What happens on a protocol level when switching on a phone
==========================================================
:author: Harald Welte
:copyright: 2018 by Harald Welte (License: CC-BY-SA)
:backend: slidy
:max-width: 45em

== Introduction

* Everybody uses cellphones and mobile internet these days
* Still very few people know what's going on, even those with deep TCP/IP understanding
* Let's try to shed some light on the inner workings on a protocol level

NOTE: this talk is about 2G (GSM/GPRS/EDGE) and 3G (UMTS/HS*PA) only

== Classic GSM (2G) network as digraph

[graphviz]
----
digraph G {
  rankdir=LR;
  MS0 [label="MS\n(Phone)"]
  MS1 [label="MS\n(Phone)"]
  MS2 [label="MS\n(Phone)"]
  MS3 [label="MS\n(Phone)"]
  BTS0 [label="BTS\n(Cell)"]
  BTS1 [label="BTS\n(Cell)"]
  MSC [label="MSC/VLR"]
  HLR [label="HLR/AUC"]
  MS0->BTS0 [label="Um"]
  MS1->BTS0 [label="Um"]
  MS2->BTS1 [label="Um"]
  MS3->BTS1 [label="Um"]
  BTS0->BSC [label="Abis"]
  BTS1->BSC [label="Abis"]
  BSC->MSC [label="A"]
  MSC->HLR [label="C"]
}
----

== Powering up the phone

* Your various processors / cores boot up
* Hardware gets initialized
* We will look at the cellular-related activity only here
* Registering to a cellular network can take *ages* at times. Why is that?
== Network Selection (2G): RF Power Scan

* GSM has many narrow-band channels/frequencies (ARFCN = Absolute Radio Frequency Channel Number):
** 123 ARFCN in 850 MHz
** 173 ARFCN in 900 MHz
** 373 ARFCN in 1800 MHz
** 298 ARFCN in 1900 MHz
** total of 967 ARFCN in a quad-band phone
* The phone performs a (quick) RF power scan over all ARFCN to determine which channels contain how much energy (RxLev, RSSI)

== Network Selection (2G): Freq + Sync burst detection

* the phone picks the channels with the highest amount of energy
* it tries to decode the FCCH (Frequency Correction Channel) to slave its own internal clock (VCTCXO) to the frequency information contained in the FCCH
* it then moves to the SCH (Synchronization Channel) to determine the current GSM frame number + training sequence code
* finally, it is aligned with the *carrier frequency* and knows where in the *time division multiplex* frame/multiframe the BTS (Cell) currently transmits

== Network Selection (2G): BCCH decode

* After Frequency and Sync burst detection, the phone moves to the BCCH (Broadcast Common Control Channel)
* The BCCH contains a loop of repeated broadcasts of so-called *SYSTEM INFORMATION* messages
* There are many different *SYSTEM INFORMATION TYPEs* which are repeatedly iterated over
* SYSTEM INFORMATION (SI) 3 and 4 contain, among other things, MCC + MNC information
** MCC: Mobile Country Code (262 for Germany)
** MNC: Mobile Network Code (01 for T-Mobile, 02 for Vodafone, 03 for E-Plus, ...)
* Now the phone knows to which operator the cell broadcasting on this ARFCN belongs
* The process of FCCH + SCH alignment with successive BCCH decoding is repeated for a number of strong-signal ARFCNs to create a list of "available networks"
** this is the output you see when you do a *manual network search* on your phone
*** the numeric MCC/MNC is typically translated into a string name based on a mapping table in the phone firmware, possibly extended by information on the SIM (EF.PNN, EF.OPL)

== Network Selection: Which Network to register

* Assuming we have a list of ARFCN <-> MCC+MNC, which network do we choose?
** if manual network selection: use whatever the user has chosen
** we assume automatic network selection below
* If the cell-advertised MCC+MNC matches the IMSI prefix, it is the home network
** home network trumps everything else
* SIM / USIM contains various lists which operators use to control selection policy in roaming
** EF.PLMNsel (PLMN Selector)
** EF.PLMNwAcT (User-controlled PLMN Selector with Access Technology)
** EF.HPPLMN (Higher Priority PLMN)
** EF.FPLMN (Forbidden PLMNs)
** EF.OPLMNwAcT (Operator-controlled PLMN Selector with Access Technology)
** EF.HPLMNwAcT (Home PLMN Selector with Access Technology)
** EF.EHPLMN (Equivalent HPLMN)
* finally, the MS will select a (first) cell to attempt registration
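The following Python is an added example, not code from the talk or from any phone firmware: it decodes the BCD-coded PLMN identity (MCC/MNC) as it appears in the SI3/SI4 Location Area Identification, reads the SIM's EF.FPLMN, derives the home PLMN from the IMSI, and runs a deliberately simplified version of the automatic selection order sketched on the two slides above. The MNC length (2 digits, from EF.AD) and all SIM contents and cell measurements are constructed assumptions.

```python
# Added example (not from the talk): decode the BCD-coded PLMN identity that SI3/SI4
# carry in the Location Area Identification (3GPP TS 24.008 10.5.1.3), read EF.FPLMN,
# derive the HPLMN from the IMSI and run a simplified automatic network selection.
# All SIM contents and cell measurements below are constructed sample values.
def decode_plmn(b: bytes) -> str:
    """3 BCD octets -> 'MCC-MNC'.  Octet 1 = MCC2|MCC1, octet 2 = MNC3|MCC3,
    octet 3 = MNC2|MNC1 (high nibble first); MNC3 == 0xF marks a 2-digit MNC."""
    d = [b[0] & 0xF, b[0] >> 4, b[1] & 0xF, b[2] & 0xF, b[2] >> 4, b[1] >> 4]
    mnc = "%d%d" % tuple(d[3:5]) + ("" if d[5] == 0xF else "%d" % d[5])
    return "%d%d%d-%s" % (d[0], d[1], d[2], mnc)

def decode_lai(lai: bytes) -> tuple:
    """5-octet LAI from SI3 -> (PLMN, LAC); the LAC is 16 bit big-endian."""
    return decode_plmn(lai[:3]), int.from_bytes(lai[3:5], "big")

def decode_ef_fplmn(raw: bytes) -> list:
    """EF.FPLMN (3GPP TS 31.102): n x 3-octet PLMN codes, 0xFFFFFF = unused slot."""
    chunks = [raw[i:i + 3] for i in range(0, len(raw), 3)]
    return [decode_plmn(c) for c in chunks if c != b"\xff\xff\xff"]

def hplmn_from_imsi(imsi: str, mnc_len: int = 2) -> str:
    """The IMSI prefix is the HPLMN; the MNC length (2 or 3 digits) is read from
    EF.AD on the SIM, assumed to be 2 here as for the German networks on the slides."""
    return "%s-%s" % (imsi[:3], imsi[3:3 + mnc_len])

def select_plmn(cells, hplmn, user_pref, oper_pref, forbidden):
    """Simplified automatic mode after 3GPP TS 23.122: HPLMN first, then the
    user-controlled list (EF.PLMNwAcT), then the operator-controlled list (EF.OPLMNwAcT),
    then any other allowed PLMN by strongest RxLev; EF.FPLMN entries are never chosen."""
    best = {}  # PLMN -> (ARFCN, RxLev in dBm) of the strongest cell seen for it
    for arfcn, rxlev, lai in cells:
        plmn, _lac = decode_lai(lai)
        if plmn in forbidden:
            continue
        if plmn not in best or rxlev > best[plmn][1]:
            best[plmn] = (arfcn, rxlev)
    for plmn in [hplmn, *user_pref, *oper_pref]:
        if plmn in best:
            return plmn, best[plmn][0]
    if not best:
        return None
    plmn = max(best, key=lambda p: best[p][1])
    return plmn, best[plmn][0]

# Constructed scan result: (ARFCN, RxLev in dBm, LAI octets as found in SI3)
CELLS = [(42, -70, bytes.fromhex("62f2100001")),    # 262-01, LAC 1
         (77, -60, bytes.fromhex("62f2200002")),    # 262-02, LAC 2
         (512, -55, bytes.fromhex("62f2300003"))]   # 262-03, LAC 3
EF_FPLMN = bytes.fromhex("62f230" + "ff" * 9)        # 262-03 forbidden, 3 empty slots
```

Note how a forbidden PLMN is dropped even when it is the strongest cell, and how an operator-controlled preference beats signal strength once the home network is out of reach.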
== Cell Selection State Machine

image::gsm_cell_selection.png[]

== Registering to a network: LOCATION UPDATE

* *LOCATION UPDATE* is a key transaction on the MM sublayer of Layer 3 of the 2G/3G protocol stack
* it is used to update the location/presence information in the network
* there are variants:
** IMSI ATTACH is used for initial registration at power-up (our case here)
** NORMAL is an update triggered by a change of location (area code) as the user moves around the coverage
** PERIODIC is used when a timer expires, similar to a 'keep alive' in many protocols
* the *MM LOCATION UPDATE* on the Um/Abis/A interface up to the MSC is translated into a *MAP UpdateLocation* towards the HLR (central subscriber database)
* an authentication procedure may (should!) follow to cryptographically verify the identity of the subscriber
* finally, the network either sends a *MM LOCATION UPDATE ACCEPT* or *MM LOCATION UPDATE REJECT*

== GSM Control Plane Protocol Stack

image::gsm_control_stack.svg[width="100%"]

== LOCATION UPDATE: Layer 3 Only

image::location_update_l3only.png[]

== LOCATION UPDATE: Ladder Diagram

image::location_update.png[]

== GPRS for packet switched services

[graphviz]
----
digraph G {
  rankdir=LR;
  MS0 [label="MS\n(Phone)"]
  MS1 [label="MS\n(Phone)"]
  MS2 [label="MS\n(Phone)"]
  MS3 [label="MS\n(Phone)"]
  BTS0 [label="BTS\n(Cell)"]
  BTS1 [label="BTS\n(Cell)"]
  MSC [label="MSC/VLR"]
  HLR [label="HLR/AUC"]
  MS0->BTS0 [label="Um"]
  MS1->BTS0 [label="Um"]
  MS2->BTS1 [label="Um"]
  MS3->BTS1 [label="Um"]
  BTS0->BSC [label="Abis"]
  BTS1->BSC [label="Abis"]
  BSC->MSC [label="A"]
  MSC->HLR [label="C"]
  BTS0->PCU [color="red"]
  BTS1->PCU [color="red"]
  //subgraph cluster_PS {
  PCU [color="red"];
  SGSN [color="red"];
  GGSN [color="red"];
  Internet [color="red"];
  PCU->SGSN [label="Gb",color="red"]
  SGSN->GGSN [label="Gp",color="red"]
  GGSN->Internet [label="Gi",color="red"]
  // }
}
----

== Registering for packet switched services: GPRS ATTACH

* packet-switched services were added about a decade after
  circuit-switched
** hence, packet-switched attach is traditionally independent of circuit-switched attach
* GPRS ATTACH is performed from MS to SGSN
** it's called GPRS ATTACH even for EDGE or even UMTS

== GPRS Control Plane Protocol Stack

image::gprs_control_stack.svg[width="100%"]

== GPRS ATTACH: Ladder Diagram

image::gprs_attach.png[width="100%"]

== Establishing a PDP Context

* in order to exchange user IP data with the public Internet, a tunnel must be established over the entire GSM/GPRS/UMTS infrastructure
** one tunnel end is inside the phone
** the other end is in the GGSN (Gateway GPRS Support Node)
** it's a true point-to-point link, no netmask/broadcast/ARP/link-layer
** if PPP is involved, this is only between the phone/modem baseband processor and the external computer
* IP address allocation + DNS server addresses are exchanged via *protocol configuration options (PCO)* inside PDP context activation
* phone sends *PDP CONTEXT ACTIVATE* to network (SGSN)
* network (SGSN) responds with *PDP CONTEXT ACTIVATE ACK* in the successful case
* user IP data may now be exchanged

== PDP CONTEXT ACT: Ladder Diagram

image::gprs_pdp_ctx_act.png[width="100%"]

== Classic UMTS (3G) network as digraph

[graphviz]
----
digraph G {
  rankdir=LR;
  MS0 [label="UE\n(Phone)"]
  MS1 [label="UE\n(Phone)"]
  MS2 [label="UE\n(Phone)"]
  MS3 [label="UE\n(Phone)"]
  BTS0 [label="NodeB\n(Cell)"]
  BTS1 [label="NodeB\n(Cell)"]
  BSC [label="RNC"];
  MSC [label="MSC/VLR"]
  HLR [label="HLR/AUC"]
  MS0->BTS0 [label="Uu"]
  MS1->BTS0 [label="Uu"]
  MS2->BTS1 [label="Uu"]
  MS3->BTS1 [label="Uu"]
  BTS0->BSC [label="Iub"]
  BTS1->BSC [label="Iub"]
  BSC->MSC [label="Iu-CS"]
  SGSN [color="red"]
  GGSN [color="red"]
  Internet [color="red"]
  BSC->SGSN [label="Iu-PS",color="red"]
  SGSN->GGSN [label="Gp",color="red"]
  SGSN->HLR [color="red"]
  GGSN->Internet [label="Gi",color="red"]
  MSC->HLR [label="C"]
}
----

== UMTS (3G) Cell Selection

* differences primarily at the physical layer
** WCDMA instead of TDMA (GSM)
** RF channels are 5 MHz wide, so far fewer
  RF channels to scan
** however, the MS (now called UE) has to search in code space, as many cells share the same frequency channel

== UMTS (3G) Cell Selection

image::umts_cell_selection.png[]

== UMTS (3G) Cell Selection

* Layer 3 is almost identical to GSM
* *MM LOCATION UPDATE (Type: IMSI ATTACH)* between MS (UE) and MSC
* *PS ATTACH* between MS (UE) and SGSN
* *PDP CONTEXT ACTIVATION* between MS (UE) and SGSN

== Further Reading

* Die GSM Dm-Kanaele im Dialog, Prof. Dr. Joachim Goeller, http://www.informatik.hu-berlin.de/~goeller/isdn/DieGSMDmKanaele.pdf
* The GSM Dm-Channels (English version), http://www.informatik.hu-berlin.de/~goeller/isdn/GSMDmChannels.pdf
* 3GPP TS 43.022: "Functions related to Mobile Station in idle mode and group receive mode", http://www.3gpp.org/DynaReport/43022.htm (GSM/GPRS)
* 3GPP TS 25.304: "User Equipment (UE) procedures in idle mode and procedures for cell reselection in connected mode", http://www.3gpp.org/DynaReport/25304.htm (UMTS)

== EOF

End of File
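As an appendix to the "Establishing a PDP Context" slides earlier in the deck, the following added example (not code from the talk) parses the Protocol Configuration Options IE that the network returns in the PDP context activation reply and extracts the DNS servers from it, whether they arrive as PPP IPCP options or as 3GPP-native DNS containers. The PCO bytes and the addresses in them are constructed sample values.

```python
# Added example (not from the talk): parse the Protocol Configuration Options IE of
# an ACTIVATE PDP CONTEXT ACCEPT (3GPP TS 24.008 10.5.6.3) and extract the DNS
# servers it delivers, either as IPCP options or as 3GPP-native DNS containers.
import ipaddress

PPP_IPCP, DNS_IPV6, DNS_IPV4 = 0x8021, 0x0003, 0x000D  # PCO container protocol IDs
IPCP_OPTS = {0x03: "ip", 0x81: "dns1", 0x83: "dns2"}    # RFC 1332 / RFC 1877 options

def parse_ipcp(pkt: bytes) -> dict:
    """IPCP: code, identifier, 16-bit length, then TLV options (type, total len, data)."""
    out = {"code": pkt[0]}
    length, pos = min(int.from_bytes(pkt[2:4], "big"), len(pkt)), 4
    while pos + 2 <= length:
        typ, olen = pkt[pos], pkt[pos + 1]
        if olen < 2 or pos + olen > length:
            raise ValueError("malformed IPCP option")
        if typ in IPCP_OPTS and olen == 6:  # the three IPv4-address options
            out[IPCP_OPTS[typ]] = str(ipaddress.IPv4Address(pkt[pos + 2:pos + 6]))
        pos += olen
    return out

def parse_pco(pco: bytes) -> dict:
    """Octet 1: extension bit (0x80) + configuration protocol (0 = PPP); then
    containers of protocol ID (2 octets), content length (1 octet), contents.
    Returns {'dns': [...], 'ipcp': dict or None, 'unknown': [container ids]}."""
    if not pco or pco[0] & 0x87 != 0x80:
        raise ValueError("expected extension bit set and configuration protocol PPP")
    res, pos = {"dns": [], "ipcp": None, "unknown": []}, 1
    while pos < len(pco):
        if pos + 3 > len(pco) or pos + 3 + pco[pos + 2] > len(pco):
            raise ValueError("truncated PCO container")
        proto, clen = int.from_bytes(pco[pos:pos + 2], "big"), pco[pos + 2]
        body = pco[pos + 3:pos + 3 + clen]
        if proto == DNS_IPV4 and clen == 4:
            res["dns"].append(str(ipaddress.IPv4Address(body)))
        elif proto == DNS_IPV6 and clen == 16:
            res["dns"].append(str(ipaddress.IPv6Address(body)))
        elif proto == PPP_IPCP and clen >= 4:
            res["ipcp"] = parse_ipcp(body)
            res["dns"] += [res["ipcp"][k] for k in ("dns1", "dns2") if k in res["ipcp"]]
        else:
            res["unknown"].append(proto)
        pos += 3 + clen
    return res

# Constructed network->MS PCO: IPCP Configure-Nak (code 3) with primary/secondary
# DNS 192.0.2.1/192.0.2.2, then an IPv4 DNS container and an IPv6 DNS container.
SAMPLE_PCO = bytes.fromhex("80" "802110" "03010010" "8106c0000201" "8306c0000202"
                           "000d04" "c6336435"
                           "000310" "20010db8000000000000000000000053")
```

Length fields in both the container header and the embedded IPCP packet are checked against the buffer before use, so a truncated or inconsistent PCO raises instead of reading past the end.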