This thread is deprecated
For a faster, easier and more up-to-date way of getting keys use Lockpick_RCM by shchmue
If you still want to follow this tutorial and end up with less keys, continue reading the Thread.

WARNING

• DO NOT GIVE OUT ANY OF YOUR KEYS TO ANYONE! I CANNOT STRESS THAT ENOUGH!
• DO NOT SHARE YOUR KEYS BETWEEN MULTIPLE SWITCHES THAT YOU DO/DON'T OWN! SOME ARE CONSOLE-UNIQUE
• DO NOT ASK ME FOR KEYS

LEGEND

• SBK
  SecureBootKey
• TSEC
  Tegra Security Co-processor Key
• eMMC
  Embedded MultiMediaCard (Switch's Onboard Storage)

GOAL
End up with 83+ keys including SBK and TSEC keys. Get Master Key's 0-5. (Master Keys 6 onwards is not done in this tutorial)
Reminder, if you want more up-to-date and much more convenient way to get your Switch's Keys, use Lockpick by shchmue (available in nx-appstore/homebrew store)

Tutorial — (Outdated for Switch's on firmware 6.x or newer)

#1 - Dumping System Keys (Biskeydump)#2 - Dumping Required Files#3 - Hactool Preparation#4 - Dumping KeysFinal WordsTroubleshooting

1. 
   We need to get your Secure Boot Key (SBK) and Tegra Security Co-processor Key (TSEC) before we can get the main keys.
   These are 100% console unique.
   
   
   1. Download and extract biskeydump.bin from biskeydumpvx.zip
      - Follow this tutorial but instead of using CTCaer's Hekate Mod .bin file, use the biskeydump.bin file
      - If the QR Code is Blue, Scan the QR Code with your Phone, Laptop e.t.c
      - If you cant find a device you can scan with, type them out into your PC/Laptop (Its highly recommended to scan the QR Code, as a lot of characters can look like another, O0, Il, rn can look like m, e.t.c)
   2. Once you have the biskeydump of your System, store all the keys you received somewhere safe, I recommend a secure cloud storage aswell as a USB Stick, perhaps even print it.
      - Don't give this to ANYONE, Seriously.
   
   If you get any errors please go to the Troubleshooting Tab.
   
2. 
   
   1. Follow this tutorial AGAIN but this time use CTCaer's Hekate Mod.
      - "Tools" -> "Backup..." -> "Backup eMMC BOOT0/1"
      - "Tools" -> "Backup..." -> "Backup eMMC SYS"
      - Back all the way to the first menu, and choose "Power off"
   2. Take the microSD Card out of your Switch and into your PC.
   3. Copy both "BOOT0" and "BCPKG2-1-Normal-Main" from "sd:/backup/xxxxxx/" (xxxxxx is different for everyone) to "hactool" on your Desktop (create the "hactool" folder)
      - Rename them with .bin at the end, "BOOT0.bin", "BCPKG2-1-Normal-Main.bin"
3. 
   
   1. Download and install Python 2.7.x - NOT Python 3.x.x
      When installing, it will ask you what features you want installed, scroll to the bottom and make sure "Add Python to Path" has "Entire Feature Installed to HDD" option chose (No Red X Icon), otherwise the scripts wont find Python and WILL fail
   2. Download and extract hactool TO THE DESKTOP AND NAME THE FOLDER "hactool"
      On Linux/MacOS: clone and build hactool manually
   3. Right-click this (script originally by tesnos6921, patched by shadowninja108, jakibaki and shchmue)
      - Click "Save link as" / "save as"
      - Set "Save as type" to "All Files"
      - Name it "keys.py"
      And finally save it to the hactool folder you placed in the Desktop.
      NOTICE TO GBATEMP STAFF: The "keys" inside this file, are NOT keys, they are SHA digest hashes used to search through files to find text that matches, which would be the keys.
4. 
   
   1. Press WIN(Btn)+R to open "Run", type "cmd" and press Ctrl+Shift then Enter to open Command Prompt as an Administrator
   2. Type (in order) or Copy the following and paste into Command Prompt (Some Windows Versions use Right Click to Paste, some use CTRL+C)
      python -m pip install --upgrade pip
      pip install lz4
      cd Desktop/hactool
      python keys.py SBK_Here_From_Biskeydump TSEC_Here_From_Biskeydump
   3. It should say: "Now you can do hactool --keyset=keys.txt to use them!", if it does, and there's no warning messages, you're good to go!
   If you get any errors please go to the Troubleshooting Tab.
   
5. 
   You now have a keys.txt file with your console-specific keys inside.
   Rename as needed by any software that requires a different name or file extension, it doesn't matter.
   Though I highly recommend renaming it to prod.keys as this filename for Key file's is becoming a popular choice with other software
   There may be more keys, as the Switch's lifecycle goes on, more and more keys will be needed as the firmwares grow and grow.
   
