Introduction

Welcome!

The sysmocom eSIM Manager makes it easy to publish your own eSIMs.

It works like this:

  • Pick an eSIM template to easily start off with a fully usable profile.

  • Choose the number of eSIMs to create, and set your own parameters like service provider name, IMSI range, key material…

  • Publish your personalized eSIM profiles at one of our public SM-DP+, ready for download to any eSIM capable mobile devices, e.g. using an eSIM activation QR code.

The service is charged by sysmocom tokens, which are available at https://shop.sysmocom.de/.

We offer both a GSMA certified SM-DP+ upload for production use, as well as a lab testing SM-DP+ using SGP.26 Test Certificates.

There is no minimum required number of eSIMs: you may publish profiles one by one, or by the thousands.

Get started at: https://esim.sysmocom.de

eSIM Profile Generation FLow

Contact

Tokens to top up your account are available at https://shop.sysmocom.de/.

If you need bigger volumes of tokens than the webshop offers, please contact us at sales@sysmocom.de.

If you have found a bug in sysmo-eSIM-manager, or for any other feedback or requests, please contact us at support@sysmocom.de.

All Steps

Here are all the steps in a neat list:

  • [login] register with your email address.

  • [pgp] set up OpenPGP encryption for your eSIM profile data.

  • [tokens] top up your token balance.

  • [jobs] manage your eSIM batches.

  • [templates] choose an eSIM template.

  • [smdpp] where to publish your eSIMs?

  • [input_csv] optional: pre-load your own eSIM parameter values from a CSV file.

  • [esim_config] configure IMSI, K, OPc, … and all other eSIM parameters.

  • [upload] publish the personalized eSIM profiles.

  • [csv] retrieve the CSV files that you need for eSIM activation, and to feed to your core network’s subscriber database.

  • [activation] how to make use of your published eSIM profiles.

  • [sweep] remove eSIM profile details from our web application’s server storage.

Login

screenshots/login_page.png

Login works via your email address.

As usual, first register your email address:

  • Open https://esim.sysmocom.de in your web browser.

  • Click on the button labeled register a new account and follow the instructions.

  • You need to enter your own, working email address — this will be verified.

From then on, you can login using your email address and password, as entered during registration:

  • Open https://esim.sysmocom.de in your web browser.

  • Enter your full email address for Email:, for example you@example.com.

  • Enter your password for Password:.

  • Click on Sign In.

On first sign in, you will be asked to verify your email address:

  • When you signed in, sysmo-eSIM-manager asks you to verify your email address.

  • Go to your email inbox, and open the latest email from "sysmo-eSIM-manager".

  • Copy the short verification code from the email message to your web browser and submit the form.

Operational Hints

If you get stuck at any step, look for hints under next step:

screenshots/encryption_next_step_enter_pubkey.png

Success notes and warnings may appear near the top:

screenshots/encryption_alert_correct_code_entered.png

OpenPGP encryption

screenshots/encryption_status_empty.png

Using encryption is highly recommended to keep your eSIM profile details secure. We support using OpenPGP encryption for protecting sensitive input/output data of the eSIM profile generating process.

Here is a quick overview, followed by more details in the sections below.

An eSIM personalization job that has encryption enabled will store all sensitive data OpenPGP encrypted:

  • The generated UPP are immediately encrypted so that only the SM-DP+ can decrypt them.

  • The output.csv and activation.csv, containing all eSIM keys and codes, are stored encrypted so that only your private key an decrypt them. Not even sysmocom can read them: the unencrypted record is handled only briefly, in volatile memory.

To enable encryption:

  • Create an OpenPGP public/private keypair, using an OpenPGP agent on your device.

  • Back up your private key and passphrase. If you ever lose it, it is impossible to decrypt your related data, even sysmocom cannot decrypt it. You have been warned!

  • Paste your public key in the eSIM manager’s encryption settings.

  • Verify encryption by downloading, decrypting and re-entering a verifcation code.

  • When creating a new personalization job, place a tick-mark for use OpenPGP encryption — see section [job_create].

In more detail:

Set up GnuPG

We recommend using GnuPG (https://gnupg.org) as OpenPGP agent. In case you don’t already have it installed, use operating system specific procedures to install it. For example, on a Debian GNU/Linux or Ubuntu system, you would install it via
sudo apt install gnupg

pinentry

GnuPG supports various pinentry types to prompt for a secret passphrase. If you are using gpg on a remote or headless system, a graphical pinentry will not be useful. Instead, configure the gpg-agent to prompt on the current terminal.

For example, on a Debian system, you may install the pinentry-curses and/or pinentry-tty packages and append
export GPG_TTY=$(tty)
to your terminal shell profile (depending on the shell, this may be ~/.profile, ~/.bashrc, …).

For graphical pinentry, individual packages like pinentry-gnome3, pinentry-gtk2, pinentry-qt etc. match various window managers.

Create an OpenPGP public/private keypair

The following is an example that you can adapt to create your own private/public key pair:

Generate a key pair

In a terminal window, the following GnuPG command creates a new key pair — make sure to adjust the name and email address! It will ask for a new passphrase using a pinentry dialog.

gpg --quick-gen-key "Dr. Beverly Crusher <beverly@enterprise.dyndns.earth>" ed25519

Identify the fingerprint

To make sure gpg outputs only one single public key, identify the correct key by its fingerprint. First list all your keys:

gpg --list-keys "beverly@enterprise"

In the output, pick the fingerprint of the correct OpenPGP key — in the following example output, the correct (non-revoked) key has the fingerprint E729A93113DAFCFA74E1C9B07D6817D33ED675F9:

$ gpg --list-keys "beverly@enterprise"
pub   rsa4096 2015-02-11 [SC] [revoked: 2022-04-18]
      264CC8D1392D5927636816BCB49C93D864D48439
uid           [ revoked] Dr. Beverly Crusher <beverly@enterprise.dyndns.earth>
uid           [ revoked] Dr. Beverly Crusher (Federation of Planets) <beverly@enterprise.dyndns.earth>

pub   ed25519 2022-05-18 [SC] [expires: 3027-05-17]
      E729A93113DAFCFA74E1C9B07D6817D33ED675F9
uid           [ultimate] Dr. Beverly Crusher <beverly@enterprise.dyndns.earth>
sub   cv25519 2022-05-18 [E] [expires: 3027-05-17]

Backup your private key and passphrase

Protect your assets: the OpenPGP private key and your passphrase must not be lost.

Warning

Make sure to back-up the generated private key as well as the passphrase. If you lose either of them, no-one (short of a state actor with the capability of breaking elliptic curve cryptography using quantum computers) will be able to decrypt the data.
Even sysmocom does not keep any unencrypted backup of your data, and only you have the decryption keys!
You have been warned!

