
Using TEMS Investigation

Johan Montelius

In this lab exercise you will use the TEMS Investigation tool to look at the radio, link and layer three messaging (Radio Resource Management / Connection Management / Mobility Management). Since we will be stationary we will not see any handovers, but we will see radio resource management and call control messages.

Getting started

Since the Monaco network is down I must ask you to use your own SIM cards for this lab exercise. If you don't have a SIM card ... hmm, then I don't really know what to do. Note: it's your bill and I will not be able to reimburse you. Start the laptop and boot using W2000. Then start the TEMS Investigation software, connect the serial cable marked TEMS to the serial port and the other end to the mobile phone. Once everything is connected, turn on the phone. You see a lot of worksheets filled with measurement data, but to keep things simple we open a new worksheet and start from scratch. Select New Worksheet under the Worksheet menu. Configure the mobile by first clicking Identify Equipment (or shift-I) and select COM 1. You can now connect the mobile using F3. windows. You can select what data windows you want to look at by selecting them (double click) in the panel to the left.

A first look

Let's look at some data: open a Current Channel view (found under Presentation/Control). This will display some information about the current channel, which of course is the Broadcast Control Channel since we are idle. You should have seen most of this information in the previous lab exercise. You can also open up a Serving + Neighbors view to see the neighbors of the current cell. Notice that the mobile does not know the BSIC of all neighbors. What network colour codes is the operator using? Is the operator using 900 or 1800 cells? If we look at the Interference views we can see the carrier to interference ratio and also the signal levels of adjacent carriers. You should not see any interference, but if you move outside or walk up to the roof of the building (you are not allowed to do that) you will probably see a lot of interfering signals. Now keep the Current Channel view and close the rest.

The Broadcast Channel

Open up a Layer 3 Messaging view (found under Signaling). You will now listen in to messages for radio resource management, connection management and mobility management. We will not hear what other mobiles are replying and we will not listen in on traffic that is dedicated to them, but we will decode the messages that are broadcast from the BSS to all mobiles in the area and paging messages to phones that belong to the same paging group.


Synchronization Channel

First select a Synch Channel Information element and double click on it; this will give you the details of the message. What information can we get from the synchronization channel? Note that this information is coded in the synchronization burst. Look at several synchronization messages and look at the channel number. What is happening here? Open the Serving + Neighbors view again and take a look.

We haven't looked closely at the frame numbering scheme, but when we are looking at the synchronization messages we might as well look at the values T1, T2 and T3. These numbers make up the current frame number. T1 is the current super frame (0-2047), T2 is the frame number modulo 26 and T3' is a short way of coding the frame number modulo 51. The real frame number modulo 51 is

$T3 = T3' \times 10 + 1$

The reason we can send only T3' is that we only need to code 1, 11, 21, 31 and 41, that is, the frames in a 51-multiframe that can hold the synchronization channel. Given T2 we know where in a 26-frame traffic multiframe we are, and given T3 we know the position in a 51-frame signaling multiframe. We need to know the frame numbers to know when to expect a broadcast control channel, paging channel, access grant channel etc. To find the absolute frame number we compute

$FN = T1 \times (51 \times 26) + ((T3 - T2) \bmod 26) \times 51 + T3' \times 10 + 1$

The trick with T2 and T3 works since T2 is modulo 26, T3 modulo 51 and $26 \times 2 = 51 + 1$. In the first superframe the difference between T2 and T3 is either 0 or 26, that is, 0 modulo 26. In the second superframe the difference is 1 modulo 26 and so forth. The absolute frame number is needed for encryption, but that is for later.
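The frame number reconstruction above, as an added Python example that is not part of the original handout. The function names are hypothetical; the round-trip check runs over every frame position that can carry the synchronization channel, to show the formula recovers the frame number exactly.

```python
SUPERFRAME = 26 * 51              # 1326 TDMA frames per superframe
HYPERFRAME = 2048 * SUPERFRAME    # T1 ranges over 0-2047
SCH_T3 = (1, 11, 21, 31, 41)      # 51-multiframe positions that hold the SCH


def sch_fields(fn):
    """Return (T1, T2, T3') as coded in the synchronization burst of frame fn."""
    t3 = fn % 51
    if t3 not in SCH_T3:
        raise ValueError("frame %d does not carry the synchronization channel" % fn)
    return fn // SUPERFRAME, fn % 26, (t3 - 1) // 10


def frame_number(t1, t2, t3_coded):
    """Rebuild the absolute frame number from T1, T2 and the coded T3'."""
    if not (0 <= t1 < 2048 and 0 <= t2 < 26 and 0 <= t3_coded < 5):
        raise ValueError("field out of range")
    t3 = 10 * t3_coded + 1                      # real frame number modulo 51
    # 51 is congruent to -1 modulo 26, so (T3 - T2) mod 26 is the index of the
    # 51-multiframe inside the current superframe.
    return t1 * SUPERFRAME + ((t3 - t2) % 26) * 51 + t3


def roundtrip_ok():
    """Check the reconstruction for every SCH frame in the frame-number range."""
    return all(
        frame_number(*sch_fields(base + t3)) == base + t3
        for base in range(0, HYPERFRAME, 51)
        for t3 in SCH_T3
    )


if __name__ == "__main__":
    # Constructed sample values, not taken from a real trace.
    print(sch_fields(1337), frame_number(1, 11, 1), roundtrip_ok())
```
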


Broadcast Control Channel

So we know how the mobile figures out the colour codes of the neighbouring cells, but how did it figure out which neighbouring cells to listen to? Take a look at the System Information Type messages. Most of them will come from the current channel, i.e. from the broadcast control channel of the current cell. The system information messages come in different types (1, 2, 3, 4 and 13 are what you will probably see). Investigate a message of each type and determine what information one can find. This is what you can find in TS-04.18, a document of 313 pages. If you have the time connect to and download the specs.

Type 1: ... information of control of the RACH and of the cell allocation
Type 2: ... information of control of the RACH and of the BCCH allocation in the neighbour cells
Type 3: ... information of control on the RACH, the location area identification, the cell identity and various other information about the cell
Type 4: ... information on control of the RACH, the location area identification, the cell identity and various other information about the cell
Type 13: ... information related to GPRS in the cell

Look at a Type 2 message and you will find a sequence of carrier numbers. This is a list of broadcast carriers that are used by the base stations in the area. Compare this list to the sequence of carriers in the neighbouring view. Notice that the mobile also scans some of the neighbouring cells (how many?). Remember the C1 and C2 values for selection and re-selection of a carrier. These values are computed not only based on the signal strength but also on the maximum transmit power allowed, minimum signal level allowed etc. This is information that is coming from somewhere (where?).

How can we tell the different system information messages apart? They are coded so we can tell them apart, but they do not come randomly. If we know the frame number we also know which system information messages to expect. First we calculate the Type Code as TC = T3 mod 8 and then look at the type sequence 1, 2, 3, 4, X, X, 3, 4. In the X position we can expect any information type, for example Type 13.


Paging request

You will by now have some Paging Request messages. This is the base station controller looking for a mobile in the location area that our cell belongs to. If you double click on a message you will see the details of the message. You will notice that the message is not directed to your mobile (unless someone is actually trying to call you). The paging messages, also described in TS-04.18, come in three types depending on how many mobiles are paged in the same message. If the network is not crowded you will only see Type 1 messages. In the message you will find the IMSI or TMSI (Temporary Mobile Subscriber Identity). If you knew the TMSI value of a subscriber you could sniff the channel and log when the subscriber is called. The problem is that you do not know the TMSI value. It is allocated and changed periodically. If someone is answering a page request they will do so by sending a random access request. We will not see this request, but we will see the answer from the system to such, and similar, requests. The answer will be in the form of an Immediate Assignment message on the access grant channel. You will see what resource was requested, often a stand-alone dedicated control channel, but it could be a Temporary Block Flow for GPRS traffic, and exactly how the resource is allocated.


Channel request

You can generate a channel request simply by switching off the phone. The last thing the mobile wants to do is deregister from the VLR, and to do that it needs a signaling channel. Try it and see how the last messages will be a Channel Request and an Immediate Assignment followed by the detach message. If you inspect the channel request you will see the request of a signaling channel. The mobile will also send a Random reference so that it can find the reply to the request. Check the assignment message and see if the reference numbers match. In the assignment message you will see things like the time slot, training sequence, hopping sequence and timing advance. Since all we do is a detach we only need to send one message and then close the connection.
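The reference check described above, as an added Python example that is not part of the original handout. It assumes the Request Reference layout of TS 04.18 (the RA octet followed by T1' = (FN div 1326) mod 32, T3 and T2 packed into two octets); the function names are hypothetical and the byte values are constructed, not taken from a trace.

```python
def reduced_fn(fn):
    """Reduced frame number (T1', T3, T2) carried in a Request Reference."""
    return (fn // 1326) % 32, fn % 51, fn % 26


def pack_request_reference(ra, fn):
    """Build the three value octets the network echoes back for a request."""
    t1p, t3, t2 = reduced_fn(fn)
    return bytes([ra & 0xFF, (t1p << 3) | (t3 >> 3), ((t3 & 0x07) << 5) | t2])


def parse_request_reference(octets):
    """Split the three value octets into RA, T1', T3 and T2."""
    if len(octets) != 3:
        raise ValueError("Request Reference value part is exactly 3 octets")
    ra, o3, o4 = octets
    return {"ra": ra, "t1p": o3 >> 3,
            "t3": ((o3 & 0x07) << 3) | (o4 >> 5), "t2": o4 & 0x1F}


def assignment_is_ours(octets, sent):
    """True if the assignment answers one of our requests.

    sent is a list of (ra, fn) pairs: the Channel Request octet the mobile
    transmitted and the frame number in which it was transmitted.
    """
    ref = parse_request_reference(octets)
    echoed = (ref["t1p"], ref["t3"], ref["t2"])
    return any(ra == ref["ra"] and reduced_fn(fn) == echoed for ra, fn in sent)


if __name__ == "__main__":
    ref = pack_request_reference(0x1B, 1337)          # constructed sample
    print(ref.hex(), parse_request_reference(ref))
    print(assignment_is_ours(ref, [(0x1B, 1337)]))    # our request
    print(assignment_is_ours(ref, [(0x1B, 1388)]))    # same RA, other frame
    # The reduced frame number repeats every 32 * 1326 = 42432 frames, and two
    # mobiles sending the same RA in the same frame cannot be told apart here.
    print(assignment_is_ours(ref, [(0x1B, 1337 + 42432)]))
```
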

Setting up a call

Turn the phone back on, connect it to the Investigation program and call someone (try 90510), keep it short and then disconnect the phone. We should now have an interesting trace of a call set up procedure and the following call.


The signaling channel

First look at how a signaling channel is requested and hopefully immediately granted. This signaling channel is then used to do a CM Service Request followed by a sequence of ciphering mode messages. When the ciphering is complete the actual Setup message follows. The mobile informs the MSC of its requirements and also the phone number it wishes to call. Since the signaling channel is now up for a longer period we need to inform the network of our radio conditions. This is done in a Measurement Report. We will get a Call Proceeding message that indicates that the phone call request has been accepted and that the system will try to set up the call. The Alerting message will tell us that it is actually ringing on the other side, if that could be of some comfort. Once the other side answers the call we will get a Connected message to which we will send a Connect Acknowledge message. The question now is where the traffic channel is. This either has already been assigned to us in an Assignment Command or, if not yet, it is now high time to do so. There are of course pros and cons of assigning a traffic channel if no one has yet answered - which?


The traffic channel

Open the assignment message and find out what traffic channel was given to us. Take a look at the Measurement Report messages. These are sent on the SACCH and inform the BSC of the radio conditions, not only of the traffic channel but also of neighbouring broadcast channels. You will now also see new system information messages of type 5 and 6. These messages are also sent on the SACCH and will provide much of the information that was previously obtained over the BCCH. Once we terminated the call the mobile sent a Disconnect message.


Connect the mobile and let someone call you to see how you respond to a paging message. What happens if you do not accept the call? How many pages will the network send out? Send an SMS and see if you can find the text of the message. Is the message in plain text in the air?