
Switch - Lockpick_RCM v1.9.0: Support Mariko, patched Erista, and bugfix


Retrohacked


Big release! If you can load payloads on your Mariko or patched Erista console, you can now dump keys with Lockpick_RCM!

Thanks loads to CTCaer, SciresM, Shadów, balika011, and averne for information, advice, and help testing!

The following section is only for research purposes - all keys needed for normal use are dumped by the program with no further action required

To get your SBK or the Mariko-specific keys (the kek, which is used for master key derivation, or the bek, which is used to encrypt package1 and the BCT), you will need to use the /switch/partialaes.keys file along with a brute-forcing tool such as https://files.sshnuke.net/PartialAesKeyCrack.zip. I will test out a userland homebrew for this purpose soon. The contents of this file are the keyslot number followed by the results of that keyslot encrypting 16 null bytes. With the tool linked above, enter the numbers in sequence for the keyslot whose contents you want, for example: PartialAesKeyCrack.exe <num1> <num2> <num3> <num4> --numthreads=N, where N is the number of threads you can dedicate to the brute force.

The keyslots are as follows, with names recognized by hactool:
12 - mariko_kek (not unique - this is used for master key derivation)
13 - mariko_bek (not unique - this is used for package1 decryption)
14 - secure_boot_key (console unique - this isn't needed for further key derivation than what Lockpick_RCM does but might be nice to have for your records)
15 - Secure storage key (console unique - this is not used on retail or dev consoles and there's nothing useful to do with it)

So if you want to brute force the mariko_kek, open your partialaes.keys and observe the numbers beneath keyslot 12. Here's an example with fake numbers:

12
11111111111111111111111111111111
22222222222222222222222222222222
33333333333333333333333333333333
44444444444444444444444444444444

Then take those numbers, open a command prompt window at the location of the exe linked above, and type:
PartialAesKeyCrack.exe 11111111111111111111111111111111 22222222222222222222222222222222 33333333333333333333333333333333 44444444444444444444444444444444
If you're on a powerful enough multicore system, add --numthreads=[whatever number of threads], ideally not your system's maximum if it's, for example, an older laptop with a low-end dual core CPU. On my Ryzen 3900x with 24 threads this generates a lot of heat but finishes in about 45 seconds.
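As an added example (not part of the release post or of Lockpick_RCM), a small Python parser for the partialaes.keys layout described above: it validates each keyslot entry, attaches the hactool names from the list above, and assembles the argument list in the order the post gives. The file layout follows the post; the label for keyslot 15 and the second keyslot in the sample are my assumptions.

```python
import re
from typing import Dict, List, Optional

# Keyslot numbers and the names the post lists for them (hactool names for 12-14;
# the post gives keyslot 15 only a description, so that label is an assumption).
KEYSLOT_NAMES = {12: "mariko_kek", 13: "mariko_bek",
                 14: "secure_boot_key", 15: "secure storage key (unused)"}
HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")   # one 16-byte AES result as hex
RESULTS_PER_SLOT = 4                       # the post shows four results per keyslot

def parse_partialaes_keys(text: str) -> Dict[int, List[bytes]]:
    """Parse partialaes.keys: a keyslot number line followed by RESULTS_PER_SLOT
    hex lines, each the result of that keyslot encrypting 16 null bytes.
    Returns {keyslot: [ciphertext, ...]}; raises ValueError on malformed input."""
    slots: Dict[int, List[bytes]] = {}
    current: Optional[int] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if HEX32.match(line):                       # a 32-hex-char result line
            if current is None:
                raise ValueError(f"line {lineno}: result before any keyslot number")
            if len(slots[current]) >= RESULTS_PER_SLOT:
                raise ValueError(f"line {lineno}: too many results for keyslot {current}")
            slots[current].append(bytes.fromhex(line))
        elif line.isdigit():                        # a short keyslot number line
            current = int(line)
            if current in slots:
                raise ValueError(f"line {lineno}: keyslot {current} listed twice")
            slots[current] = []
        else:
            raise ValueError(f"line {lineno}: unexpected content {line!r}")
    for slot, results in slots.items():
        if len(results) != RESULTS_PER_SLOT:
            raise ValueError(f"keyslot {slot}: expected {RESULTS_PER_SLOT} results, got {len(results)}")
    return slots

def crack_args(slots: Dict[int, List[bytes]], keyslot: int,
               numthreads: Optional[int] = None) -> List[str]:
    """Argument list in the form the post describes: the four results in file
    order, then --numthreads=N if a thread count was given."""
    args = ["PartialAesKeyCrack.exe"] + [r.hex() for r in slots[keyslot]]
    if numthreads is not None:
        args.append(f"--numthreads={numthreads}")
    return args

# Constructed sample: keyslot 12 uses the post's fake numbers; keyslot 14 is made up.
SAMPLE = "12\n" + "\n".join(d * 32 for d in "1234") + "\n\n14\n" + \
         "\n".join(b * 32 for b in "abcd") + "\n"
```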
