Debugging a GSM issue

It all starts with a bug report:

Bug analysis:
When the phone does not find our network, it will automatically try to roam to other public networks. When registering to Vodafone, the network will reject the location update request with reject cause "IMSI unknown in HLR" (because it doesn’t know our SIM card and does not have roaming agreements with us). This prevents the phone from registering to any other network again, including ours, until the phone is restarted.

Permanent solution:
Add Vodafone (and other networks) in the Forbidden PLMN list on the SIM card, preventing the phone from registering to these networks.

Reading specifications

This behaviour is actually defined in the 3GPP specification (24.008):

Useful links:

T3245

T3245 triggers cell reselection after 12-24 hours, even after being "banned".

This can be very useful for large fixed appliances you can’t reboot easily (e.g. vending machines).

31.102 is a SIM specification.

T3245 is configured in an optional field, in an optional file, not settable by the user, and disabled by default.

I only checked a few cards, but haven’t seen it in use.

But there is an additional case: 4.1.1.6a.

T3247

If T3245 is not used, start T3247, which retriggers the location update request after 30-60 minutes (only if the reject is not integrity protected, i.e. not authenticated).

24.008 v14.7.0 (2018-04)

24.008 v10.7.0 (2012-07)

24.008 changelog

3GPP specification versioning

3GPP specifications:

I wrote a small script trying to add revision control on the specifications.

The script is available at https://cgit.osmocom.org/3grr

Result:

$ git log -S4.1.1.6A ftp.3gpp.org/Specs/archive/24_series/24.008/24.008.txt
commit 46821ca886db5a7be563e9bb2f5d6b9b7e921001 (tag: 24.008v13.5.0)
Author: 3GPP revision control script <>
Date:   Tue Apr 17 18:03:27 2018 +0200

    24.008 version 13.4.0 (2015-12) -> 13.5.0 (2016-03)

Tip: use git bisect to find more complicated changes.

$ git diff 46821c^ 46821c

+4.1.1.6A
+Specific requirements for the MS when receiving non-integrity proctected reject messages
+This subclause specifies the requirements for an MS that is not configured to use timer T3245 (see 3GPP TS 24.368 [135] or 3GPP TS 31.102 [112]) and receives a LOCATION UPDATING REJECT, CM SERVICE REJECT, ABORT, ATTACH REJECT, ROUTING AREA UPDATE REJECT or SERVICE REJECT message without integrity protection.
+NOTE 1:
+Additional MS requirements for this case and requirements for the case when the MS receives a successfully integrity checked reject message are specified in subclauses 4.4.4.7, 4.5.1.1, 4.7.3.1.4, 4.7.3.2.4, 4.7.5.1.4, 4.7.5.2.4 and 4.7.13.4.
+

This shows all changes for the version, and reveals that T3247 is also used in other procedures (authentication reject, …).

24.008 v13.5.0 release notes

24.008 - CR2927 information

CR2927 - change request overview

CR2927 - change request structure

Further information:

CR2927 - diff

CR2927 - message

CR2927 - history

To search for specifications, change requests, …: https://portal.3gpp.org/

CR2927 - tree

There is a machine readable (Microsoft database) CR database: ftp://ftp.3gpp.org/Information/Databases/Change_Request/CR-data.zip

Online tool to search through the CR database: https://netovate.com/cr-search/

CP-160085 - CR pack

Conclusion

The 3GPP has a well-thought-out versioning system, but it is done by and for humans.

It’s possible to make it machine readable, but my experience with versioning the specification documents shows it’s full of human errors and exceptions.

Disclaimer:
I am not participating in the 3GPP discussions and never went to a meeting. This is just what I learnt by looking at it from the outside.

To come back to our initial bug report:
T3247 mitigates the location update reject from other networks. Since Vodafone does not have the key material for our SIM cards, they can’t add integrity protection to the location update reject message, thus T3247 will cause the phone to try to re-register after 30-60 minutes. This only applies if the phone supports release 13.5.0 and/or this feature.
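
The retry behaviour described above, as a simplified Python model (an added example, not code from this talk or from a 3GPP specification). The timer ranges are the ones quoted on this page; the function names, the parameters and the rule that every retry made while the home network is still down ends in a fresh reject from the foreign network are assumptions made for illustration.

```python
import random

HOUR = 3600  # seconds
# Timer ranges as quoted on this page (assumed, not re-checked against 24.008).
T3245_RANGE = (12 * HOUR, 24 * HOUR)
T3247_RANGE = (30 * 60, 60 * 60)


def sim_valid_again(reject_at, integrity_protected, uses_t3245, supports_t3247, rng):
    """Time (s) at which the phone retries after an 'IMSI unknown in HLR'
    reject, or None when only a restart brings it back."""
    if uses_t3245:
        return reject_at + rng.uniform(*T3245_RANGE)
    if supports_t3247 and not integrity_protected:
        return reject_at + rng.uniform(*T3247_RANGE)
    return None


def back_on_home_network(reject_at, home_back_at, rng, **phone):
    """Time (s) at which the phone registers to its home network again.

    Hypothetical model: each retry made while the home network is still
    unreachable ends in another reject from the foreign network.
    """
    t = reject_at
    while True:
        t = sim_valid_again(t, rng=rng, **phone)
        if t is None or t >= home_back_at:
            return t


if __name__ == "__main__":
    rng = random.Random(2018)  # fixed seed: constructed, repeatable scenario
    unprotected = dict(integrity_protected=False)  # foreign network has no keys
    phones = {
        "no T3245, no T3247": dict(uses_t3245=False, supports_t3247=False),
        "T3247 (13.5.0 behaviour)": dict(uses_t3245=False, supports_t3247=True),
        "T3245 configured on SIM": dict(uses_t3245=True, supports_t3247=False),
    }
    # Reject at t=0, home network reachable again 2 hours later.
    for name, phone in phones.items():
        t = back_on_home_network(0, 2 * HOUR, rng, **unprotected, **phone)
        print(name, "->", "restart needed" if t is None else f"{t / HOUR:.1f} h")
```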

Standardisation

The 3GPP does not make standards. They only write specifications.

The partners (e.g. nation groups) take them, adapt them for their local regulation, and publish the standard.

How much is changed is not well known, but machine version control could also tell more :).