FreeCalypso > hg > gsm-net-reveng
comparison tmo/CSD-tests @ 71:ed314cc25b8d
tmo/CSD-tests: additional experiments and historical notes
| author | Mychaela Falconia <falcon@freecalypso.org> |
|---|---|
| date | Tue, 26 Nov 2024 20:56:33 +0000 |
| parents | 47947e25f922 |
| children | afebef67e8d4 |
comparison
equal
deleted
inserted
replaced
| 70:47947e25f922 | 71:ed314cc25b8d |
|---|---|
| 1 A series of experiments seeking to test CSD on the extant network of T-Mobile | 1 A series of experiments seeking to test CSD on the extant network of T-Mobile |
| 2 USA, to be performed while this network is still alive. The main objective is | 2 USA, to be performed while this network is still alive. The main objective is |
| 3 to test CSD calls between a single MS and analog (or PCMU-speaking) PSTN, rather | 3 to test CSD calls between a single MS and analog (or PCMU-speaking) PSTN, rather |
| 4 than mobile to mobile. | 4 than mobile to mobile. |
| 5 | |
| 6 All experiments detailed in the following sections were performed in 2024-11 | |
| 7 at the Mother's home base. | |
| 5 | 8 |
| 6 Test setup | 9 Test setup |
| 7 ========== | 10 ========== |
| 8 | 11 |
| 9 The test MS is an FCDEV3B with a legacy T-Mobile SIM. The AT command session | 12 The test MS is an FCDEV3B with a legacy T-Mobile SIM. The AT command session |
| 56 * NT mode was only tested with AT+CBST=7,0,1 default, i.e., 9600 baud and asking | 59 * NT mode was only tested with AT+CBST=7,0,1 default, i.e., 9600 baud and asking |
| 57 the IWF for V.32 modem. As revealed by L1 and CC traces, the network does | 60 the IWF for V.32 modem. As revealed by L1 and CC traces, the network does |
| 58 everything it should - but the MS returns NO CARRIER. However, further | 61 everything it should - but the MS returns NO CARRIER. However, further |
| 59 analysis of CC traces reveals that the DISCONNECT at CC level is initiated by | 62 analysis of CC traces reveals that the DISCONNECT at CC level is initiated by |
| 60 the MS and not by the network! My current working hypothesis is that the MS | 63 the MS and not by the network! My current working hypothesis is that the MS |
| 61 is unhappy about something it sees at RLP level. | 64 is unhappy about something it sees at RLP level. [See further updates in |
| 65 Experiment 6.] | |
| 62 | 66 |
| 63 Additional observations: | 67 Additional observations: |
| 64 | 68 |
| 65 * The MS issues a single SETUP message with BC indicating ITC of 3.1 kHz and the | 69 * The MS issues a single SETUP message with BC indicating ITC of 3.1 kHz and the |
| 66 selected CSD mode. The network responds with CALL PROCEEDING, ALERTING and | 70 selected CSD mode. The network responds with CALL PROCEEDING, ALERTING and |
| 169 and data calls dialed from the other TMO subscriber line. It appears that all | 173 and data calls dialed from the other TMO subscriber line. It appears that all |
| 170 MO CSD calls were treated by the network in "convert to modem emulation" mode | 174 MO CSD calls were treated by the network in "convert to modem emulation" mode |
| 171 despite the dialed number being another T-Mobile line; the MT leg always | 175 despite the dialed number being another T-Mobile line; the MT leg always |
| 172 received incoming voice calls. | 176 received incoming voice calls. |
| 173 | 177 |
| 174 It thus appears that a change has happened in TMO's network in this regard. | 178 Experiment 5 |
| 175 Many years ago, before I learned about T vs NT distinction and other critical | 179 ============ |
| 176 CSD parameters set with AT+CBST, when I would blindly dial ATDnumber, I was | 180 |
| 177 sometimes able to make a data call from a proper FreeCalypso test MS to a | 181 In this experiment I sought to capture TCH DL bits from the DSP in CSD modes in |
| 178 Pirelli phone running its official fw: the destination phone would ring and | 182 the same way how we do it in non-AMR speech modes. I added what seemed like |
| 179 display an incoming call screen, but it said "data call". For this feat to | 183 the necessary support in FC Tourmaline fw (Hg commit 304:58c7961bd0b0) and in |
