I've extracted the RAM EMM keys from two consecutive packets on 39°E, encrypted with different ROM EMM keys. Although the encrypted payload is obviously different the decrypted payloads (RAM keys block index 1x) are identical. So perhaps they do not change too often.
Code:
82 70 8A 00 51 17 E3 F0 84 E4 82 FF FD 92 B6 D3.....
82 70 8A 00 52 C5 DE F0 84 E4 82 FF FD FA F2 0E.....
The question remains. Where are the encrypted ECM keys (normally located in EMM 83 70 40....) to be found?
They are not in the EMM stream nor in the ECM stream. I also checked the Bulcrypt (simulcrypted) EMM stream and they were not their either - although I didn't think they would be!
Has anyone any idea about this?