Author Topic: Handset Gets Rejected When connecting to BTS but is not listed as Rejected  (Read 7173 times)

Indigo

When I program a SIM card into the BTS station it still gets rejected but the reason is "failure" instead of "location-area-not-allowed".  Below is a short abbreviated log of what is happening.

Thanks in advance.

<ybts-signaling>Received
..............................................
Primitive: Physical Info
Info: 0
Connection: 1

<PhysicalInfo>TA=0 TE=0.004 UpRSSI=1 TxPwr=33 OnRSSIdbm=-111 time=...</PhysicalInfo>
..............................................
<ybts-signaling:INFO>Received
...............................................
Primitive: L3 Message
Info: 0
Connection: 1

<MM>
   <SkipIndicator>0</SkipIndicator>
   <NSD>0</NSD>
   <Message type="LocationUpdatingRequest">
      <LocationUpdatingType>
         <FOR>false</FOR>
         <LUT>normal-location-updating</LUT>
      </LocationUpdatingType>
      <CipherKeySequenceNumber>no-key/reserved</CipherKeySequenceNumber>
      <LAI>
         <PLMNidentity>00101</PLMNidentity>
         <LAC>fffe</LAC>
      </LAI>
      <MobileStationClassmark>
         <RFPowerCapability>class4</RFPowerCapability>
         <RevisionLevel>GSM-phase2</RevisionLevel>
         <Flags>ES-IND</Flags>
      </MobileStationClassmark>
      <MobileIdentity>
         <IMSI>001010000098895</IMSI>
      </MobileIdentity>
   </Message>
</MM>
.................................................
<ybts-signaling:ALL>Added Connection
<ybts-mm:ALL>HandlingLocationUpdatingRequest
<ybts-mm:ALL>Added UE      
<ybts-signaling:ALL>Connection 1 set UE
<ybts:ALL>Started Location Updating Thread
<nib:INFO>Got user.register for.... terminated
<ybts-mm:ALL>UE... register failed
<ybts-signaling:INFO>Sending
.................................................
Primitive: L3 Message
Info: 0
Connection: 1

<MM>
   <Message type="LocationUpdatingReject">
      <RejectCause>failure</RejectCause>
   </Message>
</MM>

After this the BTS station releases the connection.
« Last Edit: June 22, 2017, 03:08:48 PM by Indigo »

Ioana Stanciu

The phone seems to be rejected because it cannot be authenticated.
A complete log with sniffer enabled would be helpful.

Anyway, to check that the issue is authentication of the IMSI please check that:
1. you have the nib_auth.sh script loaded (command in telnet is 'external info');
2. you have set up the right ki, op and imsi type in subscribers.conf for the IMSI you test with. Also, if you don't have the ki, you could set ki=* to skip authentication.

« Last Edit: June 23, 2017, 04:25:44 AM by Ioana Stanciu »

Indigo

When setting up the YateBTS and JavaScript NIB I ran through the initial configuration setup in the Wiki.
One of the lines told me to set "gsm_auth=" in the extmodule.conf
However, it never gave me the options of what to set it to.

I attempted to locate the nib_auth.sh file on my computer, however, running "locate nib_auth.sh" returned nothing.
I also ran the command "external info" in telnet and nothing came up besides the cursor just returning to the next line.
I also tried setting the ki to * "ki=*", and still had the same results of a rejectCause of failure.

Note, does it matter that I am using 2g here when configuring the IMSIs in the configuration files?

Perhaps I overlooked something trivial in the initial configuration?

I will attempt to further debug the issue, following your suggestion of enabling the sniffer.

Thanks for the insight and the help.
« Last Edit: June 23, 2017, 10:06:24 AM by Indigo »

Ioana Stanciu

Ok, so at one point gsm_auth.sh was renamed to nib_auth.sh

So if you have a YateBTS older than SVN revision 605, you need to look for and set 'gsm_auth=' in extmodule.conf. That setting is all that is needed.
If you have something newer than SVN revision 605, you need to look for and set 'nib_auth=' in extmodule.conf.

Quote
Note, does it matter that I am using 2g here when configuring the IMSIs in the configuration files?
If the SIM is of type 2G it should be ok. As far as I know, if it's 3G (USIM), you also need to set op.

Posting a log with sniffer enabled might help. Also posting the configuration files. Also please post the YateBTS version and the NIB version.
« Last Edit: June 27, 2017, 01:53:10 AM by Ioana Stanciu »

Indigo

So I enabled:

"debug mbts level 10"
"debug transceiver level 10"
"sniffer on"
"debug on"
"color on"
"output on"

In the telnet terminal to increase my debugging ability, and this is what I originally got:

Code:
<nib:INFO>Got user.register for imsi=001... tmsi=''
<nib:INFO>Searching imsi in subscribers

Sniffed 'gsm.auth' time=...
thread=0x... 'YBTSLocUpd'
data=(nil)
retval='(null)'
param['protocol']='comp128'
param['ki']='001122...FF'
param['op']=''
param['rand']='16e0f...'
Returned false 'gsm.auth' delay=...
thread=0x... 'YBTSLocUpd'
data=(nil)
retval='(null)'
param['protocol']='comp128'
param['ki']='001122...FF'
param['op']=''
param['rand']='16e0f...'
Returned false 'user.register' delay=...

After a lot of troubleshooting and looking at other files I happened to view the README file in the yatebts folder which said to enter "gsm_auth.sh" in the [scripts] section of 'extmodule.conf'.  Not sure why they ask you to enter "gsm_auth.sh=" with nothing after it in the tutorial/wiki setup and the significance of the equals there?  Anyway I may have had "gsm_auth.sh=" in the wrong place in "extmodule.conf", now I just have "gsm_auth.sh" without the equals in the [scripts] section.

However, now when I run it I get this:

Code:
Returned true 'gsm.auth'
thread=0x... 'YBTSLocUpd'
data=(nil)
retval='(null)'
param['protocol']='comp128'
param['Ki']='001122...FF'
param['op']=''
param['rand']='6d7...'
param['handles']='gsm_auth:95'
param['sres']='922...'
param['Kc']='D8E9...'
Returned false 'user.register' delay=...
thread=0x... 'YBTSLocUpd'
data=(nil)
retval='(null)'
param['driver']='ybts'
param['username']='001...'
param['imsi']='001...'
param['handlers']='monitoring:1, javascript:80, regfile:100, monitoring:1, javascript:80, regfile:100, monitoring:1, javascript:80, regfile:100'
param['auth.rand']='6d7...'
param['auth.response']='f4aa...'
param['error']='noauth'
<ybts:NOTE>Location updating TMSI= IMSI=001... : rejecting authentication [0x7f...]
<ybts-signaling:INFO>Sending [0x...]
------------------------------------
Primitive: L3Message
Info: 0
Connection: 1

<MM>
<Message type="AuthenticationReject"/>
</MM>
------------------------------------
<ybts-signaling:ALL>Releasing connection (0x7f...,1) (0x207...)
<ybts-signaling:INFO>Sending (0x207...)
------------------------------------
Primitive: ConnRelease
Info: 0
Connection: 1
------------------------------------
<ybts:ALL>Location updating thread for (0x7f...) TMSI= IMSI=001... terminated [0x7f...]

So now at least I am getting to the next step in the logs...
However, it still won't register...
Any advice on what to fix from here?
I'm confused because it is returning true from "gsm.auth" yet it's sending back an Authentication Rejection Message.


Thanks in advance

Ioana Stanciu

Please post a log starting from LocationUpdateRequest and please do not cut out parts of it. If you want to hide the IMSI and Ki, fine. Just the piece of log from where it rejects the authentication is irrelevant if I can't see what happened before.

Anyway, the piece of log points to a mismatch in results obtained by the phone and the network when doing authentication algorithm on the same data.

You could also try again with ki=*
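
The comparison described above (the SRES computed on the network side against the response the handset returned for the same RAND), as an added example that is not part of the original posts or of YateBTS. It assumes the sniffer line format quoted in this thread, uses hypothetical function names and constructed sample values, and reads a `Returned false 'gsm.auth'` as the message not having been handled by any auth script.

```python
import re
# Constructed sniffer excerpt in the format quoted in the thread; all values are made up.
SAMPLE_LOG = """\
Returned false 'gsm.auth' delay=0.001
param['rand']='16e0f00000000000000000000000aaaa'
Returned true 'gsm.auth' delay=0.012
param['rand']='6D7A0000000000000000000000000001'
param['sres']='922b01c4'
Returned false 'user.register' delay=0.020
param['auth.rand']='6d7a0000000000000000000000000001'
param['auth.response']='f4aa7710'
param['error']='noauth'
"""

HEADER = re.compile(r"^(?:Returned (true|false)|Sniffed) '([^']+)'")
PARAM = re.compile(r"param\['([^']+)'\]='([^']*)'")

def parse_messages(text):
    """Split a sniffer dump into messages; handled is None for 'Sniffed' lines."""
    messages = []
    for line in text.splitlines():
        head = HEADER.match(line.strip())
        if head:
            handled = None if head.group(1) is None else head.group(1) == "true"
            messages.append({"name": head.group(2), "handled": handled, "params": {}})
        elif messages:
            messages[-1]["params"].update(PARAM.findall(line))
    return messages

def check_auth(text):
    """Compare the network-side SRES with the handset's response for each RAND."""
    expected, findings = {}, []  # expected: RAND -> SRES from a handled gsm.auth
    for msg in parse_messages(text):
        p = msg["params"]
        if msg["name"] == "gsm.auth" and msg["handled"] is False:
            findings.append(("auth-unhandled", p.get("rand", "").lower()))
        elif msg["name"] == "gsm.auth" and msg["handled"] and "sres" in p:
            expected[p.get("rand", "").lower()] = p["sres"].lower()
        elif msg["name"] == "user.register" and "auth.response" in p:
            rand = p.get("auth.rand", "").lower()
            if rand not in expected:
                findings.append(("no-expected-sres", rand))
            elif expected[rand] == p["auth.response"].lower():
                findings.append(("sres-match", rand))
            else:
                findings.append(("sres-mismatch", rand))
    return findings

print(check_auth(SAMPLE_LOG))
```

The findings carry only a verdict and the RAND, so they can be posted without exposing Ki or Kc.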

Indigo

Sorry Ioana, that particular computer is air-gapped, so I have to copy each character at a time onto paper and then type it back up on another computer.
Anyway I believe I found the problem.

So I found the "do_comp128" program/algorithm, and in the log I found the message going to the phone, "the random number (challenge)", and the hex value coming back, the "SRES (response)". I then ran the "do_comp128" algorithm using the random number (challenge) and the Ki I had been provided with the SIM cards. What I got back did not match the SRES (response) coming back to the YateBTS from the cell phones. I contacted whoever had provided me with the SIM cards and they assured me they program all their SIM cards with that particular Ki. Is there any possibility that I still have the right Ki, even though I ran the Ki and the random number through "do_comp128" and it did not equal the SRES?

If there is I can copy more of the log and post it next forum post.

Also, whenever I set "ki=*" in subscribers.conf for each handset it results in a rejection cause of failure and returns false from 'gsm.auth' in the logs.  Am I setting this at the right place or the right way in order to disable authentication?

Thanks again
« Last Edit: June 28, 2017, 02:57:03 PM by Indigo »

Ioana Stanciu

Does the type of the SIM match what you configured (imsi_type=2g)? What authentication algorithm does the SIM support? NIB only supports compV1. Maybe there is a mismatch between authentication algorithms.

Regarding ki=*, you need to restart Yate after configuring that.

Regarding logs, you can always take pictures of the screen and attach them.

Anyway, if you don't want authentication, you can always configure the regexp setting in the [general] section of subscribers.conf. This will allow registration of UEs that match the regular expression you set. Something like regexp=^00101 will allow registration for all IMSIs that start with 00101. Please keep in mind that authentication will not take place anymore.
Make sure to uncomment the regexp section and also comment the section regarding particular IMSIs.