Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage

• Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
• Upon completion, keys will be saved to /switch/prod.keys on SD
• If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)

Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues

• Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly

 

[ab760902]

My Switch (RCM) updated from OFW 11.0.0 to OFW 21.2.0 and is now bricked.
The error message says: "Unable to get SD seed." (This seems to be the main issue......).
This happened because I forgot to insert the SD card when I was on OFW 11.0.0.
When I ran Lockpick_RCM v1.9.16 to get my prod.keys, it only found 250 keys. I'm missing the 251st key—the SD_seed!
I currently have the original <prod.keys> and <rawnand.bin> for 21.2.0 from my Switch.
How can I fix this? Thanks for your help. Have a nice day.

 

[Zoria]

Hello
Here is an updated version of LockPick with the compiled payload and source code to support Masterkey 15 in version 22.0.0

 

[hydrabenny]

Hello
Here is an updated version of LockPick with the compiled payload and source code to support Masterkey 15 in version 22.0.0

The Binaire file shows as 170KB and i can't unzip it. Likely I'm doing something wrong. Can someone help me understand what to do

Post automatically merged: Mar 17, 2026

The Binaire file shows as 170KB and i can't unzip it. Likely I'm doing something wrong. Can someone help me understand what to do

I tried with 7zip and managed to extract. Thanks for sharing this =)

 

[Nephiel]

Hello
Here is an updated version of LockPick with the compiled payload and source code to support Masterkey 15 in version 22.0.0

Comparing the resulting prod.keys with the one from 1.9.17, I expected some _15 lines for the new keys, but found some extra differences I wasn't expecting:

• master_kek_13 and master_kek_source_13 changed completely
• master_kek_source_06 through _15 and mariko_master_kek_source_06 through _15 now have an extra 00 at the end

This is on an unpatched Erista. Are those changes also intended?

 

[Muxi]

@Zoria The payload freezes on an Erista v1 (unpatched) when attempting to read the keys from a 22.0.0 sysMMC.

 

[Zoria]

@Zoria The payload freezes on an Erista v1 (unpatched) when attempting to read the keys from a 22.0.0 sysMMC.

I don't have an Erista Switch, so I'm sorry to hear that the payload isn't working.
I've asked a few people for feedback, but they're not available right now.
Feel free to send me a screenshot so I can see exactly what LockPick is showing.

Post automatically merged: Mar 17, 2026

From the feedback I've received, it seems to be working just fine.
Still, I'll take a look at polishing up the code.

 

[Muxi]

Here is the screenshot. On the first attempt, the last two lines weren't displayed, and this is what it looks like on the second attempt. Both times, the program froze. The Prod.keys in the switch folder also don't contain Masterkey_15, and there are only 250 entries. In the previous version, there were 251 entries with Masterkey_14.

 

[Nephiel]

Comparing the resulting prod.keys with the one from 1.9.17, I expected some _15 lines for the new keys, but found some extra differences I wasn't expecting:

• master_kek_13 and master_kek_source_13 changed completely
• master_kek_source_06 through _15 and mariko_master_kek_source_06 through _15 now have an extra 00 at the end

This is on an unpatched Erista. Are those changes also intended?

Tried to reproduce this on a Mariko (OLED), and this time it was only master_kek_source_14 master_kek_source_13 that was completely different compared to the dump from 1.9.17.
That and the extra 00s.

(Both the Erista and the Mariko were on 21.2, in case that matters). edit: just to be clear, neither of them froze for me.

 

[Zoria]

Comparing the resulting prod.keys with the one from 1.9.17, I expected some _15 lines for the new keys, but found some extra differences I wasn't expecting:

• master_kek_13 and master_kek_source_13 changed completely
• master_kek_source_06 through _15 and mariko_master_kek_source_06 through _15 now have an extra 00 at the end

This is on an unpatched Erista. Are those changes also intended?

I've addressed this issue in a new version with a fix for a few keys

 

[Muxi]

I've addressed this issue in a new version with a fix for a few keys

This version works!! All 260 keys are now being read. Does this version also run on SD cards up to 2 TB?

 

[Zoria]

This version works!! All 260 keys are now being read. Does this version also run on SD cards up to 2 TB?

I haven't implemented that fix yet, but if I have time, I'll add it; otherwise, I'm sure another developer will reuse the source code to do it ^^
I'm working on updating the LockPick BDK to make it faster and more optimized, which is taking quite a while ^^

 

[impeeza]

I don't have an Erista Switch, so I'm sorry to hear that the payload isn't working.
I've asked a few people for feedback, but they're not available right now.
Feel free to send me a screenshot so I can see exactly what LockPick is showing.

Post automatically merged: Mar 17, 2026

From the feedback I've received, it seems to be working just fine.
Still, I'll take a look at polishing up the code.

The code you provided have some differences with mine, I am using a merge code between two and testing:

I've addressed this issue in a new version with a fix for a few keys

Hello there I just tested on my Erista the modified code and works fine.

Also tested your binary file and generated a valid prod.keys file.

Post automatically merged: Mar 17, 2026

@Zoria Look at this code, on the file HOS.H you and me have some keys different from the Firmwares 20 and 21 and I just rechecked the values from Atmosphère code and seems yours are mistaken

Also there are other code changes to support SD Cards bigger than 1.5 TB

please take a look and let me to know what do you think.

 

[Codi1138]

Hello
Here is an updated version of LockPick with the compiled payload and source code to support Masterkey 15 in version 22.0.0

I would like to let ya know that the bin causes a crash after using it

 

[browntigerz]

Following

 

[impeeza]

I would like to let ya know that the bin causes a crash after using it

On which console?, on emunand or sysnand?

 

[urherenow]

please take a look and let me to know what do you think.

I just built your latest source and only get 231 prod keys on freshly updated OLED sysnand. I would try on emunand... except I haven't updated my switch in so long that now all of my homebrew is broken. Have to Google what to use now to dump the 22 FW to install on emu...

EDIT: Got the firmware dumped... but I don't think I want to update emu right now, in light of homebrew being so broken on 22... anything I try to launch from the homebrew menu, simply crashes.

 

[StevensND]

I just built your latest source and only get 231 prod keys on freshly updated OLED sysnand. I would try on emunand... except I haven't updated my switch in so long that now all of my homebrew is broken. Have to Google what to use now to dump the 22 FW to install on emu...

I have the same. 231.

 

[Codi1138]

On which console?, on emunand or sysnand?

sysnand CFW, It didnt show a option to return to payload or RCM. I had to force shut it down.

 

[urherenow]

lol... just dumped from emu for funsies (my emu is still on 20.5.0) and still got 231 keys (through 15). That version doesn't have key 15. How?

I get no crash. I can reboot to hekate, or power down, or select payload. But I built it from source, not downloading from here. And I'm still confused because I heard 260 keys mentioned or something like that. Is that only on erista? I didn't break out my erista for this yet...

 

[impeeza]

I only have a Erista console and with that I was able to dump 260 Keys includeing 15 ones