Lockpick_RCM is a bare-metal Nintendo Switch payload that extracts encryption keys for use in file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc., all without booting into Horizon OS. 🚀
⚠️ Note : Due to changes in firmware 7.0.0 and beyond, the Lockpick homebrew can no longer derive the latest keys. However, this limitation doesn't apply in the boot-time environment, allowing Lockpick_RCM to function properly.
- 🗄️ Recommended : Place Minerva on your SD card for optimal performance, especially when dumping titlekeys. You can get it from the latest Hekate release. Place the file at :
/bootloader/sys/libsys_minerva.bso - 🎮 Launch
Lockpick_RCM.binusing your preferred payload injector or chainloader. - 💾 Keys will be saved to:
/switch/prod.keys/switch/title.keyson your SD card.
This release also includes the Falcon keygen from Atmosphère-NX.
Mariko consoles (Switch V2 and Switch Lite) contain unique keys and protected keyslots. To extract these keys, you will need to use the /switch/partialaes.keys file along with a brute-forcing tool like PartialAesKeyCrack. The process involves :
- Open
partialaes.keysand observe the keyslot data. - Use the following command format :
Replace
PartialAesKeyCrack.exe <num1> <num2> <num3> <num4> --numthreads=[N][N]with the number of threads to utilize (not exceeding your CPU's core count).
| Keyslot | Name | Notes |
|---|---|---|
| 0-11 | mariko_aes_class_key_xx |
Not used by the Switch (set by bootrom) |
| 12 | mariko_kek |
Used for master key derivation |
| 13 | mariko_bek |
Used for BCT and package1 decryption |
| 14 | secure_boot_key |
Console unique (for personal records) |
| 15 | Secure storage key | Console unique (not used on retail/dev units) |
Example:
12
11111111111111111111111111111111 22222222222222222222222222222222 33333333333333333333333333333333 44444444444444444444444444444444
To brute force mariko_kek, run :
PartialAesKeyCrack.exe 11111111111111111111111111111111 22222222222222222222222222222222 33333333333333333333333333333333 44444444444444444444444444444444 --numthreads=12
💡 On a high-performance CPU like the Ryzen 3900x, this process takes about 45 seconds using 24 threads.
🔗 For more details on the hardware flaw utilized : Switch System Flaws - Hardware
- Install devkitARM.
- Run :
make
This project owes a lot to Hekate, and special thanks go to CTCaer for his valuable advice, expertise, and humor throughout the development process. 🎉
Lockpick_RCM is licensed under the GPLv2. The save processing module is adapted from hactool, licensed under ISC.
This repository is a clone of the DMCA'd Lockpick_RCM by shchmue. The modifications here are based on the source code shared on the ReSwitched Discord server.