The values can be extracted from exosphere/program/source/boot/secmon_boot_key_data.s or fusee/program/source/fusee_key_derivation.cpp in the Atmosphère repo; the next table summarizes the sections where you can get them.
    Name in crypto.h                  | Section name in secmon_boot_key_data.s   | Function name in fusee_key_derivation.cpp
    ----------------------------------+------------------------------------------+------------------------------------------
    device_master_kek_sources         | Production Device Master Kek Sources     | DeviceMasterKekSources
    device_master_kek_sources_dev     | Development Device Master Kek Sources    | DeviceMasterKekSourcesDev
    device_master_key_source_sources  | Device Master Key Source Sources         | DeviceMasterKeySourceSources

  • source/keys/key_sources.inl: for this file you need to update five sections. The values can be extracted from exosphere/program/source/boot/secmon_boot_key_data.s or fusee/program/source/fusee_key_derivation.cpp in the Atmosphère repo; the next table summarizes the sections where you can get them.
    Name in key_sources.inl           | Section name in secmon_boot_key_data.s   | Function name in fusee_key_derivation.cpp
    ----------------------------------+------------------------------------------+------------------------------------------
    master_kek_sources                | *not in secmon_boot_key_data*            | EristaMasterKekSource
    master_key_vectors                | Production Master Key Vectors            | MasterKeySources
    master_key_vectors_dev            | Development Master Key Vectors           | MasterKeySourcesDev
    mariko_master_kek_sources         | Mariko Production Master Kek Source      | MarikoMasterKekSource
    mariko_master_kek_sources_dev     | Mariko Development Master Kek Source     | MarikoMasterKekSourceDev

  • /source/hos/hos.h: for this file you need to add a new KB_FIRMWARE_VERSION_xxxx and update KB_FIRMWARE_VERSION_MAX.

  • /Versions.inc: modify the version number.
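As an added example (not code from Lockpick_RCM, Hekate or Atmosphère), here is a Python helper for the copy step in the procedure above: it reads `.byte` tables out of an Atmosphère-style assembly file, regroups them into 16-byte key sources, and emits a `static const u8 name[N][0x10]` initializer while checking that the entry count equals `KB_FIRMWARE_VERSION_MAX + 1`, so a forgotten bump in hos.h is caught before the build rather than at derivation time. The label names, the `.byte` layout, the array shape and every key byte in the embedded sample are assumptions and constructed data, not values taken from the real files.

```python
"""Port key-source tables from Atmosphère-style assembly into Lockpick-style C.

Added example, not code from Lockpick_RCM or Atmosphère. Assumptions:
  - the '.byte' layout and the label names below are assumed to resemble
    secmon_boot_key_data.s (they are not copied from it);
  - Lockpick declares these tables as `static const u8 name[N][0x10]`, with
    one 16-byte entry per key generation (0 .. KB_FIRMWARE_VERSION_MAX);
  - every key byte in SAMPLE_ASM is constructed, made-up data.
"""
import re

KEY_LEN = 0x10

# Constructed sample in the assumed secmon_boot_key_data.s layout (made-up bytes).
SAMPLE_ASM = """\
    /* Production Master Key Vectors. */
    .global _ZN3ams6secmon4boot16MasterKeyVectorsE
_ZN3ams6secmon4boot16MasterKeyVectorsE:
    /* generation 00 */
    .byte 0xA0, 0xA1, 0xA2, 0xA3, 0xA4, 0xA5, 0xA6, 0xA7, 0xA8, 0xA9, 0xAA, 0xAB, 0xAC, 0xAD, 0xAE, 0xAF
    /* generation 01 */
    .byte 0xB0, 0xB1, 0xB2, 0xB3, 0xB4, 0xB5, 0xB6, 0xB7, 0xB8, 0xB9, 0xBA, 0xBB, 0xBC, 0xBD, 0xBE, 0xBF
    /* generation 02 */
    .byte 0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7, 0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF

    /* Development Master Key Vectors. */
    .global _ZN3ams6secmon4boot19MasterKeyVectorsDevE
_ZN3ams6secmon4boot19MasterKeyVectorsDevE:
    .byte 0xD0, 0xD1, 0xD2, 0xD3, 0xD4, 0xD5, 0xD6, 0xD7, 0xD8, 0xD9, 0xDA, 0xDB, 0xDC, 0xDD, 0xDE, 0xDF
    .byte 0xE0, 0xE1, 0xE2, 0xE3, 0xE4, 0xE5, 0xE6, 0xE7, 0xE8, 0xE9, 0xEA, 0xEB, 0xEC, 0xED, 0xEE, 0xEF
"""

_LABEL_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*):\s*$")
_BYTE_RE = re.compile(r"^\.byte\s+(.*)$")


def parse_byte_tables(asm_text):
    """Return {label: bytes} for every 'label:' block of .byte directives."""
    tables = {}
    current = None
    for raw in asm_text.splitlines():
        line = raw.strip()
        m = _LABEL_RE.match(line)
        if m:
            current = m.group(1)          # a new label starts a new table
            tables[current] = bytearray()
            continue
        m = _BYTE_RE.match(line)
        if m and current is not None:     # comments and .global lines are skipped
            for tok in m.group(1).split(","):
                tok = tok.strip()
                if tok:
                    tables[current].append(int(tok, 0))
    return {k: bytes(v) for k, v in tables.items()}


def split_keys(blob):
    """Split a table into 16-byte entries; a ragged table means a copy error."""
    if len(blob) % KEY_LEN:
        raise ValueError(f"table length {len(blob)} is not a multiple of {KEY_LEN}")
    return [blob[i:i + KEY_LEN] for i in range(0, len(blob), KEY_LEN)]


def emit_c_table(c_name, keys):
    """Render the entries as a Lockpick-style 'static const u8 name[N][0x10]'."""
    rows = []
    for gen, key in enumerate(keys):
        body = ", ".join(f"0x{b:02X}" for b in key)
        rows.append(f"    {{{body}}}, /* generation {gen:02d} */")
    return (f"static const u8 {c_name}[{len(keys)}][0x10] = {{\n"
            + "\n".join(rows) + "\n};\n")


def port_table(asm_text, label, c_name, max_generation):
    """Extract one table and check it covers generations 0..max_generation."""
    tables = parse_byte_tables(asm_text)
    if label not in tables:
        raise KeyError(f"label {label!r} not found")
    keys = split_keys(tables[label])
    expected = max_generation + 1
    if len(keys) != expected:
        raise ValueError(
            f"{c_name}: {len(keys)} entries but KB_FIRMWARE_VERSION_MAX={max_generation} "
            f"needs {expected}; bump the macro in hos.h or re-check the copy")
    return emit_c_table(c_name, keys)


if __name__ == "__main__":
    print(port_table(SAMPLE_ASM, "_ZN3ams6secmon4boot16MasterKeyVectorsE",
                     "master_key_vectors", max_generation=2))
```

Run it against a real checkout by replacing SAMPLE_ASM with the file contents and passing the label for the table you are porting; the count check is the part worth keeping, since a table that is one entry short of the new KB_FIRMWARE_VERSION_MAX compiles fine and only fails when the payload tries to derive the newest key.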

This post looks weird now. I guess due to GBATemp changes?
 
What gets me is that I posted this information a long time ago, when I figured it out myself. Attached a text file, I think. And to say “with the help of <not me> in 2025… :nayps3:
I don't remember seeing that attachment; do you remember the post? I would really like to read it.
 
I’m having trouble finding it. Extremely low bandwidth as I’m out to sea. I’ll repost it when I get back home. Would help if the search function allowed searching attachments by user…
I have needed that function for a long time.

Don't worry, have a nice time.

Wow, I remember it now. We even talked about that file at some point; I have a copy of it in my local copy of the code!!

he he he. Thanks a lot mate.

I am attaching my version; it was changed over time, adding and sorting things.
Is there anywhere I can get the latest Lockpick_RCM for 20.3.0?
 
Welp, FW 21.0.0 got released some time ago. :angry: Can't wait for everyone who updates to complain and cry that Atmos isn't working, bla bla bla. :rofl2: Hopefully updating Lockpick to the newer version once the new set of keys is found won't be too hard.
 
Here is the source code for Lockpick_RCM corrected for 21.0.0, as well as the compiled binary for recovering master key 14.
 
