Can I install an uncertified eSIM profile provisioned by myself on Android?

Question

I would like to set up an SM-DP+ server to provision my own eSIM profiles. These usually get certified by GSMA and are used for large-scale Remote SIM Provisioning, but I would want to use this for home testing only, so getting official certification would be overkill.

I understand that I will need my own mobile network to work with it, which I also want to set up at home. My main concern is that either Android or the device manufacturers impose limitations that would only allow certified eSIM profiles to be installed on a device. I was thinking of using a Google Pixel 3A for testing, so I would be installing the eSIM profiles on this phone.

I also tried to find information on what's inside a SIM profile but there isn't much on the internet. I know it contains ISMI and some shared keys which it uses to connect to the MNOs network.

I would like to know what else is needed to create a functional eSIM profile and set up a server that provisions these to a Google Pixel 3A for a mock cellular network.

Answer 1

Short answer: No.

Long answer: Changing your configuration and/or working in commercial space might work out.

Technical specifications regarding eSIM and Remote SIM Provisioning are provided by GSMA. They are freely available on the GSMA website.

Information regarding profiles can be found in SGP.22:

Profile - A combination of data and applications to be provisioned on an eUICC for the purpose of providing services.

Profile Component - A Profile Component is an element of the Profile, when installed in the eUICC, and MAY be one of the following:

• An element of the file system like an MF, EF or DF;
• An Application, including NAA and Security Domain;
• Profile Metadata, including Profile Policy Rules;
• An MNO-SD.

You can get examples for test profiles from the Android Open Source Project:

Android provides downloadable test profiles for testing the radio implementation of devices supporting eSIM. For testers that need to download a test profile defined in TS.48, Android provides a mechanism in its SM-DP+ to facilitate the download of up-to-date test profiles. When a tester scans a QR code for a test profile, the SM-DP+ downloads the test profile to the target device. Because there are no download or profile policy rules implemented, there are no limits to the number of downloads or the devices that can download the profiles. The device downloading the test profiles must have a test certificate issued by a GSMA CI.

A very nice and detailed RSP overview is also given by Kigen. It shows which components are involved and how they relate to each other. In your case: Dp+ server <--> Cellular Network <--> Device (Google Pixel 3a) with Local Profile Assistant <--> eUICC (eSIM chip) already in device.

End-to-end security is built into RSP. All exchanges between the SM-DP, SM-SR, and eUICC rely on digital certificates (PKIs) or pre-shared keys (PSKs), which can be revoked at any time if security concerns arise. An eUICC receiving SMS messages uses AES encryption, and HTTPS card to server data sessions use Transport Layer Security (TLS) to protect over-the-air communication.

Usually, only the eUICC manufacturer/provider has the keys necessary to modify the concerned eUICC's content. Therefore, you will not be able to install your TLS certificate or your key(s) into it. This means that your DP+ needs to have a certificate which is issued by the GSMA Certificate Issuer in order to install a profile on your Google Pixel 3a. (This is the way the Android Open Source Project went. You ruled it out as overkill.)

Additionally, as far as I know, there are no open or free SM-DP+ server implementations available.

You might take a look at companies which offer DP+ as a cloud service and connect your mock cellular network to it.

For completeness, as far as I know, there are no open or free eSIM-capable eUICCs available. Therefore, it is not possible to circumvent the issue from that side.

A test environment matching your set-up is also described by Cellnetrix (acquired by Truphone) on Slideshare.

Answer 2

There is a solution to your problem: You could use a Test-eUICC that's packaged in plastic card form-factor (like a normal SIM/USIM), and use that in a SIM reader or in a smartphone whose built-in LPAd supports eSIM features not just for the built-in (soldered) eUICC but also for the additinal physical card slot.

The Test-eUICC has 3GPP test key material (specified in SGP.26) installed on it. Using the private key of the test key root CA you can then sign your own eSIM profiles as well as generate the derived SM-DP+ TLS certificate. That way you can then install your own eSIM certificates using your own SM-DP+ on your own eUICCs.

Comprion is selling related test-eUICCs for GSMA Consumer eSIM; there might be more suppliers. You'd still need a SM-DP+. There are SM-DP+ simulators from a number of vendors (Comprion and UL, for example). Or you could also write your own, as all the related specs for the interfaces and procedures are published by GSMA (like the ES9+ and ES10x interfaces) and the Trusted Connectivity Alliance (RSP format).