United States Patent [19]
Parker

[11] Patent Number: 5,864,757
[45] Date of Patent: Jan. 26, 1999

US005864757A

[54] METHODS AND APPARATUS FOR LOCKING COMMUNICATIONS DEVICES
[75] Inventor: John Patrick Parker, Fowlmere, United Kingdom
[73] Assignee: BellSouth Corporation, Atlanta, Ga.
[21] Appl. No.: 570,912
[22] Filed: Dec. 12, 1995
[51] Int. Cl.6: H04Q 1/00
[52] U.S. Cl.: 455/418; 455/418; 455/419; 455/420; 340/825.31; 340/825.34; 340/825.5
[58] Field of Search: 455/419, 418, 420, 414, 411, 558, 560, 410; 340/825.3, 825.31, 825.34, 825.5; 380/23

Primary Examiner: Dwayne D. Bost
Assistant Examiner: Jean A. Gelin
Attorney, Agent, or Firm: Dominic J. Chianlera; James L. Ewing, IV; Kilpatrick Stockton LLP

[57] ABSTRACT

An apparatus and method for locking and unlocking mobile telecommunications handsets or other devices is disclosed. Each handset is unactivated at the time of purchase. Other than emergency calls, or account activation, no calls can be made using the handset unless it has been unlocked. The handset is capable of receiving a readable subscriber identity module (SIM) having a network (or other) ID and a codeword, and its operation is to be locked and unlocked with respect to the entity corresponding to the ID on the SIM. Furthermore, the handset includes a processor programmed with a unique equipment identification number and a key. All handsets manufactured as part of a particular batch may include the key, which is burned or otherwise written into a memory area of the handset so that it may not be read without its being destroyed. The handset processor is also programmed to produce a handset-specific key as a function of the equipment identification number and the batch-specific key. Upon activation of the handset, the customer service center associated with the network operator transmits a modifier to the handset. The handset changes its handset-specific key according to the modifier to yield an operator-specific key. The resulting operator-specific key is used in conjunction with the network (or other) ID (from the SIM) to produce a checkword. If the checkword matches the codeword, which is read off the SIM, the handset is unlocked (i.e., enabled) for normal use. Other features of the invention include re-locking the handset according to similar principles, and providing a personal identification number for permanently unlocking the device, so that it can be used with any compatible SIM.

28 Claims, 12 Drawing Sheets

[Representative drawing: handset holding M_handset and IMEI; k_operator = M_handset(k_batch(IMEI)) (32); CHECKWORD = f(k_operator, NID); SIM holding IMSI (NID) and CODEWORD. Reference numerals 20, 24, 26, 28, 30, 32, 40, 42.]

SAMSUNG EXHIBIT 1023, 1 of 21

U.S. Patent    Jan. 26, 1999    Sheet 1 of 12    5,864,757

[FIG. 1: PRIOR ART]

Sheet 2 of 12

[FIG. 2: k_operator = M_handset(k_batch(IMEI)) (32); CHECKWORD = f(k_operator, NID) (34); IMSI (NID); CODEWORD (42)]

Sheet 3 of 12

[FIG. 3: SIM, handset and CUSTOMER SERVICE CENTER; labels: Subscriber ID, M_handset, (codeword). Reference numerals 20, 50.]

Sheet 4 of 12

FIG. 4 (flowchart; legible reference numerals 102, 104, 106, 108, 116, 118, 120)

- HANDSET INITIALLY LOCKED FOR ALL BUT EMERGENCY CALLS AND OVER-THE-AIR ACTIVATION.
- PURCHASER OF HANDSET INSERTS SIM, CHARGES BATTERY AND PRESSES ANY KEY.
- HANDSET DIALS ANY NUMBER. CALL (INCLUDING SUBSCRIBER ID NUMBER) IS ROUTED VIA BASE STATION TO MSC.
- MSC LOOKS UP CALLER ID IN HOME LOCATION REGISTER (HLR) TO CHECK CALLER VALIDITY.
- HLR IDENTIFIES SUBSCRIBER ID NUMBER AS TEMPORARY (UNACTIVATED SUBSCRIPTION) AND ROUTES CALL TO CUSTOMER SERVICE CENTER (CSC).
- CSC COLLECTS PAYMENT DETAILS, ESTABLISHES SERVICE OPTIONS, AND INITIATES OVER-THE-AIR ACTIVATION.
- USING, E.G., GSM SHORT MESSAGE SERVICE (SMS), SUBSCRIBER IDENTIFICATION (e.g., IMSI) AND OTHER INFO. IS DOWNLOADED TO SIM.
- ACTIVATION SOFTWARE AT CSC WILL CALCULATE A VALID M_handset BASED ON KNOWLEDGE OF k_batch, k_operator, AND EQUIPMENT IDENTITY CODE (e.g., IMEI, which CSC retrieves over the air) AND SEND M_handset TO HANDSET (e.g., via GSM SMS).
- HANDSET STORES M_handset IN EEPROM OR FLASH MEMORY.
- CSC MESSAGES HANDSET WITH USER INSTRUCTION TO SWITCH HANDSET OFF AND ON.

Sheet 5 of 12

FIG. 5 (flowchart; legible reference numerals 152, 154, 156, 158, 160, 162, 164, 166, 168, 170, 172, 174)

HANDSET COMPUTES AUTHENTICATION ALGORITHM, E.G., OPERATOR-SPECIFIC k_operator, AS FOLLOWS:

- APPLY TRANSPOSITION & INVERSION ALGORITHM, E.G., SPECIFIC TO HANDSET BATCH, k_batch, TO EQUIPMENT IDENTITY CODE (e.g., 60 bit IMEI) TO YIELD A VALUE UNIQUE TO THE HANDSET, k_handset (e.g., 60 bit value).
- MODIFY k_handset ACCORDING TO M_handset (e.g., apply exclusive-or operation) TO YIELD k_operator.
- k_operator IS PRESENT ONLY IN ACTIVATED HANDSETS AND IS INTENDED TO REMAIN SECRET.

HANDSET VALIDATES SIM ACCORDING TO FOLLOWING PROCESS:

- HANDSET EXTRACTS NETWORK ID (NID) FROM SUBSCRIBER IDENTITY CODE (e.g., MCC and MNC portions of IMSI).
- HANDSET THEN APPLIES k_operator TO NID TO PRODUCE A CHECKWORD (e.g., as follows):
- TRANSPOSE AND INVERT SELECTED BITS OF NID, THEN EXCLUSIVE-OR RESULT WITH FIRST 20 BITS OF k_operator.
- TRANSPOSE AND INVERT BITS OF RESULT OF PREVIOUS STEP, THEN SUBTRACT FROM RESULT SECOND 20 BITS OF k_operator.
- TRANSPOSE AND INVERT RESULTS OF PREVIOUS STEP, THEN EXCLUSIVE-OR RESULT WITH LAST 20 BITS OF k_operator TO PRODUCE CHECKWORD.
- COMPARE CHECKWORD WITH CODEWORD READ OFF OF SIM; IF CHECKWORD AND CODEWORD MATCH, UNLOCK HANDSET.
- IF CHECKWORD AND CODEWORD DO NOT MATCH, DISPLAY MESSAGE (E.G., “SIMLOCK”) ON HANDSET AND DISABLE KEYPAD FOR ALL BUT EMERGENCY AND OPERATOR CALLS.

Sheet 6 of 12

[FIG. 6: IMEI bits (26) mapped to bits of k_handset (Handset Key)]

Sheet 7 of 12

[FIG. 7: k_batch mapping of IMEI bits to k_handset bits, k_handset = k_batch(IMEI bits). Table of IMEI bits (Bit 0, Bit 1, ..., Bit n) against k_handset bits; legible entries: k_handset 1 = IMEI 0, k_handset m = IMEI 1, k_handset 60 = IMEI n.]

Sheet 8 of 12

[FIG. 8: IMEI, 15 digits/60 bits (unique to handset); k_batch, masked ROM, transposition/inversion of bits; k_handset, 60 bits; exclusive-or function (154) with M_handset, the modifier unique to handset/operator, received by over-the-air activation; k_operator, which remains “secret” if possible but is only present in activated handsets.]

Sheet 9 of 12

[FIG. 9: IMSI (15 digits) on SIM; Network ID used for authorization, MCC/MNC, 5 digits / 20 bits. 1st stage: transposition of bits followed by exclusive-or with 1st 20 bits of k_operator (0-20). 2nd stage: transposition of bits followed by subtraction of 2nd 20 bits of k_operator (21-40). 3rd stage: transposition of bits followed by exclusive-or with last 20 bits of k_operator (41-60). Checkword; Codeword (20 bits) checked against stored value on SIM. Reference numerals 162, 164, 166, 168, 170.]

Sheet 10 of 12

FIG. 10 (flowchart; reference numerals 200, 202, 204, 206)

HANDSET MAY BE RE-LOCKED TO A DIFFERENT k_operator AS FOLLOWS:

- KNOWING k_operator AND k_handset (i.e., k_batch and IMEI), AND NEW NID AND CODEWORD, CSC CALCULATES NEW M_handset VALUE
- NEW M_handset VALUE IS TRANSMITTED OVER THE AIR TO THE HANDSET
- NEW CODEWORD IS TRANSMITTED OVER THE AIR TO THE HANDSET, AND BY THE HANDSET TO THE SIM

Sheet 11 of 12

FIG. 11 (flowchart; reference numerals 302, 304, 306, 308, 310)

FOR PERMANENT HANDSET UNLOCKING, PERSONAL IDENTIFICATION NUMBER (PIN) IS ENTERED BY USER OR TRANSMITTED OVER-THE-AIR, THE PIN DERIVED AS FOLLOWS:

- PIN (in decimal form) IS GENERATED AS A FUNCTION OF kflm (for example, as follows):
- 60 BIT kmm IS DIVIDED INTO 4 WORDS OF 15 BITS
- THE 4 WORDS ARE COMBINED (e.g., by addition, by exclusive-or, etc.)
- THE RESULTING 15 BITS ARE DIVIDED INTO 5 GROUPS OF 3 BITS, EACH GROUP CORRESPONDING TO A DECIMAL NUMBER BETWEEN 0 AND 7, RESULTING IN A 5 DIGIT PIN

Sheet 12 of 12

[FIG. 12: 15 bits divided (310) into groups, each giving a digit 0-7, to form the 5 digit PIN]
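
The activation and SIM-validation flow of FIGS. 4, 5, 8 and 9, with the re-lock of FIG. 10 and the PIN derivation of FIG. 11, as an added Python example (not code from the patent). The transposition/inversion tables, keys, IMEIs and IMSIs are constructed; BCD packing, reading the “first” 20 bits as the most significant, XOR as the word-combining step, and passing the 60-bit key to `unlock_pin` as a parameter (its subscript in FIG. 11 is not legible in this copy) are assumptions.

```python
"""Added illustration of the lock flow in FIGS. 4, 5, 8, 9 and 11 (not the patent's code).
All bit tables, keys and identities below are constructed for the example."""

MASK20 = (1 << 20) - 1
MASK60 = (1 << 60) - 1


def bcd(digits):
    """Pack decimal digits 4 bits each: 15-digit IMEI -> 60 bits, 5-digit NID -> 20 bits."""
    if not digits.isdigit():
        raise ValueError("decimal digits expected")
    value = 0
    for d in digits:
        value = (value << 4) | int(d)
    return value


def table(width, mul, add, invert_mask):
    """Constructed transposition/inversion table: output bit i takes input bit
    (mul*i + add) mod width, then every bit set in invert_mask is inverted."""
    perm = [(mul * i + add) % width for i in range(width)]
    if sorted(perm) != list(range(width)):
        raise ValueError("mul must be coprime to width")
    return perm, invert_mask & ((1 << width) - 1)


def transpose_invert(value, tbl):
    perm, invert_mask = tbl
    out = 0
    for dst, src in enumerate(perm):
        out |= ((value >> src) & 1) << dst
    return out ^ invert_mask


K_BATCH = table(60, 7, 3, 0x5A5A5A5A5A5A5A5)   # stand-in for the masked-ROM batch key
STAGES = (table(20, 3, 1, 0xA5A5A),            # stand-ins for the three FIG. 9 stages
          table(20, 7, 5, 0x3C3C3),
          table(20, 9, 2, 0x0F0F0))


def handset_key(imei):
    """k_handset = k_batch(IMEI): a 60-bit value unique to the handset."""
    if len(imei) != 15:
        raise ValueError("IMEI must be 15 digits")
    return transpose_invert(bcd(imei), K_BATCH)


def checkword(k_operator, nid):
    """Three-stage FIG. 5 / FIG. 9 computation over the 20-bit NID.
    Assumption: the 'first' 20 bits of k_operator are the most significant."""
    if len(nid) != 5:
        raise ValueError("NID must be 5 digits (MCC + MNC)")
    k1, k2, k3 = (k_operator >> 40) & MASK20, (k_operator >> 20) & MASK20, k_operator & MASK20
    x = transpose_invert(bcd(nid), STAGES[0]) ^ k1
    x = (transpose_invert(x, STAGES[1]) - k2) & MASK20   # subtraction modulo 2**20
    return transpose_invert(x, STAGES[2]) ^ k3


def csc_modifier(imei, k_operator):
    """CSC side (FIGS. 4 and 10): with XOR as the modifying operation,
    M_handset = k_handset XOR k_operator."""
    return handset_key(imei) ^ (k_operator & MASK60)


class Handset:
    def __init__(self, imei):
        self.imei = imei
        self.modifier = None          # EEPROM/flash slot, empty until activation

    def store_modifier(self, modifier):
        self.modifier = modifier & MASK60

    def validate_sim(self, imsi, codeword):
        """True unlocks the handset; False leaves it in the 'SIMLOCK' state."""
        if self.modifier is None:     # unactivated: no k_operator can be formed
            return False
        k_operator = handset_key(self.imei) ^ self.modifier
        return checkword(k_operator, imsi[:5]) == codeword


def unlock_pin(key60):
    """FIG. 11: four 15-bit words combined (XOR chosen here), read as five 3-bit digits."""
    combined = 0
    for shift in (45, 30, 15, 0):
        combined ^= (key60 >> shift) & 0x7FFF
    return "".join(str((combined >> s) & 7) for s in (12, 9, 6, 3, 0))


if __name__ == "__main__":
    imei, k_op = "123456789012345", 0x123456789ABCDEF        # constructed values
    home, other = "001010123456789", "001020123456789"       # constructed IMSIs
    phone = Handset(imei)
    codeword = checkword(k_op, home[:5])                     # value the operator writes to its SIMs
    print("before activation:", phone.validate_sim(home, codeword))
    phone.store_modifier(csc_modifier(imei, k_op))
    print("home SIM:", phone.validate_sim(home, codeword))
    print("other network's SIM:", phone.validate_sim(other, codeword))
    second = Handset("123456789012344")                      # second handset, same modifier
    second.store_modifier(phone.modifier)
    print("same modifier in a second handset:", second.validate_sim(home, codeword))
    print("PIN from a sample key:", unlock_pin(k_op))
```

Because every stage is a bijection on 20 bits, a SIM carrying a different NID can never reproduce the home codeword under the same k_operator, and the modifier computed for one IMEI yields a different k_operator in any other handset.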
`
`
`
METHODS AND APPARATUS FOR LOCKING COMMUNICATIONS DEVICES

FIELD OF THE INVENTION

The present invention relates, in general, to the field of telephony and, in particular, to the field of telephone (or other) system security.

BACKGROUND OF THE INVENTION

Wireless telecommunications providers often find it useful in attracting new subscribers to subsidize the prospective subscribers’ purchase of a handset. The cost of the handsets, which are complex and sophisticated devices, would otherwise fall to the subscribers. A subsidy lowers the financial barrier to the new subscriber’s entry into the domain of wireless communications. Although this is a desirable outcome for new subscribers, for such a proposition to be economically viable for the wireless network operator, it must lead to an assured financial return. The service provider, for example, might seek a guarantee that, for a certain period of time, the subscriber’s wireless access would be provided only by the network operator offering the subsidy. In return for subsidizing the handset, the network operator would recoup that expense in the form of subscriber air time during the period of exclusivity.

The question arises, however, as to how a network operator can ensure that a subscriber using one of its subsidized handsets has access only to that network’s services. One approach to this problem has been to limit the subscriber’s access to services, when using the subsidized handset, to those offered by the particular operator by conditioning the use of the handset on its being “unlocked” only for that service. An example of this type of “locking” mechanism has been developed that is compatible with standards promulgated by Groupe Special Mobile (“GSM”), a European organization responsible for developing wireless telecommunications standards that have been adopted in approximately 60 countries as of the filing of this document. (Throughout this document, GSM and certain terms it has defined are referred to for purposes of illustration only. The implementation of methods and apparatus according to the present invention does not depend upon this standard, but could be used with other telecommunications standards, including those that presently exist or are yet to be developed).

An existing approach to mobile telecommunications handset locking utilizes a subscriber identification module (“SIM”) specific to the network operator offering the subsidy. A SIM may take the form of a card incorporating an integrated circuit and memory in which subscriber information including a network identification symbol is stored. In the context of GSM, for one example, the network identification symbol is included as a subset of an International Mobile Subscriber Identification (“IMSI”). An IMSI is a globally unique number, recognizable by the GSM telephone network operators, that has the following 15 decimal digit format:

    3 digits    2 digits    2 digits    8 digits
    XXX         XX          XX          XXXXXXXX
    MCC         MNC         HLR ID      Rest of MSIN

As shown, an IMSI includes a 3 digit mobile country code (“MCC”), a 2 digit mobile network code (“MNC”), a 2 digit home location register identification (“HLR ID”), and an eight digit mobile subscriber identification number (“MSIN”).

Wireless telephone equipment, on the other hand, is defined by an equipment identification number. Under the GSM system, for example, a handset is uniquely identified by an International Mobile Equipment Identification (“IMEI”). The structure and allocation principles of IMEIs are defined in GSM 03.03, version 3.6.0, published October, 1993. According to that document, an IMEI uniquely identifies a given item of mobile station equipment. The IMEI includes 15 digits, as shown immediately below:

    6 digits    2 digits    6 digits    1 digit
    XXXXXX      XX          XXXXXX      X
    TAC         FAC         SNR         SP

The six most significant digits specify a type approval code (“TAC”), the contents of which are determined by a central decision-making body. The two next most significant digits comprise a final assembly code (“FAC”), which identifies the place of manufacture/final assembly of the equipment and is encoded by the manufacturer. The next six digits set forth the serial number of the equipment, uniquely identifying it within each TAC and FAC. Manufacturers are required to allocate individual serial numbers in sequential order. Finally, the IMEI includes a spare digit for further assignment.

In addition to permanently programming mobile telephone equipment with an equipment identification number, such as an IMEI, it is also known to permanently encode a mobile telephone handset at the time of manufacture with a code identifying a particular network. This network identification (NID) code (which, under GSM, is the two digit MNC) may be burned into or otherwise coded in a circuit within the handset. Preferably the NID is encoded in the handset in such a manner that it cannot be modified by another without destroying the product. Upon powering up, the handset is locked, and can be unlocked only by inserting the SIM into a receiving and reading slot in the handset. A processor in the handset is programmed to read the IMSI off the SIM, extract the MNC, and compare the MNC with an MNC value stored in the handset. If the NID (e.g., MNC) in the handset is matched by the NID (MNC) extracted from the subscriber information (e.g., IMSI) on the SIM, the handset unlocks itself, enabling the user to make regular telephone calls. A scheme of this sort is in use, for example, in the Orange system and the Mercury One-2-One system in the United Kingdom.

A major shortcoming with the foregoing approach, in which an NID in the handset is compared with one on the SIM, is that the handset must be customized at the time of manufacture for use with only one particular network. This limitation would preclude a service provider from buying handsets in bulk in order to supply them for use with different networks within its system. Compatibility with such entities as resellers of wireless network services would also be inhibited. One proposed solution to this problem is to program the handsets at the time of manufacture with a number of different NIDs. This approach, however, would be insufficiently flexible to account for an operator’s establishment or acquisition of a further network, or for an operator’s relationship with a reseller or another network operator.

No handset locking system has yet been provided that frees the handset from being locked to a particular end network or other entity at the time of manufacture. It has therefore been impossible to pre-lock wireless handsets to SIMs associated with a particular service provider (e.g., one operating multiple networks), a particular network, a particular reseller, or even to lock a handset to a particular individual SIM. Moreover, it is not possible with existing systems to disable locking of individual handsets over the air, and possibly via the keyboard of the handset, on the occurrence of preselected conditions, such as when an initial subscriber contract period has expired. In addition, the existing approach does not permit the activation of a handset remotely (e.g., over-the-air). Nor does it permit a device to be remotely re-locked (e.g., over-the-air) to a specific operator, network, reseller, or individual SIM. Among other difficulties, these shortcomings impose constraints on the development and availability of wireless telephone services. New alliances between operators or resellers may arise that would make it desirable to permit the locking criteria to be changed, for example, but this is not possible with the existing approach.

An improved mechanism for locking handsets and other devices should be sufficiently robust to prevent individual subscribers from attempting to move their business to a rival operator. It must also withstand attempts at circumvention by criminals or unscrupulous dealers or operators. Furthermore, if the security of an individual handset is compromised, it is critical that the result should not be able to lead to the compromise of other handsets associated with the handset provider.

One of the unmet needs of conventional wireless communications systems is the ability to lock a handset to services provided only by a particular service provider, or to other network operators or resellers with which the particular operator has an agreement. In order to meet this need, it should be possible for handsets to be distributed to such designated service providers by one or more physical distribution centers (PDCs) run by the operator. To maintain security throughout this distribution process, the handsets must be pre-locked to prevent their use by any operator or re-seller other than those that are designated service providers. For convenience and economy, the handsets should be operable without the need to program them at a PDC prior to delivery. Any further steps required for activation of the handset should be capable of being performed remotely, for example, over-the-air, and then only by the operator or one of its designated providers.

SUMMARY OF THE INVENTION

The problems described in the preceding section are solved by the methods and apparatus according to the present invention, which permit a telecommunications handset, or other device, to be electronically locked to a particular service provider, to a particular network, to a particular reseller, or even to an individual SIM. At the same time, the methods and apparatus of the present invention eliminate the limitation that a mobile telecommunications handset, or other device, be locked for all time with respect to only one particular service provider, network, reseller, or other entity determined at the time of manufacture.

Locking according to the present invention is based on the principle that only SIMs produced by the controlling service provider or operator should work with the handset, but that the controlling entity may be changed as necessary or desired. The present invention achieves this goal by employing a key (e.g., an algorithm) specific to the handset for producing, as a function of an identity that is stored in the SIM, a checkword corresponding to a codeword stored in the SIM. The present invention does so in such a manner that the result of applying the key can be modified to correspond to a particular service provider, network, reseller, tariff package, or even to a unique SIM.

In accordance with the present invention, therefore, a method is provided for unlocking a pre-locked device, such as a wireless telecommunications handset or terminal. The device is adapted to receive signals from a remote source (e.g., over-the-air), and is further adapted to receive an identification module, such as a SIM. The identification module contains a first value, which may be an identification code for an entity such as (but not limited to) a service provider. The identification module also contains a second value, which may be a codeword, against which the device will compare a computed result to determine whether it may unlock itself. The method according to the present invention, briefly, includes the first step of computing a key as a function of a signal received from a remote location (which may be transmitted by the entity identified in the first identification module value). A checkword is computed as a function of the computed key, as well as the first identification module value. Finally, the computed checkword is compared with the second identification module value: if the checkword matches the second identification module value, the device unlocks itself for operation.

Accordingly, it is an object of the present invention to provide methods and apparatus to provide a mobile telecommunications handset with a locking mechanism specific to a particular service provider (e.g., operator of multiple networks), a particular network, a particular reseller, or even to an individual.

It is another object of the present invention to lock a device to a particular controlling entity, to encode that device with device-specific characteristic information, and to modify that device-specific characteristic information from a remote location in order to yield information characteristic to the controlling entity to serve as a key for unlocking the device.

It is another object of the present invention to disable locking of devices locked according to the present invention via the keyboard of the device, or remotely, once a condition has been met (e.g., once the initial contract period for a wireless telephone subscription has expired).

It is a further object of the present invention to permit activation and unlocking of a pre-locked device to be conducted remotely (e.g., over-the-air), and to permit remote transmission to the device of a modifier or other code for use in unlocking the device.

It is also an object of the present invention to permit a mobile telecommunications handset or other device to be re-locked from a remote location to the same operator, network, reseller or individual SIM by a central facility, for security or other reasons, and unlocked once again during a remote activation process.

It is still another object of the present invention to permit a mobile telecommunications handset or other device to be re-locked over-the-air to a different operator, network, reseller or individual SIM via a transmission from a remotely located central facility, for security or other reasons, and unlocked once again during a remote activation process.

It is yet another object of the present invention to provide an approach to achieving the above-enumerated objects, and to do so with sufficient security to prevent a concerted attack by any operator, dealer or distributor, in addition to the efforts of individual subscribers.

It is an additional object of the present invention to provide enhanced security as described above, such that if, for example, individual handsets were to be compromised, the solution should not be generally applicable to other handsets supplied by that operator, network, or reseller.

It is an added object of the present invention to provide methods and apparatus for a permanent handset locking or disabling mechanism for, e.g., handset rental, wherein the locking may be permanently disabled (and the handset permanently enabled) by the user’s entry of a PIN, or via a remotely transmitted instruction by the party with which the user has entered into an agreement.

Other objects, features, and advantages of the present invention will become apparent with reference to the remainder of the written portion and the drawings of this application.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows schematically a prior art telecommunications handset locking arrangement.

FIG. 2 shows schematically an embodiment of the present invention, in which a telecommunications handset is locked to a particular service.

FIG. 3 shows schematically a system for implementing the embodiment of the present invention shown in FIG. 2.

FIG. 4 shows a flowchart of a portion of the operation of an embodiment of a method according to the present invention, corresponding to FIGS. 2 and 3, the flowchart setting forth steps involved in a remote (over-the-air) activation of a telecommunications handset.

FIG. 5 shows a flowchart of a portion of the operation of an embodiment of a method according to the present invention, corresponding to FIGS. 2, 3 and 4, the flowchart setting forth steps involved in the authentication of a codeword on a SIM inserted into the telecommunications handset.

FIG. 6 shows a schematic, partial view of one implementation of an embodiment of a batch-specific locking key or algorithm according to the present invention.

FIG. 7 shows in tabular form the partial view of the implementation of an embodiment of a batch-specific locking key or algorithm (k_batch) according to the present