To export your private key, use the fingerprint as in section [pgp_fingerprint]. If, for example, your fingerprint were E729A93113DAFCFA74E1C9B07D6817D33ED675F9, then the following commands export your GnuPG private key to the local filesystem — a pinentry dialog may pop up to request your GnuPG passphrase to confirm the export:

touch ./gnupg_private_key.asc
chmod go-rw ./gnupg_private_key.asc
gpg --export-secret-key --armor E729A93113DAFCFA74E1C9B07D6817D33ED675F9 > ./gnupg_private_key.asc

The resulting file gnupg_private_key.asc is highly confidential. Keep it safe from access by third parties — paired with your passphrase, it allows decrypting all of your OpenPGP guarded secrets.

You must never upload or enter this private key on any website.

Do not enter this private key on the sysmo-eSIM-manager encryption page. Instead, see section [pgp_pubkey].

Setup the public key

After you identified your fingerprint in section [pgp_fingerprint], this command should output your public key:

gpg --armor --export YOURFINGERPRINTHERE123451234512345123451

A public key looks something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEaxxxxxxxzaYBBAHaRw8BAQxxxxxxxxMBkkvEgIuKHZVi8Nr22+vsxedO2RFO
3aw98xxxxxxxc21vYxxxxGVTSUxxxxxxxxdlciA8aW5mb0BzeXNtb2NvbS5kZT6I
lgQTFggAPhYhBNkQyxxxxypmUTWGhbm8tMdZ5jObBQJoDp5uAhsDBQkFo5qABQsJ
CAcCBxxxxQgLAgQWAgMBAh4BAheAAAxxxxm8tMdZ5jObCFMA+gLzVN7HFQpyB1P4
3Hx4zk9sxxxxxxxxxxxxxxxxxxxxxxx76v6yhT29T/3or5oPEGzykrqSDfxT90oO
sVbLkvw4Aw==
=1Y/4
-----END PGP PUBLIC KEY BLOCK-----
screenshots/encryption_next_step_enter_pubkey.png

  • Copy-and-paste the entire public key block, including the full BEGIN and END lines, to the text field labeled Your own OpenPGP public key, and click on apply.

    Note

    you may safely copy-and-paste more arbitrary text around the PGP block. eSIM manager will crop the PGP block properly as long as it is somewhere in there.

    Troubleshooting

    Make sure that gpg outputs exactly one key. If your key selection is too general, multiple keys will be silently combined into one public key block, which the eSIM manager website will reject.

Verify encryption

screenshots/encryption_next_step_verify.png

This step ensures that you can properly decrypt the eSIM profile details that the eSIM manager produces for you.

To test whether OpenPGP works as expected,

  • eSIM manager provides you with an encrypted challenge.

  • Decrypt this challenge with your private key to show a verification code.

  • Enter the correct code back in eSIM manager’s encryption settings.

If this works out, eSIM manager considers your encryption to be verified.

Note

You are free to solve any number of verification challenges at any time. The eSIM manager will enforce a re-verification after 180 days. We want to make sure that you can actually use your eSIM profiles, as we cannot help you with recovery in case your OpenPGP private key or passphrase are lost.

The steps in detail:

For example:

  • click on download the encrypted challenge and save as Downloads/decrypt-challenge.txt,

  • run gpg --decrypt ~/Downloads/decrypt-challenge.txt.

  • paste the resulting output in the field labeled verification code.

    Note

    you may safely copy-and-paste more arbitrary text before and after the verification code. It will work fine as long as eSIM manager can find the four digit code somewhere in there.

The status shown on top of your encryption settings should now say "Encryption setup is complete", and personalization jobs using encryption can now continue to generate eSIM profiles.

screenshots/encryption_status_setup_complete.png

Token balance

Each successful eSIM profile upload to the SM-DP+ will cost you a fixed amount of sysmocom tokens. The amount per eSIM depends on the SM-DP+.

When your token balance is too low to complete your eSIM upload, you need to top up your token balance first, by entering a voucher code obtained from https://shop.sysmocom.de/.

To check your current token balance:

You should see your current token balance:

screenshots/token_empty_balance.png

Please visit https://shop.sysmocom.de/ to purchase a token amount that is sufficient for your choice of number of eSIMs and SM-DP+.

Sysmocom will provide to you a voucher code, which is a short text that you can copy-and-paste to the eSIM manager:

  • Login on the eSIM manager.

  • Click on the button labeled 1.23 tokens near the top.

  • paste the voucher code to the edit field labeled voucher code

  • click on the redeem button.

screenshots/token_voucher_code.png

You should see your token balance incremented by the voucher’s token amount.

  • Each voucher can be used only once.

  • Voucher codes can be redeemed by anyone, as long as it has not yet been redeemed before. So, keep your voucher codes safe until you have redeemed it. Once you have redeemed the voucher code, your balance is safe and no-one can use your voucher code anymore.

    Note

    If your voucher code does not work for any reason, please contact support@sysmocom.de, your account’s email address as configured on esim.sysmocom.de; we will do our best to resolve any problems.

start an eSIM Personalization Job

One batch of eSIMs to be published is called a Personalization Job.

A personalization is:

  • take a generic eSIM template,

  • turn it into your own series of eSIM profiles using input data provided by you, and

  • publish the personalized profile packages on one of our affiliated SM-DP+ servers.

You will get a CSV of eSIM profile data, and an Activation Code for each published eSIM (typically shown as a QR code to scan with a mobile device).

To start configuring your eSIM profiles, create a personalization job.

new job

  • Login on the eSIM manager.

  • Click on the jobs button near the top.

  • Near the bottom of the page, locate the text field labeled new job name.

screenshots/job_empty_job.png

  • Enter a job name to your own taste — this name is used for listing your jobs on the eSIM manager website, only.

  • Choose now whether the new job will be encrypted, with the checkbox labeled use OpenPGP encryption. See also section [pgp]. If in doubt, we recommend enabling encryption.

  • Click on the create new job button.

The new job shows, and you may continue to configure SM-DP+, template and eSIM parameters.

See also these sections:

choose an SM-DP+

In short:

  • Choose GSMA SM-DP+ for use with normal consumer grade mobile devices, which are typically GSMA certified.

  • For lab tests using a "Test" eUICC, choose Test SM-DP+.

The cost per eSIM for upload to an SM-DP+ is shown in the personalization job dialog.

In more detail:

When an eUICC (e.g. a mobile device) installs an eSIM from an activation code, the eUICC and the SM-DP+ server mutually authenticate based on the GSMA certificate authority. That means, if your eSIM profiles need to work on common consumer devices with built-in GSMA certified eUICC, you need to match that up with a GSMA certified SM-DP+.

An alternative is to use the Test Certificates specified in SGP.26, and download the eSIM profiles to "Test" eUICC. The SGP.26 Test Certificates' private keys are fully disclosed in public, hence they are only useful for lab tests.

Note

If you need eUICC as a replacement for physical SIM cards, sysmocom offers both "GSMA" and "Test" eUICC for online purchase: see https://shop.sysmocom.de/.

choose an eSIM template

screenshots/job_chose_esim_template.png

An eSIM template is a functional eSIM profile that contains placeholder values in all the interesting places.

Creating an eSIM profile package requires many components in a fairly complex structure. To make this step easy, sysmo-eSIM-manager offers templates that fully describe a useful UPP. We apply your parameters on top of such a template to generate your fully individual eSIM profiles.

