Patents by Inventor Stephan V. Schell

Stephan V. Schell has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 9560693
    Abstract: Methods and apparatus for recovering access data from a malfunctioning device. In one embodiment, trained service personnel are provided a specialized apparatus for retrieving access data from a malfunctioning device. For example, in the instance the device comprises a cellular device having an unrecoverable hardware failure, trained service personnel can connect to the secure element and retrieve the one or more electronic Subscriber Identity Modules (eSIMs) stored thereon. The eSIMs are then “reclaimed” and reprogrammed/distributed to a new device. In one implementation, security and integrity measures are taken to protect and control distribution of sensitive access data.
    Type: Grant
    Filed: December 15, 2014
    Date of Patent: January 31, 2017
    Assignee: Apple Inc.
    Inventor: Stephan V. Schell
  • Patent number: 9532219
    Abstract: Disclosed herein is a technique for securely provisioning access control entities (e.g., electronic Subscriber Identity Module (eSIM) components) to a user equipment (UE) device. In one embodiment, a UE device is assigned a unique key and an endorsement certificate that can be used to provide updates or new eSIMs to the UE device. The UE device can trust eSIM material delivered by an unknown third-party eSIM vendor, based on a secure certificate transmission with the unique key. In another aspect, an operating system (OS) is partitioned into various sandboxes. During operation, the UE device can activate and execute the OS in the sandbox corresponding to a current wireless network. Personalization packages received while connected to the network only apply to that sandbox. Similarly, when loading an eSIM, the OS need only load the list of software necessary for the current run-time environment. Unused software can be subsequently activated.
    Type: Grant
    Filed: November 17, 2014
    Date of Patent: December 27, 2016
    Assignee: Apple Inc.
    Inventors: Stephan V. Schell, Jerrold Von Hauck
  • Patent number: 9495531
    Abstract: This invention is directed to an electronic device with an embedded authentication system for restricting access to device resources. The authentication system may include one or more sensors operative to detect biometric information of a user. The sensors may be positioned in the device such that the sensors may detect appropriate biometric information as the user operates the device, without requiring the user to perform a step for providing the biometric information (e.g., embedding a fingerprint sensor in an input mechanism instead of providing a fingerprint sensor in a separate part of the device housing). In some embodiments, the authentication system may be operative to detect a visual or temporal pattern of inputs to authenticate a user. In response to authenticating, a user may access restricted files, applications (e.g., applications purchased by the user), or settings (e.g., application settings such as contacts or saved game profile).
    Type: Grant
    Filed: February 5, 2016
    Date of Patent: November 15, 2016
    Assignee: Apple Inc.
    Inventors: Anthony M. Fadell, Andrew Bert Hodge, Stephan V. Schell, Ruben Caballero, Jesse Lee Dorogusker, Stephen Paul Zadesky, Emery Sanford
  • Publication number: 20160227409
    Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.
    Type: Application
    Filed: April 14, 2016
    Publication date: August 4, 2016
    Inventors: Stephan V. SCHELL, Arun G. MATHIAS, Jerrold Von HAUCK, David T. HAGGERTY, Kevin McLAUGHLIN, Ben-Heng JUANG, Li LI
  • Publication number: 20160164560
    Abstract: Apparatus and method for maintaining hardware history profiles for a software-based emulator. In one embodiment, the disclosed software-based emulator monitors the history of the actual hardware device in a secondary device history; the history of the emulated hardware is presented within a primary device history. However, the primary device history is linked to the secondary device history, and receives the device wear history therefrom. In another aspect of the present invention, wear-leveling strategies are disclosed for handling various update sizes. Unlike existing solutions, which are optimized for a single SIM that receives small data updates, various embodiments of the present invention are suitable for handling varying data sizes.
    Type: Application
    Filed: February 16, 2016
    Publication date: June 9, 2016
    Inventors: Stephan V. SCHELL, Arun MATHIAS
  • Publication number: 20160154956
    Abstract: This invention is directed to an electronic device with an embedded authentication system for restricting access to device resources. The authentication system may include one or more sensors operative to detect biometric information of a user. The sensors may be positioned in the device such that the sensors may detect appropriate biometric information as the user operates the device, without requiring the user to perform a step for providing the biometric information (e.g., embedding a fingerprint sensor in an input mechanism instead of providing a fingerprint sensor in a separate part of the device housing). In some embodiments, the authentication system may be operative to detect a visual or temporal pattern of inputs to authenticate a user. In response to authenticating, a user may access restricted files, applications (e.g., applications purchased by the user), or settings (e.g., application settings such as contacts or saved game profile).
