I was looking for the same on a NEOTRON Viaccess CAM, used here for DVB-T.
I know the firmware is transmitted as an update in the TS as an SSU.
In the NIT I do see a 0x09 "System Software Update" service:
OUI: 0x237C => Neotion
Sector length: 0x22
Sector_bytes: 08000001123456780..............
This kind of data is sent as a carousel and I never found a way to capture the firmware, and if it was possible I guess it's encrypted and then it is hard to find the RSA.
Another way could be to open the CAM, unsolder the flash and read it, and hope the FW is not encrypted.
I was expecting to place a legal card in an OSCAM server and then let different receivers share that card.
But that does not work since the ECM in the TS does have the RSA key flagged, so I expect the RSA is needed.
I did a complete recording of the TS and at the same time I had logging running between the card and the CAM on the 2 different TVs.
Both logs on card / CAM are exactly the same during e.g. a timeslot of 1 min where the CW changed like every 10 sec.
Since I recorded the whole TS on a USB tuner at the same time, I could now extract the same program and do a BF on the CW and have a clear picture... but the CW is not shown in plain in the return from the card / CAM log, so I'm a bit surprised about what part the RSA is actually used for in the CI.
Anyway, I would like to know how to get the RSA as well.