Hi folks.
How do they do that? As far as I know, Kc shouldn't be extractable (except from very old cards). It would be better to have open source software that allows us to understand...
The Kc is only the session key. The Ki is the key that you cannot extract.
I had a similar problem some time ago. I wanted to get the current Kc in real time. My solution was to sniff the Kc from the data stream between SIM and phone. The Kc occurs in two ways: 1. when RUN-GSM-ALGORITHM is executed, and 2. when the phone stores the Kc back on the SIM card.
You can download the source code and layouts for my approach at: http://www.runningserver.com/software/chipcardlab.tar
The hardest task is sniffing the data, because the baud rate of the communication is not a standard baud rate. You can also try to get SIMtrace (http://bb.osmocom.org/trac/wiki/SIMtrace) running. I did not test it yet, but I think it can achieve the same.
You could also find a phone where you can read the Kc by sending APDUs through AT commands. Some BlackBerrys have a netmonitor mode that can display the Kc.
Regards, Philipp
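The two places Philipp describes, worked through as an added example (this is not code from the thread, from chipcardlab or from SIMtrace): a small parser that walks a SIM-to-phone APDU trace and picks out Kc both from the GET RESPONSE that fetches the RUN GSM ALGORITHM result (SRES[4] || Kc[8], per GSM 11.11) and from an UPDATE BINARY to EF_Kc (file 6F20, Kc[8] || CKSN[1]). It assumes the sniffer has already reassembled the T=0 byte stream into (command, response, status word) triples, i.e. procedure bytes are stripped, and the sample trace, RAND, SRES, Kc and CKSN values are all constructed for the example.

```python
"""Pull the GSM session key Kc out of a SIM <-> phone APDU trace.

Added example, not code from the original thread or from chipcardlab/SIMtrace.
Assumes the trace is already reassembled into (command, response, SW) triples,
which is what a T=0 sniffer produces once it has stripped the procedure bytes.
Kc shows up in two places (GSM 11.11):
  1. GET RESPONSE after RUN GSM ALGORITHM: SRES[4] || Kc[8]
  2. UPDATE BINARY on EF_Kc (6F20):        Kc[8]   || CKSN[1]
"""
from dataclasses import dataclass

CLA_GSM = 0xA0
INS_SELECT = 0xA4
INS_RUN_GSM_ALGORITHM = 0x88
INS_GET_RESPONSE = 0xC0
INS_UPDATE_BINARY = 0xD6
EF_KC = 0x6F20


@dataclass
class Apdu:
    cmd: bytes   # CLA INS P1 P2 P3 [data], as sent by the phone
    resp: bytes  # data returned by the card (empty if none)
    sw: int      # SW1 SW2 as one 16-bit value, e.g. 0x9000


@dataclass
class KcHit:
    source: str   # which APDU exposed the key
    kc: bytes     # 8-byte A8 output
    extra: bytes  # SRES for case 1, CKSN for case 2


def extract_kc(trace):
    """Walk the trace in order, tracking the selected file and a pending
    RUN GSM ALGORITHM result, and return every Kc observed."""
    hits = []
    selected = None       # file id from the last SELECT
    auth_pending = False  # card answered RUN GSM ALGORITHM with 9F 0C
    for a in trace:
        if len(a.cmd) < 5 or a.cmd[0] != CLA_GSM:
            continue
        ins, p1, p2, p3 = a.cmd[1:5]
        data = a.cmd[5:]
        if ins == INS_SELECT and len(data) == 2:
            selected = int.from_bytes(data, "big")
            auth_pending = False
        elif ins == INS_RUN_GSM_ALGORITHM and len(data) == 16:
            # T=0: the card holds the 12-byte result and signals it with 9F 0C,
            # so the key travels on the wire only in the following GET RESPONSE.
            auth_pending = (a.sw == 0x9F0C)
        elif ins == INS_GET_RESPONSE and auth_pending:
            auth_pending = False
            if a.sw == 0x9000 and len(a.resp) == 12:
                hits.append(KcHit("RUN GSM ALGORITHM response", a.resp[4:12], a.resp[0:4]))
        elif ins == INS_UPDATE_BINARY and selected == EF_KC:
            offset = (p1 << 8) | p2
            if a.sw == 0x9000 and offset == 0 and len(data) >= 9:
                hits.append(KcHit("UPDATE BINARY EF_Kc", data[0:8], data[8:9]))
    return hits


# Constructed sample trace; none of these values come from a real SIM.
RAND = bytes(range(0x10, 0x20))
SRES = bytes.fromhex("d1d2d3d4")
KC = bytes.fromhex("a1b2c3d4e5f60718")
CKSN = b"\x03"

SAMPLE_TRACE = [
    Apdu(bytes.fromhex("a0a4000002") + b"\x7f\x20", b"", 0x9F16),  # SELECT DF_GSM
    Apdu(bytes.fromhex("a088000010") + RAND, b"", 0x9F0C),         # RUN GSM ALGORITHM
    Apdu(bytes.fromhex("a0c000000c"), SRES + KC, 0x9000),          # GET RESPONSE
    Apdu(bytes.fromhex("a0a4000002") + b"\x6f\x7e", b"", 0x9F0F),  # SELECT EF_LOCI
    Apdu(bytes.fromhex("a0d600000b") + bytes(11), b"", 0x9000),    # UPDATE BINARY, not Kc
    Apdu(bytes.fromhex("a0a4000002") + b"\x6f\x20", b"", 0x9F0F),  # SELECT EF_Kc
    Apdu(bytes.fromhex("a0d6000009") + KC + CKSN, b"", 0x9000),    # UPDATE BINARY EF_Kc
]

if __name__ == "__main__":
    for h in extract_kc(SAMPLE_TRACE):
        print(f"{h.source}: Kc={h.kc.hex()} extra={h.extra.hex()}")
```

The write-back to EF_Kc is only reported when the file selected immediately before is 6F20, so a write to another file of the same length (EF_LOCI in the sample) is ignored; on a real trace you would feed the triples from your sniffer into extract_kc in place of SAMPLE_TRACE.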