GrapheneOS / os-issue-tracker

Issue tracker for GrapheneOS Android Open Source Project hardening work. Standalone projects like Auditor, AttestationServer and hardened_malloc have their own dedicated trackers.
https://grapheneos.org/

eSIM activation support and configuration #159

Closed ProactivePhilomath closed 2 years ago

ProactivePhilomath commented 4 years ago

I'm creating this issue to discuss and track the implementation of eSIM support in GrapheneOS.

This would be an enhancement for Pixel models 3, 3 XL, 3a and 3a XL.

ivenprillwitz commented 3 years ago

> Deleting it will be supported in Android 12.

Updated to Android 12 Beta. I don't see the option to add an esim.

thestinger commented 3 years ago

There's still no activation app but the OS supports it and deletion is now available. That's progress.

SatelliteSnyper commented 3 years ago

> I would like to be do good donation as Snyper did.

@mrmcan if you decide to commit to a bounty I will match it up to another 0.2 BTC on top of my existing 0.2 BTC bounty.

lxp commented 3 years ago

> Deleting it will be supported in Android 12.

I have enrolled my eSIM with stock some time ago and recently updated to Android 12 (GOS 2021102300), but I do not see an option to delete the eSIM. It is even worse, in the menu Network and Internet > SIMs the eSIM does not even show up. The only way I can currently change SIM settings for it is to go to Network and Internet > Internet and click on the settings icon beside the Mobile data connected eSIM. However, I am not sure if this will still be possible if I switch off Mobile data for the eSIM. I fear that then I will have no way of re-enabling Mobile data or anything else for the eSIM.

Can this be fixed, so that an enrolled eSIM shows up again in Network and Internet > SIMs like it was with Android 11?

logicalup commented 3 years ago

So the way I was able to delete it in the Android 12 update is by taking out my only other (physical) sim first. Then rebooting, it showed the esim, and I clicked Disable in its settings. Then reboot and insert back the other sim.

Not sure if any reboots were necessary, I just did it anyway.

Juretsky commented 3 years ago

> > Deleting it will be supported in Android 12.
>
> I have enrolled my eSIM with stock some time ago and recently updated to Android 12 (GOS 2021102300), but I do not see an option to delete the eSIM. It is even worse, in the menu Network and Internet > SIMs the eSIM does not even show up. The only way I can currently change SIM settings for it is to go to Network and Internet > Internet and click on the settings icon beside the Mobile data connected eSIM. However, I am not sure if this will still be possible if I switch off Mobile data for the eSIM. I fear that then I will have no way of re-enabling Mobile data or anything else for the eSIM.
>
> Can this be fixed, so that an enrolled eSIM shows up again in Network and Internet > SIMs like it was with Android 11?

You will be able to take out the physical sim and turn on the Internet again through the esim. I did so.

motojojo615 commented 2 years ago

Just wanting to keep this issue visible. The menu for the eSIM used to be there, but I guess something in one of the recent updates got rid of it...?

NewRedsquare commented 2 years ago

> Just wanting to keep this issue visible. The menu for the eSIM used to be there, but I guess something in one of the recent updates got rid of it...?

Yup, the only way to edit some settings of the eSim is by doing *#*#4636#*#* and selecting the eSim profile :(

ATGUAG commented 2 years ago

Is this project related to the current issue? https://github.com/Truphone/LPAd_SM-DPPlus_Connector

thestinger commented 2 years ago

That looks like it could be what we need when combined with the other repositories. Someone would need to figure out how to fully integrate it and set it up.

satrinity402 commented 2 years ago

eSIM support would be awesome!

FreemanJones commented 2 years ago

Hey all, I have signed up an account just to respond to this as a total "novice know nothing" who was reading along here hoping to get a solution and appear to have completely by accident and inexplicably solved the issue with no knowledge of how or what made it possible (given I have missed a bunch of steps you have discussed and have zero idea how it is even technically possible that this is working now!?).

