> ESIM Authentication Failure (UK, EE network), ESIM fails to install on EE network with certificate security error
davidpin
post Nov 27 2019, 09:32 AM
Post #1








I've been trying to install an ESIM onto my Cosmo.

The ESIM (QR Code) was supplied by EE in the UK.

There are a number of issues:

When you scan the QR code (or enter manually) it fails to install the ESIM profile. The error message says:

Processing Activation Code - SM-DP+MUTUAL AUTHENTICATION - MUTUAL AUTHENTICATION operation failed.
ES9+.InitiateAuthentication error: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

The SM-DP that is included in the QR code is: sm-v4-010-a-gtm.pr.go-esim.com (matches details on EE website)

I've looked at the trusted certs loaded onto the Cosmo (Android -> Settings -> Security & Location -> Advanced -> Encryption & credentials -> Trusted Credentials)

There are lots - but no idea what cert I need to load or where the real problem is. Android does not like self-signed certs and I'm thinking this is what EE have done.

Has anybody got ESIM to work? Anywhere - country or network?

I'm wondering if this is an EE problem in the UK. They do support some Android devices (Pixel 4, Samsung Galaxy??)
davidpin
post Nov 27 2019, 09:45 AM
Post #2









Doing a bit more digging (using Chrome on Mac).

The site cert for *.pr.go-esim.com is as follows:

Chrome reports "GSM Association - RSP2 Root Cl1" - certificate is not trusted

I'm going to try and find the root cert and load it into Android as a trusted CA
davidpin
post Nov 27 2019, 10:04 AM
Post #3








The GSM Association website has a couple of CAs that you can download and install - but not the right type unfortunately. They use Cybertrust and DigiCert to act on their behalf as Root Cert Issuers - both of whom are already included as trusted CAs on Android (and I confirmed on the Cosmo).

https://www.gsma.com/iot/embedded-sim/gsma-...m-provisioning/

Getting annoying now!
Ninji
post Nov 29 2019, 01:42 PM
Post #4








The eSIM Wallet app allows you to forcibly disable this by toggling [dots] -> Settings -> Network -> Bypass TLS authentication -- perhaps this would be worth a shot?

I'd like to test it out myself, but EE doesn't allow eSIMs on PAYG, my main line is on my main phone (which requires olde-tyme plastic SIMs, the horror!) and I'm hesitant to pay their extortionate rates for an additional post-paid line just for my Cosmo... This thread in the Gemini Hardware forum led me to try grabbing a cheap UK eSIM from Airalo, which I'm now testing out. The eSIM Wallet app is incredibly brittle but I did eventually manage to get it to work.


The main problem I ran into, in case somebody encounters it and comes across the post, was that I kept on getting errors along the lines of "AID not found on eUICC". Trying to scan the QR code would crash the Wallet app immediately, and every time I opened it, it would ask me to confirm setting the default SIM back to Card 2.

Logcat shows that the Cosmo runs an NXP secure element service which is constantly crashing, and I thought this was the cause of my eSIM woes, but it ended up being a red herring - the real solution was to go into Android Settings > Cosmo Settings and toggle "Use eSIM for SIM slot 2" off and then on again. With this, eSIM Wallet shows my EID, the Info button brings up stuff, and I was able to successfully add a profile. I turned it on using the power icon and after a couple of minutes, it successfully associated. I'm now connected to Three via Airalo with working data; time will tell whether this continues working.

For reference, my eSIM Wallet setup is all at default settings, with the exception of these changes:
- Network -> Bypass TLS Authentication: set to yes (just in case)
- Network -> Use alternative SM-DS: set to yes, with rsp.truphone.com used as the FQDN (this is the SM-DP+ address Airalo gave me -- most likely unnecessary, it took me embarrassingly long to realise that SM-DP and SM-DS were different, but I also tried it just in case it improved matters, and didn't turn it off)
- Profile Installation -> Step-by-step request execution: shows a pop-up dialog between each stage of the eSIM install process (probably also unnecessary)

The Wallet app is extremely dodgy (there's no excuse for crashing or showing Java exceptions on basic errors in a production product like this!) but I'm hoping that the Cosmo's eSIM functionality will be a bit more solid now that I'm past the provisioning process.
Beiriannydd
post Nov 29 2019, 09:02 PM
Post #5








QUOTE(Ninji @ Nov 29 2019, 02:42 PM) *
The eSIM Wallet app allows you to forcibly disable this by toggling [dots] -> Settings -> Network -> Bypass TLS authentication -- perhaps this would be worth a shot?


It worked for me for Airalo in the US. I too had a crashing eSIM wallet until I disabled and re-enabled the eSIM chip in the wallet. I had expected to use an eSIM and had turned it on before using the eSIM wallet; this seems to have skipped some important setup and prevented me completing the registration.


Faye
davidpin
post Nov 30 2019, 09:38 AM
Post #6








QUOTE(Ninji @ Nov 29 2019, 09:42 PM) *
The eSIM Wallet app allows you to forcibly disable this by toggling [dots] -> Settings -> Network -> Bypass TLS authentication -- perhaps this would be worth a shot?


Thanks for this - it now works on EE - if you disable security (Bypass TLS Authentication) then it does process and load the EE profile correctly.

Simple 'fix' but a little worrying that the GSM Association has a self-signed certificate that is not trusted by Android.
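Added example, not part of the thread and not any poster's or vendor's code: the "Trust anchor for certification path not found" failure reproduced offline with openssl, next to the check that passes once the issuing root is supplied as the trust anchor for that one connection, which is the alternative to switching verification off. The two roots, the leaf and the name smdp.example.test are constructed stand-ins; no real GSMA or operator certificate is used.

```shell
#!/usr/bin/env bash
# Added illustration. Every key, name and certificate here is constructed
# locally; nothing is fetched from or sent to a real SM-DP+ server.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed root CA. $1 = file prefix, $2 = subject CN.
make_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue leaf.pem for a server name. $1 = issuing root prefix, $2 = server CN.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -days 1 -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -out "$WORK/leaf.pem" 2>/dev/null
}

# Validate leaf.pem with root $1 as the trust anchor.
check_chain() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/leaf.pem" 2>/dev/null |
       grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

# "device" stands in for a CA already in the handset's store, "rsp" for the
# private root that issued the server certificate (both constructed).
make_root device "Constructed device-store root"
make_root rsp "Constructed private RSP root"
make_leaf rsp "smdp.example.test"

echo "device store only:    $(check_chain device)"
echo "private root pinned:  $(check_chain rsp)"
```

Against a live server the same comparison is `openssl s_client -connect <host>:443 -CAfile <root.pem> -verify_return_error`, where `<root.pem>` is a root obtained from a source you trust.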
