Hi folks.
How do they do that? As far as I know Kc shouldn't be extractable (except from
very old cards). It would be better to have open source software that
allows us to understand...
The Kc is only the session key. The Ki is the key that you cannot extract.
I had a similar problem some time ago. I wanted to get the current Kc in
real time. My solution was to sniff the Kc from the data stream between
SIM and phone. The Kc occurs in two ways: 1. when RUN GSM ALGORITHM is
executed, and 2. when the phone stores the Kc back on the SIM card.
You can download the source code and layouts for my approach at:
http://www.runningserver.com/software/chipcardlab.tar
The hardest task is to sniff the data because the baud rate of the
communication is not a standard baud rate. You can also try to get
SIMtrace (http://bb.osmocom.org/trac/wiki/SIMtrace) running. I did not
test it yet but I think it can achieve the same.
You could also find a phone where you can read the Kc by sending APDUs
through AT commands. Some BlackBerrys have a netmonitor mode that can
display the Kc.
Regards,
Philipp
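The two places Philipp describes can be picked out of a framed APDU trace mechanically. The parser below is an added example for this thread, not code from the original post or from chipcardlab/SIMtrace. It assumes the raw T=0 byte stream (non-standard baud rate, procedure bytes) has already been framed into (command, response) pairs, and uses the GSM 11.11 layouts: RUN GSM ALGORITHM (A0 88 00 00 10 + RAND) answered with 9F 0C, GET RESPONSE returning SRES (4 bytes) followed by Kc (8 bytes), and UPDATE BINARY of EF_Kc (file ID 6F20) carrying Kc followed by CKSN. The sample trace and all key values in it are constructed for the example.

```python
"""Pull the GSM session key Kc out of a framed SIM<->phone APDU exchange.

Added example, not code from the original thread or from chipcardlab.
Assumes the T=0 byte stream has already been split into (command, response)
pairs; field layouts follow GSM 11.11 (SELECT, RUN GSM ALGORITHM,
GET RESPONSE, UPDATE BINARY, EF_Kc).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

CLA_GSM = 0xA0
INS_SELECT = 0xA4
INS_RUN_GSM_ALGORITHM = 0x88
INS_GET_RESPONSE = 0xC0
INS_UPDATE_BINARY = 0xD6
EF_KC = b"\x6f\x20"          # EF_Kc: 8 bytes Kc followed by 1 byte CKSN
SW_OK = b"\x90\x00"


@dataclass
class KcHit:
    source: str                     # which of the two ways produced it
    kc: bytes                       # 8-byte A8 output
    rand: Optional[bytes] = None    # 16-byte challenge, when seen
    sres: Optional[bytes] = None    # 4-byte A3 output, when seen
    cksn: Optional[int] = None      # ciphering key sequence number, when written


def extract_kc(exchange: List[Tuple[bytes, bytes]]) -> List[KcHit]:
    """Walk (command, response) pairs and report every Kc seen on the wire."""
    hits: List[KcHit] = []
    selected: Optional[bytes] = None      # file ID of the currently selected file
    pending_rand: Optional[bytes] = None  # RAND of an algorithm run awaiting GET RESPONSE

    for cmd, rsp in exchange:
        if len(cmd) < 5 or cmd[0] != CLA_GSM or len(rsp) < 2:
            continue
        ins, p1, p2, p3, data = cmd[1], cmd[2], cmd[3], cmd[4], cmd[5:]
        sw = rsp[-2:]

        if ins == INS_SELECT and len(data) == 2:
            # Remember which file later UPDATE BINARYs address.
            selected = bytes(data)
            pending_rand = None

        elif ins == INS_RUN_GSM_ALGORITHM and p3 == 0x10 and len(data) == 16:
            # Way 1, step one: the card answers 9F 0C ("12 bytes ready").
            pending_rand = bytes(data) if sw == b"\x9f\x0c" else None

        elif ins == INS_GET_RESPONSE and pending_rand is not None:
            # Way 1, step two: response body is SRES (4) || Kc (8).
            body = rsp[:-2]
            if sw == SW_OK and len(body) == 12:
                hits.append(KcHit("RUN GSM ALGORITHM", bytes(body[4:12]),
                                  rand=pending_rand, sres=bytes(body[:4])))
            pending_rand = None   # a GET RESPONSE with no prior run is ignored

        elif ins == INS_UPDATE_BINARY and selected == EF_KC and p1 == 0 and p2 == 0:
            # Way 2: the phone writes Kc || CKSN back into EF_Kc at offset 0.
            if sw == SW_OK and p3 >= 9 and len(data) >= 9:
                hits.append(KcHit("UPDATE BINARY EF_Kc", bytes(data[:8]), cksn=data[8]))

    return hits


# --- Constructed sample trace; every value here is made up for the example ---
RAND = bytes(range(0x10))
SRES = bytes.fromhex("a1b2c3d4")
KC = bytes.fromhex("0123456789abcdef")
CKSN = 0x03

SAMPLE_TRACE = [
    (bytes([0xA0, 0xA4, 0x00, 0x00, 0x02]) + b"\x7f\x20", b"\x9f\x16"),        # SELECT DF_GSM
    (bytes([0xA0, 0x88, 0x00, 0x00, 0x10]) + RAND, b"\x9f\x0c"),               # RUN GSM ALGORITHM
    (bytes([0xA0, 0xC0, 0x00, 0x00, 0x0C]), SRES + KC + SW_OK),                # GET RESPONSE
    (bytes([0xA0, 0xA4, 0x00, 0x00, 0x02]) + EF_KC, b"\x9f\x0f"),              # SELECT EF_Kc
    (bytes([0xA0, 0xD6, 0x00, 0x00, 0x09]) + KC + bytes([CKSN]), SW_OK),       # UPDATE BINARY
    (bytes([0xA0, 0xC0, 0x00, 0x00, 0x0C]), SRES + KC + SW_OK),                # stray GET RESPONSE, ignored
]

if __name__ == "__main__":
    for hit in extract_kc(SAMPLE_TRACE):
        print(f"{hit.source:22s} Kc={hit.kc.hex()} CKSN={hit.cksn} "
              f"RAND={hit.rand.hex() if hit.rand else '-'}")
```

Only the second way needs the file selection state: an UPDATE BINARY is meaningless without knowing that EF_Kc is the selected file, which is why the parser tracks SELECT. The first way is self-describing, since 9F 0C after a 16-byte RUN GSM ALGORITHM uniquely marks the 12-byte GET RESPONSE that follows.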