Lockpick_RCM payload - Official Thread


Description

Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Source: https://github.com/shchmue/Lockpick_RCM
Payload: https://github.com/shchmue/Lockpick_RCM/releases

Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there are fewer limitations. That means the new keys are finally easy to dump!

Usage
  • Launch Lockpick_RCM.bin using your favorite payload injector, or chainload it from Hekate by placing it in /bootloader/payloads
  • Upon completion, keys will be saved to /switch/prod.keys on SD
  • If the console has firmware 7.x, the /sept/ folder from the Atmosphère or Kosmos release zip, containing both sept-primary.bin and sept-secondary.enc, must be present on SD; otherwise only keyblob master key derivation is possible (i.e. up to master_key_05 only)
Big thanks to CTCaer for Hekate and all the advice while developing this!

Known Issues
  • Chainloading from SX will hang immediately due to quirks in their hwinit code; please launch the payload directly
 

Attachments

  • AB1248EA-8BB9-448B-83F5-FF68C2579FB1.jpeg (11.2 KB)
Last edited by shchmue,
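Added example (not code from Lockpick_RCM or from anyone in this thread): a small Python checker for the prod.keys file the payload writes. It assumes the `name = hex` one-entry-per-line layout that hactool-style key files use, parses it, reports malformed, duplicate or wrong-sized entries instead of silently dropping them, and reports the highest master_key_NN present, which is the quick way to tell whether a 7.x dump stopped at master_key_05 because /sept/ was missing. The sample file content is constructed with all-zero placeholder values; the expected byte lengths (16 for master keys, 32 for header_key) are an assumption stated in the code.

```python
"""Parse a hactool-style prod.keys file and sanity-check the dump."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input in the "name = hex" layout that hactool-style
# prod.keys files use. The values are all-zero placeholders, NOT real keys,
# and one line is deliberately malformed to show how a bad dump is reported.
SAMPLE_PROD_KEYS = """\
; comment line, ignored
master_key_00 = 00000000000000000000000000000000
master_key_05 = 00000000000000000000000000000000
master_key_06 = 00000000000000000000000000000000
header_key    = 0000000000000000000000000000000000000000000000000000000000000000
bad_entry     = zz00
"""

# One "name = hex" entry per line; whitespace around '=' is optional.
KEY_LINE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]*)$")
MASTER_KEY = re.compile(r"^master_key_([0-9a-fA-F]{2})$")

# Expected sizes in bytes for named entries. Assumption: master keys are
# AES-128 (16 bytes) and header_key is an AES-XTS key pair (32 bytes).
EXPECTED_SIZES = {"header_key": 32}


def parse_keyset(text: str) -> Tuple[Dict[str, bytes], List[str]]:
    """Return (keys, problems). Malformed, duplicate or wrong-sized lines are
    reported rather than silently dropped, so a truncated or hand-edited
    dump is noticed before a downstream tool fails on it."""
    keys: Dict[str, bytes] = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank or comment line
        m = KEY_LINE.match(line)
        if not m or not m.group(2) or len(m.group(2)) % 2:
            problems.append(f"line {lineno}: malformed entry {line!r}")
            continue
        name, hexval = m.groups()
        if name in keys:
            problems.append(f"line {lineno}: duplicate key {name}")
            continue
        value = bytes.fromhex(hexval)
        expected = EXPECTED_SIZES.get(name, 16 if MASTER_KEY.match(name) else None)
        if expected is not None and len(value) != expected:
            problems.append(
                f"line {lineno}: {name} is {len(value)} bytes, expected {expected}"
            )
            continue
        keys[name] = value
    return keys, problems


def highest_master_key(keys: Dict[str, bytes]) -> Optional[int]:
    """Highest NN among master_key_NN entries, or None if there are none."""
    indices = [int(m.group(1), 16) for name in keys if (m := MASTER_KEY.match(name))]
    return max(indices) if indices else None


def sept_derivation_succeeded(keys: Dict[str, bytes]) -> bool:
    """Per the usage note above, a 7.x dump made without /sept/ on SD stops at
    master_key_05; anything above that means the sept-assisted path ran."""
    top = highest_master_key(keys)
    return top is not None and top > 5


if __name__ == "__main__":
    parsed, issues = parse_keyset(SAMPLE_PROD_KEYS)
    print(f"{len(parsed)} keys parsed, highest master key index: {highest_master_key(parsed)}")
    print("sept-assisted derivation succeeded:", sept_derivation_succeeded(parsed))
    for issue in issues:
        print("problem:", issue)
```

To run it against a real dump, replace SAMPLE_PROD_KEYS with the contents of /switch/prod.keys read from the SD card; the parser never prints key bytes, only names, sizes and line numbers.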

Lumince

Because the people at wiidatabase.de dislike this thread/my payload because there is no source code (even though they link and feature DBI, which is closed source), I will give any person that is somewhat known in the scene permission for the private GitHub repo (just hit me up). I don't like it being private, but it's just what it is after the DMCA attacks.

Also wiidatabase, fix the crooked moral compass you got going on lmao.
As long as it works and I don't see smoke coming out of my Switch, I (and many others) don't care about source code for this, lol. This project is something that the scene will need with every major update.

8BitWonder

You seem to be misunderstanding something. I did not ask them nor wanted them to host my payload. I don't care about that.
Their note about my comment (that the payload can be found here) can be translated to "yeah sure, and download a binary without source code", which simply is a double standard when featuring DBI.

It does not matter how well known someone is, how long a piece of software has existed and how well established whatever it is happens to be. The source is private. There is absolutely no difference.
To play devil's advocate, running a payload whose source is private is much more dangerous than running a homebrew application whose source is private. It's understandable they'd have less issue with DBI binaries vs Lockpick_RCM.

While it's good that more than one person is keeping Lockpick_RCM updated, it's sensible that they're not encouraging folks to use a payload binary without its source vs the public repository/builds that suchmememanyskill is hosting.
 
Last edited by 8BitWonder,

impeeza

Wouldn't it be possible to program the software to check a folder with the latest code from AMS to decipher the keys?

I am not sure where, or even if, the keys are somewhere in a compiled Atmosphère release (never checked it). But yeah, something automated should be possible (either by providing the files from AMS to Lockpick and building, or grabbing the keys somewhere at "runtime").
I get a little bit confused about this, but I think Sys-Patch (https://github.com/ITotalJustice/sys-patch) is a sysmodule which does that "on the fly".

Atmosphère will never include any code to bypass some type of security which enables, arggh, "piracy".
 

Slluxx

I get a little bit confused about this, but I think Sys-Patch (https://github.com/ITotalJustice/sys-patch) is a sysmodule which does that "on the fly".

Atmosphère will never include any code to bypass some type of security which enables, arggh, "piracy".

No, sys-patch is generating fs/es patches on boot, not extracting or doing anything with prod or title keys.
I looked a bit into it and the keys needed should be somewhere in the AMS package3 file, which Hekate can read and extract if fss0 is defined in the settings. I've been looking at that to get a gist of what's going on. I bet other devs could whip out something really fast, but I am not that deep into C or how AMS works. I'll keep poking at it though.
 

Brawl345

Because the people at wiidatabase.de dislike this thread/my payload because there is no source code (even though they link and feature DBI, which is closed source), I will give any person that is somewhat known in the scene permission for the private GitHub repo (just hit me up). I don't like it being private, but it's just what it is after the DMCA attacks.

Also wiidatabase, fix the crooked moral compass you got going on lmao.
I explained to you that I have no problem hosting proprietary homebrew. The problem is that you distribute GPLv2 software without the source code. If you are (rightfully) scared of the DMCA, you should not host on GitHub.
I don't even understand why you felt the need to post the comment on WiiDatabase.de ("or you could just go to the GBATemp thread where it continues as normal") when a) it's a completely different website, b) I already posted the update by suchmememanyskill who provided source code directly and c) many people read WiiDB *because* they don't (want to) follow GBATemp threads.

"I will give any person that is somewhat known in the scene permission" is still a violation btw.

I also don't get why you feel the need to attack me here (without even mentioning me). Completely unnecessary.

There is just a difference between you and the dev from DBI
I don't make a difference. I've also hosted tools from people completely new to the scene when they meet my quality standards.

So I won't respond to other comments about this.
Then don't start a discussion if you don't want to discuss, otherwise it's just an attack.

don't care about source code for this
But I do, because a software license violation (as simple as "not stating the license") led to a different German homebrew site getting taken down by their webhoster in the past. Also, sharing is caring ;)

Slluxx

I explained to you that I have no problem hosting proprietary homebrew. The problem is that you distribute GPLv2 software without the source code. If you are (rightfully) scared of the DMCA, you should not host on GitHub.
I don't even understand why you felt the need to post the comment on WiiDatabase.de ("or you could just go to the GBATemp thread where it continues as normal") when a) it's a completely different website, b) I already posted the update by suchmememanyskill who provided source code directly and c) many people read WiiDB *because* they don't (want to) follow GBATemp threads.

"I will give any person that is somewhat known in the scene permission" is still a violation btw.

I also don't get why you feel the need to attack me here (without even mentioning me). Completely unnecessary.

I don't make a difference. I've also hosted tools from people completely new to the scene when they meet my quality standards.

Then don't start a discussion if you don't want to discuss, otherwise it's just an attack.

But I do, because a software license violation (as simple as "not stating the license") led to a different German homebrew site getting taken down by their webhoster in the past. Also, sharing is caring ;)

Well, if you had said that in your first comment, I would have somewhat understood. However, you invented a reason in the second comment, which was created/seen after I made this post, and anyone can say anything afterwards. Your first comment (again, it's only about that) is clearly generally against everything without source, with no mention of anything else.

About not mentioning you, that's just because how am I supposed to know that you are here or who you are if you don't share the same username? I don't care enough to look it up if it is mentioned somewhere.

Then don't start a discussion
It was never a discussion. It was an information that, because of your first comment, anyone who wants the source can get it. And it was one sentence of my personal opinion, which I had and have no further intention to talk about. Apparently others feel the need to discuss that though.

I'll publish a mirror of my source somewhere. I didn't do it because it is a pain, but I have no intention of keeping it private just so it's private.
 
Last edited by Slluxx,

Brawl345

invented a reason
Your first comment (again, it's only about that) is clearly generally against everything without source
Isn't it more like you invented this reason in your head for me instead of asking what the problem is? You gave a snarky comment first and I followed it up with a snarky reply.

anyone can say anything afterwards
This is not the level on which I discuss. Why should I?

how am I supposed to know that you are here or who you are if you don't share the same Username
That was a trick question ;) - then why bring it up here at all if all you want is to attack me?

It was an information that
No it was an attack because you could just not have mentioned the discussion on WiiDB and the outcome would've been the same.
 

Slluxx

instead of asking what the problem is?
In what world do I have to read your comment, which gives a reason/problem, and then have to ask what the actual problem is?
The problem you had was clearly the source code not being available. It is literally what you wrote. Why would I expect and ask for another reason?

I just wanted to inform that things are moving here too. It wasn't intended as a snarky comment or a jab at anyone else continuing the project. If you feel that way, sorry.
This is not the level on which I discuss. Why should I?
I can just say again that I created the post in regards to your first comment, and even linked that one, where no mention of any issues regarding the license had taken place. Yet you defend yourself (in your first post here) with a comment you made on WiiDB after the one I am talking about.

then why bring it up here at all if all you want is to attack me?
You were right about there being no source, and I wanted to at least give partial access if someone is interested. The reason for that being your comment, which, just based on that single comment, is still morally crooked. At the very least it's poor communication if your reason was always licensing, yet you commented just about no source being available.

No it was an attack because you could just not have mentioned the discussion on WiiDB and the outcome would've been the same.
I could have brought this up, sure. However, unlike you, I never saw it as a discussion nor wanted a discussion about my personal opinion. You framing my opinion as an attack that could have gotten under very fast is just something else. If I really wanted to attack you, I would have created a blog post or something that far more people would see and comment on. If anything, it wasn't more than a small vent.
 
Last edited by Slluxx,

Lumince

But I do because a software license violation (as simple as "not stating the license") led to a different German homebrew site getting taken down by their webhoster in the past. Also, sharing is caring ;)
I'd rather have the project exist over a DMCA takedown that happened elsewhere. What happens then? We risk losing another dev that is willing to actually update force-abandoned projects like this that are needed. I care more about the project that actually helps people over a license violation. It all comes down to one thing really: "Fuck Nintendo".
 

Brawl345

Why would I expect and ask for another reason?
Not my problem? You should not assume something that was never said.

I just wanted to inform that things are moving here too
You did so in a rude way that was completely unnecessary, because I already posted the update by another dev. I don't even know which of you was first, but a) suchmememanyskill had the code public and b) someone notified me about his fork.

nor wanted a discussion about my personal opinion
You did, because you literally said this:
Also wiidatabase, fix the crooked moral compass you got going on lmao.
If this is not an attack, then what is it? Don't start a fight if you can't handle the backlash.

DMCA take down
Nintendo could still issue a takedown for the binaries, no source code needed (besides, Nintendo didn't issue the takedown, but it's more or less the same outcome).
 

urherenow

The keys to update lockpick/picklock are right here in the Atmosphere repository. You just have to update /source/keys/crypto.h and /source/keys/key_sources.inl with the new keys provided by atmosphere. If you look at my commits, they make it pretty clear what goes where.
Thank you so much for this info!

Only... it's a bit hard to see what went where in a commit since the GitHub pages are gone. For the inexperienced like myself, I can only think of listing commits in the command line to find an appropriate one, checking out the older commit, then copying the directory somewhere, then going back to the latest and running a diff. Is there an easier way to do this locally in a terminal/command line? I'm sure once I figure it out once, it will be a piece of cake from then on.

Edit: started to make the changes myself, but can't seem to find mariko_master_kek sources in the ATM repo. Also not quite sure if I got the correct master_kek_sources... would that be the "Device Master Key Source Kek Source"? Please DM me if you would be so kind, but I don't care to make it a public post.

Edit2: well, I at least successfully made changes and built with zero errors. Took a minute to figure out some excess elements warnings. The initializers seem to use major versions to determine the number of keys, I guess, but there was a +1 in those spots instead of +2 (because there are 2 new keys for 6 (6.0.0, 6.2.0) AND for 9 (9.0.0, 9.1.0)). Now I guess I wait until my port call is over to see if I did it correctly. Didn't carry my Switch with me. My laptop is heavy enough.

Edit3: lol... the quoted post didn't mention fixing hos.h. I was wrong about changing +1 to +2... even though it would *work*. Figured out how to make a diff patch between commits, so my initial "Only..." point is no longer relevant to me. Love figuring out new things without being spoon-fed :)
 
Last edited by urherenow,

Slluxx

Thank you so much for this info!

Only... it's a bit hard to see what went where in a commit since the GitHub pages are gone. For the inexperienced like myself, I can only think of listing commits in the command line to find an appropriate one, checking out the older commit, then copying the directory somewhere, then going back to the latest and running a diff. Is there an easier way to do this locally in a terminal/command line? I'm sure once I figure it out once, it will be a piece of cake from then on.

Edit: started to make the changes myself, but can't seem to find mariko_master_kek sources in the ATM repo. Also not quite sure if I got the correct master_kek_sources... would that be the "Device Master Key Source Kek Source"? Please DM me if you would be so kind, but I don't care to make it a public post.

Edit2: well, I at least successfully made changes and built with zero errors. Took a minute to figure out some excess elements warnings. The initializers seem to use major versions to determine the number of keys, I guess, but there was a +1 in those spots instead of +2 (because there are 2 new keys for 6 (6.0.0, 6.2.0) AND for 9 (9.0.0, 9.1.0)). Now I guess I wait until my port call is over to see if I did it correctly. Didn't carry my Switch with me. My laptop is heavy enough.

Edit3: lol... the quoted post didn't mention fixing hos.h. I was wrong about changing +1 to +2... even though it would *work*. Figured out how to make a diff patch between commits, so my initial "Only..." point is no longer relevant to me. Love figuring out new things without being spoon-fed :)
I will make a public mirror of my repo next week. I don't have my laptop/PC with me either, so doing that now or guiding you there would be a pain which I don't really want to deal with (sorry). Once my repo is public, you will see and understand everything.

May I ask why you are trying to do this yourself?
 

urherenow

May I ask why you are trying to do this yourself?
I always do (well… git pull and rebuild, but it's not that simple without access to a repo). Mostly because I spend half of the year out to sea, where I can't access most sites, including GBATemp. I'm actually at a port call right now and very soon won't be seen back here until late November.

Edit: couldn't sleep so I grabbed the ATM release source for 16.1.0 to sanity check a couple of my assumptions, and I'm pretty sure I did it all correctly. I'll know what to do when new keys come out again, as long as there aren't any keygen changes...
 
Last edited by urherenow,

urherenow

Back from deployment! And it only took me 10 minutes or so to figure out the question to my last post (but couldn't access this site again until now). 1) That particular bit is only for Erista, and I only brought my OLED with me, and 2) that key does not, in fact, exist in the secmon_boot_key_data.s file that we were told to use for this purpose. It exists in fusee_key_derivation.cpp. So without further ado, here's a cheat sheet I made up of what the keys are called in the various files. I got this thing nailed down now (until the actual crypto changes... then I know where to look to figure things out, but it won't be quick. It'll be quick if it's just new keys and nothing else).
 

Attachments

  • lockpick update.txt (1.2 KB)

rave420

Maybe this is the place to ask: when I run 'make' on the code found within https://git.slx.lag.tf/Slluxx/Picklock_RCM with devkitPro, I get two payloads, one called "Picklock_RCM.bin" and another called "Picklock_RCM_unc.bin". What's the difference, besides the latter being slightly larger in size (130 KB vs 106 KB) and failing to inject?
 

impeeza

Maybe this is the place to ask: when I run 'make' on the code found within https://git.slx.lag.tf/Slluxx/Picklock_RCM with devkitPro, I get two payloads, one called "Picklock_RCM.bin" and another called "Picklock_RCM_unc.bin". What's the difference, besides the latter being slightly larger in size (130 KB vs 106 KB) and failing to inject?
Unc is the uncompressed version. In order to use it as a payload, a size constraint must be fulfilled; that's why the payload is compressed. You must inject the Picklock_RCM.bin.
 

rave420

Unc is the uncompressed version. In order to use it as a payload, a size constraint must be fulfilled; that's why the payload is compressed. You must inject the Picklock_RCM.bin.

Hey, thanks for the fast reply. Is there any practical purpose for Picklock_RCM_unc.bin? Could I chainload such an uncompressed payload from, say, hekate's payload launch menu? I was vaguely aware that there is a size limit for payloads injected via the RCM exploit, but I don't know if that applies to all payloads loaded through other means as well.

Though, I am not sure why I would want to do such a thing. Is the uncompressed payload simply a build artifact, or is it there for another reason?
 
