Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment, however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (i.e. up to master_key_05 only)

Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code; please launch the payload directly
 

Last edited by shchmue,
Hello,
Thank you very much for this payload.
I wanted to know: I get an error when launching Tinfoil: BAD KEY HASH: master key 07 etc. Can you please help me correct this error?
Thanks in advance.

--------------------- MERGED ---------------------------

I wanted to clarify that I am on 7.01; I got 126 keys with the payload.
 
that is a problem with that program, not Lockpick. make sure it's up to date, if it still fails check with the maintainer.
 
yes that's the count for 7.x

though I'd caution generally not to be too focused on key count as long as you have those you need. for example, consoles on 6.2.0 can dump a master kek and tsec root key that can't be dumped on any other firmware but those are just intermediate calculations and aren't as important as their result for anyone using this software
Thank you for this application.
I just dumped my keys on 6.2.0 / Atmosphere 0.8.5 and the application informed that 126 keys had been obtained (no error messages were displayed). Upon opening the prod.keys file, it contains 122 lines, though.
Per your message, I assume that the count is correct. I understand that purpose is more important than count, but I do not even know what keys to look for, I only got them for safety.
 
Last edited by starburst,
that's weird, it only increments the key counter if it successfully writes the key to the buffer hrrmmmm
 
For different reasons, I decided to start over and restored the console to its factory settings and formatted the SD card. After my first boot, I ran Lockpick RCM; this time it printed that 122 keys had been acquired and the text file indeed consists of 122 lines.
 
Hi,
I'm using SX OS (please no complaints, it was the easiest way for an old man).
I know they have a payload option, and I read not to use it.

But I have a dongle with several folders to inject payloads.
Will this be fine?
 
The magic word is Argon-NX or Payload Launcher! If you use SX OS 2.6.1, you can copy the folders from the attachment to your SD card and reboot from the album into the payload of your choice!
 

Last edited by Muxi,
I've used WebFuseeLauncher and TegraRCMSmash to inject Lockpick_RCM.bin, and I have the sept folder on root of my SD, but as soon as it says Payload successfully injected, nothing happens. Switch screen stays blank, and when I take out the SD and look, there's no prod.keys generated.

I'm on 7.0.1
 
Try putting Lockpick_RCM.bin on SD in bootloader/payloads and chainload it from Hekate
 
I am using a program that wants master_key_07, but I didn't get it with Lockpick_RCM. How do I get master_key_07?
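
A way to check a dumped prod.keys by key name, covering two questions raised in the posts above: the reported key count versus the lines actually in the file, and whether a key a program asks for (such as master_key_07) is present. This is an added example, not part of the thread or of Lockpick_RCM; it assumes the hactool-style "name = hex" line format and two-hex-digit master_key numbering, and the sample content is constructed with all-zero placeholder values.

```python
import re

# Assumption: hactool-style key file, one "name = hexvalue" entry per line.
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)\s*$")
# Assumption: master keys are numbered with two hex digits (master_key_05, ...).
MASTER_RE = re.compile(r"^master_key_([0-9a-f]{2})$")


def audit_keyfile(text, wanted=()):
    """Summarise a key file by name only; key values are never returned."""
    names = {}                      # key name -> key length in bytes
    malformed, duplicates = [], []
    nonblank = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        nonblank += 1
        m = LINE_RE.match(raw)
        if m is None or len(m.group(2)) % 2:   # no separator or odd hex length
            malformed.append(lineno)
            continue
        name = m.group(1).lower()
        if name in names:
            duplicates.append(name)
        names[name] = len(m.group(2)) // 2
    masters = [int(m.group(1), 16) for m in map(MASTER_RE.match, names) if m]
    return {
        "nonblank_lines": nonblank,
        "unique_keys": len(names),
        "duplicates": duplicates,
        "malformed_lines": malformed,
        "highest_master_key": max(masters, default=None),
        "missing": [w for w in wanted if w not in names],
    }


# Constructed sample: all-zero placeholder values, one duplicate name,
# one entry with odd-length hex and one line without "=".
SAMPLE = "\n".join(
    [f"master_key_{i:02x} = {'00' * 16}" for i in (0, 1, 2, 3, 3, 4, 5)]
    + ["", "truncated_entry = 0123abc", "no separator here"]
)

if __name__ == "__main__":
    report = audit_keyfile(SAMPLE, wanted=["master_key_05", "master_key_07"])
    for field, value in report.items():
        print(f"{field}: {value}")
```

To audit a real dump, pass the text of /switch/prod.keys as the first argument; only names, counts and line numbers are reported.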
 
When I launch the payload using Hekate, it just shows this screen and freezes and doesn't give me any keys.
 