I now have a fully functional esim loaded. Here is my config and here is what I have done - again don't ask me to explain my logic or anything technical, I have absolutely no idea and have somehow stumbled onto this with zero understanding:

In case it matters:

I am in Australia on Telstra network. I transferred my phone number which was on a traditional plastic sim card in an iPhone to an esim service onto the Pixel 6 Pro whilst using the factory Google Pixel 6 Pro ROM. This involved downloading the MyTelstra app via Google Play Store to do this.

The esim service had not provisioned properly though - was getting error saying it wasn't working (I can't even remember the actual error message now that's how little attention I was paying!).

Before bothering fixing the issue, I assumed that the esim was loaded on the phone and that it was a carrier issue, just delayed provisioning maybe... so I flashed GOS and then immediately set up a second profile that is "googleafied" - basically the second profile is set up with all of Google's Play services etc. but it is sandboxed from the primary profile?

I then went back to the primary profile, which was still completely stock and untouched apart from allowing multiple profiles toggle set.

I downloaded aurora store and downloaded the mytelstra app - and I should mention I was getting the same sim service error notification as before on the stock pixel os at this point.

I then allowed dsds as per the steps above and rebooted phone.

I then requested a reconfigure on the mytelstra app of the esim to the device I was using (now which was GOS, primary profile completely stock apart from the above mentioned)

Nothing exciting happened in 30 seconds so being the impatient person I am, I kicked the cat and repeated the esim service setup request as above. This time I got an error message saying that the original request had not yet been provisioned and that I would get a notice when it was and then I could start a new request.

30 seconds later, my iPhone (still with original sim card in it and still with active service working) rang for a business call - halfway through the call it dropped out and I panicked briefly as I realised my service had now been transferred off the plastic sim to the non-working esim and thought I was screwed as it is my business number... Then whilst holding my iPhone in my hand looking for something to throw it at in panic, my Pixel with GrapheneOS came to life as the caller phoned me back after our original call dropping out and the whole thing is working.

I have tested data, incoming and outgoing calls, MMS is sent through data for me anyway due to Signal messenger and from all I can see, the phone and esim is fully functional.

I am about to try putting my second number into the physical sim tray now and see if both numbers get service.

Will update shortly.

t-8ch commented 2 years ago

It seems the published LPA from Truphone is fairly incomplete. For example the "LPAd Android" repository is missing. (Also mentioned at https://github.com/Truphone/LPAd_SM-DPPlus_Connector/issues/2 without an answer)

Also it seems that an LPA can very well run into issues with all kinds of external systems:

> If you're making your own LPA, you should go through much more rigorous testing.
> You should work with your modem vendor, eUICC chip or eSIM OS vendor, SM-DP+ vendors, and carriers to resolve issues and ensure interoperability of your LPA within the RSP architecture.
> A good amount of manual testing is inevitable. For best test coverage, you should follow the [GSMA SGP.23 RSP Test Plan](https://www.gsma.com/newsroom/wp-content/uploads//SGP.23-v1.4.pdf).

Wouldn't it be possible to run the Google LPA in a sandbox similar to the other Play components and then hook it up into the upcoming package manager? The sandbox could include a system app as a shim that forwards its invocations to the non-privileged Google LPA. Users could even deinstall those components after the initial setup.

SatelliteSnyper commented 2 years ago

Bounty increased to 1 BTC [== $44000 today] for an open source activation app. Check address balance above. Can it be mentioned in the issue's title to make it better visible?

I think this would help people in oppressive countries which restrict SIM card purchase but allow "foreign / tourist" (e)SIM cards.

eSIM activation also is a reason some people still need to use another OS. I'm just saying let's get that reason fixed too :sunglasses:

> Wouldn't it be possible to run the Google LPA in a sandbox similar to the other Play components and then hook it up into the upcoming package manager?

Difficult to trust a closed source Google app for this purpose! It probably submits the new activated IMSI number and so on to Google?

gordonel commented 2 years ago

So I guess this is finally coming. I only have one question: do we know what kind of info gets sent to Google during eSIM activation process, if any?

