5G专网驻网失败分析（suci无效）

suci

5G终端第一次驻网时，注册消息Registartion request中携带的5GS mobile identity要携带suci类型的mobile identity。
注册消息协议规范见5G NAS 协议3gpp TS24.501 8.2.6 Registration request。

在这里插入图片描述

suci协议规范参见3gpp TS24.501 9.11.3.4 5GS mobile identity

在这里插入图片描述

从上面协议内容可知，携带suci的注册消息中，有Routing
indicator字段。为两个字节。包含digit1到digit4. 其值从digit1开始存放，如果后面的digit不使用则为FF。
比如上面note2的例子，如果RoutingIndicator为3位。那么digit1 digit2 digit3 存RoutingIndicator的值。digit4要填为FF。

何时注册携带suci

UE注册时，如果UE既有5G-GUTI，又有SUCI，那注册请求中用5G-GUTI，否则用SUCI。但绝不能用SUPI。为了隐私和安全，SUPI在5G的空口中禁止传递。

3GPP 5G PROC协议，TS 23.502的4.2.2.2.2 General Registration注册流程描述如下
依次是GUTI，映射或native的guti。都没有，最后才是SUCI。
在这里插入图片描述

开源代码UERANSIM 的MmRegistration.java中，sendRegistration函数：
在这里插入图片描述

日志分析

终端在某5G专网能搜到网络，但是不向网络发送Registration Request注册网络。

首先分析网络的SIB消息：

00:47:04.546945 RRC/HighFreq/High/NR5GRRC [nr5g_rrc_sib.c    1792] Sending NR5G_CPHY_SIB_SCHED_REQ. sibs_to_acq_curr - 0x0, sibs_to_acq_next - 0x0
00:47:04.547088 RRC/HighFreq/High/NR5GRRC [nr5g_rrc_meas.c  18428]  DL carrier freq : 7880, scs : 1, mtc_periodicity : 0, priority : 0, band : 77
//如下日志说明sib4消息的dl_CarrierFreq配置有误
00:47:04.547223 RRC/HighFreq/High/NR5GRRC [nr5g_rrc_meas.c  17445] SIB4 omitted, dl_CarrierFreq 7880 msimatch valid band, skip
00:47:04.547233 RRC/HighFreq/High/NR5GRRC [nr5g_rrc_meas.c  18043] MEAS:Eutra carrierFreq = 40890, not supported

网络下发的 dl-CarrierFreq 7880 不是 freqBandIndicatorNR 77的合法频点。。
3GPP TS38.101-1协议的 Table 5.4.2.3-1: Applicable NR-ARFCN per operating band可以查看每个band的dl频点范围。从如下截图可以看出7880不在下行频点范围。
在这里插入图片描述

如下是sib4的字段内容

 sib4 : {interFreqCarrierFreqList {{dl-CarrierFreq 7880,frequencyBandList {{freqBandIndicatorNR 77}},ssbSubcarrierSpacing kHz30,deriveSSB-IndexFromCell TRUE,q-RxLevMin -60,t-ReselectionNR 1,threshX-HighP 30,threshX-LowP 22,threshX-Q {threshX-HighQ 30,threshX-LowQ 22},q-OffsetFreq dB-20}}}

不过interFreqCarrierFreqList 是用来NR interFreq重选相关的参数。应该不会导致终端连注册消息都不发。

终端确实在附近的时间点退出了NR5G模块。需要定位是哪里发送了NR5G_RRC_DEACTIVATE_REQ NR5G_RRC_STACK_DEACTIVATE_REQI。

00:47:04.557373   RRC/HighFreq/High/NR5GRRC   [    nr5g_rrc_csp.c  13854] CSP: Received Deactivate request NR5G_RRC_DEACTIVATE_REQ. Reason : 0
00:47:04.558346   RRC/HighFreq/High/NR5GRRC   [ nr5g_rrc_stackmgr.c   3494] RRCSM: Received NR5G_RRC_STACK_DEACTIVATE_REQI, at state 5, stop_cause 0, scen 17

