Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip, containing both sept-primary.bin and sept-secondary.enc, must be present on SD, or else only keyblob master key derivation is possible (i.e. up to master_key_05 only)
Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly
 

Last edited by shchmue,
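An added check, not part of Lockpick_RCM or this post, for the prod.keys file the payload writes: it parses the hactool-style `name = hexvalue` lines and reports whether the dump stops at master_key_05, which on a 7.x console means /sept/ was missing. The key-file format, the function names and the constructed sample values are assumptions of this example.

```python
import re
from typing import Dict, List, Tuple

# hactool/LibHac key-file format (assumed here): one "key_name = hexvalue" per line.
LINE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)$")
MASTER_RE = re.compile(r"^master_key_([0-9a-f]{2})$")
SEPT_CUTOFF = 5  # without /sept/ a 7.x console yields keys only up to master_key_05

def parse_prod_keys(text: str) -> Tuple[Dict[str, bytes], List[str]]:
    """Parse key-file text into {name: raw bytes}; collect problems instead of aborting."""
    keys: Dict[str, bytes] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or comment line
            continue
        m = LINE_RE.match(line)
        if not m or len(m.group(2)) % 2:
            problems.append(f"line {lineno}: expected 'name = even-length hex'")
            continue
        name = m.group(1)
        if name in keys:
            problems.append(f"line {lineno}: duplicate entry {name}")
        keys[name] = bytes.fromhex(m.group(2))
    return keys, problems

def master_key_status(keys: Dict[str, bytes]) -> Tuple[int, List[int]]:
    """Return (highest master_key_NN present or -1, list of NN missing below it)."""
    present = sorted(int(m.group(1), 16) for n in keys if (m := MASTER_RE.match(n)))
    if not present:
        return -1, []
    return present[-1], [i for i in range(present[-1]) if i not in present]

def stopped_at_sept_cutoff(keys: Dict[str, bytes]) -> bool:
    """True when the dump ends at master_key_05, i.e. the 7.x keys were not derived."""
    return master_key_status(keys)[0] == SEPT_CUTOFF

# Constructed sample with fake key bytes (not real console keys): a 7.x dump made
# without /sept/, so it stops at master_key_05, plus one malformed line.
SAMPLE = "\n".join(
    [f"master_key_{i:02x} = {(bytes([0x10 + i]) * 16).hex()}" for i in range(6)]
    + ["tsec_key = 0123456789abcdef0123456789abcdef", "not a key line"]
)

if __name__ == "__main__":
    keys, problems = parse_prod_keys(SAMPLE)
    print(master_key_status(keys), problems)
    print("needs /sept/ on 7.x:", stopped_at_sept_cutoff(keys))
```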
from this tool? are you using the latest version?

Yes, using this tool in "payload" mode (Lockpick-RCM v1.1.1) gives error "ERROR FFFFFFFF dumping TSEC"

Trying to dump TSEC with Hekate (latest version) gives such strings:

Found pkg1 (`20181107105733`)
TSEC key: ERROR FFFFFFFF.

Some "history" of my switch.

- Used SX OS from the start
- From 5.1 to 6.2 was updated with saved fuses (now I have 6 burnt, update was done with ChoiDujourNX through atmosphere)
- I have Auto-RCM from ChoiDujourNX
- Now I want to move to atmosphere, but can't launch (want TSEC keys)
- Other "dumps" from Hekate work fine
- SX OS is working without errors now

P.S. I don't use emunand
 
Last edited by c0013r,
Are you chainloading hekate/lockpick_rcm from SX injector or whatever their software is? IIRC they do something like leave CCPLEX enabled in their hardware init code that makes it impossible to query the TSEC again in subsequent payloads. If that's the case, try injecting directly, if not, let me know.
 

I really, really hope you don't mind, but a while ago I integrated your brilliant payload into my Hekate mod that I use for modchips.

I never even thought to double-check it was OK with you. Sorry about that! I've credited you, obviously.
 
Last edited by mattytrog,
It works! Thank you! :-)
 
My console is 8.0.1, never hacked before, and I was told to come here. I have an RCM loader, and with my Switch in RCM mode it won't load any payload, still a black screen. I inserted Lockpick, renamed to payload.bin as the RCM loader says, and have the proper files on SD, but nothing happens. Only a black screen.

EDIT
dumbest thing: the usb-c was not properly connected.
 
Last edited by almmiron,
What is the correct location to store our prod.keys ? Is it the root of the card or in the Switch folder ?

Also should it be renamed keys.dat ?

Sorry but I'm seeing different people saying different things, so wanted to get it clarified please... also seen some people suggesting the keys file needs to be inside tinfoil & goldleaf folders too

If somebody could clear this all up I'd appreciate it - thank you ! Just trying to tidy up my sd card
 
Prod.keys is usually needed for hactool, which is used on your computer. Fewer and fewer Switch applications require keys, and for good reason: the keys are already in the console. Neither Tinfoil nor Goldleaf require keys in order to function, so I'm not sure where you got that idea from. And different applications will require the keys to be in different places. Not only that, some tools use different names. So it doesn't matter where you put it or what you name it.
 


Thanks for replying, you're always helpful without being condescending and it's very much appreciated.

I picked most of it up from reading various threads over the course of the expanding homebrew scene and have ended up with keys files in almost every folder and 2 files on the root (keys.txt and prod.keys).

I suppose as I'm ditching SX OS the most important one will be whether Atmosphere requires a keys file or not? If yes, will it be prod.keys or keys.txt, and should it be placed in the Atmosphere folder?
 
Atmosphere doesn't require keys either.
 
So I'm running my own pegaswitch server on a pc disconnected from the internet as to prevent updating because my switch is i-patched. Is Lockpick_RCM safe to run on an i-patched switch? I'm kinda put off by the name itself, as the recovery module isn't vulnerable in my case...
 
Absolutely. As per the Atlas guide, it's highly recommended to run Lockpick_RCM via Caffeine.
 
