Lockpick Switch: Difference between revisions

From GameBrew
(Created page with "{{Infobox Switch Homebrews |title=Lockpick |image=lockpickswitch.png |description=Nintendo Switch encryption key derivation homebrew. |author=shchmue |lastupdated=2019/09/19 |type=Utilities |version=1.2.6 |license=GPL-2.0 |download=https://dlhb.gamebrew.org/switchhomebrews/lockpickswitch.7z |website=https://gbatemp.net/threads/lockpick-switch-key-derivation-homebrew.525575/ |source=https://github.com/shchmue/Lockpick |donation= }} {{#seo: |title=Switch Homebrew Apps (Ut...")
 
No edit summary
{{Infobox Switch Homebrews
|title=Lockpick
|image=lockpicknx.png
|description=Nintendo Switch encryption key derivation homebrew.
|author=shchmue
|lastupdated=2019/09/19
|type=Utilities
|version=1.2.6
|license=GPL-2.0
|download=https://dlhb.gamebrew.org/switchhomebrews/lockpicknx.7z
|website=https://gbatemp.net/threads/lockpick-switch-key-derivation-homebrew.525575/
|source=https://github.com/shchmue/Lockpick
|donation=
}}
{{obsolete}}
Lockpick is a ground-up C++17 rewrite of homebrew key derivation software, namely [[Kezplez-NX Switch|kezplez-nx]]. It also dumps titlekeys. It will dump all keys through <code>*_key_05</code> on firmwares below <code>6.2.0</code> and through <code>*_key_06</code> on <code>6.2.0</code>.

'''Note:''' Due to changes in firmware 7.0.0, dumping the new keys from homebrew is infeasible. Check out the RCM payload that can dump the new keys, [[Lockpick_RCM Switch|Lockpick RCM]].

==Features==
*Dumps <code>titlekeys</code> and SD seed.
*Dumps all keys through <code>6.2.0</code>.
*Uses the superfast <code>xxHash</code> instead of <code>sha256</code> when searching exefs for keys, for a ~5x speed improvement.
*Gets all possible keys from running process memory - this means there is no need to decrypt <code>Package2</code> at all, let alone decompress <code>KIPs</code>.
*Gets bis keys and <code>header_key</code> without <code>tsec</code>, <code>sbk</code>, <code>master_key_00</code> or <code>aes</code> sources. Shoutout to exelix11 for using this method in [[Switch Theme Injector|SwitchThemeInjector]]. Homebrew devs should be doing this instead of requiring users to provide key files.


==User guide==
*Use Hekate v4.5+ to dump TSEC and fuses:
**Push hekate payload bin using [[TegraRcmSmash Switch|TegraRCMSmash]]/[[TegraRcmGUI Switch|TegraRCMGUI]]/modchip/injector.
**Using the VOL and Power buttons to navigate, select <code>Console info...</code>
**Select <code>Print fuse info</code> (not <code>kfuse info</code>).
**Press Power to save fuse info to SD card.
**Select <code>Print TSEC keys</code>.
**Press Power to save TSEC keys to SD card.
*Launch CFW of choice.
*Open Homebrew Menu.
*Run Lockpick.
*Use the resulting <code>/switch/prod.keys</code> file as needed and rename if required by any software you're using.
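As an added example (not Lockpick's own code), here is a small Python reader and writer for the <code>/switch/prod.keys</code> file produced above: it validates each entry, reports the highest master key generation present, applies the "do not overwrite a keyfile that already contains <code>master_key_07</code>" rule from the changelog, and writes entries back in alphabetical order. The sample keyfile is constructed with placeholder values, and the <code>name = hex</code> line format is assumed from hactool-style keysets.

```python
import re
from typing import Dict, Optional

# Constructed sample in the "name = hex" keyfile format (placeholder values,
# not real keys): the layout of the /switch/prod.keys file Lockpick writes.
SAMPLE_PROD_KEYS = """\
header_key = 00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
master_key_00 = 00000000000000000000000000000000
master_key_05 = 05050505050505050505050505050505
eticket_rsa_kek = 0e0e0e0e0e0e0e0e0e0e0e0e0e0e0e0e
# blank lines and comments are ignored

titlekek_05 = 55555555555555555555555555555555
"""

ENTRY_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*([0-9A-Fa-f]+)\s*$")
MASTER_RE = re.compile(r"master_key_([0-9a-f]{2})$")


def parse_keyfile(text: str) -> Dict[str, bytes]:
    """Parse a keyfile into name -> raw bytes; AES keys are 16 or 32 bytes."""
    keys: Dict[str, bytes] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'name = hex' entry")
        name, hexval = m.groups()
        if len(hexval) not in (32, 64):
            raise ValueError(f"line {lineno}: {name} has {len(hexval)} hex digits")
        keys[name] = bytes.fromhex(hexval)
    return keys

def highest_master_key_generation(keys: Dict[str, bytes]) -> Optional[int]:
    """Highest NN among master_key_NN entries (hex index), or None if absent."""
    gens = [int(m.group(1), 16) for n in keys if (m := MASTER_RE.fullmatch(n))]
    return max(gens) if gens else None

def should_overwrite(existing: Dict[str, bytes]) -> bool:
    """Lockpick v1.2.2 rule: never clobber a keyfile that already holds
    master_key_07, which is newer than anything this tool can derive."""
    return "master_key_07" not in existing

def format_keyfile(keys: Dict[str, bytes]) -> str:
    """Serialise entries alphabetically, the order Lockpick uses for prod.keys."""
    return "".join(f"{n} = {keys[n].hex()}\n" for n in sorted(keys))
```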


You may instead use [https://github.com/rajkosto/biskeydump biskeydump] and dump to SD to get all keys prior to the 6.2.0 generation - all keys up to those ending in 05. Lockpick will dump all keys up to that point regardless of which firmware it's run on.


===Notes===
*To get keys ending in 06, you must have firmware 6.2.0 installed.
*No one knows <code>package1_key_06</code>: it is derived and erased entirely within the encrypted TSEC payload. While there is a way to extract <code>tsec_root_key</code> because of the way it is used, the same is unfortunately not true of the <code>package1</code> key.
*If for some reason you dump TSEC keys on 6.2.0 but not fuses (<code>secure_boot_key</code>), you will still get everything except the <code>package1</code> and keyblob keys (without <code>secure_boot_key</code> you cannot decrypt the keyblobs, and that is where the <code>package1</code> keys live).


==Screenshots==
https://dlhb.gamebrew.org/switchhomebrews/lockpicknx.png
https://dlhb.gamebrew.org/switchhomebrews/lockpicknx2.png


==Changelog==
'''v1.2.6 2019/09/11'''
*Fix bis key generation on newer hardware.
'''v1.2.5 2019/07/10'''
*Support Hekate v5 fuse dump format.
*Make names consistent with libnx v2.2.0.
*Adjust text alignment and coloring in Lockpick_RCM note.
'''v1.2.4 2019/06/17'''
*Support new emunand FS memory layout.
*No longer save header_key if empty.
'''v1.2.3 2019/04/16'''
*Remove mbedtls dependency in favor of new libnx crypto library.
*Remove libnx 1.6.0 support since crypto requires later commit.
*Skip contradictory messaging if skipping keyfile save.
'''v1.2.2 2019/03/06'''
*Do not overwrite existing keyfile that contains master_key_07.
*Read eticket_rsa_kek from existing keyfile in case user is only running this for titlekeys.
*Create /switch folder if needed.
'''v1.2.1 2019/02/26'''
*Generate bis keys without master keys.
*Update file size check to support Hekate v4.8 TSEC dump.
*Fixed prod.keys alphabetization error.
*Fixed build warning for ff.c.
*Added in-app disclaimer about which keys can be dumped.
'''v1.2 2019/01/05'''
*Update for libnx v2.0.0 compatibility and still runs when built with v1.6.0.
**The binary got even smaller.
*Accelerate finding FS keys.
**No longer find BIS sources as they're hardcoded (whoops).
**Find all keys on first pass hashing FS instead of hashing the whole thing from the beginning repeatedly (whoops).
'''v1.1.1 2019/01/01'''
*Prevent from trying to dump SD seed and ES keys on 1.0.0 as they're not available until 2.0.0.
'''v1.1 2018/12/29'''
*Changed titlekey dump methodology.
**No longer crashes sysmodule, reboot no longer needed.
**Queries ES to verify ticket list is accurate.
**May take slightly longer than before on systems with hundreds of tickets.
*Now dumps SD seed.
*Reorganized and clarified UI text.
**Now indicates if no titles are installed to dump titlekeys from.
*Swapped C++ stream functions for C I/O to reclaim some speed and binary size.
*Tightened up dependencies.
'''v1.0 2018/12/08'''
*Initial release.
*It's here. See readme for instructions. Huge shoutout to everyone who got the 6.2.0 CFW fixes out.
 
==Credits==
Special Thanks:
*tèsnos! For making [https://github.com/tesnos/kezplez-nx kezplez-nx], being an all-around cool and helpful person and open to my contributions, not to mention patient with my enthusiasm. kezplez taught me an absolute TON about homebrew.
*SciresM for [https://github.com/SciresM/hactool hactool], containing to my knowledge the first public key derivation software, and for <code>get_titlekeys.py</code>.
*roblabla for the original keys [https://gist.github.com/roblabla/d8358ab058bbe3b00614740dcba4f208 gist] and for believing in our abilities.
*The folks in the [https://reswitched.team/ ReSwitched] Discord server for answering my innumerable questions while researching this (and having such a useful chat backlog!).
*The memory reading code from jakibaki's [https://github.com/jakibaki/sys-netcheat sys-netcheat] was super useful for getting keys out of running process memory.
*The System Save dumping methodology from Adubbz' [https://github.com/Adubbz/Compelled-Disclosure Compelled Disclosure].
*Shouts out to fellow key derivers: shadowninja108 for [https://github.com/shadowninja108/HACGUI HACGUI], Thealexbarney for [https://github.com/Thealexbarney/LibHac Libhac], and [https://github.com/rajkosto/ rajkosto].
*[https://github.com/misson20000 misson20000] for help with <code>std::invoke</code> to get the function timer working.
*[https://github.com/simontime Simon] for the <code>eticket_rsa_kek</code> derivation method and for suggesting invoking <code>spl</code> for faster titlekey derivation.
*[https://github.com/SciresM SciresM] for the libnx aes library.
*The constantly-improving docs on [https://switchbrew.org/wiki/ Switchbrew wiki] and [https://switchbrew.github.io/libnx/files.html libnx].
*Literally the friends I made along the way! I came to the scene late and I've still managed to meet some wonderful people :) Thanks for all the help testing, making suggestions, and cheerleading.
 
Licenses:
*<code>es</code> ipc code is from [https://github.com/Adubbz/Tinfoil Tinfoil] licensed under [https://github.com/Adubbz/Tinfoil/blob/master/LICENSE MIT].
*<code>FatFs R0.13c</code> is located here and is licensed under its own [https://github.com/shchmue/Lockpick/blob/master/source/fatfs/LICENSE.txt BSD-style license].
*Simple <code>xxHash</code> implementation is from [https://github.com/stbrumme/xxhash stbrumme] licensed under [https://github.com/stbrumme/xxhash/blob/master/LICENSE MIT].
*Padlock icon is from [https://icons8.com/ Icons8] licensed under [https://creativecommons.org/licenses/by-nd/3.0/ Creative Commons Attribution-NoDerivs 3.0 Unported].


== External links ==
* GitHub - https://github.com/shchmue/Lockpick
* GBAtemp - https://gbatemp.net/threads/lockpick-switch-key-derivation-homebrew.525575/

Revision as of 06:52, 29 April 2023