Many eSIM parameters will always be available: IMSI, PIN, PUK, ADM, K, OPc, etc..

Some specialized eSIM parameters, e.g. specific SDKeys, may not be supported by all eSIM templates. Once you have chosen a template, you will only see those eSIM parameters that are supported by that template.

optional: load an input.csv

Loading an input.csv is entirely optional.

Instead of relying on generative parameter configuration, you can upload pre-composed values for each individual parameter of each eSIM, in form of a CSV file.

Neat

A quick way to exactly match the number of eSIMs to the number of CSV rows in the uploaded input.csv: simply enter 0 for nr of eSIMs and click apply; the number will snap back to match the number of input.csv records.

input.csv format

  • The input.csv file’s first row must contain the column names (more on column names here). The second row is the first actual eSIM record.

  • The encoding should be UTF-8 or plain ASCII.

  • The underlying CSV format is automatically detected. You may use about every CSV variant that exists.
    If in doubt, use a tab character for cell separation, single line feeds for row separation, and do not use quotes.

  • Each eSIM needs a separate CSV row — if multiple eSIMs should have the same values, just repeat those values in multiple CSV rows.

  • For your own convenience, you should prefer shorter column names in the CSV, to keep the column selection drop-down in the personalization job form manageable.

  • There will be a warning about unused CSV columns, but only to help avoid mistakes. It is ok to include more CSV columns than are needed by the personalization job.

input.csv column names

screenshots/job_input_csv.png

automatic CSV column matching

The input.csv file’s column names can match eSIM parameter names, to assign them automatically. For matching CSV columns to eSIM parameters, we ignore all whitespace, punctuation and upper/lowercase differences. For example, a column name of "Pin: 1" will match with eSIM parameter PIN1.

Automatic matching is attempted at these times:

  • once upon first upload of the input.csv file, and

  • when new parameters are first added to a personalization job, e.g. by choosing an eSIM template, and

  • when you click the button Auto-fill eSIM parameters from CSV columns in the personalization job form.

manual CSV column matching

The CSV columns don’t have to match parameters. CSV column names may be chosen arbitrarily, and after upload, columns can be manually assigned to parameters, one by one:

  • for the desired parameter, choose from CSV from the drop-down selection next to the parameter’s input field, and click on apply to refresh the form.

  • pick your CSV column from the drop-down that appears just to the right of the from CSV selection.

Manual column assignments always override the automatic matching, so you may freely mix-and-match automatic and manual column assignments.

If you would like to clean out a parameter to make it available for automatic matching again, you may click the revert icon next to the parameter (small arrow in circle). It only shows when the parameter has been modified.

By the way

When JavaScript is enabled in your browser, the form may refresh automatically upon selecting from CSV, so that clicking on apply is not necessary. It is fine to click on apply anyway.

input.csv example

Here is a full example of using an input.csv file to set up eSIM parameters:

Say, a job has this input.csv CSV file uploaded:

IMSI,Pin-1,Pin 2,Administrative PIN 1,Administrative PIN 2
001010000000001,8254,0182,49029319,91025342
001010000000002,7482,3816,10284019,53759163

The column names "IMSI", "PIN-1", "PIN-2" are automatically matched: eSIM parameters IMSI, PIN1 and PIN2 will automatically show from CSV, and they will be assigned to the "IMSI", "Pin-1" and "Pin 2" columns, respectively.

  • "Pin-1" matches with PIN1, because ignoring the dash and the upper/lowercase differences makes a match.

  • Similarly for "Pin 2" and PIN2, this time ignoring the space.

    Note

    When automatically matching input.csv column names to eSIM parameter names, all non-alphanumeric characters are ignored, as well as all upper/lowercase differences.

Two columns will not match: the "Administrative PIN 1" and "Administrative PIN 2" are too far off from ADM1 and ADM2. Set them up manually:

  • The ADM1 eSIM parameter will still be set to the default of random hexadecimal digits.

  • Instead, choose from CSV and click apply to refresh the form.

  • Then pick Administrative PIN 1 from the selection that appears just to the right of ADM1: from CSV.

Repeat these steps for ADM2 and Administrative PIN 2.

By the way

When JavaScript is enabled in your browser, the form may refresh automatically upon selecting from CSV, so that clicking on apply is not necessary. It is fine to click on apply anyway.

input.csv encryption

The input.csv file may contain key material that must remain confidential. There are two critical points in protecting this data:

  • upload to the server, and

  • storage on the server’s file system.

We always have a layer of encryption in place for both:

  • Upload to sysmo-eSIM-manager is encrypted via SSL (https).

  • We always encrypt your input.csv with OpenPGP before storing it in our file system, regardless of whether you uploaded it in encrypted or in plain text form.

In addition, you may upload the input.csv in OpenPGP encrypted form. This adds another layer of encryption to your data while in transfer to the server.

In short:

Detailed instructions, including shell commands with all the correct keys and fingerprints, can be found on the encryption page:

  • Login on the eSIM manager.

  • Open this link — or click on encryption and scroll down to Encrypt input CSV.

    Neat

    Generated eSIM profile packages need to be just as confidential as the input.csv they were made from. With encryption enabled, your personalization job stores generated eSIM profile packages in encrypted form, so that only the SM-DP+ can decode the resulting profile data — not even sysmo-eSIM-manager can decode them.

configure eSIM parameters

An eSIM template provides the basic structure for your batch of eSIM profiles. Your personal eSIM configuration, like IMSI, PINs, Keys, etc., are applied onto that basic eSIM structure in the form of Parameters.

All available parameters show up on a personalization job form, near the bottom, as soon as an eSIM template has been chosen. Some more specialized parameters will only be available when specific templates are in use.

Each parameter is fed from a Source, which decides whether and how a parameter should vary for each eSIM.

All available Sources are described in section [paramsrc].
All available Parameters are described in section [parameters].

screenshots/job_esim_parameters_example.png

parameter sources

For each adjustable parameter, like IMSI, K, PIN1, etc., you may feed eSIM values from different kinds of sources:

  • a constant; for example, to choose the same Algorithm for all eSIMs.
    See section [paramsrc_constant].

  • an incrementing value; for example, for the IMSI:
    "use N IMSIs starting from 001010000000001".
    See section [paramsrc_incrementing].

  • a random-value source; for example: "individually generate 16 random octets of K for each eSIM".
    See section [paramsrc_random].

  • a CSV-file column; to upload preconfigured values for each eSIM.
    See section [paramsrc_csv].

Each parameter source described in detail:

constant

Choose constant to use the same value for each eSIM.

Algorithm example:

  • add the Algorithm parameter to your personalization job.

  • It should be pre-configured as constant and Milenage (1).

This means that each eSIM in this personalization job will be set to use value 1 for Algorithm, i.e. all eSIMs will use Milenage.

IMSI example: if you run an unusual lab setup where all of your eSIMs should have the same IMSI value:

  • Enter the digits of the actual IMSI to use as value for all eSIMs, e.g. 901700123456789.

  • Finally, choose constant from the dropdown next to the value entry field.

