The embedded SIM device testing challenge

by donpedro

eSIM on the path of becoming mainstream

In recent years the telecom industry has seen the emergence of a new type of SIM card, the embedded SIM, or eSIM; essentially a UICC (Universal Integrated Circuit Card) soldered onto the circuit board which cannot be removed. The use of eSIMs has been driven by two types of applications:  Size reduction and water proofing for wearables, such as smartwatches, and the pursuit for a rugged telecom module with always-on connectivity in automotive. Tablet and smartphone vendors have also started to adopt this technology.

Figure 1: SIM evolution (© Anritsu)

Remote Provisioning, who is in control?

Due to their non-removable nature, an eSIM cannot be swapped. Hence, to change the network operator subscription, a mechanism called RSP (Remote SIM Provisioning) has been defined by GSMA. This allows the manipulation of profiles on the card to carry out operations such as: Download, enable, disable, edit, …

Figure 2: Remote SIM Provisioning device type (simplified) (© Anritsu)

The RSP specification distinguishes between two types of device which defines who has control over the eSIM:

An M2M device where the service provider has control over the network. In this context, a service provider could be the eSIM manufacturer, the operator, or the device maker.

A consumer device, where each end user can proactively update the SIM information such as the subscriber contract.

Despite the soldered eSIM being its main use case, RSP can also be used for removable types of UICC eSIM featuring the RSP applet.

Figure 3: Example of a local trigger to switch an eUICC from live to test mode (© Anritsu)

M2M device architecture, shown in figure 2 is operator driven. This means that the operator controls the SIM profile on the UICC and is the only one who can change the information located on the hardware. This delivers the highest security as the network is managed entirely by the mobile network operator (MNO), who can bring dedicated services to a specific hardware. This is the case for car manufacturers who strike deals with MNOs to ensure the optimal quality of service for their cloud connectivity.  However, for the general public, the use of this architecture can be perceived as a continuation of a hostile operator sales strategy, where the consumer is essentially tied to one operator for their services.

The second architecture is the ‘consumer device’. This allows the user to change the profile if desired. This architecture is favoured by device and software manufacturers offering different network plans as they can also gain a share of the revenue. Once the user has chosen his or her plan, the MNO assumes control of the profile.

eSIM Certificates, the key to security.

Introducing the capability to remotely change the parameters of a SIM creates obvious security concerns. However, the RSP M2M Architecture has been designed with security in mind; relying on trust certificates issued by the GSMA Authority to certify each actor in the chain to ensure there is no security breach within live ecosystems.

Device testing, how to define and access a test profile?

With security being essential in the RSP architecture, an M2M device cannot establish a connection if has not been provisioned by means of a live operator network certified by GSMA.

This architecture is challenging for device testing as the industry relies on dummy virtual operators to establish a connection to test devices, using the variety of test profiles, throughout the entire life cycle of the device:

During product development to validate the chipset, RF characteristics and protocols.

At the conformance level to certify devices will work according to standard.

On the production line to verify consistency in quality.

In repair centres.

Unfortunately, using live certificates prevents the usage of laboratory network simulators. One solution, to ensure that it is possible to test a device during these life cycle stages, is to use a provisioned test certificate and test profile on the eUICC. This enables devices to be directly connected to network simulators. Recently a working group at GSMA busy has defined the test profile to be used by the testing industry. The methodology for switching to a test profile or enabling a test certificate is also still under discussion. One typical methodology is to use special production batches where test profiles are provisioned. This is not an ideal solution and a standardised approach is demanded by the industry.

Another solution is to locally trigger the test mode via a secure interface (AT commands, SPI, SSH, Adb …)

Figure 4: eUICC test bench to verify eUICC and DUT (© Anritsu)

Anritsu/COMPRION Solution for M2M and Consumer devices

Using the Anritsu network Simulator MD8475B in combination with the COMPRION eUICC Profile Manager, however, allows over-the-air updating of eUICCs, and their profiles, by means of a simulated network.

Figure 5: GUI to control eUICC: Update /Load / Enable / Disable/ Remove … (© Anritsu)

The COMPRION eUICC Profile Manager simulates an SM-SR and SM-DP (Subscription Manager Secure Routing and Subscription Manager Data Preparation) remote management server and directly controls the Anritsu network simulator.

Different networks can be configured directly from the GUI and there is no need to be an expert in cellular networks to achieve a connection. The test scenarios include Profile Management operations; a set of functions related to the download of a new profile onto the eUICC and verification of its contents. This laboratory test bench is, for example, used in the conformance tests for Automatic emergency calls (ERA-GLONASS GOST chapter 9).

The Signalling Tester MD8475B is an all-in-one base station simulator supporting 2g/3G/LTE and 5G anchors. It supports connectivity to the cloud, VoLTE and call-processing. This is an ideal tool for validation purposes where all levels of tracing are available from the Physical layer to the IP layer.

One major advantage of test networks is the possibility to configure any country network to test roaming. This alleviates the need to go into the field to test the switching between operators across national borders.


Many non-standardised approaches currently exist to test cellular devices using M2M eUICCs using network simulators. These vary from eUICC manufacturer to device maker. However, once the test profile and test certificate are provisioned on a device, the standardised communication GSMA RSP link can be established. The Anritsu/COMPRION solution is the ideal tool to establish the RSP link and comprehensively test this communication channel and your devices for a variety of scenarios such as roaming agreements.



Anritsu Corporation

Related Articles

Leave a Comment