5G Private Network Camping Failure Analysis (Invalid SUCI)

Time: 2024-05-31 16:51:55

SUCI

When a 5G UE camps on a network for the first time, the 5GS mobile identity carried in the Registration request must be of type SUCI.
The message is specified in the 5G NAS specification, 3GPP TS 24.501, 8.2.6 Registration request.


The SUCI format is specified in 3GPP TS 24.501, 9.11.3.4 5GS mobile identity.

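According to the specification, a registration message that carries a SUCI contains a Routing indicator field. It is two bytes long and holds digit1 to digit4. The value is stored starting from digit1, and any trailing digit that is not used is set to FF.
For example, as in NOTE 2 of the specification, if the Routing Indicator has 3 digits, then digit1, digit2 and digit3 hold the Routing Indicator value and digit4 must be filled with FF.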

When registration carries the SUCI

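When the UE registers, if it has both a 5G-GUTI and a SUCI, the Registration request uses the 5G-GUTI; otherwise it uses the SUCI. It must never use the SUPI: for privacy and security, the SUPI must not be sent over the 5G air interface.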

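The 3GPP 5G procedures specification, TS 23.502, 4.2.2.2.2 General Registration, describes the registration procedure as follows.
The order is GUTI first, either mapped or native; only when neither is available is the SUCI used.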

In the open-source UERANSIM code, see the sendRegistration function in MmRegistration.java.

Log analysis

On a certain 5G private network the UE can find the network, but it does not send a Registration Request to register with it.

First, analyze the network's SIB messages:

00:47:04.546945 RRC/HighFreq/High/NR5GRRC [nr5g_rrc_sib.c    1792] Sending NR5G_CPHY_SIB_SCHED_REQ. sibs_to_acq_curr - 0x0, sibs_to_acq_next - 0x0
00:47:04.547088 RRC/HighFreq/High/NR5GRRC [nr5g_rrc_meas.c  18428]  DL carrier freq : 7880, scs : 1, mtc_periodicity : 0, priority : 0, band : 77
// The following log shows that dl_CarrierFreq in the SIB4 message is misconfigured
00:47:04.547223 RRC/HighFreq/High/NR5GRRC [nr5g_rrc_meas.c  17445] SIB4 omitted, dl_CarrierFreq 7880 msimatch valid band, skip
00:47:04.547233 RRC/HighFreq/High/NR5GRRC [nr5g_rrc_meas.c  18043] MEAS:Eutra carrierFreq = 40890, not supported

The dl-CarrierFreq 7880 sent by the network is not a valid frequency point for freqBandIndicatorNR 77.
3GPP TS 38.101-1, Table 5.4.2.3-1: Applicable NR-ARFCN per operating band, lists the downlink frequency range of each band, and 7880 is not within the downlink range.

The SIB4 fields are as follows:

 sib4 : 
                {
                  interFreqCarrierFreqList 
                  {
                    {
                      dl-CarrierFreq 7880,
                      frequencyBandList 
                      {
                        {
                          freqBandIndicatorNR 77
                        }
                      },
                      ssbSubcarrierSpacing kHz30,
                      deriveSSB-IndexFromCell TRUE,
                      q-RxLevMin -60,
                      t-ReselectionNR 1,
                      threshX-HighP 30,
                      threshX-LowP 22,
                      threshX-Q 
                      {
                        threshX-HighQ 30,
                        threshX-LowQ 22
                      },
                      q-OffsetFreq dB-20
                    }
                  }
                }

However, interFreqCarrierFreqList holds parameters for NR inter-frequency reselection. It should not stop the UE from even sending a registration message.

The UE did exit the NR5G module at around the same time. We need to find out where NR5G_RRC_DEACTIVATE_REQ and NR5G_RRC_STACK_DEACTIVATE_REQI were sent from.

00:47:04.557373   RRC/HighFreq/High/NR5GRRC   [    nr5g_rrc_csp.c  13854] CSP: Received Deactivate request NR5G_RRC_DEACTIVATE_REQ. Reason : 0
00:47:04.558346   RRC/HighFreq/High/NR5GRRC   [ nr5g_rrc_stackmgr.c   3494] RRCSM: Received NR5G_RRC_STACK_DEACTIVATE_REQI, at state 5, stop_cause 0, scen 17

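Judging from the UE logs and the network signalling, there is no obvious error in the network's SIB that would stop the UE from registering.
So we need to check the UE's upper-layer NAS module to see whether it sent a command to leave 5G.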

Checking the upper-layer protocol logs

// Here the UE has successfully found the 5G network
00:47:04.486137 MM/HighFreq/High/REG [ reg_send.c    510] DS: SUB 0 =REG= CM_CAMPED_IND PLMN (XXX - XXX) Primary PLMN (XXX - XXX)
00:47:04.486170 MMODE/STRM/High/CM   [ cmregprx.c  13148] NAS->CMREG: sub 0 stk 0, CM_CAMPED_IND
00:47:04.550872 MM/HighFreq/High/REG [ reg_mode.c   9558] DS: SUB 0 =REG= Home MCC = XXX Home MNC = XXX
00:47:04.554016 MM/LowFreq/High/REG  [         reg_state.c   2973] DS: SUB 0 =REG= CM_SERVICE_REQ Scan Scope type=0 network_selection_mode 2 Additional_info=0 RAT Enabled BM = 0x1000, BST BM = 0x1000
00:47:04.554304 MM/LowFreq/High/REG  [ reg_send.c    856] DS: SUB 0 =REG= CM_SERVICE_CNF scan_status:1 msg.service_state.service_status: 1
00:47:04.554305 MM/LowFreq/High/REG  [ reg_send.c    880] DS: SUB 0 =REG= CM_SERVICE_CNF PLMN (XXX - XXX) Primary PLMN (XXX - XXX) blocked_for_no_voice 0
// But for some reason the NAS MM REG module receives CM_STOP_MODE_REQ
00:47:04.557049 MM/LowFreq/High/REG  [         reg_state.c  11751] DS: SUB 0 =REG= CM_STOP_MODE_REQ stop_mode_reason 0
// It is converted into MMR_STOP_MODE_REQ
00:47:04.557155 MM/HighFreq/High/REG [ reg_send.c   2302] DS: SUB 0 =REG= MMR_STOP_MODE_REQ sent trans_id 0x67
// which in turn sends the NR5G_RRC_DEACTIVATE_REQ command to the 5G RRC
00:47:04.557275 MM/LowFreq/High/MM   [       mm5g_rrc_if.c    434] DS: SUB 0 =MM5G= Sending NR5G_RRC_DEACTIVATE_REQ with reason = 0
00:47:04.557350 MM/HighFreq/High/SM  [sm5g_process_pdu_procedure.c   1805] DS: SUB 0 SM5G: NAS_MM5G_DETACH_IND Received,

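Looking further up the log, the card module raises MMGSDI_SESSION_ILLEGAL_SUBSCRIPTION_EVT, which makes CM report CM_PH_CMD_SUBSCRIPTION_NOT_AVAILABLE, i.e. the card is invalid. The UE then leaves the 5G camping procedure.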

00:47:04.550000 MM/HighFreq/High/MM [mm_multimode_handler.c   5456] DS: SUB 0 =EMM= Moving to DEREGISTERED STATE, Update EPS security_context...
00:47:04.550146 MMODE/STRM/High/CM  [ cmmmgsdi.c   5559] UIM->CM: MMGSDI_SESSION_ILLEGAL_SUBSCRIPTION_EVT, session-id 103
00:47:04.550170 MM/HighFreq/High/SM [sm5g_process_pdu_procedure.c   1805] DS: SUB 0 SM5G: NAS_MM5G_DETACH_IND Received,
00:47:04.550179 MMODE/DEBUG/Low/CM  [       cm.c   9886] ->CM: phcmd 8: CM_PH_CMD_SUBSCRIPTION_NOT_AVAILABLE, cdma 1, gwl 0 sub 0, curr 5, true 5, active_subs 1, is_msim 1

00:47:04.550589 MMODE/STRM/High/CM  [     cmph.c  19463] PH_PROC: sub 0, CM_PH_CMD_SUBSCRIPTION_NOT_AVAILABLE is being processed cause:0, 5 1 0 0
00:47:04.550593 MMODE/STRM/High/CM  [     cmph.c  19473] SUBSCRIPTION_NOT_AVAILABLE sub_asub_id 0  1x_sub 0
00:47:04.550599 MMODE/STRM/High/CM  [     cmph.c  19554] SUBSC_NOT_AVAIL: sess_type 0 app_type 3
00:47:04.550702 MM/HighFreq/High/REG [         reg_state.c  13082] DS: SUB 0 =REG= LIMITED_SERVICE on HPLMN(XXX-XXX)
00:47:04.550760 MM/LowFreq/High/REG [ reg_send.c    880] DS: SUB 0 =REG= CM_SERVICE_CNF PLMN ( XXX- XXX) Primary PLMN (XXX - XXX) blocked_for_no_voice 0
00:47:04.552409 MMODE/STRM/High/CM  [     mmoc.c   5778] MMOC->PROT: DEACT_REQ to ACTIVE protocol: 5, reason: 6, sub 0 stk 0, insanity_count 0, ps_enabled 1
00:47:04.552414 MMODE/DEBUG/Low/CM  [  mmocdbg.c   1091] After event was processed: Curr_trans 1(SUBSC_CHGD), Trans_state 2(WAIT_DEACTD_CNF)
00:47:04.556994 MMODE/STRM/High/CM  [ cmregprx.c   4772] CMREG->NAS: sub 0 stk 0, Send STOP_MODE_REQ, reason=0
00:47:04.557017 MMODE/DEBUG/Low/CM  [      cmregprx_dbg.c    302] MMOC->CMREG: PROT_CMD_DEACTIVATE:trans_id 89 Reason 6, sub 0 stk 0
00:47:04.557049 MM/LowFreq/High/REG [         reg_state.c  11751] DS: SUB 0 =REG= CM_STOP_MODE_REQ stop_mode_reason 0
00:47:04.557155 MM/HighFreq/High/REG    [ reg_send.c   2302] DS: SUB 0 =REG= MMR_STOP_MODE_REQ sent trans_id 0x67

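Where did the card procedure go wrong?
The log below shows that the UE, registering for the first time, enters the procedure for sending a Registration Request to the network:
Start registration procedure, reg type = 1,
Because this is the first registration, the UE has no GUTI and has to send a SUCI to the network. It therefore asks the card to generate the SUCI: SUCI generation request sent to MMGSDI.
However, the routing indicator in the SUCI returned by the card is wrong: digit1 = 15, digit2 = 1, digit3 = 15, digit4 = 15.
Per the specification, 15 is FF, meaning not used. For example, if the routing indicator has 3 digits, digit1, digit2 and digit3 are non-FF values and digit4 is FF. But the card returned digit1 = 15, digit2 = 1. digit1 cannot be unused while digit2 holds a valid value, so the routing indicator check fails and the log prints SUCI parsing failed.
Without a SUCI the UE cannot register, and so it cannot camp on the network.

At this point the problem is fairly clear: the private-network card is faulty. The routing indicator in the SUCI it generates is invalid, so the UE cannot send a registration message and ends up with no network service.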

00:47:04.486137 MM/HighFreq/High/REG [ reg_send.c    510] DS: SUB 0 =REG= CM_CAMPED_IND PLMN (xxx - XXX) Primary PLMN (XXX- XXX)
00:47:04.486139 MM/HighFreq/High/MM  [mm5g_registration_handler.c   1103] DS: SUB 0 =MM5G= Start registration procedure, reg type = 1, reset_attempt_counter = 1, attempt counter = 0, REG Cause BM = 0x0 CS-For = 0
00:47:04.486157 MM/HighFreq/High/REG [         reg_state.c   1461] DS: SUB 0 =REG= sent message MS: 48   MSG_ID: 0
00:47:04.486236 MM/HighFreq/High/MM  [     mm5g_security.c   6788] DS: SUB 0 =MM5G= SUCI generation request sent to MMGSDI
00:47:04.549614 MM/HighFreq/High/MM  [     mm5g_security.c   7072] DS: SUB 0 =MM5G= Received SIM_MM_USIM_GET_SUCI_CNF, SUCI data len 53
00:47:04.549617 MM/HighFreq/Error/MM [     mm5g_security.c   6988] DS: SUB 0 =MM5G= MMGSDI returned incorrect routing inddigit1 = 15, digit2 = 1, digit3 = 15, digit4 = 15
00:47:04.549620 MM/HighFreq/Error/MM [     mm5g_security.c   7087] DS: SUB 0 =MM5G= MMGSDI returned status 0 in GET_SUCI_CNF or SUCI parsing failed



00:47:04.549961 User Identity Module/High [  mmgsdisessionlib.c   6123] mmgsdi_session_manage_illegal_subscription0
00:47:04.549969 User Identity Module/High [  mmgsdisessionlib.c   6172] Queue of MMGSDI command: MMGSDI_SESSION_MANAGE_ILLEGAL_SUBSCRIPTION_REQ status 0x00
00:47:04.549996 User Identity Module/High [        mmgsdi_gen.c   2017] Application for session 72 is MARKED AS ILLEGAL BY REQUEST0
00:47:04.550070 User Identity Module/High [  qmi_uim.c  18401] qmi_uim_process_manage_illegal_card_evt with legal_status as 0x10



Meaning of the Routing Indicator

The Routing Indicator is a field of the SUCI.
TS 23.502, 4.2.2.2.2 General Registration, points to TS 33.501 5GS Architecture, which says:
Routing Indicator: An indicator defined in TS 23.003 [19] that can be used for AUSF or UDM selection.
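That is, the Routing Indicator is used by the AMF during registration to select the AUSF or UDM. The AUSF or UDM stores the UE's registration and binding information.
TS 23.003-i50, Numbering, addressing and identification, defines it in detail: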
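That is, the Routing Indicator consists of 1 to 4 decimal digits assigned by the home network operator and provisioned in the USIM. Together with the Home Network Identifier, it allows network signalling that contains the SUCI to be routed to AUSF and UDM instances capable of serving the subscriber.
Each decimal digit in the Routing Indicator is significant (for example, the value "012" is different from the value "12"). If no Routing Indicator is configured on the USIM or the ME, this data field shall be set to the value 0 (i.e. a single decimal digit "0", that is 0FFF).
In this case the card returned Routing Indicator digit1 = 15, digit2 = 1, digit3 = 15, digit4 = 15, i.e. F1FF. Per TS 24.501, only unused higher-order digits may be 15 (FF). So the card should have returned digit1 = 1, digit2 = 15, digit3 = 15, digit4 = 15.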

If the card does not specify an AUSF and UDM, it should return digit1 = 0, digit2 = 15, digit3 = 15, digit4 = 15.
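
The digit rule described in this article, as an added example (not code from the modem or from the original post): it validates digit1 to digit4 exactly as the log prints them (15 = unused), encodes a Routing Indicator string back into four digits, and runs the check on the error line from the trace above. The function names are hypothetical, and the modem's own check is not shown on the page.

```python
import re

UNUSED = 0xF  # filler for an unused digit; the log prints it as 15

def validate_routing_indicator(digits):
    """digits = [digit1..digit4] as logged; return the RI string or raise ValueError."""
    if len(digits) != 4:
        raise ValueError("expected exactly 4 digits")
    value, seen_unused = "", False
    for pos, d in enumerate(digits, start=1):
        if d == UNUSED:
            seen_unused = True
        elif not 0 <= d <= 9:
            raise ValueError(f"digit{pos}={d} is neither a decimal digit nor filler")
        elif seen_unused:
            # A used digit after a filler: the case this article hit.
            raise ValueError(f"digit{pos}={d} follows an unused digit")
        else:
            value += str(d)
    if not value:
        raise ValueError("digit1 is unused: at least one digit is required")
    return value  # leading zeros are significant: "012" != "12"

def encode_routing_indicator(value):
    """Inverse mapping: '012' -> [0, 1, 2, 15]; an unconfigured RI is '0'."""
    if not re.fullmatch(r"[0-9]{1,4}", value):
        raise ValueError("Routing Indicator must be 1 to 4 decimal digits")
    return [int(c) for c in value] + [UNUSED] * (4 - len(value))

DIGITS_RE = re.compile(r"digit1 = (\d+), digit2 = (\d+), digit3 = (\d+), digit4 = (\d+)")

def check_log_line(line):
    """Return (digits, routing_indicator, error) for a matching line, else None."""
    m = DIGITS_RE.search(line)
    if not m:
        return None
    digits = [int(g) for g in m.groups()]
    try:
        return digits, validate_routing_indicator(digits), None
    except ValueError as exc:
        return digits, None, str(exc)

# Error line copied from the trace in this article.
LINE = ("00:47:04.549617 MM/HighFreq/Error/MM [     mm5g_security.c   6988] DS: SUB 0 =MM5G= "
        "MMGSDI returned incorrect routing inddigit1 = 15, digit2 = 1, digit3 = 15, digit4 = 15")

if __name__ == "__main__":
    print(check_log_line(LINE))
```
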