| 180 have happened, there must have been a BC IE in the MT SETUP message when the | 184 fc-shell TCH handling code (freecalypso-tools Hg commit 1014:961efadd530a), and |
| 181 MO leg made a data call - hence the change between past and present bahaviour. | 185 made captures of CSD call sessions with +CBST set to (7,0,0), (6,0,0) and |
| 186 (2,0,0). However, as soon as I looked at the captured recordings, I was | |
| 187 immediately disappointed: while the beginning of each capture shows what look | |
| 188 like DL bits constituting idle frames (mostly all 1s, except where disturbed by | |
| 189 FACCH stealing), as soon as the IDS block kicks in, we read nothing but all 0s. | |
| 190 Is the IDS part of DSP ROM code overwriting the buffer with zeros after it groks | |
| 191 those bits? | |
| 192 | |
| 193 Also in this experiment session I tried setting AT+CBST=14,0,0 to see if TMO | |
| 194 supports TCH/F14.4. The network responded to SETUP with CALL PROCEEDING, but | |
| 195 whereas in other modes channel assignment happens almost immediately afterward, | |
| 196 here it stayed on SDCCH for several seconds, and then the network sent CC | |
| 197 DISCONNECT message with cause 34. This cause value means "No circuit/channel | |
| 198 available" - so it looks like TMO's unloved GSM network does not support | |
| 199 TCH/F14.4. | |
| 200 | |
| 201 Experiment 6 | |
| 202 ============ | |
| 203 | |
| 204 As I was writing up notes regarding what seemed like non-working state of NT | |
| 205 mode while all Transparent modes up to 9600 bps work great, I decided to test | |
| 206 with an older version of FC firmware, namely Magnetite l1reconst. In the | |
| 207 earlier years of FreeCalypso, I would frequently make CSD calls just for fun, | |
| 208 calling NIST ACTS, and it would always work - and being ignorant of T vs NT | |
| 209 and other mode settings, I never set AT+CBST and just dialed ATDnumber. Since | |
| 210 we now know that TI's firmware default is AT+CBST=7,0,1 and has always been | |
| 211 this way, we know that I was unknowingly exercising NT mode in those happy | |
| 212 years - hence I decided to try an older fw version from those years just to see | |
| 213 if it would have working NT mode. Tested - it worked! | |
| 214 | |
| 215 But then things got more interesting. I tested with Magnetite hybrid instead | |
| 216 of l1reconst - using the new source-enabled version of G23M PS. Result: it | |
| 217 seemed a little flaky, but it worked. Then I went back to current Tourmaline | |
| 218 fw, the same with which I started in Experiment 1. Did a call with | |
| 219 AT+CBST=7,0,0 serving as a control - it worked. Tried AT+CBST=7,0,1 - got a | |
| 220 NO CARRIER response; subsequent log analysis shows that the MS initiated CC | |
| 221 DISCONNECT just like in Experiment 1. Then I made another attempt, still with | |
| 222 AT+CBST=7,0,1 - and this time it worked beautifully: I got CONNECT followed by | |
| 223 the full 40 s of ACTS output. | |
| 224 | |
| 225 Thus we now know that NT mode working or not is not a question of firmware | |
| 226 version, but some kind of law of chance: time of day, space weather, phase of | |
| 227 the moon... | |
| 228 | |
| 229 NT mode: need for further debugging | |
| 230 =================================== | |
| 231 | |
| 232 The flaky nature of NT mode calls for further debugging: since we see | |
| 233 MS-initiated DISCONNECT on those tries when it fails, we really need to know | |
| 234 exactly what is making the MS unhappy. But this debugging is made difficult by | |
| 235 the misfeature of TI's DSP: in Experiment 5 I tried capturing TCH DL bits, but | |
| 236 all we get is zero fill once the IDS block is active. As next steps, we will | |
| 237 need to study the code that interfaces with this IDS block, and see what we can | |
| 238 observe at that interface level. | |
| 239 | |
| 240 T vs NT mode: utility vs complexity | |
| 241 =================================== | |
| 242 | |
| 243 Consider the IWF provided by the network, speaking CSD frame formats toward GSM | |
| 244 RAN and emulating analog modem signals toward 64 kbit/s PSTN, and consider the | |
