What happens on a protocol level when switching on a phone
==========================================================
:author: Harald Welte <laforge@gnumonks.org>
:copyright: 2018 by Harald Welte (License: CC-BY-SA)
:backend: slidy
:max-width: 45em
== Introduction
* Everybody uses cellphones and mobile internet these days
* Still very few people know what's going on, even those with deep TCP/IP understanding
* Let's try to shed some light on the inner workings on a protocol level
NOTE:: this talk is about 2G (GSM/GPRS/EDGE) and 3G (UMTS/HS*PA) only
== Classic GSM (2G) network as digraph
[graphviz]
----
digraph G {
rankdir=LR;
MS0 [label="MS\n(Phone)"]
MS1 [label="MS\n(Phone)"]
MS2 [label="MS\n(Phone)"]
MS3 [label="MS\n(Phone)"]
BTS0 [label="BTS\n(Cell)"]
BTS1 [label="BTS\n(Cell)"]
MSC [label="MSC/VLR"]
HLR [label="HLR/AUC"]
MS0->BTS0 [label="Um"]
MS1->BTS0 [label="Um"]
MS2->BTS1 [label="Um"]
MS3->BTS1 [label="Um"]
BTS0->BSC [label="Abis"]
BTS1->BSC [label="Abis"]
BSC->MSC [label="A"]
MSC->HLR [label="C"]
}
----
== Powering up the phone
* Your various processors / cores boot up
* Hardware gets initialized
* We will look at the cellular related activity only here
* Registering with a cellular network can take *ages* at times. Why is that?
== Network Selection (2G): RF Power Scan
* GSM has many narrow-band (200 kHz) channels/frequencies (ARFCN = Absolute Radio Frequency Channel Number):
** 124 ARFCN in 850 MHz (ARFCN 128-251)
** 174 ARFCN in 900 MHz (E-GSM: ARFCN 0-124 and 975-1023)
** 374 ARFCN in 1800 MHz (ARFCN 512-885)
** 299 ARFCN in 1900 MHz (ARFCN 512-810; the numbering overlaps with 1800 MHz, so an ARFCN alone does not identify a frequency)
** about 970 ARFCN in total for a quad-band phone
* The phone performs a (quick) RF power scan over all ARFCN to determine which channels contain how much energy (RxLev, RSSI)
== Network Selection (2G): Freq + Sync burst detection
* the phone picks the channels with the highest amount of energy
* it tries to decode the FCCH (Frequency Correction Channel) to slave its own internal clock (VCTCXO) to the frequency information contained in the FCCH
* it then moves to the SCH (Synchronization Channel) to determine the current GSM frame number + training sequence code
* finally, it is aligned with both the *carrier frequency*, and knows where in the *time division multiplex* frame/multiframe the BTS (Cell) currently transmits
== Network Selection (2G): BCCH decode
* After frequency and sync burst detection, the phone moves to the BCCH (Broadcast Control Channel)
* The BCCH carries a loop of repeated broadcasts of so-called *SYSTEM INFORMATION* messages
* There are many different *SYSTEM INFORMATION TYPEs*, which are repeatedly iterated over
* SYSTEM INFORMATION (SI) 3 and 4 contain, among other things, the MCC + MNC information (as part of the Location Area Identification, LAI)
** MCC: Mobile Country Code (262 for Germany)
** MNC: Mobile Network Code (01 for T-Mobile, 02 for Vodafone, 03 for E-Plus, ...)
* Now the phone knows to which operator the cell broadcasting on this ARFCN belongs
** nothing in this broadcast is authenticated: any transmitter can claim any MCC/MNC, which is what fake base stations rely on
* The process of FCCH + SCH alignment with successive BCCH decoding is repeated for a number of strong-signal ARFCNs to create a list of "available networks"
** this is the output you see when you do a *manual network search* on your phone
*** the numeric MCC/MNC is typically translated into a display name based on a mapping table in the phone firmware, possibly extended by information on the SIM (EF.PNN, EF.OPL)
== Network Selection: Which Network to register
* Assuming we have a list of ARFCN <-> MCC+MNC, which network do we choose?
** if manual network selection: use whatever the user has chosen
** we assume automatic network selection below
* If the cell-advertised MCC+MNC matches the IMSI prefix, it is the home network (HPLMN)
** whether the MNC has 2 or 3 digits is stored on the SIM in EF.AD
** home network trumps everything else
* SIM / USIM contains various lists which operators use to control selection policy in roaming
** EF.PLMNsel (PLMN Selector)
** EF.PLMNwAcT (User-controlled PLMN Selector with Access Technology)
** EF.HPPLMN (Higher Priority PLMN search period)
** EF.FPLMN (Forbidden PLMNs)
** EF.OPLMNwAcT (Operator-controlled PLMN Selector with Access Technology)
** EF.HPLMNwAcT (HPLMN Selector with Access Technology)
** EF.EHPLMN (Equivalent HPLMN)
* finally, the MS selects a (first) cell on which to attempt registration.
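The automatic selection order those SIM files feed into, as an added example that is not part of the slides. It follows the priority order of 3GPP TS 23.122 section 4.4.3.1.1 (HPLMN/EHPLMN, then EF.PLMNwAcT, then EF.OPLMNwAcT, then other PLMNs with a high-quality signal, then the rest by signal strength, with EF.FPLMN entries skipped throughout). The `Cell` and `SimData` types, the IMSI, the cell list and the SIM file contents are all constructed for illustration; real EF contents would first have to be decoded from their BCD coding.

```python
"""Automatic PLMN selection in the priority order of 3GPP TS 23.122 section 4.4.3.1.1.
Added example, not from the slides; cells, IMSI and SIM file contents are made up."""
from dataclasses import dataclass
from typing import Optional
import random

HIGH_QUALITY_DBM = -85          # "high quality signal" threshold for GSM per TS 23.122


@dataclass(frozen=True)
class Cell:
    mcc: str
    mnc: str
    rat: str                    # "GSM" or "UTRAN"
    rxlev_dbm: int


@dataclass
class SimData:
    imsi: str
    mnc_len: int = 2            # EF.AD says whether the MNC has 2 or 3 digits
    ehplmn: tuple = ()          # EF.EHPLMN: (mcc, mnc), replaces the IMSI-derived HPLMN if present
    plmn_wact: tuple = ()       # EF.PLMNwAcT: (mcc, mnc, rat) in priority order
    oplmn_wact: tuple = ()      # EF.OPLMNwAcT: (mcc, mnc, rat) in priority order
    fplmn: tuple = ()           # EF.FPLMN: (mcc, mnc)


def home_plmns(sim: SimData) -> set:
    if sim.ehplmn:
        return set(sim.ehplmn)
    return {(sim.imsi[:3], sim.imsi[3:3 + sim.mnc_len])}


def select_plmn(cells, sim: SimData, rng: Optional[random.Random] = None) -> list:
    """Return the candidate cells in the order the MS should try to register on them."""
    forbidden = set(sim.fplmn)
    # strongest first, so that within one priority class the best cell is tried first
    pool = sorted((c for c in cells if (c.mcc, c.mnc) not in forbidden),
                  key=lambda c: c.rxlev_dbm, reverse=True)
    ordered = []

    def take(pred):
        chosen = [c for c in pool if pred(c)]
        for c in chosen:
            pool.remove(c)
        ordered.extend(chosen)

    homes = home_plmns(sim)
    take(lambda c: (c.mcc, c.mnc) in homes)                       # 1. HPLMN / EHPLMN
    for entry in sim.plmn_wact:                                   # 2. user-controlled list
        take(lambda c, e=entry: (c.mcc, c.mnc, c.rat) == e)
    for entry in sim.oplmn_wact:                                  # 3. operator-controlled list
        take(lambda c, e=entry: (c.mcc, c.mnc, c.rat) == e)
    high_quality = [c for c in pool if c.rxlev_dbm >= HIGH_QUALITY_DBM]
    if rng is not None:                                           # 4. spec: random order;
        rng.shuffle(high_quality)                                 #    deterministic when rng is None
    for c in high_quality:
        pool.remove(c)
    ordered.extend(high_quality)
    ordered.extend(pool)                                          # 5. the rest, strongest first
    return ordered


# constructed data: German IMSI, one operator-preferred 3G network, one forbidden PLMN
SIM = SimData(imsi="262011234567890",
              oplmn_wact=(("262", "07", "UTRAN"),),
              fplmn=(("262", "03"),))
SCAN = [Cell("262", "09", "GSM", -100), Cell("262", "03", "GSM", -60),
        Cell("262", "02", "GSM", -70), Cell("262", "07", "UTRAN", -80),
        Cell("262", "08", "GSM", -84), Cell("262", "01", "GSM", -98)]

if __name__ == "__main__":
    for c in select_plmn(SCAN, SIM):
        print(f"{c.mcc}-{c.mnc} {c.rat:5} {c.rxlev_dbm} dBm")
```

The weak home cell (262-01 at -98 dBm) still wins over the much stronger 262-02, and the strongest cell of all (262-03) is never tried because it is on the forbidden list; this is what makes a manual network search and the automatic selection give different answers.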
== Cell Selection State Machine
image::gsm_cell_selection.png[]
== Registering to a network: LOCATION UPDATE
* *LOCATION UPDATE* is a key transaction on the MM sublayer of Layer 3 of the 2G/3G protocol stack
* it is used to update the location/presence information the network keeps about the subscriber
* there are variants:
** IMSI ATTACH is used for initial registration at power-up (our case here)
** NORMAL is an update triggered by a change of location area (LAC) as the user moves around the coverage
** PERIODIC is used when a timer (T3212, broadcast in SI3) expires, similar to a 'keep alive' in many protocols
* the *MM LOCATION UPDATE* on the Um/Abis/A interface up to the MSC is translated into a *MAP UpdateLocation* towards the HLR (central subscriber database)
* an authentication procedure may (and should!) follow to cryptographically verify the identity of the subscriber
** if the phone has no stored TMSI (EF.LOCI), it identifies itself by IMSI, in clear text, as no ciphering is active yet
* finally, the network either sends a *MM LOCATION UPDATE ACCEPT* or *MM LOCATION UPDATE REJECT*
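The two messages of this registration that are worth being able to read by hand, as an added example covering both the BCCH decode slide and this one: the SYSTEM INFORMATION TYPE 3 broadcast (network to phone, 3GPP TS 44.018 9.1.35) from which the phone learns MCC/MNC, LAC, the ATT flag and T3212, and the LOCATION UPDATING REQUEST (phone to network, 3GPP TS 24.008 9.2.15) in which it presents its identity. Both share the nibble-swapped BCD coding of PLMN and IMSI. All byte strings below are constructed for illustration, not captured traffic, and the function names are my own.

```python
"""SYSTEM INFORMATION TYPE 3 (TS 44.018 9.1.35) and LOCATION UPDATING REQUEST
(TS 24.008 9.2.15) encode/decode. Added example; all messages here are constructed."""


def decode_plmn(b: bytes) -> tuple:
    """MCC/MNC from the 3-octet coding of TS 24.008 10.5.1.3: digits are nibble-swapped,
    a 2-digit MNC carries 0xF in the MNC digit-3 slot (octet 2, upper nibble)."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}"
    if (b[1] >> 4) != 0xF:                      # 3-digit MNC
        mnc += str(b[1] >> 4)
    return mcc, mnc


def decode_lai(b: bytes) -> tuple:
    mcc, mnc = decode_plmn(b[:3])
    return mcc, mnc, int.from_bytes(b[3:5], "big")          # LAC


def parse_si3(msg: bytes) -> dict:
    """SI3 as sent on the BCCH: 23 octets starting with the L2 pseudo-length octet."""
    if len(msg) != 23 or msg[1] & 0x0F != 0x06 or msg[2] != 0x1B:
        raise ValueError("not an RR SYSTEM INFORMATION TYPE 3")
    mcc, mnc, lac = decode_lai(msg[5:10])
    ccd = msg[10:13]                 # Control Channel Description, 10.5.2.11
    csp = msg[14:16]                 # Cell Selection Parameters, 10.5.2.4
    rach = msg[16:19]                # RACH Control Parameters, 10.5.2.29
    access_classes = int.from_bytes(rach[1:3], "big")
    return {
        "pseudo_len": msg[0] >> 2,
        "cell_id": int.from_bytes(msg[3:5], "big"),
        "mcc": mcc, "mnc": mnc, "lac": lac,
        "att": bool(ccd[0] & 0x40),                  # IMSI attach/detach required
        "t3212_min": ccd[2] * 6,                     # periodic LU timer, coded in deci-hours
        "rxlev_access_min_dbm": -110 + (csp[1] & 0x3F),
        "cell_barred": bool(rach[0] & 0x02),         # CELL_BAR_ACCESS
        "barred_access_classes": [c for c in range(16) if (access_classes >> c) & 1],
    }


def encode_mobile_identity(kind: str, digits: str) -> bytes:
    """Mobile Identity value part, TS 24.008 10.5.1.4 (swapped BCD, odd/even flag in bit 4)."""
    typ = {"IMSI": 1, "IMEI": 2, "IMEISV": 3}[kind]
    odd = len(digits) % 2
    out = bytearray([(int(digits[0]) << 4) | (odd << 3) | typ])
    rest = digits[1:] + ("" if odd else "f")        # even digit count: 0xF filler at the end
    for i in range(0, len(rest), 2):
        out.append(int(rest[i], 16) | (int(rest[i + 1], 16) << 4))
    return bytes(out)


def decode_mobile_identity(b: bytes) -> tuple:
    typ = b[0] & 0x07
    if typ == 4:                                    # TMSI/P-TMSI: 4 binary octets, not BCD
        return "TMSI", b[1:5].hex()
    kind = {1: "IMSI", 2: "IMEI", 3: "IMEISV"}.get(typ, f"type{typ}")
    digits = f"{b[0] >> 4:x}"
    for o in b[1:]:
        digits += f"{o & 0xF:x}{o >> 4:x}"
    if not (b[0] & 0x08):                           # even count: drop the filler nibble
        digits = digits[:-1]
    return kind, digits


LU_TYPES = {0: "NORMAL", 1: "PERIODIC", 2: "IMSI ATTACH"}


def build_lu_request(lu_type: int, old_lai: bytes, identity: bytes, classmark1: int = 0x33) -> bytes:
    """MM LOCATION UPDATING REQUEST with CKSN 111 (no ciphering key available)."""
    return (bytes([0x05, 0x08, 0x70 | lu_type]) + old_lai
            + bytes([classmark1, len(identity)]) + identity)


def parse_lu_request(msg: bytes) -> dict:
    if msg[0] & 0x0F != 0x05 or msg[1] != 0x08:
        raise ValueError("not an MM LOCATION UPDATING REQUEST")
    kind, ident = decode_mobile_identity(msg[10:10 + msg[9]])
    return {
        "lu_type": LU_TYPES.get(msg[2] & 0x03, "reserved"),
        "cksn": (msg[2] >> 4) & 0x07,
        "old_lai": decode_lai(msg[3:8]),
        "a5_1_available": not (msg[8] & 0x08),      # Classmark 1 bit 4 set = A5/1 NOT available
        "identity": (kind, ident),
    }


# constructed: cell 1 in LAC 1 of 262-01, ATT=1, T3212=10 deci-hours, RXLEV-ACCESS-MIN -100 dBm
SI3_HEX = "49 06 1b 00 01 62 f2 10 00 01 50 03 0a 00 45 0a d5 00 00 2b 2b 2b 2b"
LAI_262_01_LAC1 = bytes.fromhex("62 f2 10 00 01")

if __name__ == "__main__":
    print(parse_si3(bytes.fromhex(SI3_HEX)))
    req = build_lu_request(2, LAI_262_01_LAC1, encode_mobile_identity("IMSI", "262011234567890"))
    print(req.hex(), parse_lu_request(req))
```

The IMSI ATTACH request carries the subscriber's IMSI in a message that no key has protected yet, and Classmark 1 tells the network which ciphers the phone supports; both are visible to anyone who runs the BCCH/RACH side of this exchange, which is why an IMSI catcher needs nothing more than the SI3 fields above to look like a plausible cell.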
== GSM Control Plane Protocol Stack
image::gsm_control_stack.svg[width="100%"]
== LOCATION UPDATE: Layer 3 Only
image::location_update_l3only.png[]
== LOCATION UPDATE: Ladder Diagram
image::location_update.png[]
== GPRS for packet switched services
[graphviz]
----
digraph G {
rankdir=LR;
MS0 [label="MS\n(Phone)"]
MS1 [label="MS\n(Phone)"]
MS2 [label="MS\n(Phone)"]
MS3 [label="MS\n(Phone)"]
BTS0 [label="BTS\n(Cell)"]
BTS1 [label="BTS\n(Cell)"]
MSC [label="MSC/VLR"]
HLR [label="HLR/AUC"]
MS0->BTS0 [label="Um"]
MS1->BTS0 [label="Um"]
MS2->BTS1 [label="Um"]
MS3->BTS1 [label="Um"]
BTS0->BSC [label="Abis"]
BTS1->BSC [label="Abis"]
BSC->MSC [label="A"]
MSC->HLR [label="C"]
BTS0->PCU [color="red"]
BTS1->PCU [color="red"]
//subgraph cluster_PS {
PCU [color="red"];
SGSN [color="red"];
GGSN [color="red"];
Internet [color="red"];
PCU->SGSN [label="Gb",color="red"]
SGSN->GGSN [label="Gn",color="red"]
GGSN->Internet [label="Gi",color="red"]
// }
}
----
== Registering for packet switched services: GPRS ATTACH
* packet-switched services were added about a decade after the circuit-switched ones
** hence, the packet-switched attach is traditionally independent of the circuit-switched attach
* GPRS ATTACH is performed from the MS to the SGSN
** it is still called GPRS ATTACH even for EDGE, and even for UMTS
== GPRS Control Plane Protocol Stack
image::gprs_control_stack.svg[width="100%"]
== GPRS ATTACH: Ladder Diagram
image::gprs_attach.png[width="100%"]
== Establishing a PDP Context
* in order to exchange user IP data with the public Internet, a tunnel must be established over the entire GSM/GPRS/UMTS infrastructure
** one tunnel end is inside the phone
** the other end is in the GGSN (Gateway GPRS Support Node)
** it is a true point-to-point link: no netmask/broadcast/ARP/link layer
** if PPP is involved, this is only between the phone/modem baseband processor and the external computer
* IP address allocation + DNS server addresses are exchanged via *Protocol Configuration Options (PCO)* inside the PDP context activation
** PCO can also carry the APN login (PAP/CHAP); with PAP, username and password travel in clear text inside the signalling
* phone sends *PDP CONTEXT ACTIVATE* (ACTIVATE PDP CONTEXT REQUEST) to the network (SGSN)
* network (SGSN) responds with *PDP CONTEXT ACTIVATE ACK* (ACTIVATE PDP CONTEXT ACCEPT) in the successful case
* user IP data may now be exchanged
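The PCO information element of TS 24.008 10.5.6.3 in both directions of that exchange, as an added example that is not part of the slides: the phone's request with a PAP login, an IPCP Configure-Request asking for address and DNS servers, and the two container types used for NAS-based address allocation; then the network's answer with an IPCP Configure-Nak and two DNS-server containers. Both byte strings are constructed (addresses from RFC 5737 and RFC 1918 ranges), and the parser names are my own.

```python
"""Protocol Configuration Options (TS 24.008 10.5.6.3) decoder for PDP context activation.
Added example; the two PCO values below are constructed, not captured."""
import struct
from ipaddress import IPv4Address

CONTAINERS = {
    0xC023: "PAP", 0xC223: "CHAP", 0x8021: "IPCP",
    0x000D: "DNS server IPv4 address", 0x0003: "DNS server IPv6 address",
    0x000A: "IP address allocation via NAS signalling",
}
PPP_CODES = {1: "Configure-Request", 2: "Configure-Ack", 3: "Configure-Nak", 4: "Configure-Reject"}
IPCP_OPTIONS = {0x03: "ip_address", 0x81: "primary_dns", 0x83: "secondary_dns"}


def _parse_pap(body: bytes) -> dict:
    """PPP PAP packet (RFC 1334): only Authenticate-Request carries credentials."""
    code, _ident, _length = struct.unpack_from(">BBH", body)
    if code != 1:
        return {"code": code}
    peer_len = body[4]
    peer = body[5:5 + peer_len]
    pw_len = body[5 + peer_len]
    pw = body[6 + peer_len:6 + peer_len + pw_len]
    return {"code": "Authenticate-Request", "peer_id": peer.decode(), "password": pw.decode()}


def _parse_ipcp(body: bytes) -> dict:
    """PPP IPCP packet (RFC 1332) with the address options a modem actually uses."""
    code, _ident, length = struct.unpack_from(">BBH", body)
    opts, pos = {}, 4
    while pos + 2 <= length:
        typ, olen = body[pos], body[pos + 1]
        if olen < 2:
            break                                   # malformed option, stop rather than loop
        if typ in IPCP_OPTIONS and olen == 6:
            opts[IPCP_OPTIONS[typ]] = str(IPv4Address(body[pos + 2:pos + 6]))
        pos += olen
    return {"code": PPP_CODES.get(code, code), "options": opts}


def parse_pco(value: bytes) -> list:
    """value = PCO IE contents after the IEI and length octets."""
    if not value[0] & 0x80 or value[0] & 0x07:
        raise ValueError("expected ext=1 and configuration protocol PPP")
    pos, result = 1, []
    while pos < len(value):
        pid, ln = struct.unpack_from(">HB", value, pos)
        body = value[pos + 3:pos + 3 + ln]
        pos += 3 + ln
        entry = {"id": pid, "name": CONTAINERS.get(pid, f"0x{pid:04X}")}
        if pid == 0xC023:
            entry.update(_parse_pap(body))
        elif pid == 0x8021:
            entry.update(_parse_ipcp(body))
        elif pid == 0x000D:                         # empty = request (MS->NW), 4 octets = answer
            entry["address"] = str(IPv4Address(body)) if ln == 4 else None
        result.append(entry)
    return result


def cleartext_credentials(containers: list) -> list:
    """PAP puts the APN username/password unencrypted into the NAS message."""
    return [(c["peer_id"], c["password"]) for c in containers if c.get("peer_id") is not None]


# constructed MS -> SGSN PCO: PAP "internet"/"secret", IPCP request, DNS and NAS-allocation requests
UPLINK_PCO = bytes.fromhex(
    "80"
    "c023 14 0101 0014 08 696e7465726e6574 06 736563726574"
    "8021 16 0101 0016 0306 00000000 8106 00000000 8306 00000000"
    "000d 00"
    "000a 00")
# constructed SGSN -> MS PCO: IPCP Nak with 10.42.0.5 and two DNS servers, plus DNS containers
DOWNLINK_PCO = bytes.fromhex(
    "80"
    "8021 16 0301 0016 0306 0a2a0005 8106 c0000235 8306 c6336435"
    "000d 04 c0000235"
    "000d 04 c6336435")

if __name__ == "__main__":
    for c in parse_pco(UPLINK_PCO) + parse_pco(DOWNLINK_PCO):
        print(c)
    print("credentials in clear:", cleartext_credentials(parse_pco(UPLINK_PCO)))
```

The uplink PCO is carried in an MM/SM message before any user-plane encryption exists, so the PAP credentials are readable by whoever terminates the radio link; CHAP (0xC223) at least avoids sending the password itself.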
== PDP CONTEXT ACT: Ladder Diagram
image::gprs_pdp_ctx_act.png[width="100%"]
== Classic UMTS (3G) network as digraph
[graphviz]
----
digraph G {
rankdir=LR;
MS0 [label="UE\n(Phone)"]
MS1 [label="UE\n(Phone)"]
MS2 [label="UE\n(Phone)"]
MS3 [label="UE\n(Phone)"]
BTS0 [label="NodeB\n(Cell)"]
BTS1 [label="NodeB\n(Cell)"]
BSC [label="RNC"];
MSC [label="MSC/VLR"]
HLR [label="HLR/AUC"]
MS0->BTS0 [label="Uu"]
MS1->BTS0 [label="Uu"]
MS2->BTS1 [label="Uu"]
MS3->BTS1 [label="Uu"]
BTS0->BSC [label="Iub"]
BTS1->BSC [label="Iub"]
BSC->MSC [label="Iu-CS"]
SGSN [color="red"]
GGSN [color="red"]
Internet [color="red"]
BSC->SGSN [label="Iu-PS",color="red"]
SGSN->GGSN [label="Gn",color="red"]
SGSN->HLR [label="Gr",color="red"]
GGSN->Internet [label="Gi",color="red"]
MSC->HLR [label="C"]
}
----
== UMTS (3G) Cell Selection
* differences primarily at the physical layer
** WCDMA instead of TDMA (GSM)
** RF channels are 5 MHz wide, so there are far fewer RF channels to scan
** however, the MS (now called UE) has to search in code space, as many cells share the same frequency channel and are told apart by their scrambling code
== UMTS (3G) Cell Selection
image::umts_cell_selection.png[]
== UMTS (3G) Registration
* Layer 3 is almost identical to GSM
* *MM LOCATION UPDATE (Type: IMSI ATTACH)* between MS(UE) and MSC
* *PS ATTACH* between MS(UE) and SGSN
* *PDP CONTEXT ACTIVATION* between MS(UE) and SGSN
== Further Reading
* Die GSM Dm-Kanaele im Dialog, Prof. Dr. Joachim Goeller, http://www.informatik.hu-berlin.de/~goeller/isdn/DieGSMDmKanaele.pdf
* The GSM Dm-Channels (English version), http://www.informatik.hu-berlin.de/~goeller/isdn/GSMDmChannels.pdf
* 3GPP TS 43.022: "Functions related to Mobile Station in idle mode and group receive mode", http://www.3gpp.org/DynaReport/43022.htm (GSM/GPRS)
* 3GPP TS 25.304: "User Equipment (UE) procedures in idle mode and procedures for cell reselection in connected mode", http://www.3gpp.org/DynaReport/25304.htm (UMTS)
== EOF
End of File