path: root/2018/phone_protocol-eh2018/phone_powerup.adoc
Diffstat (limited to '2018/phone_protocol-eh2018/phone_powerup.adoc')
-rw-r--r-- 2018/phone_protocol-eh2018/phone_powerup.adoc | 256
1 files changed, 256 insertions, 0 deletions
diff --git a/2018/phone_protocol-eh2018/phone_powerup.adoc b/2018/phone_protocol-eh2018/phone_powerup.adoc
new file mode 100644
index 0000000..2f592ec
--- /dev/null
+++ b/2018/phone_protocol-eh2018/phone_powerup.adoc
@@ -0,0 +1,256 @@
+What happens on a protocol level when switching on a phone
+==========================================================
+:author: Harald Welte <laforge@gnumonks.org>
+:copyright: 2018 by Harald Welte (License: CC-BY-SA)
+:backend: slidy
+:max-width: 45em
+
+== Introduction
+
+* Everybody uses cellphones and mobile internet these days
+* Still very few people know what's going on, even those with deep TCP/IP understanding
+* Let's try to shed some light on the inner workings on a protocol level
+
+NOTE:: this talk is about 2G (GSM/GPRS/EDGE) and 3G (UMTS/HS*PA) only
+
+== Classic GSM (2G) network as digraph
+
+[graphviz]
+----
+digraph G {
+ rankdir=LR;
+ MS0 [label="MS\n(Phone)"]
+ MS1 [label="MS\n(Phone)"]
+ MS2 [label="MS\n(Phone)"]
+ MS3 [label="MS\n(Phone)"]
+ BTS0 [label="BTS\n(Cell)"]
+ BTS1 [label="BTS\n(Cell)"]
+ MSC [label="MSC/VLR"]
+ HLR [label="HLR/AUC"]
+ MS0->BTS0 [label="Um"]
+ MS1->BTS0 [label="Um"]
+ MS2->BTS1 [label="Um"]
+ MS3->BTS1 [label="Um"]
+ BTS0->BSC [label="Abis"]
+ BTS1->BSC [label="Abis"]
+ BSC->MSC [label="A"]
+ MSC->HLR [label="C"]
+}
+----
+
+== Powering up the phone
+
+* Your various processors / cores boot up
+* Hardware gets initialized
+* We will look at the cellular related activity only here
+* Registering to a Cellular network can take *ages* at times. Why is that?
+
+== Network Selection (2G): RF Power Scan
+
+* GSM has many narrow-band channels/frequencies (ARFCN = Absolute Radio Frequency Channel Number):
+** 123 ARFCN in 850 MHz
+** 173 ARFCN in 900 MHz
+** 373 ARFCN in 1800 MHz
+** 298 ARFCN in 1900 MHz
+** total of 967 ARFCN in a quad-band phone
+
+* The phone performs a (quick) RF power scan over all ARFCN to determine which channels contain how much energy (RxLev, RSSI)
+
+== Network Selection (2G): Freq + Sync burst detection
+
+* the phone picks the channels with highest amount of energy
+* it tries to decode the FCCH (Frequency Correction Channel) to slave its own internal clock (VCTCXO) to the frequency information contained in the FCCH
+* it then moves to the SCH (Synchronization Channel) to determine the current GSM frame number + training sequence code
+* finally, it is aligned with both the *carrier frequency*, and knows where in the *time division multiplex* frame/multiframe the BTS (Cell) currently transmits
+
+== Network Selection (2G): BCCH decode
+
+* After Frequency and Sync burst detection, the phone moves to BCCH (Broadcast Common Control Channel)
+* The BCCH contains a loop of repeated broadcasts of so-called *SYSTEM INFORMATION* messages
+* There are many different *SYSTEM INFORMATION TYPEs* which are repeatedly iterated over
+* SYSTEM INFORMATION (SI) 3 and 4 contain, among other things MCC + MNC information
+** MCC: Mobile Country Code (262 for Germany)
+** MNC: Mobile Network Code (01 for T-Mobile, 02 for Vodafone, 03 for E-Plus, ...)
+* Now the phone knows to which operator the cell broadcasting on this ARFCN
+* The process of FCCH + SCH alignment with successive BCCH decoding is repeated for a number of strong signal ARFCNs to create a list of "available networks"
+** this is the output of what you see when you do a *manual network search* on your phone
+*** the numeric MCC/MNC is typically translated in a string name based on a mapping table in the phone firmware, possibly extended by information on the SIM (EF.PNN, EF.OPL)
+
+== Network Selection: Which Network to register
+
+* Assuming we have a list of ARFCN <-> MCC+MNC, which network do we choose?
+** if manual network selection: use whatever the user has chosen
+** we assume automatic network selection below
+* If the cell-advertised MCC+MNC matches the IMSI prefix, it is the home network
+** home network trumps everything else
+* SIM / USIM contains various lists which operators use to control selection policy in roaming
+** EF.PLMNsel (PLMN Selector)
+** EF.PLMNwAcT (User-controlled PLMN Selector with Access Technology)
+** EF.HPPLMN (Higher Priority PLMN)
+** EF.FPLMN (Forbidden PLMNs)
+** EF.OPLMNwACT (Operator-controlled LMN Selector with Access Technology)
+** EF.HPLMNwAcT (Home PLMN Selector with Access Technology)
+** EF.EHPLMN (Equivalent HPLMN)
+* finally, MS will select a (first) cell to attempt registration.
+
+== Cell Selection State Machine
+
+image::gsm_cell_selection.png[]
+
+== Registering to a network: LOCATION UPDATE
+
+* *LOCATION UPDATE* is a key transaction on the MM-sublayer of the Layer3 of the 2G/3G protocol stack
+* it is used to update the location/presence information of the network
+* there are variants:
+** IMSI ATTACH is used for initial registration at power-up (our case here)
+** NORMAL is an update triggered by a change of location (arae code) as the user moves around the coverage
+** PERIODIC is used when a timer expires, similar to a 'keep alive' in many protocols
+* the *MM LOCATION UPDATE* on the Um/Abis/A interface up to the MSC is translated into a *MAP UpdateLocation* towards the HLR (central subscriber database)
+* authentication procedure may (should!) follow to cryptographically verify identity of subscriber
+* finally, the network either sends a *MM LOCATION UPDATE ACCEPT* or *MM LOCATION UPDATE REJECT*
+
+== GSM Control Plane Protocol Stack
+
+image::gsm_control_stack.svg[width="100%"]
+
+== LOCATION UPDATE: Layer 3 Only
+
+image::location_update_l3only.png[]
+
+== LOCATION UPDATE: Ladder Diagram
+
+image::location_update.png[]
+
+== GPRS for packet switched servics
+
+[graphviz]
+----
+digraph G {
+ rankdir=LR;
+ MS0 [label="MS\n(Phone)"]
+ MS1 [label="MS\n(Phone)"]
+ MS2 [label="MS\n(Phone)"]
+ MS3 [label="MS\n(Phone)"]
+ BTS0 [label="BTS\n(Cell)"]
+ BTS1 [label="BTS\n(Cell)"]
+ MSC [label="MSC/VLR"]
+ HLR [label="HLR/AUC"]
+ MS0->BTS0 [label="Um"]
+ MS1->BTS0 [label="Um"]
+ MS2->BTS1 [label="Um"]
+ MS3->BTS1 [label="Um"]
+ BTS0->BSC [label="Abis"]
+ BTS1->BSC [label="Abis"]
+ BSC->MSC [label="A"]
+ MSC->HLR [label="C"]
+ BTS0->PCU [color="red"]
+ BTS1->PCU [color="red"]
+ //subgraph cluster_PS {
+ PCU [color="red"];
+ SGSN [color="red"];
+ GGSN [color="red"];
+ Internet [color="red"];
+ PCU->SGSN [label="Gb",color="red"]
+ SGSN->GGSN [label="Gp",color="red"]
+ GGSN->Internet [label="Gi",color="red"]
+ // }
+}
+----
+
+
+== Registering for packet switched services: GPRS ATTACH
+
+* packet-switched services were added about a decade after circuit-switched
+** hence, packet-switched attach is traditionally independent of circuit-switched attach
+* GPRS ATTACH is performed from MS to SGSN
+** it's called GPRS ATTACH even for EDGE or even UMTS
+
+== GPRS Control Plane Protocol Stack
+
+image::gprs_control_stack.svg[width="100%"]
+
+== GPRS ATTACH: Ladder Diagram
+
+image::gprs_attach.png[width="100%"]
+
+== Establishing a PDP Context
+
+* in order to exchange user-IP data with the public Internet, a tunnel must be established over the entire GSM/GPRS/UMTS infrastructure
+** one Tunnel end is inside the phone
+** other end is in the GGSN (Gateway GPRS Support Node)
+** it's a true point-to-point link, no netmask/broadcast/arp/link-layer
+** if PPP is involved, this is only between the phone/modem baseband processor and the external computer
+* IP address allocation + DNS server addresses exchanged via *protocol control options (PCO)* inside PDP
+ context activation
+* phone sends *PDP CONTEXT ACTIVATE* to network (SGSN)
+* network (SGSN) responds with *PDP CONTEXT ACTIVATE ACK* in succesful case
+* user IP data may now be exchanged
+
+== PDP CONTEXT ACT: Ladder Diagram
+
+image::gprs_pdp_ctx_act.png[width="100%"]
+
+== Classic UMTS (3G) network as digraph
+
+[graphviz]
+----
+digraph G {
+ rankdir=LR;
+ MS0 [label="UE\n(Phone)"]
+ MS1 [label="UE\n(Phone)"]
+ MS2 [label="UE\n(Phone)"]
+ MS3 [label="UE\n(Phone)"]
+ BTS0 [label="NodeB\n(Cell)"]
+ BTS1 [label="NodeB\n(Cell)"]
+ BSC [label="RNC"];
+ MSC [label="MSC/VLR"]
+ HLR [label="HLR/AUC"]
+ MS0->BTS0 [label="Uu"]
+ MS1->BTS0 [label="Uu"]
+ MS2->BTS1 [label="Uu"]
+ MS3->BTS1 [label="Uu"]
+ BTS0->BSC [label="Iub"]
+ BTS1->BSC [label="Iub"]
+ BSC->MSC [label="Iu-CS"]
+ SGSN [color="red"]
+ GGSN [color="red"]
+ Internet [color="red"]
+ BSC->SGSN [label="Iu-PS",color="red"]
+ SGSN->GGSN [label="Gp",color="red"]
+ SGSN->HLR [color="red"]
+ GGSN->Internet [label="Gi",color="red"]
+ MSC->HLR [label="C"]
+}
+----
+
+== UMTS (3G) Cell Selection
+
+* differences primarily at physical layer
+** WCDMA instead of TDMA (GSM)
+** RF Channels are 5MHz wide, so many less RF channels to scan
+** however, MS (now called UE) has to search in code-space, as many cells on same frequency channel
+
+== UMTS (3G) Cell Selection
+
+image::umts_cell_selection.png[]
+
+== UMTS (3G) Cell Selection
+
+* Layer 3 is almost identical to GSM
+* *MM LOCATION UPDATE (Type: IMSI ATTACH)* between MS(UE) and MSC
+* *PS ATTACH* between MS(UE) and SGSN
+* *PDP CONTEXT ACTIVATION* between MS(UE) and SGSN
+
+== Further Reading
+
+* Die GSM Dm-Kanaele im Dialog, Prf. Dr. Joachim Goeller, http://www.informatik.hu-berlin.de/~goeller/isdn/DieGSMDmKanaele.pdf
+* The GSM Dm-Channels (english version), http://www.informatik.hu-berlin.de/~goeller/isdn/GSMDmChannels.pdf
+* 3GPP TS 43.022: "Functions related to Mobile Station in idle mode and
+ group receive mode" http://www.3gpp.org/DynaReport/43022.htm (GSM/GPRS)
+* 3GPP TS 25.304 "User Equipment (UE) procedures in idle mode and
+ procedures for cell reselection in connected mode"
+ http://www.3gpp.org/DynaReport/25304.htm (UMTS_
+
+== EOF
+
+End of File
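Review bot: several spelling errors in the added slides should be fixed before this lands: "arae code" in the NORMAL location-update bullet should read "area code", the slide title "GPRS for packet switched servics" should read "services", "succesful case" in the PDP context slide should read "successful", "Operator-controlled LMN Selector" in the SIM file list should read "PLMN Selector", and the trailing "(UMTS_" in the further-reading list should close as "(UMTS)". The BCCH expansion is also wrong: BCCH is the Broadcast Control Channel, not "Broadcast Common Control Channel". Two structural points: three consecutive slides carry the title "UMTS (3G) Cell Selection", although the third covers registration (LOCATION UPDATE, PS ATTACH, PDP CONTEXT ACTIVATION) rather than cell selection, so a title such as "UMTS (3G) Registration" would keep the outline honest; and in the UMTS digraph the SGSN->HLR edge is the only one without an interface label while every other edge names its interface, which reads as an oversight rather than a choice. Finally, the bullet "authentication procedure may (should!) follow" is the one security-relevant statement on the LOCATION UPDATE slide; spelling out that in 2G the authentication step is optional and decided by the network side would make clear why the "(should!)" is there.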