Search for posts tagged with: GSM protocol stack


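Radio Resource management (RR) is mainly responsible for establishing, maintaining and releasing radio connections, which lets the MS (Mobile Station) communicate point-to-point with the network. This mainly covers cell selection and reselection, as well as handover. The RR sublayer also includes the function of listening to the unidirectional BCCH and CCCH channels, which is what makes automatic cell changes possible.

If the GPRS (General Packet Radio Service) point-to-point service is supported, the RR sublayer also manages the packet data physical channels.

If VGCS (Voice Group Call Service) and VBS (Voice Broadcast Service) are supported, the RR sublayer also listens to the NCH (Notification Channel) and acquires and releases voice group call channels.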


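Some requests arrive at a moment when MM cannot execute them, although a later state may well allow it. For example, MM may be waiting for a reply from the network when the MMI issues a network search command. Issuing that command in the current state is not an error, so MM must not return an error for it. By contrast, a non-emergency call made with no SIM card inserted does get an error from MM, and the command cannot be executed.
For requests that MM cannot execute for the time being, MM calls mm_write_entry to put the command into a table, where it waits for a suitable moment to be executed. Those moments are: after MM has finished processing another primitive sent to it, and after an MM timer has expired and the corresponding action has been carried out.
When MM is able to execute the commands in the table, it executes every command in the table from the start, rather than one command at a time. Each entry in the table stores the originator of the message, the ti, and the meaning of the command, and MM uses this information to re-execute the command.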


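1. MMI/CM sends MMXX_ESTABLISH_REQ to MM. XX may be CC, SS or SMS. The ti (transaction identifier) used ranges from 0 to 6.

2. If an RR connection exists, MM sends RR_DATA_REQ to RR; if no RR connection exists, MM sends RR_ESTABLISH_REQ to RR.

3. When the RR connection is established, MM starts timer T3240 and waits for the network's response.

4. If everything is in order, the network returns RR_ESTABLISH_CNF to MM through RR.

5. If the network can provide the service requested by MMI/CM, RR/DL sends RR_DATA_IND (CM SERVICE ACCEPT) to MM.

6. RR/DL then sends RR_SYNC_IND (ciphering on) to MM.

7. MM returns MMXX_ESTABLISH_CNF to MMI/CM.

If T3240 expires without a response from the network, MM sends RR_ABORT_REQ to RR and then sends MMXX_RELEASE_IND to MMI/CM.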
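
The sequence above, modelled as a small state machine. This is an added example, not code from the original post or from the G23 stack; it goes slightly beyond the listed steps by ignoring out-of-sequence primitives, so MMXX_ESTABLISH_CNF is only produced after ciphering has been switched on. The enum, struct and ST_* names are hypothetical, and starting T3240 when the request is handed to RR and stopping it on confirmation are simplifying assumptions.

```c
#include <string.h>

/* Events and emitted primitives use the names from the steps above;
   the enums, struct and ST_* state names are hypothetical. */
typedef enum { EV_MMXX_ESTABLISH_REQ, EV_RR_ESTABLISH_CNF, EV_CM_SERVICE_ACCEPT,
               EV_RR_SYNC_CIPHERING_ON, EV_T3240_EXPIRY } mm_event;
typedef enum { ST_IDLE, ST_WAIT_RR, ST_WAIT_ACCEPT, ST_WAIT_CIPHER, ST_ACTIVE } mm_state;

/* rr_conn: an RR connection exists; t3240: timer running; sent: output of last event */
typedef struct { mm_state state; int rr_conn, t3240; char sent[64]; } mm_ctx;

static void emit(mm_ctx *c, const char *prim) {
    if (c->sent[0] != '\0') strcat(c->sent, ",");
    strcat(c->sent, prim);
}

/* Feed one event and return the new state. Primitives that arrive out of
   sequence are ignored, so the confirm can only follow "ciphering on". */
mm_state mm_step(mm_ctx *c, mm_event ev) {
    c->sent[0] = '\0';
    if (ev == EV_T3240_EXPIRY) {
        if (c->t3240) {                       /* the network never answered */
            emit(c, "RR_ABORT_REQ"); emit(c, "MMXX_RELEASE_IND");
            c->t3240 = 0; c->rr_conn = 0; c->state = ST_IDLE;
        }
        return c->state;
    }
    switch (c->state) {
    case ST_IDLE:
        if (ev != EV_MMXX_ESTABLISH_REQ) break;
        emit(c, c->rr_conn ? "RR_DATA_REQ" : "RR_ESTABLISH_REQ");  /* step 2 */
        c->t3240 = 1;                          /* step 3 (assumed start point) */
        c->state = c->rr_conn ? ST_WAIT_ACCEPT : ST_WAIT_RR;
        break;
    case ST_WAIT_RR:                           /* step 4 */
        if (ev == EV_RR_ESTABLISH_CNF) { c->rr_conn = 1; c->state = ST_WAIT_ACCEPT; }
        break;
    case ST_WAIT_ACCEPT:                       /* step 5 */
        if (ev == EV_CM_SERVICE_ACCEPT) c->state = ST_WAIT_CIPHER;
        break;
    case ST_WAIT_CIPHER:                       /* steps 6 and 7 */
        if (ev != EV_RR_SYNC_CIPHERING_ON) break;
        emit(c, "MMXX_ESTABLISH_CNF");
        c->t3240 = 0; c->state = ST_ACTIVE;    /* assumed: timer stopped on confirm */
        break;
    case ST_ACTIVE: break;
    }
    return c->state;
}
```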


Authentication

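While MM is registering with the network, the network sends an authentication request. The request reaches MM as RR_DATA_IND (AUTHENTICATION REQUEST), and this primitive carries the random number (RAND) sent by the network. MM passes RAND to the SIM in the SIM_AUTHENTICATION_REQ primitive. The SIM executes the RUN GSM ALGORITHM command, computes SRES and Kc from the RAND it received, and returns them to MM in SIM_AUTHENTICATION_CNF. Once MM has this data, it sends it to RR via RR_DATA_REQ (AUTHENTICATION RESPONSE) and RR_SYNC_REQ (ciphering parameters), and it is then passed on to the network. The network compares the SRES it receives with the SRES it computed itself and uses the result as the basis for authentication. Kc is used by the ME for subsequent enciphered communication with the network.

The code flow with which the SIM entity answers MM's SIM_AUTHENTICATION_REQ is as follows: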

    if (SIM_IS_FLAG_SET (GSM_DATAFIELD))
      error = FKT_Select (SIM_DF_GSM, NULL, 0);
    else
      error = FKT_Select (SIM_DF_1800, NULL, 0);
    // Note: DF_GSM must be selected before the SIM executes RUN GSM ALGORITHM

    if (error EQ SIM_NO_ERROR)
      error = FKT_RunGSMAlgo (sim_authentication_req->rand, response, SIM_GSM_ALG_LEN);

    ////////////////////////////////////
    // FKT_RunGSMAlgo is implemented as follows
    sw1sw2 = SIM_RunGSMAlgo ((UBYTE *)response,
                             (UBYTE *)rand,
                             &size);
    error = FKT_convert_error (sw1sw2, size);
    if (error EQ SIM_NO_ERROR)
      error = FKT_GetResponse (data, len);
    return error;
    // SIM_RunGSMAlgo simply wraps the SIM command SIM_RUN_GSM_ALGO and sends it to the SIM
    ///////////////////////////////////////////

    PSENDX (MM, sim_authentication_cnf);

    error = FKT_Select (SIM_KC, NULL, 0);
    if (error EQ SIM_NO_ERROR)
    {
      kc_n.c_kc = MAX_KC_N;
      FKT_UpdateBinary (kc_n.kc, (USHORT)kc_n.c_kc, 0);
    }
    // After the confirmation has been sent to MM, the code goes on to select SIM_KC and update that EF.
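
A sketch of the two checks that surround this exchange, added here as an example and not taken from the original post or the TI sources: the ME accepts the card's answer only when the status word announces the 12 response bytes of RUN GSM ALGORITHM (SRES followed by Kc, as laid out in GSM 11.11), and the network side compares SRES without an early exit. The function names, the struct and the sample bytes are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SRES_LEN 4
#define KC_LEN   8
#define GSM_ALG_LEN (SRES_LEN + KC_LEN)   /* response layout: SRES || Kc */

typedef struct { uint8_t sres[SRES_LEN]; uint8_t kc[KC_LEN]; } auth_result;

/* Constructed sample of a GET RESPONSE payload (not real key material). */
const uint8_t SAMPLE_RESPONSE[GSM_ALG_LEN] =
    { 0xA1, 0xB2, 0xC3, 0xD4, 1, 2, 3, 4, 5, 6, 7, 8 };

/* ME side: sw1sw2 is the status of RUN GSM ALGORITHM, resp/len the data
   returned by GET RESPONSE. SW1 = 0x9F means "response data available" and
   SW2 carries its length. Returns 0 on success, -1 otherwise; *out is
   zeroed on failure so a stale SRES or Kc can never be forwarded. */
int split_run_gsm_algo(uint16_t sw1sw2, const uint8_t *resp, size_t len,
                       auth_result *out) {
    memset(out, 0, sizeof *out);
    if ((sw1sw2 >> 8) != 0x9F || (sw1sw2 & 0xFF) != GSM_ALG_LEN) return -1;
    if (resp == NULL || len != GSM_ALG_LEN) return -1;
    memcpy(out->sres, resp, SRES_LEN);
    memcpy(out->kc, resp + SRES_LEN, KC_LEN);
    return 0;
}

/* Network side: compare the received SRES with the expected one without an
   early exit, so timing does not reveal how many bytes matched. */
int sres_matches(const uint8_t a[SRES_LEN], const uint8_t b[SRES_LEN]) {
    uint8_t diff = 0;
    for (size_t i = 0; i < SRES_LEN; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}
```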


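When the MS has selected a different cell, MM needs to start location updating. At this point the MM state should be IDLE ATTEMPT TO UPDATE.

If the Location Update is accepted, RR returns the following primitive

When MM handles RR_DATA_IND (Location Update Accept), it first stops timers T3212 and T3210 and then sets mm_data->reg.update_stat = MS_UPDATED;

RR_DATA_IND carries the type of the Mobile Identity. The type may be TMSI, IMSI, IMEI, or empty.

MM handles the different Mobile Identity types as follows:

MM first reallocates the TMSI: it stores the TMSI from RR_DATA_IND in reg.tmsi of the MM data, sends BSIZE_U_TMSI_REALLOC_COMP to RR, saves the LAI from RR_DATA_IND, then sends RR_SYNC_REQ (rr_sync_req_tmsi), and finally sends RR_SYNC_REQ (Location Area allowed).

The corresponding code is: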

    MCAST (tmsi_realloc_comp, U_TMSI_REALLOC_COMP);

    /* Save TMSI in MM registration data */
    mm_store_tmsi (&loc_upd_accept->mob_id);

    /* Send RR_DATA_REQ (TMSI_REALLOC_COMPLETE) */
    tmsi_realloc_comp->msg_type = U_TMSI_REALLOC_COMP;
    for_data_req (BSIZE_U_TMSI_REALLOC_COMP);

    mm_data->reg.lai = loc_upd_accept->loc_area_ident;

    /* Send RR_SYNC_REQ */
    mm_build_rr_sync_req_tmsi ();

    /* Send RR_SYNC_REQ (Location Area allowed) */
    mm_build_rr_sync_req_cause (SYNCCS_LAI_ALLOW);

MM first deletes the stored TMSI, saves the LAI from RR_DATA_IND, then tells RR through RR_SYNC_REQ that the TMSI is no longer valid, and finally sends RR_SYNC_REQ (Location Area allowed).

The corresponding code is:

    mm_data->reg.tmsi = TMSI_INVALID_VALUE;
    mm_build_rr_sync_req_cause (SYNCCS_TMSI_INVAL);
    mm_data->reg.lai = loc_upd_accept->loc_area_ident;
    mm_build_rr_sync_req_cause (SYNCCS_LAI_ALLOW);


MM only builds a BSIZE_B_MM_STATUS and sends it to RR; MM appears to ignore this mobile identity.

The corresponding code is:

    MCAST (mm_status, B_MM_STATUS);
    mm_build_mm_status (RC_INCORRECT_MESSAGE, mm_status);
    for_data_req (BSIZE_B_MM_STATUS);

MM sends RR_SYNC_REQ (Location Area allowed) to RR directly.

The corresponding code is:

    mm_data->reg.lai = loc_upd_accept->loc_area_ident;
    mm_build_rr_sync_req_cause (SYNCCS_LAI_ALLOW);
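
How the identity type can be read from the Mobile Identity value and mapped to the four handling paths above, as an added example that is not part of the original post or the TI code. The type-of-identity coding follows 3GPP TS 24.008; pairing the four paths with TMSI, IMSI, IMEI and "none" in the order the post lists the types, and rejecting a malformed TMSI with the MM STATUS path, are assumptions, as are all names.

```c
#include <stdint.h>
#include <stddef.h>

/* Type of identity: low three bits of the first octet of the value part. */
enum { ID_NONE = 0, ID_IMSI = 1, ID_IMEI = 2, ID_IMEISV = 3, ID_TMSI = 4 };

/* Hypothetical names for the four handling paths described above. */
typedef enum { ACT_STORE_TMSI, ACT_INVALIDATE_TMSI,
               ACT_MM_STATUS, ACT_LAI_ONLY } lu_action;
typedef struct { lu_action action; uint32_t tmsi; } lu_decision;

/* Constructed sample: TMSI 0x12345678 as it appears in the value part. */
const uint8_t SAMPLE_TMSI_ID[5] = { 0xF4, 0x12, 0x34, 0x56, 0x78 };

/* mob_id points at the value part of the Mobile Identity (NULL/0 if absent). */
lu_decision on_loc_upd_accept(const uint8_t *mob_id, size_t len) {
    lu_decision d = { ACT_LAI_ONLY, 0 };
    if (mob_id == NULL || len == 0) return d;         /* no identity sent */
    switch (mob_id[0] & 0x07) {
    case ID_TMSI:
        /* A TMSI is coded as 0xF4 followed by four octets; anything else is
           answered with MM STATUS instead of being stored (assumed policy). */
        if (len != 5 || mob_id[0] != 0xF4) { d.action = ACT_MM_STATUS; break; }
        d.tmsi = ((uint32_t)mob_id[1] << 24) | ((uint32_t)mob_id[2] << 16) |
                 ((uint32_t)mob_id[3] << 8)  |  (uint32_t)mob_id[4];
        d.action = ACT_STORE_TMSI;
        break;
    case ID_IMSI: d.action = ACT_INVALIDATE_TMSI; break;  /* drop stored TMSI */
    case ID_NONE: d.action = ACT_LAI_ONLY;        break;
    default:      d.action = ACT_MM_STATUS;       break;  /* IMEI, IMEISV, reserved */
    }
    return d;
}
```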


MMR_NREG_REQ

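MMR_NREG_REQ has to be sent in the following three cases: CS_SIM_REM, CS_POW_OFF and CS_SOFT_OFF.

The procedure performs the following operations:

    TIMERSTOP (T3212);

It then calls the mm_mmr_nreg_req function to do the processing.

MM performs different operations depending on the state it is in at that moment.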

MM_NULL:

CS_POW_OFF and CS_SOFT_OFF first clear the register data, copy the sim_insert_info that the SIM sent to MM into MM's register data, then clear sim_insert_info and send the MMGMM_NREG_CNF primitive to GMM.

CS_SIM_REM also clears the register data, then decides whether registration is needed again, then sends the MMGMM_NREG_IND primitive to GMM. Finally, if STATE_REG_TYPE is REG_REMOTE_CONTROLLED, it sets STATE_REG_TYPE to REG_CELL_SEARCH_ONLY and STATE_GPRS_CM_EST to CM_GPRS_EST_IDLE.

MM_LUP_INITIATED, MM_LUP_REJECTED:

MM first sends RR_SYNC_REQ to RR and then sets the state to MM's invalid update state. It then performs the same operations as for the MM states MM_WAIT_FOR_OUTG_MM_CONN, MM_CONN_ACTIVE, MM_PROCESS_PROMPT and MM_WAIT_FOR_NW_CMD.

MM_WAIT_FOR_OUTG_MM_CONN, MM_CONN_ACTIVE, MM_PROCESS_PROMPT, MM_WAIT_FOR_NW_CMD:

If MM currently allows attach, the MS is updated, and detach_done is MMGMM_PERFORM_DETACH, the following is done:

First all CM connections whose type is CM_NOT_IDLE are released. Timers T3210, T3211, T3212, T3213, T3230 and T3240 are stopped, then imsi_detach_message is sent to RR, timer T3220 is started and the MM state is set to MM_IMSI_DETACH_INIT.

If the MM state does not meet these requirements, MM performs the same operations as for the MM states MM_WAIT_FOR_RR_CONN_LUP, MM_WAIT_FOR_RR_CONN_MM and MM_WAIT_FOR_REESTABLISH.

MM_WAIT_FOR_RR_CONN_LUP, MM_WAIT_FOR_RR_CONN_MM, MM_WAIT_FOR_REESTABLISH:

Again, all CM connections whose type is CM_NOT_IDLE are released first and timers T3210, T3211, T3212, T3213, T3230 and T3240 are stopped. For CS_POW_OFF and CS_SOFT_OFF, RR_ABORT_REQ is sent to RR with the cause set to normal abort, whereas for CS_SIM_REM the cause is set to sim remove. Finally the MM state is set to MM_IMSI_DETACH_INIT.

MM_IMSI_DETACH_INIT, MM_WAIT_FOR_RR_CONN_DETACH:

Sets mm_data->nreg_cause = nreg_cause;

MM_WAIT_FOR_RR_ACTIVE: RR is searching for a cell

Why is RR searching for a cell at this point? According to 04.08:

“If no RR connection exists, the MM sublayer within the mobile station will request the RR sublayer to establish a RR connection. If establishment of the RR connection is not possible because a suitable cell is not (or not yet) available then, the mobile station shall try for a period of at least 5 seconds and for not more than a period of 20 seconds to find a suitable cell. If a suitable cell is found during this time then, the mobile station shall request the RR sublayer to establish an RR connection, otherwise the IMSI detach is aborted.”

For CS_POW_OFF and CS_SOFT_OFF, MM sends MDL_RELEASE_REQ (SAPI 0) to the DL layer, which is really something the RR layer should do. It then sends RR_DEACTIVATE_REQ to RR, clears the register data, stops all MM timers and finally sets the MM state to MM_NULL. Lastly it performs the same operations as for MM state MM_NULL.

For CS_SIM_REM, MM first sends RR_ABORT_REQ to RR with the cause sim remove and then performs the same operations as for MM state MM_NULL.

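MM_LOCATION_UPDATING_PENDING, MM_IMSI_DETACH_PENDING, MM_IDLE_LUP_NEEDED,
MM_IDLE_NORMAL_SERVICE, MM_IDLE_ATTEMPT_TO_UPDATE:

Timers T3212 and T3213 are stopped. If MM currently allows attach, the MS is updated, and detach_done is MMGMM_PERFORM_DETACH, MM builds imsi_detach_message, then handles the mobile originated call by SS or SMS, and sets the state to MM_WAIT_FOR_RR_CONN_DETACH.

If the MM state does not meet these requirements, MM performs the same operations as for the MM states MM_IDLE_LIMITED_SERVICE and MM_IDLE_NO_IMSI.

MM_IDLE_LIMITED_SERVICE, MM_IDLE_NO_IMSI:

Timers T3211, T3212 and T3213 are stopped. For CS_POW_OFF and CS_SOFT_OFF, MM first sends MDL_RELEASE_REQ (SAPI 0) to the DL layer, then sends RR_DEACTIVATE_REQ to RR, clears the register data and sets the MM state to NO_SERVICE.

For CS_SIM_REM, MM first sends MDL_RELEASE_REQ (SAPI 0) to the DL layer, then sends RR_ABORT_REQ to RR with the cause sim remove, and clears the register data. If (mm_data->mm_idle_no_imsi_marker EQ 0), then mm_data->mm_idle_no_imsi_marker = 17; the MM state is set to MM_IDLE_NO_IMSI and the same operations as for MM state MM_NULL are performed, except that the service is changed to LIMITED_SERVICE.

MM_IDLE_NO_CELL_AVAILABLE:

Essentially the same as MM_IDLE_LIMITED_SERVICE and MM_IDLE_NO_IMSI, except that for CS_SIM_REM the final service is NO_SERVICE rather than LIMITED_SERVICE.

MM_IDLE_PLMN_SEARCH, MM_PLMN_SEARCH_NORMAL_SERVICE:

MM returns to the state it was in when the network search started:

    SET_STATE (STATE_MM, mm_data->idle_substate);

The function then calls itself again to handle that state:

    mm_mmr_nreg_req (nreg_cause, detach_done);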


Overview

This section offers a brief description of the different layers which constitute the mobile station Protocol Stack. It is also intended to offer an overview of the intersystem interface. The Protocol Stacks are used to define the functionality of the GSM protocols for interfaces. The GSM specifications are normative when used to describe the functionality of interfaces, but the stacks and the subdivision of protocol layers do not imply or restrict any implementation.

1 PL - Physical Layer

The base of the Protocol Stack rests on the physical layer.

2 DL - Data Link

The Data Link Layer (DL) is used to handle an acknowledged connection between mobile and base station. The LAPDm protocol is used.

3 RR - Radio Resource

Radio Resource (RR) manages the resources of the air-interface. That means configuration of physical layer, cell selection and cell reselection, data transfer, RR-Connection handling.

4 MM - Mobility Management

Mobility Management (MM) handles registration aspects for the mobile station. It detects changes of location areas and updates a mobile station in the new location area.

5 CC - Call Control

Call Control (CC) provides the call functionality. This includes call establishment, call maintenance procedures like Hold, Retrieve or Modify, and call disconnection.

6 SS - Supplementary Services

Supplementary Services (SS) handles all call independent supplementary services like call forwarding or call barring.

7 SMS - Short Message Services

Short Message Services (SMS) is used for sending and receiving point-to-point short messages. Additionally the reception of cell broadcast short messages is included. Call Control (CC), Supplementary Services (SS) and Short Message Services (SMS) together are referred to as Connection Management (CM) sometimes.

8 MMI - Man Machine Interface

The man machine interface (MMI) is the interface to the user. Normally it is connected with a keypad as input device and a display as output device. In G23, there is an AT Command Interpreter (ACI), therefore, sometimes the MMI is also referred to as ACI in the present document if “the layer above layer 3” is to be identified.

Between the several entities data interfaces are defined. These data interfaces are called Service Access Points (SAPs), indicating that an upper layer uses the services of a lower layer.

The GSM specifications do not set out any implementation of the Protocol Stack. The following diagrams show the implementation described in all these documents for the mobile station. All entities except the Man Machine Interface and Physical Layer are implemented as part of the Protocol Stack - with ACI seen as an integral part of the stack in almost all cases.

Technical Document GSM Protocol Stack Message Sequence Charts MM (6147.203.97.102), v0.3 Draft

For GPRS, there are more entities.

9 GRR (RLC/MAC) – Radio Link Control/Medium Access Control

This layer contains two functions: The Radio Link Control function provides a radio-solution-dependent reliable link. The Medium Access Control function controls the access signalling (request and grant) procedures for the radio channel, and the mapping of LLC frames onto the GSM physical channel.

10 LLC – Logical Link Control

The LLC entity provides multiple highly reliable logical links for asynchronous data transfer between the MS and the network. It supports variable-length information frames, acknowledged and unacknowledged data transfer, flow and sequence control, error detection and recovery, notification of unrecoverable errors, user identity confidentiality, and ciphering of user and signaling data.

11 GMM – GPRS Mobility Management

The GMM entity provides procedures for the mobility of the MS, such as informing the network of its present location, and user identity confidentiality. It manages the GMM context (attach, detach, routing area updating), supports security functions such as authentication of user and MS, controls ciphering of data, and initiates the response to paging messages.

12 SM – Session Management

The main function of the session management (SM) is to support PDP context handling of the user terminal. Session Management activates, modifies and deletes the contexts for packet data protocols (PDP). Session Management services are provided at the SMREG-SAP and the SNSM-SAP for anonymous and non-anonymous access. The non-anonymous and anonymous access procedures for PDP context activation and PDP context deactivation are available at the SMREG-SAP. In addition there exists a PDP context modification for non-anonymous PDP contexts.

13 SNDCP - Subnetwork Dependent Convergence Protocol

SNDCP carries out all functions related to transfer of Network layer Protocol Data Units (N-PDUs) over GPRS in a transparent way. SNDCP helps to improve channel efficiency by means of compression techniques. The set of protocol entities above SNDCP consists of commonly used network protocols. They all use the same SNDCP entity, which then performs multiplexing of data coming from different sources to be sent using the service provided by the LLC layer.

14 GACI – GPRS Application Control Interface

The GACI is the GPRS extension of the ACI. It is specified in GSM 07.07 and 07.60. It is responsible for processing of the GPRS related AT Commands to setup, activate and deactivate the PDP context parameter. It also provides functionality for the interworking between GMM/SM/SNDCP and a packet oriented protocol like PPP.

15 GSMS - GPRS Short Message Service

Like GACI, GSMS, the GPRS Short Message Service, is also not a new entity of its own, but it is the GSM SMS entity enhanced by GPRS functionality.


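This section describes the information that the SIM provides to the GSM MM and GMM entities.

GSM specification 11.11 describes the precondition for GSM operation as follows:

For a SIM of Phase 2 or greater, GSM operation shall only start if one of the two following conditions is fulfilled: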

- if EFIMSI and EFLOCI are not invalidated, the GSM operation shall start immediately;

- if EFIMSI and EFLOCI are invalidated, the ME rehabilitates these two EFs.

So what information should the SIM provide, and what does the procedure look like?

Afterwards, the ME runs the following procedures:

- Administrative Information request;

- SIM Service Table request;

- IMSI request;

- Access Control request;

- HPLMN Search Period request;

- PLMN selector request;

- Location Information request;

- Cipher Key request;

- BCCH information request;

- Forbidden PLMN request;

- CBMID request;

- Depersonalisation Control Keys request

- Network’s indication of alerting request (if $(NIA)$ is supported)

Now let's look at how TI implements this part of the protocol stack in code.

The overall flow (in the app_sim_read_parameters function) is as follows:


    result = app_fdn_bdn_procedures (sim_mmi_insert_ind);
    if ((result EQ SIM_NO_OPERATION) OR
        !app_sim_mm_insert_ind (sim_mmi_insert_ind))
      app_sim_mmi_insert_ind (sim_mmi_insert_ind, SIM_NO_OPERATION);
    else
      app_sim_mmi_insert_ind (sim_mmi_insert_ind, result);
    PSENDX (MMI, sim_mmi_insert_ind);
    if (result NEQ SIM_NO_OPERATION)
      app_sim_sms_insert_ind ();

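The app_fdn_bdn_procedures function checks whether the SIM's IMSI and LOCI are supported, and also evaluates BDN and FDN.

Of course an ordinary SIM card will never yield SIM_NO_OPERATION, so app_sim_mm_insert_ind (sim_mmi_insert_ind) is always executed.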

    GLOBAL UBYTE app_sim_mm_insert_ind (T_SIM_MMI_INSERT_IND * sim_mmi_insert_ind)
    {
      // First allocate a SIM-MM protocol primitive
      PALLOC (sim_mm_insert_ind, SIM_MM_INSERT_IND);
      SIM_CLEAR_FLAG (TEST_SIM_INSERTED);

      // Read the administrative data
      if (FKT_Select (SIM_AD, response, SIM_MIN_EF_ST_LEN) EQ SIM_NO_ERROR)
        sim_mm_insert_ind->c_ad = (UBYTE)length;
      if(FKT_ReadBinary ((UBYTE *)&sim_mm_insert_ind->ad, 0, length) EQ SIM_NO_ERROR)
        // If ad[0] & 0x80 is true, this is a test card
        if(sim_mm_insert_ind->ad[0] & 0x80)
        {
          SIM_SET_FLAG (TEST_SIM_INSERTED);
    #if defined SIM_TOOLKIT
          SIM_SET_FLAG (TEST_MODE_POLLING);
    #endif
        }

      /*
       * read IMSI (set to zero in case of error)
       */
      memset (&sim_mmi_insert_ind->imsi_field, 0, sizeof (T_imsi_field));
      if (FKT_Select (SIM_IMSI, NULL, 0) EQ SIM_NO_ERROR)
      {
        if (FKT_ReadBinary ((UBYTE *)&sim_mm_insert_ind->imsi_field, 0, MAX_IMSI)
        …………..
      }

      /*
       * Modify polling algorithm in case of HPLMN == Test Network
       */
      if ((sim_mm_insert_ind->imsi_field.c_field >= 3) AND
          ((sim_mm_insert_ind->imsi_field.field[0] & 0xF7) EQ 0x01) AND
          (sim_mm_insert_ind->imsi_field.field[1] EQ 0x10) AND
          (sim_mm_insert_ind->imsi_field.field[2] EQ 0x10))
      {
        SIM_SET_FLAG (TEST_SIM_INSERTED);
    #if defined SIM_TOOLKIT
        SIM_SET_FLAG (TEST_MODE_POLLING);
    #endif
      }

      /*
       * read location information
       */
      if (FKT_Select (SIM_LOCI, NULL, 0) EQ SIM_NO_ERROR)
        …

      /*
       * Access control classes
       */
      if (FKT_Select (SIM_ACC, NULL, 0) EQ SIM_NO_ERROR)
        …

      /*
       * BCCH information
       */
      if (FKT_Select (SIM_BCCH, NULL, 0) EQ SIM_NO_ERROR)
        …

      /*
       * KC and cipher key sequence number
       */
      if (FKT_Select (SIM_KC, NULL, 0) EQ SIM_NO_ERROR)
        …

      /*
       * Read Preferred PLMNs
       */
      if (SIM_IS_FLAG_SET (SERVICE_7_SUPPORT))
      {
        if (FKT_Select (SIM_PLMNSEL, response, SIM_MIN_EF_ST_LEN) EQ SIM_NO_ERROR)
          …

      /*
       * Read forbidden PLMNs
       */
      if (FKT_Select (SIM_FPLMN, NULL, 0) EQ SIM_NO_ERROR)
        …

      /*
       * Read Acting HPLMN
       */
      FileSelRes = FKT_Select(SIM_CING_AHPLMN, NULL, 0);

    #if defined (GPRS)
      gprs_gmm_insert_ind (sim_mm_insert_ind);
    #endif

      /*
       * send information to mobility management
       */
      PSENDX (MM, sim_mm_insert_ind);
      SIM_SET_FLAG (MM_KNOWS_FROM_SIM);
    }
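
What the three-byte "HPLMN == Test Network" comparison in the listing means once the BCD coding of imsi_field is decoded, as an added example that is not part of the original post or the TI sources. It places the byte-level test next to a check on the decoded digits (MCC 001, MNC 01) that additionally rejects a malformed IMSI; the function names and the sample IMSI are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed sample: IMSI 001010123456789 as stored after the length byte. */
const uint8_t SAMPLE_TEST_IMSI[8] = { 0x09, 0x10, 0x10, 0x10, 0x32, 0x54, 0x76, 0x98 };

/* Decode imsi_field (the EF_IMSI bytes after the length byte) into ASCII
   digits. Returns the digit count, or -1 if the coding is invalid. */
int imsi_to_digits(const uint8_t *field, size_t c_field, char out[16]) {
    int n = 0;
    if (field == NULL || c_field < 1 || c_field > 8) return -1;
    if ((field[0] & 0x07) != 0x01) return -1;         /* identity type must be IMSI */
    for (size_t i = 0; i < c_field; i++) {
        uint8_t nib[2] = { (uint8_t)(field[i] & 0x0F), (uint8_t)(field[i] >> 4) };
        /* byte 0: low nibble is parity + type, only the high nibble is a digit */
        for (int k = (i == 0) ? 1 : 0; k < 2; k++) {
            if (nib[k] == 0x0F && i == c_field - 1 && k == 1) break;  /* filler */
            if (nib[k] > 9) return -1;
            out[n++] = (char)('0' + nib[k]);
        }
    }
    out[n] = '\0';
    if (((field[0] >> 3) & 1) != (n & 1)) return -1;  /* parity bit: 1 = odd count */
    return n;
}

/* Byte-level test from the listing: parity bit masked out, then the BCD
   pairs 0x10 0x10, i.e. the digits 0 | 0 1 | 0 1. */
int is_test_network_bytes(const uint8_t *field, size_t c_field) {
    return c_field >= 3 && (field[0] & 0xF7) == 0x01 &&
           field[1] == 0x10 && field[2] == 0x10;
}

/* Same decision on the decoded digits, but only for a well-formed IMSI. */
int is_test_network_digits(const uint8_t *field, size_t c_field) {
    char d[16];
    return imsi_to_digits(field, c_field, d) >= 5 && strncmp(d, "00101", 5) == 0;
}
```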