    Type: Application
    Filed: February 5, 2016
    Publication date: June 2, 2016
    Inventors: Anthony M. FADELL, Andrew Bert HODGE, Stephan V. SCHELL, Ruben CABALLERO, Jesse Lee DOROGUSKER, Stephen Paul ZADESKY, Emery SANFORD
  • Patent number: 9344832
    Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.
    Type: Grant
    Filed: February 23, 2015
    Date of Patent: May 17, 2016
    Assignee: Apple Inc.
    Inventors: Stephan V. Schell, Arun G. Mathias, Jerrold Von Hauck, David T. Haggerty, Kevin McLaughlin, Ben-Heng Juang, Li Li
  • Patent number: 9338649
    Abstract: Apparatus and methods for authenticating and granting a client device (e.g., cellular telephone) access to a network. In one embodiment, a network service provider such as a cellular telephone company may distribute user access (e.g., Universal Subscriber Identity Module or “USIM”) credentials to a service manager via a USIM vendor. The services manager may maintain a list of authorized users. A user at a client may authenticate to the services manager. Once authenticated, the services manager may provide the user with a set of USIM credentials. When the user desires to use wireless network services, the user equipment may establish a wireless link between the user equipment and the network service provider. During authentication operations, the user equipment may use the USIM credentials to authenticate to the network service provider. Following successful authentication, the network service provider may provide the user equipment with wireless services.
    Type: Grant
    Filed: March 3, 2014
    Date of Patent: May 10, 2016
    Assignee: Apple Inc.
    Inventors: Stephan V. Schell, Mohit Narang, Ruben Caballero
  • Patent number: 9326322
    Abstract: Apparatus and methods for distributing electronic access client modules for use with electronic devices. In one embodiment, the access client modules are virtual subscriber identity modules (VSIMs) that can be downloaded from online services for use with cellular-equipped devices such as smartphones. The online services may include a point of sale (POS) system that sells electronic devices to users. A broker may be used to facilitate the selection of a virtual subscriber identity module. A provisioning service may also be used to provision the selected VSIM.
    Type: Grant
    Filed: May 27, 2014
    Date of Patent: April 26, 2016
    Assignee: Apple Inc.
    Inventors: David T. Haggerty, Jerrold Von Hauck, Stephan V. Schell, Arun G. Mathias
  • Patent number: 9281855
    Abstract: Apparatus and method for maintaining hardware history profiles for a software-based emulator. In one embodiment, the disclosed software-based emulator monitors the history of the actual hardware device in a secondary device history; the history of the emulated hardware is presented within a primary device history. However, the primary device history is linked to the secondary device history, and receives the device wear history therefrom. In another aspect of the present invention, wear-leveling strategies are disclosed for handling various update sizes. Unlike existing solutions, which are optimized for a single SIM that receives small data updates, various embodiments of the present invention are suitable for handling varying data sizes.
    Type: Grant
    Filed: February 24, 2014
    Date of Patent: March 8, 2016
    Assignee: Apple Inc.
    Inventors: Stephan V. Schell, Arun Mathias
  • Publication number: 20160066296
    Abstract: Various mechanisms for paging link-budget-limited (LBL) devices are disclosed, including: (1) transmitting paging message with non-conventional paging identifier; (2) transmitting paging message(s) with increased power; (3) repeating transmission of paging message to support combining at receiver. Various mechanisms for UE device to signal LBL status are disclosed, including, transmitting status flag or special value of DRX cycle to network node as part of tracking area update and/or attach request. The network node informs a base station of the device's LBL status as part of a paging message. (The network node may, e.g., assign an S-RNTI to the LBL device from a reserved subset of S-RNTI space.) The base station invokes a paging enhancement mechanism when paging an LBL device. Alternatively, the base station may page UE devices without knowledge of LBL status, e.g., by counting paging attempts for a given UE, and boosting power after the Nth paging attempt.
