
Registration

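Because TI's code is built with GPRS defined, network registration when a GMM module is present differs from registration with the MM module alone. We first look only at how MM registers with the network when there is no GMM.

The MMI ultimately calls GLOBAL SHORT psaMM_Registrate ( void ) to register with the network.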


GLOBAL SHORT psaMM_Registrate ( void )
{
  psaMM_SetRegMode ( MODE_AUTO );

  {
    PALLOC (mmr_reg_req, MMR_REG_REQ);

    // Choose the network service mode according to the state of the SIM.
    if (simShrdPrm.imei_blocked EQ TRUE)
    {
      mmr_reg_req->service_mode = SERVICE_MODE_LIMITED;
    }
    else
    {
      mmr_reg_req->service_mode = SERVICE_MODE_FULL;
    }

    // The following sends an MMR_REG_REQ primitive to MM.
    PSENDX (MM, mmr_reg_req);
  }

  frstFlg = FALSE;
  return 0;
}

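In MM, the MMR_REG_REQ primitive is handled by the function reg_mmr_reg_req. This function contains a single call:

mm_func_mmgmm_reg_req (mmr_reg_req->service_mode,
                       REG_GPRS_INACTIVE,
                       MMGMM_CLASS_CC);

Because the code we are tracing is GSM only, the network class here is MMGMM_CLASS_CC, i.e. GSM only.

The network classes are defined as follows: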


#define VAL_MOBILE_CLASS___DEF (0x0) /* Combined GPRS attach */
#define MMGMM_CLASS_A (0x1) /* Combined GPRS */
#define MMGMM_CLASS_B (0x2) /* GPRS and GSM */
#define MMGMM_CLASS_BC (0x3) /* Combined GPRS if possible, otherwise GSM only */
#define MMGMM_CLASS_BG (0x4) /* Combined GPRS if possible, otherwise GPRS only */
#define MMGMM_CLASS_CC (0x5) /* GSM-only */
#define MMGMM_CLASS_CG (0x6) /* GPRS-only */

In mm_func_mmgmm_reg_req, the GSM-only case calls mm_reg_gsm_only_req (service_mode);


Mobility Management Services
The services offered by mobility management are described in the following:

Registration
After power-on or SIM insertion the mobile station searches for a cell and tries to register on it. The purpose
of the registration procedure is to select a network.

Normal Location Updating
If the mobile station is not registered with the network or changes location area, a normal location updating
is performed. That means the registration with the network is updated.

Periodic Location Updating
If the network uses periodic location updating, this procedure is used by the mobile station to update its
registration with the network at periodic intervals.

IMSI Attach
If indicated by the network, the mobile station updates its registration after initial cell selection although
the SIM card shows the updated state.

IMSI Detach
If indicated by the network, the mobile station de-registers itself during SIM removal or power-off.

TMSI Reallocation
The TMSI Reallocation procedure is used by the network to assign a new or changed temporary subscriber
identity to the mobile station.

Authentication
The authentication procedure is used to calculate and compare the authentication parameter.

Identification
The base station uses the identification procedure to request the various identifications from a mobile
station.

MM-Connection Management
MM handles the various connections from call control, supplementary services and short message
services.

Net Request
The net request procedure requests all available networks and presents them to the man machine interface.


As shown in the figure: the transitions between the MM states and their conditions.


Overview

This section offers a brief description of the different layers which constitute the mobile station Protocol Stack. It is also intended to offer an overview of the intersystem interface. The Protocol Stacks are used to define the functionality of the GSM protocols for interfaces. The GSM specifications are normative when used to describe the functionality of interfaces, but the stacks and the subdivision of protocol layers do not imply or restrict any implementation.

1 PL - Physical Layer

The base of the Protocol Stack rests on the physical layer.

2 DL - Data Link

The Data Link Layer (DL) is used to handle an acknowledged connection between mobile and base station. The LAPDm protocol is used.

3 RR - Radio Resource

Radio Resource (RR) manages the resources of the air-interface. That means configuration of physical layer, cell selection and cell reselection, data transfer, RR-Connection handling.

4 MM - Mobility Management

Mobility Management (MM) handles registration aspects for the mobile station. It detects changes of location areas and updates a mobile station in the new location area.

5 CC - Call Control

Call Control (CC) provides the call functionality. This includes call establishment, call maintenance procedures like Hold, Retrieve or Modify, and call disconnection.

6 SS - Supplementary Services

Supplementary Services (SS) handles all call independent supplementary services like call forwarding or call barring.

7 SMS - Short Message Services

Short Message Services (SMS) is used for sending and receiving point-to-point short messages. Additionally the reception of cell broadcast short messages is included. Call Control (CC), Supplementary Services (SS) and Short Message Services (SMS) together are referred to as Connection Management (CM) sometimes.

8 MMI - Man Machine Interface

The man machine interface (MMI) is the interface to the user. Normally it is connected with a keypad as input device and a display as output device. In G23, there is an AT Command Interpreter (ACI); therefore the MMI is sometimes also referred to as ACI in the present document if "the layer above layer 3" is to be identified.

Between the several entities data interfaces are defined. These data interfaces are called Service Access Points (SAPs), indicating that an upper layer uses the services of a lower layer.

The GSM specifications do not set out any implementation of the Protocol Stack. The following diagrams show the implementation described in all these documents for the mobile station. All entities except the Man Machine Interface and Physical Layer are implemented as part of the Protocol Stack - with ACI seen as an integral part of the stack in almost all cases.

Technical Document GSM Protocol Stack Message Sequence Charts MM (6147.203.97.102), v0.3 Draft

For GPRS, there are more entities.

9 GRR (RLC/MAC) – Radio Link Control/Medium Access Control

This layer contains two functions: The Radio Link Control function provides a radio-solution-dependent reliable link. The Medium Access Control function controls the access signalling (request and grant) procedures for the radio channel, and the mapping of LLC frames onto the GSM physical channel.

10 LLC – Logical Link Control

The LLC entity provides multiple highly reliable logical links for asynchronous data transfer between the MS and the network. It supports variable-length information frames, acknowledged and unacknowledged data transfer, flow and sequence control, error detection and recovery, notification of unrecoverable errors, user identity confidentiality, and ciphering of user and signaling data.

11 GMM – GPRS Mobility Management

The GMM entity provides procedures for the mobility of the MS, such as informing the network of its present location, and user identity confidentiality. It manages the GMM context (attach, detach, routing area updating), supports security functions such as authentication of user and MS, controls ciphering of data, and initiates the response to paging messages.

12 SM – Session Management

The main function of the session management (SM) is to support PDP context handling of the user terminal. Session Management activates, modifies and deletes the contexts for packet data protocols (PDP). Session Management services are provided at the SMREG-SAP and the SNSM-SAP for anonymous and non-anonymous access. The non-anonymous and anonymous access procedures for PDP context activation and PDP context deactivation are available at the SMREG-SAP. In addition there exists a PDP context modification for non-anonymous PDP contexts.

13 SNDCP - Subnetwork Dependent Convergence Protocol

SNDCP carries out all functions related to transfer of Network layer Protocol Data Units (N-PDUs) over GPRS in a transparent way. SNDCP helps to improve channel efficiency by means of compression techniques. The set of protocol entities above SNDCP consists of commonly used network protocols. They all use the same SNDCP entity, which then performs multiplexing of data coming from different sources to be sent using the service provided by the LLC layer.

14 GACI – GPRS Application Control Interface

The GACI is the GPRS extension of the ACI. It is specified in GSM 07.07 and 07.60. It is responsible for processing of the GPRS related AT Commands to setup, activate and deactivate the PDP context parameter. It also provides functionality for the interworking between GMM/SM/SNDCP and a packet oriented protocol like PPP.

15 GSMS - GPRS Short Message Service

Like GACI, GSMS, the GPRS Short Message Service, is also not a new entity of its own, but it is the GSM SMS entity enhanced by GPRS functionality.


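The difference between a protocol stack primitive and a message is as follows:

Primitives are used by protocol stack entities in adjacent upper and lower layers to exchange information, whereas messages are exchanged between peer entities.

For example, mm and rr on the device side exchange primitives, while rr on the device and rr on the network side exchange messages.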


This section describes the information that the SIM provides to the GSM MM and GMM.

GSM specification 11.11 describes the preconditions for GSM operation as follows:

For a SIM of Phase 2 or greater, GSM operation shall only start if one of the two following conditions is fulfilled:

- if EFIMSI and EFLOCI are not invalidated, the GSM operation shall start immediately;

- if EFIMSI and EFLOCI are invalidated, the ME rehabilitates these two EFs.

So what information should the SIM provide, and what does the procedure look like?

Afterwards, the ME runs the following procedures:

- Administrative Information request;

- SIM Service Table request;

- IMSI request;

- Access Control request;

- HPLMN Search Period request;

- PLMN selector request;

- Location Information request;

- Cipher Key request;

- BCCH information request;

- Forbidden PLMN request;

- CBMID request;

- Depersonalisation Control Keys request

- Network’s indication of alerting request (if $(NIA)$ is supported)

All right, let's see how TI's code implements this part of the protocol stack.

The overall flow is as follows (in the function app_sim_read_parameters):


result = app_fdn_bdn_procedures (sim_mmi_insert_ind);
if ((result EQ SIM_NO_OPERATION) OR
    !app_sim_mm_insert_ind (sim_mmi_insert_ind))
  app_sim_mmi_insert_ind (sim_mmi_insert_ind, SIM_NO_OPERATION);
else
  app_sim_mmi_insert_ind (sim_mmi_insert_ind, result);

PSENDX (MMI, sim_mmi_insert_ind);
if (result NEQ SIM_NO_OPERATION)
  app_sim_sms_insert_ind ();

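The function app_fdn_bdn_procedures checks whether the SIM's IMSI and LOCI are supported, and also checks BDN and FDN.

An ordinary SIM card will of course not yield SIM_NO_OPERATION, so app_sim_mm_insert_ind (sim_mmi_insert_ind) is always executed.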

GLOBAL UBYTE app_sim_mm_insert_ind (T_SIM_MMI_INSERT_IND * sim_mmi_insert_ind)
{
  // First allocate a SIM-MM protocol primitive
  PALLOC (sim_mm_insert_ind, SIM_MM_INSERT_IND);

  SIM_CLEAR_FLAG (TEST_SIM_INSERTED);

  // Read the administrative data
  if (FKT_Select (SIM_AD, response, SIM_MIN_EF_ST_LEN) EQ SIM_NO_ERROR)
  sim_mm_insert_ind->c_ad = (UBYTE)length;
  if(FKT_ReadBinary ((UBYTE *)&sim_mm_insert_ind->ad, 0, length) EQ SIM_NO_ERROR)
  // If ad[0] & 0x80 is set, this is a test card
  if(sim_mm_insert_ind->ad[0] & 0x80)
  {
    SIM_SET_FLAG (TEST_SIM_INSERTED);
#if defined SIM_TOOLKIT
    SIM_SET_FLAG (TEST_MODE_POLLING);
#endif
  }

  /*
   * read IMSI (set to zero in case of error)
   */
  memset (&sim_mmi_insert_ind->imsi_field, 0, sizeof (T_imsi_field));
  if (FKT_Select (SIM_IMSI, NULL, 0) EQ SIM_NO_ERROR)
  {
    if (FKT_ReadBinary ((UBYTE *)&sim_mm_insert_ind->imsi_field, 0, MAX_IMSI)
    …………..
  }

  /*
   * Modify polling algorithm in case of HPLMN == Test Network
   */
  if ((sim_mm_insert_ind->imsi_field.c_field >= 3) AND
      ((sim_mm_insert_ind->imsi_field.field[0] & 0xF7) EQ 0x01) AND
      (sim_mm_insert_ind->imsi_field.field[1] EQ 0x10) AND
      (sim_mm_insert_ind->imsi_field.field[2] EQ 0x10))
  {
    SIM_SET_FLAG (TEST_SIM_INSERTED);
#if defined SIM_TOOLKIT
    SIM_SET_FLAG (TEST_MODE_POLLING);
#endif
  }

  /*
   * read location information
   */
  if (FKT_Select (SIM_LOCI, NULL, 0) EQ SIM_NO_ERROR)

  /*
   * Access control classes
   */
  if (FKT_Select (SIM_ACC, NULL, 0) EQ SIM_NO_ERROR)

  /*
   * BCCH information
   */
  if (FKT_Select (SIM_BCCH, NULL, 0) EQ SIM_NO_ERROR)

  /*
   * KC and cipher key sequence number
   */
  if (FKT_Select (SIM_KC, NULL, 0) EQ SIM_NO_ERROR)

  /*
   * Read Preferred PLMNs
   */
  if (SIM_IS_FLAG_SET (SERVICE_7_SUPPORT))
  {
    if (FKT_Select (SIM_PLMNSEL, response, SIM_MIN_EF_ST_LEN) EQ SIM_NO_ERROR)

  /*
   * Read forbidden PLMNs
   */
  if (FKT_Select (SIM_FPLMN, NULL, 0) EQ SIM_NO_ERROR)

  /*
   * Read Acting HPLMN
   */
  FileSelRes = FKT_Select(SIM_CING_AHPLMN, NULL, 0);

#if defined (GPRS)
  gprs_gmm_insert_ind (sim_mm_insert_ind);
#endif

  /*
   * send information to mobility management
   */
  PSENDX (MM, sim_mm_insert_ind);
  SIM_SET_FLAG (MM_KNOWS_FROM_SIM);
}
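The three-octet "Test Network" comparison in the code above is easier to audit once the IMSI field is decoded. The following is an added example, not TI's code: it assumes field[] holds the EF_IMSI octets after the length byte, and the function names and sample values are hypothetical. It goes slightly beyond the page by decoding the whole IMSI (BCD digits, type and parity bits as coded in GSM 11.11) and comparing the raw check with a check on validated digits.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode an IMSI field (the EF_IMSI octets after the length byte) into ASCII
 * digits. Returns the digit count, or -1 if the coding is malformed. */
int imsi_decode(const uint8_t *f, size_t c_field, char out[16])
{
    if (f == NULL || c_field < 1 || c_field > 8) return -1;
    if ((f[0] & 0x07) != 0x01) return -1;      /* identity type must be IMSI */
    int odd = (f[0] >> 3) & 1;                 /* bit 0x08: odd number of digits */
    int n = 0;
    for (size_t i = 0; i < c_field; i++) {
        uint8_t lo = f[i] & 0x0F, hi = f[i] >> 4;
        if (i > 0) {                           /* low nibble of octet 0 is type/parity */
            if (lo > 9) return -1;
            out[n++] = (char)('0' + lo);
        }
        if (hi == 0x0F && i > 0 && i == c_field - 1) break;  /* end filler */
        if (hi > 9) return -1;
        out[n++] = (char)('0' + hi);
    }
    out[n] = '\0';
    return ((n & 1) == odd) ? n : -1;          /* parity bit must match the count */
}

/* The comparison used in the page's code, applied to the raw octets. */
int raw_test_network(const uint8_t *f, size_t c_field)
{
    return c_field >= 3 && (f[0] & 0xF7) == 0x01 && f[1] == 0x10 && f[2] == 0x10;
}

/* The same decision on decoded digits: the IMSI must start with 00101. */
int decoded_test_network(const uint8_t *f, size_t c_field)
{
    char d[16];
    return imsi_decode(f, c_field, d) >= 5 && strncmp(d, "00101", 5) == 0;
}

/* Constructed sample fields, not read from real cards. */
static const uint8_t IMSI_TEST[8]  = {0x09,0x10,0x10,0x10,0x32,0x54,0x76,0x98};
static const uint8_t IMSI_OTHER[8] = {0x29,0x26,0x10,0x10,0x32,0x54,0x76,0x98};
static const uint8_t IMSI_BAD[8]   = {0x09,0x10,0x10,0xA0,0x32,0x54,0x76,0x98};

int main(void)
{
    return !(raw_test_network(IMSI_TEST, 8) && decoded_test_network(IMSI_TEST, 8));
}
```

IMSI_TEST decodes to 001010123456789, so the constants 0x01, 0x10, 0x10 correspond to the leading digits 00101; IMSI_BAD passes the raw comparison but fails decoding because a later nibble is not a BCD digit.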

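What initialisation steps does the SIM protocol stack entity perform at system start-up? The following analysis uses TI's protocol stack implementation.

The function app_init_sim_data registers the hook functions for SIM insert and remove.

simdrv_register(app_sim_insert, app_sim_remove);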

GLOBAL void app_sim_insert( T_SIMDRV_atr_string_info *atr_string_info,
                            U8 config_requested,
                            T_SIMDRV_config_characteristics *config_characteristics)
{
  // After ATR processing has completed, first set the current directory to MF
  sim_data.act_directory = SIM_MF;

  // First select DFgsm
  error = FKT_Select (SIM_DF_GSM, response, SIM_MIN_DMF_ST_LEN);

  // If the selection succeeds, store the returned information in dir_status and set the flag
  SIM_SET_FLAG (GSM_DATAFIELD);

  // Otherwise select DF1800
  error = FKT_Select (SIM_DF_1800, response, SIM_MIN_DMF_ST_LEN);
  SIM_CLEAR_FLAG (GSM_DATAFIELD);

Then a protocol primitive is allocated:

  T_SIM_ACTIVATE_CNF * sim_activate_cnf;

  if (SIM_IS_FLAG_SET (ACTIVATION_STARTED))
  {
    PALLOC (sim_activate, SIM_ACTIVATE_CNF);
    sim_activate_cnf = sim_activate;
  }
  else
  {
    PALLOC (sim_activate, SIM_ACTIVATE_IND);
    sim_activate_cnf = (T_SIM_ACTIVATE_CNF *)sim_activate;
  }

  // Then read ECC
  if (FKT_Select (SIM_ECC, response, SIM_MIN_EF_ST_LEN) EQ SIM_NO_ERROR)
    FKT_ReadBinary (sim_activate_cnf->ec_code, 0, length);

  // Then read LP
  if (FKT_Select (SIM_LP, response, SIM_MIN_EF_ST_LEN) EQ SIM_NO_ERROR)
    FKT_ReadBinary (sim_activate_cnf->pref_lang, 0, length);

  // Also put the ATR into the protocol primitive
  memcpy (sim_activate_cnf->atr, atr_string_info->atr_string, length);

  // Next check the state of the PIN and PUK
  SIM_CLEAR_FLAG (SIM_PIN_FLAG);
  sim_activate_cnf->pin_cnt = FKT_check_pin_count (dir_status.pinstatus);
  sim_activate_cnf->puk_cnt = FKT_check_pin_count (dir_status.unbstatus);
  sim_activate_cnf->pin2_cnt = FKT_check_pin_count (dir_status.pin2status);
  sim_activate_cnf->puk2_cnt = FKT_check_pin_count (dir_status.unb2status);

  // Then set the cause according to the PIN and PUK state
  sim_activate_cnf->cause = SIM_CAUSE_PIN1_EXPECT/SIM_CAUSE_PIN1_EXPECT;

  // If the cause is SIM_CAUSE_PUK1_BLOCKED, send the message to MMI and return immediately;
  // the messages to MM and GMM are not sent.
  TRACE_EVENT ("Card blocked");
  sim_activate_cnf->cause = SIM_CAUSE_PUK1_BLOCKED;
  SIM_EM_SIM_ACTIVATION_RESULT;
  PSENDX (MMI, sim_activate_cnf);
  SIM_CLEAR_FLAG (ACTIVATION_STARTED);
  return;

  // If no PIN or PUK is required, continue; otherwise wait for PIN/PUK verification.
  if (SIM_IS_FLAG_CLEARED (SIM_PIN_FLAG))
  /*
   * PIN entering is not necessary
   */
  {
    SIM_SET_FLAG(PIN1_VERIFIED);
    TRACE_EVENT ("Read the rest of Parameters");
    app_sim_read_parameters ();
    app_start_status_timer (TRUE);
  }
  else
  {
    TRACE_EVENT ("Wait for PIN/PUK entering");
    SIM_CLEAR_FLAG (MM_KNOWS_FROM_SIM);
    vsi_t_stop (VSI_CALLER SIM_TIMER);
  }

app_sim_read_parameters ()
{
  // Allocate the SIM_MMI_INSERT_IND protocol primitive
  PALLOC (sim_mmi_insert_ind, SIM_MMI_INSERT_IND);

Next the SIM phase is read:

  error = FKT_Select (SIM_PHASE, NULL, 0);
  if (error EQ SIM_NO_ERROR)
    error = FKT_ReadBinary (&sim_data.sim_phase, 0, 1);

  if (sim_data.sim_phase EQ 0)
    sim_data.sim_phase = 1;
  if (sim_data.sim_phase > 3)
    sim_data.sim_phase = 3;

For phase 1 the following operations are performed:

  // try to read the SIM service table
  if (!app_read_sim_service_table(sim_mmi_insert_ind))
  {
    app_sim_mmi_insert_ind (sim_mmi_insert_ind, SIM_NO_OPERATION);
    return;
  }

  if (app_sim_mm_insert_ind (sim_mmi_insert_ind) EQ FALSE)
    app_sim_mmi_insert_ind (sim_mmi_insert_ind, SIM_NO_OPERATION);
  else
    app_sim_mmi_insert_ind (sim_mmi_insert_ind, SIM_ADN_ENABLED) ;

  PSENDX (MMI, sim_mmi_insert_ind);
  app_sim_sms_insert_ind ();

Phase 2+ means that the SIM card supports the STK service.

  stk_perform_profile_download ();

  /* Update the Terminal Support table*/
  if(FKT_Select(SIM_CING_TRMST, NULL, 0) EQ SIM_NO_ERROR)
  {
    FKT_UpdateBinary (sim_data.trmst, MAX_TRMST, 0);
  }

Phase 2 and 2+ then continue with the following operations:

  result = app_fdn_bdn_procedures (sim_mmi_insert_ind);
  if ((result EQ SIM_NO_OPERATION) OR
      !app_sim_mm_insert_ind (sim_mmi_insert_ind))
    app_sim_mmi_insert_ind (sim_mmi_insert_ind, SIM_NO_OPERATION);
  else
    app_sim_mmi_insert_ind (sim_mmi_insert_ind, result);

  PSENDX (MMI, sim_mmi_insert_ind);
  if (result NEQ SIM_NO_OPERATION)
    app_sim_sms_insert_ind ();
}

}


SELECT

COMMAND | CLASS | INS | P1 | P2 | P3
SELECT | 'A0' | 'A4' | '00' | '00' | '02'

Command parameters/data:

Byte(s) | Description | Length
1 - 2 | File ID | 2

Response parameters/data in case of an MF or DF:

Byte(s) | Description | Length
1 - 2 | RFU | 2
3 - 4 | Total amount of memory of the selected directory which is not allocated to any of the DFs or EFs under the selected directory | 2
5 - 6 | File ID | 2
7 | Type of file | 1
8 - 12 | RFU | 5
13 | Length of the following data (byte 14 to the end) | 1
14 - 34 | GSM specific data | 21

GSM specific data:

Byte(s) | Description | Length
14 | File characteristics | 1
15 | Number of DFs which are a direct child of the current directory | 1
16 | Number of EFs which are a direct child of the current directory | 1
17 | Number of CHVs, UNBLOCK CHVs and administrative codes | 1
18 | RFU | 1
19 | CHV1 status | 1
20 | UNBLOCK CHV1 status | 1
21 | CHV2 status | 1
22 | UNBLOCK CHV2 status | 1
23 | RFU | 1
24 - 34 | Reserved for the administrative management | 0 ≤ lgth ≤ 11

Response parameters/data in case of an EF:

Byte(s) | Description | Length
1 - 2 | RFU | 2
3 - 4 | File size (for transparent EF: the length of the body part of the EF) (for linear fixed or cyclic EF: record length multiplied by the number of records of the EF) | 2
5 - 6 | File ID | 2
7 | Type of file | 1
8 | For transparent and linear fixed EFs this byte is RFU. For a cyclic EF all bits except bit 7 are RFU; b7=1 indicates that the INCREASE command is allowed on the selected cyclic file. | 1
9 - 11 | Access conditions | 3
12 | File status | 1
13 | Length of the following data (byte 14 to the end) | 1
14 | Structure of EF | 1
15 | Length of a record | 1
16 and following | RFU | -
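A bounds-checked parser for the two SELECT response layouts tabulated above, added here as an example (it is not TI's FKT_Select code; all names and sample bytes are hypothetical). The file-type codes, EF structure codes and the meaning of the CHV status low nibble (attempts remaining) are taken from GSM 11.11 rather than from this page.

```c
#include <stddef.h>
#include <stdint.h>

enum { SEL_OK = 0, SEL_SHORT = -1, SEL_BAD_LEN = -2, SEL_BAD_TYPE = -3 };

typedef struct {
    uint16_t file_id;       /* bytes 5-6 */
    uint16_t size;          /* bytes 3-4: free memory (MF/DF) or file size (EF) */
    uint8_t  type;          /* byte 7: 0x01 MF, 0x02 DF, 0x04 EF */
    uint8_t  chv1_left;     /* MF/DF: low nibble of byte 19, 0 = blocked */
    uint8_t  unblock1_left; /* MF/DF: low nibble of byte 20, 0 = blocked */
    uint8_t  ef_structure;  /* EF: byte 14 (0x00 transparent, 0x01 linear, 0x03 cyclic) */
    uint8_t  rec_len;       /* EF: byte 15, record-based files only */
} sel_info;

/* Parse a SELECT response of n bytes; r[0] is "byte 1" in the tables above. */
int parse_select(const uint8_t *r, size_t n, sel_info *o)
{
    if (!r || !o || n < 14) return SEL_SHORT;      /* bytes 1-14 are the minimum */
    size_t follow = r[12];                         /* byte 13 */
    if (follow < 1 || 13 + follow > n) return SEL_BAD_LEN; /* claims more than received */
    *o = (sel_info){0};
    o->size    = (uint16_t)((r[2] << 8) | r[3]);
    o->file_id = (uint16_t)((r[4] << 8) | r[5]);
    o->type    = r[6];
    switch (o->type) {
    case 0x01: case 0x02:                          /* MF or DF */
        if (follow < 9) return SEL_BAD_LEN;        /* need bytes 14-22 */
        o->chv1_left     = r[18] & 0x0F;
        o->unblock1_left = r[19] & 0x0F;
        return SEL_OK;
    case 0x04:                                     /* EF */
        o->ef_structure = r[13];
        if (o->ef_structure == 0x00) return SEL_OK;   /* transparent: no records */
        if (follow < 2) return SEL_BAD_LEN;        /* byte 15 is required */
        o->rec_len = r[14];
        if (o->rec_len == 0 || o->size % o->rec_len) return SEL_BAD_LEN;
        return SEL_OK;
    default:
        return SEL_BAD_TYPE;
    }
}

/* Constructed samples, not captured from a card. */
static const uint8_t SAMPLE_DF[] = { 0x00,0x00, 0x12,0x34, 0x7F,0x20, 0x02,
    0,0,0,0,0, 0x0A, 0x13,0x00,0x10,0x04,0x00, 0x83,0x8A,0x83,0x8A, 0x00 };
static const uint8_t SAMPLE_EF[] = { 0x00,0x00, 0x00,0x09, 0x6F,0x07, 0x04,
    0x00, 0x14,0x00,0x14, 0x01, 0x02, 0x00, 0x00 };

int main(void)
{
    sel_info s;
    return parse_select(SAMPLE_DF, sizeof SAMPLE_DF, &s);
}
```

Byte 13 comes from the card, so it is checked against the number of bytes actually received before any byte past offset 12 is read.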
