Extract Kc from Phone?

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/baseband-devel@lists.osmocom.org/.

dexter zero-kelvin at gmx.de
Thu Feb 17 00:02:21 UTC 2011


Hi folks.
>
> How do they do that? As far as I know Kc shouldn't be extracted (except from
> very old cards). It would be better to have an open source sw that
> allows us to understand...
>
The Kc is only the session key. The Ki is the key that you cannot extract.

I had a similar problem some time ago. I wanted to get the current Kc in
real time. My solution was to sniff the Kc from the data stream between
SIM and phone. The Kc occurs in two ways: when RUN-GSM-ALGORITHM is
executed, and when the phone stores the Kc back on the SIM card.

You can download the source code and layouts for my approach at:
http://www.runningserver.com/software/chipcardlab.tar

The hardest task is to sniff the data because the baudrate of the
communication is not a standard baudrate. You can also try to get
SIMtrace (http://bb.osmocom.org/trac/wiki/SIMtrace) running. I did not
test it yet but I think it can achieve the same.

You could also find a phone where you can read the Kc by sending APDUs
through AT commands. Some BlackBerrys have a netmonitor mode that can
display the Kc.

Regards,
Philipp
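To make the two occurrences Philipp describes concrete, here is an added example (written for this archive page, not part of the post or of the chipcardlab code) that walks a constructed SIM-to-phone APDU trace of the kind a line sniffer or SIMtrace would capture and reports where Kc shows up. The APDU instruction codes, the T=0 "9F xx" procedure and the EF_Kc layout follow GSM 11.11; the RAND, SRES, Kc and status values in the sample trace are made up.

```python
"""Decode a constructed SIM<->phone APDU trace (GSM 11.11, T=0) and report
the two places the session key Kc appears: the RUN GSM ALGORITHM response
(SRES || Kc, fetched with GET RESPONSE) and the UPDATE BINARY that writes
EF_Kc (file id 6F20, body = Kc || ciphering key sequence number)."""
from dataclasses import dataclass

INS_SELECT, INS_UPDATE_BINARY = 0xA4, 0xD6
INS_RUN_GSM_ALGORITHM, INS_GET_RESPONSE = 0x88, 0xC0
EF_KC = bytes.fromhex("6F20")


@dataclass
class Apdu:
    header: bytes  # CLA INS P1 P2 P3 as sent by the phone
    data: bytes    # command data from the phone (empty if none)
    resp: bytes    # response data from the SIM (without status words)
    sw: bytes      # status words SW1 SW2


def find_kc(trace):
    """Return [(where, kc_hex, cksn)] for every Kc occurrence in the trace.
    cksn (key sequence number) is only known from the EF_Kc write."""
    found, selected, pending = [], None, False
    for a in trace:
        ins = a.header[1]
        if ins == INS_SELECT:
            selected = a.data  # SELECT carries the 2-byte file id
        elif ins == INS_RUN_GSM_ALGORITHM:
            # T=0: the SIM answers 9F 0C, i.e. 12 response bytes waiting
            pending = a.sw == b"\x9f\x0c"
        elif ins == INS_GET_RESPONSE and pending and len(a.resp) == 12:
            found.append(("RUN GSM ALGORITHM", a.resp[4:].hex(), None))
            pending = False
        elif ins == INS_UPDATE_BINARY and selected == EF_KC and len(a.data) == 9:
            found.append(("EF_Kc write", a.data[:8].hex(), a.data[8]))
    return found


# Constructed trace; RAND/SRES/Kc values are made up, not real key material.
RAND = bytes(range(16))
KC = bytes.fromhex("a1b2c3d4e5f60000")  # constructed, low 10 bits zero
SAMPLE_TRACE = [
    Apdu(bytes.fromhex("A0A4000002"), bytes.fromhex("7F20"), b"", b"\x9f\x16"),
    Apdu(bytes.fromhex("A088000010"), RAND, b"", b"\x9f\x0c"),
    Apdu(bytes.fromhex("A0C000000C"), b"", bytes.fromhex("11223344") + KC, b"\x90\x00"),
    Apdu(bytes.fromhex("A0A4000002"), EF_KC, b"", b"\x9f\x0f"),
    Apdu(bytes.fromhex("A0D6000009"), KC + b"\x03", b"", b"\x90\x00"),
]

if __name__ == "__main__":
    for where, kc, cksn in find_kc(SAMPLE_TRACE):
        print(f"{where:<18} Kc={kc}" + (f" CKSN={cksn}" if cksn is not None else ""))
```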