   • The Hactool warning:

     [WARN] prod.keys does not exist.

     can be safely ignored.
     - if you want to place your "keys.txt" file their, put "keys.txt" on your Desktop and run the following with Administrator Command Prompt (Step #4.1 for instructions):
     

     mkdir -p %USERPROFILE%\.switch
     move "%USERPROFILE%\Desktop\keys.txt" "%USERPROFILE%\.switch\prod.keys"

6. 
   #1 ISSUES:
   

   • Red QR Code Outline

     - The reasons this can occur is quite a rarity, all I can say is to keep rebooting and trying again.
     - If there's a new version of biskeydump out, try using the newer biskeydump.bin

   • QR Code not being scanned by your Reader

     - Align your QR Code Readers alignment overlay with the Blue Square's Corners/Edges, NOT the QR Code's Corners/Edges.
     - Clean your camera lens
     - Be in a bright room
   
   #4 ISSUES:
   

   • File "keys.py", line ...
     print message
     ^
     SyntaxError: Missing parentheses in call to 'print'. Did you mean print(message)?

     - You didn't place SBK and TSEC in the 4th line of the Command in Step #4.2
     - You installed Python 3.x.x when you must use 2.7.x, uninstall python, logout of windows (important it removes python from PATH) and follow Step #3.2 then move back to #4.1

   • import lz4.block
     File "C:\Python27\lib\site-packages\lz4\__init__.py", line 17, in <module>
     from ._version import ( # noqa: F401
     ImportError: DLL load failed: The specified module could not be found.

     - The 2nd line of the Command in Step #4.2 failed without you noticing. Try running the 1st line to upgrade pip and if that goes successfully run the 2nd line to install lz4 and see if it successfully installs.

 

[kokoxp]

oye, que pena volverte a molestar me sale esto

hactool --keyset= keys.txt
Failed to read NCA header!
Invalid NCA header! Are keys correct?
Done!

Do you get that error when executing the script?, or you are using the incomplete keys.txt (without the execution of the script ending).

Spanish:
¿Te da ese error al ejecutar el script?, o estás usando el keys.txt incompleto (sin que terminara el script).

 

[jacobfernando]

Do you get that error when executing the script?, or you are using the incomplete keys.txt (without the execution of the script ending).

Spanish:
¿Te da ese error al ejecutar el script?, o estás usando el keys.txt incompleto (sin que terminara el script).

only when i do
hactool --keyset= keys.txt

 

[kokoxp]

only when i do
hactool --keyset= keys.txt

Run the keys.py script again because you are missing keys. If it ends with an error the keys.txt file will be incomplete.
Check that the SBK and TSEC keys are correct.

Spanish:
Vuelve a ejecutar el script keys.py, porque te faltan keys. Si el script termina con un error el archivo keys.txt no contendrá todas las keys necesarias.
Comprueba que las keys SBK y TSEC sean correctas (necesarias para decodificar los archivos que contienen el resto de keys).

 

[jacobfernando]

Run the keys.py script again because you are missing keys. If it ends with an error the keys.txt file will be incomplete.
Check that the SBK and TSEC keys are correct.

Spanish:
Vuelve a ejecutar el script keys.py, porque te faltan keys. Si el script termina con un error el archivo keys.txt no contendrá todas las keys necesarias.
Comprueba que las keys SBK y TSEC sean correctas (necesarias para decodificar los archivos que contienen el resto de keys).

i got 21 keys how many are there?

i didnt get any errors or warnings

 

[kokoxp]

i got 21 keys how many are there?

i didnt get any errors or warnings

I got 29 keys.

Spoiler: list of keys

header_key_source =
key_area_key_system_00 =
tsec_key =
aes_key_generation_source =
sd_card_nca_key_source =
titlekek_00 =
keyblob_mac_key_00 =
master_key_00 =
key_area_key_system_source =
aes_kek_generation_source =
encrypted_header_key =
keyblob_mac_key_source =
sd_card_kek_source =
key_area_key_ocean_00 =
keyblob_00 =
key_area_key_application_source =
package1_key_00 =
package2_key_source =
key_area_key_ocean_source =
key_area_key_application_00 =
sd_card_save_key_source =
header_kek_source =
secure_boot_key =
header_key =
titlekek_source =
keyblob_key_00 =
keyblob_key_source_00 =
master_key_source =
package2_key_00 =

What are you missing?

 

[jacobfernando]

i got 21 keys how many are there?

i didnt get any errors or warnings

now i dont know what i have done but is showing me this.