If not, can somebody find out or outline what would be the best way to do that? I have a doxxed eSIM I could try this on, but I'd much prefer to keep my phone clean of that

EDIT: Used RethinkDNS to block all unwanted Google Traffic

thestinger commented 2 years ago

It needs internet access for activation but you could always revoke Network afterwards without disabling the apps.

thestinger commented 2 years ago

This is implemented as part of sandboxed Google Play and will be documented soon. Providing an alternative implementation is an extremely long term goal and may not ever support Pixels but rather only GrapheneOS hardware.

thestinger commented 2 years ago

Documentation will be added in the next few days.

no-usernames-left commented 2 years ago

I note that the bounty has not yet been paid out. @SatelliteSnyper do you plan to release this to the project? The terms were "development of eSIM support / LPA without needing to use stock Google Android", which seems to now be met.

thestinger commented 2 years ago

If it's meant to be for developing a whole alternate implementation, that's going to be way too much work for the near future and it would be better to pay someone to work on it rather than someone needing to put in a massive amount of work to write a hundred thousand lines of code and deal with complex stuff without any guarantee they get funding.

gordonel commented 2 years ago

Maybe this would be better suited for AOSP development, or some kind of collaborative project between AOSP-based ROMs (Calyx, LineageOS, GrapheneOS etc.) with the eventual goal of making it a FOSS app that can live on F-Droid.

It's gotta be at least 1.5x less work if at least 3 teams pitch in

gordonel commented 2 years ago

> it would be better to pay someone to work on it rather than someone needing to put in a massive amount of work to write a hundred thousand lines of code and deal with complex stuff without any guarantee they get funding.

Where would one look for this kind of muscle?

no-usernames-left commented 2 years ago

> It's gotta be at least 1.5x less work if at least 3 teams pitch in

The Mythical Man-Month joins the chat

SatelliteSnyper commented 2 years ago

The bounty was intended for an open source activation app. But to make things easier now I have donated it / 0.99 BTC to GrapheneOS. I understand that GrapheneOS is NOT bound by my desire to see it used for the development of an open source activation app (#1079).

I would be happy to gift the remaining 0.01 BTC to you @Lackshan if you post a wallet address, as a thank you for the work already put in (e.g. research, expenses) even if it didn't work out in the end (or so far... never say never :sunglasses:).

v2g2342g4 commented 2 years ago

> The bounty was intended for an open source activation app. But to make things easier now I have donated it / 0.99 BTC to GrapheneOS. I understand that GrapheneOS is NOT bound by my desire to see it used for the development of an open source activation app (#1079).
>
> I would be happy to gift the remaining 0.01 BTC to you @Lackshan if you post a wallet address, as a thank you for the work already put in (e.g. research, expenses) even if it didn't work out in the end (or so far... never say never :sunglasses:).

I was really thankful that you put up the 1 BTC bounty on this, and I respect you for paying it out. However, I don't think you should have paid. I wouldn't have because we still require Google services on the phone.... In any case, I'm hopeful someone smarter than I am will be able to support eSIM without requiring us to install the Play Store.

thestinger commented 2 years ago

We consider it a donation to the project to support further development.

geppi commented 2 years ago

It looks like it is required to have the Google PlayServices installed in the Owner Profile to enable the privileged eSIM management. Therefore if you want to be able to manage your eSIM it is not a viable option to keep the Owner Profile clean and quarantine the PlayServices into an alternate user profile.

So far I couldn't check if it would work with the PlayServices solely installed into a Work Profile of the Owner Profile. Does somebody have it working this way?