    Type: Application
    Filed: August 19, 2015
    Publication date: March 3, 2016
    Inventors: Li Su, Sami M. Almalfouh, Venkateswara Rao Manepalli, Srinivas Burugupalli, Srinivasan Nimmala, Vijay Kumar Ramamurthi, Stephan V. Schell
  • Publication number: 20160066276
    Abstract: In some embodiments, a user equipment device (UE) implements improved communication methods which include radio resource time multiplexing, dynamic sub-frame allocation, and UE transmit duty cycle control. In some embodiments, the UE may communicate with base stations using radio frames that include multiple sub-frames, transmit information regarding allocation of a portion of the sub-frames of a respective radio frame for each of a plurality of the radio frames, and transmit and receive data using allocated sub-frames and not using unallocated sub-frames. In some embodiments, the UE may operate according to a sub-frame allocation based on its current power state. The UE may transmit information to the base station and receive the sub-frame allocation based on at least the information. In some embodiments, the UE may switch transmit duty cycles based on an occurrence of a condition at the UE. The UE may inform the network of the switch.
    Type: Application
    Filed: August 25, 2015
    Publication date: March 3, 2016
    Inventors: Li Su, Stephan V. Schell, Jianxiong Shi, Sami M. Almalfouh
  • Patent number: 9274647
    Abstract: This invention is directed to an electronic device with an embedded authentication system for restricting access to device resources. The authentication system may include one or more sensors operative to detect biometric information of a user. The sensors may be positioned in the device such that the sensors may detect appropriate biometric information as the user operates the device, without requiring the user to perform a step for providing the biometric information (e.g., embedding a fingerprint sensor in an input mechanism instead of providing a fingerprint sensor in a separate part of the device housing). In some embodiments, the authentication system may be operative to detect a visual or temporal pattern of inputs to authenticate a user. In response to authenticating, a user may access restricted files, applications (e.g., applications purchased by the user), or settings (e.g., application settings such as contacts or saved game profile).
    Type: Grant
    Filed: October 1, 2015
    Date of Patent: March 1, 2016
    Assignee: Apple Inc.
    Inventors: Anthony M. Fadell, Andrew Bert Hodge, Stephan V. Schell, Ruben Caballero, Jesse Lee Doroguskar, Stephen Paul Zadesky, Emery Sanford
  • Publication number: 20160044493
    Abstract: Described herein is a simulacrum security device and methods. In one embodiment, a simulacrum or likeness of a physical security device is provided for use in conjunction with a software emulation of the security device. In one implementation, a “faux SIM card” is provided that does not contain Subscriber Identification Module (SIM) information itself, but instead enables a user to download Electronic SIM (eSIM) information (e.g., from a network or eSIM server) which is loaded into a software emulation of a Universal Integrated Circuit Card (UICC) device. The faux card is printed with an activation code, scan pattern, or other activation or access information. The subscriber purchases the faux card, and enters the activation code into a device; the entered activation code enables the device to log onto a network, and download the appropriate eSIM data.
    Type: Application
    Filed: July 30, 2015
    Publication date: February 11, 2016
    Inventors: Stephan V. SCHELL, Jerrold Von HAUCK
  • Publication number: 20160044495
    Abstract: Methods and apparatus for managing multiple user access control entities or clients. For example, in one embodiment, a “wallet” of electronic subscriber identity modules (eSIMs) may be stored and used at a user device and/or distributed to other devices for use thereon. In another embodiment, a networked server may store and distribute eSIM to a plurality of user devices in communication therewith. A database of available eSIM is maintained at the wallet entity and/or at the network which enables request for a particular eSIM to be processed and various rules for the distribution thereof to be implemented. Security precautions are implemented to protect both user and network carrier specific data as the data is transmitted between networked entities. Solutions for eSIM backup and restoration are also described.
