UMA = Unlicensed Mobile Access
GAN = Generic Access Network
ts 43.318 and 44.318
Wikipedia says: Generic Access Network or GAN is a telecommunication system that extends mobile voice, data and IP Multimedia Subsystem/Session Initiation Protocol (IMS/SIP) applications over IP networks. Unlicensed Mobile Access or UMA, is the commercial name used by mobile carriers for external IP access into their core networks.
To make it simple, on one side, a device connect to the mobile operator using IPSEC with EAP-SIM. Once connected, a session is established with ip/tcp/uma to the GANC (Gan controller) or UNC (Uma Network Controller). On top of that, GSM L3 packet could be sent
Here is a list of UMA devices
UMA phones In order for a phone to be UMA enabled, it requires the baseband processor to communicate with the media processor since the signaling is involved, as well as to the SIM card for the EAP-sim establishment. Therefor, it’s not just an application
here is a list of UMA enabled phone:
Blackberry Bold 9700 Blackberry Bold 9780 Blackberry Pearl 8120 Blackberry Curve 8320 Blackberry Curve 8520 Blackberry Flip 8220 Blackberry 8900 Blackberry 8820 Blackberry 9100 Blackberry 9300 Blackberry 9700 Blackberry 9800 HP iPAQ 510 LG KE520 LG CL400 Motorola A910 Motorola Z6W Nokia 6086 Nokia 6136 Nokia 6301 Nokia 7510 Nokia E73 Qisda/BenQ e72 Sagem my419x Samsung P180 Samsung P200 Samsung P220 Samsung P250 Samsung P260 Samsung P270 Samsung T336 Samsung T339 Samsung T409 Samsung T707 Samsung T739 Katalyst SIMTech N6000 T-Mobile (HTC) Shadow 2009 As we can see, many of them are from RIM BlackBerry. Follows the Engineering screen mode for configuring UMA on a BlackBerry:
UMA Gemalto USB key (Branded as Unik PC)
Host: scsi9 Channel: 00 Id: 00 Lun: 00
Vendor: Orange Model: ApplicationDRV Rev: 1.00
Type: CD-ROM ANSI SCSI revision: 00
Host: scsi9 Channel: 00 Id: 00 Lun: 01
Vendor: Orange Model: PrivateDRV Rev: 1.00
Type: Direct-Access ANSI SCSI revision: 00
Host: scsi9 Channel: 00 Id: 00 Lun: 02
Vendor: Orange Model: PublicDRV Rev: 1.00
Type: Direct-Access ANSI SCSI revision: 00
Host: scsi9 Channel: 00 Id: 00 Lun: 03
Vendor: Orange Model: CommunicationDRV Rev: 1.00
Type: Direct-Access ANSI SCSI revision: 00
# cat /proc/scsi/usb-storage/9
Host scsi9: usb-storage
Vendor: GEMALTO
Product: Unik PC
Serial Number: A10600000000XXX
Protocol: Transparent SCSI
Transport: Bulk
Quirks: SANE_SENSE
When mounting the filesystem, we get 3 partitions, 1 protected by the sim pin, the 1 COM containing a CDROM image, and 1 System, writable
mount -o loop -t vfat /dev/sdd /media/
# ls -al
total 128007
drwxr-xr-x 2 root root 512 Jan 1 1970 .
drwxr-xr-x 23 root root 4096 Jan 21 20:00 ..
-rwxr-xr-x 1 root root 512 Apr 23 2009 ANCHORI.CLP
-rwxr-xr-x 1 root root 512 Apr 23 2009 ANCHORO.CLP
-rwxr-xr-x 1 root root 52 Apr 23 2009 AUTORUN.INF
-rwxr-xr-x 1 root root 131072000 Apr 23 2009 CD-ROM.CLP
-rwxr-xr-x 1 root root 1024 Apr 23 2009 MINIEXE.EXE
# file CD-ROM.CLP
CD-ROM.CLP: # ISO 9660 CD-ROM filesystem data 'Unik PC'
# mount -t iso9660 -o loop CD-ROM.CLP /mnt/
# ls /mnt
Aide UNIK-PC.url apache Apps autorun.inf backup cdrom.ver Check Help lang private sdongle.conf sdongle.props Softphone Synchro system Unik_PC_Startup.exe usn.cfg
#ls -al /mnt/Softphone
dr-xr-xr-x 1 root root 2048 Sep 16 2009 .
dr-xr-xr-x 1 root root 2048 Sep 16 2009 ..