Using BOOT0.bin to get keys from package1...
Deriving keys...
Decrypting package1...
Failed to decrypt PK11! Is correct key present?
Using Secure_Monitor.bin to get keys to decrypt package2...
Traceback (most recent call last):
File "keys.py", line 390, in <module>
TZ_f = open("package1/Secure_Monitor.bin", "rb")
IOError: [Errno 2] No such file or directory: 'package1/Secure_Monitor.bin'

 

[kokoxp]

now i dont know what i have done but is showing me this.

Using BOOT0.bin to get keys from package1...
Deriving keys...
Decrypting package1...
Failed to decrypt PK11! Is correct key present?
Using Secure_Monitor.bin to get keys to decrypt package2...
Traceback (most recent call last):
File "keys.py", line 390, in <module>
TZ_f = open("package1/Secure_Monitor.bin", "rb")
IOError: [Errno 2] No such file or directory: 'package1/Secure_Monitor.bin'

Obtain the SBK and TSEC_KEY keys again from the Switch and check that they are OK.

 

[jacobfernando]

Obtain the SBK and TSEC_KEY keys again from the Switch and check that they are OK.

yep they are...

now i triedagain and this came up

Using BOOT0.bin to get keys from package1...
Deriving keys...
Decrypting package1...
Using Secure_Monitor.bin to get keys to decrypt package2...
Decrypting package2...
Decompressing spl.kip1 and FS.kip1...
Getting keys from spl...
Getting keys from FS...
Doing final key derivation...
If there were no warnings, we found all the keys!
Now you can do hactool --keyset=keys.txt to use them!


i think i got all from the list now

 

[kokoxp]

yep they are...

now i triedagain and this came up

Using BOOT0.bin to get keys from package1...
Deriving keys...
Decrypting package1...
Using Secure_Monitor.bin to get keys to decrypt package2...
Decrypting package2...
Decompressing spl.kip1 and FS.kip1...
Getting keys from spl...
Getting keys from FS...
Doing final key derivation...
If there were no warnings, we found all the keys!
Now you can do hactool --keyset=keys.txt to use them!

Ufffff.
I'm happy.

 

[jacobfernando]

Ufffff.
I'm happy.

thanks for your help

so what do i do now?

just

hactool --keyset=keys.txt

 

[kokoxp]

thanks for your help

so what do i do now?

just

hactool --keyset=keys.txt

You're welcome!

With "hactool --keyset = keys.txt" you indicate where the file with the keys is, but it depends on what you want to do. Run "hactool" without options so you can see the possibilities.
Save the keys.txt file in a safe place.

 

[jacobfernando]

You're welcome!

With "hactool --keyset = keys.txt" you indicate where the file with the keys is, but it depends on what you want to do. Run "hactool" without options so you can see the possibilities.
Save the keys.txt file in a safe place.

im trying to use the keys for choidujour
but i get this error
Input source firmware package path C:\Users\****\Desktop\NintendoSwitch\ChoiDujour102\firmware doesn't exist!

and i thoght it was the keys

 

[Naster]

While 40 will do for most decrypting, you MIGHT need more keys for some titles.

Is there a list of these titles? Just to be sure. It seems that Axiom Verge and Lego Incredibles require these keys.

 

[Deleted User]

helpp

(I've installed python 2.7.15 and uninstalled 3.5)

 

[tyler004]

so question I have the other keys how would I place them do I have to place all the list of keys in or just the master keys 1-3 cuz trying to decrypt skryim and section 0 fails one thing I used said need master key 002

 

[PEKKA4597]

EDIT: I am not having that problem anymore, but I only seem to have master key 0 and 4, not 0 through 4

 

[tyler004]

so I figured out the problem I had with master keys 1-3 take the file it gives you, add the keys from google at the bottom and make sure it`s not just one giant line separate all the different keys in the text file you got from the first steps

 

[Deleted member 399513]

It seems like The End is Nigh, Owlboy and Voez need all 80 keys to be decrypted, is there a way to obtain the other 40? Also, is there a list of games that work with just 40 keys?

 

[tyler004]

that's not true ppl have voez running mods with this regular keys it gives u plus the extra master keys 1-3 cuz section 0 will be corrupt if you don`t have the right master code that's how I made skyrim decrypt cuz I was missing master code 2 ,use xci explorer it will tell u wats missing

 

[Deleted member 399513]

that's not true ppl have voez running mods with this regular keys it gives u plus the extra master keys 1-3 cuz section 0 will be corrupt if you don`t have the right master code that's how I made skyrim decrypt cuz I was missing master code 2 ,use xci explorer it will tell u wats missing

Thanks for the advice, I'm gonna try it later.
Edit: So I loaded the Owlboy .xci file and it tells me that the master key 03 is missing, what do I do now?