    Type: Application
    Filed: July 30, 2015
    Publication date: February 11, 2016
    Inventors: Stephan V. SCHELL, David T. HAGGERTY
  • Publication number: 20160037350
    Abstract: Methods and apparatus for correcting error events associated with identity provisioning. In one embodiment, repeated requests for access control clients are responded to with the execution of a provisioning feedback mechanism which is intended to prevent the unintentional (or even intentional) over-consumption or waste of network resources via the delivery of an excessive amount of access control clients. These provisioning feedback mechanisms include rate-limiting algorithms and/or methodologies which place a cost on the user. Apparatus for implementing the aforementioned provisioning feedback mechanisms are also disclosed and include specialized user equipment and/or network side equipment such as a subscriber identity module provisioning server (SPS).
    Type: Application
    Filed: September 27, 2015
    Publication date: February 4, 2016
    Inventors: Li LI, Stephan V. SCHELL
  • Publication number: 20160026329
    Abstract: This invention is directed to an electronic device with an embedded authentication system for restricting access to device resources. The authentication system may include one or more sensors operative to detect biometric information of a user. The sensors may be positioned in the device such that the sensors may detect appropriate biometric information as the user operates the device, without requiring the user to perform a step for providing the biometric information (e.g., embedding a fingerprint sensor in an input mechanism instead of providing a fingerprint sensor in a separate part of the device housing). In some embodiments, the authentication system may be operative to detect a visual or temporal pattern of inputs to authenticate a user. In response to authenticating, a user may access restricted files, applications (e.g., applications purchased by the user), or settings (e.g., application settings such as contacts or saved game profile).
    Type: Application
    Filed: October 1, 2015
    Publication date: January 28, 2016
    Inventors: Anthony M. FADELL, Andrew Bert HODGE, Stephan V. SCHELL, Ruben CABALLERO, Jesse Lee DOROGUSKAR, Stephen Paul ZADESKY, Emery SANFORD
  • Publication number: 20150312699
    Abstract: Apparatus and methods for provisioning wireless devices for operation in one or more networks. In one embodiment, a provisioning service may provide access client (e.g., Subscriber Identity Module) data to a secure element in the wireless user device. The device may be preloaded with a provisioning SIM profile. The device may use the provisioning profile to roam onto a carrier, and communicate with a provisioning service, which may present the user with a list of available wireless carriers, such as carriers that service the user's current geographic location. In response to a user selection, the provisioning service may load a SIM profile associated with the selected carrier onto the secure element. The loaded SIM profile can be used to obtain wireless service from the selected carrier. The user may add multiple SIM profiles, and/or may delete SIM profiles.
    Type: Application
    Filed: March 25, 2015
    Publication date: October 29, 2015
    Inventors: Clive Edward Rodgers, Stephan V. Schell, Achim Pantfoerder, Mohit Narang
  • Publication number: 20150312698
    Abstract: Methods and apparatus enabling programming of electronic identification information of a wireless apparatus. In one embodiment, a previously purchased or deployed wireless apparatus is activated by a cellular network. The wireless apparatus connects to the cellular network using an access module to download operating system components and/or access control client components. The described methods and apparatus enable updates, additions and replacement of various components including Electronic Subscriber Identity Module (eSIM) data, OS components. One exemplary implementation of the invention utilizes a trusted key exchange between the device and the cellular network to maintain security.
    Type: Application
    Filed: February 23, 2015
    Publication date: October 29, 2015
    Inventors: Stephan V. SCHELL, Arun G. MATHIAS, Jerrold Von HAUCK, David T. HAGGERTY, Kevin McLAUGHLIN, Ben-Heng JUANG, Li LI
  • Patent number: 9148841
    Abstract: Methods and apparatus for correcting error events associated with identity provisioning. In one embodiment, repeated requests for access control clients are responded to with the execution of a provisioning feedback mechanism which is intended to prevent the unintentional (or even intentional) over-consumption or waste of network resources via the delivery of an excessive amount of access control clients. These provisioning feedback mechanisms include rate-limiting algorithms and/or methodologies which place a cost on the user. Apparatus for implementing the aforementioned provisioning feedback mechanisms are also disclosed and include specialized user equipment and/or network side equipment such as a subscriber identity module provisioning server (SPS).
    Type: Grant
    Filed: February 8, 2013
    Date of Patent: September 29, 2015
    Assignee: Apple Inc.
    Inventors: Li Li, Stephan V. Schell