
5 files

  1. Lockpick_RCM

    Lockpick_RCM is a bare metal Nintendo Switch payload that derives encryption keys for use in Switch file handling software like hactool, hactoolnet/LibHac, ChoiDujour, etc. without booting Horizon OS.
    Due to changes imposed by firmware 7.0.0, Lockpick homebrew can no longer derive the latest keys. In the boot-time environment however, there is no such limitation.
    Usage
    It is highly recommended, but not required, to place Minerva on SD from the latest Hekate for best performance, especially while dumping titlekeys - the file and path is /bootloader/sys/libsys_minerva.bso
    Launch Lockpick_RCM.bin using your favorite payload injector or chainloader
    Upon completion, keys will be saved to /switch/prod.keys and titlekeys to /switch/title.keys on SD
    This release bundles the Falcon keygen from Atmosphère-NX
    Mariko-Specific Keys
    Mariko consoles have several unique keys and protected keyslots. To get your SBK or the Mariko specific keys, you will need to use the /switch/partialaes.keys file along with a brute forcing tool such as https://files.sshnuke.net/PartialAesKeyCrack.zip. The contents of this file are the keyslot number followed by the result of that keyslot encrypting 16 null bytes. With the tool linked above, enter them in sequence for a given keyslot you want the contents of, for example: PartialAesKeyCrack.exe <num1> <num2> <num3> <num4> with the --numthreads=N where N is the number of threads you can dedicate to the brute force.
    The keyslots are as follows, with names recognized by hactool:
    0-11 - mariko_aes_class_key_xx (this is not used by the Switch but is set by the bootrom; hactoolnet recognizes it but it serves no purpose)
    12 - mariko_kek (not unique - this is used for master key derivation)
    13 - mariko_bek (not unique - this is used for BCT and package1 decryption)
    14 - secure_boot_key (console unique - this isn't needed for further key derivation than what Lockpick_RCM does but might be nice to have for your records)
    15 - Secure storage key (console unique - this is not used on retail or dev consoles and not recognized by any tools)
    So if you want to brute force the mariko_kek, open your partialaes.keys and observe the numbers beneath keyslot 12. Here's an example with fake numbers:
    12
    11111111111111111111111111111111
    22222222222222222222222222222222
    33333333333333333333333333333333
    44444444444444444444444444444444
    Then take those numbers and open a command prompt window at the location of the exe linked above and type:
    PartialAesKeyCrack.exe 11111111111111111111111111111111 22222222222222222222222222222222 33333333333333333333333333333333 44444444444444444444444444444444
    and if you're on a powerful enough multicore system, add --numthreads=[whatever number of threads], ideally not your system's maximum if it's, for example, an older laptop with a low-end dual core CPU. On a Ryzen 3900x with 24 threads this generates a lot of heat but finishes in about 45 seconds.
    These keys never change so a brute force need only be conducted once.
    This works due to the security engine immediately flushing writes to keyslots which can be written one 32-bit chunk at a time. See: https://switchbrew.org/wiki/Switch_System_Flaws#Hardware
    Building
    Install devkitARM and run make.
    Massive Thanks to CTCaer!
    This software is heavily based on Hekate. Beyond that, CTCaer was exceptionally helpful in the development of this project, lending loads of advice, expertise, and humor.
    License
    This project is under the GPLv2 license. The Save processing module is adapted from hactool code under ISC.

    32 downloads

       (0 reviews)

    0 comments

    Submitted

  2. Retrohacked Tinfoil Theme - OLED Edition

    Extract to /Switch/tinfoil/themes, boot tinfoil and select the theme from options.

    Enjoy!
     

    37 downloads

       (0 reviews)

    0 comments

    Updated

  3. Retrohacked Switch Theme - OLED Edition

    Copy to the themes folder on your sd card

    27 downloads

       (0 reviews)

    0 comments

    Updated

  4. UDPIH Payload

    UDPIH Payload to boot WiiU Recovery

    8 downloads

       (0 reviews)

    0 comments

    Submitted

  5. GUI for NSP Forwarder tool

    New Version (v0.12 Beta) 4th Oct 2021 - See Changelog For Updates - AIO Version Includes All files from @mpham & @Meliodas2255 Massive Thanks to @shadow256 for Updates




    I've added an option to skip image conversion. You WILL need to provide the Icon file as a 256 x 256 Pixel JPG and, if you use it, the Logo file must be a 160 x 40 Pixel PNG.
    NOTE!! You MUST tick the Disable Image Conversion option BEFORE choosing your image files

    GUI for the NSP Forwarder Tool for 12+ that @mpham posted. I'm not the best at programming so this is done with AutoIT. I've attached a Compiled exe version and the Script to compile it yourself.

