RF

Dumb Lesson in RF Connectors

Learning a very dumb lesson in antenna selection.

GSM
Mobile Networks
RF

GSM with Osmocom Part 9: Calls & SMS at last!

So now that we’ve covered the basics of what’s involved, let’s get some traffic on our network. For starters we’ll need to start each of our network elements and bring up whichever BTS hardware we’re using. In order for our calls to have audio, we’ll need to set a parameter on the Media Gateway. We’ll cover […]

GSM
Mobile Networks
RF
Security

16 in 1 Magic SIM Card Revisited

Quick look at cheap “Magic SIM Cards”, what they do, how they do it, and the amazing graphics they use.

RF
Software

Configuring YateBTS for Software Defined GSM/GPRS

Configuring YateBTS NIPC with a BladeRF Software Defined Radio

EUTRAN
LTE
RF

Field Test on an iPhone

Accessing the Field Testing suite on an iOS Device

EPC
EUTRAN
LTE
Mobile Networks
RF
Security

HSS & USIM Authentication in LTE/NR (4G & 5G)

Exploring the how and why of Authentication in LTE & NR networks.

EPC
LTE
Mobile Networks
Python
RF

Open5Gs – Python HSS Interface

Note: NextEPC, the open source project, was rebranded as Open5Gs in 2019 due to a naming issue. The remaining software called NextEPC is a branch of an old version of Open5Gs. This post was written before the rebranding. I’ve been working for some time on private LTE networks; the packet core I’m using is NextEPC, it’s […]

EPC
EUTRAN
LTE
Python
RF
RFCs & Standards

PyHSS – Python 3GPP LTE Home Subscriber Server

I recently started working on an issue that I’d seen was to do with the HSS response to the MME on an Update Location Answer. I took some Wireshark traces of a connection from the MME to the HSS, and compared that to a trace from a different HSS (Amarisoft EPC/HSS). The Update Location Answer […]

EPC
EUTRAN
LTE
RF
RFCs & Standards
Voice over IP

Diameter Basics

A primer on the Diameter protocol and its usage.

EPC
EUTRAN
LTE
Mobile Networks
RF

QoS in LTE (4G) – ARP

ARP in LTE is not the Ethernet standard for address resolution, but rather the Allocation and Retention Policy. A scenario may arise where, on a congested cell, another bearer is requested to be set up. The P-GW, S-GW or eNB have to make a decision to either drop an existing bearer, or to refuse the request […]

EPC
EUTRAN
LTE
Mobile Networks
RF

QoS in LTE (4G) – MBR/AMBR/APN-MBR

MBR stands for Maximum Bit Rate, and it defines the maximum rate traffic can flow between a UE and the network. It can be defined on several levels: MBR per Bearer: This is the maximum bit rate per bearer. This rate can be exceeded, but if it is exceeded its QoS (QCI) values for the […]

EPC
EUTRAN
LTE
Mobile Networks
RF

QoS in LTE (4G) – QCI

The QCI (Quality Class Indicator) is a value of 0-9 that denotes the service type and the maximum delay, packet loss and throughput the service requires. Different data flows have different service requirements; let’s look at some examples: A VoLTE call requires low latency and low packet loss, as without low latency it’ll be impossible to […]

EPC
EUTRAN
LTE
Mobile Networks
RF

QoS in LTE (4G) – GBR & Non-GBR Bearers

GBR is a confusing concept when first looking at LTE, but it’s actually kind of simple when we break it down. GBR stands for Guaranteed Bit Rate, meaning the UE is guaranteed a set bit rate for the bearer. The default bearer is always a non-GBR bearer, with best effort data rates. Let’s […]

EPC
EUTRAN
LTE
Mobile Networks
Notes
RF

LTE (4G) – TMSI & GUTI

We’ve already touched on how subscribers are authenticated to the network, how the network is authenticated to subscribers and how the key hierarchy works for encryption of user data and control plane data. If the IMSI was broadcast in the clear over the air, anyone listening would have the unique identifier of the subscriber nearby […]

LTE
Mobile Networks
RF
RFCs & Standards
Security

LTE (4G) – EUTRAN – Key Distribution and Hierarchy

We’ve talked a bit in the past few posts about keys: K and all its derivatives, such as Kenc, Kint, etc. Each of these is derived from our single secret key K, known only to the HSS and the USIM. To minimise the load on the HSS, the HSS transfers some of the key management […]

LTE
Mobile Networks
RF
RFCs & Standards
Security

LTE (4G) – Ciphering & Integrity of Messages

We’ve already touched on how subscribers are authenticated to the network, and how the network is authenticated to subscribers. Those functions are done “in the clear”, meaning anyone listening can get a copy of the data transmitted, and responses could be spoofed or faked. To prevent this, we want to ensure the data is ciphered (encrypted) […]
