
Add new NR RRC OTA packet version 0x13, 0x17 + SCell version 0x30003 + MM State version 0x30000 to support S23 Ultra and S24 Ultra #96

Merged
merged 5 commits into from
Mar 14, 2024

Conversation

peacey
Contributor

@peacey peacey commented Feb 25, 2024

Hello,

This PR adds new Qualcomm parser packet versions for RRC OTA, SCell, and MM state packets to support printing 5G info and RRC packets for newer Samsung phones like the Samsung Galaxy S23 Ultra and Galaxy S24 Ultra.

From the debug messages shown below, you can see that the S23 Ultra uses NR RRC OTA packet version 0x13, and the S24 Ultra uses version 0x17. From examining the hexdump of these messages, you can see that padding has been added between the message length field and the message payload (which is different from previous versions, which didn't seem to have any padding after the length). For version 0x13 there is an extra one-byte padding, and for 0x17 there is an extra four-byte padding. I added this padding in struct.unpack and offset the message start index for these versions to account for this padding.

Here is the debug output of an RRC OTA message (UECapabilityEnquiry) from my S23 Ultra. You can see the message length is 0x0019 (25) and that there is a single-byte padding after the length (padding is bolded below).

2024-02-24 21:04:50,407 scat.qualcommparser (parse_nr_rrc) WARNING: Unknown NR RRC OTA Message packet version 0x13
2024-02-24 21:04:50,407 scat.qualcommparser (parse_nr_rrc) DEBUG: Body: Hexdump:
13 00 00 00 10 90 01 7d 02 02 c8 3b 57 25 22 30 00 1a ee 01 00 20 0e ff 04 00 00 00 00 19 00 **00** 30 42 44 e0 15 01 1a 02 0c 04 d0 02 00 c0 20 06 01 60 30 08 04 10 00 60 00
-------- end --------

Here is the same message from my S24 Ultra. You can see the message length is 0x0019 (25) again, but this time there is a four-byte padding after the length field (padding is bolded below).

2024-02-24 16:25:38,214 scat.qualcommparser (parse_nr_rrc) WARNING: Unknown NR RRC OTA Message packet version 0x17
2024-02-24 16:25:38,214 scat.qualcommparser (parse_nr_rrc) DEBUG: Body: Hexdump:
17 00 00 00 11 40 01 80 03 01 d0 3b 57 25 22 30 00 1a ee 01 00 20 54 07 04 00 00 00 00 19 00 **00 00 00 00** 36 42 44 e0 15 01 1a 02 0c 04 d0 02 00 c0 20 06 01 60 30 08 04 10 00 60 00
-------- end --------

Also for version 0x17, a new MCCH message type was added as shown in the protocol here. So I added that as well, or else my messages for 0x17 had wrong types.

After the above changes, scat is outputting the correct Body and type for RRC OTA packets on my S23U and S24U as shown in this attached output log, and I am able to successfully parse the Body to an RRC packet using the Wireshark dissector of the correct type (e.g. UL_DCCH, etc.) as shown in this picture.

Disclaimer: Even though the above padding seems to work, I could not find information for this header in the protocol documentation, so I have no idea whether this padding is just new padding or a new header field. I also do not have a background in telecommunications so I am not sure where to look for this information exactly. If you could please review and confirm whether this is correct (or suggest how to do this correctly if not correct), that would be great.

As for 5G SCell and 5G MM messages, I was getting this error in the logs for S24 Ultra only:

2024-02-24 16:25:49,360 scat.qualcommparser (parse_nr_rrc_scell_info) WARNING: Unknown NR SCell Information packet version 30003
2024-02-24 16:25:49,365 scat.qualcommparser (parse_nr_mm_state) WARNING: Unknown NR MM State packet version 196608

After adding these versions without any other modifications, I am able to see the correct info as shown below. So I think that's all that's needed for this. But again, I did not look to see if the updated protocol has added anything more to these packet versions that needs to be addressed, so please review.

Radio 1: NR RRC SCell Info: NR-ARFCN 126490/134664, Bandwidth 10/10 MHz, Band 71, PCI   75, xTAC/xCID 21b98e/5573bc801, MCC 302, MNC 220
Radio 1: 5GMM State: 3/0/0, PLMN: 302/220, TAC: 21b98e, GUTI: 302-220-55-3c4-3a-d031c24a
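Added example (not scat's own code and not part of this PR's commits): a minimal parser for the two log bodies quoted above that applies the version-dependent padding via `struct` pad bytes (`x`), the same technique the PR describes for `struct.unpack`. The split of the fixed header into 1 version byte + 28 undecoded bytes + a little-endian uint16 length is an assumption inferred by counting bytes in the two hexdumps; scat's real header has named fields this example does not decode. It also reproduces the "payload length does not match expected" consistency check that the warnings later in this thread come from, which is the check that catches a wrong padding guess.

```python
import struct

# Constructed sample input: the two NR RRC OTA log bodies quoted in this PR,
# as printed by scat's debug hexdump (S23 Ultra = version 0x13, S24 Ultra = 0x17).
NR_RRC_OTA_V13 = bytes.fromhex(
    "13 00 00 00 10 90 01 7d 02 02 c8 3b 57 25 22 30 00 1a ee 01 00 20 0e ff"
    " 04 00 00 00 00 19 00 00 30 42 44 e0 15 01 1a 02 0c 04 d0 02 00 c0 20 06"
    " 01 60 30 08 04 10 00 60 00"
)
NR_RRC_OTA_V17 = bytes.fromhex(
    "17 00 00 00 11 40 01 80 03 01 d0 3b 57 25 22 30 00 1a ee 01 00 20 54 07"
    " 04 00 00 00 00 19 00 00 00 00 00 36 42 44 e0 15 01 1a 02 0c 04 d0 02 00"
    " c0 20 06 01 60 30 08 04 10 00 60 00"
)

# Assumed header layout (inferred from the hexdumps, not from scat or vendor docs):
#   B    packet version
#   28s  fixed header fields (ARFCN, PCI, SFN, type, ...) left undecoded here
#   H    little-endian uint16 message length
#   x... version-specific padding before the RRC PDU:
#        0x13 -> 1 byte, 0x17 -> 4 bytes, exactly as the PR reports.
HEADER_FMT = {
    0x13: '<B28sHx',
    0x17: '<B28sH4x',
}


def parse_nr_rrc_ota(body):
    """Split one log body into (pkt_ver, msg_len, rrc_pdu).

    Raises ValueError for unknown versions or when the byte count after the
    padding disagrees with the length field, which is how a wrong padding
    assumption shows up (compare the 'Payload length ... does not match'
    warning seen for the LTE RRC 0x1e packets later in this thread).
    """
    if not body:
        raise ValueError('empty body')
    pkt_ver = body[0]
    fmt = HEADER_FMT.get(pkt_ver)
    if fmt is None:
        raise ValueError('Unknown NR RRC OTA Message packet version 0x%02x' % pkt_ver)

    hdr_len = struct.calcsize(fmt)          # 32 for 0x13, 35 for 0x17
    if len(body) < hdr_len:
        raise ValueError('body (%d bytes) shorter than header (%d)' % (len(body), hdr_len))

    # 'x' pad bytes consume input but yield no value, so only three fields come back.
    _ver, _fixed, msg_len = struct.unpack_from(fmt, body, 0)

    payload = body[hdr_len:]
    if len(payload) != msg_len:
        raise ValueError('Payload length (%d) does not match with expected (%d)'
                         % (len(payload), msg_len))
    return pkt_ver, msg_len, payload


def payload_or_none(body):
    """Convenience wrapper: the RRC PDU bytes, or None if the body is rejected."""
    try:
        return parse_nr_rrc_ota(body)[2]
    except ValueError:
        return None


if __name__ == '__main__':
    for name, body in (('S23 Ultra', NR_RRC_OTA_V13), ('S24 Ultra', NR_RRC_OTA_V17)):
        ver, length, pdu = parse_nr_rrc_ota(body)
        print('%s: version 0x%02x, MsgLength %d, PDU %s' % (name, ver, length, pdu.hex()))
```

Running it prints a 25-byte PDU for both bodies; the two PDUs differ only in their first byte, which is what you would expect from two captures of the same UECapabilityEnquiry exchange. Feeding it a body with one byte trimmed off the end raises the length-mismatch error instead of silently returning a truncated PDU to the dissector.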

@peremen
Member

peremen commented Feb 27, 2024

Thanks for your contribution. Judging from the previous experiences and the description, one or two bytes might be an extension, more than three might be a new field. I will take a look later on.

If you don't mind, could you please also include some of the raw payloads (please don't use any RRC/NAS message which contains your personal or location information; you can also edit some raw PDU bytes to mask them) in tests/test_diagnrlogparser.py? That will also ensure that the parser works in the future. Thanks in advance.

Also add tests for diagltelogparser for new version.
@peacey
Contributor Author

peacey commented Mar 1, 2024

Thank you @peremen. I have included some test payloads for the new NR SCell and NR MM versions.

Also, I realized LTE RRC messages were also giving these errors with the S24 Ultra:

2024-02-28 13:13:57,319 scat.qualcommparser (parse_lte_rrc) WARNING: Payload length (5) does not match with expected (2)

So I printed out the LTE RRC packet version and body, and found out it's a new version 0x1e with a new 3-byte padding (or maybe a new field?).

2024-02-28 13:13:57,320 scat.qualcommparser (parse_lte_rrc) WARNING: Version: 1e, Body: Hexdump:
1e 11 20 11 40 01 18 00 19 14 00 00 00 00 0b 00 00 00 00 02 00 00 00 00 16 00
-------- end --------

I added the new version to the LTE RRC parser and also added a test payload to the unit test. After that, I can see the correct LTE RRC messages in the generated packet capture file.

But like before, I don't know if this is a new padding, field, or what because I don't have the documentation for this header. Please review this new padding/field as well so we can fix the code correctly for both NR and LTE RRC packets. Thanks!

@alexjiao2021

Hi @peacey
Could you please share how to write NR stdout messages (RRC/NAS) to pcap files? It seems the scat source code doesn't have this part. Thanks!

@peacey
Contributor Author

peacey commented Mar 7, 2024

@alexjiao2021, see this gist for how to do it with Wireshark.

@peacey
Contributor Author

peacey commented Mar 7, 2024

@peremen, sorry, one last commit: I noticed I was getting "Type: 36" messages on NR version 0x17 (S24U) with this body:

Body: 14092817afc30d2200

I checked my S23U and S22U and saw this is the exact same payload I get for nr-RadioBearerConfig type on both devices.

Radio 1: NR RRC OTA Packet: NR-ARFCN 4294967295, PCI 65535, Type: nr-RadioBearerConfig, MsgLength: 9
Radio 1: NR RRC OTA Packet: Time: 2023-11-21 08:30:25.958783+00:00, Type: nr-RadioBearerConfig, Body: 140d3017afc30d2200

So I have adjusted the type ID to 36 for nr-RadioBearerConfig on version 0x17. I'm pretty sure this is correct, but please correct me if it's not.

@peremen peremen merged commit d83b5cd into fgsect:master Mar 14, 2024
@peremen
Member

peremen commented Mar 14, 2024

Thanks. Unfortunately I don't have devices for further testing, and have merged as-is.

@peacey peacey deleted the new_pktver branch March 28, 2024 18:32