    Important: you WILL need the prod.keys file generated by Lockpick_RCM.

    15th Sept 2021 - Big thank you to @shadow256 for continuing to update this in my absence. I've got some ongoing health issues which have meant I'm not able to get on the PC as much as I'd like. I've just put together an updated v0.10b AIO version from the script (AU3) posted by @shadow256. I've only had time to do a quick test but it seems to be working well.

    Features
    Build NSP Forwarders for NRO and RetroArch ROMs
    Accepts PNG, JPG/JPEG, BMP, GIF and TIF Images for the Icon and Logo
    Automatically Resizes and Converts Icon and Logo to the correct dimensions (The Icon should be at least roughly square and the Logo should be wider than tall to look acceptable) but any will work
    Allows prod.keys to be located anywhere
    Generates a Random TitleID or can be entered manually
    Change Log



    0.1
      First Release
    0.2
      Fixed Random Key generation
      Added error checks that Name, Author and Icon Path have been entered
    0.3
      Switched from creating a batch file and running it to running the commands directly
      Fixed missing prod.key custom path options
    0.4
      Cleaning up after creating the forwarder, Restores NintendoLogo.png to default, Create new blank versions of nextArgv and nextNroPath
      Delete nacbrewpack_backup Directory
      Delete icon_AmericanEnglish.dat
      Delete TempIcon and TempLogo
    0.5
      Added Image conversion to the correct format and resolution
      Tidy up menu alignment
    0.6
      Added error checks on Path Lengths above 256 Characters long to Icon, Logo and Prod.key browse dialogs
      Added error check that Icon and Logo images are converted correctly
      Added option to open Icon and Logo in MSPaint as a sanity check, also adds the suggestion to save out as a png, MSPaint seems to be less fussy over file types than the functions built into AutoIt
      Added changelog & known issues to Script
    0.6_Diagnose
      Copy TempIcon, TempLogo, icon_AmericanEnglish.dat, NintendoLogo and creates a txt file with the command string passed to hactool in out.txt
    0.7
      Disabled Diagnose Routine in standard, see notes in script to enable
      Error in TitleID generation (hopefully fixed) TitleID will now start 02-09 then random and end 2000, this should fix NSP generation
      Thank you @duckbill007 for pointing out my error
    0.8 Beta
      Reorganize GUI to be More usable with screen readers, tested with NVDA
      Changes provided by @shadow256 (Thank You)
      Removed Old Unused code
    0.9 Beta Updates by @shadow256
      Change some path treatments, should fix some bugs like the bug of custom prod.keys path not always working
      Path for files pointed by the forwarder doesn't require anymore the "/" at the beginning of them
      Rewrite text of some labels
      Other minor changes
    0.10 Beta Updates by @shadow256
      Prod.keys should work properly.
      Special characters should be displayed correctly
      Fix some other bugs
    0.11 Beta Updates by @shadow256
      Default logo file and its backup will not be deleted anymore at the end of the process, should prevent some big problems
    0.12 Beta
      Tidied up Menu Title
      Added option to disable icon conversion, Tick the checkbox BEFORE selecting your images (I need to rework the menu to make this option easier)
      Cleanup of files also added to the close (X) button
    Known Issues
    Some forwarders are created with ? logo when installed on the Switch. 0.12 Beta adds an option to disable the image conversion completely as a workaround, as no root cause has been identified.
    There's probably 100's of ways to break it so backup any files first


    Added a couple of Logo.png files I created
    LibRetroLogo.png and HBMenu.png, use them with the Logo Path option, they show up top left when you start the forwarder

     

    179 downloads

       (0 reviews)

    0 comments

    Submitted

