source | ||
icon.jpg | ||
LICENSE | ||
Makefile | ||
README.md |
Lockpick
This is a ground-up C++17 rewrite of homebrew key derivation software, namely kezplez-nx. It also dumps titlekeys. This will dump all keys through *_key_05
on firmwares below 6.2.0
and through *_key_06
on 6.2.0
and above.
What this software does differently
- Dumps
titlekeys
- Dumps
6.2.0
keys - Uses the superfast
xxHash
instead ofsha256
when searching exefs for keys for a ~5x speed improvement - Gets all possible keys from running process memory - this means no need to decrypt
Package2
at all, let alone decompressKIP
s - Gets
header_key
withouttsec
,sbk
,master_key_00
oraes
sources - which may or may not be the same wayChoiDujourNX
does it 👀 (and I'm gonna issue a challenge to homebrew title installers to implement similar code so you don't need your users to use separate software like this 😜 it's up to you to figure out if the same can be done forkey_area_keys
if needed)
Usage
- Use Hekate v4.5+ to dump TSEC and fuses:
- Push hekate payload bin using TegraRCMSmash/TegraRCMGUI/modchip/injector
- Using the
VOL
andPower
buttons to navigate, selectConsole info...
- Select
Print fuse info
- Press
Power
to save fuse info to SD card - Select
Print TSEC keys
- Press
Power
to save TSEC keys to SD card
- Launch CFW of choice
- Open
Homebrew Menu
- Run
Lockpick
- Use the resulting
prod.keys
file as needed and rename if required
You may instead use biskeydump and dump to SD to get all keys prior to the 6.2.0 generation - all keys up to those ending in 05. This will dump all keys up to that point regardless which firmware it's run on.
Notes
- To get keys ending in 06, you must have firmware
6.2.0
installed - No one knows
package1_key_06
, it's derived and erased fully within the encrypted TSEC payload. While there's a way to extricatetsec_root_key
due to the way it's used, this is unfortunately not true of thepackage1
key - If for some reason you dump TSEC keys on
6.2.0
and not fuses (secure_boot_key
) you will still get everything except any of thepackage1
or keyblob keys (withoutsecure_boot_key
, you can't decrypt keyblobs and that's wherepackage1
keys live)
Building
Release built with libnx v1.6.0
.
Uses freetype
which comes with switch-portlibs
via devkitPro pacman
:
pacman -S libnx switch-portlibs
then run:
make
to build.
Special Thanks
- tèsnos! For making kezplez-nx, being an all-around cool and helpful person and open to my contributions, not to mention patient with my enthusiasm. kezplez taught me an absolute TON about homebrew.
- SciresM for hactool, containing to my knowledge the first public key derivation software, and for
get_titlekeys.py
- roblabla for the original keys gist and for believing in our habilities
- The folks in the ReSwitched Discord server for answering my innumerable questions while researching this (and having such a useful chat backlog!)
- The memory reading code from jakibaki's sys-netcheat was super useful for getting keys out of running process memory
- The System Save dumping methodology from Adubbz' Compelled Disclosure
- Shouts out to fellow key derivers: shadowninja108 for HACGUI, Thealexbarney for Libhac, and rajkosto 👀
- The constantly-improving docs on Switchbrew wiki and libnx
- misson2000 for help with
std::invoke
to get the function timer working - Literally the friends I made along the way! I came to the scene late and I've still managed to meet some wonderful people :) Thanks for all the help testing, making suggestions, and cheerleading!
Licenses
AES
functions are from mbedtls licensed under GPLv2)creport_debug_types
and fastsha256
implementation are from Atmosphère licensed under GPLv2- Simple
xxHash
implementation is from stbrumme licensed under MIT - Padlock icon is from Icons8 licensed under Creative Commons Attribution-NoDerivs 3.0 Unported