
First, I wanted to let everyone know that I have uploaded my Open5GS and srsRAN_Project configs to Github. These are configured for my network; if you want to use them yourself, change any IP address of 100.122.126.173 to the computer your 5GC is running on, or, if you are running both srsRAN and Open5GS on the same computer, change that IP to its default of 127.0.0.5 – your gNB config file will also need to be modified as follows…

```yaml
amf:
  addr: 100.122.126.173        # change to 127.0.0.5 or the IP of the 5GC computer
  bind_addr: 100.122.128.121   # change to any unused 127.0.0.X or the IP of the gNB computer
```
Introduction
As you can imagine, cellular networks are quite complicated. I remember learning GSM in 2012, my first introduction to cellular technologies beyond using my iPhone every day. I remember an instructor telling me that when my phone said it was on LTE, it really wasn’t ON LTE, and I thought “ok, this guy thinks he’s smarter than what my phone is telling me…” Fast forward ten years and I know exactly what he meant. To witness the rollout of a new technology, such as 5G, and see the growing pains of commercial providers getting these technologies to market has been an interesting experience. I am left with more questions than I have answers, but that’s why they’re the providers and I am just an enthusiast.
I had never really thought about how my phone worked, I just knew the technology was working behind the scenes and that I was probably better off not thinking about it. Then came the part of the course where we had to learn and memorize process flows in GSM, such as a phone attaching to the network, searching for a cell, making a phone call, conducting a handover with another BTS, and reselecting to another cell… I thought “Why do I need to know all of this!?”
It took me a handful of years before it really clicked. I was tasked with analyzing the first U.S. deployment of 5G. I had never read a spec or looked at layer 3 signaling before, but I knew I had to figure it out and deliver a detailed report to my organization. That’s when the fascination started, and it hasn’t stopped for nearly 5 years. I have been working with wireless technologies for over a decade now, but before 5G, I simply passed off the “theory” tasks to the guys that I felt were better suited for the job. Now I realize what I was missing out on.
Anyway, enough of the history lesson…
The truth about cellular networks is that if you want to be intimately familiar with them past reading the spec, you’re going to need certain tools, most of which are very expensive to purchase. So if you’re just some guy or girl who is looking to sharpen their knowledge, you turn to the open source community and find out what there is to offer. Sure you still have to spend some money to get everything working, but that amount pales in comparison to the tens or hundreds of thousands of dollars you would spend procuring commercial test equipment.
In this article, I am going to go over cellular network processes as they relate to the current release of the Open Source 5G network. Some processes are similar to previous technologies, and some are vastly more complicated. Some processes are not quite in line with how commercial providers are configuring 5G, and I will try to point out those differences when detailing them. These processes include…
- Cell Search and Selection
- Random Access Procedure
- Network Registration
- Authentication
- PDU Session Establishment
- Cell Re-selection
- Handover
- Data Sessions
- Voice Sessions (VoNR)
Tools
Commercial Test Equipment
Companies like Anritsu, Keysight, Rohde & Schwarz, Spirent, Qualcomm, and Infovista provide a wide range of test equipment. Their consumer base is mostly Telecom providers who are looking to test and deploy their technologies in the lab, and then move to deploying their technology in live environments. Once deployed in the wild, they need tools to test and optimize their configurations as well. Some tools I am familiar with are…
- Keysight Nemo Outdoor (Engineering Handset software suite)
- Keysight Nemo Handy (Engineering Handset)
- Keysight/Sanjole WaveJudge (Protocol Analyzer)
- Keysight FieldFox (Spectrum Analyzer)
- Infovista TEMs (Engineering Handset)
- Anritsu Field Master Pro (Spectrum Analyzer)
- Qualcomm QXDM (Diagnostic Logging Tool)
- Amarisoft Callbox (3GPP Compliant 4G/5G eNB/gNB EPC/5GC Emulator)
- Amarisoft UE Simbox (UE Simulator)
Open Source Test Equipment
There are some open-source alternatives to the equipment listed above, but most have limitations.
- iPhone Engineering Mode (*3001#12345#* in dialer menu)
- Android Engineering Mode (*#*#4636#*#* in dialer menu)
- Force LTE (Android Play Store app – forces Engineer mode)
- 5G Network manager (Android Play Store app – forces Engineer mode)
- NetMonster (Android Play Store app)
- Network Signal Guru (Android Play Store app – minimal basic functionality, but has the option for a monthly subscription that offers Engineering handset capabilities on certain handsets – the app is hosted by a company in China)
- PingTools (Android Play Store app)
- PCAPdroid (Android Play Store app)
- SCAT (Open Source Engineering Handset software for certain handsets)
- Wireshark (Needs no introduction)
- Open5GS (Open Source 5GC Software)
- srsRAN (Open Source LTE gNB, EPC, UE Software)
- srsRAN gNB (Open Source 5G gNB Software)
- UERANSIM (Open Source 5G gNB/UE Software)
- DragonOS (Open Source Linux based OS focused on SDRs – in the vein of Kali Linux)
Software Defined Radios
- Ettus USRP (Ettus has a large catalog of different SDRs; the B210, B200, B205 mini, etc. are the most affordable). Note that with the USRP you are going to want a GPSDO module or an external reference clock such as the Leo Bodnar Precision GPS Reference Clock.
- bladeRF (other affordable SDR option – these are not yet compatible with srsRAN gNB)
- LimeSDR (other affordable SDR option – these are not yet compatible with srsRAN gNB)
Cell Search and Selection
gNB transmits the MIB on the PBCH; the MIB carries the information the UE needs to find SIB1 on the PDCCH (controlResourceSetZero & searchSpaceZero)

UE syncs on downlink and selects cell after decoding MIB

UE searches for SIB1 using MIB parameters for coreset0

UE finds, decodes and processes the SIB1 information

UE must meet the cell’s minimum thresholds for RSRP and, if configured, RSRQ. The minimum values for this cell are -140 dBm RSRP and -20 dB RSRQ

UE compares its provisioned PLMN with the PLMN of the cell. It also reads the cell’s Tracking Area Code and Cell ID. During cell re-selection, if the cell is in another Tracking Area than the one the UE is currently registered in, it must conduct a Registration Request with the type Mobility Registration Update.
UE gets information about how the cell’s Bandwidth Part is configured.
- Frequency Band = n3
- offsetToPointA (the reference point for the overall carrier)
- offsetToCarrier = 0 (this value is equal to 0 whenever this is the first BWP or only BWP in the carrier)
- subcarrierSpacing = 15 kHz (this is the BWP SCS)
- carrierBandwidth = 106 (the number of Resource Blocks in the carrier; the carrier width is that count multiplied by the size of each RB in the BWP: 15 kHz * 12 subcarriers = 180 kHz per RB, 180 kHz * 106 = 19.08 MHz, i.e. a 20 MHz channel)
- locationAndBandwidth (an RIV value that indicates the start and span of the BWP across the carrier; there is a calculator here for this value). 28875 = start at RB 0 with a span of 106 RBs.
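To make the locationAndBandwidth arithmetic concrete, here is an added example (not code from the original post or from srsRAN/Open5GS) that encodes and decodes the RIV the way TS 38.214 5.1.2.2.2 defines it and derives the BWP width from the SIB1 numbers quoted above; the SIB1_N3_CELL dict is constructed from those values.

```python
# Added example (not from the original post): derive the BWP layout from the
# SIB1 values listed above, and encode/decode the locationAndBandwidth RIV.
# Formulas follow TS 38.214 5.1.2.2.2 (RIV) and TS 38.211 (12 subcarriers per RB).
N_BWP_MAX = 275  # locationAndBandwidth is always coded against a 275-RB grid

def riv_encode(rb_start: int, l_rbs: int, n_size: int = N_BWP_MAX) -> int:
    """Resource Indication Value for a BWP starting at rb_start spanning l_rbs RBs."""
    if rb_start < 0 or not (1 <= l_rbs <= n_size - rb_start):
        raise ValueError("BWP does not fit inside the carrier")
    if (l_rbs - 1) <= n_size // 2:
        return n_size * (l_rbs - 1) + rb_start
    return n_size * (n_size - l_rbs + 1) + (n_size - 1 - rb_start)

def riv_decode(riv: int, n_size: int = N_BWP_MAX) -> tuple[int, int]:
    """Inverse of riv_encode: returns (rb_start, l_rbs)."""
    l_rbs = riv // n_size + 1
    rb_start = riv % n_size
    if rb_start + l_rbs > n_size:  # the 'wrapped' half of the encoding
        l_rbs = n_size - l_rbs + 2
        rb_start = n_size - 1 - rb_start
    return rb_start, l_rbs

def bwp_bandwidth_hz(n_rbs: int, scs_khz: int) -> int:
    """Occupied bandwidth of a BWP: RBs x 12 subcarriers x SCS."""
    return n_rbs * 12 * scs_khz * 1000

def describe_bwp(sib1: dict) -> dict:
    """Summarise the initial DL BWP from the SIB1 fields quoted in the post."""
    rb_start, l_rbs = riv_decode(sib1["locationAndBandwidth"])
    return {
        "band": sib1["frequencyBand"],
        "scs_khz": sib1["subcarrierSpacing"],
        "first_rb": sib1["offsetToCarrier"] + rb_start,
        "rb_span": l_rbs,
        "bandwidth_mhz": bwp_bandwidth_hz(l_rbs, sib1["subcarrierSpacing"]) / 1e6,
        "spans_whole_carrier": l_rbs == sib1["carrierBandwidth"],
    }

# Constructed dict holding the values of the n3 cell described in the post.
SIB1_N3_CELL = {
    "frequencyBand": "n3", "offsetToCarrier": 0, "subcarrierSpacing": 15,
    "carrierBandwidth": 106, "locationAndBandwidth": 28875,
}

if __name__ == "__main__":
    print(describe_bwp(SIB1_N3_CELL))  # 106 RBs from RB 0, 19.08 MHz
```

The same functions decode any locationAndBandwidth you see in a SIB1 capture, not just this cell's; a wrapped RIV (span wider than half the grid) is handled by the second branch.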

Based on the parameters listed in MIB and SIB1, this is what the BWP would look like.

UE then gathers information on how to perform the Random Access procedure with the cell using the rach-ConfigCommon parameters.

Random Access Failure
In this example, I am attempting to use srsUE to attach to my 5G network. This is a good way to examine logs to troubleshoot where the process is failing.
UE prepares RRC Setup Request (sent with RACH msg3) and configures data to send on UL PRACH

UE sends RACH msg1 preamble on UL PRACH

UE monitors PDCCH for RA-RNTI associated with msg1 preamble, UE detects DCI 1_0 and is able to decode RACH msg2 Random Access Response (RAR) from gNB on PDSCH which includes UL Grant and Temporary C-RNTI

UE transmits msg3 on PUSCH, which includes the RRC Setup Request and also initiates the Registration procedure with the 5GC. The UE MAC layer starts ra-ContentionResolutionTimer and waits for msg4 (Contention Resolution)

If necessary, the UE will re-transmit msg3

If msg4 (Contention Resolution) is not received from the gNB before ra-ContentionResolutionTimer expires, the UE stops searching for msg4 and restarts the Random Access procedure.

UE will continue this process until it receives msg4, or until it reaches the maximum number of Random Access transmission attempts.
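The retry loop described above, as an added example that is not code from the original post or from srsUE: a UE-side model of msg1 through msg4 driven by preambleTransMax and ra-ContentionResolutionTimer, with the gNB replaced by a stub callable so a never-arriving msg4 can be reproduced without a radio. The RA-RNTI formula is from TS 38.321 7.1; the PRACH occasion, timer value and C-RNTI are constructed values.

```python
# Added example (not from the original post or srsRAN): the UE side of the
# four-step RACH retry loop, driven by two rach-ConfigCommon values
# (preambleTransMax, ra-ContentionResolutionTimer). gnb(attempt) is a stub
# that returns a msg4 dict, or None when the timer would expire without msg4.
from typing import Callable, Optional

def ra_rnti(s_id: int, t_id: int, f_id: int = 0, ul_carrier_id: int = 0) -> int:
    """RA-RNTI the UE monitors on PDCCH for msg2, per TS 38.321 7.1.
    s_id: first OFDM symbol of the PRACH occasion (0..13), t_id: first slot in
    the system frame (0..79), f_id: frequency-domain index (0..7)."""
    return 1 + s_id + 14 * t_id + 14 * 80 * f_id + 14 * 80 * 8 * ul_carrier_id

def random_access(gnb: Callable[[int], Optional[dict]], preamble_trans_max: int,
                  contention_timer_ms: int, prach_occasion=(0, 19)) -> dict:
    """Run msg1..msg4 until contention is resolved or preambleTransMax is hit."""
    rnti = ra_rnti(*prach_occasion)  # constructed PRACH occasion: symbol 0, slot 19
    log = []
    for attempt in range(1, preamble_trans_max + 1):
        log.append(f"msg1 preamble tx #{attempt}, monitoring PDCCH for RA-RNTI {rnti}")
        log.append("msg2 RAR decoded (UL grant + TC-RNTI); msg3 RRCSetupRequest sent on PUSCH")
        log.append(f"ra-ContentionResolutionTimer started ({contention_timer_ms} ms)")
        msg4 = gnb(attempt)
        if msg4 is not None:
            log.append("msg4 contention resolution received, TC-RNTI promoted to C-RNTI")
            return {"success": True, "attempts": attempt, "c_rnti": msg4["c_rnti"], "log": log}
        log.append("timer expired without msg4, restarting Random Access")
    log.append("preambleTransMax reached, Random Access problem indicated to RRC")
    return {"success": False, "attempts": preamble_trans_max, "log": log}

# Constructed gNB stubs: one that never answers msg3 (the failure in the post),
# and one that resolves contention on the third preamble.
def silent_gnb(attempt: int) -> Optional[dict]:
    return None

def third_try_gnb(attempt: int) -> Optional[dict]:
    return {"c_rnti": 0x4601} if attempt >= 3 else None  # constructed C-RNTI

if __name__ == "__main__":
    for line in random_access(silent_gnb, preamble_trans_max=7, contention_timer_ms=64)["log"]:
        print(line)
```

Comparing the printed log against a real srsUE MAC log shows which of the four steps is the one that never completes.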