This means that each eSIM in this personalization job will have the same IMSI, i.e. exactly 901700123456789.

incrementing decimal digits

Choose incrementing decimal digits to add +1 to this value for each next eSIM.

IMSI example:

  • Set to incrementing decimal digits, and click apply.

  • Enter the digits of the actual IMSI to use for the first eSIM, e.g. 001019999990001.

This means that the first eSIM of this personalization job will use 001019999990001 as IMSI, the second will use 001019999990002, the third 001019999990003 and so on.

By the way

When JavaScript is enabled in your browser, the form may refresh automatically upon selecting incrementing decimal digits, so that clicking on apply is not necessary. It is fine to click on apply anyway.

random decimal digits

Choose random decimal digits for values that should be different for each eSIM, where the value is represented in digits 0-9. (For hexadecimal 0-f digits, see [paramsrc_random_hex] instead.)

Your input value usually sets only the count of digits, not the actual value. For example, a value of "0000" has four digits, so it would randomly assign four-digit values to each eSIM, like 9281, 0591, 4235, …
The chosen value for each eSIM is returned in the final output.csv file.

There is a shorthand notation for random decimal digits, so you don’t need to manually count digits in the web form:
you can append * and a number to repeat the entered digits as many times. For example, a value of 0*4 will expand to 0000 and result in random values that are four digits long.

It is possible to specify a range in which to choose random values, using two dots to separate the start and end value of the desired range. For example, 1000..9999 generates four-digit codes that never start with zero.

PIN1 example, long notation:

  • Go to the PIN1 parameter of your personalization job.

  • Set to random decimal digits and click apply.

  • Enter 0000 as value.

This means that PIN1 will be four digits long for all of the eSIMs, but will have an unpredictable, distinct value for each individual eSIM.

PUK1 example, shorthand notation:

  • Go to the PUK1 parameter of your personalization job.

  • Set to random decimal digits and click apply.

  • Enter 0*8 as value.

This means that PUK1 will be eight digits long for all of the eSIMs, but will have an unpredictable, distinct value for each individual eSIM.

Note

The usual placeholder for random digits is 0. In fact, any letter or digit is equivalent; for a random decimal digit, all of these inputs produce identical results: 0000 = 0*4 = 1234 = XXXX = X*4.

IMSI example, range notation:

  • Set the IMSI parameter to random decimal digits, and click apply.

  • Enter 001010000009000..001010000009999 as value.

This means that all IMSIs will start with 001010000009, each ending in hopefully distinct randomized digits 000 to 999.

By the way

When JavaScript is enabled in your browser, the form may refresh automatically upon changing parameter to random decimal digits, so that clicking on apply is not necessary. It is fine to click on apply anyway.

random hexadecimal digits

Choose random hexadecimal digits for values that should be different for each eSIM, where the value is represented in digits 0-F. (For decimal 0-9 digits, see [paramsrc_random] instead.)

Your input value usually sets only the number of digits, not the actual value. For example, a value of "0000" would randomly assign four-digit values to each eSIM, like 9a8f, 0e91, 4235, …
The chosen value for each eSIM is returned in the final output.csv file.

There is a shorthand notation for random hexadecimal digits, so you don’t need to manually count digits in the web form:
you can append * and a number to repeat the entered digits as many times. For example, a value of 00*16 will repeat 00 a total of 16 times. So it expands to 00000000000000000000000000000000.
This will result in random values that are 32 hex digits or 128 bits long.

It is possible to specify a range in which to choose random values, using two dots to separate the start and end value of the desired range. For example, entering 1000..ffff generates four-digit codes that never start with zero.

OPc example, shorthand notation:

  • Go to the OPc parameter of your personalization job.

  • Set to random hexadecimal digits and click apply.

  • Enter 00*16 as value.

This means that OPc will be two times sixteen, i.e. 32 hex digits long for all of the eSIMs, but will have an unpredictable, distinct value for each individual eSIM.

By the way

When JavaScript is enabled in your browser, the form may refresh automatically upon selecting random hexadecimal digits, so that clicking on apply is not necessary. It is fine to click on apply anyway.

from CSV

Instead of generating values, you may feed pre-generated values per individual eSIM, by uploading an input CSV file.

The input.csv file format and how to match columns to parameters is described in section [input_csv].

all eSIM parameters

ICCID

The ICCID is assigned automatically and cannot be configured.

We assign ICCID to your eSIM profiles internally, drawing from the ICCID range officially assigned to sysmocom.

IMSI

The IMSI, the International Mobile Subscriber Identity, identifies a subscriber on a mobile network.

A valid IMSI value consists of 6 to 15 decimal 0-9 digits, a contrived example:

001020000000003

Here,

  • 001 is the MCC (Mobile Country Code),

  • 02 is the MNC (Mobile Network Code); MCC-MNC form the PLMN code "001-02".

  • 0000000003 identifies one subscriber within the 001-02 PLMN.

Typically, each eSIM has a unique IMSI.

In production networks, IMSI ranges are officially assigned to countries and vendors. You should only use IMSI ranges that are assigned to you, and that are guaranteed to not be in use by anyone else. This is entirely your own responsibility.

In testing networks, you may choose IMSIs freely.

Note

001-01 is the official testing PLMN. However, some devices are known to change their behavior when encountering an IMSI indicating 001-01, so for realistic lab testing, it may be desirable to avoid 001-01.

To use a specific IMSI range:

  • In the IMSI edit field, enter the first valid IMSI of the range, as decimal 0-9 digits without spaces or dashes.

  • Choose incrementing decimal digits for IMSI.

  • Make sure that [the first IMSI] + [number of eSIMs] - 1 is still within your available IMSI range.

For example, to apply IMSIs 001019999990001 through 001019999990100 to 100 new eSIM profiles:

  • Set nr of eSIMs to 100.

  • Set IMSI to incrementing decimal digits and click apply.

  • Enter the first IMSI in the edit field, here 001019999990001.

This means that:

  • the first eSIM of this personalization job will use 001019999990001 as IMSI,

  • the second will use 001019999990002,

  • and so on,

  • the last one will use 001019999990100.

PIN1

PIN1 is the code that most users encounter when they switch on their mobile device, when PIN1 is required to unlock a SIM card for mobile operation.

It consists of four to eight decimal 0-9 digits, which should be random.

PIN1 is usually configured as random decimal digits, so that each eSIM gets its own random PIN1. You will merely indicate the number of digits in the personalization job form.

The chosen value for each eSIM is returned in the final output.csv file.

For example, if all eSIMs should have the same identical PIN1, recommended only for lab test eSIMs:

  • Go to the PIN1 parameter of your personalization job.

  • Set PIN1 to constant and click apply.

  • Enter 1234 in the edit field.

This means that all eSIMs will have the same PIN1 of literally 1234. This is not secure and must not be used in this way in a production network.

To configure each eSIM to have a distinct randomized four digit PIN1:

  • Go to the PIN1 parameter of your personalization job.

  • Set PIN1 to random decimal digits and click apply.

  • Enter 0000 in the edit field — four characters indicate a PIN length of four digits.