Which of the 3 components of the sandboxed PlayServices would be required to keep it to a minimum?

thestinger commented 2 years ago

In general, apps installed in the Owner profile don't have special capabilities. However, only the owner profile can manage eSIM configuration and this has to be there instead of another one. You could put your apps not requiring Play services in a work or secondary profile instead. It's just how this works until there's an alternate implementation not requiring Play services.

geppi commented 2 years ago

Can you tell if it does require all 3 components including the PlayStore? Or would GSF + GMS be sufficient?

thestinger commented 2 years ago

GSF + GMS should be enough. I don't know how much it requires from them, like whether it actually uses any of their services (i.e. Network may be required) through GMS instead of doing that itself.

ghost commented 2 years ago

Yes after activation you can remove GSF + GMS.

thestinger commented 2 years ago

They're simply 3 regular sandboxed apps with the same sandbox, rules and restrictions as other user installed apps. There's nothing special about installing or removing them.

ghost commented 2 years ago

They're normal apps. They aren't special. They aren't privileged. Uninstalling them like any other app is all you need to do.

felixmartens commented 2 years ago

Having read the whole discussion multiple times: Did I get this right that the current release supports eSIM activation without doing this on stock OS before?

Thanks for your insane development!!

thestinger commented 2 years ago

Read https://grapheneos.org/usage#sandboxed-google-play-esim. It's supported as a sandboxed Google Play extension.

thestinger commented 2 years ago

Developing an open source replacement for the Pixel eSIM apps providing the same functionality and meeting our requirements doesn't currently have someone working on it.

We plan on using the donation to provide funding to someone to develop what we need rather than the unrealistic approach of someone making a large project meeting our requirements with no funding with the hope of getting it merged with the unpaid time they're able to invest in it to obtain a bounty. Bounties are problematic for non-trivial projects like this for multiple reasons and one of those can be seen here where the specifics were not laid out. Someone might have invested substantial work in it only to not end up providing something we're able to merge and therefore not getting it. It's better for us to find someone to work on it and fund it normally.

thestinger commented 2 years ago

A full implementation is inherently going to require an optional dependency on sandboxed Google Play because FCM is used as part of activation for some carriers.

The first thing to do is figuring out the scope of the full project and what would actually need to be done to provide all that functionality.

We should probably develop an alternative to the Pixel app for keeping the eSIM secure element firmware uploaded / updated before working on the activation portion of it. That's a smaller task and then at least people wouldn't have much reason to do more than the initial activation using the Google apps.

geppi commented 2 years ago

Just stumbled across this blogpost mentioning PeterCxy’s OpenEUICC project, an open source eSIM LPA implementation licensed under GPLv2. It says that:

> OpenEUICC implements Android’s system APIs for eSIM management, namely EuiccManager and EuiccService, and it requests the privileged permissions needed to interface with eUICCs via the TelephonyManager API (android.permission.WRITE_EMBEDDED_SUBSCRIPTIONS and android.permission.MODIFY_PHONE_STATE) or OMAPI (android.permission.SECURE_ELEMENT_PRIVILEGED_OPERATION) without needing to be allow listed in the ARF.

Could that be used as the foundation of a full implementation for eSIM activation and configuration support in GrapheneOS without sandboxed Google Play Services?

flawedworld commented 2 years ago

No, it's incomplete.

oleduc commented 1 year ago

I was able to set up my eSIM by installing sandboxed Google Play services in privilege mode and then removing it. Airplane mode and reboot worked fine.

codethief commented 1 year ago

PSA: Once I had it working, I made the mistake of hitting the "disable SIM" toggle for the eSIM in the network settings. (My plan was to disable the eSIM for a second to see whether the physical SIM is fully functional, too.) Unfortunately, the eSIM then disappeared completely and it seems there is no way of undoing this, short of re-flashing GrapheneOS. (I tried disabling and re-enabling DSDS, among other things.) So be careful. :)

I stand corrected: As I just found out, after accidentally disabling the eSIM and the eSIM disappearing, it is not necessary to flash the stock ROM and then re-install GrapheneOS. The eSIM is not entirely gone and it is possible to make it reappear by briefly disabling DSDS (via *#*#INFO#*#* or *#*#4636#*#*) and then reenabling it again.

thestinger commented 1 year ago

GrapheneOS has eSIM activation support:

https://grapheneos.org/usage#sandboxed-google-play-esim

There's no need to use the stock OS even for activating initially.

thestinger commented 1 year ago

A new issue should be used for discussing new issues or discussing development of an open source eSIM activation and firmware update system.