Of the descriptions I have read explaining GSM Milenage, none clearly explain what is involved in implementing it at a network level. The information required to accomplish this is not the nuts and bolts of how the authentication or key generation work (which is more of a software design interest when implementing Milenage) but rather which nodes in the network are affected and what is additionally required at these nodes.

Generally speaking, GSM Milenage is implemented in networks where A3/A8 authentication and key generation algorithms, which preceded Milenage, are already implemented. So this discussion will start with the requirements of the A3/A8 algorithms on a network level and then show what the additional overhead is for Milenage.
When A3/A8 algorithms are implemented, here’s how authentication and key generation work

The inputs are the Ki and the RAND. The outputs are the SRES (which is derived by applying an algorithm known as A3 to the Ki and RAND) and Kc (which is derived by applying an algorithm known as A8 to the Ki and RAND).

To implement it at a network level, the Ki must be stored on the HLR and the SIM and must be identical on both. On the HLR and the SIM, the A3/A8 algorithms must be implemented, again identically. Only when these two conditions are met can the SIM and the HLR compute SRES values and Kc values that match one another. The matching of these values computed on two different nodes is the success criterion for authentication and key generation.

Switching to GSM Milenage adds an extra input and replaces the A3/A8 algorithms with Milenage algorithms, which are adapted for a GSM network.

The extra input required is the OPc, which, like the Ki, is stored on the SIM card and on the HLR and has to be identical on both. So SIM cards which support Milenage must contain this extra value, known as the OPc. Like the Ki, it must be synced between the SIM card and the HLR.

It may be that SIM cards already in use in the network may not be upgradeable to support GSM Milenage algorithms. In that instance, both A3/A8 algorithms as well as GSM Milenage algorithms will need to be supported in the network. Either that or all SIM cards must be exchanged for new ones. 

To explain how to implement the change from the A3/A8 algorithms to the Milenage algorithm, we need to look a bit more deeply at the nuts and bolts of the GSM Milenage algorithm. The A3/A8 algorithms used previously are replaced by five different functions in Milenage: f2, f3 and f4, and two others, which use the outputs of f2, f3 and f4 to compute the Kc and the SRES.

The three functions, f2, f3 and f4, come directly from the Milenage standard. The two functions used to compute the Kc and SRES are the adaptations to Milenage that allow it to be used in the GSM network.

The three functions known as f2, f3 and f4 are defined in the standard for Milenage, 3GPP TS 35.205. Any explanation of those three functions would make this discussion far too complicated. Suffice it to say that the definition of these three functions is customer controlled and requires that values for six variables, c2, c3, c4, r2, r3 and r4, be chosen and stored identically on the HLR and on the SIM.

The last additional overhead is choosing the SRES derivation function. Two are defined, and the one chosen must be the same on both the HLR and the SIM. A Kc derivation function must also be implemented on the SIM and the HLR, but that is an internal requirement for the SIM and the HLR and does not add any further actions when implementing Milenage at a network level.

So implementing Milenage at a network level requires:
1. Ki and OPc must be stored on the HLR as well as the SIM with identical values.
2. Three functions, f2, f3 and f4, must be implemented on both the HLR and the SIM, and the six values associated with those functions, c2, c3, c4, r2, r3 and r4, must also be stored identically on the SIM and the HLR.
3. The SRES derivation function chosen must be identically implemented on both the HLR and the SIM, and the function to compute Kc must also be implemented.
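The following is an added example, not code from the original post: it implements the two GSM adaptation functions described above (the two SRES derivation functions and the Kc derivation) on top of the f2/f3/f4 outputs, and shows that an HLR and a SIM that disagree on the SRES derivation function cannot authenticate even with identical Ki, OPc and c/r constants. The formulas follow 3GPP TS 55.205 as I know it (check against the spec before relying on them); the RES, CK and IK values are constructed, not the output of a real f2/f3/f4 run.

```python
# Added example (not from the original post): the GSM-Milenage adaptation step
# that turns the f2/f3/f4 outputs (RES, CK, IK) into SRES and Kc, plus a check
# that an HLR and a SIM configured with different SRES derivation functions
# cannot authenticate. Formulas follow 3GPP TS 55.205 as I know it; the
# RES/CK/IK values below are constructed, not the output of a real f2/f3/f4 run.

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def sres_from_res(res: bytes, function_no: int) -> bytes:
    """GSM-Milenage SRES derivation: #1 folds the 64-bit RES, #2 truncates it."""
    if len(res) != 8:
        raise ValueError("Milenage f2 output RES must be 8 bytes")
    if function_no == 1:
        return _xor(res[:4], res[4:])
    if function_no == 2:
        return res[:4]
    raise ValueError("only SRES derivation functions #1 and #2 are defined")

def kc_from_ck_ik(ck: bytes, ik: bytes) -> bytes:
    """GSM-Milenage Kc derivation: XOR of the four 64-bit halves of CK and IK."""
    if len(ck) != 16 or len(ik) != 16:
        raise ValueError("CK and IK must be 16 bytes")
    return _xor(_xor(ck[:8], ck[8:]), _xor(ik[:8], ik[8:]))

def gsm_triplet(res: bytes, ck: bytes, ik: bytes, sres_function: int):
    """What HLR and SIM each compute once f2/f3/f4 have run for a given RAND."""
    return sres_from_res(res, sres_function), kc_from_ck_ik(ck, ik)

def authenticates(hlr_function: int, sim_function: int,
                  res: bytes, ck: bytes, ik: bytes) -> bool:
    """Same Ki/OPc/c/r constants (hence the same RES/CK/IK) but possibly a
    different SRES function selection: authentication succeeds only if the
    SRES computed on the HLR equals the SRES computed on the SIM."""
    hlr_sres, _ = gsm_triplet(res, ck, ik, hlr_function)
    sim_sres, _ = gsm_triplet(res, ck, ik, sim_function)
    return hlr_sres == sim_sres

# Constructed sample values (hex), standing in for real f2/f3/f4 output.
RES = bytes.fromhex("a1b2c3d45e6f7081")
CK = bytes.fromhex("0123456789abcdeffedcba9876543210")
IK = bytes.fromhex("00ff00ff00ff00ff0f0f0f0f0f0f0f0f")

if __name__ == "__main__":
    for fn in (1, 2):
        sres, kc = gsm_triplet(RES, CK, IK, fn)
        print(f"SRES function #{fn}: SRES={sres.hex()} Kc={kc.hex()}")
    print("HLR #1 vs SIM #2 authenticates:", authenticates(1, 2, RES, CK, IK))
```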

refer : http://discobabu.blogspot.kr/2006/02/gsm-milenage-implementing-it-at.html

Attribution, Non-Commercial, No Derivatives

머 먹고 사냐.....


GSM Timers

Mobile/GSM 2014.09.15 11:16

This page covers timers used in GSM which include T100, T200, T301, T3126, T3146, T3182, T3190, T3192, T3124, T3230 and T3330.

T100 : Radio link timeout. It helps detect the presence of the GSM radio link by checking SACCH frames every 480 ms.

T200 : Retransmission timer on the data link layer. Its value varies depending on the message (for FACCH it is set to 155 ms).

T301 : Alerting or ringing timer; this timer limits the time the user has to answer an incoming call. (Value: 20 sec)

T3126 : When T3126 expires, the immediate assignment procedure is aborted. It is started in the same way as T3146 below.

T3146 : Started after sending the maximum allowed number of CHANNEL REQUEST messages or on receipt of an Immediate Assignment Reject message, whichever occurs first, during a PS call. When T3146 expires, the packet access procedure is aborted. Maximum value is 5 seconds.

T3182 : Started when the MS transmits the final uplink data block. If the uplink packet ACK is received everything is fine; if it is not and the timer expires with N3102 > 0, the MS releases its resources and attempts to re-establish communication on the cell.

T3190 : Packet DL assignment on CCCH; started on reception of an IMMEDIATE ASSIGNMENT or PDCH ASSIGNMENT COMMAND message when in dedicated mode. When T3190 expires, the mobile returns to packet idle mode. Its value is about 5 seconds.

T3192 : Called the TBF release timer; when T3192 expires the UE (mobile) releases TBF-related resources and begins scanning the paging channel.

T3124 : Started to wait for physical handover information from the network. It is stopped when the Physical Information message is received at the UE. It expires after waiting a typical value of 320 ms when physical information is not received.

T3230 : Started when the mobile subscriber sends a CM Service Request or CM Re-Establishment Request. It stops when the mobile receives CM Service Accept, CM Service Reject, or the ciphering mode setting. If T3230 times out, the call is terminated by the mobile itself. It has a value of 15 seconds.

T3330 : RAU (Routing Area Update) request timer; expires when the default value (typically 15 sec) is passed. Usually either RAU Accept or RAU Reject is sent by the network to the UE upon receipt of the RAU Request.


What is IMEI?

The International Mobile Station Equipment Identity or IMEI is a number, usually unique, to identify 3GPP (i.e., GSM, UMTS and LTE) and iDEN mobile phones, as well as some satellite phones. It is usually found printed inside the battery compartment of the phone, but can also be displayed on-screen on most phones by entering *#06# on the dial-pad, or alongside other system information in the settings menu on smartphone operating systems.

The IMEI number is used by a GSM network to identify valid devices and therefore can be used for stopping a stolen phone from accessing that network. For example, if a mobile phone is stolen, the owner can call his or her network provider and instruct them to "blacklist" the phone using its IMEI number. This renders the phone useless on that network and sometimes other networks too, whether or not the phone's SIM is changed.

The IMEI is only used for identifying the device and has no permanent or semi-permanent relation to the subscriber. Instead, the subscriber is identified by transmission of an IMSI number, which is stored on a SIM card that can (in theory) be transferred to any handset. However, many network and security features are enabled by knowing the current device being used by a subscriber.


To put it simply, it is an ID assigned to distinguish the handset hardware itself.

At the initial network attach, the network checks the IMEI and then decides whether to allow or refuse access to the network.

Also, because it is a device ID, when a phone is lost that ID can be used to report it lost or stolen,

and the network can use that ID value to make sure the phone can never attach to the network.

Previously, if you put a KT USIM into an SKT phone it would never connect to the network, but nowadays, regardless of which carrier the device came from, you just insert the USIM, power-cycle it a few times and the phone works.

This is one example of how the network uses the IMEI to make such distinctions.

Structure of the IMEI and IMEISV (IMEI Software Version)

The IMEI (15 decimal digits: 14 digits plus a check digit) or IMEISV (16 digits) includes information on the origin, model, and serial number of the device. The structure of the IMEI/SV is specified in 3GPP TS 23.003. The model and origin comprise the initial 8-digit portion of the IMEI/SV, known as the Type Allocation Code (TAC). The remainder of the IMEI is manufacturer-defined, with a Luhn check digit at the end. For the IMEI format prior to 2003, the GSMA guideline was to have this Check Digit always transmitted to the network as zero. This guideline seems to have disappeared for the format valid from 2003 onwards.

As of 2004, the format of the IMEI is AA-BBBBBB-CCCCCC-D, although it may not always be displayed this way. The IMEISV drops the Luhn check digit in favour of an additional two digits for the Software Version Number (SVN), making the format AA-BBBBBB-CCCCCC-EE.

For example, the old style IMEI code 35-209900-176148-1 or IMEISV code 35-209900-176148-23 tells us the following:

TAC : 35-2099 - issued by the BABT (code 35) with the allocation number 2099

FAC : 00 - indicating the phone was made during the transition period when FACs were being removed.

SNR : 176148 - uniquely identifying a unit of this model

CD  : 1 so it is a GSM Phase 2 or higher

SVN : 23 - The "software version number" identifying the revision of the software installed on the phone. 99 is reserved.

By contrast, the new style IMEI code 49-015420-323751 has an 8-digit TAC of 49-015420.

The new CDMA Mobile Equipment Identifier (MEID) uses the same basic format as the IMEI.

You can check this more easily at the link below.



As shown above, the structure of the IMEI is TAC + Serial Number + Checksum.

For the TAC / Serial Number / Check Sum, refer to the information above.

Check digit computation

The last number of the IMEI is a check digit calculated using the Luhn algorithm.

According to the IMEI Allocation and Approval Guidelines,

The Check Digit shall be calculated according to Luhn formula (ISO/IEC 7812). (See GSM 02.16 / 3GPP 22.016). The Check Digit is a function of all other digits in the IMEI. The Software Version Number (SVN) of a mobile is not included in the calculation.

The purpose of the Check Digit is to help guard against the possibility of incorrect entries to the CEIR and EIR equipment.

The presentation of the Check Digit both electronically and in printed form on the label and packaging is very important. Logistics (using bar-code reader) and EIR/CEIR administration cannot use the Check Digit unless it is printed outside of the packaging, and on the ME IMEI/Type Accreditation label.

The check digit is not transmitted over the radio interface, nor is it stored in the EIR database at any point. Therefore, all references to the last three or six digits of an IMEI refer to the actual IMEI number, to which the check digit does not belong.

The check digit is validated in three steps:

Starting from the right, double every other digit (e.g., 7 → 14).
Sum the digits (e.g., 14 → 1 + 4).
Check if the sum is divisible by 10.
Conversely, one can calculate the IMEI by choosing the check digit that would give a sum divisible by 10. For the example IMEI 49015420323751?,

You can calculate it more easily at the link below.
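Here is an added example, not part of the original post, that carries the three validation steps above through in code: it computes and verifies the Luhn check digit of a 15-digit IMEI and splits an IMEI or IMEISV into TAC, SNR and CD/SVN using the 8-digit TAC layout described above. The sample IMEIs are the ones quoted in this post; everything else is constructed for the example.

```python
# Added example (not from the original post): Luhn check-digit computation and
# validation for a 15-digit IMEI, plus splitting an IMEI/IMEISV into its fields.
# Field layout and both sample IMEIs come from the text above; the SVN is not
# part of the Luhn calculation, matching the guideline quoted above.

def luhn_check_digit(digits: str) -> int:
    """Check digit for a digit string, per the Luhn formula (ISO/IEC 7812)."""
    if not digits.isdigit():
        raise ValueError("IMEI body must be decimal digits only")
    total = 0
    # Walk from the right; the digit next to the (future) check digit is doubled.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits, e.g. 14 -> 1 + 4
        total += d
    return (10 - total % 10) % 10

def imei_check_digit(imei14: str) -> int:
    """Check digit for the 14-digit IMEI body (TAC + SNR)."""
    if len(imei14) != 14:
        raise ValueError("IMEI body (TAC + SNR) must be 14 digits")
    return luhn_check_digit(imei14)

def imei_is_valid(imei15: str) -> bool:
    """True if the 15th digit is the correct Luhn check digit for the first 14."""
    if len(imei15) != 15 or not imei15.isdigit():
        return False
    return int(imei15[14]) == imei_check_digit(imei15[:14])

def split_imei(value: str) -> dict:
    """Split a 15-digit IMEI (TAC, SNR, CD) or 16-digit IMEISV (TAC, SNR, SVN).
    Dashes as in the printed form (AA-BBBBBB-CCCCCC-D) are ignored."""
    digits = value.replace("-", "")
    if len(digits) == 15:
        return {"tac": digits[:8], "snr": digits[8:14], "cd": digits[14],
                "cd_ok": imei_is_valid(digits)}
    if len(digits) == 16:
        return {"tac": digits[:8], "snr": digits[8:14], "svn": digits[14:]}
    raise ValueError("expected 15 (IMEI) or 16 (IMEISV) digits")

if __name__ == "__main__":
    print("49015420323751 ->", imei_check_digit("49015420323751"))
    print(split_imei("35-209900-176148-1"))
```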


Korean )
Looking at the explanation above, you can see at a glance how the Check Sum is calculated.
But honestly, who calculates it by hand?
If you go to the site above, it calculates it for you automatically.
Users will hardly ever need to do this, but for a developer it is one of the things you need to know.

Refer : http://en.wikipedia.org/wiki/International_Mobile_Station_Equipment_Identity


In spec 04.90 or 24.90, this comes up in section 6.2.

6.2 Cross phase compatibility

6.2.1 Network only supports protocol version 1 of unstructured supplementary service data operations 

If a mobile initiated USSD request using protocol version 2 is rejected by the network, and the reason for the rejection is indicated either by the problem code "unrecognized operation" or a cause "Facility rejected", the MS shall assume that the network only supports protocol version 1 of USSD operations. The MS shall re-attempt the request by using the appropriate protocol version 1 USSD operation without a SS version indicator if the unstructured data entered by the user can be coded as an IA5 string.

6.2.2 Mobile station only supports protocol version 1 of unstructured supplementary service data operations

A MS supporting only protocol version 1 invokes an USSD request by sending a REGISTER message to the network containing a ProcessUnstructuredSsData invoke component without a SS version indicator. In this situation the network is not allowed to start a network initiated USSD operation. If the application requires such an operation for its proper function, the USSD operation sent by the MS shall be rejected by the application. The network shall terminate the transaction by sending a RELEASE COMPLETE message with cause "Facility rejected" (see GSM 04.08).

It is a very simple story.

To sum up:

if the ME sends 7-bit (GSM 7-bit) coded USSD to the NW and it is rejected by the network with the reason "unrecognized operation" or "Facility rejected",

then in this case the ME should retry by sending 8-bit coded USSD to the network.




If you insert a SIM into a phone that has no IMEI (a phone that was not given an IMEI when it was manufactured),

some operators' SIMs show "SIM card Registration failure" while other operators' SIMs work normally.

In France, an SFR SIM gave "SIM card Registration Failure", while Orange and Bouygtel SIMs are reported to work normally in most cases.

This is not a matter of the SIM itself; it is a matter of whether that operator permits registration with that IMEI.

People sometimes say it depends on the SIM because the network you register on is determined by the operator's SIM.