For example, to use six randomized digits:

  • Go to the PIN1 parameter of your personalization job.

  • Set PIN1 to random decimal digits and click apply.

  • Enter 000000 or 0*6 in the edit field — 0*6 is shorthand for 000000.

PIN2

PIN2 is used for mobile operator security features, such as limiting calls to specific numbers or call cost control.

PIN2 is configured exactly like PIN1, please see [PIN1].

ADM1

ADM1 is the code that usually allows (depending on the eSIM template) write access to the files, usually not disclosed to consumers.

ADM1 consists of four to eight decimal 0-9 digits, which should be random.

It is configured exactly like PIN1, please see section [PIN1].

ADM2

ADM2 is configured identically to ADM1 and PIN1, please see section [PIN1].

PUK1

PUK1 is the main PIN unlocking code, which a user needs when the PIN1 has been entered incorrectly for too many times in a row.

It consists of exactly eight decimal 0-9 digits, which should be random.

Like PIN1, PUK1 is usually configured as random decimal digits, so that each eSIM gets its own random PUK1. For PUK1, you need to configure exactly eight decimal 0-9 digits.

The chosen value for each eSIM is returned in the final output.csv file.

To configure each eSIM to have a distinct randomized PUK1:

  • Go to the PUK1 parameter of your personalization job.

  • Set PUK1 to random decimal digits and click apply.

  • Enter 0*8 in the edit field.

If all eSIMs should have an identical PUK1, recommended only for lab testing:

  • Go to the PUK1 parameter of your personalization job.

  • Set PUK1 to constant and click apply.

  • Enter 12345678.

This means that all eSIMs will have a PUK1 of 12345678. This is not secure and must not be used in this way in a production network.

PUK2

PUK2 is the PIN2 unlocking code.

PUK2 is configured identically to PUK1, please see section [PUK1].

Algorithm

Algorithm selects the authentication and key agreement (AKA) algorithm that the uSIM uses to authenticate and encrypt signalling on the mobile network.

These AKA algorithms are available, as specified by 3GPP:

  • Milenage, also known as "UMTS-" or "3G authentication". The subscriber and the mobile network mutually authenticate to each other, using the K and OP / OPC keys. This should be the default choice for most use cases.

  • TUAK, a second example algorithm for 3GPP authentication, as specified in 3GPP TS 35.231.

  • usim-test, also known as XOR-3G. This algorithm is used in the context of UE (conformance) testing. If you want to use the eSIM profiles with a cellular network simulator / measurement device, you may need to select it. Check the manual of your simulator to confirm the requirements.

See also [K], [OPc].

K / Ki

K (or Ki) is the subscriber’s personal key that is used for the algorithms described in [Algorithm].

It consists of 32 hexadecimal 0-f digits (16 octets), and should be random.

K is usually configured as random hexadecimal digits, so that each eSIM gets its own random key.

The chosen value for each eSIM is returned in the final output.csv file.

For example, to configure each eSIM to have a distinct value for K:

  • Go to the K parameter of your personalization job.

  • Set K to random hexadecimal digits, and click on apply to refresh the form,

  • Enter 00*16 in the edit field.

This will produce 32 hexadecimal 0-f digits (16 octets), randomly chosen for each individual eSIM.

If all eSIMs should have an identical K, recommended only for lab testing:

  • Go to the K parameter of your personalization job.

  • Set K to constant.

  • Enter 0102030405060708090a0b0c0d0e0f10 in the edit field.

This means that all eSIMs will have an identical K of 0102030405060708090a0b0c0d0e0f10. This is not secure and must not be used in this way in a production network.

OP / OPC

Like K, OPc is used by the algorithm chosen for parameter Algorithm.

OPc can be used as OP, or as OPC, which depends entirely on the mobile operator. Historically, OP was the "Operator Key" and was identical for all subscribers. OPC is a combination of the unique K and the common OP, to form an OPC that is again unique for each subscriber.

OPc is the same length as and configured exactly like K, please see section [K].

Security Domain Keys

Security domain keys usually come in three components: ENC, MAC and DEK (indicated by the Key ID). Each of ENC, MAC, DEK is a key that is either 16, 24 or 32 octets long — that is, either 32, 48 or 64 hexadecimal 0-f digits, corresponding to 128, 192 and 256 bit key lengths, respectively. Each of these keys should be random and unique in a production environment.

Security domain keys are specific to a given Secure Channel Protocol (SCP) and a Key Version Number (KVN).

Each SCP type can have multiple instances, indicated by differing KVN. Each SCP-KVN pair in turn has its components identified by key-ids (usually indicating ENC, MAC and DEK).

Note

GlobalPlatform uses ENC, MAC and DEK naming, while 3GPP OTA uses alternative naming (KIC, KID, KIK): ENC = KIC, MAC = KID, DEK = KIK

Here is a list of some common SDKey configurations:

security domain

reserved KVN range

spec

algorithm

components (bit lengths)

SCP80

0x01 .. 0x0f

ETSI TS 102 225

DES or AES

ENC, MAC, DEK (128 each for DES, 128/192/256 for AES)

SCP81

0x81 .. 0x8f

GP v2.3 Amd. B

n/a

TLS-PSK (128/256), DEK (128/192/256)

SCP02

0x20 .. 0x2f, 0xff

GP v2.3 App. E

DES

ENC, MAC, DEK (128 each)

SCP03

0x30 .. 0x3f

GP v2.3 Amd. D

AES

ENC, MAC, DEK (128/192/256 each)

The personalization job form will display only those keys that are useful in the chosen eSIM template.

For each SDKey, there are as many eSIM parameters as there are key components. For example, for SCP80-KVN01-AES, you will find:

  • SCP80-KVN01-AES-ENC

  • SCP80-KVN01-AES-MAC

  • SCP80-KVN01-AES-DEK

Make sure you configure all three of them.

For example, to set up an SCP80 KVN 0x01 key of AES type using the maximum supported key length:

  • Choose a template featuring the SCP80-KVN01-AES-* parameters.

  • Go to the SCP80-KVN01-AES-ENC parameter of your personalization job.

  • Choose random hexadecimal digits and click apply.

  • Enter 00*64 in the edit field (resulting in 256bit).

  • Do the same steps for SCP80-KVN01-AES-MAC,

  • and again for SCP80-KVN01-AES-DEK.

This means that each eSIM will have its own distinct SCP80 KVN 0x01 key material, generated randomly and individually for each eSIM and each key component.

If all the eSIMs should have identical keys for SCP80 KVN 0x01, recommended only for lab tests:

  • Choose a template featuring the SCP80-KVN01-AES-* parameters.

  • Go to the SCP80-KVN01-AES-ENC parameter of your personalization job.

  • Choose constant and click apply.

  • Enter 00112233445566778899aabbccddeeff in the edit field.

  • Do the same steps for SCP80-KVN01-AES-MAC,

  • and again for SCP80-KVN01-AES-DEK.

