SitrakaResearchAndPOC / srsLTE_CMAS_ETWS_Hacking


CMAS unsuccessful #1

Open maximusdesmus opened 1 year ago

maximusdesmus commented 1 year ago

https://www.sharetechnote.com/html/Handbook_LTE_CMAS.html gives information about a BCCH-DL-SCH-Message and a PCCH-Message that are sent by the eNB for the CMAS to be shown on the UE. Currently only the BCCH-DL-SCH-Message is seen in the ue.pcap.

ue.pcap

Frame 3: 296 bytes on wire (2368 bits), 296 bytes captured (2368 bits)
DLT: 147, Payload: mac-lte-framed (mac-lte-framed)
MAC-LTE BCH PDU (277 bytes, on DL-SCH transport)
LTE Radio Resource Control (RRC) protocol
    BCCH-DL-SCH-Message
        Item 0
            sib-TypeAndInfo item: sib2 (0)
                sib2
                    pcch-Config
                        defaultPagingCycle: rf32 (0)
                        nB: oneT (2)
        Item 1
            sib-TypeAndInfo item: sib12-v920 (10)
                sib12-v920
                    messageIdentifier-r9: CMAS Identifier for CMAS Presidential Level Alerts (4370)
                    serialNumber-r9: 3000 [bit length 16, 0011 0000 0000 0000 decimal value 12288]
                        00.. .... .... .... = Geographical Scope: Display mode immediate, cell wide (0)
                        ..11 0000 0000 .... = Message Code: 768
                        .... .... .... 0000 = Update Number: 0
                    warningMessageSegmentType-r9: lastSegment (1)
                    warningMessageSegmentNumber-r9: 0
                    warningMessageSegment-r9: 01c576597e2ebbc7f950a8d168341a8d46a3d168341a8d46a3d168341a8d46a3d168341a…
                        [1 Fragment (200 bytes): #3(200)]
                            [Frame: 3, payload: 0-199 (200 bytes)]
                        [Fragment Count: 1]
                        [Reassembled Length: 200]
                        [Reassembled Data: 01c576597e2ebbc7f950a8d168341a8d46a3d168341a8d46a3d168341a8d46a3d168341a…]
                        Number of Pages: 1
                        Decoded Page 1: Emergency!!
                    dataCodingScheme-r9: 01
                        0000 .... = Coding Group: Coding Group 0(Language using the GSM 7 bit default alphabet) (0)
                        .... 0001 = Language: English (1)

However, PCCH-Message is not transmitted.

The function is_paging_opportunity in srsenb/src/stack/rrc/rrc.cc is never called, and there is no emergency message output on the COTS UE.

Any suggestion is appreciated.
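An added example, not from the issue or from the srsLTE_cmas_etws project: a small Python decoder for the SIB12 fields Wireshark printed above (the 16-bit serialNumber-r9 layout and the warningMessageSegment-r9 payload), the kind of parser a baseband log monitor would use to record or flag CMAS broadcasts a UE receives. Field layouts follow 3GPP TS 23.041 and TS 23.038. The sample segment is constructed from the first ten payload octets of the capture, zero-padded to one 82-octet page (a real page pads with packed CR characters) and terminated by the page length octet; the identifier names for 0x1104 and 0x1112 are taken from TS 23.041.

```python
# Added example, not part of the issue thread or the srsLTE_cmas_etws project.
# Decodes the SIB12 (CMAS) fields shown in the Wireshark dissection of ue.pcap:
# the 16-bit serialNumber-r9 sub-fields and the warningMessageSegment-r9 payload
# (number of pages + GSM 7-bit packed text), per 3GPP TS 23.041 / TS 23.038.

from dataclasses import dataclass
from typing import List

# GSM 7-bit default alphabet, basic table only (TS 23.038, no extension table).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
assert len(GSM7_BASIC) == 128

# Message identifiers that appear in this thread (TS 23.041 section 9.4.1.2.2).
MESSAGE_IDENTIFIERS = {
    0x1104: "ETWS: other emergency types",
    0x1112: "CMAS: Presidential Level Alert",
}

PAGE_DATA_LEN = 82  # octets of user data per CB page, followed by one length octet


@dataclass(frozen=True)
class SerialNumber:
    geographical_scope: int  # bits 15..14
    message_code: int        # bits 13..4
    update_number: int       # bits 3..0


def decode_serial_number(serial: int) -> SerialNumber:
    """Split a 16-bit serialNumber-r9 into its three sub-fields."""
    if not 0 <= serial <= 0xFFFF:
        raise ValueError("serialNumber-r9 is a 16-bit field")
    return SerialNumber(
        geographical_scope=(serial >> 14) & 0x3,
        message_code=(serial >> 4) & 0x3FF,
        update_number=serial & 0xF,
    )


def unpack_gsm7(octets: bytes, nof_septets: int) -> str:
    """Unpack GSM 7-bit default-alphabet septets (LSB first) into text."""
    if nof_septets * 7 > len(octets) * 8:
        raise ValueError("not enough octets for the requested septet count")
    bits = int.from_bytes(octets, "little")  # septet i occupies bits 7*i .. 7*i+6
    return "".join(GSM7_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(nof_septets))


def decode_warning_segment(segment: bytes) -> List[str]:
    """Decode a CMAS/ETWS warningMessageSegment (GSM 7-bit coding) into its pages."""
    if not segment:
        raise ValueError("empty warning message segment")
    nof_pages = segment[0]
    if not 1 <= nof_pages <= 15:
        raise ValueError(f"number of pages out of range: {nof_pages}")
    expected = 1 + nof_pages * (PAGE_DATA_LEN + 1)
    if len(segment) != expected:
        raise ValueError(f"segment is {len(segment)} octets, expected {expected}")
    pages = []
    for n in range(nof_pages):
        start = 1 + n * (PAGE_DATA_LEN + 1)
        data = segment[start:start + PAGE_DATA_LEN]
        used = segment[start + PAGE_DATA_LEN]  # number of valid octets in this page
        if used > PAGE_DATA_LEN:
            raise ValueError(f"page {n + 1}: length octet {used} exceeds {PAGE_DATA_LEN}")
        text = unpack_gsm7(data[:used], (used * 8) // 7)
        pages.append(text.rstrip("\r"))  # CR is the TS 23.038 padding character
    return pages


# Constructed sample: the first 10 payload octets from the issue's capture,
# zero-padded to one 82-octet page (a real page pads with packed CRs) and
# terminated by the page length octet 0x0A (10 used octets).
SAMPLE_TEXT_OCTETS = bytes.fromhex("c576597e2ebbc7f950a8")
SAMPLE_SEGMENT = (
    bytes([1])
    + SAMPLE_TEXT_OCTETS
    + bytes(PAGE_DATA_LEN - len(SAMPLE_TEXT_OCTETS))
    + bytes([len(SAMPLE_TEXT_OCTETS)])
)


def describe_sib12(message_identifier: int, serial: int, segment: bytes) -> dict:
    """Summarise the SIB12 fields the way a monitoring tool would log them."""
    sn = decode_serial_number(serial)
    return {
        "message_identifier": message_identifier,
        "alert_type": MESSAGE_IDENTIFIERS.get(message_identifier, "unknown"),
        "geographical_scope": sn.geographical_scope,
        "message_code": sn.message_code,
        "update_number": sn.update_number,
        "pages": decode_warning_segment(segment),
    }


if __name__ == "__main__":
    print(describe_sib12(4370, 0x3000, SAMPLE_SEGMENT))
```

For the capture above this yields message code 768, update number 0, geographical scope 0 and the single page "Emergency!!", matching the Wireshark decode; a segment whose length does not fit 1 + 83 × pages is rejected rather than partially decoded.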

maximusdesmus commented 1 year ago

ue.zip

Full UE pcap is attached.

SitrakaResearchAndPOC commented 1 year ago

I note also that my eNodeB doesn't send CMAS yet, but I don't have any time to test yet! I'm very occupied with umts-redirector and lte-redirector because there are some bugs that I should fix. Thanks for the log.

SitrakaResearchAndPOC commented 1 year ago

I have a suggestion. When I read the code of bool rrc::is_paging_opportunity(uint32_t tti, uint32_t* payload_len), I see this:

    // Default paging cycle, should get DRX from user
    uint32_t T  = cfg.sibs[1].sib2().rr_cfg_common.pcch_cfg.default_paging_cycle.to_number();
    uint32_t Nb = T * cfg.sibs[1].sib2().rr_cfg_common.pcch_cfg.nb.to_number();

so maybe sib2 should be on sibs[1], so have a look at sib.conf and change it like this:

sib1 =
{
    intra_freq_reselection = "Allowed";
    q_rx_lev_min = -65;
    //p_max = 3;
    cell_barred = "NotBarred";
    si_window_length = 20;
    sched_info =
    (
        {
            si_periodicity = 16;

            // comma-separated array of SIB-indexes (from 3 to 13), leave empty or commented to just scheduler sib2
            si_mapping_info = [ 12 ];
        }
    );
    system_info_value_tag = 0;
};

sib2 =
{
    rr_config_common_sib =
    {
        rach_cnfg =
        {
            num_ra_preambles = 52;
            preamble_init_rx_target_pwr = -104;
            pwr_ramping_step = 6;   // in dB
            preamble_trans_max = 10;
            ra_resp_win_size = 10;  // in ms
            mac_con_res_timer = 64; // in ms
            max_harq_msg3_tx = 4;
        };
        bcch_cnfg =
        {
            modification_period_coeff = 16; // in ms
        };
        pcch_cnfg =
        {
            default_paging_cycle = 32; // in rf
            nB = "1";
        };
        prach_cnfg =
        {
            root_sequence_index = 128;
            prach_cnfg_info =
            {
                high_speed_flag = false;
                prach_config_index = 3;
                prach_freq_offset = 2;
                zero_correlation_zone_config = 5;
            };
        };
        pdsch_cnfg =
        {
            /* Warning: Currently disabled and forced to p_b=1 for TM2/3/4 and p_b=0 for TM1 */
            p_b = 1;
            rs_power = 0;
        };
        pusch_cnfg =
        {
            n_sb = 1;
            hopping_mode = "inter-subframe";
            pusch_hopping_offset = 2;
            enable_64_qam = false; // 64QAM PUSCH is not currently enabled
            ul_rs =
            {
                cyclic_shift = 0;
                group_assignment_pusch = 0;
                group_hopping_enabled = false;
                sequence_hopping_enabled = false;
            };
        };
        pucch_cnfg =
        {
            delta_pucch_shift = 2;
            n_rb_cqi = 2;
            n_cs_an = 0;
            n1_pucch_an = 12;
        };
        ul_pwr_ctrl =
        {
            p0_nominal_pusch = -85;
            alpha = 0.7;
            p0_nominal_pucch = -107;
            delta_flist_pucch =
            {
                format_1 = 0;
                format_1b = 3;
                format_2 = 1;
                format_2a = 2;
                format_2b = 2;
            };
            delta_preamble_msg3 = 6;
        };
        ul_cp_length = "len1";
    };

    ue_timers_and_constants =
    {
        t300 = 2000; // in ms
        t301 = 100;  // in ms
        t310 = 1000; // in ms
        n310 = 1;
        t311 = 1000; // in ms
        n311 = 1;
    };

    freqInfo =
    {
        ul_carrier_freq_present = true;
        ul_bw_present = true;
        additional_spectrum_emission = 1;
    };

    time_alignment_timer = "INFINITY"; // use "sf500", "sf750", etc.
};

sib3 =
{
    cell_reselection_common =
    {
        q_hyst = 2; // in dB
    },
    cell_reselection_serving =
    {
        s_non_intra_search = 3,
        thresh_serving_low = 2,
        cell_resel_prio = 6
    },
    intra_freq_reselection =
    {
        q_rx_lev_min = -61,
        p_max = 23,
        s_intra_search = 5,
        presence_ant_port_1 = true,
        neigh_cell_cnfg = 1,
        t_resel_eutra = 1
    }
};

sib7 =
{
    t_resel_geran = 1;
    carrier_freqs_info_list =
    (
        {
            cell_resel_prio = 0;
            ncc_permitted = 255;
            q_rx_lev_min = 0;
            thresh_x_high = 2;
            thresh_x_low = 2;

            start_arfcn = 871;
            band_ind = "dcs1800";
        }
    );
};

sib10 =
{
    message_identifier = 0x1104;
    serial_number = 0x3000;
    warning_type = "0x580";
};

sib12 =
{
    message_identifier = 0x1112;
    serial_number = 0x3000;
    data_coding_scheme = 01;
    warning_msg_segment_type = "lastSegment";
    warning_msg_segment_num = 0;
    warning_msg_segment_r9 = "01C576597E2EBBC7F950A8D168341A8D46A3D168341A8D46A3D168341A8D46A3D168341A8D46A3D168341A8D46A3D168341A8D46A3D168341A8D46A3D168341A8D46A3D168341A8D46A3D168341A8D46A3D168341A8D46A3D1000A";
};

SitrakaResearchAndPOC commented 1 year ago

sib10 and sib12 should be at the end, not at the start, of sib.conf.

maximusdesmus commented 1 year ago

No change ... the function is not called at all.

SitrakaResearchAndPOC commented 1 year ago

In the test, did you program a SIM card, or just use a fake BTS without programming a SIM card?

maximusdesmus commented 1 year ago

Programmed SIM card on a smartphone. BTS on a B210. No output.

The PCAP is obtained via ZMQ on srsenb and srsue.

SitrakaResearchAndPOC commented 1 year ago

Thanks for the pcap indeed! I don't have time to test; I should prepare some course about hacking GSM and UMTS, but I will tell you when I remake this project! But I think it's possible to add some debug prints to see whether the is_paging_opportunity function (at https://github.com/learning-lte/srsLTE_cmas_etws/blob/master/srsenb/src/stack/rrc/rrc.cc) is not called, or whether it's a problem of:

    if ((uint32_t)sf_idx == (tti % 10)) {
      paging_rec->paging_record_list_present = true;
      // add sib10
      paging_rec->etws_ind_present = true;
      // add sib 12
      paging_rec_v920.cmas_ind_r9_present = true;
      paging_rec_v890.non_crit_ext_present = true;
      paging_rec_v890.non_crit_ext          = paging_rec_v920;
      paging_rec->non_crit_ext_present      = true;
      paging_rec->non_crit_ext              = paging_rec_v890;
      // sib12 finish
    }

Why not delete this "if ((uint32_t)sf_idx == (tti % 10))" condition and recompile?

SitrakaResearchAndPOC commented 1 year ago

The other file which uses is_paging_opportunity is this one: https://github.com/learning-lte/srsLTE_cmas_etws/blob/master/srsenb/src/stack/mac/scheduler_carrier.cc . Why not also change:

    if (rrc->is_paging_opportunity(current_tti, &paging_payload) and paging_payload > 0) {
      tti_sched->alloc_paging(bc_aggr_level, paging_payload);
    }

BY DIRECT CALL:

    rrc->is_paging_opportunity(current_tti, &paging_payload);
    tti_sched->alloc_paging(bc_aggr_level, paging_payload);

SitrakaResearchAndPOC commented 1 year ago

Hey @maximusdesmus, have you any idea how to debug rrc.log to see the log with srsLTE?

SitrakaResearchAndPOC commented 1 year ago

I see the problem: srsLTE changed to use the ASN version in 2019, and the ASN version has a problem. Just add the IMSI of the user like on https://github.com/srsran/srsRAN_4G/issues/606, or change the function at https://github.com/learning-lte/srsLTE_cmas_etws/blob/master/srsenb/src/stack/rrc/rrc.cc named:

    void rrc::add_paging_id(uint32_t ueid, const asn1::s1ap::ue_paging_id_c& ue_paging_id)
    {
      std::lock_guard<std::mutex> lock(paging_mutex);
      if (pending_paging.count(ueid) > 0) {
        rrc_log->warning("Received Paging for UEID=%d but not yet transmitted\n", ueid);
        return;
      }

      paging_record_s paging_elem;
      if (ue_paging_id.type().value == asn1::s1ap::ue_paging_id_c::types_opts::imsi) {
        paging_elem.ue_id.set_imsi();
        paging_elem.ue_id.imsi().resize(ue_paging_id.imsi().size());
        memcpy(paging_elem.ue_id.imsi().data(), ue_paging_id.imsi().data(), ue_paging_id.imsi().size());
        rrc_log->console("Warning IMSI paging not tested\n");
      } else {
        paging_elem.ue_id.set_s_tmsi();
        paging_elem.ue_id.s_tmsi().mmec.from_number(ue_paging_id.s_tmsi().mmec[0]);
        uint32_t m_tmsi     = 0;
        uint32_t nof_octets = ue_paging_id.s_tmsi().m_tmsi.size();
        for (uint32_t i = 0; i < nof_octets; i++) {
          m_tmsi |= ue_paging_id.s_tmsi().m_tmsi[i] << (8u * (nof_octets - i - 1u));
        }
        paging_elem.ue_id.s_tmsi().m_tmsi.from_number(m_tmsi);
      }
      paging_elem.cn_domain = paging_record_s::cn_domain_e_::ps;

      pending_paging.insert(std::make_pair(ueid, paging_elem));
    }

AS:

    void rrc::add_paging_id(uint32_t ueid, const asn1::s1ap::ue_paging_id_c& ue_paging_id)
    {
      std::lock_guard<std::mutex> lock(paging_mutex);
      if (pending_paging.count(ueid) > 0) {
        rrc_log->warning("Received Paging for UEID=%d but not yet transmitted\n", ueid);
        return;
      }

      paging_record_s paging_elem;

      paging_elem.ue_id.set_s_tmsi();
      paging_elem.ue_id.s_tmsi().mmec.from_number(ue_paging_id.s_tmsi().mmec[0]);
      uint32_t m_tmsi     = 0;
      uint32_t nof_octets = ue_paging_id.s_tmsi().m_tmsi.size();
      for (uint32_t i = 0; i < nof_octets; i++) {
        m_tmsi |= ue_paging_id.s_tmsi().m_tmsi[i] << (8u * (nof_octets - i - 1u));
      }
      paging_elem.ue_id.s_tmsi().m_tmsi.from_number(m_tmsi);

      paging_elem.cn_domain = paging_record_s::cn_domain_e_::ps;

      pending_paging.insert(std::make_pair(ueid, paging_elem));
    }

Have a look also at https://www.sharetechnote.com/html/Paging_LTE.html to learn more about paging.