mirror of
https://github.com/shchmue/Lockpick.git
synced 2024-11-04 22:15:07 +01:00
5.7 KiB
5.7 KiB
Lockpick
Lockpick is a ground-up C++17 rewrite of homebrew key derivation software, namely kezplez-nx. It also dumps titlekeys. This will dump all keys through *_key_05 on firmwares below 6.2.0 and through *_key_06 on 6.2.0.
Due to key generation changes introduced in 7.0.0, Lockpick is not able to dump keys ending in 07 at all. Furthermore, unfortunately the public method to dump tsec_root_key is only available on firmware 6.2.0 so 7.x consoles can only dump through keys ending in 05.
What this software does differently
- Dumps
titlekeysand SD seed - Dumps all keys through
6.2.0 - Uses the superfast
xxHashinstead ofsha256when searching exefs for keys for a ~5x speed improvement - Gets all possible keys from running process memory - this means no need to decrypt
Package2at all, let alone decompressKIPs - Gets bis keys and
header_keywithouttsec,sbk,master_key_00oraessources. Shoutout to exelix11 for using this method in SwitchThemeInjector! Homebrew devs should be doing this instead of requiring users to provide key files!
Usage
- Use Hekate v4.5+ to dump TSEC and fuses:
- Push hekate payload bin using TegraRCMSmash/TegraRCMGUI/modchip/injector
- Using the
VOLandPowerbuttons to navigate, selectConsole info... - Select
Print fuse info(notkfuse info) - Press
Powerto save fuse info to SD card - Select
Print TSEC keys - Press
Powerto save TSEC keys to SD card
- Launch CFW of choice
- Open
Homebrew Menu - Run
Lockpick - Use the resulting
/switch/prod.keysfile as needed and rename if required by any software you're using
You may instead use biskeydump and dump to SD to get all keys prior to the 6.2.0 generation - all keys up to those ending in 05. Lockpick will dump all keys up to that point regardless which firmware it's run on.
Notes
- To get keys ending in 06, you must have firmware
6.2.0installed - No one knows
package1_key_06, it's derived and erased fully within the encrypted TSEC payload. While there's a way to extricatetsec_root_keydue to the way it's used, this is unfortunately not true of thepackage1key - If for some reason you dump TSEC keys on
6.2.0and not fuses (secure_boot_key) you will still get everything except any of thepackage1or keyblob keys (withoutsecure_boot_key, you can't decrypt keyblobs and that's wherepackage1keys live)
Building
Release built with libnx v2.0.0 but still builds and runs with v1.6.0.
Uses freetype which comes with switch-portlibs via devkitPro pacman:
pacman -S libnx switch-portlibs
then run:
make
to build.
Special Thanks
- tèsnos! For making kezplez-nx, being an all-around cool and helpful person and open to my contributions, not to mention patient with my enthusiasm. kezplez taught me an absolute TON about homebrew.
- SciresM for hactool, containing to my knowledge the first public key derivation software, and for
get_titlekeys.py - roblabla for the original keys gist and for believing in our habilities
- The folks in the ReSwitched Discord server for answering my innumerable questions while researching this (and having such a useful chat backlog!)
- The memory reading code from jakibaki's sys-netcheat was super useful for getting keys out of running process memory
- The System Save dumping methodology from Adubbz' Compelled Disclosure
- Shouts out to fellow key derivers: shadowninja108 for HACGUI, Thealexbarney for Libhac, and rajkosto 👀
- misson2000 for help with
std::invoketo get the function timer working - Simon for the
eticket_rsa_kekderivation method and for suggesting invokingsplfor faster titlekey derivation - The constantly-improving docs on Switchbrew wiki and libnx
- Literally the friends I made along the way! I came to the scene late and I've still managed to meet some wonderful people :) Thanks for all the help testing, making suggestions, and cheerleading!
Licenses
AESfunctions are from mbedtls 2.13.0 licensed under GPLv2- Aarch64 assembly
sha256is from Atmosphère licensed under GPLv2 esipc code is from Tinfoil licensed under MITFatFs R0.13cis located here and is licensed under its own BSD-style license- Simple
xxHashimplementation is from stbrumme licensed under MIT - Padlock icon is from Icons8 licensed under Creative Commons Attribution-NoDerivs 3.0 Unported