TW201013452A - Memory device upgrade - Google Patents

Publication number: TW201013452A
Authority: TW (Taiwan)
Prior art keywords: storage unit, content, new, server, credential
Application number: TW098128067A
Other languages: Chinese (zh)
Inventors: Mei Yan, Robert C Chang, Farshid Sabet-Sharghi, Po Yuan, Bahman Qawami
Original Assignee: Sandisk Corp
Priority claimed from: US12/229,165 (US8984645B2); US12/229,090 (US8428649B2)
Application filed by: Sandisk Corp

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/101 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities
    • G06F21/1014 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM] by binding digital rights to specific entities to tokens
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/108 Transfer of content, software, digital rights or licenses
    • G06F21/1082 Backup or restore
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
    • H04N21/00 Selective content distribution, e.g. interactive television or video on demand [VOD]
    • H04N21/80 Generation or processing of content or additional data by content creator independently of the distribution process; Content per se
    • H04N21/83 Generation or processing of protective or descriptive data associated with content; Content structuring
    • H04N21/835 Generation of protective data, e.g. certificates

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Multimedia (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Technology Law (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Stored Programmes (AREA)

Abstract

Technology for replacing a first storage unit operatively coupled to a device is provided. Content of the first storage unit is sent to a new storage unit that serves as the replacement of the first storage unit. In one embodiment, the content is first sent to a trusted third-party server and then transferred from the server to the new storage unit. A portion of the content on the new storage unit is adjusted in one embodiment to maintain content security features that were implemented in the first storage unit. The upgrading can be performed under the control of a software entity that is installed on the device. In various embodiments, the first storage unit may be bound to a third storage unit prior to the upgrade process. In such cases, the process can include measures to bind the new storage unit to the third storage unit.

Description

VI. Description of the Invention:

[Technical Field of the Invention]

Embodiments of the present invention relate to technology for secure memory devices.

[Prior Art]

Semiconductor memory has become increasingly common in a variety of electronic devices. For example, non-volatile semiconductor memory is used in cellular telephones, digital cameras, mobile media players, personal digital assistants, mobile computing devices, non-mobile computing devices and other devices.

Preventing unauthorized access to a secure non-volatile semiconductor memory device has become a greater concern as technology has advanced. An example of a secure memory device is a Subscriber Identity Module (SIM) card or a removable memory card that may contain secure content that should be protected from unauthorized use.

Protecting content stored on secure memory devices has become an important feature, especially with regard to the protection of copyrighted material. For example, a user may purchase copyrighted content, such as music, through an electronic device. Content owners typically intend for only the purchaser to use the content and may require that the purchased content be played on an electronic device only by authorized applications (e.g., the application used to purchase the content).

Securely storing information to protect secure content from unauthorized use can be performed using a variety of protection techniques, such as encryption. An application on a device that tries to access encrypted content must first decrypt the content using an encryption key before it can read that content. An application authorized to access the encrypted content will have the appropriate encryption key for decrypting the content. An unauthorized application may still be able to access the encrypted content, but without the appropriate encryption key the unauthorized application may not be able to read the content.

Although a secure memory device may implement various protection techniques, the protection may be lost during an upgrade if the secure memory device is upgraded to a new memory device. There is a need for an improved, simplified and secure way of upgrading a memory device that ensures the security features of the memory device are retained.

[Summary of the Invention]

The technology described herein relates to upgrading or replacing a first storage unit that is operatively coupled to a host device. The upgrade is performed by sending the content of the first storage unit to a new storage unit that serves as the upgrade or replacement of the first storage unit. In one embodiment, the content is first sent to a trusted third-party server. The content is then transferred from the trusted third-party server to the new storage unit. In one embodiment, a portion of the content on the new storage unit is adjusted to maintain content security features that were implemented in the first storage unit. The upgrade can be performed under the control of a software entity that is installed on the device.

In various embodiments, the first storage unit is bound to a third storage unit prior to the upgrade process. The first storage unit and the third storage unit can be said to be bound together, where one storage unit provides credentials for accessing content on the other storage unit. In such cases, the upgrade process can include measures to bind the new storage unit to the third storage unit in the same or a similar manner as the first storage unit was bound to the third storage unit before the upgrade. Some of the content transferred to the new storage unit and/or content on the third storage unit can be modified to bind the new storage unit to the third storage unit.

Consider an exemplary embodiment in which a non-volatile memory card and a Subscriber Identity Module (SIM) card are both operatively coupled to a host device. The cards may be bound together based on one or more binding types associated with the content stored on the non-volatile memory card. The SIM card can store and/or calculate credentials used to access the content on the non-volatile memory card. Embodiments in accordance with the present disclosure can be used to replace the existing non-volatile memory card with a new non-volatile memory card or to replace the existing SIM card with a new SIM card. In either case, the disclosed technology facilitates replacement of the card while maintaining the security measures used to protect the content stored on the existing non-volatile memory card.

If the existing non-volatile memory card is replaced with a new non-volatile memory card, the content on the existing non-volatile memory card can be transferred to the new non-volatile memory card. At least a portion of the transferred content can be modified to bind the new non-volatile memory card to the existing SIM card. In addition, the SIM card can calculate and store one or more new credentials for accessing the content transferred to the new non-volatile memory card. If the existing SIM card is replaced with a new SIM card, one or more credentials from the existing SIM card can be transferred to the new SIM card. If certain binding types are used for the content on the existing non-volatile memory card, the SIM card can calculate and store new credentials and/or modifications can be made to the content on the existing non-volatile memory card.

Various embodiments and possible examples of the disclosed technology are provided herein. One embodiment includes a process for replacing a first storage unit with a new storage unit. Prior to the replacement, the first storage unit is operatively coupled to a host device and bound to a third storage unit that is also operatively coupled to the host device. The first storage unit stores first content that is bound to the third storage unit based on one or more binding types. After receiving a request to replace the first storage unit with the new storage unit, the device sends the first content from the first storage unit to the new storage unit. Based on the one or more binding types, the device modifies a portion of the first content in the new storage unit or a portion of second content in the third storage unit in order to bind the new storage unit to the third storage unit. In one embodiment, the device can send the first content from the first storage unit to a server. The first storage unit is then removed from the device and the new storage unit is inserted. The device can then receive the first content from the server and send it to the new storage unit.

One embodiment of a process for upgrading a storage device includes sending a credential from a first storage unit to a server. The first storage unit is operatively coupled to a device. The credential is sent to the server under the control of a software entity on the device. The software entity notifies a user to insert a new storage unit into the device. The software entity receives notification that the new storage unit has been inserted. The software entity controls receiving the credential from the server and sending the credential to the new storage unit.

One embodiment of a process for upgrading a storage device includes upgrading a first storage unit in a host device to a new storage unit. The first storage unit is associated with a third storage unit based on one or more credentials, and both the first storage unit and the third storage unit are operatively coupled to the host device. When the new storage unit is inserted into the host device, a software entity on the host device provides a server with an identifier that identifies the new storage unit. The software entity accesses content on the first storage unit using one or more credentials obtained from the third storage unit. The software entity then provides the content to the server. The software entity controls receiving the content from the server, including first content that is associated with the third storage unit based on the one or more credentials. The content is sent to the new storage unit under the control of the software entity, and the software entity notifies the third storage unit to generate a new credential that associates the first content with the new storage unit. The new credential provides access to the first content.

The technology described herein further relates to accessing content on a first host device, where the content is associated with one or more credentials on a second host device. A first storage unit on, or controlled using, the first host device can be bound to a second storage unit on, or controlled using, the second host device, based on a binding type of the content on the first storage unit. The second storage unit is needed to calculate a credential for accessing the content on the first storage unit. When content on the first storage unit is requested via the first host device, the first host device calculates an account identifier associated with the binding type of the requested content. The account identifier is sent from the first host device to a server. The server sends the account identifier to the second host device. The second storage unit uses the account identifier to calculate a credential. The credential is then sent to the server, and the server sends the credential to the first host device. If the credential is valid, the first host device uses the credential to access the requested content.

One embodiment of a process for accessing content includes determining, at a first device, an account identifier associated with content on a first storage unit that is operatively coupled to the first device. The account identifier is sent from the first device to a server. The first device receives a credential from a second device via the server, where the credential is based on the account identifier. If the credential is valid, the first device uses the credential to access the content.

One embodiment of a process for accessing content includes receiving, at a server, an account identifier from a first device. The account identifier is associated with content on a first storage unit that is operatively coupled to the first device. The account identifier is sent from the server to a second storage unit that is operatively coupled to a second device. The second storage unit is associated with the first storage unit. The server receives a credential from the second storage unit in response to sending the account identifier. The credential is based on the account identifier. The server sends the credential to the first device. If the credential is valid, the credential provides access to the content on the first storage unit.

One embodiment of a process for accessing content includes receiving a request to access content on a first memory card that is operatively coupled to a first device. The first memory card is bound to a second memory card based on a binding type. The second memory card is operatively coupled to a second device. The receiving is performed by a software entity on the first device. The software entity calculates an account identifier based on the binding type and sends the account identifier to a server. The software entity receives a credential from the server. The credential is generated by the second memory card based on the account identifier and the binding type. If the credential is valid, the software entity uses the credential to access the content.
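
The relayed-credential exchange described in the preceding paragraphs, as an added sketch that is not code from the patent: the first device derives an account identifier, a server relays it, and the bound second storage unit (modeled here as a SIM) returns the credential. The SHA-256 and HMAC derivations, the class and function names, the `sim` binding-type label and all sample identifiers are assumptions made for illustration.

```python
import hashlib
import hmac


def account_id(binding_type: str, cid: str, name: str) -> str:
    """Host agent, first device: account identifier for one file.
    Assumed derivation: SHA-256 over binding type, card CID and file name."""
    return hashlib.sha256(f"{binding_type}|{cid}|{name}".encode()).hexdigest()


class SimCard:
    """Second storage unit: the only holder of the secret behind the credential."""

    def __init__(self, imsi: str, secret: bytes):
        self.imsi = imsi
        self._secret = secret

    def compute_credential(self, acct: str) -> bytes:
        # Assumed construction: HMAC-SHA256 keyed with the SIM secret.
        msg = f"{self.imsi}|{acct}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()


class MemoryCard:
    """First storage unit: stores a digest of each credential, not the credential."""

    def __init__(self, cid: str):
        self.cid = cid
        self._accounts = {}  # account id -> SHA-256(credential)
        self._files = {}     # file name -> (binding type, content)

    def store(self, name, binding_type, content, bound_sim):
        acct = account_id(binding_type, self.cid, name)
        cred = bound_sim.compute_credential(acct)
        self._accounts[acct] = hashlib.sha256(cred).digest()
        self._files[name] = (binding_type, content)

    def binding_type(self, name):
        return self._files[name][0]  # stands in for reading the file header

    def read(self, name, credential: bytes) -> bytes:
        binding, content = self._files[name]
        expected = self._accounts[account_id(binding, self.cid, name)]
        offered = hashlib.sha256(credential).digest()
        if not hmac.compare_digest(expected, offered):
            raise PermissionError("credential rejected")
        return content


class Server:
    """Relay between the two devices; it holds no card secret."""

    def __init__(self):
        self._routes = {}  # card CID -> SIM reachable through the second device
        self.seen = []     # account ids relayed, kept for audit

    def register(self, cid, sim):
        self._routes[cid] = sim

    def request_credential(self, cid, acct) -> bytes:
        self.seen.append(acct)
        return self._routes[cid].compute_credential(acct)


def access_content(card, name, server) -> bytes:
    """Host agent on the first device: the full request described in the text."""
    acct = account_id(card.binding_type(name), card.cid, name)
    credential = server.request_credential(card.cid, acct)
    return card.read(name, credential)  # raises if the credential is invalid


def demo():
    # All identifiers and secrets below are constructed sample values.
    bound_sim = SimCard("001010123456789", b"constructed-secret-A")
    other_sim = SimCard("001010999999999", b"constructed-secret-B")
    card = MemoryCard("CID-0001")
    card.store("track01", "sim", b"protected audio", bound_sim)

    server = Server()
    server.register(card.cid, bound_sim)
    granted = access_content(card, "track01", server)

    server.register(card.cid, other_sim)  # relay now reaches an unbound SIM
    try:
        access_content(card, "track01", server)
        denied = False
    except PermissionError:
        denied = True
    return granted, denied


if __name__ == "__main__":
    print(demo())
```

The credential in this sketch is the same for every request to an account, so the relay link has to be authenticated and encrypted, or a captured credential can be replayed.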
One embodiment of a process for accessing content includes calculating, at a first device, an account identifier associated with content on a first storage unit that is operatively coupled to the first device. The first storage unit is associated with a second storage unit that is operatively coupled to a second device. The account identifier is sent from the first device to the second device via a server. The second storage unit generates a credential based on the account identifier. The first device receives the credential from the second storage unit via the server and accesses the content on the first storage unit if the credential is valid.

Embodiments in accordance with the present disclosure can include one or more non-volatile storage units and one or more processors in communication with the one or more non-volatile storage units. The one or more processors can be adapted to perform one or more processes for upgrading or accessing at least one non-volatile storage unit as described. Embodiments in accordance with the present disclosure can be accomplished using hardware, software, or a combination of both hardware and software. The software can be stored on one or more computer-readable media, such as hard disk drives, CD-ROMs, DVDs, optical disks, floppy disks, tape drives, RAM, ROM, flash memory or other suitable storage devices. In alternative embodiments, some or all of the software can be replaced by dedicated hardware, including custom integrated circuits, gate arrays, FPGAs, PLDs and special-purpose processors. In one embodiment, software implementing one or more embodiments (stored on a storage device) is used to program one or more processors. The one or more processors can be in communication with one or more non-volatile storage units in the storage system, peripherals and/or communication interfaces.

[Detailed Description]

所揭示技術提供自一現有記憶體裝置至一新記憶體裝置 之一安全升級。現有記憶體裝置可包括任何類型之非揮發 性儲存裝置,諸如用戶身份模組(SIM)卡或一可抽換記憶 卡。現有記憶體裝置係運作地耦合至一主機裝置,且通常 經由該主機裝置上之一主機代理運作。該主機裝置可係任 一電子裝置’諸如一蜂巢式電話、數位相機、行動媒體播 放器、個人數位助理、行動計算裝置或非行動計算裝置。 現有記憶體裝置可自主機裝置中移除或嵌入於主機裂置 中。另外,現有記憶體裝置可經由該主機裝置運作而不在 該主機裝置内。 在升級過程之前,該現有記憶體裝置可與 裝置相關聯,該第三記憶體裝置亦經由該主機代理運作地 耦合至該主機裝置。該第三記憶體裝置亦可係任何類型之 非揮發性儲存裝置。該第三記憶體裝置可係一嵌入記憶體 裝置、一可抽換記憶體裝置或經由主機裝置運作但不在主 機裝置内之-記憶體裝置。在―個實施例中,該現有記憶 體裝置及該新記憶體裝置可係非揮發性記憶卡,而該第三 置可係一 _卡。在另-實施财,該現有: ==及該新記憶體裝置可係SIM卡,而該第三記憶體裝 於經由^揮發性記憶卡。該主機代理可係該主機裝置上用 諸2 =機裝置運作該等記憶體裝置之任—軟體實體, ==該主機裝置上之—應用程式。該主機代理允許 二:裝置之存取且控制對該等記憶體裝置之升 出於月晰、簡單且與該技術中之該等術語之標準使用 142631 .doc -11 · 201013452 一致之原因,本文將各種過程描述為係藉由軟體實體(諸 如主機代理、小應用程式等)來執行。應瞭解,對軟體實 體執行動作之提及可包括在該等軟體實體控制下藉由一個 或多個裝置(例如,處理器、控制電路等)執行動作。 為增加安全性,該現有記憶體裝置及該第三記憶體裝置 實施用於存取該等裝置上之内容之安全特徵。該現有記憶 體裝置係、綁定至該第三記憶體裝置,謂内容之存取相依 於該等裝置係如何綁定在一起。舉例而言,一記憶卡上之 内容可包括用以自-SIM卡中獲得用於存取該内容之一憑 證之一綁定類型。 當請求升級該現有記憶體裝置時,將該現有裝置之内容 之至少一部分發送至該新記憶體裝置。若該主機裝置可同 時接受或存取該現有及新記憶體裝置兩者,則該内容可直 接自該現有記憶體裝置發送至該新記憶體裝置。若該主機 裝置-次可僅接受或存取該等卡中之一者,則可將該現有 裝置中之内容首紐送至-伺服器。該储器可由該主機 裝置之一網路服務提供者(諸如,一行動網路營運商 (MNO)或由任-第三方進行運作。在—個實施例中,該飼 服器係-可信賴第三方(TTP)伺服器。雖然係關於一 ττρ伺 服器提供實例性實施例,但任—類型之伺服器皆可用於所 揭示之技術。藉由該主機裝置上之該主機代理將該現有記 憶體裝置之内容發送至該ΤΤΡ。—旦該主機代理將該内容 自該現有錢體裝置發it至該ΤΤΡ,$主機代理即可請求 將該新記憶體裝置插人該主機裝置中。當插人該新記憶體 142631.doc -12· 201013452 裝置時’該主機代理向該Τ Τ P ·*·# 4; jj. 
^ 口忒1 iP凊求該内容且將其發送至該 新記憶體裝置。 記憶體裝置綁定 圖1A繪不被互相綁定且經由一主機裝置丨〇〇上之一主機 -絲175運作之記憶體裝置之一個㈣。如上所述,主機 裝置100可係任一電子裝置。主機裝置1〇〇含有一處理器 130。處理器13〇可係用以運作主機裝置1〇〇之任一類型之 ❹ 處理器。處理器130用以經由主機裝置100存取SIM卡110及 非揮發性記憶卡120。在一個實施例中,處理器13〇執行主 機代理175對於SIM卡11 〇及非揮發性記憶卡i2〇之功能。 圖1B繪示圖1A中所示系統之一個實例。在圖1B中,主 機裝置100係一手機105,諸如,一行動電話或其他計算裝 置。第一記憶體裝置係一 SIM卡115,且該第二記憶體裝置 係一可抽換記憶卡125。手機105包括圖1A中所描述之一處 理器(未顯示)以執行手機1〇5上所含有之記憶卡驅動器 φ 155、應用程式1 160、應用程式2 165、應用程式η 170、 主機代理175及SIM卡驅動器180。為簡明起見,該揭示内 容中之諸多内容皆參考圖1B所示之實例。然而,該所揭示 - 之技術並非如此限定。 - 手機具有用作一唯一識別符之一國際行動設備身份 (IMEI)號碼。主機代理175接收存取記憶卡125上之内容之 請求’且先鑑別嘗試存取内容之該實體方允許存取彼内 容。嘗試存取内容之該實體可係手機105之一使用者。該 使用者亦可經由應用程式1 160、應用程式2 165或應用程 142631.doc -13- 201013452 式η 170來嘗試存取該内容。該等應用程式亦係在允許存 取之前可經歷鑑別之實體。應用程式1 16〇、應用程式2 165或應用程式η 170可係任一類型之應用程式,諸如用於 播放音樂或視訊播案之一媒體播放器、一字處理器、— 曆等》 手機105含有一記憶卡驅動器155,其允許經由手機 存取記憶卡125。手機105亦含有一 SIM卡驅動器18〇,其允 許經由手機105存取SIM卡115。 §己憶卡125含有一儲存區域15〇及控制電路145。儲存區 ❿ 域150含有儲存於記憶卡125上之内容。經由控制電路ms 存取該内容,控制電路145控制記憶卡125之内容之讀取及 寫入。記憶卡125亦具有識別彼特定記憶卡之唯一卡識別 符(CID) 〇 可將儲存區域150劃分成任何數目之公共分區或安全分 區。對一安全分區中之内容之存取需要來自一經授權實= 之有效鑑別。-公共分區中之内容可包括透明内容及受保 護内容,透明内容不需要鐘別且可由任一實體存取而受 ® 保濩内容需要鑑別方可被存取。在圖1B所示之實例中,將 儲存區域150劃分成兩個分區:分區152及分區154。每一 分區均具有一檔案分配表(FAT),其含有關於將每—檔案 - 儲存於該分區中之何處之資訊。FAT_〇含有關於儲存於^ - 區152中之内容之資訊,而有分區154之資訊。 刀區152係一安全分區之一個實例。安全分區係一使用 者或一主機裝置不可偵測之隱藏分區。嘗試存取一安全分 14263 l.ci〇( -14· 201013452 區内之内容之任一實體皆必需首先使用手機105上之主機 代理175通過鑑別。該實體可係一使用者、手機ι〇5上之一 應用程式、或嘗試經由手機105上之一應用程式存取該内 容之一使用者。當一實體嘗試存取一安全分區中之内容 . 
時,主機代理175首先存取該内容之檔案標頭。每一檔案 之該標案標頭與檐案本身一起健存且含有關於該内容之資 訊(諸如’可指示所儲存之内容類型之内容元資料)、與加 ❹ 密及解密該内容相關之資訊及與鑑別相關之資訊(諸如, 一綁定類型)。在2008年5月21日提出申請之Mei Yan等人 * 之標題為「Authentication for Access t。Sc)ftware Development Kit for a Peripheral Device」之美國專利申請 案第12/124,450號中可找到更多關於鑑別過程之資訊,該 申明案以全文引用方式併入本文中。 在成功鏗別後,嘗試存取該内容之實體登入記憶卡125 且可存取分區152内之内容,諸如,檔案A及邏輯群組域1 ❿ 及域2。邏輯群組係藉由個別加密進行保護之内容分組。 邏輯群組域1及域2係各自藉由一内容加密密鑰(CEK)來進 行保護。使用與域1相關聯之一特定CEK來對儲存於域1中 之所有内容(諸如’播案B)進行加密,且使用與域2相關聯 之另一CEK來對儲存於域2中之所有内容(諸如,檔案匸及 樓案D)進行加密。與用於每一邏輯群組之cek相關之資訊 儲存於該邏輯群組中該内容之槽案標頭中。若該經鑑別實 體具有存取該内容之適當權限,則可使用彼資訊來存取用 於解密該内容之正確CEK。若該實體不具有可存取該正碟 142631.doc 201013452 CEK之權限’則兑可热处糾六 、 八Ύ能此夠存取域1或域2中之檔案,但將 無法解密其内容。控制雷技】Μ抽/_ 孜剌電路145執行内容之加密及解密, 控制電路145可!接杠 ,^ ^ ^ 又援任一加岔方法,諸如,對稱加密(例 ,AES DES、3DES等)、密碼雜湊函數(例如,shu 等非對稱加密(例如’ ρκι、密餘對產生等)或任何其他 後碼術方法。 分區154係含有透明内容檔案E及檔案?之一公共分區之 個實例。-使用者或一主機裝置可偵測到公共分區。透 明内容係儲存於記憶髋裝置125之—公共分區中且不使肖Q 一CEK予以加密之任何内容。嘗試存取一公共分區内之透 明内容之任一實體皆可不進行鑑別而執行此作業。 使用控制電路145控制對儲存於記憶體裝置125上之任何 内今之存取。在手機1〇5上之主機代理PS成功地鑑別嘗試 存取記憶體裝置125上之内容之實體後,該控制電路允許 主機代理1乃存取該内容。 圖1Β中之SIM卡115可係通常用於一蜂巢式電話或行動 電腦中之任—可抽換積體電路卡。SIM卡115係儲存國際行 ® 動用戶身份(IMSI)之一記憶卡,國際行動用戶身份係用以 識別手機105之行動服務用戶之識別符。當撥打一電話或 起始資料傳送時,將該IMSI自SIM卡115發送至手機1〇5, 且手機105然後將該IMSI發送至用戶網路。該用戶網路係 ' 給手機105提供行動服務之μν〇。當該ΜΝΟ自手機1〇5接 收IMSI時’其允許撥打一電話或傳送資料。SIM卡115還 儲存行動用戶綜合服務數位網路(MSISDN)號碼,其係與 142631.doc • 16 - 201013452 SIM卡115之電話號碼相關聯之一識別符。SIm卡115係通 常經由一個MNO進行運作。該MNO可藉由對彼特定MNO 係唯一之一網路識別符(NetID)來識別。該NetID可係用於 MNO之任一識別符,諸如,行動國家碼(MCC)或行動網路 碼(MNC)。 ❷The disclosed technology provides a security upgrade from one of the existing memory devices to a new memory device. Existing memory devices can include any type of non-volatile storage device, such as a Subscriber Identity Module (SIM) card or a removable memory card. Existing memory devices are operatively coupled to a host device and typically operate via one of the host agents on the host device. 
The host device can be any electronic device such as a cellular telephone, digital camera, mobile media player, personal digital assistant, mobile computing device or non-mobile computing device. Existing memory devices can be removed from the host device or embedded in the host splicing. Additionally, existing memory devices can operate via the host device without being within the host device. Prior to the upgrade process, the existing memory device can be associated with the device, and the third memory device is also operatively coupled to the host device via the host agent. The third memory device can also be any type of non-volatile storage device. The third memory device can be a memory device embedded in the memory device, a removable memory device, or a memory device that operates via the host device but is not within the host device. In one embodiment, the existing memory device and the new memory device can be non-volatile memory cards, and the third device can be a card. In another implementation, the existing: == and the new memory device can be a SIM card, and the third memory is loaded via a volatile memory card. The host agent can be any software entity on the host device that operates the memory devices with the 2 = device, == the application on the host device. The host agent allows two: access to the device and controls the rise of the memory devices for the sake of clarity, simplicity, and consistency with the standard usage of the terms in the technology 142631 .doc -11 · 201013452, The various processes are described as being performed by a software entity (such as a host agent, applet, etc.). It will be appreciated that reference to performing an action on a software entity may include performing an action by one or more devices (e.g., a processor, control circuit, etc.) under the control of the software entity. 
To increase security, the existing memory device and the third memory device implement security features for accessing content on the devices. The existing memory device is bound to the third memory device, meaning that access to the content is dependent on how the devices are tied together. For example, the content on a memory card can include a binding type used to obtain one of the credentials for accessing the content from the SIM card. When the existing memory device is requested to be upgraded, at least a portion of the contents of the existing device are sent to the new memory device. If the host device can simultaneously accept or access both the existing and new memory devices, the content can be sent directly from the existing memory device to the new memory device. If the host device can only accept or access one of the cards, the content header in the existing device can be sent to the server. The storage may be operated by a network service provider of the host device, such as a mobile network operator (MNO) or by any third party. In one embodiment, the feeding device is trustworthy Third party (TTP) server. Although an exemplary embodiment is provided with respect to a ττρ server, any type of server can be used for the disclosed technology. The host agent on the host device will use the existing memory. The content of the body device is sent to the device. Once the host agent sends the content from the existing money device to the device, the host agent can request to insert the new memory device into the host device. When the device is 142631.doc -12· 201013452, the host agent sends the content to the new memory device. Memory Device Binding FIG. 1A depicts one (4) of memory devices that are not bound to each other and operate via one host-wire 175 on a host device. As described above, the host device 100 can be any electronic device. Device. 
Host device 1〇〇 contains one place The processor 130 is configured to operate any type of processor of the host device 1. The processor 130 is configured to access the SIM card 110 and the non-volatile memory card 120 via the host device 100. In the embodiment, the processor 13 performs the functions of the host agent 175 for the SIM card 11 and the non-volatile memory card i2. Figure 1B illustrates an example of the system shown in Figure 1 A. In Figure 1B, the host device 100 A mobile phone 105, such as a mobile phone or other computing device. The first memory device is a SIM card 115, and the second memory device is a removable memory card 125. The mobile phone 105 includes the description of Figure 1A. A processor (not shown) is configured to execute the memory card driver φ 155, the application program 1 160, the application program 2 165, the application program η 170, the host agent 175, and the SIM card driver 180 included in the mobile phone 1-5. For the sake of this, many of the contents of this disclosure refer to the example shown in Figure 1B. However, the technique disclosed is not so limited. - The mobile phone has an International Mobile Equipment Identity (IMEI) number that serves as a unique identifier. .the Lord The agent 175 receives the request to access the content on the memory card 125 and first authenticates the entity that is attempting to access the content to allow access to the content. The entity attempting to access the content may be a user of the mobile phone 105. The user The content may also be attempted to be accessed via application 1 160, application 2 165, or application 142631.doc -13- 201013452, η 170. The applications are also entities that can undergo authentication before allowing access. Program 1 16〇, Application 2 165 or Application η 170 can be any type of application, such as one for playing music or video broadcast media player, word processor, calendar, etc. 
The handset 105 includes a memory card driver 155 that allows access to the memory card 125 via the handset. The handset 105 also contains a SIM card driver 180 that allows access to the SIM card 115 via the handset 105.

The memory card 125 includes a storage area 150 and a control circuit 145. The storage area 150 contains the content stored on the memory card 125. The content is accessed via the control circuit 145, which controls the reading and writing of content on the memory card 125. The memory card 125 also has a unique card identifier (CID) that identifies the particular memory card.

The storage area 150 can be divided into any number of public partitions or secure partitions. Access to content in a secure partition requires valid authentication from an authorized entity. The content in a public partition may include transparent content and protected content: transparent content can be accessed by any entity without authentication, while protected content can be accessed only after authentication. In the example shown in FIG. 1B, storage area 150 is divided into two partitions: partition 152 and partition 154. Each partition has a file allocation table (FAT) that contains information about where each file is stored in the partition. FAT-0 contains information about the content stored in partition 152, and the other FAT has information about partition 154.

Partition 152 is an example of a secure partition. A secure partition is a hidden partition that is undetectable by a user or a host device. Any entity attempting to access a secure partition must first be authenticated using the host agent 175 on the handset 105. The entity can be a user, an application on the handset 105, or a user attempting to access the content via one of the applications on the handset 105. When an entity attempts to access content in a secure partition, the host agent 175 first accesses the file header of the content.
The header of each file is stored with the file itself and contains information about the content (such as content metadata indicating the type of content being stored), information related to encrypting and decrypting the content, and authentication-related information (such as a binding type). Further information on the authentication process can be found in U.S. Patent Application Serial No. 12/124,450 by Mei Yan et al., filed on May 21, 2008, entitled "Authentication for Access to Software Development Kit for a Peripheral", the disclosure of which is incorporated herein by reference. Upon successful authentication, the entity attempting to access the content is logged in to memory card 125 and can access content within partition 152, such as File A and the logical groups Domain 1 and Domain 2.

Logical groups are groupings of content, each protected by its own encryption. Logical groups Domain 1 and Domain 2 are each protected by a content encryption key (CEK). All content stored in Domain 1 (such as File B) is encrypted using a specific CEK associated with Domain 1, and another CEK, associated with Domain 2, is used to encrypt all of the content stored in Domain 2 (such as File C and File D). Information related to the CEK for each logical group is stored in the file header of the content in the logical group. If the authenticated entity has the appropriate rights to access the content, that information can be used to access the correct CEK for decrypting the content. If the entity does not have the right to access the CEK, then the files in Domain 1 or Domain 2 can be accessed, but the content cannot be decrypted. Control circuit 145 performs the encryption and decryption of the content. The control circuit 145 can support any encryption method, such as symmetric encryption (for example, AES, DES, 3DES, etc.), cryptographic hash functions (for example, SHA-1, etc.), asymmetric encryption (for example, PKI, key pair generation, etc.) or any other cryptographic method.

Partition 154 is an example of a public partition, containing transparent content File E and File F. A public partition can be detected by a user or a host device. Transparent content is any content stored in a public partition of memory device 125 that is not encrypted with a CEK. Any entity attempting to access transparent content in a public partition can do so without authentication.

The control circuit 145 controls access to any content stored on memory device 125. After the host agent 175 on the handset 105 successfully authenticates the entity attempting to access the content on memory device 125, the control circuit allows the host agent 175 to access the content.

The SIM card 115 in FIG. 1B can be any removable integrated circuit card used in a cellular phone or mobile computer. The SIM card 115 is a memory card that stores an International Mobile Subscriber Identity (IMSI), an identifier used to identify the mobile service subscriber of the handset 105. When a call is made or a data transfer is initiated, the IMSI is sent from the SIM card 115 to the handset 105, and the handset 105 then sends the IMSI to the subscriber network. The subscriber network is the network that provides mobile service to handset 105. When the network receives the IMSI from the handset 105, the call or data transfer is allowed. SIM card 115 also stores a Mobile Subscriber Integrated Services Digital Network (MSISDN) number, which is an identifier associated with the telephone number of the SIM card 115. The SIM card 115 is typically operated via an MNO.
The MNO can be identified by a network identifier (NetID) that is unique to a particular MNO system. The NetID can be any identifier for the MNO, such as a Mobile Country Code (MCC) or a Mobile Network Code (MNC).

The SIM card 115 also stores applications in its memory, such as the SIM applet 140. The SIM applet 140 is used together with the host agent 175 on the handset 105 to authenticate an entity attempting to access content on the memory card 125 and to log that entity in. The SIM applet 140 generates a credential 135 for access to content on the memory card 125 based on the binding type found in the file header of the corresponding content. Because the content on the memory card 124 is bound to the SIM card 115, the cards are bound together. The content on the memory card 125 can include different binding types in the file headers for different portions of the content (e.g., different files).

FIG. 2 is a flowchart of a process for authenticating and logging in an entity attempting to access protected content on the memory card 125. An entity attempting to access transparent content in a public partition need not be authenticated to access that content. In step 200, the host agent 175 receives a request to access a file stored in the memory card 125. In one embodiment, the request may come from a user of the handset 105. In another embodiment, the request may come from an application on the handset 105, such as application 1 160.

In step 201, the host agent 175 reads the binding type associated with the requested content from the file header of the requested file. All protected content stored in the memory card 125 has a specific binding type associated with it. The binding type can be found in the file header for the content.
The binding type indicates how the content is bound to the SIM card 115 by indicating that the SIM card 115 should use a specific identifier to calculate the credential needed to access the content in the memory card 125. The memory card 125 can be bound to the SIM card 115 based on one or more binding types for the content stored in the memory card 125. For example, the binding type can indicate an identifier for the SIM card 115 (i.e., SIM card binding), an identifier for the handset 105 (i.e., handset binding), an identifier for the memory card 125 (i.e., memory card binding) or an identifier for the MNO of the handset 105 (i.e., network binding). Different binding types can be specified in the file headers for different portions of the content.

Once the binding type is determined from the file header of the requested file (step 201), the host agent 175 accesses the appropriate identification value based on the binding type in step 202. If the binding type is SIM card binding, the host agent 175 accesses the appropriate SIM card identification value from the SIM card 115. In one embodiment, the identification value for SIM card binding is the IMSI number. In another embodiment, the identification value for SIM card binding is the MSISDN number. If the binding type is handset binding, the host agent 175 accesses the appropriate handset identification value from the handset 105. In one embodiment, the identification value for handset binding is the IMEI number. If the binding type is memory card binding, the host agent 175 accesses the appropriate memory card identification value from the memory card 125. In one embodiment, the identification value for memory card binding is the CID. If the binding type is network binding, the host agent 175 uses the telecommunications capabilities of the handset 105 to access the appropriate network identification value from the MNO.
In one embodiment, the identification value for network binding is the NetID.

After the host agent 175 accesses the appropriate identification value based on the binding type of the requested content, the host agent 175 uses that identification value to calculate an account identifier based on the binding type (step 203). The host agent 175 accesses binding rules to calculate the account identifier. The binding rules are typically stored on the SIM card 115, but can also be stored at the host agent 175 or with the content. The binding rules can indicate a specific algorithm for the calculation, which can be specific to each binding type or the same for any of the binding types. The account identifier can be calculated by inputting the identification value (and, optionally, other values specified by the binding rules) into the specific algorithm associated with the binding rules. In one embodiment, the specific algorithm is a cryptographic function. A cryptographic function takes one or more values as input and returns another value, where the other value serves as a representation or fingerprint of the one or more input values. Any cryptographic method can be used, including (by way of non-limiting example) symmetric encryption (e.g., AES, DES, 3DES, etc.), cryptographic hash functions (e.g., SHA-1, etc.) or asymmetric encryption (e.g., PKI, key pair generation, etc.).

The host agent 175 sends the account identifier calculated in step 203 and the identification value accessed in step 202 to the SIM applet 140 in the SIM card 115 (step 204). The SIM applet then uses either or both of the account identifier and the identification value to calculate a credential 135 based on the binding type (step 205). The binding rules for the binding type indicate how to calculate the credential; for example, the binding rules specify that a particular algorithm, such as a cryptographic function, will be used.
The SIM applet 140 uses the account identifier and, optionally, the identification value in the algorithm specified by the binding rules to calculate the credential 135. The SIM applet 140 saves the calculated credential 135 in the memory of the SIM card 115.

Once the SIM applet 140 has calculated the credential 135, the SIM applet 140 sends the credential to the host agent 175 (step 206). The host agent 175 uses the credential 135 received in step 206 and the account identifier calculated in step 203 to log in to an account associated with the requested file (step 207). Each protected file in the memory card 125 is associated with permissions that indicate which entities are allowed to access that file by indicating the account identifiers allowed to access the file. In step 208, the control circuit 145 determines whether the account associated with the account identifier can access the content and whether the credential 135 is valid for that account. If the account identifier and the credential 135 are not valid, access is denied. The host agent receives the login status from the control circuit and returns an error to the entity requesting the content (step 209). If the account identifier 175 and the credential 135 are valid, the host agent 175 allows access to the requested file (step 210).

FIG. 3 is a flowchart of a process for calculating the account identifier (as described in step 203 of FIG. 2). In step 211, the host agent 175 accesses the binding rules associated with the binding type of the requested content. The host agent 175 determines the algorithm for calculating the account identifier (step 212). The algorithm is specified by the binding rules. The host agent 175 provides the identification value accessed in step 202 of FIG. 2 as input to the algorithm (step 213). In one embodiment, additional values can also be used as input, as specified by the binding rules.
The host agent 175 calculates the account identifier by executing the algorithm with these inputs (step 214).

FIG. 4 is a flowchart of a process for calculating the credential 135 (as described in step 205 of FIG. 2). In step 215, the SIM applet 140 accesses the binding rules associated with the binding type of the requested content. The SIM applet 140 determines the algorithm for calculating the credential 135 (step 216). The algorithm is specified by the binding rules. The SIM applet 140 provides the account identifier as input to the algorithm (step 217). In one embodiment, additional identification values can also be used as input, as specified by the binding rules. The SIM applet 140 calculates the credential 135 by executing the algorithm with these inputs (step 218). The SIM applet 140 also saves the credential 135 in the SIM card 115 (step 219).

SIM Card Replacement in Bound Device Configuration

FIGS. 5A-5B depict a block diagram of one system for upgrading an existing SIM card 115 that provides security features for accessing content on the non-volatile memory card 125. An upgrade application 300 within the host agent 175 is used to facilitate upgrading the existing SIM card 115 to a new SIM card 115' via the memory card driver 155 and the SIM card driver 180. An example flow of data and commands between the various components is illustrated by the arrows in FIGS. 5A-5B.

In FIG. 5A, the SIM card 115 and the non-volatile memory card 125 are operatively coupled to the handset 105. The upgrade application 300 receives a request to replace the existing SIM card 115 with a new SIM card 115'. The SIM card 115' is depicted as detached from the handset 105 to illustrate that it is not yet operatively coupled to the handset.
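The chain of FIGS. 2 through 4 (binding type, identification value, account identifier, credential, login), and why a replaced SIM loses access to SIM-bound content until the accounts are re-created (step 416), as an added Python sketch that is not code from the patent. SHA-256, the HMAC key `rule_key`, every class and function name, and all identifier values are assumptions or constructed samples; the page only says the binding rules name a cryptographic function.

```python
import hashlib
import hmac

# Binding type (read from the file header) -> identifier the host agent fetches (step 202).
ID_FOR_BINDING = {"sim": "imsi", "handset": "imei", "card": "cid", "network": "netid"}


def account_id(binding, ids):
    """Host agent, steps 202-203: select the identification value, then fingerprint it."""
    value = ids[ID_FOR_BINDING[binding]]  # KeyError on an unknown binding type
    return hashlib.sha256(f"acct|{binding}|{value}".encode()).hexdigest()[:32]


class SimApplet:
    """Steps 205-206 on the SIM. The keyed derivation and rule_key are assumptions
    of this sketch, standing in for parameters carried by the binding rules."""

    def __init__(self, rule_key):
        self._rule_key = rule_key
        self.saved = {}  # credentials kept in SIM memory (step 219)

    def credential(self, acct, id_value):
        msg = f"{acct}|{id_value}".encode()
        cred = hmac.new(self._rule_key, msg, hashlib.sha256).digest()
        self.saved[acct] = cred
        return cred


class MemoryCard:
    """Control circuit, step 208: accounts, and which accounts may open which file."""

    def __init__(self):
        self.accounts = {}  # account id -> credential
        self.files = {}     # file name -> {"binding": str, "allowed": set of account ids}

    def login(self, acct, cred):
        stored = self.accounts.get(acct)
        return stored is not None and hmac.compare_digest(stored, cred)

    def store(self, name, binding, acct, cred):
        self.accounts[acct] = cred
        self.files[name] = {"binding": binding, "allowed": {acct}}

    def rebind(self, old_acct, old_cred, new_acct, new_cred):
        """Steps 436-442: new account, permissions delegated, old account deleted.
        Requires a successful login to the existing account first (step 420)."""
        if not self.login(old_acct, old_cred):
            return False
        self.accounts[new_acct] = new_cred
        for entry in self.files.values():
            if old_acct in entry["allowed"]:
                entry["allowed"] = (entry["allowed"] - {old_acct}) | {new_acct}
        del self.accounts[old_acct]
        return True


def request_file(card, sim, ids, name):
    """Host agent flow of FIG. 2 (steps 200-210). True means access is allowed."""
    binding = card.files[name]["binding"]                       # step 201
    id_value = ids[ID_FOR_BINDING[binding]]                     # step 202
    acct = account_id(binding, ids)                             # step 203
    cred = sim.credential(acct, id_value)                       # steps 204-206
    return card.login(acct, cred) and acct in card.files[name]["allowed"]


def demo():
    # All values below are constructed samples. Sharing one rule key between the
    # two SIMs stands in for the credential transfer through the TTP.
    key = b"constructed-binding-rule-key"
    old_ids = {"imsi": "IMSI-CONSTRUCTED-01", "imei": "IMEI-CONSTRUCTED-01",
               "cid": "CID-CONSTRUCTED-01", "netid": "NETID-CONSTRUCTED-01"}
    new_ids = dict(old_ids, imsi="IMSI-CONSTRUCTED-02")  # only the SIM changes
    old_sim, new_sim, card = SimApplet(key), SimApplet(key), MemoryCard()

    for name, binding in (("song.mp3", "sim"), ("notes.txt", "card")):
        acct = account_id(binding, old_ids)
        cred = old_sim.credential(acct, old_ids[ID_FOR_BINDING[binding]])
        card.store(name, binding, acct, cred)

    results = {
        "old_sim_song": request_file(card, old_sim, old_ids, "song.mp3"),
        "new_sim_song_before": request_file(card, new_sim, new_ids, "song.mp3"),
        "new_sim_notes": request_file(card, new_sim, new_ids, "notes.txt"),
    }
    # Re-create the SIM-bound account for the new IMSI, authorised by the old credential.
    old_acct, new_acct = account_id("sim", old_ids), account_id("sim", new_ids)
    new_cred = new_sim.credential(new_acct, new_ids["imsi"])
    results["rebind_ok"] = card.rebind(old_acct, old_sim.saved[old_acct], new_acct, new_cred)
    results["new_sim_song_after"] = request_file(card, new_sim, new_ids, "song.mp3")
    results["old_sim_song_after"] = request_file(card, old_sim, old_ids, "song.mp3")
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {allowed}")
```

The memory-card-bound file stays readable across the SIM swap because its account identifier is derived from the CID, while the SIM-bound file is refused until `rebind` runs and the old account is gone afterwards.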
When the upgrade application 300 in the host agent 175 receives the request to upgrade the SIM card 115, the upgrade application 300 requests the credentials 135 stored in the existing SIM card from the SIM applet 140, as indicated by arrow 230. The SIM applet 140 sends the credentials 135 to the upgrade application 300 on the host agent 175, as indicated by arrow 232. The upgrade application 300 then sends the credentials 135 to the TTP 310 via the secure channel 315, as indicated by arrow 234.

The secure channel 315 facilitates data transfer between the host agent 175 and the TTP 310. The data can be sent over the air (OTA) via the secure channel 315 using the telecommunications capabilities of the handset 105. The data can also be sent via the Internet or another network using the secure channel 315. In addition, data sent from the host agent 175 to the TTP 310 via the secure channel 315 is encrypted by the host agent 175 before being sent to the TTP 310. It can then be decrypted when it is received at the TTP 310. When data is sent from the TTP 310 to the host agent 175 via the secure channel 315, it is similarly encrypted before being sent to the handset 105 for the new storage unit, and is then decrypted once it is received at the host agent 175.

Once the TTP 310 receives the credentials from the upgrade application 300 in the host agent 175 via the secure channel 315, the existing SIM card can be removed from the handset 105 and the new SIM card can be inserted. In one embodiment, the upgrade application 300 provides the user with an indication to remove the existing SIM card and insert the new SIM card. After the new SIM card is inserted into the handset 105 and the handset is powered on, the upgrade application 300 on the host agent 175 can be invoked. FIG. 5B depicts the system after the existing SIM card 115 has been removed and the new SIM card 115' has been inserted.
The upgrade application 300 then requests the credentials from the TTP 310 via the secure channel 315, as indicated by arrow 236. As indicated by arrow 238, the upgrade application 300 receives the credentials and, as indicated by arrow 240, sends the received credentials to the SIM applet of the new SIM card. The SIM applet saves the credentials in the new SIM card.

FIG. 6 is a flowchart of one embodiment for upgrading a SIM card 115. In step 400, a user or other entity requests an upgrade of the existing SIM card. In one embodiment, the user can request the SIM card upgrade via the upgrade application 300 on the host agent 175. In step 402, the upgrade application 300 notifies the SIM applet 140 in the existing SIM card that an upgrade request has been received. This allows the SIM applet 140 to prepare the credentials for the upgrade process.

In step 404, the upgrade application 300 uses an address of the TTP 310 to access the TTP 310. In one embodiment, the address is a Uniform Resource Locator (URL) used to locate the TTP 310.

Once the TTP 310 is located and accessed, the SIM applet 140 on the existing SIM card can upload the saved credentials 135 to the TTP 310 via the upgrade application 300 (step 406). The credentials 135 are uploaded to the TTP 310 via the secure channel 315 created by the upgrade application 300.

Once the credentials 135 are successfully uploaded to the TTP 310, the upgrade application 300 deletes the credentials from the existing SIM card (step 408). The upgrade application 300 then notifies the user to insert the new SIM card into the handset 105 (step 410).

The upgrade application 300 determines whether the new SIM card has been inserted (step 412). Once the upgrade application 300 determines that the new SIM card has been inserted, the upgrade application 300 notifies the SIM applet 140 of the new SIM card to prepare to receive the credentials 135 saved at the TTP 310.
In step 414, the SIM applet 140 of the new SIM card downloads the credentials 135 from the TTP 310 via the upgrade application 300. The credentials 135 are sent from the TTP 310 to the SIM applet 140 using the secure channel 315. The SIM applet 140 saves the credentials 135 in the memory of the new SIM card.

For any content in the memory card 125 having a binding type indicating SIM card binding, the accounts associated with that content can be modified. Those accounts on the memory card 125, and the credentials associated with those accounts on the new SIM card, can be modified. Existing accounts for content having a SIM card binding type are associated with account identifiers and credentials calculated from an identifier of the existing SIM card. New accounts are created so that content having a SIM card binding type will be bound to the new SIM card. New account identifiers and credentials can be calculated. This ensures that content having a SIM card binding type can be accessed using the new SIM card. In step 416, new accounts are created in the memory card 125 for all existing accounts having a SIM card binding type.

Once the new accounts are created, the upgrade application 300 notifies the TTP 310 to delete the credentials 135 saved on the TTP 310, and the upgrade process for the SIM card 115 is complete (step 418).

FIG. 7 describes how the step of creating new accounts (step 416 of FIG. 6) is performed. In step 420, the upgrade application 300 logs in to the existing accounts associated with a SIM card binding type. The upgrade application 300 uses the credentials saved at the TTP 310 to log in to the existing accounts.

In step 422, the upgrade application 300 accesses the appropriate identification values, which are needed to calculate, based on the binding rules of the existing accounts, the account identifiers for the accounts having a SIM card binding type.
This includes accessing an identifier of the new SIM card, such as (for example) the IMSI number or the MSISDN number.

After the appropriate identification values have been accessed, the upgrade application 300 directs the host agent 175 to calculate new account identifiers for all existing accounts using the accessed identification values for SIM card binding (step 424). The upgrade application 300 sends the new account identifiers and identification values to the SIM applet 140 in the new SIM card (step 426). In step 428, the SIM applet 140 generates a new credential for each account identifier received, in a manner similar to that described for step 205 of FIG. 2. The new credentials are calculated based on the SIM card binding rules. The SIM applet 140 saves the new credentials in the new SIM card in place of the existing credentials associated with the existing accounts (step 430). The existing credentials calculated using an identifier of the existing SIM card can be deleted. The SIM applet 140 sends the new credentials to the upgrade application 300 on the host agent 175 (step 432).

The upgrade application 300 sends the newly calculated credentials to the control circuit 145 of the memory card 125 (step 434) to initiate the creation of new accounts for all existing accounts in the memory card 125 having SIM card binding. The memory card 125 creates new accounts for all existing accounts with SIM binding (step 436) and associates the new accounts with the corresponding account identifiers and credentials calculated for the new SIM card (step 438). The permissions associated with the existing accounts are delegated to the new accounts (step 440) so that the new accounts can access the appropriate content. Once the new accounts are successfully created in the memory card 125, the existing accounts having a SIM card binding type can be deleted from the memory card 125 (step 442).

Non-Volatile Memory Card Replacement in Bound Device Configuration
Figures 8A-8C are block diagrams of a system for upgrading the non-volatile memory card 125, where memory card 125 holds content that is accessed using a credential stored at, or calculated at, SIM card 115. An example flow of data and commands between the various components is illustrated by the arrows in Figures 8A-8C. Figure 9 is a flow diagram depicting a process for upgrading memory card 125. Figures 8A-8C and 9 will be described in combination with each other.

The system illustrated in Figure 8A is at step 450 of Figure 9, where the user has removed the existing non-volatile memory card 125 and inserted a new non-volatile memory card 125' to begin the upgrade process. When the new memory card 125' is inserted, the upgrade application 300 is notified and uses an address of the TTP 310 (such as, for example, a URL) to access the TTP 310 (step 452). At step 454, the upgrade application 300, as indicated by arrow 250, transmits the CID of the new memory card 125' to the TTP 310. Once the TTP 310 receives the CID of the new memory card 125', the TTP 310 sends the upgrade application 300 a request to insert the existing memory card, as indicated by arrow 252, at step 456. The upgrade application 300 notifies the user to insert the existing memory card (step 458). The upgrade application 300 waits until the new memory card is removed and the existing memory card is inserted (step 460). In one embodiment, the handset 105 may be capable of operating multiple memory cards at a time, so that the new memory card does not have to be removed from the handset 105 before the content is sent from the existing memory device to the TTP 310. In one embodiment, an upgrade may be requested explicitly, rather than by removing an existing memory card and inserting a new memory card.

The system illustrated in Figure 8B is the system after the new non-volatile memory card 125' has been removed and the existing memory card 125 has been inserted.
Once the existing memory card 125 is inserted into the handset 105, the upgrade application 300 directs the SIM applet 140 to upload the credential 135 on the SIM card 115 to TTP 310, as indicated by arrow 254. At step 462, credential 135 is received from the SIM applet, as indicated by arrow 256, and uploaded to TTP 310 using secure channel 315, as indicated by arrow 258. At step 464, the upgrade application 300 uses the credential 135 to log into the existing memory card accounts on the non-volatile memory card 125, as indicated by arrow 260. Once the upgrade application 300 has logged into the existing memory card accounts, it receives the content from the existing memory card, as indicated by arrow 262. At step 466, the upgrade application uploads the content to the TTP 310, as indicated by arrow 264.

The content may include user data and other information stored on the existing memory card. The user data may include protected or unprotected content or files, and transparent content stored on the existing memory card. Other information from the existing memory card may include configuration information, account information, hidden partitions, user data information, and any other information associated with the existing memory card. The configuration information indicates how the content is organized and stored in the existing memory card. The account information may be any information associated with an account in the existing memory card, such as, for example, an account identifier, a credential associated with the account identifier, and an account level. The account level provides information about which accounts have a higher level of access than other accounts. In addition, one account can create another account, so the account level also shows how the accounts were created. Hidden partition information can include, for example, partition names and partition sizes.
The user data information may include licenses associated with the user data (e.g., CEKs, rights objects, etc.). The upgrade application 300 may also provide TTP 310 with any other information that the memory card 125 may store, such as (for example) the CID of the existing memory card. Once the upgrade application 300 has successfully uploaded the content from the existing memory card 125 to the TTP 310, at step 468 the upgrade application 300 deletes the contents of the existing memory card, as indicated by arrow 266. Once the information and content from the existing memory card have been successfully transferred to TTP 310 and deleted from the existing memory card, the upgrade application 300 notifies the user to insert the new memory card (step 470). The upgrade application 300 determines whether the new memory card has been inserted into the handset 105 (step 472).

The system illustrated in Figure 8C is the system after the existing non-volatile memory card 125 has been removed and the new non-volatile memory card 125' has been inserted. When the new memory card has been inserted, the upgrade application 300, as indicated by arrow 268, at step 474 sends the TTP an upgrade or download request for the content and configuration information previously uploaded from the existing memory card 125. The download request will include the CIDs of the new and existing memory cards. At step 476, TTP 310 checks whether the CID received from the upgrade application at step 474 matches the CID of the new memory card received at step 454. If the CID received at step 474 does not match the CID received at step 454, the TTP returns an error to the upgrade application 300 (step 478). If the CIDs match, then at step 480 the upgrade application 300, as indicated by arrow 270, downloads the configuration information for the partitions and accounts from TTP 310.
At step 482, as indicated by arrow 272, the upgrade application 300 instructs the new memory card to recreate the partitions based on the configuration information. At step 484, as indicated by arrow 274, the upgrade application 300 then downloads account information, such as account identifiers, credentials, and permissions, from TTP 310. The upgrade application 300, as indicated by arrow 276, at step 486 directs the new memory card to create new accounts based on the account information and credentials received from TTP 310. Once the new memory card has been configured and the new accounts have been created, the upgrade application 300, as indicated by arrow 278, at step 488 downloads the content, including the corresponding licenses (e.g., CEKs, rights objects, etc.), from TTP 310. At step 490, as indicated by arrow 280, the upgrade application 300 instructs the new memory card to save the content and licenses in the proper locations. The upgrade application 300 also causes the content to be associated with the appropriate accounts. When the content is saved in the new memory card, the accounts for content having a binding type associated with memory card 125 are modified. In addition, the credentials associated with that content are also modified, so that content having a memory card binding type is associated with the new memory card. Once the upgrade application 300 has downloaded all of the content from the TTP 310 and saved it to the new memory card 125', then at step 492 the upgrade application 300, as indicated by arrow 282, directs the TTP 310 to delete the content from the existing memory card 125 that is stored on TTP 310.

Figure 10 depicts a process for saving content on the new memory card (step 490 of Figure 9). The process includes modifying the portion of the content that has a memory card binding type.
Since a portion of the content has been associated with an account identifier and a credential calculated from the CID of the existing memory card, that portion of the content should be modified so that it is associated with an account identifier and a credential calculated from the CID of the new memory card. In addition, the portion of the credentials in the SIM card 115 that were calculated from the CID of the existing memory card should be modified, so that the SIM card 115 stores the new credentials calculated from the CID of the new memory card.

In step 500 of Figure 10, the upgrade application 300 accesses the appropriate identification values based on the memory card binding rules of the accounts downloaded from TTP 310. The identification value can be the CID of the new memory card. The upgrade application 300 uses these identification values to calculate new account identifiers, using the memory card binding rules, for the accounts that have a memory card binding type (step 502). The upgrade application 300 sends the new account identifiers and identification values to the SIM applet 140 on the new SIM card (step 504). The SIM applet 140 uses the account identifiers sent from the upgrade application 300 to generate new credentials for the accounts having a memory card binding type (step 506). The SIM applet 140 also modifies the portion of the credentials associated with the existing memory card by saving the new credentials in the SIM card 115 and deleting the existing credentials for those accounts. Once the new credentials are generated, the SIM applet 140 sends the new credentials to the upgrade application (step 508). The upgrade application 300 then sends the new credentials and the new account identifiers to the new memory card to initiate modification of the content having a memory card binding type (step 510).
The upgrade application 300 directs the new memory card to create new accounts for those existing accounts with a memory card binding type that were downloaded from TTP 310 (step 512). The upgrade application 300 then directs the new memory card to associate the new accounts with the new account identifiers and the new credentials (step 514). The upgrade application 300 directs the new memory card to delegate the permissions of the existing accounts to the corresponding new accounts (step 516). Once the new accounts have been successfully created and associated with the new memory card, the existing accounts bound to the existing memory card are deleted from the new memory card (step 518).

Figure 11 depicts one example of how to create a secure channel 315 for data transfer between handset 105 and TTP 310 (such as transmitting a credential in step 406 or transmitting the content in step 466 of Figure 9). When creating secure channel 315, the host agent 175 creates a session for the delivery of the data. The session is created by associating it with a session ID. The session ID is a unique identifier of the session created for the transfer. The session ID is associated with a session key, which is an encryption key used to encrypt the data.

In step 520 of Figure 11, host agent 175 uses the session key associated with the session ID of the secure channel session to encrypt the content (for example, credentials, memory card content, etc.). The host agent 175 sends the session ID to the TTP 310 (step 522). TTP 310 has a record of which session keys are associated with which session IDs, so TTP 310 can look up the session key corresponding to the session ID sent by host agent 175. Host agent 175 sends the encrypted version of the content to TTP 310 (step 524). TTP 310 can decrypt the content received from host agent 175 using the session key associated with the session ID that host agent 175 sent to TTP 310 (step 526).

Figure 12 depicts one example of a process for transferring transparent content (i.e., unprotected content in a public partition). Since transparent content is publicly accessible to any entity, transparent content is not associated with an account.
Therefore, the steps of Figure 9 and Figure 10 may not be needed for transparent content. In step 530, the upgrade application 300 in the host agent 175 uploads the transparent content from the existing memory card to temporary storage that is in communication with the existing memory card, for example, the TTP or a computing device or storage medium. In one embodiment, if the handset 105 has enough internal memory to serve as temporary storage, the host agent 175 can upload the transparent content from the existing memory card to the handset 105. In step 532, once the temporary storage is in communication with the new memory card, the upgrade application 300 downloads the transparent content from the temporary storage to the new memory card.

Figure 13 depicts one example of a process for encrypting and decrypting protected content in the memory card using a CEK. When protected content is transferred from the existing memory card to the new memory card, the protected content in the existing memory card should be decrypted using the CEK before it is sent to the TTP 310 (step 540). This occurs in step 464 of Figure 9, when the upgrade application 300 logs into the existing memory card accounts. The CEK for the content is indicated by the license associated with the content. Once the protected content is decrypted, the upgrade application 300 uses the secure channel 315 to upload the decrypted content to the TTP 310 (step 542 and step 466 of Figure 9). When the new memory card is ready to store the content from the existing memory card, the upgrade application 300 uses the secure channel 315 to download the protected content from TTP 310, together with the rights objects associated with the protected content (step 544 and step 488 of Figure 9). The upgrade application 300 sends the content to the new memory card and directs the new memory card to encrypt the protected content using the CEK (step 546).
The new memory card saves the encrypted content in the proper location (step 548 and step 490 of Figure 9).

Using a network to access memory device content

Embodiments of the present invention can also be used to provide access to content on a first memory device that is bound to a second memory device, where the first memory device and the second memory device are operatively coupled to different host devices. The first memory device can be any non-volatile storage device, such as (for example) a removable non-volatile flash memory card. The first memory device is operatively coupled to a first host device. The first memory device can be operated via a host agent on the first host device. The first host device can be any electronic device, such as a cellular phone, digital camera, mobile media player, personal digital assistant, mobile computing device, non-mobile computing device, or any other device.

The second memory device is operatively coupled to a second host device by a host agent on the second host device. The second memory device can also be any non-volatile storage device, such as (for example) a Subscriber Identity Module (SIM) card. The first memory device is associated with the second memory device. In one embodiment, both memory devices can be operated via one host device, using a host agent on that host device. The host agent can be any software entity on the host device that can be used to operate the memory devices via the host device, such as an application installed on the host device. The host agent allows access to the memory devices.

When access to content on the first memory device is requested, the host agent on the first host device calculates an account identifier associated with the requested content. The account identifier is sent to a server. The server may be operated by a network service provider for the host devices (such as a mobile network operator (MNO)) or by any third party.
In one embodiment, the server is a trusted third party (TTP) server. Throughout the description of the disclosed technology, the server is referred to as a TTP. However, the technology is not limited to this embodiment, and any server can be used with the disclosed technology. Once the host agent sends the account identifier to the TTP, the TTP sends the account identifier to the second host agent. The second memory device in the second host device uses the account identifier to calculate a credential. The credential is sent from the second host device to the server, and then from the server to the host agent on the first host device. If the credential is valid, the card allows the application on the device to access the requested content. The card can return the login status to the host agent.

As described in Figure 2, access to content on the memory card 125 in handset 105 requires a credential from the SIM card 115 in handset 105. Typically, access occurs via one host device (e.g., handset 105). However, if a user operates memory card 125 on a device other than the device on which SIM card 115 operates, the credential should be accessed from the SIM card 115 on handset 105. Figure 14 is a block diagram of one system for accessing content on a memory card in a first host device 304, where the memory card is bound to a SIM card operating in a second host device 305. The system includes the first host device 304, which operates SIM card 115 using the first device host agent 175. A second host device 305 operates memory card 125 via a second device host agent 175A on the second host device 305. The first and second host devices 304 and 305 can be any electronic device, such as a mobile phone, a media player, a mobile computing device, a non-mobile computing device, a personal digital assistant, or any other device. The two devices do not need to be of the same type.
The host agent 175A on the second host device 305 is similar to the host agent 175 on the first host device 304; both are as described in Figure 2. A TTP 310 is used to access a credential 135 from the SIM card 115 on the first host device 304, so that the second host device 305 can use that credential 135 to access the content on memory card 125. TTP 310 can be any server, such as (for example) a trusted third party server. The second host device 305 communicates with TTP 310 via channel 2 320. Handset 105 communicates with TTP 310 using channel 1 315.

When an entity requests access to content on memory card 125 via host agent 175A on the second host device 305, host agent 175A accesses, via control circuit 145, the binding type associated with the requested content in storage area 150, and calculates an account identifier based on the binding type, as described in Figure 2.

Once the account identifier has been calculated, host agent 175A sends the account identifier to TTP 310 via channel 2 320. Channel 2 320 is a secure channel that can transmit data over the air (OTA) using the telecommunication capabilities of the second device 305 (if the second device 305 is capable of this). If the second device 305 can access the Internet or another network, channel 2 320 can also transmit data via the Internet or the other network. A secure channel facilitates the transmission of data that is encrypted before being sent over the channel and decrypted after being received over the channel, to prevent another entity from obtaining the data while it is in transit over the channel. A secure channel is created by initiating a transmission session.

The session is assigned a session ID. Each session ID is associated with a session key, which is an encryption key used to encrypt the data to be transmitted. The session IDs and their corresponding session keys can be kept in a reference table maintained by host agent 175A. Before the account identifier is sent from host agent 175A to TTP 310, host agent 175A opens the session by assigning the session ID to a session. Host agent 175A encrypts the account identifier using the session key associated with the session ID of that session. Host agent 175A sends the session ID to TTP 310 and then transmits the encrypted account identifier to TTP 310 via channel 2 320. TTP 310 and host agent 175 likewise maintain a reference table of session IDs similar to the one maintained by host agent 175A.
TTP 310 can then use the session ID sent by host agent 175A to decrypt the received account identifier with the session key associated with that session ID. Encryption and decryption of content for a secure channel can be performed by host agent 175A, host agent 175, or TTP 310. Host agent 175A, host agent 175, or TTP 310 can support any encryption method, such as symmetric encryption (e.g., AES, DES, 3DES, etc.), cryptographic hash functions (e.g., SHA-1, etc.), asymmetric encryption (e.g., key pair generation, etc.), or any other cryptographic method.

Once TTP 310 receives the account identifier from the device host agent 175A, TTP 310 sends the account identifier to the handset host agent 175 via channel 1 315. Channel 1 315 is also a secure channel, which can transmit data OTA using the telecommunication capabilities of handset 105. TTP 310 can decrypt the account identifier received from the second device 305 and re-encrypt it for transmission to handset 105.

The handset host agent 175 directs the SIM applet 140 to calculate credential 135 using the account identifier of the requested content. When credential 135 has been calculated, host agent 175 sends the credential to TTP 310 via secure channel 1 315.

Once TTP 310 receives credential 135 from host agent 175, TTP 310 stores a temporary credential 135A at the TTP for a limited amount of time. The temporary credential 135A is stored so that the second device 305 can access the content again during that limited amount of time by providing the account identifier to TTP 310, and TTP 310 will not have to request credential 135 again from the SIM card 115 on the first host device 304.

TTP 310 sends credential 135 to host agent 175A on the second device 305 via secure channel 2 320. In one embodiment, host agent 175A uses credential 135 to access the content, as described in Figure 2.
The device host agent 175A likewise stores a temporary credential 135B for a limited amount of time, so that the content can be accessed within that time without another account identifier or credential 135 having to be calculated again. In one embodiment, the device host agent 175A stores the temporary credential 135B until the second device 305 is turned off.

Figure 15 is a flow diagram of one process for accessing the content in a system similar to the system shown in Figure 14. In step 600, the device host agent 175A on the second device 305 receives a request to access a file in the storage area 150 of the memory card 125 on the second device 305. When the request is received, the device host agent 175A accesses the file header of the requested content via the control module 145 of the memory card 125. The file header stores the binding type of the content, the location of TTP 310, such as (for example) a Uniform Resource Locator (URL) for the location of TTP 310, and the MSISDN of the SIM card 115 that is bound to memory card 125. In step 605, the device host agent 175A can access the binding type, the TTP 310 location, and the MSISDN associated with the content.

In step 610, the device host agent 175A determines whether the requested content is preloaded or is transparent content. Preloaded content is loaded onto memory card 125 in advance by the manufacturer of memory card 125. Preloaded content can be unprotected content or protected content stored in a public partition of memory card 125. Transparent content can be unprotected content stored in a public partition of memory card 125. If host agent 175A determines that the requested content is preloaded content, host agent 175A allows the requesting entity to access the content (step 615).
If host agent 175A determines that the requested content is not preloaded or is not transparent, the host agent determines whether the binding type accessed in step 605 is a SIM card binding (step 620). Generally, content bound to SIM card 115 can only be accessed when memory card 125 and SIM card 115 are operating on the same device. If the requested content has a SIM card binding type, host agent 175A denies access to the content (step 625).
If the requested content is not bound to SIM card 115, host agent 175A determines whether the requested content has a NetID or a CID binding type (step 630). If the requested content is not bound to the MNO or to memory card 125, host agent 175A returns an error to the requesting entity (step 635). If the requested content is bound to the MNO or to memory card 125, the device host agent 175A accesses the appropriate identification value based on the binding type (step 640). For example, if the requested content is bound to the MNO, an identification value of the MNO (e.g., MCC, MNC) is accessed. If the requested content is bound to memory card 125, an identification value of memory card 125 (e.g., CID) is accessed.
In step 645, the device host agent 175A uses the accessed identification value to calculate an account identifier based on the binding type. The account identifier is calculated as described in steps 2, 215 and as shown in FIG. The device host agent 175A uses the TTP location accessed in step 605 to locate TTP 310 and sends the account identifier, the identification value accessed in step 640, the MSISDN accessed in step 605 and the binding type accessed in step 605 to TTP 310 via secure channel 2 320 (step 650). The device host agent 175A can use an API to send the information to TTP 310 and request credential 135.
An example of the API is a GetCredential command with the following parameters: CID, NetID (which may be "empty" if the requested content is not bound to the MNO), MSISDN, and account identifier. Host agent 175A can use this API command to transfer the data to TTP 310 via secure channel 2 320 by assigning a session ID to the data. In addition, TTP 310 maintains a database of information such as the CID, NetID, MSISDN, account identifier, etc.
TTP 310 uses the MSISDN to locate the handset 105 that has SIM card 115 (step 655). Once SIM card 115 is located, TTP 310 transmits the account identifier, the identification value (e.g., NetID, CID) and the binding type to host agent 175 on handset 105 via secure channel 1 315, and host agent 175 sends the information to SIM applet 140 on SIM card 115 (step 660). In step 665, SIM applet 140 uses the received information to calculate credential 135 based on the binding type of the requested content. Credential 135 is calculated as in step 205 and as in Figure 4. After credential 135 is calculated, SIM applet 140 uses secure channel 1 315 to send credential 135 to TTP 310 (step 670).
Once TTP 310 receives credential 135, TTP 310 saves a temporary credential 135A for a limited amount of time (step 675). Temporary credential 135A is stored in a database maintained at TTP 310. Temporary credential 135A and the time at which temporary credential 135A is to be deleted from TTP 310 are maintained in the database along with the CID, NetID, MSISDN and account identifier. TTP 310 sends credential 135 to the device host agent 175A on the other device 305 using secure channel 2 320 (step 680). Host agent 175A decrypts the received credential sent via the secure channel and saves a temporary credential 135B in host agent 175A for a limited amount of time (step 685).
After the limited amount of time, the device host agent 175A deletes temporary credential 135B. The device host agent 175A attempts to log into the account associated with the requested content using credential 135 and the account identifier (step 690). The device host agent 175A determines whether the login was successful (step 692). That is, the device host agent 175A determines whether the credential is valid for the account associated with the account identifier. If the credential is invalid, the device host agent 175A returns an error to the requesting entity (step 695). If the credential is valid, the device host agent 175A accesses the requested content from memory card 125 (step 698).
Figure 16 is a flow chart of a process for accessing other content on memory card 125 when the second device 305 has previously requested content on memory card 125. The previous request for content may be similar to the request described in Figure 15. In step 700 of Figure 16, the device host agent 175A on the second device 305 receives another request to access a file stored in memory card 125. The device host agent 175A determines whether the requested content is preloaded or transparent (step 705). If the requested content is preloaded or transparent, the device host agent 175A allows access to the content (step 710). If the requested content is not preloaded or is not transparent, the device host agent 175A determines whether the requested content has a SIM card binding type (step 715). If the requested content is bound to SIM card 115, the device host agent 175A denies access to the requested content (step 720). If the requested content is not bound to SIM card 115, the device host agent 175A determines whether the requested content is bound to the MNO or to memory card 125 (step 725). If the requested content is not bound to the MNO or to memory card 125, the device host agent 175A returns an error to the requesting entity (step 730).
If the device host agent 175A determines that the requested content is bound to the MNO or to memory card 125, the device host agent 175A determines whether it has a stored temporary credential 135B (step 735). If the device host agent 175A already has temporary credential 135B, it attempts to log in and access the file using temporary credential 135B (step 765). If the credential is valid, memory card 125 allows the device host agent 175A to access the file (step 770).
If the device host agent 175A does not have a stored temporary credential 135B for the requested content, the device host agent 175A calculates an account identifier based on the binding type of the requested content (step 738). This is similar to steps 640-645 in Figure 15. The device host agent 175A locates TTP 310 using the TTP location stored in the file header of the requested content and transmits the account identifier to TTP 310 via secure channel 2 320 (step 740). TTP 310 checks whether the account identifier received from the device host agent 175A is already stored in the TTP database along with a temporary credential 135A (step 745). If TTP 310 already has a temporary credential 135A associated with the account identifier, TTP 310 sends temporary credential 135A to the device host agent 175A via secure channel 2 320 (step 755). The device host agent 175A uses the received credential 135A to store a temporary credential 135B in the device host agent 175A for a limited amount of time (step 760). The device host agent 175A uses temporary credential 135B to attempt to log into the account associated with the account identifier in order to access the file (step 765). If the credential is valid, the memory card allows the device host agent to access the file (step 770).
If TTP 310 does not have a temporary credential 135A stored in its database, TTP 310 requests the credential from SIM card 115 using the account identifier received in step 740 (step 750). That is, since a credential has not previously been requested for the requested content, step 455 48 of Fig. 6 is performed. TTP 310 obtains credential 135 from handset 105, saves temporary credential 135A at TTP 310 and sends the credential to the second device 305 (see steps 655-680 of Figure 15 for more details). The device host agent 175A on the other device 305 saves a temporary credential 135B for a limited amount of time (step 760), attempts to log in using the credential and access the file (step 765) and, if credential 135 is valid, accesses the file (step 770).
Figure 17 illustrates a memory device 870 having read/write circuits for reading and programming a page of memory cells (e.g., NAND multi-state flash memory) in parallel. For example, memory device 870 can be SIM card 115 or memory card 125. Memory device 870 may include one or more memory dies or chips 805. Memory die 805 includes a memory cell array (two-dimensional or three-dimensional) 800, a control circuit 810 and read/write circuits 835A and 835B. In some embodiments, access to memory array 800 by the various peripheral circuits is implemented in a symmetric fashion, on opposite sides of the array, so that the densities of access lines and circuitry on each side are reduced by half. Read/write circuits 835A and 835B include a plurality of sense blocks 845, which allow reading or programming in parallel. Memory array 800 is addressable by word lines via row decoders 865A and 865B and by bit lines via column decoders 840A and 840B. In an exemplary embodiment, a controller 855 is included in the same memory device 870 (e.g., a removable memory card or package) as the one or more memory dies 805.
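The access flow of Figures 15 and 16 described above, as an added Python sketch that is not code from the patent or from any product: it models the binding-type decisions, the GetCredential relay through the TTP, and the two temporary credential stores (135A at the TTP, 135B at the device host agent) with their deletion times. The class and function names, the SHA-256 and HMAC-SHA256 derivations, the 30 s and 60 s lifetimes, and every identifier value are assumptions made for the illustration.

```python
import hashlib
import hmac
from collections import namedtuple

# Assumption: the real derivations (Figures 3 and 4) are not on this page, so
# SHA-256 and HMAC-SHA256 stand in for them. All values below are constructed.
FileHeader = namedtuple("FileHeader", "binding_type msisdn")
MemoryCard = namedtuple("MemoryCard", "cid net_id files accounts")  # card 125

def account_identifier(binding_type, id_value):
    return hashlib.sha256(f"{binding_type}:{id_value}".encode()).hexdigest()

def card_login(card, account_id, credential):
    """Login on the card succeeds only with the credential of that account."""
    return hmac.compare_digest(card.accounts.get(account_id, ""), credential)

class Clock:                      # injectable time source, so expiry is testable
    now = 0
    def __call__(self):
        return self.now

class TempStore:
    """Temporary credential (135A or 135B) kept with its deletion time."""
    def __init__(self, ttl, clock):
        self.ttl, self.clock, self.items = ttl, clock, {}
    def get(self, account_id):
        credential, delete_at = self.items.get(account_id, (None, 0))
        if self.clock() >= delete_at:
            self.items.pop(account_id, None)      # the limited time is over
            return None
        return credential
    def put(self, account_id, credential):
        self.items[account_id] = (credential, self.clock() + self.ttl)

class SimApplet:
    """Stands in for SIM applet 140; the secret never leaves the SIM."""
    def __init__(self, secret):
        self.secret, self.calls = secret, 0
    def calculate_credential(self, account_id, binding_type):
        self.calls += 1
        msg = f"{binding_type}:{account_id}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

class TTP:
    """Stands in for TTP 310; takes the GetCredential parameters, caches 135A."""
    def __init__(self, handsets, ttl, clock):
        self.handsets, self.store = handsets, TempStore(ttl, clock)
    def get_credential(self, cid, net_id, msisdn, account_id, binding_type):
        credential = self.store.get(account_id)              # steps 745/755
        if credential is None:
            applet = self.handsets[msisdn]                   # step 655
            credential = applet.calculate_credential(account_id, binding_type)
            self.store.put(account_id, credential)           # step 675
        return credential

class DeviceHostAgent:
    """Stands in for host agent 175A on the second device 305."""
    def __init__(self, card, ttp, ttl, clock):
        self.card, self.ttp = card, ttp
        self.store = TempStore(ttl, clock)        # temporary credential 135B
    def access(self, name):
        header, data = self.card.files[name]
        kind = header.binding_type
        if kind in ("preloaded", "transparent"):
            return data                                      # steps 610/615
        if kind == "SIM":                                    # steps 620/625
            raise PermissionError("SIM-bound content needs the SIM locally")
        if kind not in ("NetID", "CID"):
            raise ValueError("unsupported binding type")     # step 635
        id_value = self.card.net_id if kind == "NetID" else self.card.cid
        account_id = account_identifier(kind, id_value)      # steps 640/645
        credential = self.store.get(account_id)              # step 735
        if credential is None:
            net_id = self.card.net_id if kind == "NetID" else None
            credential = self.ttp.get_credential(
                self.card.cid, net_id, header.msisdn, account_id, kind)
            self.store.put(account_id, credential)           # steps 685/760
        if not card_login(self.card, account_id, credential):
            raise PermissionError("credential rejected")     # step 695
        return data                                          # steps 698/770

def build_demo():
    """Constructed scenario: device keeps 135B for 30 s, TTP keeps 135A for 60 s."""
    clock, sim = Clock(), SimApplet(b"constructed-sim-secret")
    account_id = account_identifier("CID", "CID-0001")
    accounts = {account_id: sim.calculate_credential(account_id, "CID")}
    sim.calls = 0                                 # provisioning is not counted
    files = {"bound.bin": (FileHeader("CID", "15555550100"), b"bound"),
             "promo.bin": (FileHeader("preloaded", ""), b"promo"),
             "local.bin": (FileHeader("SIM", ""), b"local")}
    card = MemoryCard("CID-0001", "001-01", files, accounts)
    ttp = TTP({"15555550100": sim}, ttl=60, clock=clock)
    return DeviceHostAgent(card, ttp, ttl=30, clock=clock), sim, clock

if __name__ == "__main__":
    agent, sim, clock = build_demo()
    for t in (0, 10, 40, 100):
        clock.now = t
        print(t, agent.access("bound.bin"), sim.calls)
```

With these constructed lifetimes the SIM applet is contacted only at t=0 and t=100. The copy the device fetches from the TTP at t=40 is kept until t=70, after the TTP deletes its own copy at t=60, so each store's limited time runs independently.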
Commands and data are transferred between the host and controller 855 via lines 860, and between the controller and the one or more memory dies 805 via lines 850.
Control circuit 810 cooperates with read/write circuits 835A and 835B to perform memory operations on memory array 800. Control circuit 810 includes a firmware module 815, a state machine 830, an on-chip address decoder 825 and a power control module 820. Firmware module 815 provides the security features of memory device 870, such as, for example, encryption and decryption. State machine 830 provides chip-level control of memory operations. On-chip address decoder 825 provides an address interface between the hardware address used by the host or a memory controller and the hardware address used by decoders 840A, 840B, 865A and 865B. Power control module 820 controls the power and voltages supplied to the word lines and bit lines during memory operations. In one embodiment, power control module 820 includes one or more charge pumps that can create voltages larger than the supply voltage.
In one embodiment, one or any combination of control circuit 810, power control circuit 820, decoder circuit 825, state machine circuit 830, firmware module 815, decoder circuit 840A, decoder circuit 840B, decoder circuit 865A, decoder circuit 865B, read/write circuit 835A, read/write circuit 835B and/or controller 855 can be referred to as one or more managing circuits. The one or more managing circuits can perform a memory access process as described herein.
FIG. 18 depicts an exemplary structure of memory cell array 800. In one embodiment, the memory cell array is divided into a large number of blocks of memory cells (e.g., blocks 0-1023, or another number). As is typical for flash EEPROM systems, the block can be the unit of erase. Each block can contain the minimum number of memory cells that are erased together. Other units of erase can also be used.
A block contains a set of NAND strings that are accessed via bit lines (e.g., bit lines BL0-BL69623) and word lines (WL0, WL1, WL2, WL3). Figure 17 shows four memory cells connected in series to form a NAND string. Although each NAND string is shown as including four cells, more or fewer than four can be used (for example, there may be 16, 32, 64, 128 or another number of memory cells on a NAND string). One terminal of the NAND string is connected to a corresponding bit line via a drain select gate (connected to select gate drain line SGD), and the other terminal is connected to the source line via a source select gate (connected to select gate source line SGS).
In one embodiment, the bit lines are divided into odd bit lines and even bit lines. In an odd/even bit line architecture, memory cells along a common word line and connected to the odd bit lines are programmed at one time, while memory cells along a common word line and connected to the even bit lines are programmed at another time. In another embodiment, all memory cells connected to a common word line are programmed together.
Each block is typically divided into a number of pages. In one embodiment, a page is a unit of programming. One or more pages of data are typically stored in one row of memory cells. For example, one or more pages of data can be stored in memory cells connected to a common word line. A page can store one or more sectors. A sector includes user data and overhead data (also called system data). Overhead data typically includes header information and an error correction code (ECC) that has been calculated from the user data of the sector. The controller (or another component) calculates the ECC when data is being programmed into the array, and also checks the ECC when data is being read from the array. Alternatively, the ECC and/or other overhead data are stored in different pages, or even different blocks, than the user data to which they pertain. A sector of user data is typically 512 bytes, corresponding to the size of a sector in a magnetic disk drive. A large number of pages form a block, anywhere from 8 pages, for example, up to 32, 64, 128 or more pages. Blocks, pages and sectors of different sizes can also be used.
The foregoing detailed description of various embodiments is not intended to be exhaustive or to limit the disclosed technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen to best explain the principles of the technology and its practical application, thereby enabling those skilled in the art to best utilize the technology in various embodiments and with various modifications suited to the particular use contemplated. The above description is not intended to limit the scope of the disclosed technology as set forth in the appended claims.
BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1A is a block diagram of two memory devices in communication with a host device.
Figure 1B is a block diagram of two memory devices in communication with a handset host device.
Figure 2 is a flow chart of a process for accessing content on a memory device.
Figure 3 is a flow chart of a process for calculating an account identifier.
Figure 4 is a flow chart of a process for calculating a credential.
Figures 5A-5B are block diagrams depicting a system for replacing an existing SIM card with a new Subscriber Identity Module (SIM) card, where the existing SIM card was bound to a non-volatile memory card before being replaced.
Figure 6 is a flow chart of a process for replacing an existing SIM card with a new SIM card, where the existing SIM card was bound to a non-volatile memory card before being replaced.
Figure 7 is a flow chart of a process for creating new accounts in a SIM card.
Figures 8A-8C are block diagrams depicting a system for replacing an existing memory card with a new memory card, where the existing memory card was bound to a SIM card before being replaced.
Figure 9 is a flow chart of a process for replacing an existing memory card with a new memory card, where the existing memory card was bound to a SIM card before being replaced.
Figure 10 is a flow chart of a process for saving content on a new memory card.
Figure 11 is a flow chart of a process for creating a secure channel.
Figure 12 is a flow chart of a process for transferring transparent content on an existing memory card to a new memory card.
Figure 13 is a flow chart of a process for transferring encrypted content on an existing memory card to a new memory card.
Figure 14 is a block diagram of a device communicating with a trusted third party server to access a credential on a handset device.
Figure 15 is a flow chart of a process for accessing a credential for content via a network.
Figure 16 is a flow chart of a process for accessing a credential for content.

Figure 17 is a block diagram of a memory device.
Figure 18 is a block diagram depicting one embodiment of a memory array.
DESCRIPTION OF MAIN COMPONENT SYMBOLS
100 Host device
105 Handset
110 SIM card
115 SIM card
115' New SIM card
120 Non-volatile memory card
125 Non-volatile memory card
125' New non-volatile memory card
130 Processor
135 Credential
135A Temporary credential
135B Temporary credential
140 SIM applet
145 Control circuit
150 Storage area
152 Partition
154 Partition
155 Memory card driver
160 Application 1
165 Application 2
170 Application n
175 Host agent
175A Host agent
180 SIM card driver
300 Upgrade application
304 First host device
305 Second host device
310 TTP
315 Channel 1
320 Channel 2
800 Memory cell array
805 Memory die
810 Control circuit
815 Firmware module
820 Power control circuit
825 Decoder circuit
830 State machine circuit
835A Read/write circuit
835B Read/write circuit
840A Column decoder
840B Column decoder
845 Sense block
850 Lines
855 Controller
860 Lines
865A Row decoder
865B Row decoder
870 Memory device

Claims (1)

VII. Claims:

1. A method for accessing content, comprising: determining, in a first device, an account identifier associated with content on a first storage unit, the first storage unit being operatively coupled to the first device; sending the account identifier from the first device to a server; receiving, in the first device, a credential from a second device via the server, the credential being based on the account identifier; and if the credential is valid, accessing the content in the first storage unit using the credential, the accessing being performed by the first device.

2. The method of claim 1, wherein: the first storage unit is associated with a second storage unit based on one or more identification values, the second storage unit being operatively coupled to the second device, and the determining includes determining the account identifier based on the one or more identification values.

3. The method of claim 2, further comprising: accessing a binding type associated with the content, the binding type indicating one or more identifiers corresponding to the one or more identification values, the accessing being performed by the first device.

4. The method of claim 2, further comprising: preventing access to the content if the one or more identification values are an identifier associated with the second storage unit.

5. The method of claim 2, wherein: the one or more identification values are an identifier associated with the first storage unit.

6. The method of claim 2, wherein: the one or more identification values are an identifier associated with a service provider.

7. The method of claim 1, further comprising: receiving, in the first device, a request to access the content, the step of determining an account identifier being performed in response to receiving the request.

8. The method of claim 1, further comprising: determining, in the first device, whether the credential is valid.

9. The method of claim 1, further comprising: if the credential is valid, accessing other content associated with the account identifier, the accessing being performed by the first device.

10. The method of claim 9, further comprising: storing the credential in the first device for a limited amount of time, the step of accessing other content being performed during the limited amount of time; and deleting the credential after the limited amount of time.

11. The method of claim 1, wherein the step of receiving the credential in the first device comprises: receiving an encrypted version of the credential; and decrypting the encrypted version of the credential.

12. The method of claim 1, further comprising: returning an error if the credential is invalid.

13. The method of claim 1, wherein: the account identifier is sent to the server via an Internet connection; and the credential is received from the server via the Internet connection.

14. The method of claim 1, wherein: the account identifier is sent to the server via a mobile network; and the credential is received from the server via the mobile network.

15. The method of claim 1, further comprising: accessing a server address from the content; and locating the server using the server address.

16. The method of claim 1, wherein: the first storage unit is a removable non-volatile flash memory card.

17. The method of claim 1, wherein: the second storage unit is a subscriber identity module card.

18. A method for providing access to content, comprising: receiving an account identifier from a first device, the account identifier being associated with content on a first storage unit operatively coupled to the first device; sending the account identifier to a second storage unit operatively coupled to a second device, the second storage unit being associated with the first storage unit; receiving a credential from the second storage unit in response to sending the account identifier, the credential being based on the account identifier; and sending the credential to the first device, the credential providing access to the content on the first storage unit if the credential is valid.

19. The method of claim 18, further comprising: storing the credential for a limited amount of time based on a first request for the credential; receiving a second request for the credential from the first device; sending the credential to the first device in response to the second request during the limited amount of time; and deleting the credential after the limited amount of time.

20. The method of claim 18, wherein the step of sending the credential comprises: encrypting the credential; and sending an encrypted version of the credential to the first device.

21. The method of claim 18, further comprising: receiving, from the first device, an identifier associated with the second storage unit; and locating the second device using the identifier associated with the second storage unit.

22. The method of claim 18, wherein: the account identifier is sent to the second storage unit via a mobile network; and the credential is received from the second storage unit via the mobile network.

23. A method for accessing content, comprising: receiving a request to access content on a first memory card operatively coupled to a first device, the first memory card being bound to a second memory card based on a binding type associated with the content, the second memory card being operatively coupled to a second device, the receiving being performed by a software entity on the first device; calculating an account identifier based on the binding type, the calculating being performed by the software entity; sending the account identifier from the software entity to a server; receiving, at the software entity, a credential from the server, the credential being generated by the second memory card based on the account identifier and the binding type; and if the credential is valid, accessing the content using the credential, the accessing being performed by the software entity.

24. The method of claim 23, further comprising: if the credential is valid, accessing other content associated with the account identifier.

25. The method of claim 23, further comprising: accessing the credential from the server during the limited amount of time.

26. A method for accessing content, comprising: calculating an account identifier associated with content on a first storage unit operatively coupled to a first device, including calculating the account identifier at the first device, the first storage unit being associated with a second storage unit operatively coupled to a second device; sending the account identifier from the first device to the second device via a server; generating a credential based on the account identifier, the credential being generated by the second storage unit; receiving, at the first device, the credential from the second device via the server; and if the credential is valid, accessing the content on the first storage unit using the credential.

27. The method of claim 26, further comprising: storing the credential in the first device for a limited amount of time based on a first request for the content; receiving a second request for other content associated with the account identifier; accessing the other content using the credential during the limited amount of time; and deleting the credential in the first device after the limited amount of time.

28. The method of claim 26, further comprising: storing the credential at the server for a limited amount of time; receiving, at the server, a request for the credential from the first device; sending the credential from the server to the first device during the limited amount of time; and deleting the credential at the server after the limited amount of time.

29. An apparatus for accessing content, the apparatus comprising: a processor; and a host agent executable by the processor to: determine an account identifier associated with content on a first storage unit, the first storage unit being operatively coupled to the apparatus; send the account identifier from the apparatus to a server; receive a credential from a second device via the server, the credential being based on the account identifier; and if the credential is valid, access the content in the first storage unit using the credential.

30. The apparatus of claim 29, wherein a second storage unit is operatively coupled to the second device, and the first storage unit is bound to the second storage unit based on a binding type associated with the content.

31. A method for upgrading a storage device, comprising: receiving, in a device, a request to replace a first storage unit with a new storage unit, the first storage unit, prior to receiving the request, storing first content and being bound to a third storage unit based on one or more binding types, the first storage unit and the third storage unit being operatively coupled to the device; sending the first content to the new storage unit, the sending of the first content to the new storage unit being performed by the device; modifying a portion of the first content in the new storage unit based on the one or more binding types so as to bind the new storage unit to the third storage unit, the modifying of a portion of the first content being performed by the device; and modifying second content in the third storage unit based on the one or more binding types, the modifying of second content being performed by the device.

32. The method of claim 31, further comprising: sending the first content of the first storage unit to a server, the sending of the first content to the server being performed by the device prior to sending the first content to the new storage unit; after sending the first content to the server, notifying a user to remove the first storage unit from the device and to insert the new storage unit in the device; and receiving, in the device, the first content from the server; wherein sending the first content to the new storage unit comprises sending the first content received from the server to the new storage unit.

33. The method of claim 32, wherein sending the first content to the server comprises: encrypting the first content in the device; and sending an encrypted version of the first content from the device to the server.

34. The method of claim 33, wherein sending the first content to the new storage unit comprises: decrypting the encrypted version of the first content, the decrypting being performed by the device; and storing the first content in the new storage unit.

35. The method of claim 32, further comprising: deleting the first content from the first storage unit before notifying the user to remove the first storage unit from the device, the deleting being performed by the device; and notifying the server to delete the first content in the server, the notifying being performed by the device after receiving the first content from the server.

36. The method of claim 32, wherein: sending the first content to the server and receiving the first content are performed via a mobile network.

37. The method of claim 31, wherein: the first storage unit is a subscriber identity module card; the first content includes credentials that provide access to content on the third storage unit, including access to the second content; and the one or more binding types indicate a particular identifier, the credentials being based on one or more identification values corresponding to the particular identifier.

38. The method of claim 37, wherein modifying second content comprises: accessing the second content in the third storage unit using an existing credential from the first content, the second content having a binding type indicating the one or more identification values, the one or more identification values identifying the first storage unit; determining a new account identifier using one or more identification values that identify the new storage unit; sending the new account identifier to the new storage unit; receiving a new credential from the new storage unit, the new credential being generated by the new storage unit using the new account identifier; and associating the second content with the new account identifier and the new credential, the new credential providing access to the second content.

39. The method of claim 38, wherein the step of modifying a portion of the first content comprises: deleting the existing credential and saving the new credential.

40. The method of claim 31, wherein: the first storage unit is a removable non-volatile memory card; the third storage unit is a subscriber identity module card; the first content includes files, existing accounts associated with the files, and information associated with a configuration of the files; the second content includes credentials that provide access to the files; and the one or more binding types indicate a particular identifier, the credentials being based on one or more identification values corresponding to the particular identifier.

41. The method of claim 40, wherein receiving, in a device, a request to replace a first storage unit comprises: receiving an indication that the new storage unit is inserted in the device.

42. The method of claim 41, further comprising: sending a first identification value obtained from the new storage unit to a server, the sending of the first identification value being performed by the device; notifying the user to remove the new storage unit from the device and to insert the first storage unit, the notifying of the user to remove the new storage unit being performed by the device; sending the first content of the first storage unit to the server, the sending of the first content to the server being performed by the device prior to sending the first content to the new storage unit; after sending the first content to the server, notifying a user to remove the first storage unit from the device and to insert the new storage unit in the device, the notifying of the user to remove the first storage unit being performed by the device; sending to the server a second identification value obtained from the new storage unit inserted in the device after the user is notified to insert the new storage unit in the device; and verifying whether the first identification value matches the second identification value, the verifying being performed by the server.

43. The method of claim 40, wherein sending the first content to the new storage unit comprises: creating new accounts in the new storage unit, including creating a new account for each existing account in the first content; associating permissions of the existing accounts with the new accounts, the permissions indicating access to particular files; and saving the files in the new storage unit based on the information associated with the configuration of the files.

44. The method of claim 43, wherein modifying a portion of the first content comprises: … a first new account associated with the portion of the first content, the portion of the first content being associated with a binding type indicating the one or more identification values that identify the first storage unit; determining a new account identifier using one or more identification values that identify the new storage unit; sending the new account identifier to the third storage unit; receiving a new credential from the third storage unit, the new credential being generated by the third storage unit using the new account identifier; and associating the new credential and the new account identifier with the first new account, the new credential providing access to the portion of the first content.

45. The method of claim 44, wherein modifying second content comprises: saving the new credential; and deleting an existing credential associated with an existing account of the portion of the first content.

46. A method for upgrading a storage device, comprising: sending a credential from a first storage unit to a server, the first storage unit being operatively coupled to a device, the step of sending a credential to the server being controlled by a software entity on the device; receiving a notification that a new storage unit has been operatively coupled to the device, the receiving of a notification being controlled by the software entity; receiving the credential from the server, the receiving of the credential being controlled by the software entity; and sending the credential to the new storage unit, the sending of the credential to the new storage unit being controlled by the software entity.

47. The method of claim 46, wherein: the credential provides access to a third storage unit operatively coupled to the device, the first storage unit being associated with the third storage unit by one or more binding types before the new storage unit is operatively coupled to the device.

48. The method of claim 47, further comprising: accessing content in the third storage unit using the credential, the content being associated with the first storage unit by an identification value that identifies the first storage unit; determining a new account identifier using an identification value that identifies the new storage unit; sending the new account identifier to the new storage unit; receiving a new credential from the new storage unit, the new credential being generated using the new account identifier; and associating the content with the new account identifier and the new credential, the new credential providing the access to the content.

49. The method of claim 48, further comprising: creating a new account for an existing account associated with the content, including creating the new account with permissions associated with the existing account, the existing
The method of claim 33, wherein the transmitting the first content to the new storage unit comprises: decrypting the encrypted version of the first content, the decryption is performed by the device; and the first content Stored in this new storage unit. 35. The method of claim 32, further comprising: deleting the first content from the first storage unit before notifying the user to remove the first storage unit from the device, the deleting being performed by the device; And notifying the server to delete the first content in the server, the notification is by the device after receiving the content from the ship: line. 36. The method of claim 32, wherein: red is performed by a mobile network to transmit the first content to the food server and to receive the first content. 37. The method of claim 3, wherein: 142631.doc • 8- 201013452 the first storage unit is a user identity module card; the content of the 包括°海 includes providing a pair including access to the second content a credential for accessing content on the third storage unit; and the one or more binding types indicate a particular identifier, and the credentials are based on one or more identification values corresponding to the particular identifier. 38. 
The method of claim 37, wherein the modifying the second content comprises: accessing the third storage order using the existing credentials from the first content, the first inner valley, the second content having an indication The one or more identification values - the binding type 'the one or more identification values identifying the first storage unit; using the one or more identification values identifying the new storage unit to break a new account identifier; The new account identifier is sent to the new storage unit; ^ the new storage unit receives the __new credential, the new credential is generated by the new storage unit using the new account identifier; and the second content is associated with the new account An identifier is associated with the new credential, the new credential providing access to the second content. 39. The method of claim 38, wherein the step of modifying one of the first portions of the first content comprises: deleting the existing credential and saving the new credential. 40. The method of claim 31, wherein: the first storage unit is a removable non-volatile memory card; the third storage unit is a user identity module card; the third valley includes files, and the like The file associated with the existing account 142631.doc 201013452 $ and the information associated with the configuration of the file such as ° Hai; ~ - - - includes the credentials to provide access to the file; and one or more bindings The type indicates a specific identifier, and the credentials 41 42 # &amp;&amp; ff are one or more identification values for the particular identifier. The method of claim </ RTI> wherein the receiving - replacing one of the - storage units in the device comprises: receiving an indication that the new storage unit is inserted in the device. 
The method of claim 41, further comprising: transmitting the -identification value obtained from the new storage unit to the -feeder, the sending (four)-identification value being performed by the device; notifying the user from the | Removing the new storage unit and inserting the storage unit, the notification that the user removes the new storage unit is performed by the device; the content is sent to the server, and the first storage unit is Transmitting the first content to the server by the device before transmitting the first content to the new storage unit; notifying after the first device removes the content and sends the content to the server a user from the first storage unit and inserting the new storage unit into the device 'the notification that the user removes the first place to execute; a storage unit is to be used by the device Transmitting, by the storage unit, a second identification value obtained by the new storage unit inserted in the device to the server; and checking whether the first identification value matches the second identification value, the checking Test 142631.doc •10- 201013452 is performed by this server. 43. The method of claim 4, wherein the storing the unit comprises: sending to the new storage; creating a new account in the new storage unit includes creating a new account for the parent in the first content a new account; the license of the current (four) households to the access to the specific file; and the licenses; j in the configuration associated with the (4) case of the information Save in this new storage unit. 
The method of claim 43, wherein the modifying the content-partial package:: associated with: the first content of the first content - the first new account, I - the portion of the content is related to the identification (four) One of the one or more identification values of the first storage unit is associated with a binding type; == one or more identification values of the new storage unit determine a new account corpse identifier; the new account identifier Sending to the third storage unit; receiving a new voucher from the third storage unit, the new voucher being generated by the third storage unit using the new account identifier; and causing the new voucher and the new account identifier to be The first new account is associated with the new credential providing access to the portion of the first content. The method of claim 44, wherein the modifying the second content comprises: saving the new credential; and deleting the existing account associated with one of the portions of the first content 142631.doc 201013452 Existing Credentials. 46. 47. 48. A method for upgrading a storage device, comprising: transmitting a voucher from a first storage unit to a server, the first storage unit being operatively reorganized to a device, The step of transmitting the voucher to the server is controlled by a software entity on the device; receiving a new storage unit that is operatively coupled to the device - a notification that the notification is controlled by the software entity; The server receives the voucher, the receiving the voucher being controlled by the software entity; and transmitting the voucher to the new storage unit, the voucher being sent to the new storage unit being controlled by the software entity. 
The method of claim 46, wherein: the voucher provides access to a third storage unit operatively coupled to the device, the storage list 7L being used before the new storage unit is operatively coupled to the device One or more binding types are associated with the third storage unit. The method of claim 47, further comprising: using the voucher to access content in the third storage unit, the content being associated with the first storage unit by identifying the first storage unit; Identifying one of the new storage unit identification value determination - new account identifier; transmitting the new account identifier to the new storage unit; receiving a new voucher from the new storage unit, the new voucher using the new 142631.doc 201013452 An account identifier is generated; and the content is associated with the new account identifier and the new credential, the credential providing the access to the content. 49. The method of claim 48, further comprising: creating a new account for an existing account associated with the content comprises creating the new account having a license associated with the existing account, the present ❿ 有帳戶係與該第—儲存單元相關聯且該新帳戶係、與該 儲存單元相關聯。 50. 如請求項48之方法,其中: 該内容係與識別該新儲存單元之—識別值相關聯。 51. 如請求項46之方法,其進一步包含: 通知一使用者將該新儲存單元運作地耦合至該裝置, 該通知係由該軟體實體控制。 52. —種用於升級一儲存裝置之方法,其包含: 使用運作地麵合至一裝置之一第二储存單元中之—個 或多個憑證存取運作地耦合至該裝置之—第一儲存單元 上之内容’該第二儲存單元係基於該—個或多個憑證與 該第一儲存單元相關聯,該存取内容係由該、 軟體實體控制; 在一新儲存單元運作地耦合至該裝置之後在該軟體實 體之控制下,將該内容發送至該新儲存單元;及 通知該第二儲存單元產生使該内容與該新儲存單元相 關聯之一個或多個新憑證,該一個或多個新憑證提供對 該内容之存取,該通知係由該軟體實體執行。 142631.doc -13· 201013452 53.如請求項52之方法,其進一步包含: 基於該一個或多個新憑證創建與該新儲存單元中之該 内容相關聯之帳戶。 以 54·如請求項52之方法,其進一步包含: 。將自該新儲存單元獲得之一第一識別值提供至一伺服 器’該提供係由該軟體實體執行; 在將該第一識別值提供至該伺服器之後,通知一使用 者移除該新儲存單元使其不與該裝置運作耦合且將該第 一儲存單元運作地耦合至該裝置;及 將該内容自該第一儲存單元提供至該伺服器。 55. 如請求項54之方法,其進一步包含: 在將該第一儲存單元之該内容提供至該伺服器之後通 知。亥使用者將該新儲存單元運作地耦合至該裝置; 在该軟體實體之控制下自該伺服器接收該内容; 其中在該軟體實體之控制下將該内容發送至該新儲存 單元包含發送自該伺服器接收之該内容。 56. 
如請求項54之方法,其進一步包含: 在通知該使用者將該新儲存單元運作地耦合在該裝置 中之後,將自該新儲存單元獲得之一第二識別值提供至 該伺服器; 檢驗該第一識別值是否與該第二識別值匹配,該檢驗 係由該伺服器執行。 57. 如請求項52之方法,其中: 該内容包括棺案及與該等檔案相關聯之許可。 142631.doc 201013452 58.如請求項57之方 元包含: ’,、中該將該内容發送至該新儲存單 則對該等檔 案=密許ΓΓ應對該等檔案進行加密, 將該等槽幸 __ 59. -種用於升級^ :版本保存於該新儲存單元中。 Η f者存裝置之裝置,該裝 一處理器,·及 主機代理,盆·各 態以: #可由該處理器執行’該主機代理經組 接收以—新儲存單元替換一第一 求,在接收㊉㉘存早凡之-請 W 該第一儲存單元館存第-内容 ,;::或多個綁定類型綁定至-第三儲存單元, 存單元及該第三儲存單元係運作㈣合至該 將該第一内容發送至該新儲存單元; ▲基於該-個或多個綁定類型修改該新儲存單元中之 該第一内容之—部分以便將該新儲存單元綁定至該第 三儲存單元;及 ”疋主这第 基於該-個或多個綁定類型修改該第三儲存單元中 之第内容。 6〇·如,求項59之裝置,其中該主機代理進—步經組態以: ,將該第-内容發送至該新儲存單元之前將該第一儲 存早兀之該第-内容發送至一伺服器; 在將該第—内容發送至該飼服器之後,通知-使用者 142631.doc .15, 201013452 將該新儲存單元插 入在 自該裝置移除該第一儲存單元且 該裝置t ;及 在該裝置中自該伺服器接收該第— 内容,其中發送至 該新儲存單元之該第—内 一内容。 容包含自該伺服器接收之該 第 61.如請求項60之裝置,其中該 r这主機代理經組態以藉由在該 裝置中對該第一内$進行力口密及將該第_内容之一經加 密版本自該裝置發送至該伺服器來將該第一内容發送至 該伺服器。 142631.doc❿ An account is associated with the first storage unit and the new account is associated with the storage unit. 50. The method of claim 48, wherein: the content is associated with an identification value identifying the new storage unit. 51. The method of claim 46, further comprising: informing a user that the new storage unit is operatively coupled to the device, the notification being controlled by the software entity. 52. 
A method for upgrading a storage device, comprising: operatively coupling to a device using one or more credential accesses in a second storage unit operatively coupled to a device - first Content on the storage unit 'The second storage unit is associated with the first storage unit based on the one or more credentials, the access content being controlled by the software entity; operatively coupled to a new storage unit The device then transmits the content to the new storage unit under control of the software entity; and notifying the second storage unit to generate one or more new credentials associated with the new storage unit, the one or more A plurality of new credentials provide access to the content, the notification being performed by the software entity. 142631.doc -13. The method of claim 52, further comprising: creating an account associated with the content in the new storage unit based on the one or more new credentials. 54. The method of claim 52, further comprising: Providing a first identification value obtained from the new storage unit to a server. The providing is performed by the software entity; after the first identification value is provided to the server, notifying a user to remove the new The storage unit is operatively coupled to the device and operatively couples the first storage unit to the device; and provides the content from the first storage unit to the server. 55. The method of claim 54, further comprising: notifying the content of the first storage unit after providing the content to the server. The user is operatively coupled to the device; the content is received from the server under control of the software entity; wherein the content is sent to the new storage unit under control of the software entity The content received by the server. 56. 
The method of claim 54, further comprising: after notifying the user that the new storage unit is operatively coupled in the device, providing a second identification value obtained from the new storage unit to the server And checking whether the first identification value matches the second identification value, and the verification is performed by the server. 57. The method of claim 52, wherein: the content comprises a file and a license associated with the file. 142631.doc 201013452 58. If the party element of claim 57 contains: ',, the content should be sent to the new storage list, then the files should be encrypted. __ 59. - Used for upgrading ^ : The version is saved in this new storage unit. Η 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者 者Receive the 10th deposit and save it - please W. The first storage unit stores the first content, ;:: or multiple binding types are bound to the - third storage unit, the storage unit and the third storage unit are operated (4) Up to the sending of the first content to the new storage unit; ▲ modifying a portion of the first content in the new storage unit based on the one or more binding types to bind the new storage unit to the first a third storage unit; and "the master" modifies the content in the third storage unit based on the one or more binding types. 6〇, if, the device of claim 59, wherein the host agent enters a step Configuring to: send the first content of the first storage to a server before sending the first content to the new storage unit; after transmitting the first content to the feeding device, notify - User 142631.doc .15, 201013452 The storage unit is inserted in the device to remove the first storage unit and the device t; and the first content received from the server in the device, wherein the first content is sent to the new storage unit. 
The apparatus of claim 61, wherein the host agent is configured to perform the secreting of the first internal $ and the content of the first content in the apparatus. An encrypted version is sent from the device to the server to send the first content to the server. 142631.doc
TW098128067A 2008-08-20 2009-08-20 Memory device upgrade TW201013452A (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US12/229,165 US8984645B2 (en) 2008-08-20 2008-08-20 Accessing memory device content using a network
US12/229,090 US8428649B2 (en) 2008-08-20 2008-08-20 Memory device upgrade

Publications (1)

Publication Number Publication Date
TW201013452A TW201013452A (en) 2010-04-01

Family

ID=41282430

Family Applications (1)

Application Number Title Priority Date Filing Date
TW098128067A TW201013452A (en) 2008-08-20 2009-08-20 Memory device upgrade

Country Status (5)

Country Link
EP (1) EP2321759A2 (en)
KR (1) KR20110057161A (en)
CN (1) CN102203790A (en)
TW (1) TW201013452A (en)
WO (1) WO2010021975A2 (en)

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2580701A4 (en) * 2010-06-10 2016-08-17 Ericsson Telefon Ab L M User equipment and control method therefor
GB2499787B (en) * 2012-02-23 2015-05-20 Liberty Vaults Ltd Mobile phone
CN104145449A (en) * 2012-02-29 2014-11-12 交互数字专利控股公司 Method and apparatus for seamless delivery of services through a virtualized network
CN103309758B (en) * 2012-03-15 2016-01-27 中国移动通信集团公司 A kind of mthods, systems and devices blocking application and download
GB2517732A (en) 2013-08-29 2015-03-04 Sim & Pin Ltd System for accessing data from multiple devices
CN109327492A (en) * 2017-08-01 2019-02-12 联想企业解决方案(新加坡)有限公司 server identification device and method

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI308306B (en) * 2001-07-09 2009-04-01 Matsushita Electric Ind Co Ltd Digital work protection system, record/playback device, recording medium device, and model change device
WO2007068263A1 (en) * 2005-12-12 2007-06-21 Telecom Italia S.P.A. Device, system and method for allowing authorised access to a digital content
CN101127064A (en) * 2006-08-18 2008-02-20 华为技术有限公司 Method and system for backuping and resuming licence
JP2010509696A (en) * 2006-11-14 2010-03-25 サンディスク コーポレイション Method and apparatus for coupling content to another memory device
US8423794B2 (en) * 2006-12-28 2013-04-16 Sandisk Technologies Inc. Method and apparatus for upgrading a memory card that has security mechanisms for preventing copying of secure content and applications
WO2008080431A1 (en) * 2006-12-29 2008-07-10 Telecom Italia S.P.A. System and method for obtaining content rights objects and secure module adapted to implement it

Also Published As

Publication number Publication date
CN102203790A (en) 2011-09-28
KR20110057161A (en) 2011-05-31
WO2010021975A2 (en) 2010-02-25
WO2010021975A3 (en) 2010-04-22
EP2321759A2 (en) 2011-05-18

Similar Documents

Publication Publication Date Title
USRE46023E1 (en) Memory device upgrade
US8984645B2 (en) Accessing memory device content using a network
US8966580B2 (en) System and method for copying protected data from one secured storage device to another via a third party
US10878066B2 (en) System and method for controlled access to application programming interfaces
WO2020093214A1 (en) Application program login method, application program login device and mobile terminal
US9075957B2 (en) Backing up digital content that is stored in a secured storage device
TWI498015B (en) Apparatus and methods for distributing and storing electronic access clients
US8171310B2 (en) File system filter authentication
JP5275432B2 (en) Storage medium, host device, memory device, and system
WO2008004524A1 (en) Certifying device, verifying device, verifying system, computer program and integrated circuit
KR20100031497A (en) Method of storing and accessing header data from memory
US20080114958A1 (en) Apparatuses for binding content to a separate memory device
TW201013452A (en) Memory device upgrade
US20220131848A1 (en) Management of Identifications of an Endpoint having a Memory Device Secured for Reliable Identity Validation
JP2010509696A (en) Method and apparatus for coupling content to another memory device
US20220131846A1 (en) Online Service Store for Endpoints
US20220132298A1 (en) Cloud-service on-boarding without prior customization of endpoints
EP3989480A1 (en) Virtual subscriber identification module and virtual smart card
US20220131847A1 (en) Subscription Sharing among a Group of Endpoints having Memory Devices Secured for Reliable Identity Validation
US20220129390A1 (en) Monitor Integrity of Endpoints having Secure Memory Devices for Identity Authentication
US20220129391A1 (en) Track Activities of Endpoints having Secure Memory Devices for Security Operations during Identity Validation
KR20120129871A (en) Content binding at first access
US20220129259A1 (en) Endpoint Customization via Online Firmware Store
US20140324706A1 (en) Terminal apparatus and method for using drm-encrypted multimedia contents
CN115037494A (en) Cloud service login without pre-customization of endpoints