About eSim cards

A general update on the state of affairs in terms of sysmocom eUICCs, and open source software for SM-DP+ and LPA.

  1. There is a really nice open source LPA for consumer eSIM available from GitHub - estkme-group/lpac: C-based eUICC LPA - you can use this with a (test or production) eUICC in plastic form-factor in a pcsc-lite compatible card reader and download profiles from any SM-DP+ you can reach via IP / the internet
  2. I’ve been working on an SM-DP+ implementation in the laforge/sm-dp branch of the pySim git repo: sim-card/pysim: python libraries and command line tools for SIM/UICC/USIM/ISIM card analysis and programming. - pysim - Osmocom gitea - by now it looks like 99% are working, but somehow the test-eUICC I have is claiming a scp03tSecurityError during configureISDP. I’ve validated each step of my crypto code using hex dumps from @mode51software and my implementation produces the same results for ECDSA, ECKA, KDF, BSP crypto and BSP MAC. It’s a real puzzle why it isn’t working yet.
  3. sysmocom is meanwhile able to provide eUICCs with GSMA production certificates/keys. I’ve successfully installed production eSIM profiles from several operators on it using lpac mentioned above. It supports SAIP (SimAlliance Interoperable Profile) v2.3.1 and is capable of profiles with DF.5GS and SUCI-on-card. If you are interested in purchasing samples, contact sales@sysmocom.de and mention symoEUICC1-C2G.
  4. sysmocom test-eUICCs with custom certificates are still WIP but will become available later on
  5. The idea about sysmocom eUICC with multiple root CI certificates is still under investigation.

A small update regarding osmo-smdpp.py:

It has meanwhile been fixed and it is installing eSIM profiles into test-eUICCs just fine.

This would be great. But one question is whether a commercial phone can be made to use a profile downloaded using the private-root CA. So if I have a private-root CA into the ECASD and then download an eSIM profile with 999-99 PLMN. Can a commercial device use this eSIM or is there a check that the eSIM profile has been downloaded using GSMA-production CA? Thanks.

If your “commercial device” uses the described sysmocom hybrid eUICC, then you can install both production GSMA eSIM profiles and those created within your private CA.

For the built-in/off-the-shelf eUICC of a normal commercial device, you can always only install eSIM profiles signed within those root CAs supported by that eUICC. Normally this is the GSMA consumer root CA; occasionally also some vendor or country specific root CA (see Certificate Issuers (CIs) | eUICC Manual). Only the eUICC manufacturer may be able to install additional certificates into the ECASD.