mrb 10 hours ago
They used cool hardware to do this research: the sysmoEUICC1 (https://shop.sysmocom.de/sysmoEUICC1-eUICC-for-consumer-eSIM...) which is a physical SIM card onto which one can load an eSIM, and they put it in a SIMtrace 2 device (https://osmocom.org/projects/simtrace2/wiki) to trace the data packets to/from the eSIM profile, which is normally not easily doable as modern phones load the eSIM on a chip soldered onto the phone's motherboard. So you end up with a goofy contraption (see figure 4 on page 8) but you have full visibility into the communications to/from the eSIM profile. Fun!