-r-xr-xr-x 1 root root 942080 Sep 16 2009 ftmvitendotools.dll
-r-xr-xr-x 1 root root 376 Sep 16 2009 gac.ini
-r-xr-xr-x 1 root root 1724416 Sep 16 2009 gdiplus.dll
dr-xr-xr-x 1 root root 2048 Sep 16 2009 KB908002
-r-xr-xr-x 1 root root 2539520 Sep 16 2009 Lang-fre.dll
-r-xr-xr-x 1 root root 804 Sep 16 2009 orange.der
-r-xr-xr-x 1 root root 106 Sep 16 2009 PluginConfig.ini
-r-xr-xr-x 1 root root 81920 Sep 16 2009 PluginQuery.dll
-r-xr-xr-x 1 root root 450560 Sep 16 2009 sdongleEventApi.dll
-r-xr-xr-x 1 root root 1220 Sep 16 2009 softphone_eng.ini
-r-xr-xr-x 1 root root 1221 Sep 16 2009 softphone_fre.ini
-r-xr-xr-x 1 root root 9199616 Sep 16 2009 Unik_PC_Phone.exe
-r-xr-xr-x 1 root root 314887 Sep 16 2009 Unik_PC_PlugInFF.exe
-r-xr-xr-x 1 root root 583692 Sep 16 2009 Unik_PC_PlugInIE.exe
-r-xr-xr-x 1 root root 921884 Sep 16 2009 Unik_PC_PlugInMgr.exe
-r-xr-xr-x 1 root root 444416 Sep 16 2009 Unik_PC_PlugInOLE.exe
-r-xr-xr-x 1 root root 1189376 Sep 16 2009 Unik_PC_PlugInOLE.msi
-r-xr-xr-x 1 root root 430592 Sep 16 2009 Unik_PC_PlugInOLP.exe
-r-xr-xr-x 1 root root 2253312 Sep 16 2009 Unik_PC_PlugInOLP.msi
-r-xr-xr-x 1 root root 1970176 Sep 16 2009 Unik_PC_PlugIns.exe
UMA Analog Telephone Adapters (Sold as Cisco HPort UTA200-tm) As we can see, the device has 2 Ethernet port, 1 RJ11 port to plugg a real phone, as well as a SIM card slot.
The PCB shows that the main SoC is an ADM8668, classically used on Linksys WRTU54G-TM 1.0.
… more coming …
FemtoCell Some Femtocells (Home NodeB or HNB) use UMA as protocol. The other commonly Protocol used on Femtos are sccp/RANAP
StrongSwan configuration for EAP-SIM as client
A card reader is needed in order to do EAP-SIM with strongswan. Here is a configuration example
conn sfr
keyexchange=ikev2
ike=aes128-sha1-modp1024!
mobike=no
left=%any
leftikeport=4500
leftid=1(IMSI)@gan.mnc010.mcc208.3gppnetwork.org
leftauth=eap
leftsourceip=%cfg
right=unc1-ch1.fr.sfr.com
rightikeport=4500
rightid=@unc1-ch1.fr.sfr.com
rightca="C=FR, ST=Ile de France, L=Champlan, O=SFR, OU=DGRS, CN=SFR Femto Champlan 1tier CA"
rightsubnet=172.0.0.0/8
auto=add
Here we are doing a capture of a FemtoCell that does its Location Update
As seen, the packet is of type GA-CSR Uploing Direct. In embed a L3 GSM message (Location Update Request in this case).