从终端日志和网络信令看，网络的SIB没有明显错误导致终端不注册。
所以需要从终端上层NAS模块查看，有无从NAS模块发送退出5G的命令。

查看上层协议日志

//这里看到终端已经成功搜到5G网络
00:47:04.486137 MM/HighFreq/High/REG [ reg_send.c    510] DS: SUB 0 =REG= CM_CAMPED_IND PLMN (XXX - XXX) Primary PLMN (XXX - XXX)
00:47:04.486170 MMODE/STRM/High/CM   [ cmregprx.c  13148] NAS->CMREG: sub 0 stk 0, CM_CAMPED_IND
00:47:04.550872 MM/HighFreq/High/REG [ reg_mode.c   9558] DS: SUB 0 =REG= Home MCC = XXX Home MNC = XXX
00:47:04.554016 MM/LowFreq/High/REG  [         reg_state.c   2973] DS: SUB 0 =REG= CM_SERVICE_REQ Scan Scope type=0 network_selection_mode 2 Additional_info=0 RAT Enabled BM = 0x1000, BST BM = 0x1000
00:47:04.554304 MM/LowFreq/High/REG  [ reg_send.c    856] DS: SUB 0 =REG= CM_SERVICE_CNF scan_status:1 msg.service_state.service_status: 1
00:47:04.554305 MM/LowFreq/High/REG  [ reg_send.c    880] DS: SUB 0 =REG= CM_SERVICE_CNF PLMN (XXX - XXX) Primary PLMN (XXX - XXX) blocked_for_no_voice 0
//但是不知为何NAS MM REG模块收到CM_STOP_MODE_REQ
00:47:04.557049 MM/LowFreq/High/REG  [         reg_state.c  11751] DS: SUB 0 =REG= CM_STOP_MODE_REQ stop_mode_reason 0
//转换成MMR_STOP_MODE_REQ
00:47:04.557155 MM/HighFreq/High/REG [ reg_send.c   2302] DS: SUB 0 =REG= MMR_STOP_MODE_REQ sent trans_id 0x67
//进一步向5G RRC发送命令NR5G_RRC_DEACTIVATE_REQ
00:47:04.557275 MM/LowFreq/High/MM   [       mm5g_rrc_if.c    434] DS: SUB 0 =MM5G= Sending NR5G_RRC_DEACTIVATE_REQ with reason = 0
00:47:04.557350 MM/HighFreq/High/SM  [sm5g_process_pdu_procedure.c   1805] DS: SUB 0 SM5G: NAS_MM5G_DETACH_IND Received,

进一步向上看日志，卡模块抛出MMGSDI_SESSION_ILLEGAL_SUBSCRIPTION_EVT，导致CM上报CM_PH_CMD_SUBSCRIPTION_NOT_AVAILABLE，即卡无效。进而退出5G驻网流程。

