eMTC Test Signaling Analysis: NAS Attach and TAU

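Posted on 2021-1-19 09:39:17
Introduction
Since 3GPP R13 introduced the eMTC (i.e. LTE CAT-M1) standard, eMTC technology has been widely deployed around the world. Compared with other low-power wide-area network technologies such as NB-IoT, 2G and LoRa, eMTC has very clear advantages: low power consumption, good mobility, low latency, support for VoLTE voice, compatibility with LTE and therefore low network deployment cost, low device complexity, low device cost, good coverage, and good technical maturity.
eMTC has now become the main low-power wide-area IoT technology direction for replacing 2G and 3G in North America, Japan, Australia and Europe.
In China, for policy reasons, NB-IoT is currently the technology being promoted, but in practice the major operators have all studied eMTC and built trial networks. As soon as policy allows, commercial service can start at any time.
NAS Attach signaling in eMTC
For the protocol standard covering eMTC NAS Attach, see 3GPP 24.301.
Here we again take a hands-on approach: we connect an eMTC device directly to an eMTC network, capture the signaling for the whole network entry procedure, and decode and analyze the raw signaling data.
An ordinary signaling tester can be used to test eMTC signaling access, but we want to simulate a real commercial eMTC network. For example, Verizon's eMTC network in the US runs on its nationwide 4G LTE network, so LTE devices and eMTC devices coexist in the same network. In China, we can use the 微戎 WR100 to simulate a network like those of the US operators, in which LTE and eMTC coexist.
In the WR100 configuration interface, set the band to LTE FDD Band 13 and tick eMTC as well, which enables both the LTE and the eMTC network on Band 13. Insert test SIM cards into two LTE phones that support Band 13: the phones register on the network and complete IMS registration, and at this point the two phones can send each other SMS messages and make calls. We then insert a test SIM card into the eMTC device. Using the IMSI suffix 005 of that SIM card, we can see in the WR100 configuration interface that the eMTC device has also attached to the network successfully.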

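The WR100 configuration interface supports signaling tracing and saving the trace. Below is an analysis of the NAS Attach signaling from the eMTC network access just performed.
NAS Attach request message
Below is the Attach request message sent by the eMTC device to the 微戎 WR100.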

[NAS] UL 2677 EMM: Attach request
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x1 (Integrity protected)
    Auth code = 0xf9b63a0e
    Sequence number = 0x06
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x41 (Attach request)
    EPS attach type = 2 (combined EPS/IMSI attach)
    NAS key set identifier:
      TSC = 0
      NAS key set identifier = 0
    Old GUTI or IMSI:
      MCC = 001
      MNC = 01
      MME Group ID = 32769
      MME Code = 1
      M-TMSI = 0x73898fb8
    UE network capability:
      0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)
      0xf0 (EIA0=1, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)
      0x00 (UEA0=0, UEA1=0, UEA2=0, UEA3=0, UEA4=0, UEA5=0, UEA6=0, UEA7=0)
      0x00 (UCS2=0, UIA1=0, UIA2=0, UIA3=0, UIA4=0, UIA5=0, UIA6=0, UIA7=0)
      0x00 (ProSe-dd=0, ProSe=0, H.245-ASH=0, ACC-CSFB=0, LPP=0, LCS=0, 1xSRVCC=0, NF=0)
      0x10 (ePCO=0, HC-CP CIoT=0, ERw/oPDN=0, S1-U data=1, UP CIoT=0, CP CIoT=0, ProSe-relay=0, ProSe-dc=0)
      0x00 (15 bearers=0, SGC=0, N1mode=0, DCNR=0, CP backoff=0, RestrictEC=0, V2X PC5=0, multipleDRB=0)
    ESM message container:
      Protocol discriminator = 0x2 (EPS Session Management)
      EPS bearer identity = 0
      Procedure transaction identity = 3
      Message type = 0xd0 (PDN connectivity request)
      Request type = 1 (initial request)
      PDN type = 3 (IPv4v6)
      Protocol configuration options:
        Ext = 1
        Configuration protocol = 0
        Protocol ID = 0x8021 (IPCP)
        Data = 01 00 00 10 81 06 00 00 00 00 83 06 00 00 00 00
        Protocol ID = 0x0003 (DNS Server IPv6 Address Request)
        Data =
        Protocol ID = 0x000a (IP address allocation via NAS signalling)
        Data =
        Protocol ID = 0x000d (DNS Server IPv4 Address Request)
        Data =
        Protocol ID = 0x0010 (IPv4 Link MTU Request)
        Data =
      Device properties = 0x00 (not configured for NAS signalling low priority)
    Last visited registered TAI:
      MCC = 001
      MNC = 01
      TAC = 0x0001
    Old location area identification:
      Data = 00 f1 10 00 01
    Mobile station classmark 2:
      Length = 3
      Data = 47 08 00
    Additional update type = 0x01 (no additional information, keeping NAS signalling connection not required, SMS only)
    Old GUTI type = 0
    MS network feature support = 0x01 (MS supports the extended periodic timer in this domain)
    TMSI based NRI container:
      Length = 2
      Data = 13 00

NAS Attach accept message
Below is the Attach accept message returned by the 微戎 WR100. With this message, the eMTC device establishes the default bearer and obtains an IP address.

[NAS] DL 2677 EMM: Attach accept
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x2 (Integrity protected and ciphered)
    Auth code = 0x1029edba
    Sequence number = 0x03
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x42 (Attach accept)
    EPS attach result = 2 (combined EPS/IMSI attach)
    T3412 value:
      Value = 5
      Unit = 1 (1 minute)
    TAI list:
      Length = 6
      Data = 00 00 f1 10 00 01
    ESM message container:
      Protocol discriminator = 0x2 (EPS Session Management)
      EPS bearer identity = 5
      Procedure transaction identity = 3
      Message type = 0xc1 (Activate default EPS bearer context request)
      EPS Qos:
        QCI = 9
      Access point name = "default.mnc001.mcc001.gprs"
      PDN address:
        PDN type = 1 (IPv4)
        IPv4 = 192.168.9.2
      ESM cause = 0x32 (PDN type IPv4 only allowed)
      Protocol configuration options:
        Ext = 1
        Configuration protocol = 0
        Protocol ID = 0x8021 (IPCP)
        Data = 03 00 00 0a 81 06 ca 60 86 85
        Protocol ID = 0x000d (DNS Server IPv4 Address)
        Data = ca 60 86 85
    GUTI:
      MCC = 001
      MNC = 01
      MME Group ID = 32769
      MME Code = 1
      M-TMSI = 0x73898fb8
    Location area identification:
      Data = 00 f1 10 00 01
    MS identity:
      TMSI/P-TMSI/M-TMSI = 0x73898fb8
    Emergency number list:
      Length = 8
      Data = 03 1f 19 f1 03 1f 11 f2
    EPS network feature support:
      0x01 (CP CIoT=0, ERw/oPDN=0, ESRPS=0, CS-LCS=0, EPC-LCS=0, EMC BS=0, IMS VoPS=1)
    Additional update result = 0x02 (SMS only)

NAS Attach complete message

[NAS] UL 2677 EMM: Attach complete
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x2 (Integrity protected and ciphered)
    Auth code = 0xf0a95e39
    Sequence number = 0x07
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x43 (Attach complete)
    ESM message container:
      Protocol discriminator = 0x2 (EPS Session Management)
      EPS bearer identity = 5
      Procedure transaction identity = 0
      Message type = 0xc2 (Activate default EPS bearer context accept)

00:00:40.780 [NAS] DL 2677 EMM: EMM information
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x2 (Integrity protected and ciphered)
    Auth code = 0xac51debc
    Sequence number = 0x04
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x61 (EMM information)
    Full name for network:
      Length = 14
      Data = 86 d7 72 5a fe 76 83 9c 65 fa fd 2d 5f 03
    Short name for network:
      Length = 7
      Data = 86 d7 72 5a fe 76 03
    Local time zone = 0
    Universal time and local time zone:
      Data = 91 80 71 00 00 04 00
    Network daylight saving time:
      Length = 1
      Data = 00

Tracking area update request

[NAS] UL 2681 EMM: Tracking area update request
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x1 (Integrity protected)
    Auth code = 0xdaef7b3c
    Sequence number = 0x0a
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x48 (Tracking area update request)
    EPS update type:
      Value = 3 (periodic updating)
      Active flag = 0
    NAS key set identifier:
      TSC = 0
      NAS key set identifier = 0
    Old GUTI:
      MCC = 001
      MNC = 01
      MME Group ID = 32769
      MME Code = 1
      M-TMSI = 0x73898fb8
    Last visited registered TAI:
      MCC = 001
      MNC = 01
      TAC = 0x0001
    EPS bearer context status:
      Length = 2
      Data = 20 00
    Additional update type = 0x01 (no additional information, keeping NAS signalling connection not required, SMS only)
    Old GUTI type = 0
    MS network feature support = 0x01 (MS supports the extended periodic timer in this domain)

Tracking area update accept

[NAS] DL 2681 EMM: Tracking area update accept
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x2 (Integrity protected and ciphered)
    Auth code = 0x7fba2f00
    Sequence number = 0x05
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x49 (Tracking area update accept)
    EPS update result = 1 (combined TA/LA updated)
    T3412 value:
      Value = 5
      Unit = 1 (1 minute)
    GUTI:
      MCC = 001
      MNC = 01
      MME Group ID = 32769
      MME Code = 1
      M-TMSI = 0x73898fb8
    TAI list:
      Length = 6
      Data = 00 00 f1 10 00 01
    EPS bearer context status:
      Length = 2
      Data = 20 00
    Location area identification:
      Data = 00 f1 10 00 01
    Emergency number list:
      Length = 8
      Data = 03 1f 19 f1 03 1f 11 f2
    EPS network feature support:
      0x01 (CP CIoT=0, ERw/oPDN=0, ESRPS=0, CS-LCS=0, EPC-LCS=0, EMC BS=0, IMS VoPS=1)
    Additional update result = 0x02 (SMS only)

Detach request

[NAS] UL 2675 EMM: Detach request
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x1 (Integrity protected)
    Auth code = 0x06c6f8e9
    Sequence number = 0x05
    Protocol discriminator = 0x7 (EPS Mobility Management)
    Security header = 0x0 (Plain NAS message, not security protected)
    Message type = 0x45 (Detach request)
    Detach type = 11 (switch_off=1, combined EPS/IMSI detach)
    NAS key set identifier = 0
    GUTI or IMSI:
      MCC = 001
      MNC = 01
      MME Group ID = 32769
      MME Code = 1
      M-TMSI = 0x73898fb8
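
The traces above leave the location area identification and the TAI list as raw hex, and print the UE network capability octets 0xf0 0xf0. The following is an added example, not part of the original post, that decodes those fields so they can be cross-checked against the decoded GUTI. Function names are hypothetical, the octet layouts follow 3GPP TS 24.008 and TS 24.301, and the type 1 and type 2 TAI list branches go beyond the single type 0 list seen in the trace.

```python
# Added example: decodes raw "Data =" hex fields copied from the trace above.
# Function names are hypothetical; layouts follow TS 24.008 / TS 24.301.
def take(buf, pos, n):
    """Return n octets at pos, refusing to read past the end of the IE."""
    if pos + n > len(buf):
        raise ValueError("truncated information element")
    return buf[pos:pos + n]

def decode_plmn(b):
    """3-octet BCD PLMN -> (MCC, MNC); nibble 0xF marks a 2-digit MNC."""
    mcc = f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}"
    mnc = f"{b[2] & 0xF}{b[2] >> 4}"
    return mcc, mnc + (str(b[1] >> 4) if b[1] >> 4 != 0xF else "")

def decode_area(buf, pos=0):
    """PLMN + 2-octet area code: the layout shared by LAI (LAC) and TAI (TAC)."""
    raw = take(buf, pos, 5)
    return decode_plmn(raw[:3]) + (int.from_bytes(raw[3:], "big"),)

def decode_tai_list(buf):
    """TAI list value part -> [(MCC, MNC, TAC), ...], partial list types 0-2."""
    out, pos = [], 0
    while pos < len(buf):
        kind, count = (buf[pos] >> 5) & 0x3, (buf[pos] & 0x1F) + 1
        if kind == 3:
            raise ValueError("reserved partial TAI list type")
        mcc, mnc, tac = decode_area(buf, pos + 1)   # PLMN and first TAC
        pos += 6
        if kind == 1:                               # count consecutive TACs
            out += [(mcc, mnc, tac + k) for k in range(count)]
            continue
        out.append((mcc, mnc, tac))
        step = 2 if kind == 0 else 5                # type 0: TACs; type 2: full TAIs
        for _ in range(count - 1):
            raw = take(buf, pos, step)
            out.append(decode_area(raw) if kind else (mcc, mnc, int.from_bytes(raw, "big")))
            pos += step
    return out

def supported(octet, names):
    """Names whose bit is set; bit 8 of the octet maps to names[0]."""
    return [n for k, n in enumerate(names) if octet & (0x80 >> k)]
EEA = ["EEA0", "128-EEA1", "128-EEA2", "128-EEA3", "EEA4", "EEA5", "EEA6", "EEA7"]
EIA = [n.replace("EEA", "EIA") for n in EEA]

if __name__ == "__main__":
    print(decode_area(bytes.fromhex("00f1100001")))         # LAI in the trace
    print(decode_tai_list(bytes.fromhex("0000f1100001")))   # TAI list in the trace
    print(supported(0xF0, EEA), supported(0xF0, EIA))       # capability octets
```

For the trace values this yields MCC 001, MNC 01 and area code 0x0001 for both the LAI and the single TAI, matching the decoded GUTI and last visited TAI. It also lists EEA0 and EIA0, the null ciphering and null integrity algorithms, among those the device advertises.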