I develpped a lib UMA a while ago that I put on github. it’s available here:
http://github.com/key2/libuma
Here is for example an example of creation of a UMA packet:
struct uma_msg_s *uma_msg;
int i,j;
u_int8_t *titi, *tata;
u_int8_t tem[610];
uma_msg = uma_create_msg(GA_RC_REGISTER_REQUEST ,0,GA_RC);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_Mobile_Identity("\x29\x80\x01\x43\x58\x58\x54\x39",8);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_GAN_Release_Indicator(1);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_GAN_Classmark(7,1,1,0,0,0);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_Radio_Identity(0,"\x00\x1b\x67\x00\x93\x87");
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_MS_Radio_Identity(0,"\x00\x1b\x67\x00\x93\x87");
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_GSM_RR_UTRAN_RRC_State(7);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_GERAN_UTRAN_coverage_Indicator(2);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_Registration_indicators(0);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_Location_Area_Identification("\x02\xf8\x11\xff\xfc",5);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_GAN_Control_Channel_Description(0,1,0,0,1,1,16,1,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_TU3906_Timer(00,0x1e);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_TU3920_Timer(00,0x1e);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_TU4001_Timer(00,0x0f);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_TU4003_Timer(00,0x0f);
uma_msg->tlv[uma_msg->ntlv++] = create_IEI_Cell_3G_Identity("\x32\x22\x00\x00");
j = uma_create_buffer(&titi,uma_msg);
The output looks like this:
00 53 00 10 01 08 29 80 01 43 58 58 54 39 02 01 01 07 02 37 00 03 07 00 00 1b 67 00 93 87 60 07 00 00 1b 67 00 93 87 11 01 07 06 01 02 44 01 00 05 05 02 f8 11 ff fc 0e 06 c4 10 01 1d 00 00 16 02 00 1e 25 02 00 1e 2b 02 00 0f 3c 02 00 0f 49 04 32 22 00 00
On the other side, if we take the same buffer and print it out:
uma_msg = uma_parse_msg(titi,j);
for(i = 0; i < uma_msg->ntlv; i++){
tlv_printf(uma_msg->tlv[i]);
}
uma_delete_msg(uma_msg);
Upon execution we get this pretty printed output:
Mobile Identity
------------------------------
data = 29 80 01 43 58 58 54 39
------------------------------
GAN Release Indicator
------------------------------
URI = 01
------------------------------
GAN Classmark
------------------------------
TGA = 07
GC = 01
UC = 01
RRS = 00
PS_HA = 00
GMSI = 00
------------------------------
Radio Identity
------------------------------
type = 00
value = 00 1b 67 00 93 87
------------------------------
MS Radio Identity
------------------------------
type = 00
value = 00 1b 67 00 93 87
------------------------------
GSM RR UTRAN RRC State
------------------------------
GRS = 07
------------------------------
GERAN UTRAN coverage Indicator
------------------------------
CGI = 02
------------------------------
Registration indicators
------------------------------
MPS = 00
------------------------------
Location Area Identification
------------------------------
data = 02 f8 11 ff fc
------------------------------
GAN Control Channel Description
------------------------------
ECMC = 00
NMO = 01
GPRS = 00
DTM = 00
ATT = 01
MSCR = 01
T3212 = 10
RAC = 01
SGSNR = 01
ECMP = 00
RE = 01
PFCFM = 01
_3GECS = 01
PS_HA = 00
ACC8 = 00
ACC9 = 00
ACC10 = 00
ACC11 = 00
ACC12 = 00
ACC13 = 00
ACC14 = 00
ACC15 = 00
ACC0 = 00
ACC1 = 00
ACC2 = 00
ACC3 = 00
ACC4 = 00
ACC5 = 00
ACC6 = 00
ACC7 = 00
------------------------------
TU3906 Timer
------------------------------
MSB = 00
LSB = 1e
------------------------------
TU3920 Timer
------------------------------
MSB = 00
LSB = 1e
------------------------------
TU4001 Timer
------------------------------
MSB = 00
LSB = 0f
------------------------------
TU4003 Timer
------------------------------
MSB = 00
LSB = 0f
------------------------------
Cell 3G Identity
------------------------------
CellID = 32 22 00 00