00:47:04.550000 MM/HighFreq/High/MM [mm_multimode_handler.c   5456] DS: SUB 0 =EMM= Moving to DEREGISTERED STATE, Update EPS security_context...
00:47:04.550146 MMODE/STRM/High/CM  [ cmmmgsdi.c   5559] UIM->CM: MMGSDI_SESSION_ILLEGAL_SUBSCRIPTION_EVT, session-id 103
00:47:04.550170 MM/HighFreq/High/SM [sm5g_process_pdu_procedure.c   1805] DS: SUB 0 SM5G: NAS_MM5G_DETACH_IND Received,
00:47:04.550179 MMODE/DEBUG/Low/CM  [       cm.c   9886] ->CM: phcmd 8: CM_PH_CMD_SUBSCRIPTION_NOT_AVAILABLE, cdma 1, gwl 0 sub 0, curr 5, true 5, active_subs 1, is_msim 100:47:04.550589 MMODE/STRM/High/CM  [     cmph.c  19463] PH_PROC: sub 0, CM_PH_CMD_SUBSCRIPTION_NOT_AVAILABLE is being processed cause:0, 5 1 0 0
00:47:04.550593 MMODE/STRM/High/CM  [     cmph.c  19473] SUBSCRIPTION_NOT_AVAILABLE sub_asub_id 0  1x_sub 0
00:47:04.550599 MMODE/STRM/High/CM  [     cmph.c  19554] SUBSC_NOT_AVAIL: sess_type 0 app_type 3
00:47:04.550702 MM/HighFreq/High/REG [         reg_state.c  13082] DS: SUB 0 =REG= LIMITED_SERVICE on HPLMN(XXX-XXX)
00:47:04.550760 MM/LowFreq/High/REG [ reg_send.c    880] DS: SUB 0 =REG= CM_SERVICE_CNF PLMN ( XXX- XXX) Primary PLMN (XXX - XXX) blocked_for_no_voice 0
00:47:04.552409 MMODE/STRM/High/CM  [     mmoc.c   5778] MMOC->PROT: DEACT_REQ to ACTIVE protocol: 5, reason: 6, sub 0 stk 0, insanity_count 0, ps_enabled 1
00:47:04.552414 MMODE/DEBUG/Low/CM  [  mmocdbg.c   1091] After event was processed: Curr_trans 1(SUBSC_CHGD), Trans_state 2(WAIT_DEACTD_CNF)
00:47:04.556994 MMODE/STRM/High/CM  [ cmregprx.c   4772] CMREG->NAS: sub 0 stk 0, Send STOP_MODE_REQ, reason=0
00:47:04.557017 MMODE/DEBUG/Low/CM  [      cmregprx_dbg.c    302] MMOC->CMREG: PROT_CMD_DEACTIVATE:trans_id 89 Reason 6, sub 0 stk 0
00:47:04.557049 MM/LowFreq/High/REG [         reg_state.c  11751] DS: SUB 0 =REG= CM_STOP_MODE_REQ stop_mode_reason 0
00:47:04.557155 MM/HighFreq/High/REG    [ reg_send.c   2302] DS: SUB 0 =REG= MMR_STOP_MODE_REQ sent trans_id 0x67

卡流程哪里出问题了呢？
从下面日志可知，终端第一次注册，进入向网络发送registration Request的流程。
Start registration procedure, reg type = 1,
由于第一次注册，终端没有GUTI，所以需要携带SUCI给网络。所以向卡发送生成SUCI的命令。即SUCI generation request sent to MMGSDI。
但是卡回复的SUCI的routing indicator有误。digit1 = 15, digit2 = 1, digit3 = 15, digit4 = 15。
按协议，15为FF即不不使用。比如如果routing indicator是3位，那么digit1 digit2 digit3 为非FF的值，digit4为FF. 但是卡返回的digit1 = 15, digit2 = 1。不可能digit1无效，而digit2中有有效值。所以routing indicator校验失败。日志打印SUCI parsing failed。
终端无法获取SUCI，就无法注册网络，进而无法驻网。

