Every ten seconds or so, the ECM is sent and responded to. Here’s the response:
01 05 9d 00 38 00 00 0e ff 55 00 01 ff ff 1b 79 1b e8 ce a6 12 7a 9e
= This breaks down to:
01 05 9d 00 38 00 00 0e
= This indicates a correct response to an 05 instruction. The sixth byte is NOT a length byte in this case but indicates what key was decrypted. Its inverted so here it shows the second key was decrypted. The eighth byte 0e(h) indicates 14 bytes to follow.
ff 55
= The Channel ID being evaluated.
00
= Filler byte
01
= The key that was used for decryption in the original string (the second, here) and the inverse of the sixth byte referred to above.
ff ff
= Filler bytes, always ff ff, it seems.
1b 79 1b e8 ce a6 12 7a
= The decrypted 8 byte data, in this instance. Not of any immediate use to us, at present.
9e
= Checksum, again. Remember, its not counted in the length bytes.
Notes

Almost all the information needed to analyse scripts can be found in Activate. It can take some searching and it does need you to get a basic grasp of the concepts before you can fully interpret everything.
We could go on and analyse some more stuff but it is starting to get tedious so I will do something different. As an exercise have a look at the following logged communications and see if you can work out what is happening. Some nanos are underlined.

Logged from the box, about every minute at the moment:
01 01 00 00 00 23 02 04 f2 00 00 1d 40 02 05 d8 50 52 02 df e7 44 fe f4 91 13 02 04 a1 fe ff 15 44 0e cf f2 26 b1 1d a7 c3 05
Answer from the card:
01 01 00 00 3f 00 00 03 00 00 00 03
As a clue, this is an EMM update command.
If you are going to write scripts yourself you are advised to find a tool to help you do it. They can take the drudgery out of things like length byte counts. Many programs capable of scripting come with a lot of capability built in and can more than cater for most card programming needs. You can write or edit them from cold using WindowsÓ Notepad if you are so inclined. Programs like CardWizard are capable of more complex scripting and provide aids to help assemble the scripts.
5.0Memory Mapping on Smart-cards
I have mentioned the idea of memory mapping on smart cards. Whilst this is an advanced concept it is worthwhile that you have some idea of what is going on so at least you will know what other people are referring to!
Actually there are at least two ways that card commands can “talk” to smart card memory. The first is simply by using the key numbers (00, 02, 04, 06 etc) and is most normally used by the providers. The smart-card software knows where to place keys based on their number. The second mode is to directly address card locations. This is done by the ‘5f’ nano command. “Activate” only partly covers this so I will illustrate both modes with some simple examples. Since writing plain-keys in Australia is pretty much a waste of time, I will be brief with this bit. It is useful to recognise what the providers are doing
First Method
Here’s a script that writes key updates.
01 01 00 00 00 23 02 pg pg 00 00 1d 40 02 dd dd 50 52 02 kk kk kk kk kk kk kk kk 04 kk kk kk kk kk kk kk kk ss ss ss ss ss 05
This is broken down to the following:
01 01 00 00 00 23 02 pg pg 00 00
= The normal 6 byte command, 23(h) bytes to follow. The 02 indicates that Provider Group is the addressing mode so its there along with two 00 filler bytes.
1d
= 1d is the length of the rest of the string (29 bytes)
40 02 dd dd
= This sets the 2 byte card date, dd dd.
50 52
= This nano sets instructs the card that 2 keys are to be decrypted and written to the indicated locations. Note this is the same nano as 10 52 or 90 52.(The 40(h) offset)
02 kk kk kk kk kk kk kk kk
04 kk kk kk kk kk kk kk kk
= Next the two keys to go to locations 02 and 04 as indicated, once they have been decrypted. (A valid PMK for the group must be on the card). Software exists to readily decrypt these to PlainKeys.
ss ss ss ss ss
= the 5 byte signature, which concludes the total of 23(h) or 35 bytes of the string.
05 at the end, of course, is the checksum.
In Section 3 of this document I suggested you might want to analyse a string and the card response. Well, the above analysis is what you should have discovered if you did the suggested exercise!!