United States Patent [19]
Parker

[11] Patent Number: 5,864,757
[45] Date of Patent: Jan. 26, 1999

US005864757A

[54] METHODS AND APPARATUS FOR LOCKING COMMUNICATIONS DEVICES

[75] Inventor: John Patrick Parker, Fowlmere, United Kingdom

[73] Assignee: BellSouth Corporation, Atlanta, Ga.

[21] Appl. No.: 570,912

[22] Filed: Dec. 12, 1995

[51] Int. Cl.⁶ .......... H04Q 1/00

[52] U.S. Cl. .......... 455/418; 455/418; 455/419; 455/420; 340/825.31; 340/825.34; 340/825.5

[58] Field of Search .......... 455/419, 418, 455/420, 414, 411, 558, 560, 410; 340/825.3, 825.31, 825.34, 825.5; 380/23

[56] References Cited

U.S. PATENT DOCUMENTS

4,291,197     9/1981    Yonaga ................ 455/411
4,736,419     4/1988    Roe ................... 380/3
5,068,889    11/1991    Yamashita ............. 455/411
5,159,625    10/1992    Zicker ................ 455/419
5,297,192     3/1994    Gerszberg ............. 455/419
5,457,737    10/1995    Wen ................... 455/410
5,600,708     2/1997    Meche et al. .......... 455/411
5,602,536     2/1997    Henderson et al. ...... 340/825.31
5,603,084     2/1997    Henry, Jr. et al. ..... 455/419

OTHER PUBLICATIONS

“Cellular-Phone Coverage Expands to 35 Countries,” The Wall Street Journal, p. B9 (Nov. 8, 1995).
“PCS 1900: Tomorrow’s Technology—Today,” The North American PCS 1900 Action Group (NPAG).

Primary Examiner—Dwayne D. Bost
Assistant Examiner—Jean A. Gelin
Attorney, Agent, or Firm—Dominic J. Chiantera; James L. Ewing, IV; Kilpatrick Stockton LLP

[57] ABSTRACT

An apparatus and method for locking and unlocking mobile telecommunications handsets or other devices is disclosed. Each handset is unactivated at the time of purchase. Other than emergency calls, or account activation, no calls can be made using the handset unless it has been unlocked. The handset is capable of receiving a readable subscriber identity module (SIM) having a network (or other) ID and a codeword, and its operation is to be locked and unlocked with respect to the entity corresponding to the ID on the SIM. Furthermore, the handset includes a processor programmed with a unique equipment identification number and a key. All handsets manufactured as part of a particular batch may include the key, which is burned or otherwise written into a memory area of the handset so that it may not be read without its being destroyed. The handset processor is also programmed to produce a handset-specific key as a function of the equipment identification number and the batch-specific key. Upon activation of the handset, the customer service center associated with the network operator transmits a modifier to the handset. The handset changes its handset-specific key according to the modifier to yield an operator-specific key. The resulting operator-specific key is used in conjunction with the network (or other) ID (from the SIM) to produce a checkword. If the checkword matches the codeword, which is read off the SIM, the handset is unlocked (i.e., enabled) for normal use. Other features of the invention include re-locking the handset according to similar principles, and providing a personal identification number for permanently unlocking the device, so that it can be used with any compatible SIM.

28 Claims, 12 Drawing Sheets

[Front-page drawing. Handset: IMEI; k_operator = M_handset(k_batch(IMEI)); CHECKWORD = f(k_operator, NID). SIM: IMSI (NID); CODEWORD.]

1 of 21
SAMSUNG EXHIBIT 1023

U.S. Patent    Jan. 26, 1999    Sheet 1 of 12    5,864,757

[FIG. 1 (PRIOR ART)]

[FIG. 2 (Sheet 2 of 12). Handset: k_operator = M_handset(k_batch(IMEI)); CHECKWORD = f(k_operator, NID). SIM: IMSI (NID); CODEWORD.]

[FIG. 3 (Sheet 3 of 12). Labels: CUSTOMER SERVICE CENTER; M_handset (codeword); Subscriber ID; SIM.]

[FIG. 4 (Sheet 4 of 12). Flowchart text, in order:]

- HANDSET INITIALLY LOCKED FOR ALL BUT EMERGENCY CALLS AND OVER-THE-AIR ACTIVATION.
- PURCHASER OF HANDSET INSERTS SIM, CHARGES BATTERY AND PRESSES ANY KEY.
- HANDSET DIALS ANY NUMBER. CALL (INCLUDING SUBSCRIBER ID NUMBER) IS ROUTED VIA BASE STATION TO MSC.
- MSC LOOKS UP CALLER ID IN HOME LOCATION REGISTER (HLR) TO CHECK CALLER VALIDITY.
- HLR IDENTIFIES SUBSCRIBER ID NUMBER AS TEMPORARY (UNACTIVATED SUBSCRIPTION) AND ROUTES CALL TO CUSTOMER SERVICE CENTER (CSC).
- CSC COLLECTS PAYMENT DETAILS, ESTABLISHES SERVICE OPTIONS, AND INITIATES OVER-THE-AIR ACTIVATION.
- USING, E.G., GSM SHORT MESSAGE SERVICE (SMS), SUBSCRIBER IDENTIFICATION (e.g., IMSI) AND OTHER INFO. IS DOWNLOADED TO SIM.
- ACTIVATION SOFTWARE AT CSC WILL CALCULATE A VALID M_handset BASED ON KNOWLEDGE OF k_operator, k_batch AND EQUIPMENT IDENTITY CODE (e.g., IMEI, which CSC retrieves over the air) AND SEND M_handset TO HANDSET (e.g., via GSM SMS).
- HANDSET STORES M_handset IN EEPROM OR FLASH MEMORY.
- CSC MESSAGES HANDSET WITH USER INSTRUCTION TO SWITCH HANDSET OFF AND ON.

[FIG. 5 (Sheet 5 of 12). Flowchart text, in order:]

- HANDSET COMPUTES AUTHENTICATION OF ALGORITHM, E.G., OPERATOR-SPECIFIC k_operator, AS FOLLOWS:
- APPLY TRANSPOSITION & INVERSION ALGORITHM, E.G., SPECIFIC TO HANDSET BATCH, k_batch, TO EQUIPMENT IDENTITY CODE (e.g., 60 bit IMEI) TO YIELD A VALUE UNIQUE TO THE HANDSET, k_handset (e.g., 60 bit value).
- MODIFY k_handset ACCORDING TO M_handset (e.g., apply exclusive-or operation) TO YIELD k_operator.
- k_operator IS PRESENT ONLY IN ACTIVATED HANDSETS AND IS INTENDED TO REMAIN SECRET.
- HANDSET VALIDATES SIM ACCORDING TO FOLLOWING PROCESS:
- HANDSET EXTRACTS NETWORK ID (NID) FROM SUBSCRIBER IDENTITY CODE (e.g., MCC and MNC portions of IMSI).
- HANDSET THEN APPLIES k_operator TO NID TO PRODUCE A CHECKWORD (e.g., as follows):
- TRANSPOSE AND INVERT SELECTED BITS OF NID, THEN EXCLUSIVE-OR RESULT WITH FIRST 20 BITS OF k_operator.
- TRANSPOSE AND INVERT BITS OF RESULT OF PREVIOUS STEP, THEN SUBTRACT FROM RESULT SECOND 20 BITS OF k_operator.
- TRANSPOSE AND INVERT RESULTS OF PREVIOUS STEP, THEN EXCLUSIVE-OR RESULT WITH LAST 20 BITS OF k_operator TO PRODUCE CHECKWORD.
- COMPARE CHECKWORD WITH CODEWORD READ OFF OF SIM; IF CHECKWORD AND CODEWORD MATCH, UNLOCK HANDSET.
- IF CHECKWORD AND CODEWORD DO NOT MATCH, DISPLAY MESSAGE (E.G., “SIMLOCK”) ON HANDSET AND DISABLE KEYPAD FOR ALL BUT EMERGENCY AND OPERATOR CALLS.

[FIG. 6 (Sheet 6 of 12). Labels: IMEI BITS; k_handset (Handset Key).]

[FIG. 7 (Sheet 7 of 12). Table titled “k_batch Mapping of IMEI Bits to k_handset Bits”, with k_handset = k_batch(IMEI Bits); columns: IMEI Bits, k_handset bits. Bit indices illegible.]

[FIG. 8 (Sheet 8 of 12). IMEI (15 digits/60 bits); k_batch (Masked ROM): transposition/inversion of bits; k_handset, 60 bits (unique to handset); exclusive-or function with M_handset (over-the-air activation; modifier unique to handset/operator); k_operator (remains “secret” if possible, but is only present in activated handsets).]

[FIG. 9 (Sheet 9 of 12). IMSI (15 digits) on SIM; Network ID used for authorization: MCC/MNC, 5 digits / 20 bits; 1st stage: transposition of bits followed by exclusive-or with 1st 20 bits of k_operator, k_operator (0-20); 2nd stage: transposition of bits followed by subtraction of 2nd 20 bits of k_operator, k_operator (21-40); 3rd stage: transposition of bits followed by exclusive-or with at least 20 bits of k_operator, k_operator (41-60); Checkword; Codeword (20 bits) checked against stored value on SIM.]

[FIG. 10 (Sheet 10 of 12). Flowchart text, in order:]

- HANDSET MAY BE RE-LOCKED TO A DIFFERENT k_operator AS FOLLOWS:
- KNOWING k_operator AND k_handset (i.e., k_batch and IMEI), AND NEW NID AND CODEWORD, CSC CALCULATES NEW M_handset VALUE
- NEW M_handset VALUE IS TRANSMITTED OVER THE AIR TO THE HANDSET
- NEW CODEWORD IS TRANSMITTED OVER THE AIR TO THE HANDSET, AND BY THE HANDSET TO THE SIM

[FIG. 11 (Sheet 11 of 12). Flowchart text, in order:]

- FOR PERMANENT HANDSET UNLOCKING, PERSONAL IDENTIFICATION NUMBER (PIN) IS ENTERED BY USER OR TRANSMITTED OVER-THE-AIR, THE PIN DERIVED AS FOLLOWS:
- PIN (in decimal form) IS GENERATED AS A FUNCTION OF k_handset (for example, as follows):
- 60 BIT k_handset IS DIVIDED INTO 4 WORDS OF 15 BITS
- THE 4 WORDS ARE COMBINED (e.g., by addition, by exclusive-or, etc.)
- THE RESULTING 15 BITS ARE DIVIDED INTO 5 GROUPS OF 3 BITS, EACH GROUP CORRESPONDING TO A DECIMAL NUMBER BETWEEN 0 AND 7, RESULTING IN A 5 DIGIT PIN

[FIG. 12 (Sheet 12 of 12). Labels: 15 bits; 15 bits; 5 digit PIN.]

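The derivations charted in FIGS. 4, 5 and 11, carried through in Python as an added example; this is not code from the patent. The transposition/inversion tables, the 4-bit-per-digit packing, the choice of which 20-bit slice counts as "first", the modulo 2**20 subtraction, the XOR combination of the PIN words and all sample identifiers are assumptions constructed for illustration.

```python
"""Added illustration of FIGS. 4, 5 and 11. Every table, key and identifier
below is constructed; the patent does not publish any of them."""

MASK20 = (1 << 20) - 1


def make_table(width, a, b, invert):
    """Constructed stand-in for a transposition/inversion key: output bit i
    is taken from input bit (a*i + b) % width, then XORed with `invert`."""
    perm = [(a * i + b) % width for i in range(width)]
    assert sorted(perm) == list(range(width)), "a must be coprime to width"
    return perm, invert & ((1 << width) - 1)


def transpose_invert(value, table):
    """Apply the bit transposition, then the inversion mask."""
    perm, invert = table
    out = 0
    for dst, src in enumerate(perm):
        out |= ((value >> src) & 1) << dst
    return out ^ invert


def bcd(digits):
    """Assumption: 4 bits per decimal digit (15 digits -> 60 bits, 5 -> 20)."""
    value = 0
    for d in digits:
        value = (value << 4) | int(d)
    return value


def handset_key(imei, k_batch):
    """FIG. 5: k_handset is k_batch applied to the 60-bit IMEI."""
    return transpose_invert(bcd(imei), k_batch)


def csc_modifier(imei, k_batch, k_operator):
    """FIG. 4: the CSC picks M_handset so the handset lands on k_operator."""
    return handset_key(imei, k_batch) ^ k_operator


def operator_key(imei, k_batch, m_handset):
    """FIG. 5, handset side: k_operator = k_handset XOR M_handset."""
    return handset_key(imei, k_batch) ^ m_handset


def checkword(k_operator, imsi, stages):
    """FIG. 5: three-stage mix of the NID (MCC+MNC) with 20-bit key slices.
    Assumptions: low-order slice is 'first'; subtraction is modulo 2**20."""
    k1, k2, k3 = ((k_operator >> s) & MASK20 for s in (0, 20, 40))
    x = transpose_invert(bcd(imsi[:5]), stages[0]) ^ k1
    x = (transpose_invert(x, stages[1]) - k2) & MASK20
    return transpose_invert(x, stages[2]) ^ k3


def sim_accepted(imei, k_batch, m_handset, imsi, codeword, stages):
    """Unlock decision: checkword must equal the codeword read off the SIM."""
    k_op = operator_key(imei, k_batch, m_handset)
    return checkword(k_op, imsi, stages) == codeword


def unlock_pin(k_handset):
    """FIG. 11: four 15-bit words combined (XOR chosen here), then five
    3-bit groups, each read as a digit between 0 and 7."""
    mixed = 0
    for i in range(4):
        mixed ^= (k_handset >> (15 * i)) & 0x7FFF
    return "".join(str((mixed >> s) & 7) for s in (12, 9, 6, 3, 0))


def demo():
    """Activate one constructed handset, then try a home and a foreign SIM."""
    k_batch = make_table(60, 7, 11, 0x5A5A5A5A5A5A5A5)
    stages = [make_table(20, 3, 5, 0x3C3C3),
              make_table(20, 7, 2, 0xA5A5A),
              make_table(20, 9, 13, 0x0F0F0)]
    imei, other_imei = "123456789012345", "123456789012346"
    home_imsi, foreign_imsi = "001010123456789", "999990123456789"
    k_operator = 0x0123456789ABCDE                       # operator secret, 60 bits
    m = csc_modifier(imei, k_batch, k_operator)          # sent over the air
    codeword = checkword(k_operator, home_imsi, stages)  # written to the SIM
    return {
        "home_sim": sim_accepted(imei, k_batch, m, home_imsi, codeword, stages),
        # Foreign NID with the home codeword copied onto it: stays locked.
        "foreign_sim": sim_accepted(imei, k_batch, m, foreign_imsi, codeword, stages),
        # The same modifier on another IMEI does not reproduce k_operator.
        "modifier_reused_on_other_handset":
            operator_key(other_imei, k_batch, m) == k_operator,
        "pin": unlock_pin(handset_key(imei, k_batch)),
    }


if __name__ == "__main__":
    print(demo())
```

Because the FIG. 11 PIN is built from five 3-bit groups, it has 8^5 = 32,768 possible values, which bounds the protection a PIN-entry path can offer unless attempts are limited.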
METHODS AND APPARATUS FOR LOCKING COMMUNICATIONS DEVICES

FIELD OF THE INVENTION

The present invention relates, in general, to the field of telephony and, in particular, to the field of telephone (or other) system security.

BACKGROUND OF THE INVENTION

Wireless telecommunications providers often find it useful in attracting new subscribers to subsidize the prospective subscribers’ purchase of a handset. The cost of the handsets, which are complex and sophisticated devices, would otherwise fall to the subscribers. A subsidy lowers the financial barrier to the new subscriber’s entry into the domain of wireless communications. Although this is a desirable outcome for new subscribers, for such a proposition to be economically viable for the wireless network operator, it must lead to an assured financial return. The service provider, for example, might seek a guarantee that, for a certain period of time, the subscriber’s wireless access would be provided only by the network operator offering the subsidy. In return for subsidizing the handset, the network operator would recoup that expense in the form of subscriber air time during the period of exclusivity.

The question arises, however, as to how a network operator can ensure that a subscriber using one of its subsidized handsets has access only to that network’s services. One approach to this problem has been to limit the subscriber’s access to services, when using the subsidized handset, to those offered by the particular operator by conditioning the use of the handset on its being “unlocked” only for that service. An example of this type of “locking” mechanism has been developed that is compatible with standards promulgated by Groupe Special Mobile (“GSM”), a European organization responsible for developing wireless telecommunications standards that have been adopted in approximately 60 countries as of the filing of this document. (Throughout this document, GSM and certain terms it has defined are referred to for purposes of illustration only. The implementation of methods and apparatus according to the present invention does not depend upon this standard, but could be used with other telecommunications standards, including those that presently exist or are yet to be developed).

An existing approach to mobile telecommunications handset locking utilizes a subscriber identification module (“SIM”) specific to the network operator offering the subsidy. A SIM may take the form of a card incorporating an integrated circuit and memory in which subscriber information including a network identification symbol is stored. In the context of GSM, for one example, the network identification symbol is included as a subset of an International Mobile Subscriber Identification (“IMSI”). An IMSI is a globally unique number, recognizable by the GSM telephone network operators, that has the following 15 decimal digit format:

3 digits    2 digits    2 digits    8 digits
XXX         XX          XX          XXXXXXXX
MCC         MNC         HLR ID      Rest of MSIN

As shown, an IMSI includes a 3 digit mobile country code (“MCC”), a 2 digit mobile network code (“MNC”), a 2 digit home location register identification (“HLR ID”), and an eight digit mobile subscriber identification number (“MSIN”).

Wireless telephone equipment, on the other hand, is defined by an equipment identification number. Under the GSM system, for example, a handset is uniquely identified by an International Mobile Equipment Identification (“IMEI”). The structure and allocation principles of IMEIs are defined in GSM 03.03—version 3.6.0, published October, 1993. According to that document, an IMEI uniquely identifies a given item of mobile station equipment. The IMEI includes 15 digits, as shown immediately below:

6 digits    2 digits    6 digits    1 digit
XXXXXX      XX          XXXXXX      X
TAC         FAC         SNR         SP

The six most significant digits specify a type approval code (“TAC”), the contents of which are determined by a central decision-making body. The two next most significant digits comprise a final assembly code (“FAC”), which identifies the place of manufacture/final assembly of the equipment and is encoded by the manufacturer. The next six digits set forth the serial number of the equipment, uniquely identifying it within each TAC and FAC. Manufacturers are required to allocate individual serial numbers in sequential order. Finally, the IMEI includes a spare digit for further assignment.

In addition to permanently programming mobile telephone equipment with an equipment identification number, such as an IMEI, it is also known to permanently encode a mobile telephone handset at the time of manufacture with a code identifying a particular network. This network identification (NID) code (which, under GSM, is the two digit MNC) may be burned into or otherwise coded in a circuit within the handset. Preferably the NID is encoded in the handset in such a manner that it cannot be modified by another without destroying the product. Upon powering up, the handset is locked, and can be unlocked only by inserting the SIM into a receiving and reading slot in the handset. A processor in the handset is programmed to read the IMSI off the SIM, extract the MNC, and compare the MNC with an MNC value stored in the handset. If the NID (e.g., MNC) in the handset is matched by the NID (MNC) extracted from the subscriber information (e.g., IMSI) on the SIM, the handset unlocks itself, enabling the user to make regular telephone calls. A scheme of this sort is in use, for example, in the Orange system and the Mercury One-2-One system in the United Kingdom.

A major shortcoming with the foregoing approach, in which an NID in the handset is compared with one on the SIM, is that the handset must be customized at the time of manufacture for use with only one particular network. This limitation would preclude a service provider from buying handsets in bulk in order to supply them for use with different networks within its system. Compatibility with such entities as resellers of wireless network services would also be inhibited. One proposed solution to this problem is to program the handsets at the time of manufacture with a number of different NIDs. This approach, however, would be insufficiently flexible to account for an operator’s establishment or acquisition of a further network, or for an operator’s relationship with a reseller or another network operator.

No handset locking system has yet been provided that frees the handset from being locked to a particular end network or other entity at the time of manufacture. It has therefore been impossible to pre-lock wireless handsets to SIMs associated with a particular service provider (e.g., one operating multiple networks), a particular network, a particular reseller, or even to lock a handset to a particular individual SIM. Moreover, it is not possible with existing systems to disable locking of individual handsets over the air, and possibly via the key board of the handset, on the occurrence of preselected conditions, such as when an initial subscriber contract period has expired. In addition, the existing approach does not permit the activation of a handset remotely (e.g., over-the-air). Nor does it permit a device to be remotely re-locked (e.g., over-the-air) to a specific operator, network, reseller, or individual SIM. Among other difficulties, these shortcomings impose constraints on the development and availability of wireless telephone services. New alliances between operators or resellers may arise that would make it desirable to permit the locking criteria to be changed, for example, but this is not possible with the existing approach.

An improved mechanism for locking handsets and other devices should be sufficiently robust to prevent individual subscribers from attempting to move their business to a rival operator. It must also withstand attempts at circumvention by criminals or unscrupulous dealers or operators. Furthermore, if the security of an individual handset is compromised, it is critical that the result should not be able to lead to the compromise of other handsets associated with the handset provider.

One of the unmet needs of conventional wireless communications systems is the ability to lock a handset to services provided only by a particular service provider, or to other network operators or resellers with which the particular operator has an agreement. In order to meet this need, it should be possible for handsets to be distributed to such designated service providers by one or more physical distribution centers (PDCs) run by the operator. To maintain security throughout this distribution process, the handsets must be pre-locked to prevent their use by any operator or re-seller other than those that are designated service providers. For convenience and economy, the handsets should be operable without the need to program them at a PDC prior to delivery. Any further steps required for activation of the handset should be capable of being performed remotely, for example, over-the-air, and then only by the operator or one of its designated providers.

SUMMARY OF THE INVENTION

The problems described in the preceding section are solved by the methods and apparatus according to the present invention, which permit a telecommunications handset, or other device, to be electronically locked to a particular service provider, to a particular network, to a particular reseller, or even to an individual SIM. At the same time, the methods and apparatus of the present invention eliminate the limitation that a mobile telecommunications handset, or other device, be locked for all time with respect to only one particular service provider, network, reseller, or other entity determined at the time of manufacture.

Locking according to the present invention is based on the principle that only SIMs produced by the controlling service provider or operator should work with the handset, but that the controlling entity may be changed as necessary or desired. The present invention achieves this goal by employing a key (e.g., an algorithm) specific to the handset for producing, as a function of an identity that is stored in the SIM, a checkword corresponding to a codeword stored in the SIM. The present invention does so in such a manner that the result of applying the key can be modified to correspond to a particular service provider, network, reseller, tariff package, or even to a unique SIM.

In accordance with the present invention, therefore, a method is provided for unlocking a pre-locked device, such as a wireless telecommunications handset or terminal. The device is adapted to receive signals from a remote source (e.g., over-the-air), and is further adapted to receive an identification module, such as a SIM. The identification module contains a first value, which may be an identification code for an entity such as (but not limited to) a service provider. The identification module also contains a second value, which may be a codeword, against which the device will compare a computed result to determine whether it may unlock itself. The method according to the present invention, briefly, includes the first step of computing a key as a function of a signal received from a remote location (which may be transmitted by the entity identified in the first identification module value). A checkword is computed as a function of the computed key, as well as the first identification module value. Finally, the computed checkword is compared with the second identification module value: if the checkword matches the second identification module value, the device unlocks itself for operation.

Accordingly, it is an object of the present invention to provide methods and apparatus to provide a mobile telecommunications handset with a locking mechanism specific to a particular service provider (e.g., operator of multiple networks), a particular network, a particular reseller, or even to an individual.

It is another object of the present invention to lock a device to a particular controlling entity, to encode that device with device-specific characteristic information, and to modify that device-specific characteristic information from a remote location in order to yield information characteristic to the controlling entity to serve as a key for unlocking the device.

It is another object of the present invention to disable locking of devices locked according to the present invention via the keyboard of the device, or remotely, once a condition has been met (e.g., once the initial contract period for a wireless telephone subscription has expired).

It is a further object of the present invention to permit activation and unlocking of a pre-locked device to be conducted remotely (e.g., over-the-air), and to permit remote transmission to the device of a modifier or other code for use in unlocking the device.

It is also an object of the present invention to permit a mobile telecommunications handset or other device to be re-locked from a remote location to the same operator, network, reseller or individual SIM by a central facility, for security or other reasons, and unlocked once again during a remote activation process.

It is still another object of the present invention to permit a mobile telecommunications handset or other device to be re-locked over-the-air to a different operator, network, reseller or individual SIM via a transmission from a remotely located central facility, for security or other reasons, and unlocked once again during a remote activation process.

It is yet another object of the present invention to provide an approach to achieving the above-enumerated objects, and to do so with sufficient security to prevent a concerted attack by any operator, dealer or distributor, in addition to the efforts of individual subscribers.

It is an additional object of the present invention to provide enhanced security as described above, such that if, for example, individual handsets were to be compromised, the solution should not be generally applicable to other handsets supplied by that operator, network, or reseller.

It is an added object of the present invention to provide methods and apparatus for a permanent handset locking or disabling mechanism for, e.g., handset rental, wherein the locking may be permanently disabled (and the handset permanently enabled) by the user’s entry of a PIN, or via a remotely transmitted instruction by the party with which the user has entered into an agreement.

Other objects, features, and advantages of the present invention will become apparent with reference to the remainder of the written portion and the drawings of this application.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows schematically a prior art telecommunications handset locking arrangement.

FIG. 2 shows schematically an embodiment of the present invention, in which a telecommunications handset is locked to a particular service.

FIG. 3 shows schematically a system for implementing the embodiment of the present invention shown in FIG. 2.

FIG. 4 shows a flowchart of a portion of the operation of an embodiment of a method according to the present invention, corresponding to FIGS. 2 and 3, the flowchart setting forth steps involved in a remote (over-the-air) activation of a telecommunications handset.

FIG. 5 shows a flowchart of a portion of the operation of an embodiment of a method according to the present invention, corresponding to FIGS. 2, 3 and 4, the flowchart setting forth steps involved in the authentication of a codeword on a SIM inserted into the telecommunications handset.

FIG. 6 shows a schematic, partial view of one implementation of an embodiment of a batch-specific locking key or algorithm according to the present invention.

FIG. 7 shows in tabular form the partial view of the implementation of an embodiment of a batch-specific locking key or algorithm (k_batch) according to the present invention and as shown in FIG. 6.

FIG. 8 shows in schematic form the deriva