herlesupreeth / docker_open5gs

Docker files to run open5gs + IMS + eNB + gNB + NR-UE in a docker
BSD 2-Clause "Simplified" License

CoIMS sim card config has no effect #312

Closed JulienSrcdImta closed 5 months ago

JulienSrcdImta commented 5 months ago

Hi @herlesupreeth

First, I want to thank you for your great project docker_open5gs. I played with 4G and 5G networks, they work well and it is fantastic to have all the NF inside a single Docker environment.

Now I am trying the IMS. One of my phones (Asus Zenfone 8) is registering on the platform, so I believe my setup is OK. I use the 4G VoLTE deployment with B210:

docker compose -f 4g-volte-deploy.yaml up
docker compose -f srsenb.yaml up -d && docker container attach srsenb

For this Asus UE, I just disabled the IMS script on the SIM (sysmoISIM-SJA2) to enable fallback mode. I used the command:

./pySim-shell.py -p0 --script ./scripts/deactivate-ims.script

Here is the log: asus_ims_registration_ok.pcap.zip

But I am not able to connect any of my other phones:

- OnePlus 3 (VoLTE working on Amarisoft config)
- OnePlus 8
- OnePlus 9 (with Iodé OS)
- Samsung Galaxy S21 5G (I didn't spend much time on this one as I saw in other posts that it is complicated with Samsung UEs)

So I tried the method of the CoIMS_Wiki. I am not sure this works well because I have errors in some command outputs. For the command:

gp --key-enc 7655100AFC4AB7CE438DBE15471E3A6A --key-mac 5FFF6485DD05DC87BC2C727BE323A0BA --key-dek 1A06C7874AFB614DD29A989BE01B7669 --install applet.cap

I have this at the end:

Error: STRICT WARNING: Card cryptogram invalid!
Card: AF127048A5AB94EA
Host: A1059F4186659AB6
!!! DO NOT RE-TRY THE SAME COMMAND/KEYS OR YOU MAY BRICK YOUR CARD !!!

Here are the full commands and messages:

coims_wiki_sim_prog_output.txt

I am not sure if it's a problem because when I check in the CoIMS app on the phone I have:

App has Carrier Privileges = true
SIM Carrier Id = 1911
carrier_volte_provisioned_bool = true

I also deactivated the IMS script on this SIM card:

./pySim-shell.py -p0 --script ./scripts/deactivate-ims.script

The only effect I can see on the OnePlus 8 is that the 4G logo didn't show up, but I still have data connectivity... As you can see in the log below, both the "internet" and "ims" APNs are set up for the UE but there is no SIP REGISTER sent.

oneplus_ims_registration_ko.pcap.zip

Can you tell me if the CoIMS config is OK?
Do I have to disable the IMS script on the card too?
Is it OK to use the test PLMN 00101?
Any idea of what goes wrong with these phones?

Thanks, Have a nice day!

herlesupreeth commented 5 months ago

gp --key-enc 7655100AFC4AB7CE438DBE15471E3A6A --key-mac 5FFF6485DD05DC87BC2C727BE323A0BA --key-dek 1A06C7874AFB614DD29A989BE01B7669 --install applet.cap
I have this at the end:
Error: STRICT WARNING: Card cryptogram invalid! Card: AF127048A5AB94EA Host: A1059F4186659AB6 !!! DO NOT RE-TRY THE SAME COMMAND/KEYS OR YOU MAY BRICK YOUR CARD !!!

For this, I see that you have successfully unlocked the card (see logs below). Once you unlock the card, the old keys are not valid anymore. The new keys would be (as mentioned in the log) 404142434445464748494A4B4C4D4E4F. And when you tried to execute the following command

gp --key-enc 7655100AFC4AB7CE438DBE15471E3A6A --key-mac 5FFF6485DD05DC87BC2C727BE323A0BA --key-dek 1A06C7874AFB614DD29A989BE01B7669 --install applet.cap

you got that error because the keys were wrong.

NOTE: Once you unlock the card, there is no need to provide --key-enc, --key-dek or --key-mac anymore as it will use the default key (404142434445464748494A4B4C4D4E4F)

jsm@jsm-Latitude-E6530:~/SIM/CoIMS_Wiki$ gp --key-enc 7655100AFC4AB7CE438DBE15471E3A6A --key-mac 5FFF6485DD05DC87BC2C727BE323A0BA --key-dek 1A06C7874AFB614DD29A989BE01B7669 --unlock
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] WARN pro.javacard.gp.PlaintextKeys - Don't know how to calculate KCV, defaulting to SCP02
[main] INFO pro.javacard.gp.GPSession - Using card master keys: ENC=7655100AFC4AB7CE438DBE15471E3A6A (KCV: D1A494) MAC=5FFF6485DD05DC87BC2C727BE323A0BA (KCV: 01CE33) DEK=1A06C7874AFB614DD29A989BE01B7669 (KCV: 98F550) for null
[main] INFO pro.javacard.gp.GPSession - Diversified card keys: ENC=7655100AFC4AB7CE438DBE15471E3A6A (KCV: D1A494) MAC=5FFF6485DD05DC87BC2C727BE323A0BA (KCV: 01CE33) DEK=1A06C7874AFB614DD29A989BE01B7669 (KCV: 98F550) for SCP02
[main] INFO pro.javacard.gp.GPSession - Session keys: ENC=B2AA8E526E512135054165A1A202F163 MAC=D1D31078C771787284DD213AF86C8C98 RMAC=DEEF29690B938AD42315294EBE7E9069, card keys=ENC=7655100AFC4AB7CE438DBE15471E3A6A (KCV: D1A494) MAC=5FFF6485DD05DC87BC2C727BE323A0BA (KCV: 01CE33) DEK=1A06C7874AFB614DD29A989BE01B7669 (KCV: 98F550) for SCP02
Default 404142434445464748494A4B4C4D4E4F set as master key for A000000003000000

Now to the OnePlus not sending SIP REGISTER part, I see the following in the pcap, i.e. UE IP type is set to IPv4v6 in the open5gs WebUI. I would suggest changing it to IPv4 only, and then restarting the phone and attempting IMS registration again.

Can you tell me if the CoIMS config is OK ?

Yes, you did not have to install the applet as the Sysmocom ISIM (black card) already comes pre-installed with that applet. All you need is to push the certificates.

Do I have to disable ims script on the card too ?

Technically it's not needed. You are free to do it if you like. I don't think it should affect whether a phone registers or not.

Is it ok to use the test PLMN 00101 ?

Definitely yes, I use it all the time

JulienSrcdImta commented 5 months ago

Hi @herlesupreeth,

Thank you for your fast answer! Now I have 3 more UE connecting to IMS servers and I performed my first calls and video calls!

I tried your advice to only push the certificate to sysmoISIM-SJA2 and it works. So do you know why they didn't push it by default to make the applet work? (Note: I discovered ARA-M with this project last week...)

Thanks again, Julien

herlesupreeth commented 5 months ago

So do you know why they didn't push it by default to make the applet working ?

The certificate you push to the ARA-M applet is a certificate I used to sign the CoIMS app you download from the App Store. Since that certificate is tied to that app, it does make much sense for Sysmocom to push the certificate by default. This way whosoever buys the SIM card can push their own certificates with which they sign their Android app which requires Carrier Privileges.

JulienSrcdImta commented 5 months ago

Ok, I think I understand. Please tell me if I am wrong.

- sysmoISIM-SJA2 already has the ARA-M needed to do IMS on PLMN 00101
- CoIMS app is useful to check if IMS is active on a SIM card. But to use it we need to load a certificate on the SIM; this way the ARA-M will allow the CoIMS app to read params in the secured SIM files.

I just tested with a SIM card sysmoISIM-SJA2 where I only change the PLMN to 00101 and it connects and it works!

The problem I had when I wrote the issue was in fact not from the SIM configuration but from apn conf. For others, I put here again the image I found in another post with the correct apn configuration: apn_config

herlesupreeth commented 5 months ago

The ARA-M applet is like a storage where one can write SHA1 or other certificates and it has no relation to IMS.

Google, as part of AOSP, has outlined something called Carrier Privileges, which is a special privilege given to an Android app to override certain settings. In order to provide an Android app Carrier Privilege, the Android device first reads the certificates stored in ARA-M. Then, if any of the certificates in ARA-M matches the certificate with which the Android app is signed, the app gets Carrier Privilege. Using Carrier Privilege one can override IMS settings etc.

CoIMS app is the Android app I talked about above.
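The matching step described in the comment above, as an added example that is not code from this thread, from docker_open5gs or from Android: it parses the access rules an ARA-M applet returns and checks whether an app's signing certificate hash appears in them. The tag values (FF40, E2, E1, C1, CA, E3, DB) follow the AOSP UICC Carrier Privileges documentation; the certificate bytes, permission value and function names are constructed for illustration.

```python
import hashlib

def parse_tlv(data):
    """Yield (tag, value) pairs from BER-TLV bytes (1- or 2-byte tags)."""
    i = 0
    while i < len(data):
        tag, i = data[i], i + 1
        if tag & 0x1F == 0x1F:                 # two-byte tag such as FF40
            tag, i = (tag << 8) | data[i], i + 1
        length, i = data[i], i + 1
        if length & 0x80:                      # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + length > len(data):
            raise ValueError("truncated TLV")
        yield tag, data[i:i + length]
        i += length

def carrier_rules(response):
    """Return (cert_hash, package, permissions) for each rule in an FF40 response."""
    rules = []
    for tag, body in parse_tlv(response):
        if tag != 0xFF40:
            continue
        for t, ref_ar in parse_tlv(body):
            if t != 0xE2:                      # REF-AR-DO = one access rule
                continue
            fields = {}
            for t2, v2 in parse_tlv(ref_ar):
                if t2 in (0xE1, 0xE3):         # REF-DO / AR-DO containers
                    fields.update(parse_tlv(v2))
            cert = fields.get(0xC1)            # DeviceAppID-REF-DO (cert hash)
            if cert is not None and len(cert) in (20, 32):   # SHA-1 or SHA-256
                pkg = fields.get(0xCA)         # optional PKG-REF-DO
                rules.append((cert, pkg.decode() if pkg else None, fields.get(0xDB)))
    return rules

def has_carrier_privileges(rules, signing_cert, package):
    """True if a rule's hash matches the app's signing certificate (and package, if bound)."""
    digests = {hashlib.sha1(signing_cert).digest(), hashlib.sha256(signing_cert).digest()}
    return any(c in digests and (p is None or p == package) for c, p, _ in rules)

def tlv(tag, value):
    """Encode one short-form TLV (sample data only, value under 128 bytes)."""
    return tag.to_bytes(2 if tag > 0xFF else 1, "big") + bytes([len(value)]) + value

# Constructed sample: placeholder bytes stand in for a real DER certificate.
APP_CERT = b"constructed-signing-certificate"
SAMPLE = tlv(0xFF40, tlv(0xE2,
    tlv(0xE1, tlv(0xC1, hashlib.sha1(APP_CERT).digest()))
    + tlv(0xE3, tlv(0xDB, bytes.fromhex("0000000000000001")))))
```

Running `carrier_rules` over the rules read from a SIM lists every certificate hash that can grant an app Carrier Privileges on a phone using that card, which is what to review before handing the card out.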

JulienSrcdImta commented 5 months ago

Ok it's clear, thank you very much for your help! I close the issue. Have a nice day