herlesupreeth / CoIMS_Wiki

Wiki for overriding IMS settings to enable VoLTE/VoWiFi using Carrier Privileges in Android phones
BSD 2-Clause "Simplified" License

CoIMS app not functional in Samsung mobile. #13

Open ncreddy2001 opened 1 year ago

ncreddy2001 commented 1 year ago

Hi @herlesupreeth, I'm trying to replicate the tutorial in open5gs (EPC + IMS) VoLTE Setup with Kamailio IMS and Open5GS. I had an issue enabling VoLTE on a Samsung mobile using the CoIMS application.

Setup information:

Initially I had issues connecting UEs to the EPC with APN 'IMS', then followed this tutorial to enable CoIMS on the SIM using pySIM_tools. While making changes on the mobile phone using CoIMS, I had issues opening the Samsung IMS settings option in the menu. Can you please suggest any other alternative to enable VoLTE?

https://github.com/herlesupreeth/CoIMS_Wiki/assets/114053228/250cf05d-be65-4585-aabf-56d0b74d1699

herlesupreeth commented 1 year ago

I would suggest you re-program your SIM and use PLMN 001 01 as that has highest chances of working via this method.

But in general it's hard to get this method to work on Samsung, as they have locked access to the "IMS Settings" secret menu from Android 10 and above. So you can't use this method if your device is running Android 10 or above.

ncreddy2001 commented 1 year ago

Thank you @herlesupreeth, I will try to change the MNC/MCC and try again.

dushy-3474 commented 6 months ago

@ncreddy2001 , did your issue get fixed? I am having the same problem even though I have used PLMN 001 01.

dushy-3474 commented 6 months ago

@herlesupreeth We are trying to register IMS on open5gs/kamailio. The simcards that we are using now are sysmoISIM-SJA2 cards. They have ISIM applet.

The question is, is there a way to delete the ISIM applet?

I can provide you with adb logs if you want. And in the pcap logs, it's just that the PDN conn req is not getting triggered with the ims apn and hence there are no SIP traces regarding ims.

Any pointers to this issue will be very helpful.

herlesupreeth commented 6 months ago

The question is, is there a way to delete the ISIM applet?

I don't think you can delete the ISIM application from the SIM card. But if you use this script https://github.com/osmocom/pysim/blob/master/scripts/deactivate-ims.script (make sure to change the ADM key as per your SIM card) it should disable the ISIM application completely. And if the Samsung device tries to access ISIM even after that, then it's not following the 3GPP specification.

laf0rge commented 6 months ago

I would recommend to go one step further to actually LOCK the ISIM application at the GlobalPlatform level. This way even the SELECT of the ADF.ISIM will fail.

Both the method described by @herlesupreeth and the lock of the ISIM application are documented in the official user manual; see the section titled "Locking the ISIM application" in the sysmoISIM user manual.

dushy-3474 commented 6 months ago

I would recommend to go one step further to actually LOCK the ISIM application at the GlobalPlatform level. This way even the SELECT of the ADF.ISIM will fail.

Both the method described by @herlesupreeth and the lock of the ISIM application are documented in the official user manual; see the section titled "Locking the ISIM application" in the sysmoISIM user manual.


Thanks both of you for the reply. @laf0rge, How to change the ADM key?

And yes, I have gone through the CoIMS blog by @herlesupreeth and the redmine wiki of sysmocom, and we tried the second method already.

We used the commands:

./pySim-shell.py -p0 --script ./scripts/deactivate-ims.script

java -jar ./gp.jar --key-enc KIC1 --key-mac KID1 --key-dek KIK1 --lock-applet A0000000871002FFFFFFFF8907090000

After doing this we were not able to select ADF.ISIM but were able to see it in 00:MF>, and the phone is still trying to load ADF.ISIM and getting an error there. And it does not trigger PDN connectivity. From gp.jar we can see that the ISIM applet is locked.
From pySim-shell, we can see that ADF.ISIM is there but we cannot select it.

I am attaching a zip file in which log12.txt is the adb logcat for working and non working scenarios. Working sim does not have ISIM and non working sim has ISIM, if that helps.

Is there any additional setting needed? Does "GlobalPlatform level" mean anything else?

dushy-3474 commented 6 months ago

logcat.zip

laf0rge commented 6 months ago

Can you please confirm / double check that you are using the exact same phone and just replacing the SJA2 with SJS1 will make this very same phone with same network on the same mcc/mnc and EPC+IMS core configuration perform the ims registration?

That's highly unusual and I would be interested in getting a pySim-shell "export" (after verify_adm) for both of the cards so I can do a diff between the card contents. Feel free to share by email if you don't want to post your key material or other possibly confidential data publicly.

-- Sent from a mobile device. Please excuse my brevity.

dushy-3474 commented 6 months ago

exports.zip Hi

The exports are attached in files labeled "sja2_export" and "sjs1 _export" respectively

Thank you.

laf0rge commented 6 months ago

On Sat, Feb 03, 2024 at 09:31:25AM -0800, dushy-3474 wrote:

The exports are attached in files labeled "sja2_export" and "sjs1 _export" respectively

The export clearly shows that ADF.ISIM of your sysmoISIM-SJA2 is still operational and not LOCKED.

This is contrary to your earlier statement that you did lock the application.

Please make sure you have disabled (LOCKED) the ISIM application.

--

dushy-3474 commented 6 months ago

On Sat, Feb 03, 2024 at 09:31:25AM -0800, dushy-3474 wrote:

The exports are attached in files labeled "sja2_export" and "sjs1 _export" respectively

The export clearly shows that ADF.ISIM of your sysmoISIM-SJA2 is still operational and not LOCKED.

This is contrary to your earlier statement that you did lock the application.

Please make sure you have disabled (LOCKED) the ISIM application.

-- Harald Welte https://laforge.gnumonks.org/

"Privacy in residential applications is a desirable marketing option." (ETSI EN 300 175-7 Ch. A6)

Hello Harald,

Please ignore previously attached file. Attaching new set of files to compare.

Regards, Dushyanth new_exports.zip

dushy-3474 commented 6 months ago

Hello Harald,

We have been debugging the UE behaviour from the ADB logs.

I have attached the adb log file from when the ISIM application is locked for SJA2 UICC cards. We can see the following (potential??) errors in the log file when ISIM is accessed.

02-02 12:18:03.732 1811 1811 D IsimUiccRecords: [ISIM-0] EF_ISIM_IMPU LOADED
02-02 12:18:03.732 1811 1811 E IsimUiccRecords: [ISIM-0] Record Load Exception: com.android.internal.telephony.CommandException: OPERATION_NOT_ALLOWED
02-02 12:18:03.732 1811 1811 D IsimUiccRecords: [ISIM-0] Broadcasting intent ACTION_ISIM_LOADED
...

02-02 12:18:04.116 2123 2334 E TelephonyManagerWrapper: use backup impu : xxxxx
02-02 12:18:04.116 2123 2334 E SimManager<0>: isIsimDataValid: IMPU_NOT_EXISTS
02-02 12:18:04.116 2123 2334 E SimManager<0>: isIsimDataValid: IMPI_NOT_EXIST
02-02 12:18:04.116 2123 2334 E SimManager<0>: isIsimDataValid: HOME_DOMAIN_NOT_EXIST
02-02 12:18:04.116 2123 2334 E SimManager<0>: onSimStateChange: invalid ISIM!
02-02 12:18:04.117 2123 2334 E #IMSCR : 02-02 12:18:04 0x10000005:0,INVLD ISIM,13
02-02 12:18:04.118 2123 2334 I SimManager_slot0: slot[0]: notifySimReady: state [INVALID_ISIM]
02-02 12:18:04.118 2123 2400 E TelephonyManagerWrapper: use backup impi : null
02-02 12:18:04.118 2123 2400 I SimManager<0>: getDerivedImpi:
02-02 12:18:04.119 2123 2334 E #IMSCR : 02-02 12:18:04 0x1000001F:0,NOTI SIM EVT
02-02 12:18:04.119 2123 2334 I SimManager<0>: send ACTION_IMS_ON_SIMLOADED
02-02 12:18:04.123 2123 2400 E TelephonyManagerWrapper: use backup impu : xxxxx

Also, while doing a quick search in the Android source code, in the file frameworks/opt/telephony/src/java/com/android/internal/telephony/uicc/IsimUiccRecords.java, we see a "todo" that mentions the locked state of ISIM is not handled well. Do you have any idea on this, or whether we are looking at the correct version of the Android source code?

https://cs.android.com/android/platform/superproject/main/+/main:frameworks/opt/telephony/src/java/com/android/internal/telephony/uicc/IsimUiccRecords.java;drc=d393955ed678ce50ec7c0ae578f110d242a77f65;l=178?q=IsimUiccRecords

/* ***Please see the code_snippet.png that is attached below. Could not post the code /

If the above observations are correct, maybe the locking of ISIM will not work in current Android. One alternative is to configure correct EFs in the ADF.ISIM. IMPU, IMPI and domain name are possibly straightforward configurations. Do you know if the authentication key and SQN also need to be configured or not? Is this the same key and SQN as what is present in ADF.USIM? If we configure these, do you know or have you tested whether VoLTE will work correctly or not? Do you have any example scripts to configure the ADF.ISIM?

Regards, Dushyanth code_snippet 04-sysmo-sja2-adblog.zip

herlesupreeth commented 6 months ago

One alternative is to configure correct EFs in the ADF.ISIM. IMPU, IMPI and domain name are possibly straight forward configurations.

I use the below pySim-prog.py command to configure all relevant EFs required for ISIM to be activated correctly

./pySim-prog.py -p 0 -x 001 -y 01 -s 8988211900000000025 -i 001010123456790 -k 8baf473f2f8fd09487cccbd7097c6862 --op 11111111111111111111111111111111 -o 8E27B6AF0E692E750F32667A3B14605D -a 11111111 --msisdn 9076543210 --epdgid epdg.epc.mnc001.mcc001.pub.3gppnetwork.org --pcscf pcscf.ims.mnc001.mcc001.3gppnetwork.org --ims-hdomain ims.mnc001.mcc001.3gppnetwork.org --impi 001010123456790@ims.mnc001.mcc001.3gppnetwork.org --impu sip:001010123456790@ims.mnc001.mcc001.3gppnetwork.org

just ensure to change the ADM (-a) as per what you received from Sysmocom for your SIM card

dushy-3474 commented 6 months ago

One alternative is to configure correct EFs in the ADF.ISIM. IMPU, IMPI and domain name are possibly straight forward configurations.

I use the below pySim-prog.py command to configure all relevant EFs required for ISIM to be activated correctly

./pySim-prog.py -p 0 -x 001 -y 01 -s 8988211900000000025 -i 001010123456790 -k 8baf473f2f8fd09487cccbd7097c6862 --op 11111111111111111111111111111111 -o 8E27B6AF0E692E750F32667A3B14605D -a 11111111 --msisdn 9076543210 --epdgid epdg.epc.mnc001.mcc001.pub.3gppnetwork.org --pcscf pcscf.ims.mnc001.mcc001.3gppnetwork.org --ims-hdomain ims.mnc001.mcc001.3gppnetwork.org --impi 001010123456790@ims.mnc001.mcc001.3gppnetwork.org --impu sip:001010123456790@ims.mnc001.mcc001.3gppnetwork.org

just ensure to change the ADM (-a) as per what you received from Sysmocom for your SIM card

@herlesupreeth We will try this.

But I was just curious how other users of sysmocomISIM-SJA2 are testing IMS and VoLTE if locking of the ISIM applet does not work. Are you aware of other ways to make VoLTE work on ISIM-SJA2 SIM cards apart from the CoIMS method and the above mentioned one? This is a bit of a hassle for us since we have multiple SIM cards and phones which are getting tested in the private LTE network.

Regards, Dushyanth

herlesupreeth commented 6 months ago

But I was just curious that how other users of sysmocomISIM-SJA2 are testing IMS and volte if locking of ISIM applet does not work.

Just to clarify a few things, it's not an issue of the SIM card in any way. It's the phone vendors who are locking the VoLTE capability behind a paywall, and CoIMS is one of the methods (outlined by Google in AOSP) to override that lock and enable VoLTE. So in a way Sysmocom SIMs are really helpful in being able to achieve overriding of VoLTE settings via CoIMS (if you buy SIM cards from other vendors you won't be able to use the CoIMS method).

And, usually locking of ISIM is not needed at all as EFs related to ISIM are programmed and actively used in VoLTE deployments.

This is bit of hassle for us since we have multiple sim cards and phones which are getting tested in the private LTE network.

I don't think there is any other way unless you are ready to approach individual phone vendors to enable VoLTE on the private LTE network you are operating. Or approach GSMA with the settings you want to enable and wait for the phone vendor to take those settings from the GSMA database and then roll them out as a phone update.

dushy-3474 commented 6 months ago

But I was just curious that how other users of sysmocomISIM-SJA2 are testing IMS and volte if locking of ISIM applet does not work.

Just to clarify a few things, it's not an issue of the SIM card in any way. It's the phone vendors who are locking the VoLTE capability behind a paywall, and CoIMS is one of the methods (outlined by Google in AOSP) to override that lock and enable VoLTE. So in a way Sysmocom SIMs are really helpful in being able to achieve overriding of VoLTE settings via CoIMS (if you buy SIM cards from other vendors you won't be able to use the CoIMS method).

And, usually locking of ISIM is not needed at all as EFs related to ISIM are programmed and actively used in VoLTE deployments.

This is bit of hassle for us since we have multiple sim cards and phones which are getting tested in the private LTE network.

I don't think there is any other way unless you are ready to approach individual phone vendors to enable VoLTE on the private LTE network you are operating. Or approach GSMA with the settings you want to enable and wait for the phone vendor to take those settings from the GSMA database and then roll them out as a phone update.

@herlesupreeth

I did not mean to say it's a SIM card issue. I was just trying to understand the trend. And thanks a lot for the information.

We are able to do IMS registration and VoLTE is successful.

Regards, Dushyanth

herlesupreeth commented 6 months ago

I did not mean to say it's a SIM card issue. I was just trying to understand the trend. And thanks a lot for the information.

I didn't mean offense either :)

We are able to do IMS registration and VoLTE is successful.

Can you please explain what led to successful IMS registration so that others may benefit? Was it the programming of the SIM with the command I shared above?

dushy-3474 commented 5 months ago

I did not mean to say it's a SIM card issue. I was just trying to understand the trend. And thanks a lot for the information.

I didn't mean offense either :)

We are able to do IMS registration and VoLTE is successful.

Can you please explain what led to successful IMS registration so that others may benefit? Was it the programming of the SIM with the command I shared above?

@herlesupreeth

Yes, I used the command above with the appropriate IMSI (we are maintaining MCC MNC as 001 01) to program the ISIM.

After this, a second PDN connect request was sent for the ims APN and IMS registration was successful.

Regards, Dushyanth

dushy-3474 commented 3 months ago

Hello @herlesupreeth ,

Is there a way to dynamically not give IMS registration to UEs connecting? For one of the use cases I am testing, I don't want UEs to get VoLTE. I know one way is to remove IMPU IMPI IMSU from the SIM card. But to remove it as a blanket from the open5gs EPC, is there a way? I tried removing the ims apn from smf.yaml and upf.yaml. This did not work.

Removing the entry from Fhoss is working. Is there any other way?

Regards, Dushyanth

herlesupreeth commented 3 months ago

Hey @dushy-3474 , I am not sure whether I got your question right. But if you want your phone to stop attempting to connect to IMS you can try the following

  1. Uninstall CoIMS app if you have installed it on the phone
  2. Disable VoLTE/Enhanced 4G/LTE in the phone mobile networks settings

dushy-3474 commented 3 weeks ago

Hello @herlesupreeth,

Sorry to bother you again regarding this topic.

The above method of programming IMS IDs in the SIM cards is working fine on a certain model (Samsung M13 5G). But on the Samsung M13 4G, it is not working.

After the IMS bearer establishment at EPS level is successful, the UE is not sending any REGISTER message to the P-CSCF (no IMS messages on SIP).

And the CoIMS app also is not working.

Do you have any idea what might be going wrong?

Regards, Dushyanth

herlesupreeth commented 3 weeks ago

After the IMS bearer establishment at EPS level is successful, the UE is not sending any register message to p-cscf (No IMS messages on SIP).

Try restarting the phone and attach to the IMS again. Sometimes phones give up on attempting to connect to IMS after repeated failed attempts.

dushy-3474 commented 3 weeks ago

@herlesupreeth

Thanks for the response.

Restarting and updating software did not help.

I am able to see the following in the adb log of the UE at regular intervals.

07-10 21:47:47.526 1566 1755 I RegiMgr<1>: [RJIL VoLTE|CONNECTED] tryRegister: pcscf is null. return..
07-10 21:47:47.526 1566 1755 I RegiMgr : slot[1]: [RJIL VoLTE|CONNECTED] regi failed due to empty p-cscf
07-10 21:47:47.527 1566 1755 I RegiMgr : tryRegister: pcscf is null. Notify registration state to CP.

And also one more point is that this happens only in one model, the Samsung M13 4G. And it's working on the Samsung M13 5G.

Is it because the Samsung M13 4G is not reading the ISIM application of the SIM card where we have programmed the IMS URI?

Regards, Dushyanth
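The log signatures quoted in this thread (the ISIM record load exception, the isIsimDataValid flags and the empty P-CSCF message) can be pulled out of an adb logcat capture mechanically, which helps when comparing several phones and SIM cards. The Python below is an added example, not part of any comment here and not CoIMS, pySim or Android code; the cause names and hint texts are assumptions, and the match strings are the vendor log strings seen above.

```python
import re
from collections import defaultdict

# adb logcat "threadtime" layout: MM-DD HH:MM:SS.mmm PID TID LEVEL TAG: message
LINE = re.compile(
    r"^\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}\s+\d+\s+\d+\s+[VDIWEF]\s+(.*?)\s*: (.*)$")

# (cause, tag prefix, message pattern). The match strings are the vendor log
# strings quoted in this thread; other phones or firmware builds may differ.
RULES = [
    ("isim_read_rejected", "IsimUiccRecords",
     re.compile(r"Record Load Exception: \S*CommandException: (\w+)")),
    ("isim_field_missing", "SimManager",
     re.compile(r"isIsimDataValid: (\w+)")),
    ("pcscf_missing", "RegiMgr",
     re.compile(r"(pcscf is null|empty p-cscf)")),
]

# Next step per cause, following the advice given in the thread (wording assumed).
HINTS = {
    "isim_read_rejected": "card refused an ISIM read; check ADF.ISIM state",
    "isim_field_missing": "program IMPI, IMPU and home domain in ADF.ISIM",
    "pcscf_missing": "no P-CSCF reached the UE; check PCO/ePCO in a core pcap",
}

def triage(lines):
    """Return {cause: sorted distinct details} for the lines that match a rule."""
    found = defaultdict(set)
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # "...", wrapped lines and truncated records are skipped
        tag, msg = m.groups()
        for cause, prefix, pattern in RULES:
            hit = pattern.search(msg) if tag.startswith(prefix) else None
            if hit:
                found[cause].add(hit.group(1))
    return {cause: sorted(vals) for cause, vals in found.items()}

def report(findings):
    """One readable line per cause, in the order the causes were first seen."""
    return [f"{c}: {', '.join(v)} -> {HINTS[c]}" for c, v in findings.items()]

# Sample input: lines copied from the two log excerpts posted in this thread
# (the locked-ISIM capture and the Samsung M13 4G capture), joined for the demo.
SAMPLE = """\
02-02 12:18:03.732 1811 1811 E IsimUiccRecords: [ISIM-0] Record Load Exception: com.android.internal.telephony.CommandException: OPERATION_NOT_ALLOWED
02-02 12:18:04.116 2123 2334 E SimManager<0>: isIsimDataValid: IMPU_NOT_EXISTS
02-02 12:18:04.116 2123 2334 E SimManager<0>: isIsimDataValid: IMPI_NOT_EXIST
02-02 12:18:04.116 2123 2334 E SimManager<0>: isIsimDataValid: HOME_DOMAIN_NOT_EXIST
02-02 12:18:04.117 2123 2334 E #IMSCR : 02-02 12:18:04 0x10000005:0,INVLD ISIM,13
07-10 21:47:47.526 1566 1755 I RegiMgr<1>: [RJIL VoLTE|CONNECTED] tryRegister: pcscf is null. return..
07-10 21:47:47.526 1566 1755 I RegiMgr : slot[1]: [RJIL VoLTE|CONNECTED] regi failed due to empty p-cscf
""".splitlines()

if __name__ == "__main__":
    for line in report(triage(SAMPLE)):
        print(line)
```

Feed it a real capture with `triage(open("logcat.txt", errors="replace"))`; the file name is a placeholder.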

herlesupreeth commented 3 weeks ago

@dushy-3474 Please attach a pcap taken on the machine running your 4G Core when you attempt to attach the UE to IMS and post it here. Android logs are not very helpful.

dushy-3474 commented 3 weeks ago

@herlesupreeth Which filter do you want?

herlesupreeth commented 3 weeks ago

No filters

dushy-3474 commented 3 weeks ago

@herlesupreeth

I am attaching the pcap logs.

Filter is: sctp or port sip or port 6060 or port 4060

Without filters it turns out to be huge in size.

But if you need I will try.

ims_not_working_1.zip ims_working_1.zip diff

In the diff picture, the left side is the one not working. This is the PDN connectivity Request message. I think this difference is not related.

Regards, Dushyanth

herlesupreeth commented 3 weeks ago

Looks like PCO options are missing. Can you also post here the logs of your 4G Core??

dushy-3474 commented 3 weeks ago

@herlesupreeth

pco

We were suspecting this.

How do we collect the logs which appear on the tmux a, or where is this log stored?

dushy-3474 commented 3 weeks ago

I think the not working UE is sending EPCO in the PDN connectivity request, and the working phone is sending PCO.

dushy-3474 commented 3 weeks ago

@herlesupreeth

I got the commit id for EPCO, 01d3db4b6ec9f54f4808d19572f2b20ca8d2df00.

I tried the epco_len code in our version. It wasn't there. But still the same issue. EPCO is not coming from open5gs.

I am attaching the logs. open5gs_log.zip

Regards, Dushyanth

herlesupreeth commented 3 weeks ago

Please try with the latest version of open5gs and send me the logs. open5gs v2.4.9 is quite old at this point.