This means that all eSIMs will have the same, identical key for all of SCP80 KVN 0x1 ENC, MAC and DEK, which will all be exactly 16 bytes of 00112233445566778899aabbccddeeff. This is not secure and must not be used in this way in a production network.

job config

screenshots/job_job_config_example.png

In the personalization job form, the job config section configures settings that generally apply to all eSIM profiles. The following subsections describe each setting.

Service Provider Name

This name is shown to the end user upon installing an eSIM on a consumer device. You may freely choose an arbitrary name, like the name of your event, or the name of your company.

Profile Class

The GSMA specified profile class that the produced eSIMs should indicate to the eUICC device.

Profile Class

use

Operational

normal production eSIMs, useful for consumers

Test

used to test compliance and interoperability

Provisioning

used to first connect to a network in order to install a proper operational eSIM profile via Remote SIM Provisioning

nr of eSIMs

Choose a number. The eSIM parameter generators are run repeatedly to produce and publish this many eSIM profiles.

Depending on the SM-DP+ chosen to publish at, a fixed amount is charged from your token account for each generated and published eSIM profile. Your token balance needs to be sufficient for this number of eSIM profiles before you may generate and publish eSIM profiles.

Upload to SM-DP+

Choose an SM-DP+ to publish at.

GSMA certified SM-DP+ (Invigo)

For real-world production use of your eSIM profiles, choose GSMA certified SM-DP+ (Invigo).

The usual eUICC in consumer devices require eSIM profiles to be signed by the GSMA certificate authority. This is why eSIM profiles intended for production use need to be published at a GSMA certified SM-DP+.

Test SM-DP+ (sysmocom)

For lab testing environments, where privacy and authentication is not a concern, it is cheaper to use the Test SM-DP+ (sysmocom).

The Test SM-DP+ uses testing certificates as specified in GSMA SGP.26. It can be installed on eUICC We offer both a GSMA certified SM-DP+ upload for production use, as well as a lab testing SM-DP+ using SGP.26 Test Certificates.

publish eSIM profiles

The first step of publishing eSIM profiles: click on the >> generate eSIMs button.

This button is disabled at first, and it becomes active once you have:

  • configured all eSIM parameters,

  • verified encryption (only when encryption was enabled for your personalization job),

  • ensured a sufficient token balance.

If you find the button greyed out, the above items still need attention.

generate final eSIM profile packages

screenshots/job_next_step_generate.png

Once the job is correctly set up, click on the >> generate eSIMs button.

The job’s status will show a progress indicator until generating the eSIM profile packages is complete.

When done, we have generated all the eSIM profile packages ready for upload to the SM-DP+, and the final output.csv with your eSIM data is ready (see [csv]). The next aim is to click on the >> upload to SM-DP+ button, but first, it is time to check on the generated results.

fix possible problems

While generating the final eSIM profiles, sysmo-eSIM-manager also runs an audit across all eSIM profiles, and collects possible problems that might need your attention. Before you can continue to upload, you need to acknowledge each of the warnings shown.

You may download the output.csv file to check on eSIM details.

If there is a problem that needs fixing, you can go back to editing the job: click on discard generated profiles. This completely deletes all generated profiles, as well as the output.csv.

Note

Before uploading is complete, the output.csv file is still considered preliminary, because you may choose to discard the generated profiles instead of uploading them. Re-generating eSIM profiles produces different random values every time.

upload

When the personalization job has successfully generated eSIM profiles, the >> upload to SM-DP+ button becomes active. Click this button to proceed to the final confirmation.

screenshots/job_output_csv_available.png

The upload confirmation again shows all open and acknowledged alerts. To be able to confirm the upload, all blocking alerts will have to be resolved:

  • Any warning should be studied thoroughly. If you are certain that the implications of the described issue are acceptable, you may place a tick mark to acknowledge it, and click on apply. The acknowledged warning will no longer block the upload.

  • Some problem alerts cannot be acknowledged. This happens when the problem is severe, so that uploading cannot possibly continue. Depending on the problem description, you may have to discard the generated eSIM profiles again and reconfigure the personalization job. If problems persist, please contact support@sysmocom.de.

  • Most info and error alerts show past failure and success messages. They do not block eSIM profile upload and can be dismissed at your own discretion.

Once all alerts have been resolved, please consider this checklist:

  • have you chosen an SM-DP+ to match your eUICC device? — usual devices require a GSMA certified SM-DP+; special Test eUICC require an SGP.26 Test SM-DP+.

  • is the generated profile data acceptable? — download the output.csv, decrypt and look at the data.

  • is the amount of tokens we will charge acceptable?

screenshots/job_upload_confirmation_page.png

If you are satisfied with the above, place a tick mark for yes, I am sure and click the upload button at the bottom of the page: >> upload N eSIMs and charge N.NN tokens.

This will:

  • immediately upload the final eSIM profile packages to the SM-DP+,

  • immediately publish the eSIMs for activation in mobile devices worldwide,

  • and charge your token account with the amount shown.

When the upload was successful, you can immediately load your subscriber database with the output.csv data, and customers can immediately start to use the fresh eSIM activation codes from the activation.csv. Both are now available for download, see section [csv].

If, however, there were problems during the upload, this is what happens:

  • If none of your eSIM profiles have been published successfully, your account will not be charged, and the personalization job remains as if you never pressed the upload button. You can retry the upload any time and as often as you desire without additional charge, until at least one eSIM upload succeeds.

  • If some of your eSIM profiles failed, but some others were uploaded successfully, we will charge your token account only for the number of profiles that were published successfully.
    The activation.csv will only list those eSIMs that were uploaded successfully — however, the output.csv will still show all of the eSIM profiles, including those that were not uploaded successfully. The personalization job will remain in the "uploaded" state indefinitely. It is not possible to retry an upload after a partial failure.

    TODO

    SYS#7638 make this atomic instead: rather delete the successful part again and not charge at all

download eSIM profile CSV data

When your eSIMs are uploaded and published, you need to download two CSV files to use them:

  • Download the output.csv to feed to your subscriber database.

  • Download the activation.csv to produce the QR-codes that your users will install eSIM profiles with / to obtain the activation codes that you need to install your eSIM profiles on eUICC.

The personalization job form shows buttons download output.csv and download activation.csv as soon as these files are ready. Click each button to download each file.

screenshots/job_downloads_available.png

To use these files:

decrypt eSIM CSV data

If a personalization job was set to use encryption, the output.csv and activation.csv files that you download will need to be decrypted with your private OpenPGP key.

This example decodes two downloaded files:

cat ~/Downloads/output.csv.gpg | gpg --decrypt > decrypted_output.csv
cat ~/Downloads/activation.csv.gpg | gpg --decrypt > decrypted_activation.csv

The gpg command may open a passphrase prompt, if your private key needs a passphrase.

Note

It may be necessary to configure your gpg passphrase prompt, see section [pgp_pinentry].

CSV format

CSV ("Comma Separated Values") is a common data format that can be imported to spreadsheet programs.

sysmo-eSIM-manager writes all CSV files in UTF-8 encoding, but, depending on the parameters you entered, usually needs only the plain ASCII subset.

The first line lists column names like IMSI, PIN1, …

Each following line represents one eSIM profile, with the column values in the same order as indicated on the first line of the file.

output.csv columns

output.csv is a CSV file, see [csv_format].

