Lockpick Switch

From GameBrew
Latest revision as of 12:56, 4 June 2024

Lockpick

General
Author: shchmue
Type: Utilities
Version: 1.2.6
License: GPL-2.0
Last Updated: 2019/09/19

Links
Website: https://gbatemp.net/threads/lockpick-switch-key-derivation-homebrew.525575/
Source: https://github.com/shchmue/Lockpick

Lockpick is a ground-up C++17 rewrite of homebrew key derivation software, namely kezplez-nx. It also dumps titlekeys. This will dump all keys through *_key_05 on firmwares below 6.2.0 and through *_key_06 on 6.2.0.

It was showcased in the GBAtemp Switch Homebrew Bounty 2018 (Switch application).

Note: Due to changes in firmware 7.0.0, dumping the new keys from homebrew is infeasible. Use the RCM payload that can dump the new keys instead, Lockpick RCM.

Features

  • Dumps titlekeys and SD seed.
  • Dumps all keys through the 6.2.0 key generation (*_key_06).
  • Uses the superfast xxHash instead of sha256 when searching exefs for keys for a ~5x speed improvement.
  • Gets all possible keys from running process memory - this means no need to decrypt Package2 at all, let alone decompress KIPs.
  • Gets bis keys and header_key without tsec, sbk, master_key_00 or aes sources. Shoutout to exelix11 for using this method in SwitchThemeInjector. Homebrew devs should be doing this instead of requiring users to provide key files.
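The Features list describes finding keys by hashing candidate windows of process memory or an exefs. The following Python sketch is an added example, not Lockpick's own code, of that technique: the tool embeds only hashes of the keys it is looking for, slides a 16-byte window across the image and keeps the windows whose hash matches. Lockpick uses xxHash for speed; SHA-256 from the standard library stands in here. The two key values, their names, the offsets and the memory image are all constructed for this example.

```python
"""Hash-matched key search over a memory image.

Added example, not Lockpick's own code. A key derivation tool ships only
hashes of the keys it wants, slides a 16-byte window across process memory
or an exefs and keeps the windows whose hash matches. Lockpick uses xxHash;
SHA-256 from the standard library stands in here. The key values, their
names and the memory image are all constructed for this example.
"""
import hashlib
from typing import Dict, Tuple

KEY_LEN = 16

# Constructed 16-byte stand-ins; these are not real Switch key sources.
EXAMPLE_KEYS: Dict[str, bytes] = {
    "example_key_source_a": bytes.fromhex("0123456789abcdef0123456789abcdef"),
    "example_key_source_b": bytes.fromhex("fedcba9876543210fedcba9876543210"),
}

# What a real tool embeds: name -> hash of the key, never the key itself.
KNOWN_HASHES: Dict[str, str] = {
    name: hashlib.sha256(key).hexdigest() for name, key in EXAMPLE_KEYS.items()
}


def build_image(keys: Dict[str, bytes], offsets: Dict[str, int], size: int = 4096) -> bytes:
    """Construct a fake memory image: a byte ramp with the keys written at the given offsets."""
    image = bytearray(i & 0xFF for i in range(size))
    for name, off in offsets.items():
        image[off:off + KEY_LEN] = keys[name]
    return bytes(image)


def find_keys(image: bytes, known: Dict[str, str], stride: int = 1) -> Dict[str, Tuple[int, bytes]]:
    """Single pass over image; return name -> (offset, key bytes) for every hash hit.

    stride=1 assumes nothing about alignment. A larger stride (e.g. 16 when the
    keys are known to be aligned) is where a real speed-up comes from.
    """
    wanted = {digest: name for name, digest in known.items()}
    found: Dict[str, Tuple[int, bytes]] = {}
    for off in range(0, len(image) - KEY_LEN + 1, stride):
        window = image[off:off + KEY_LEN]
        name = wanted.get(hashlib.sha256(window).hexdigest())
        if name is not None and name not in found:
            found[name] = (off, bytes(window))
            if len(found) == len(wanted):
                break  # everything located; no need to rescan from the start
    return found


if __name__ == "__main__":
    offsets = {"example_key_source_a": 0x100, "example_key_source_b": 0x800}
    image = build_image(EXAMPLE_KEYS, offsets)
    for name, (off, key) in sorted(find_keys(image, KNOWN_HASHES).items()):
        print(f"{name} found at 0x{off:x}: {key.hex()}")
```

The single pass that collects every match before stopping is the point of the v1.2 changelog entry about hashing FS once instead of restarting from the beginning for each key; the per-window hash cost is why a fast non-cryptographic hash such as xxHash is the better fit than SHA-256 for this job.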

User guide

  • Use Hekate v4.5+ to dump TSEC and fuses:
    • Push hekate payload bin using TegraRCMSmash/TegraRCMGUI/modchip/injector.
    • Using the VOL and Power buttons to navigate, select Console info...
    • Select Print fuse info (not kfuse info).
    • Press Power to save fuse info to SD card.
    • Select Print TSEC keys.
    • Press Power to save TSEC keys to SD card.
  • Launch CFW of choice.
  • Open Homebrew Menu.
  • Run Lockpick.
  • Use the resulting /switch/prod.keys file as needed and rename if required by any software you're using.

You may instead use biskeydump and dump to SD to get all keys prior to the 6.2.0 generation - all keys up to those ending in 05. Lockpick will dump all keys up to that point regardless which firmware it's run on.

Notes

  • To get keys ending in 06, you must have firmware 6.2.0 installed.
  • No one knows package1_key_06: it is derived and erased entirely within the encrypted TSEC payload. There is a way to extract tsec_root_key because of how it is used, but that is unfortunately not true of the package1 key.
  • If for some reason you dump TSEC keys on 6.2.0 but not fuses (secure_boot_key), you will still get everything except the package1 and keyblob keys: without secure_boot_key you cannot decrypt the keyblobs, and that is where the package1 keys live.
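The user guide ends with a /switch/prod.keys file, and the Notes describe which keys may legitimately be missing from it. The following Python checker is an added example, not part of Lockpick: it parses such a file and reports the conditions the Notes and changelog describe (highest key generation present, gaps in the generations, a missing secure_boot_key, the unrecoverable package1_key_06, and a file that already holds master_key_07 or later and should not be overwritten). It assumes the hactool-style text format Lockpick writes (one `name = hex` pair per line, `#` starting a comment); the key file embedded below is constructed with placeholder values and is not a real dump.

```python
"""Sanity-check a prod.keys file from a Switch key dumper.

Added example; not part of Lockpick. Assumes the hactool-style text format
Lockpick writes to /switch/prod.keys: one "name = hex" pair per line, '#'
starts a comment. SAMPLE_KEYFILE is constructed with placeholder values for
this example and is not a real key dump.
"""
import re
from typing import Dict, List

LINE_RE = re.compile(r"^([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)$")

# Constructed sample: generations 00..05 present, no fuse-derived keys.
SAMPLE_KEYFILE = """\
# constructed sample, placeholder values
header_key      = a0a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebf
master_key_00   = 000102030405060708090a0b0c0d0e0f
master_key_01   = 101112131415161718191a1b1c1d1e1f
master_key_02   = 202122232425262728292a2b2c2d2e2f
master_key_03   = 303132333435363738393a3b3c3d3e3f
master_key_04   = 404142434445464748494a4b4c4d4e4f
master_key_05   = 505152535455565758595a5b5c5d5e5f
eticket_rsa_kek = e0e1e2e3e4e5e6e7e8e9eaebecedeeef
"""


def parse_keys(text: str) -> Dict[str, bytes]:
    """Parse 'name = hex' lines into a dict; reject malformed or duplicate entries."""
    keys: Dict[str, bytes] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: expected 'name = hex', got {raw!r}")
        name, hexval = m.group(1), m.group(2)
        if len(hexval) % 2:
            raise ValueError(f"line {lineno}: odd-length hex value for {name}")
        if name in keys:
            raise ValueError(f"line {lineno}: duplicate entry for {name}")
        keys[name] = bytes.fromhex(hexval)
    return keys


def highest_generation(keys: Dict[str, bytes], prefix: str = "master_key_") -> int:
    """Highest NN among master_key_NN entries, or -1 if there are none."""
    gens = [int(n[len(prefix):]) for n in keys if n.startswith(prefix) and n[len(prefix):].isdigit()]
    return max(gens, default=-1)


def audit(keys: Dict[str, bytes]) -> List[str]:
    """Return findings about what the dump contains and what it cannot contain."""
    findings: List[str] = []
    gen = highest_generation(keys)
    if gen < 0:
        return ["no master_key_NN entries found"]
    findings.append(f"highest master key generation: {gen:02d}")

    missing = [f"master_key_{i:02d}" for i in range(gen + 1) if f"master_key_{i:02d}" not in keys]
    if missing:
        findings.append("generation gap, missing: " + ", ".join(missing))

    for name, value in keys.items():
        # AES-128 keys are 16 bytes; header_key is an AES-XTS key pair, 32 bytes.
        expected = 32 if name == "header_key" else 16
        if name.startswith(("master_key_", "header_key")) and len(value) != expected:
            findings.append(f"{name}: {len(value)} bytes, expected {expected}")

    # Without the fuse dump there is no secure_boot_key, so the keyblobs cannot be
    # decrypted and no keyblob_key_NN / package1_key_NN can appear in the file.
    if "secure_boot_key" not in keys:
        findings.append("secure_boot_key absent: keyblob_key_NN and package1_key_NN cannot be present")
    if gen >= 6 and "package1_key_06" not in keys:
        findings.append("package1_key_06 absent: expected, it is not recoverable from homebrew")
    # A file holding master_key_07 or later came from a newer dumper; keep it.
    if gen >= 7:
        findings.append(f"master_key_{gen:02d} present: keep this file, do not overwrite it with an older dump")
    return findings


if __name__ == "__main__":
    for line in audit(parse_keys(SAMPLE_KEYFILE)):
        print(line)
```

Run it against the real /switch/prod.keys before handing the file to other software: a generation gap or a wrong key length usually means a truncated or hand-edited file, while the secure_boot_key finding tells you the fuse dump step from the user guide was skipped rather than that the tool failed.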


Compatibility

Support up to FW 6.2.0.

Changelog

v1.2.6 2019/09/11

  • Fix bis key generation on newer hardware.

v1.2.5 2019/07/10

  • Support Hekate v5 fuse dump format.
  • Make names consistent with libnx v2.2.0.
  • Adjust text alignment and coloring in Lockpick_RCM note.

v1.2.4 2019/06/17

  • Support new emunand FS memory layout.
  • No longer save header_key if empty.

v1.2.3 2019/04/16

  • Remove mbedtls dependency in favor of new libnx crypto library.
  • Remove libnx 1.6.0 support since crypto requires later commit.
  • Skip contradictory messaging if skipping keyfile save.

v1.2.2 2019/03/06

  • Do not overwrite existing keyfile that contains master_key_07.
  • Read eticket_rsa_kek from existing keyfile in case user is only running this for titlekeys.
  • Create /switch folder if needed.

v1.2.1 2019/02/26

  • Generate bis keys without master keys.
  • Update file size check to support Hekate v4.8 TSEC dump.
  • Fixed prod.keys alphabetization error.
  • Fixed build warning for ff.c.
  • Added in-app disclaimer about which keys can be dumped.

v1.2 2019/01/05

  • Update for libnx v2.0.0 compatibility and still runs when built with v1.6.0.
    • The binary got even smaller.
  • Accelerate finding FS keys.
    • No longer find BIS sources as they're hardcoded (whoops).
    • Find all keys on first pass hashing FS instead of hashing the whole thing from the beginning repeatedly (whoops).

v1.1.1 2019/01/01

  • Prevent from trying to dump SD seed and ES keys on 1.0.0 as they're not available until 2.0.0.

v1.1 2018/12/29

  • Changed titlekey dump methodology.
    • No longer crashes sysmodule, reboot no longer needed.
    • Queries ES to verify ticket list is accurate.
    • May take slightly longer than before on systems with hundreds of tickets.
  • Now dumps SD seed.
  • Reorganized and clarified UI text.
    • Now indicates if no titles are installed to dump titlekeys from.
  • Swapped C++ stream functions for C I/O to reclaim some speed and binary size.
  • Tightened up dependencies.

v1.0 2018/12/08

  • Initial release.
  • It's here. See readme for instructions. Huge shoutout to everyone who got the 6.2.0 CFW fixes out.

Credits

Special Thanks:

  • tèsnos! For making kezplez-nx, being an all-around cool and helpful person and open to my contributions, not to mention patient with my enthusiasm. kezplez taught me an absolute TON about homebrew.
  • SciresM for hactool, containing to my knowledge the first public key derivation software, and for get_titlekeys.py.
  • roblabla for the original keys gist and for believing in our abilities.
  • The folks in the ReSwitched Discord server for answering my innumerable questions while researching this (and having such a useful chat backlog!).
  • The memory reading code from jakibaki's sys-netcheat was super useful for getting keys out of running process memory.
  • The System Save dumping methodology from Adubbz' Compelled Disclosure.
  • Shouts out to fellow key derivers: shadowninja108 for HACGUI, Thealexbarney for Libhac, and rajkosto.
  • misson2000 for help with std::invoke to get the function timer working.
  • Simon for the eticket_rsa_kek derivation method and for suggesting invoking spl for faster titlekey derivation.
  • SciresM for the libnx aes library.
  • The constantly-improving docs on Switchbrew wiki and libnx.
  • Literally the friends I made along the way! I came to the scene late and I've still managed to meet some wonderful people :) Thanks for all the help testing, making suggestions, and cheerleading.

Licenses:

  • es ipc code is from Tinfoil (https://github.com/Adubbz/Tinfoil), licensed under MIT.
  • FatFs R0.13c is included in the source tree and is licensed under its own BSD-style license (https://github.com/shchmue/Lockpick/blob/master/source/fatfs/LICENSE.txt).
  • Simple xxHash implementation is from stbrumme (https://github.com/stbrumme/xxhash), licensed under MIT.
  • Padlock icon is from Icons8 (https://icons8.com/), licensed under Creative Commons Attribution-NoDerivs 3.0 Unported.

External links

  • GBAtemp - https://gbatemp.net/threads/lockpick-switch-key-derivation-homebrew.525575/
  • GitHub - https://github.com/shchmue/Lockpick