Lockpick_RCM is a bare-metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.
Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment, however, there are fewer limitations.
- Launch Lockpick_RCM.bin using your favorite payload injector
- Upon completion, keys will be saved to /switch/prod.keys on SD
- If the console has Firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip, containing both sept-primary.bin and sept-secondary.enc, must be present on SD, or else only keyblob master key derivation is possible (i.e. up to master_key_05 only)
What's new in version 1.9.0
Big release! If you can load payloads on your Mariko or patched Erista console, you can now dump keys with Lockpick_RCM!
Thanks loads to CTCaer, SciresM, Shadów, balika011, and averne for information, advice, and help testing!
To get your SBK or the Mariko-specific keys, you will need to use the /switch/partialaes.keys file along with a brute-forcing tool such as https://files.sshnuke.net/PartialAesKeyCrack.zip. I will test out a userland homebrew for this purpose soon. The contents of this file are the keyslot number followed by the result of that keyslot encrypting 16 null bytes. With the tool linked above, enter them in sequence for a given keyslot you want the contents of, for example: PartialAesKeyCrack.exe <num1> <num2> <num3> <num4> with the --numthreads=N option, where N is the number of threads you can dedicate to the brute force.
The keyslots are as follows:
- 12 - Mariko KEK (this is used for master key derivation)
- 13 - Mariko BEK (this is used for package1 decryption)
- 14 - console-unique SBK (this isn't needed for further key derivation)
- 15 - console-unique SSK (this is used on dev only)