The columns in the output.csv file depend on the parameters configured in the personalization job form.

Usually, you will have at least these columns:

  • ICCID

  • IMSI

  • Algorithm

  • K

  • OPc

  • PIN1

  • PIN2

  • PUK1

  • PUK2

  • ADM1

  • ADM2

These may be followed by columns for Security Domain Keys, etc.

The eSIM entry rows are ordered by ICCID.

The data cells have the following format:

  • ICCID, IMSI, PIN, PUK, ADM:
    Decimal digit fields of varying lengths. A data cell will consist simply of decimal digits representing the value in human readable form.

  • Algorithm:
    Selection field, says either Milenage, TUAK or usim-test.

  • K, OPc, SCP…:
    Hexadecimal fields of varying but even-numbered lengths, where two hexadecimal digits represent one octet in the binary representation of the key.

  • IMSI-ACC:
    raw hexadecimal EF format value: four hexadecimal digits.

Value examples

  • ICCID: 8949449000000000348

  • IMSI: 901704242423235

  • ADM1: 45193781

  • ADM2: 94827010

  • Algorithm: Milenage

  • IMSI-ACC: 0200

  • K: 3b19d0fa7832e0b482c092b10a4837e1

  • OPc: 9f9e35a1b2a5178e3c20ba81103380c2

  • PIN1: 0123

  • PIN2: 1730

  • PUK1: 11820245

  • PUK2: 32761302

  • SCP80-KVN01-AES-ENC: 23718a3718aab23882d02302eb5ab23882d02323718a3718a02eb59234b2fb85

  • SCP80-KVN01-AES-MAC: 02eb592eb59234b2fb823718aab234b2fb823702eb592eb5918aab23882d0230

  • SCP80-KVN01-AES-DEK: fb8237b823718aab23882d0202e18aab23882dfb8237b82370202eb59234b28a

Full output.csv Example

ADM1,ADM2,Algorithm,ICCID,IMSI,K,OPc,PIN1,PIN2,PUK1,PUK2,SCP80-KVN01-AES-DEK,SCP80-KVN01-AES-ENC,SCP80-KVN01-AES-MAC
71036711,28794856,Milenage,8949449000000000330,001010000009698,ec33bc8dd7594155c723e1fce715a211,b9667150debf27c7df3a70bddde3bfbe,3720,2436,55845724,74687461,2cf6aa8442f45478fe9d0403e6e365494f3a25f75350e9fcb438f02f9df0d2e6,8a13d5713ed9a95446efbe998bd31cb514fff9f71a0b266a1dc3f045a2c0b3cd,0684002c54e57be5faec58a527b3405afc6c70b8b2afa2f5fb5f21ae4e9d83dd
91392200,94251422,Milenage,8949449000000000348,001010000009728,5ff3ea5be5341064155abf7dcb9c02c3,0a11cc37d42916fbae0c289aff19f43e,1271,7505,80164157,15521531,56764773123988e7e72bcc85bb03e5f950fa3a85db42b3d05420e4a8d262fa63,89708568273077642d69c88360604426d1023d979680aa2548af9879216c8fdd,68a713cd5bc60cc1163963c56ae8a922714433250bcb3123695cefc16d9be74f
85769292,52026360,Milenage,8949449000000000355,001010000009227,144c1e5a5fd18eb3734b63554c575d9f,9f901ab2415ea1b4b967117dcbb0704d,9427,8341,07267305,94051063,833e0a1b7f2d2b442037c6609fed12e0aab2aa8a67b5735f7d0af6eb4fab7470,3b292de3ab01ca4c2a6d01587ded1d1ede2482288ac025708abc58c1d3aa24ab,9abcb7a98750abe069140b91ffc6e26a9cd84bad6bc791d835ea77b96af99fa7

activation.csv columns

activation.csv contains the columns:

  • ICCID

  • IMSI

  • activation_code — the full activation code.

  • smdpp_hostname — just the SM-DP+ hostname part of the activation code, a useful value for lpac -s.

  • smdpp_oid — just the OID part of the activation code.

  • matching_id — just the Matching ID part of the activation code.

  • confirmation_code — just the Confirmation Code part of the activation code.

Value examples

  • ICCID: 8949449000000000330

  • IMSI: 001010000009698

  • activation_code:
    1$smdpp.test.rsp.sysmocom.de$8949449000000000330

  • smdpp_hostname:
    smdpp.test.rsp.sysmocom.de

  • smdpp_oid: empty

  • matching_id: 8949449000000000330

  • confirmation_code: empty

Full activation.csv Example

ICCID,IMSI,activation_code,smdpp_hostname,smdpp_oid,matching_id,confirmation_code
8949449000000000900,001010000000000,1$smdpp.example.com$8949449000000000900,smdpp.example.com,,8949449000000000900,
8949449000000000918,001010000000001,1$smdpp.example.com$8949449000000000918,smdpp.example.com,,8949449000000000918,
8949449000000000926,001010000000002,1$smdpp.example.com$8949449000000000926,smdpp.example.com,,8949449000000000926,
8949449000000000934,001010000000003,1$smdpp.example.com$8949449000000000934,smdpp.example.com,,8949449000000000934,

activation

Once you have the activation data ready from the activation.csv, this is how an eSIM profile gets installed on a mobile device:

  • go to device Network/Internet settings,

  • choose to add a SIM via download,

  • now scan the QR code as instructed.

    Note

    A normal Camera / QR code scanner app will just yield the activation string, and will not bring up the SIM card settings.

You can get the QR code in various ways:

QR code on sysmo-eSIM-manager

  • Go to the personalization job.

  • In the list of uploaded eSIMs, click on the desired eSIM profile.

  • The eSIM detail page should show the activation QR code.

screenshots/esim_info.png
Note

After "sweeping" a job, the activation code no longer shows.

generate QR code from activation code

To generate a QR code for an eSIM profile, put LPA: before the start of the activation_code obtained from the activation.csv.

For example, if the activation code is
1$smdpp.test.rsp.sysmocom.de$8949449000000000330, then feed LPA:1$smdpp.test.rsp.sysmocom.de$8949449000000000330
to a QR code generator.