| 245 work it has to do in T vs NT modes. It should be evident that NT mode is much | |
| 246 more complex: all of the work implementing V-series modulations is still needed | |
| 247 for both T and NT, but whereas T mode provides a direct path between the | |
| 248 emulated-modem "bit pump" and CSD V.110 frame bits, in NT mode the IWF has to | |
| 249 implement RLP on the GSM side, V.42 on the analog modem side, and make a high- | |
| 250 level data connection between these two engines of reliable transmission based | |
| 251 on acks, retries etc. Hence the "bug surface", the number of things that can | |
| 252 go wrong, is much greater for IWF in NT mode. | |
| 253 | |
| 254 OTOH, utility considerations traditionally called for NT mode. There are | |
| 255 *some* applications for which non-buffering, fixed-delay Transparent mode is | |
| 256 the right choice: precision time distribution as in NIST ACTS, train engine | |
| 257 communication in GSM-R etc - but such applications are more on the boutique | |
| 258 side. Instead consider the more typical application of a business user dialing | |
| 259 into his/her mainframe or UNIX minicomputer etc account while on the go: here | |
| 260 you have a user with a text terminal, and a server/service somewhere that prints | |
| 261 text for the user to read and expects text commands. In this case the user | |
| 262 would certainly appreciate if his/her session is *not* disturbed by dropouts or | |
| 263 garbage insertions from radio errors, from handover events or from line noise | |
| 264 on the PSTN leg - such users would certainly benefit from NT mode. Outside of | |
| 265 railways or other special environments, considering ordinary public GSM networks | |
| 266 intended for consumers and business users, in the days when CSD was a feature | |
| 267 of real user significance, NT mode was likely the more desired one for reasons | |
| 268 just explained. Yet it is the one which is much more onerous to implement... | |
| 269 | |
| 270 Lack of data-call indication from one T-Mobile MS to another | |
| 271 ============================================================ | |
| 272 | |
| 273 Looking at the specs for GSM CSD, the intent of the original Creators seems | |
| 274 clear: they intended CSD to run between an MS and services on the fixed network, | |
| 275 perhaps going through an IWF. In contrast, the case of mobile-to-mobile CSD | |
| 276 calls was NOT the canonical configuration - it was probably considered, but only | |
| 277 as a rather contrived and unlikely use case. But if someone does make a CSD | |
| 278 call addressed to another mobile, how should it work? | |
| 279 | |
| 280 In order for a CSD call to be directly through-connected from Alice to Bob, | |
| 281 Osmocom-style, without complex conversions and translations in the middle, two | |
| 282 conditions would have to be met: | |
| 283 | |
| 284 1) The connection element setting would have to be Transparent; | |
| 285 2) ISDN/UDI mode would need to be selected, rather than 3.1 kHz modem emulation. | |
| 286 | |
| 287 In this case the MO call will be turned into V.110 by the TRAU, no further IWF | |
| 288 would be applied at the MSC, the ISDN call would connect from Alice to Bob, the | |
| 289 destination MSC serving Bob would see that it's a data call, and it would | |
| 290 indicate so to Bob's MS. So far, so good. But the moment you add NT mode or | |
| 291 analog modem emulation, the above pass-through model breaks down: | |
| 292 | |
| 293 1) If the bearer cap IE on the MO call indicates ITC of 3.1 kHz audio instead | |
| 294 of UDI, Alice's MSC is supposed to pass the call through an IWF that does | |
| 295 modem emulation. Once that modem emulation is applied, the call going out | |
| 296 on ISDN is in 3.1 kHz audio mode, not digital data! | |
| 297 | |
| 298 2) NT mode does not seem to have ever been intended to carry from mobile user | |
| 299 Alice to mobile user Bob - instead it appears to have been intended to run | |
| 300 between a single MS and a network IWF only. The IWF then converts to V.42 | |
