Author: shchmue

Name: Lockpick_RCM , version: 1.7.1
Author: shchmue
Filesize: 0 MB (83 Bytes), extracted: 0 MB (126 Bytes)
Changelog: v1.7.1

Fixes freezes under certain conditions, now has a Payload menu like Hekate's that allows chainloading to payloads in bootloader/payloads, atmosphere/reboot_payload.bin, or ReiNX.bin


Lockpick_RCM now parses the ES save files correctly for much quicker Titlekey extraction, ie linear in number of titlekeys rather than checking the whole save container

Huge thanks to @Thealexbarney for an excellent source of truth on save parsing in the form of https://github.com/Thealexbarney/LibHac/ and for answering so many questions about it on top of all the hard work reversing FS and constantly improving LibHac

Also corrected a major bug in Hekate's heap code (please do the same if you use Hekate code in your own projects! ref CTCaer/hekate#300 ) and eliminated a few of my own memory leaks, both guaranteed and potential


File write validation is sufficient


Fixes bad directory check preventing writing keyfiles


When I added Minerva and titlekey dumping I moved the key save text buffer from a zero-initialized stack array to the heap, and forgot to zero-initialize, followed by many perilous calls to strlen on the buffer which wasn't guaranteed any nulls to terminate! This resulted in a hang while saving keys and/or corrupt key files


Added titlekey dumping! With CTCaer's Minerva it runs in 20-25s depending on sys/emunand, or 40-50s without.
Also added key generation number display to main menu to help guide your sysnand/emunand dumping decision.


Now lets users choose whether to dump keys from sysNAND or emuMMC. Also a fix for BIS key generation on consoles released after firmware 5.0.0 (presently it's rare that these have code execution, but eventually this will apply to more).


Added Keys for 9.0.0
Also added BPMP overclock


Supports new keys if run on firmware 8.1.0.


The main visible differences are that if it's run on a dev console it will correctly name the key file dev.keys and if an upgrade or downgrade fails to install a matching set of package1 and package2, Lockpick_RCM will try every key it can instead of giving up on finding FS keys.


Fix smmu emulation for tsec on 6.2.0


Now includes support for firmware 8.0.0 along with a big speed increase thanks to advice from CTCaer. Interpolated recent hekate bugfixes as well
Updated: 2020-02-24
Licensed with GPLv2
Details: Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!


Launch Lockpick_RCM.bin using your favorite payload injector
Upon completion, keys will be saved to /switch/prod.keys on SD
If the console has Firmware 7.x, the /sept/ folder from Atmosphère or Kosmos release zip containing both sept-primary.bin and sept-secondary.enc must be present on SD or else only keyblob master key derivation is possible (ie. up to master_key_05 only)
Big thanks to CTCaer
For Hekate and all the advice while developing this!

Known Issues

Chainloading from SX will hang immediately due to quirks in their hwinit code, please launch payload directly