Description
Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage

• Launch Lockpick_RCM.bin using your favorite payload injector or chainload from Hekate by placing it in /bootloader/payloads
• Upon completion, keys will be saved to /switch/prod.keys on SD
• If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)

Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues

• Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly

 

[renanbianchi]

What firmware version? Does your console boot? Sysnand or Emunand?

Sysnand 9.0.1

 

[shchmue]

Sysnand 9.0.1

do you have the current sept folder and files from atmosphere on your sd

 

[renanbianchi]

do you have the current sept folder and files from atmosphere on your sd

I don't, i use SX OS. Could this be the issue?

 

[shchmue]

I don't, i use SX OS. Could this be the issue?

yes you need to copy the sept folder from atmosphere release zip to sd to get keys over version 7.0.0

 

[renanbianchi]

yes you need to copy the sept folder from atmosphere release zip to sd to get keys over version 7.0.0

Thanks! Worked like a charm.

 

[greggyspleens]

Hey everyone, im having a problem trying to use lockpick rcm but im having the problem that it doesnt recognise the files in my sept folder? it know it recognises the folder because it copies the payload in there. Im copying the sept folder straight from the latest atmosphere. Anyone able to help me out?
Im on sxos 2.9.2, ive tried both the sx launcher and chainloading hekate then using lockpick but still doesnt work

 

[shchmue]

Hey everyone, im having a problem trying to use lockpick rcm but im having the problem that it doesnt recognise the files in my sept folder? it know it recognises the folder because it copies the payload in there. Im copying the sept folder straight from the latest atmosphere. Anyone able to help me out?
Im on sxos 2.9.2, ive tried both the sx launcher and chainloading hekate then using lockpick but still doesnt work

try injecting directly, sx does something weird for hwinit that can cause unusual behavior

 

[linuxares]

@shchmue do you wish to have your topic renamed?

 

[shchmue]

@shchmue do you wish to have your topic renamed?

Ah yeah that's a good idea, it was just called that for a snappy title for the frontpage on release

 

[greggyspleens]

try injecting directly, sx does something weird for hwinit that can cause unusual behavior

Hey thankyou for the reply i tried injecting the payload directly over usb, still doesn't recognise the files within the sept folder still. I tried also copying the entire atmosphere folder over but then it only does the lower fw keys (it fails due to corruption). Im on sysnand 9.01 and sx 2.9.2.

 

[shchmue]

Hey thankyou for the reply i tried injecting the payload directly over usb, still doesn't recognise the files within the sept folder still. I tried also copying the entire atmosphere folder over but then it only does the lower fw keys (it fails due to corruption). Im on sysnand 9.01 and sx 2.9.2.

when you say it doesn’t recognize the sept folder, what is the error you see?

 

[greggyspleens]

when you say it doesn’t recognize the sept folder, what is the error you see?

This was the same error i was getting, i fixed it now. you have to use the sept folder from kosmos, atmposhere's current release on github has a different sept folder. I think current atmosphere makes the binary on the run after finding make files, no .bin's in them like the kosmos.

aHR0cHM6Ly9nYmF0ZW1wLmItY2RuLm5ldC9hdHRhY2htZW50cy8yMDE5MDgzMV8xOTAyMDEtanBnLjE3ODAzNS8=
(image is bse 64 cause wont let me post link, its a picture thats in this thread)

 

[shchmue]

they're identical

 

[urherenow]

some combinations of Antivirus/WIndows settings 'block' downloaded .zip files. Try right-clicking on the .zip file and go to properties. If there is an option at the bottom to UNBLOCK, do that, then open and extract afterwards. Make sure none of the files on the SD end up being 0 byte files...

 

[greggyspleens]

yeah...right, i must be stupit as lol. When i download atmosphere from github its different so i probably just have no idea how to use github. Thanks anyway!! maybe this well help someone in the future

 

[shchmue]

oh. you downloaded the source code, not the release from the release page

 

[Scried]

Thanks for your work @shchmue, but it's not working for me and I'm not sure what I'm doing wrong. I have put the /sept folder from the latest Atmosphere 0.9.4 on the root of my SD-card, containing the payload.bin, sept-primary.bin, sept-secondary.bin, sept-secondary_00.enc and sept-secondary_01.enc files (replaced them a few times already) and launch the latest Lockpick_RCM.bin v1.7.1 payload using TegraRcmGUI. The payload launches just fine, but when I select the Dump from SysNAND | Key generation 9 options, it says the following:

MMC init... done int **** us
On firmware 7.x+ but Sept is missing.
Skipping new key derivation...
TSEC key(s)... done in ***** us
Master keys... done in **** us
Unable to derive Package2 key.

And then it just hangs and I have to turn off my Switch and there is nothing in my /switch folder on my SD-card. Any idea what I'm doing wrong?

Edit: So I thought maybe there was something wrong with my SD-card, but when I select Payloads within the menu is does say it is unable to find any payloads or modules, but when I remove the SD-card it says it failed to initialise the SD-card. So it does recognise that the SC-card is there. I also tried an older version of Lockpick_RCM, version 1.4.0, which unfortunately did not work as well. It does run, but it again states /sept is missing and again fails to derive Package2 key. This time it did state it wrote the to switch/prod.keys, but when I checked myself the file is not there.

 

[shchmue]

Can you try on another card? Or at least run chkdsk on this card? It doesn't bode well that it can't stat the sept folder.

 

[Scried]

Can you try on another card? Or at least run chkdsk on this card? It doesn't bode well that it can't stat the sept folder.

I don't have one at this moment, but I'm planning to buy one with a decent size this holiday. This card is an old, original 2GB SD-card (no SDHC or SDXC) which I had still lying around and it's working fine since ChkDsk and H2testw completed without errors.

 

[shchmue]

I don't have one at this moment, but I'm planning to buy one with a decent size this holiday. This card is an old, original 2GB SD-card (no SDHC or SDXC) which I had still lying around and it's working fine since ChkDsk and H2testw completed without errors.

none of the switch tools support below 4gb