此问题到这里比较清楚了，专网卡有问题，生成suci中包含的的routing indicator无效，导致终端无法发送注册消息，进而终端无网络。

00:47:04.486137 MM/HighFreq/High/REG [ reg_send.c    510] DS: SUB 0 =REG= CM_CAMPED_IND PLMN (xxx - XXX) Primary PLMN (XXX- XXX)
00:47:04.486139 MM/HighFreq/High/MM  [mm5g_registration_handler.c   1103] DS: SUB 0 =MM5G= Start registration procedure, reg type = 1, reset_attempt_counter = 1, attempt counter = 0, REG Cause BM = 0x0 CS-For = 0
00:47:04.486157 MM/HighFreq/High/REG [         reg_state.c   1461] DS: SUB 0 =REG= sent message MS: 48   MSG_ID: 0
00:47:04.486236 MM/HighFreq/High/MM  [     mm5g_security.c   6788] DS: SUB 0 =MM5G= SUCI generation request sent to MMGSDI
00:47:04.549614 MM/HighFreq/High/MM  [     mm5g_security.c   7072] DS: SUB 0 =MM5G= Received SIM_MM_USIM_GET_SUCI_CNF, SUCI data len 53
00:47:04.549617 MM/HighFreq/Error/MM [     mm5g_security.c   6988] DS: SUB 0 =MM5G= MMGSDI returned incorrect routing inddigit1 = 15, digit2 = 1, digit3 = 15, digit4 = 15
00:47:04.549620 MM/HighFreq/Error/MM [     mm5g_security.c   7087] DS: SUB 0 =MM5G= MMGSDI returned status 0 in GET_SUCI_CNF or SUCI parsing failed00:47:04.549961 User Identity Module/High [  mmgsdisessionlib.c   6123] mmgsdi_session_manage_illegal_subscription0
00:47:04.549969 User Identity Module/High [  mmgsdisessionlib.c   6172] Queue of MMGSDI command: MMGSDI_SESSION_MANAGE_ILLEGAL_SUBSCRIPTION_REQ status 0x00
00:47:04.549996 User Identity Module/High [        mmgsdi_gen.c   2017] Application for session 72 is MARKED AS ILLEGAL BY REQUEST0
00:47:04.550070 User Identity Module/High [  qmi_uim.c  18401] qmi_uim_process_manage_illegal_card_evt with legal_status as 0x1000:47:04.549614 MM/HighFreq/High/MM  [     mm5g_security.c   7072] DS: SUB 0 =MM5G= Received SIM_MM_USIM_GET_SUCI_CNF, SUCI data len 53
00:47:04.549617 MM/HighFreq/Error/MM [     mm5g_security.c   6988] DS: SUB 0 =MM5G= MMGSDI returned incorrect routing inddigit1 = 15, digit2 = 1, digit3 = 15, digit4 = 15
00:47:04.549620 MM/HighFreq/Error/MM [     mm5g_security.c   7087] DS: SUB 0 =MM5G= MMGSDI returned status 0 in GET_SUCI_CNF or SUCI parsing failed

Routing indicator含义

Routing Indicator是suci中的字段。
在TS 23.502的4.2.2.2.2 General Registration中，指向了TS 33.501 5GS Architecture协议。查看此协议：
Routing Indicator: An indicator defined in TS 23.003 [19] that can be used for AUSF or UDM selection.
即Routing Indicator用来注册时AMF选择AUSF或UDM。 AUSF或UDM存储终端的注册和绑定信息。
在TS23.003-i50 Numbering, addressing and identification协议中，详细定义如下：
在这里插入图片描述
即：Routing Indicator路由指示符，由归属网络运营商分配并在USIM中提供的1到4个十进制数字组成，允许与归属网络标识符一起将包含SUCI字段的网络信令路由到能够为用户服务的AUSF和UDM实例。
路由指示器中的每个十进制数字都是有意义的（例如，值“012”与值“12”不同）。如果USIM或ME上没有配置路由指示符，则该数据字段应设置为值0（即仅由一个十进制数字“0”组成，即0FFF）。
此问题中卡返回的Routing Indicator digit1 = 15, digit2 = 1, digit3 = 15, digit4 = 15，即F1FF. 按照TS24.501 协议，只有不使用的高位数字才可以为15（FF）。所以卡应该返回 digit1 = 1, digit2 = 15, digit3 = 15, digit4 = 15.

如果卡不指定AUSF和UDM，则卡应该返回 digit1 = 0, digit2 = 15, digit3 = 15, digit4 = 15.
在这里插入图片描述

参考链接：
https://articles.zsxq.com/id_ful8uwunrrcj.html (1) 初始注册流程关键步骤分析 UE-ID 为suci
https://articles.zsxq.com/id_hgcezzezpli2.html 学习UERANSIM源码-registation相关文件
https://blog.csdn.net/qq_31985307/article/details/126440655 5G NR系列文章-5G标识符SUPI和SUCI