Analysis of the GSM Power-On Network Camping Procedure
Posted by 知不足而奋进
When the mobile station (MS) powers on, it attempts to contact a PLMN permitted by the SIM card; it then selects a suitable cell and extracts the control channel parameters and other system information from it.
If the MS has no stored BCCH information, it searches all 124 RF channels (a dual-band phone also searches the 374 GSM1800 RF channels), reads the received signal strength on each RF channel and computes the average level. The whole measurement lasts 3 to 5 s, during which at least 5 measurement samples are taken from each RF channel.
The MS tunes to the carrier with the highest received level and determines whether it is a BCCH carrier (by searching for the FCCH burst). If it is, the MS tries to decode the SCH to synchronize with that carrier and reads the system broadcast information on the BCCH. The MS may select the cell only if it decodes the BCCH data correctly, the cell belongs to the selected PLMN, the parameter C1 is greater than 0, the cell is not barred, and the MS's access class is not barred by the cell. Otherwise the MS tunes to the next strongest carrier, and so on, until a usable cell is found.
If the MS stored BCCH carrier information at its last power-off, it first searches the stored BCCH carriers; if none is found it runs the procedure above.
The parameter C1 is the path loss criterion used for cell selection; the serving cell's C1 must be greater than 0. Its formula is:
C1 = RXLEV - RXLEV_ACCESS_MIN - MAX((MS_TXPWR_MAX_CCH - P), 0)   Unit: dBm
where RXLEV is the average level received by the MS, RXLEV_ACCESS_MIN is the minimum received level at which the MS is allowed to access the cell, MS_TXPWR_MAX_CCH is the maximum transmit power level the MS may use when accessing the system, and P is the MS's maximum output power.
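As an added illustration (not code from the original post), here is the C1 criterion and the selection order the text describes, in Python: carriers are tried from strongest to weakest and the first one passing every condition is chosen. The carrier measurements, PLMN ids, access-class values and field names are constructed for the example.

```python
# Added example (not from the original post): the C1 path-loss criterion from the
# text and the cell-selection order it describes (strongest carrier first, skip any
# carrier that fails a condition). All carrier data below is constructed.

def c1(rxlev, rxlev_access_min, ms_txpwr_max_cch, p):
    """C1 = RXLEV - RXLEV_ACCESS_MIN - MAX((MS_TXPWR_MAX_CCH - P), 0).
    RXLEV/RXLEV_ACCESS_MIN are received levels in dBm; MS_TXPWR_MAX_CCH and P are
    the cell's maximum access transmit power and the MS's maximum output power in dBm.
    The MAX term penalises a cell that asks for more uplink power than the MS has."""
    return rxlev - rxlev_access_min - max(ms_txpwr_max_cch - p, 0)

def select_cell(carriers, selected_plmn, ms_access_class, ms_max_power_dbm):
    """Try carriers from strongest to weakest; return the ARFCN of the first cell that
    passes every condition in the text, or None when no cell is usable."""
    for c in sorted(carriers, key=lambda c: c["rxlev"], reverse=True):
        if not c["bcch_decoded"]:
            continue   # no FCCH found, or SCH/BCCH not decoded on this carrier
        if c["plmn"] != selected_plmn:
            continue   # cell belongs to a different PLMN
        if c1(c["rxlev"], c["rxlev_access_min"], c["ms_txpwr_max_cch"], ms_max_power_dbm) <= 0:
            continue   # path-loss criterion not met
        if c["cell_barred"]:
            continue   # cell barred in its system information
        if ms_access_class in c["barred_access_classes"]:
            continue   # this MS's access class is barred in this cell
        return c["arfcn"]
    return None

def _carrier(arfcn, rxlev, plmn="460-00", bcch=True, acc_min=-104, txpwr_max=33,
             barred=False, barred_classes=()):
    """Helper to build a constructed carrier record (hypothetical field names)."""
    return {"arfcn": arfcn, "rxlev": rxlev, "plmn": plmn, "bcch_decoded": bcch,
            "rxlev_access_min": acc_min, "ms_txpwr_max_cch": txpwr_max,
            "cell_barred": barred, "barred_access_classes": set(barred_classes)}

# Constructed measurement list: 588 is strongest but barred; 575 is not a BCCH
# carrier; 571 belongs to another PLMN; 93 is the first usable one; 53 fails C1.
SAMPLE_CARRIERS = [
    _carrier(588, -62, barred=True),
    _carrier(575, -70, bcch=False),
    _carrier(571, -75, plmn="460-01"),
    _carrier(93, -88, barred_classes=(10,)),
    _carrier(53, -100, acc_min=-95),
]

if __name__ == "__main__":
    print("selected ARFCN:", select_cell(SAMPLE_CARRIERS, "460-00", 5, 33))
```

Note that a strong carrier is not enough on its own: with access class 10 the sample list yields no cell at all, because the only remaining candidate (ARFCN 53) has a C1 below zero.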
1.1.1 Power-on frequency scan
For the GSM frequency scan on the Qualcomm platform, searching for "scan" in QXDM turns up the number of channels the phone scanned, the total time the scan took, and how many channels were found in each band.
Power scan threshold:
07:58:59.660 l1_null_if.c 01303 gs1:Power scan threshold set to -107dBm
Scanned channels being added to the channel list:
07:58:59.660 gs1:Adding ARFCN 588 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 575 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 571 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 565 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 560 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 558 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 93 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 91 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 90 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 89 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 88 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 84 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 83 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 81 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 80 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 78 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 76 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 71 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 68 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 62 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 53 (PLMN 460-0) to power scan request (requested PLMN)
Total number of channels found:
07:58:59.660 rr_acq_db.c 01045 gs1:rr_acq_db_populate_pscan_db: found 64 freqs
Scan complete:
07:58:59.838 l1_pscan.c 00907 gs1:Power Scan Complete ...
1.1.2 Location Update Request procedure
After the scan, the terminal works through the scanned channels in order of signal strength: on the strongest channel it first tries to decode the FCCH, synchronize, receive the BCCH and so on, to see whether it can register on that channel's network. On the Qualcomm platform the registration process looks like this:
Decode FCCH:
07:59:00.133 gl1_msg_acq.c gs1:GL1_XO_ACQ: New FCCH Tone Seen: ARFCN=93, RSSI_dBm=-88
Receive SCH to synchronize:
07:59:00.138 gl1_msg_acq.c gs1:GL1_XO_ACQ: SCH success: ARFCN=93 fine_freq=-546Hz afc_freq=2028XO
The phone initiates RACH; the RACH establishment cause is LAU (location update request):
07:59:02.522 rr_conn_establish.c 01565 gs1:StartRA(0x10) for LAU (reason=7)
The phone receives the Immediate Assignment message, meaning the network has prepared an SDCCH dedicated to carrying signalling; the phone will send its signalling messages on this channel:
07:59:02.767 rr_conn_establish.c 02455 gs1:Immediate Assignment (CS) is for mobile
The phone sends a SABM frame to the network to establish the layer-2 link:
07:59:02.777 [91] 0x5AC8 GSM DSDS L2 States
L2 Event = EV_ESTABLISH_REQUEST
The phone receives the UA frame from the network; the layer-2 link is now established:
07:59:02.979 [3F] 0x5AC8 GSM DSDS L2 States
L2 Event = EV_UA_RECEIVED
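An added example (not from the original post) that turns the log lines of sections 1.1.1 and 1.1.2 into a scan summary and a registration timeline. The sample log is a trimmed, constructed copy in the post's layout (the ARFCN list is cut to three entries and the "found" count adjusted to match); the event names and regular expressions are my own choices, not Qualcomm's.

```python
# Added example (not from the original post): parse the Qualcomm GSM L1/RR/L2 log
# lines of sections 1.1.1 and 1.1.2 into a scan summary and a registration timeline.
# SAMPLE_LOG is a constructed, trimmed sample in the same layout as the post's lines.
import re

SAMPLE_LOG = """\
07:58:59.660 l1_null_if.c 01303 gs1:Power scan threshold set to -107dBm
07:58:59.660 gs1:Adding ARFCN 588 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 93 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 gs1:Adding ARFCN 53 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660 rr_acq_db.c 01045 gs1:rr_acq_db_populate_pscan_db: found 3 freqs
07:58:59.838 l1_pscan.c 00907 gs1:Power Scan Complete ...
07:59:00.133 gl1_msg_acq.c gs1:GL1_XO_ACQ: New FCCH Tone Seen: ARFCN=93, RSSI_dBm=-88
07:59:00.138 gl1_msg_acq.c gs1:GL1_XO_ACQ: SCH success: ARFCN=93 fine_freq=-546Hz afc_freq=2028XO
07:59:02.522 rr_conn_establish.c 01565 gs1:StartRA(0x10) for LAU (reason=7)
07:59:02.767 rr_conn_establish.c 02455 gs1:Immediate Assignment (CS) is for mobile
07:59:02.777 [91] 0x5AC8 GSM DSDS L2 States
L2 Event = EV_ESTABLISH_REQUEST
07:59:02.979 [3F] 0x5AC8 GSM DSDS L2 States
L2 Event = EV_UA_RECEIVED
"""

TS_RE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{3})\s+(.*)$")
PATTERNS = [  # (event name, regex over the part of the line after the timestamp)
    ("pscan_threshold", re.compile(r"Power scan threshold set to (-?\d+)dBm")),
    ("pscan_add", re.compile(r"Adding ARFCN (\d+) \(PLMN ([\d-]+)\) to power scan request")),
    ("pscan_found", re.compile(r"found (\d+) freqs")),
    ("pscan_complete", re.compile(r"Power Scan Complete")),
    ("fcch", re.compile(r"New FCCH Tone Seen: ARFCN=(\d+), RSSI_dBm=(-?\d+)")),
    ("sch", re.compile(r"SCH success: ARFCN=(\d+)")),
    ("rach", re.compile(r"StartRA\(0x[0-9A-Fa-f]+\) for (\w+) \(reason=(\d+)\)")),
    ("imm_assign", re.compile(r"Immediate Assignment \(CS\) is for mobile")),
    ("l2_event", re.compile(r"^L2 Event = (\w+)$")),
]

def parse_events(text):
    """Return [(time_ms, event, groups)] in log order. A line without a timestamp
    (the 'L2 Event = ...' continuation) inherits the previous line's timestamp."""
    events, last_ms = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            h, mi, s, ms = (int(x) for x in m.groups()[:4])
            last_ms = ((h * 3600 + mi * 60 + s) * 1000) + ms
            body = m.group(5)
        else:
            body = line
        for name, pat in PATTERNS:
            pm = pat.search(body)
            if pm:
                events.append((last_ms, name, pm.groups()))
                break
    return events

def summarize(events):
    """Scan summary plus registration steps timed relative to the first FCCH detection."""
    s = {"threshold_dbm": None, "arfcns": [], "found": None, "scan_ms": None,
         "camp_arfcn": None, "steps": []}
    scan_start = fcch_ms = None
    for t, name, g in events:
        if name == "pscan_threshold":
            s["threshold_dbm"], scan_start = int(g[0]), t
        elif name == "pscan_add":
            s["arfcns"].append(int(g[0]))
        elif name == "pscan_found":
            s["found"] = int(g[0])
        elif name == "pscan_complete" and scan_start is not None:
            s["scan_ms"] = t - scan_start
        elif name == "fcch":
            fcch_ms = t
            s["steps"].append((f"fcch ARFCN={g[0]} RSSI={g[1]}dBm", 0))
        elif name in ("sch", "rach", "imm_assign", "l2_event") and fcch_ms is not None:
            if name == "sch":
                s["camp_arfcn"] = int(g[0])
                label = f"sch ARFCN={g[0]}"
            elif name == "rach":
                label = f"rach {g[0]}"      # establishment cause, e.g. LAU
            elif name == "l2_event":
                label = f"l2 {g[0]}"
            else:
                label = name
            s["steps"].append((label, t - fcch_ms))
    # the populate_pscan_db count should equal the number of 'Adding ARFCN' lines
    s["count_mismatch"] = s["found"] is not None and s["found"] != len(s["arfcns"])
    return s

if __name__ == "__main__":
    for k, v in summarize(parse_events(SAMPLE_LOG)).items():
        print(f"{k}: {v}")
```

The timeline measures every step from the first FCCH detection, so a slow SCH acquisition or a long gap before StartRA stands out immediately; the count check flags a mismatch between the populate_pscan_db count and the number of Adding ARFCN lines, which on a full log is a quick sanity check before trusting the rest of the scan summary.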
1.1.3 Location update signalling flow
- The MS sends a channel request to the BTS on the air-interface access channel (the message carries the establishment cause "location update");
- The BTS sends a channel required message to the BSC;
- On receiving channel required, the BSC allocates a signalling channel and sends channel activation to the BTS;
- On receiving channel activation, if the channel type is correct, the BTS switches on the power amplifier for the specified channel, starts receiving on the uplink, and sends channel activation acknowledge to the BSC;
- The BSC sends an Immediate Assignment Command to the MS via the BTS;
- The MS sends a SABM frame to access;
- The BTS replies with a UA frame as confirmation;
- The BTS sends an Establishment Indication to the BSC; this message contains the content of the Location Update Request;
- The BSC sets up an SCCP connection on the A interface and sends the Location Update Request to the MSC; the message carries the CGI of the current cell;
- The MSC returns a connection confirm message to the BSC;
- The MSC returns a Location Update Accept to the MS, indicating that the location update succeeded;
- If the network side rejects this location update, it sends a message to the MS;
- If "allocate TMSI on location update" is set to No on the MSC side, the MS does not report a "TMSI Reallocation Complete" message during the location update.
1.1.4 PS registration flow
In the Qualcomm platform logs, for PS registration the terminal first sends an ATTACH REQUEST to the network. The message carries the terminal's TMSI, the old PLMN information, the supported A5 algorithms and some other terminal capability information:
2015 Aug 19 08:27:19.734 UMTS UE OTA -- GMM_ATTACH_REQUEST
After receiving the ATTACH REQUEST, the network sends the terminal an Authentication and Ciphering Request, which carries the random number (RAND) and the authentication parameters sent to the terminal:
2015 Aug 19 08:27:22.093 [3F] 0x713A UMTS UE OTA -- GMM_AUTHENTICATION_AND_CYPHERING_REQUEST
auth_param_rand
rand_val[0] = 82 (0x52)
rand_val[1] = 160 (0xa0)
rand_val[2] = 214 (0xd6)
rand_val[3] = 173 (0xad)
rand_val[4] = 88 (0x58)
rand_val[5] = 52 (0x34)
rand_val[6] = 78 (0x4e)
rand_val[7] = 79 (0x4f)
rand_val[8] = 99 (0x63)
rand_val[9] = 61 (0x3d)
rand_val[10] = 206 (0xce)
rand_val[11] = 143 (0x8f)
rand_val[12] = 231 (0xe7)
rand_val[13] = 209 (0xd1)
rand_val[14] = 245 (0xf5)
rand_val[15] = 130 (0x82)
key_sequence = 2 (0x2)
auth_param_autn_incl = 1 (0x1)
auth_param_autn
autn_len = 16 (0x10)
autn[0] = 238 (0xee)
autn[1] = 125 (0x7d)
autn[2] = 70 (0x46)
autn[3] = 173 (0xad)
autn[4] = 235 (0xeb)
autn[5] = 151 (0x97)
autn[6] = 0 (0x0)
autn[7] = 0 (0x0)
autn[8] = 98 (0x62)
autn[9] = 74 (0x4a)
autn[10] = 121 (0x79)
autn[11] = 137 (0x89)
autn[12] = 240 (0xf0)
autn[13] = 98 (0x62)
autn[14] = 89 (0x59)
autn[15] = 201 (0xc9)
After receiving the random number and the authentication parameter, the terminal runs the subscriber key KI on the SIM card and the random number RAND through the A3 algorithm to produce a 32-bit response; it then returns that response together with the IMEI to the network in the authentication response:
2015 Aug 19 08:27:22.264 [C0] 0x713A UMTS UE OTA -- GMM_AUTHENTICATION_AND_CYPHERING_RESPONSE
imeisv
ident_type = 3 (0x3)
odd_even_ind = 0 (0x0)
num_ident = 17 (0x11)
ident[0] = 8 (0x8)
ident[1] = 6 (0x6)
ident[2] = 6 (0x6)
ident[3] = 2 (0x2)
ident[4] = 8 (0x8)
ident[5] = 8 (0x8)
ident[6] = 0 (0x0)
ident[7] = 2 (0x2)
ident[8] = 0 (0x0)
ident[9] = 0 (0x0)
ident[10] = 0 (0x0)
ident[11] = 1 (0x1)
ident[12] = 1 (0x1)
ident[13] = 8 (0x8)
ident[14] = 0 (0x0)
ident[15] = 0 (0x0)
ident[16] = 15 (0xf)
resp_len = 4 (0x4)
resp[0] = 145 (0x91)
resp[1] = 93 (0x5d)
resp[2] = 139 (0x8b)
resp[3] = 41 (0x29)
The terminal sends ATTACH COMPLETE to the network, indicating that the attach is complete.
2015 Aug 19 08:27:25.561 [57] 0x713A UMTS UE OTA -- GMM_ATTACH_COMPLETE
gprs_mob_man_prot
GMM_ATTACH_COMPLETE
inter_rat_handover_info_incl = 0 (0x0)
eutran_inter_rat_info_incl = 0 (0x0)
After receiving the IMEI and the response, the network compares the response with the one computed on the network side; if they match, authentication passes and the network sends the terminal an ATTACH ACCEPT carrying the routing area ID, the LAC, the TMSI and other information.
2015 Aug 19 08:27:25.561 [24] 0x713A UMTS UE OTA -- GMM_ATTACH_ACCEPT
routing_area_id
mcc_1 = 4 (0x4)
mcc_2 = 6 (0x6)
mcc_3 = 0 (0x0)
mnc_3 = 15 (0xf)
mnc_1 = 0 (0x0)
mnc_2 = 0 (0x0)
lac = 37333 (0x91d5)
p_tmsi_sig
num_tmsi_ident = 4 (0x4)
tmsi_ident[0] = 230 (0xe6)
tmsi_ident[1] = 219 (0xdb)
tmsi_ident[2] = 176 (0xb0)
tmsi_ident[3] = 2 (0x2)
The terminal sends the network an ACTIVATE PDP CONTEXT REQUEST carrying the NSAPI, the PDP type, the APN and related fields.
2015 Aug 19 08:27:31.174 UMTS UE OTA -- SM_ACTIVATE_PDP_CONTEXT_REQUEST
SM_ACTIVATE_PDP_CONTEXT_REQUEST
req_nsapi
nsapi_value = 5 (0x5)
req_pdp_addr
len_pdp_address = 2 (0x2)
pdp_type_org = 1 (0x1)
pdp_type_num = 33 (0x21)
acc_pt
num_acc_pt_val = 6 (0x6)
acc_pt_name_val[0] = 5 (0x5) (length)
acc_pt_name_val[1] = 99 (0x63) (c)
acc_pt_name_val[2] = 109 (0x6d) (m)
acc_pt_name_val[3] = 110 (0x6e) (n)
acc_pt_name_val[4] = 101 (0x65) (e)
acc_pt_name_val[5] = 116 (0x74) (t)
After receiving the ACTIVATE PDP CONTEXT REQUEST, the network validates the PDP type, PDP address and APN supplied by the terminal against the subscribed PDP context record. Once validation is complete, the network sends the terminal an ACTIVATE PDP CONTEXT ACCEPT carrying the PDP type, the PDP address, the PAP acknowledgement and related fields.
2015 Aug 19 08:27:32.411 UMTS UE OTA -- SM_ACTIVATE_PDP_CONTEXT_ACCEPT
SM_ACTIVATE_PDP_CONTEXT_ACCEPT
pdp_addr
pdp_type_org = 1 (0x1)
pdp_type_num = 33 (0x21)
addr_info[0] = 10 (0xa)
addr_info[1] = 226 (0xe2)
addr_info[2] = 209 (0xd1)
addr_info[3] = 243 (0xf3)
pap_prot
rfc1334_pap_auth_ack
msg_len = 9 (0x9)
message[0] = 87 (0x57)
message[1] = 101 (0x65)
message[2] = 108 (0x6c)
message[3] = 99 (0x63)
message[4] = 111 (0x6f)
message[5] = 109 (0x6d)
message[6] = 101 (0x65)
message[7] = 33 (0x21)
message[8] = 10 (0xa)
At this point the terminal can start using data services.
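An added example (not part of the original post) that decodes the QXDM OTA field dumps of this section: the RAND/AUTN challenge, the IMEISV and RES in the response, the routing area and P-TMSI in ATTACH ACCEPT, and the APN, PDP type, PDP address and PAP acknowledgement in the PDP context messages. The sample dumps are constructed in the same "name[i] = dec (0xhex)" layout; every identifier value (RAND, AUTN, IMEISV, RES, LAC, P-TMSI, PDP address) is made up, while the APN and PDP type values mirror the ones shown above. One observation the dump itself supports: auth_param_autn_incl = 1 means the request carries an AUTN, which is the UMTS AKA form of the challenge; the decoder treats RAND, AUTN and the response as opaque bytes either way.

```python
# Added example (not from the original post): a small decoder for the QXDM "UMTS UE OTA"
# field dumps shown in section 1.1.4. Sample dumps below are constructed in the same
# "name[i] = dec (0xhex)" layout; all identifier values (RAND, AUTN, IMEISV, RES,
# LAC, P-TMSI, PDP address) are made up and do not come from the post.
import re

FIELD_RE = re.compile(r"^\s*([A-Za-z_]\w*)(?:\[(\d+)\])?\s*=\s*(\d+)\s*\(0x[0-9a-fA-F]+\)")

def parse_dump(text):
    """Flatten one OTA dump into {field: int} plus {field: [int, ...]} for indexed fields.
    Group headers such as 'auth_param_rand' carry no value and are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        name, idx, val = m.group(1), m.group(2), int(m.group(3))
        if idx is None:
            fields[name] = val
        else:
            fields.setdefault(name, []).append(val)   # QXDM prints indices in ascending order
    return fields

def bcd_digits(nibbles):
    """IMEI/IMEISV digits are BCD nibbles; 0xF is the filler nibble and is dropped."""
    return "".join(str(n) for n in nibbles if n != 0xF)

def plmn_id(f):
    """MCC is always 3 digits; mnc_3 == 0xF means a 2-digit MNC."""
    mcc = f"{f['mcc_1']}{f['mcc_2']}{f['mcc_3']}"
    mnc = f"{f['mnc_1']}{f['mnc_2']}" + ("" if f["mnc_3"] == 0xF else str(f["mnc_3"]))
    return f"{mcc}-{mnc}"

def apn_labels(vals):
    """APN is a sequence of length-prefixed labels, joined with dots (e.g. 5 'c' 'm' 'n' 'e' 't')."""
    labels, i = [], 0
    while i < len(vals):
        n = vals[i]
        labels.append(bytes(vals[i + 1:i + 1 + n]).decode("ascii"))
        i += 1 + n
    return ".".join(labels)

def pdp_type_name(org, num):
    # organisation 1 = IETF; 0x21 IPv4, 0x57 IPv6, 0x8D IPv4v6 (TS 24.008 PDP address IE)
    if org == 1:
        return {0x21: "IPv4", 0x57: "IPv6", 0x8D: "IPv4v6"}.get(num, f"IETF-0x{num:02x}")
    return f"org{org}-0x{num:02x}"

def decode_auth_request(f):
    return {"rand": bytes(f["rand_val"]).hex(), "cksn": f["key_sequence"],
            "autn": bytes(f["autn"][:f["autn_len"]]).hex() if f.get("auth_param_autn_incl") else None}

def decode_auth_response(f):
    return {"imeisv": bcd_digits(f["ident"][:f["num_ident"]]),
            "res": bytes(f["resp"][:f["resp_len"]]).hex()}

def decode_attach_accept(f):
    return {"plmn": plmn_id(f), "lac": f["lac"],
            "p_tmsi": bytes(f["tmsi_ident"][:f["num_tmsi_ident"]]).hex()}

def decode_pdp_context(f):
    """Works for both the REQUEST (NSAPI, APN) and the ACCEPT (address, PAP ack)."""
    out = {"pdp_type": pdp_type_name(f["pdp_type_org"], f["pdp_type_num"])}
    if "nsapi_value" in f:
        out["nsapi"] = f["nsapi_value"]
    if "acc_pt_name_val" in f:
        out["apn"] = apn_labels(f["acc_pt_name_val"][:f["num_acc_pt_val"]])
    if "addr_info" in f:
        out["pdp_addr"] = ".".join(str(b) for b in f["addr_info"])
    if "message" in f:
        out["pap_ack"] = bytes(f["message"][:f["msg_len"]]).decode("ascii", "replace")
    return out

def _array(name, vals):
    """Render an indexed field in the dump layout (used only to build the constructed samples)."""
    return "\n".join(f"{name}[{i}] = {v} (0x{v:x})" for i, v in enumerate(vals))

# --- constructed sample dumps (all values made up) ---
AUTH_REQ = "auth_param_rand\n" + _array("rand_val", range(16)) + \
    "\nkey_sequence = 2 (0x2)\nauth_param_autn_incl = 1 (0x1)\nauth_param_autn\nautn_len = 16 (0x10)\n" + \
    _array("autn", [0xAA] * 16)
AUTH_RSP = "imeisv\nident_type = 3 (0x3)\nodd_even_ind = 0 (0x0)\nnum_ident = 17 (0x11)\n" + \
    _array("ident", [0, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 0xF]) + \
    "\nresp_len = 4 (0x4)\n" + _array("resp", [0xDE, 0xAD, 0xBE, 0xEF])
ATTACH_ACC = "routing_area_id\nmcc_1 = 4 (0x4)\nmcc_2 = 6 (0x6)\nmcc_3 = 0 (0x0)\nmnc_3 = 15 (0xf)\n" \
    "mnc_1 = 0 (0x0)\nmnc_2 = 0 (0x0)\nlac = 4660 (0x1234)\np_tmsi_sig\nnum_tmsi_ident = 4 (0x4)\n" + \
    _array("tmsi_ident", [0x01, 0x02, 0x03, 0x04])
PDP_REQ = "req_nsapi\nnsapi_value = 5 (0x5)\nreq_pdp_addr\nlen_pdp_address = 2 (0x2)\npdp_type_org = 1 (0x1)\n" \
    "pdp_type_num = 33 (0x21)\nacc_pt\nnum_acc_pt_val = 6 (0x6)\n" + _array("acc_pt_name_val", [5] + list(b"cmnet"))
PDP_ACC = "pdp_addr\npdp_type_org = 1 (0x1)\npdp_type_num = 33 (0x21)\n" + _array("addr_info", [10, 0, 0, 2]) + \
    "\npap_prot\nrfc1334_pap_auth_ack\nmsg_len = 9 (0x9)\n" + _array("message", list(b"Welcome!\n"))

if __name__ == "__main__":
    print(decode_auth_request(parse_dump(AUTH_REQ)))
    print(decode_auth_response(parse_dump(AUTH_RSP)))
    print(decode_attach_accept(parse_dump(ATTACH_ACC)))
    print(decode_pdp_context(parse_dump(PDP_REQ)))
    print(decode_pdp_context(parse_dump(PDP_ACC)))
```

The parser keys on the decimal value and ignores the hex in parentheses, so a dump line with an extra annotation such as "(length)" or "(c)" after the value still parses; the slices by the explicit length fields (autn_len, num_ident, resp_len, msg_len) keep a truncated dump from silently producing a longer identifier than the message actually carried.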