GSM Power-On Network Registration Flow Analysis

Posted by 知不足而奋进


1. GSM Power-On Network Registration Flow Analysis

1.1 Overview of the GSM network registration flow

When the mobile station (MS) is powered on, it tries to contact a PLMN that the SIM card allows. It then selects a suitable cell and reads the control-channel parameters and other system information from it.

If the MS has no stored BCCH information, it scans all 124 RF channels (a dual-band phone also scans the 374 GSM1800 RF channels), measures the received signal strength on each RF channel and computes the average level. The whole measurement takes 3 to 5 s, during which at least 5 measurement samples are taken from each RF channel.

The MS tunes to the carrier with the highest received level and checks whether it is a BCCH carrier (by searching for the FCCH burst). If it is, the MS tries to decode the SCH to synchronize to that carrier and then reads the system information broadcast on the BCCH. The MS may select the cell only if it decodes the BCCH data correctly, the cell belongs to the selected PLMN, the parameter C1 is greater than 0, the cell is not barred, and the MS's access class is not barred by that cell. Otherwise the MS tunes to the next-strongest carrier, and repeats this until it finds a usable cell.

If the MS stored BCCH carrier information when it was last powered off, it first searches the stored BCCH carriers; if none is found, it performs the procedure above.

The parameter C1 is the path-loss criterion used for cell selection. The serving cell must have C1 greater than 0; the formula is:

C1 = RXLEV - RXLEV_ACCESS_MIN - MAX((MS_TXPWR_MAX_CCH - P), 0)  unit: dBm

where RXLEV is the average received level measured by the MS; RXLEV_ACCESS_MIN is the minimum received level at which the MS is allowed to access the cell; MS_TXPWR_MAX_CCH is the maximum transmit power level the MS may use when accessing the system; and P is the maximum output power of the MS.
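As an added worked example (not part of the original post), the C1 criterion and the selection rules above applied to a constructed list of scanned carriers. The carrier levels, RXLEV_ACCESS_MIN and MS_TXPWR_MAX_CCH values are assumptions; ARFCN 93 at -88 dBm is borrowed from the FCCH log line later in the post.

```python
from dataclasses import dataclass, field

@dataclass
class Carrier:
    """One BCCH carrier as read after the power scan (constructed values)."""
    arfcn: int
    rxlev: int                      # RXLEV: average received level, dBm
    plmn: str                       # PLMN read from the BCCH, "MCC-MNC"
    rxlev_access_min: int           # RXLEV_ACCESS_MIN broadcast by the cell, dBm
    ms_txpwr_max_cch: int           # MS_TXPWR_MAX_CCH broadcast by the cell, dBm
    barred: bool = False            # cell barred for access
    barred_classes: frozenset = field(default_factory=frozenset)

def c1(rxlev, rxlev_access_min, ms_txpwr_max_cch, p):
    """C1 = RXLEV - RXLEV_ACCESS_MIN - MAX((MS_TXPWR_MAX_CCH - P), 0)."""
    return rxlev - rxlev_access_min - max(ms_txpwr_max_cch - p, 0)

def select_cell(carriers, wanted_plmn, p, access_class):
    """Try carriers strongest first; return the first that passes every check."""
    for cell in sorted(carriers, key=lambda c: c.rxlev, reverse=True):
        if cell.plmn != wanted_plmn:
            continue        # wrong PLMN
        if c1(cell.rxlev, cell.rxlev_access_min, cell.ms_txpwr_max_cch, p) <= 0:
            continue        # path-loss criterion fails
        if cell.barred or access_class in cell.barred_classes:
            continue        # cell barred, or our access class barred
        return cell
    return None             # no suitable cell: keep searching / limited service

# Constructed scan result: ARFCN 93 at -88 dBm mirrors the FCCH line in the post.
SCAN = [
    Carrier(588, -80, "460-0", -104, 33, barred=True),
    Carrier(575, -84, "460-1", -104, 33),
    Carrier(571, -86, "460-0", -80, 33),         # C1 = -6, too weak for access
    Carrier(93, -88, "460-0", -104, 33),
    Carrier(53, -95, "460-0", -104, 33, barred_classes=frozenset({5})),
]

def chosen_arfcn(carriers=SCAN, p=33, access_class=5):
    cell = select_cell(carriers, "460-0", p, access_class)
    return cell.arfcn if cell else None
```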


1.1.1 Power-on frequency scan

For the GSM frequency scan on the Qualcomm platform, searching for "scan" in QXDM shows how many channels the phone scanned, how long the whole scan took, and how many channels were found in each band.

Scan level threshold:

07:58:59.660   l1_null_if.c  01303  gs1:Power scan threshold set to -107dBm

Adding the channels (ARFCNs) to the power-scan list:

07:58:59.660  gs1:Adding ARFCN 588 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 575 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 571 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 565 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 560 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 558 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 93 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 91 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 90 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 89 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 88 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 84 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 83 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 81 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 80 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 78 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 76 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 71 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 68 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 62 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 53 (PLMN 460-0) to power scan request (requested PLMN)

Total number of channels found:

07:58:59.660  rr_acq_db.c  01045  gs1:rr_acq_db_populate_pscan_db: found 64 freqs

Scan complete:

07:58:59.838   l1_pscan.c  00907  gs1:Power Scan Complete ... 
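An added example (not from the original post) that parses the gs1 lines above: it reads the scan threshold, the ARFCNs requested per PLMN and the total found, and computes the scan time from the first scan line to "Power Scan Complete" (178 ms in this excerpt). The embedded log is a constructed excerpt of the lines quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt of the gs1 lines quoted above (a few of the "Adding ARFCN" lines).
SCAN_LOG = """\
07:58:59.660   l1_null_if.c  01303  gs1:Power scan threshold set to -107dBm
07:58:59.660  gs1:Adding ARFCN 588 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 93 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  gs1:Adding ARFCN 53 (PLMN 460-0) to power scan request (requested PLMN)
07:58:59.660  rr_acq_db.c  01045  gs1:rr_acq_db_populate_pscan_db: found 64 freqs
07:58:59.838   l1_pscan.c  00907  gs1:Power Scan Complete ...
"""

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+.*?gs1:(?P<msg>.*)$")
THRESH_RE = re.compile(r"Power scan threshold set to (-?\d+)dBm")
ADD_RE = re.compile(r"Adding ARFCN (\d+) \(PLMN (\d+-\d+)\)")
FOUND_RE = re.compile(r"found (\d+) freqs")

def parse_power_scan(log_text):
    """Return threshold, ARFCNs requested per PLMN, found count, and start/end times."""
    r = {"threshold_dbm": None, "requested": {}, "found": None, "start": None, "end": None}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a gs1 line: ignore
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        msg = m["msg"]
        if r["start"] is None:
            r["start"] = ts               # first scan-related line
        if (t := THRESH_RE.search(msg)):
            r["threshold_dbm"] = int(t.group(1))
        elif (a := ADD_RE.search(msg)):
            r["requested"].setdefault(a.group(2), []).append(int(a.group(1)))
        elif (f := FOUND_RE.search(msg)):
            r["found"] = int(f.group(1))
        elif "Power Scan Complete" in msg:
            r["end"] = ts
    return r

def scan_duration_ms(r):
    """Milliseconds from the first scan line to 'Power Scan Complete' (None if incomplete)."""
    if r["start"] is None or r["end"] is None:
        return None
    return (r["end"] - r["start"]) // timedelta(milliseconds=1)
```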

1.1.2 Location Update Request procedure

After the scan, the terminal works through the scanned channels in order of signal strength. On the strongest channel it first tries to decode the FCCH, synchronize, receive the BCCH and so on, to see whether it can register on that channel's network. On the Qualcomm platform the registration procedure looks like this:

Decoding the FCCH:

07:59:00.133  gl1_msg_acq.c  gs1:GL1_XO_ACQ: New FCCH Tone Seen: ARFCN=93, RSSI_dBm=-88

Receiving the SCH to synchronize:

07:59:00.138  gl1_msg_acq.c  gs1:GL1_XO_ACQ: SCH success: ARFCN=93 fine_freq=-546Hz afc_freq=2028XO

The phone sends a RACH; the RACH cause is LAU (location update request):

07:59:02.522   rr_conn_establish.c  01565  gs1:StartRA(0x10) for LAU (reason=7)

The phone receives the Immediate Assignment message, meaning the network has prepared an SDCCH (a channel dedicated to carrying signalling) for it; the phone will carry its signalling on this channel:

07:59:02.767 rr_conn_establish.c  02455  gs1:Immediate Assignment (CS) is for mobile

The phone sends a SABM frame to the network to establish the layer 2 link:

07:59:02.777  [91]  0x5AC8  GSM DSDS L2 States

L2 Event = EV_ESTABLISH_REQUEST

The phone receives the UA frame from the network; the layer 2 link is established:

07:59:02.979  [3F]  0x5AC8  GSM DSDS L2 States

L2 Event = EV_UA_RECEIVED

1.1.3 Location update signalling flow

  1. The MS sends a Channel Request to the BTS on the air-interface access channel (the message carries the establishment cause: location update);
  2. The BTS sends a Channel Required message to the BSC;
  3. On receiving Channel Required, the BSC allocates a signalling channel and sends Channel Activation to the BTS;
  4. On receiving Channel Activation, if the channel type is correct, the BTS turns on the power amplifier on the assigned channel, starts receiving on the uplink, and sends Channel Activation Acknowledge to the BSC;
  5. The BSC sends an Immediate Assignment Command to the MS via the BTS;
  6. The MS sends a SABM frame to access the channel;
  7. The BTS replies with a UA frame to confirm;
  8. The BTS sends an Establishment Indication to the BSC; this message carries the contents of the Location Update Request;
  9. The BSC sets up the A-interface SCCP connection and sends the Location Update Request to the MSC; this message carries the CGI of the current cell;
  10. The MSC returns a connection confirm message to the BSC;
  11. The MSC returns a Location Update Accept to the MS, indicating that the location update succeeded;
  12. If the network side rejects this location update, the network side sends a message to the MS;
  13. If the MSC option "allocate TMSI on location update" is set to no, the MS does not report a "TMSI Reallocation Complete" message during the location update.

1.1.4 PS registration flow

In the Qualcomm platform log, for PS registration the terminal first sends an ATTACH REQUEST to the network. This message carries the terminal's TMSI, the old PLMN, the supported A5 algorithms and other terminal capability information:

2015 Aug 19  08:27:19.734  UMTS UE OTA  --  GMM_ATTACH_REQUEST

On receiving the ATTACH REQUEST, the network sends an Authentication and Ciphering Request to the terminal; this message carries the random challenge (RAND) and the authentication parameters sent to the terminal:

2015 Aug 19  08:27:22.093  [3F]  0x713A  UMTS UE OTA  --  GMM_AUTHENTICATION_AND_CYPHERING_REQUEST

      auth_param_rand
        rand_val[0] = 82 (0x52)
        rand_val[1] = 160 (0xa0)
        rand_val[2] = 214 (0xd6)
        rand_val[3] = 173 (0xad)
        rand_val[4] = 88 (0x58)
        rand_val[5] = 52 (0x34)
        rand_val[6] = 78 (0x4e)
        rand_val[7] = 79 (0x4f)
        rand_val[8] = 99 (0x63)
        rand_val[9] = 61 (0x3d)
        rand_val[10] = 206 (0xce)
        rand_val[11] = 143 (0x8f)
        rand_val[12] = 231 (0xe7)
        rand_val[13] = 209 (0xd1)
        rand_val[14] = 245 (0xf5)
        rand_val[15] = 130 (0x82)
        key_sequence = 2 (0x2)
      auth_param_autn_incl = 1 (0x1)
      auth_param_autn
        autn_len = 16 (0x10)
        autn[0] = 238 (0xee)
        autn[1] = 125 (0x7d)
        autn[2] = 70 (0x46)
        autn[3] = 173 (0xad)
        autn[4] = 235 (0xeb)
        autn[5] = 151 (0x97)
        autn[6] = 0 (0x0)
        autn[7] = 0 (0x0)
        autn[8] = 98 (0x62)
        autn[9] = 74 (0x4a)
        autn[10] = 121 (0x79)
        autn[11] = 137 (0x89)
        autn[12] = 240 (0xf0)
        autn[13] = 98 (0x62)
        autn[14] = 89 (0x59)
        autn[15] = 201 (0xc9)

After the terminal receives the random number and the authentication parameters, the subscriber key Ki on the SIM card and the random number RAND are run through the A3 algorithm to produce a 32-bit response; the terminal then returns this response together with the IMEI to the network in the Authentication and Ciphering Response:

2015 Aug 19  08:27:22.264  [C0]  0x713A  UMTS UE OTA  --  GMM_AUTHENTICATION_AND_CYPHERING_RESPONSE
      imeisv
        ident_type = 3 (0x3)
        odd_even_ind = 0 (0x0)
        num_ident = 17 (0x11)
        ident[0] = 8 (0x8)
        ident[1] = 6 (0x6)
        ident[2] = 6 (0x6)
        ident[3] = 2 (0x2)
        ident[4] = 8 (0x8)
        ident[5] = 8 (0x8)
        ident[6] = 0 (0x0)
        ident[7] = 2 (0x2)
        ident[8] = 0 (0x0)
        ident[9] = 0 (0x0)
        ident[10] = 0 (0x0)
        ident[11] = 1 (0x1)
        ident[12] = 1 (0x1)
        ident[13] = 8 (0x8)
        ident[14] = 0 (0x0)
        ident[15] = 0 (0x0)
        ident[16] = 15 (0xf)
        resp_len = 4 (0x4)
        resp[0] = 145 (0x91)
        resp[1] = 93 (0x5d)
        resp[2] = 139 (0x8b)
        resp[3] = 41 (0x29)

The terminal sends ATTACH COMPLETE to the network, indicating that the attach is finished:

2015 Aug 19  08:27:25.561  [57]  0x713A  UMTS UE OTA  --  GMM_ATTACH_COMPLETE
  gprs_mob_man_prot
    GMM_ATTACH_COMPLETE
      inter_rat_handover_info_incl = 0 (0x0)
      eutran_inter_rat_info_incl = 0 (0x0)

When the network receives the IMEI and the response, it compares the response with the one computed on the network side. If they match, authentication passes and the network sends ATTACH ACCEPT to the terminal; this message carries the routing area ID, the LAC, the TMSI and other information:

2015 Aug 19  08:27:25.561  [24]  0x713A  UMTS UE OTA  --  GMM_ATTACH_ACCEPT
      routing_area_id
        mcc_1 = 4 (0x4)
        mcc_2 = 6 (0x6)
        mcc_3 = 0 (0x0)
        mnc_3 = 15 (0xf)
        mnc_1 = 0 (0x0)
        mnc_2 = 0 (0x0)
        lac = 37333 (0x91d5)
      p_tmsi_sig
        num_tmsi_ident = 4 (0x4)
        tmsi_ident[0] = 230 (0xe6)
        tmsi_ident[1] = 219 (0xdb)
        tmsi_ident[2] = 176 (0xb0)
        tmsi_ident[3] = 2 (0x2)

The terminal sends an ACTIVATE PDP CONTEXT REQUEST to the network; this message carries the NSAPI, the PDP type, the APN and so on:

2015 Aug 19  08:27:31.174  UMTS UE OTA  --  SM_ACTIVATE_PDP_CONTEXT_REQUEST
    SM_ACTIVATE_PDP_CONTEXT_REQUEST
      req_nsapi
        nsapi_value = 5 (0x5)
      req_pdp_addr
        len_pdp_address = 2 (0x2)
        pdp_type_org = 1 (0x1)
        pdp_type_num = 33 (0x21)
      acc_pt
        num_acc_pt_val = 6 (0x6)
        acc_pt_name_val[0] = 5 (0x5) (length)
        acc_pt_name_val[1] = 99 (0x63) (c)
        acc_pt_name_val[2] = 109 (0x6d) (m)
        acc_pt_name_val[3] = 110 (0x6e) (n)
        acc_pt_name_val[4] = 101 (0x65) (e)
        acc_pt_name_val[5] = 116 (0x74) (t)

On receiving the ACTIVATE PDP CONTEXT REQUEST, the network checks the PDP type, PDP address and APN supplied by the terminal against the subscriber's PDP context subscription record. Once verification is complete, the network sends ACTIVATE PDP CONTEXT ACCEPT to the terminal; this message carries the PDP type, the PDP address, the PAP acknowledgement and so on:

2015 Aug 19  08:27:32.411  UMTS UE OTA  --  SM_ACTIVATE_PDP_CONTEXT_ACCEPT
    SM_ACTIVATE_PDP_CONTEXT_ACCEPT
      pdp_addr
        pdp_type_org = 1 (0x1)
        pdp_type_num = 33 (0x21)
        addr_info[0] = 10 (0xa)
        addr_info[1] = 226 (0xe2)
        addr_info[2] = 209 (0xd1)
        addr_info[3] = 243 (0xf3)
          pap_prot
            rfc1334_pap_auth_ack
              msg_len = 9 (0x9)
              message[0] = 87 (0x57)
              message[1] = 101 (0x65)
              message[2] = 108 (0x6c)
              message[3] = 99 (0x63)
              message[4] = 111 (0x6f)
              message[5] = 109 (0x6d)
              message[6] = 101 (0x65)
              message[7] = 33 (0x21)
              message[8] = 10 (0xa)

At this point the terminal can start using data services.
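An added example (not from the original post) that turns the "name[i] = dec (0xhex)" fields of the dumps above into readable values: the routing area (MCC/MNC/LAC), the P-TMSI, the APN from its length-prefixed labels, and the IPv4 PDP address. The regex works on the dumps exactly as pasted; the embedded samples are the same fields run together on fewer lines to save space.

```python
import re
# Matches "name = dec (0xhex)" and "name[i] = dec (0xhex)" anywhere in a QXDM dump.
FIELD_RE = re.compile(r"([a-z_0-9]+)(?:\[(\d+)\])?\s*=\s*(\d+)\s*\(0x[0-9a-f]+\)")

def parse_fields(dump):
    """Scalars become ints; indexed fields name[i] become bytes in index order."""
    scalars, arrays = {}, {}
    for name, idx, dec in FIELD_RE.findall(dump):
        if idx == "":
            scalars[name] = int(dec)
        else:
            arrays.setdefault(name, {})[int(idx)] = int(dec)
    return scalars, {k: bytes(v[i] for i in sorted(v)) for k, v in arrays.items()}

def decode_rai(s):
    """MCC, MNC and LAC of the routing area; mnc_3 == 0xF marks a 2-digit MNC."""
    mcc = f"{s['mcc_1']}{s['mcc_2']}{s['mcc_3']}"
    mnc = f"{s['mnc_1']}{s['mnc_2']}" + ("" if s["mnc_3"] == 0xF else str(s["mnc_3"]))
    return mcc, mnc, s["lac"]

def decode_apn(raw):
    """APN labels are length-prefixed, DNS style: 05 'cmnet' -> 'cmnet'."""
    labels, i = [], 0
    while i < len(raw):
        labels.append(raw[i + 1:i + 1 + raw[i]].decode("ascii"))
        i += 1 + raw[i]
    return ".".join(labels)

def decode_pdp_addr(s, raw):
    """pdp_type_org 1 with pdp_type_num 0x21 is an IETF IPv4 address."""
    if s["pdp_type_org"] == 1 and s["pdp_type_num"] == 0x21 and len(raw) == 4:
        return ".".join(str(b) for b in raw)
    return raw.hex()  # other PDP types: leave as hex

# Constructed samples: the fields from the dumps above, run together to save space.
ATTACH_ACCEPT = ("mcc_1 = 4 (0x4) mcc_2 = 6 (0x6) mcc_3 = 0 (0x0) mnc_3 = 15 (0xf) "
                 "mnc_1 = 0 (0x0) mnc_2 = 0 (0x0) lac = 37333 (0x91d5) tmsi_ident[0] = 230 (0xe6) "
                 "tmsi_ident[1] = 219 (0xdb) tmsi_ident[2] = 176 (0xb0) tmsi_ident[3] = 2 (0x2)")
PDP_REQUEST = ("acc_pt_name_val[0] = 5 (0x5) (length) acc_pt_name_val[1] = 99 (0x63) (c) "
               "acc_pt_name_val[2] = 109 (0x6d) (m) acc_pt_name_val[3] = 110 (0x6e) (n) "
               "acc_pt_name_val[4] = 101 (0x65) (e) acc_pt_name_val[5] = 116 (0x74) (t)")
PDP_ACCEPT = ("pdp_type_org = 1 (0x1) pdp_type_num = 33 (0x21) addr_info[0] = 10 (0xa) "
              "addr_info[1] = 226 (0xe2) addr_info[2] = 209 (0xd1) addr_info[3] = 243 (0xf3)")

def decode_session(attach=ATTACH_ACCEPT, req=PDP_REQUEST, acc=PDP_ACCEPT):
    s1, a1 = parse_fields(attach)
    s3, a3 = parse_fields(acc)
    return {"rai": decode_rai(s1), "p_tmsi": a1["tmsi_ident"].hex(),
            "apn": decode_apn(parse_fields(req)[1]["acc_pt_name_val"]),
            "pdp_addr": decode_pdp_addr(s3, a3["addr_info"])}
```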
