Picklock RCM replaces Lockpick RCM, mocking Nintendo

The name changes but not the substance: the Lockpick RCM payload becomes Picklock RCM, allowing us once again to obtain the Switch console's encryption keys, which can then be used in other apps and emulators.


A risky choice, not least because the application has once again been uploaded to the GitHub hosting service by the developer Slluxx (alias Calvin), while the message of the last commit reads "You aint taking this down".

Picklock_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file management software such as hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.

Due to the changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. However, there are no such restrictions in the boot environment.

Usage


Note: It is highly recommended, but not mandatory, to place Minerva (shipped with the latest version of Hekate) on the SD card for best performance, especially when dumping titlekeys: the file and path are /bootloader/sys/libsys_minerva.bso.


  • Inject the payload Picklock_RCM.bin into the Switch using any payload injector.
  • Once executed, the keys are saved on the SD card as /switch/prod.keys and the title keys as /switch/title.keys.
  • This release also bundles the Atmosphère-NX Falcon keygen.

Specific keys for Mariko

Mariko consoles have several unique keys and protected key slots. To get your own SBK or Mariko unit-specific keys, you will need to use the file /switch/partialaes.keys in conjunction with a brute-forcing tool like https://files.sshnuke.net/PartialAesKeyCrack.zip .

The contents of this file are the keyslot number followed by the results of encrypting 16 null bytes with that keyslot. With the tool linked above, enter them in sequence for the slot whose contents you want, for example:

PartialAesKeyCrack.exe <num1> <num2> <num3> <num4> --numthreads=N where N is the number of threads you can brute force with.

The keyslots are as follows, with names recognized by hactool:

  • 0-11 – mariko_aes_class_key_xx (not used by the Switch console itself but set by the bootrom; hactoolnet recognizes this but doesn't need it).
  • 12 – mariko_kek (non-unique – used for master key derivation).
  • 13 – mariko_bek (non-unique – used for decryption of BCT and package1).
  • 14 – secure_boot_key (console unique – not needed for any key derivation beyond what Picklock_RCM already does, but it might be useful to have it for your own records).
  • 15 – Secure storage key (console unique – not used on retail or development consoles and not recognized by any tools).

So, if you intend to brute-force mariko_kek, open the file partialaes.keys and look at the numbers under slot 12. Here's an example with fake numbers:

12
11111111111111111111111111111111 22222222222222222222222222222222 33333333333333333333333333333333 44444444444444444444444444444444

Then take these numbers and open a command prompt window in the same directory as the executable linked above and type:

PartialAesKeyCrack.exe 11111111111111111111111111111111 22222222222222222222222222222222 33333333333333333333333333333333 44444444444444444444444444444444

If you're running a powerful enough multicore system you can add --numthreads=[any number of threads]; this may not be the best idea on, for example, an older laptop with a low-end dual-core CPU.

On a Ryzen 3900x with 24 threads this generates a lot of heat but finishes in about 45 seconds. These keys never change, so you only need to brute force once.

This works because the security engine commits writes to keyslots immediately, and keyslots can be written one 32-bit word at a time. See: https://switchbrew.org/wiki/Switch_System_Flaws#Hardware
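To make the size of that shortcut concrete, here is an added Go example (not code from Picklock_RCM or PartialAesKeyCrack) that models a keyslot written one 32-bit word at a time and recovers the key one word at a time. It assumes the three words other than the target are overwritten with zeros as the known filler, and the demo key is constructed with small word values so the search finishes instantly, where the real tool walks all 2^32 candidates per word.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
)

// encryptZeroBlock returns AES-128-ECB(key, 16 null bytes), the per-keyslot value recorded in partialaes.keys.
func encryptZeroBlock(key []byte) []byte {
	c, _ := aes.NewCipher(key) // key is always 16 bytes here
	out := make([]byte, 16)
	c.Encrypt(out, make([]byte, 16))
	return out
}

// partialOracle models a keyslot written one 32-bit word at a time: the three words other than
// idx are overwritten with zeros (assumed known filler), so only 32 secret bits affect the output.
func partialOracle(secret [16]byte, idx int) []byte {
	var partial [16]byte
	copy(partial[4*idx:4*idx+4], secret[4*idx:4*idx+4])
	return encryptZeroBlock(partial[:])
}

// recoverWord tries every candidate in [lo, hi) for word idx. The real tool
// covers all 2^32 values and splits the range across --numthreads workers.
func recoverWord(target []byte, idx int, lo, hi uint32) (uint32, bool) {
	var cand [16]byte
	for w := lo; w < hi; w++ {
		binary.BigEndian.PutUint32(cand[4*idx:], w)
		if bytes.Equal(encryptZeroBlock(cand[:]), target) {
			return w, true
		}
	}
	return 0, false
}

// recoverKey rebuilds the 128-bit key from the four partial results with one
// independent 32-bit search per word: about 4*2^32 AES calls, not 2^128.
func recoverKey(partials [4][]byte, lo, hi uint32) ([16]byte, bool) {
	var key [16]byte
	for idx := range partials {
		w, ok := recoverWord(partials[idx], idx, lo, hi)
		if !ok {
			return key, false
		}
		binary.BigEndian.PutUint32(key[4*idx:], w)
	}
	return key, true
}
```

The four independent searches are why a 24-thread CPU finishes in under a minute: each word is its own 2^32 problem rather than part of a single 2^128 one.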

Changelog

  • Works with 16.0.2.

Big thanks to AngelDavil88 for reporting.

Download: Picklock RCM v1.9.10

Download: Source code Picklock RCM v1.9.10

Source: github.com