For example, using the qrencode tool:

$ qrencode -t UTF8i 'LPA:1$smdpp.test.rsp.sysmocom.de$8949449000000000330'


    █▀▀▀▀▀█ ███ ▀  █▄ ▀   █▀▀▀▀▀█
    █ ███ █ █▄▀█ ▄█▄▄▄█▄▀ █ ███ █
    █ ▀▀▀ █ ▄  ▄▄▀ ▀ ▀▀▀  █ ▀▀▀ █
    ▀▀▀▀▀▀▀ ▀▄▀ █ ▀▄█ █ ▀ ▀▀▀▀▀▀▀
    ▀▀▄▄▀▀▀ ▄▄▄▀▄▀▀▀ ▀▀ ▄▄ █ ▀██▀
    █ ▀▀ ▄▀▀█ ▄█▀ ▀ █▀█▀ ▀█▄▄ ▄██
    ▄▄▄▀▀▄▀█▀▄▀ ▀▄█▄▀█▀█▀▄▀▀ ▄██▀
    ▀▀▄███▀▀▄▄█ ▄  ██▀█▀█ ██ ▄
    ▄▄   ▄▀ █▀▀▀▄██  ▄█▄▀▀▀▄▀█  ▄
      ▄▄▀█▀▄█▄██▀  ▄▀▀█▀▀ ▄▄ █▄█▄
    ▀▀ ▀▀▀▀ ▄▄▄ ▀██ ▀█▀▄█▀▀▀█▀▀██
    █▀▀▀▀▀█ ▄█▀ ▄  ▄▄▀█▄█ ▀ █▀▄▀▀
    █ ███ █ ▀ ▀▀███ ▀▀▀ ███▀█ ▄
    █ ▀▀▀ █ ▄▀▄█  ▀▄▄▀▀▄█▄█ ▀▀▄█▀
    ▀▀▀▀▀▀▀ ▀▀▀ ▀ ▀▀▀▀▀▀    ▀ ▀

activation via lpac

If you are using an eUICC directly with the lpac client, you need to pass the SMDP address and the Matching ID separately on the lpac command line:

For an activation_code of
1$smdpp.test.rsp.sysmocom.de$8949449000000000330-1587ded1d1ede2482
you would invoke

lpac profile download -s smdpp.test.rsp.sysmocom.de -m 8949449000000000330-1587ded1d1ede2482

For further details on usage, please refer to the lpac documentation. Find a link in the glossary.

Note

Besides the complete activation code, the activation.csv also has separate columns with just the SM-DP+ address, Matching ID, etc, for easier machine processing.

sweep: delete eSIM profile details

When a job is complete, you may want to remove all eSIM profile details from our server, for additional security of your eSIM profile data.

  • When a personalization job has successfully published eSIM profiles and is in the uploaded state,

  • you will find a button labeled sweep this job: discard all eSIM profile details on the job’s detail page.

  • When you click this button, a confirmation page lists the effects of a sweep.

It is crucial that you have downloaded both the output.csv and activation.csv files and backed them up safely. After a sweep, we can no longer provide this data to you.

Once you have read the details,

  • place a tick-mark for yes, I am sure, and

  • click on the big button labeled sweep personalization job.

After a sweep, a personalization job no longer has any encrypted or unencrypted record of your eSIM data, apart from the ICCID list and the token transaction showing in your balance. Only the published eSIM records remain at the SM-DP+ service that you have chosen.

Glossary

activation code

Combination of the SM-DP+ address and the Matching ID.

Example:
1$smdpp.test.rsp.sysmocom.de$8949449000000000330

See [activation].

CSV

Comma Separated Values, a specific DSV (Delimiter Separated Values) format.

DSV is a text-based file format useful to store arbitrary data in tabular rows and columns, often used in conjunction with spreadsheet and database applications.

Originally, CSV uses a comma character to separate values of a dataset, and the newline character to separate dataset rows.

Variants of CSV using alternative characters like tab and carriage-return, as well as various ways of escaping separator characters have become de-facto standards. Though precise alternate names exist, like "TSV" for tab separated values, "CSV" remains the most commonly used name for any DSV variants, regardless of the actual choice of separators.

sysmo-eSIM-manager handles eSIM profile details in the form of CSV files. Usually, the plain-text CSV data file is OpenPGP encrypted and must first be decoded to obtain useful data.

See sections:

eSIM

Embedded SIM (subscriber identity module).

A non-physical subscriber profile, which can be downloaded from an SM-DP+ server to an eUICC device.

eUICC

Embedded UICC (universal integrated circuit card).

A physical, secure device that is able to load personalized eSIM profiles. It is either a chip embedded in a mobile device, or a physical UICC chip card. The eUICC verifies all eSIM profiles it receives, i.e. your published eSIM profiles need to match the certificate authority embedded in your eUICC device. This is done by choosing an SM-DP+ that matches your intended target eUICC: for usual consumer devices, you need to publish your eSIM profiles on a GSMA certified SM-DP+. For test eUICC, using the SGP.26 test certificates, you need to publish on a Test SM-DP+.

See also activation via lpac.

GnuPG

OpenPGP implementation by the GNU project, providing the gpg program.

We recommend using GnuPG as OpenPGP agent.

See https://gnupg.org

GSMA

The GSM Association.

A non-profit trade association that coordinates mobile network standards worldwide.

Usual consumer eUICC are GSMA certified, which means that the SM-DP+ server must also be GSMA certified in order for an eSIM download to succeed.

ICCID

The ICCID, the Integrated Circuit Card Identifier, identifies the eSIM profile.

Trivia

The ICCID’s name bears legacy to a time before virtualized eSIM: for an eSIM profile, the eUICC is the actual integrated circuit, and the ICCID identifies a virtualized entity, despite having "Integrated Circuit" in its name. It does however still need an actual eUICC circuit to become useful, which is built into each eSIM capable device.

See also the ICCID parameter.

IMSI

International Mobile Subscriber Identity. See the IMSI parameter.

LPA

Local Profile Assistant: an entity defined by GSMA SGP.22.

In simple terms, the LPA can be seen as the client program that you run on your local system to download an eSIM profile from a remote SM-DP+ to your local eUICC device.

See also lpac.

lpac

Open source LPA implementation, see https://github.com/estkme-group/lpac.

See also this usage example.

Matching ID

Identifier used to download a published eSIM profile. Usually, a Matching ID serves as both identifier and verification secret.

An activation code combines a Matching ID with the corresponding SM-DP+ address, which is all the information needed to download and activate an eSIM profile from an SM-DP+ onto an eUICC device.

See [activation].

OpenPGP

OpenPGP (Open Pretty Good Privacy) is a public standard for data encryption and signing, using a public/private key schema.

We recommend GnuPG as OpenPGP agent.

See https://openpgp.org

Osmocom

Open Source Mobile Communications.

A Free/Libre software project hosting the pySim project, which the sysmo-eSIM-manager makes heavy use of.

SDKey / Security Domain Key

An eSIM profile can contain various key material, for arbitrary purposes, in the form of Security Domain Keys. See section [SdKeys].

SM-DP+

The SM-DP+ is a public server, which an eUICC (e.g. a mobile device) talks to when installing an eSIM via an activation code.

SM-DP means "Subscription Manager - Data Preparation", which means to say that it makes eSIMs available to the general public.

The "+" indicates that it is used for SGP.21/22 consumer eSIM and not SGP.01/02 M2M eSIM.

See also: choose an SM-DP+.

sysmocom tokens

A sysmocom-specific credit balance.

sysmocom token voucher codes are available for purchase at https://shop.sysmocom.de/.

Such voucher codes can be redeemed to top up your sysmocom token balance after logging in at https://esim.sysmocom.de/balance/. The token balance is then bound to your user account.

Voucher codes and token balances cannot be transferred or refunded.

UPP

Unprotected Profile Package.

The raw binary eSIM data that is sent to the SM-DP+ in order to publish an eSIM profile.