| 301 in the case of 3.1 kHz modem emulation, or to V.1xx/X.75/etc protocols in | |
| 302 the case of ISDN UDI, with or without V.42-like reliability through acks and | |
| 303 retransmissions. | |
| 304 | |
| 305 However, the above considerations stem from the architectural model _assumed_ | |
| 306 in ETSI GSM specs - whereas the question of what real-world GSM networks have | |
| 307 actually implemented needs to be asked separately. In the case of T-Mobile USA, | |
| 308 the behavior of the network upon own-subscriber Alice making a CSD call to own- | |
| 309 subscriber Bob appears to have changed over the years: | |
| 310 | |
| 311 * In my earlier years of FreeCalypso work, when I made CSD calls from FC GSM MS | |
| 312 just for fun while being ignorant of T vs NT modes and other +CBST settings, | |
| 313 I would call NIST ACTS to get a truly successful session. But I also | |
| 314 experimented a little with mobile-to-mobile CSD. Unfortunately, I never put | |
| 315 together a proper setup with two FC GSM MS boards powered up and connected to | |
| 316 my laptop at the same time, fitted with two active T-Mobile SIMs, one calling | |
| 317 the other - but I did dial CSD a few times from a single "proper" GSM MS | |
| 318 (probably FCDEV3B, although I don't remember exactly) to my main personal-use | |
| 319 T-Mobile line whose SIM sat in a Pirelli DP-L10 running its official fw. | |
| 320 I don't remember if I got this degree of success reliably every time or if it | |
| 321 was intermittent - but I did get an incoming call indication on the Pirelli | |
| 322 that said "incoming data" or something to that effect. I don't remember | |
| 323 exactly what happened afterward, but my vague recollection (subject to the | |
| 324 caveats about wetware memory after many years of attention being shifted in | |
| 325 very different directions) is that the phone would ring with this "incoming | |
| 326 data" indication on the screen, but once I pressed the Answer button, the | |
| 327 call attempt would drop - and curiously enough, turn into a "missed call" | |
| 328 indication. I don't have good memory of what the call-originating FC GSM MS | |
| 329 would show: I seem to recall it going directly to NO CARRIER upon me pressing | |
| 330 Answer on the Pirelli, but I also seem to recall at least once getting a | |
| 331 CONNECT response, presumably followed by NO CARRIER shortly afterward. | |
| 332 | |
| 333 * In terms of memory reliability, the only part I do remember for certain is | |
| 334 that the call-receiving Pirelli phone (running its official fw) _did_ display | |
| 335 a "ringing" screen that said something along the lines of "incoming data" - | |
| 336 IOW, it very clearly indicated the presence of an incoming call that was data | |
| 337 rather than voice, even though of course this phone has no official Terminal | |
| 338 Adaptor Function and no ability to meaningfully accept such calls. This | |
| 339 indication implies that the MT SETUP message from the network must have | |
| 340 included a bearer cap IE that indicated non-speech - although unfortunately | |
| 341 I have no logs (back then I wasn't looking at CC or any other air interface | |
| 342 messages), thus we don't know if it was a pass-through of BC from the MO leg | |
| 343 or altered in some way. The remaining memories of everything else that | |
| 344 happened after this logically-deduced MT SETUP should be treated as | |
| 345 unreliable. | |
| 346 | |
| 347 * When I tried replicating in the present time (2024-11) the just-described | |
| 348 result from many years ago, I had no success: see description of Experiment 4 | |
| 349 above. Now when I dial a CSD call from one of my legacy T-Mobile SIMs to | |
| 350 another, the receiving MS gets an MT SETUP message that contains no BC IE at | |
| 351 all, same as with calls coming from outside PSTN, the call rings as voice, | |
| 352 and gets assigned TCH/AHS like other speech calls. And because the modem- | |
| 353 emulating CSD IWF in the MO direction initially emits silence while waiting | |
| 354 for the answering modem, silence is what the receiving phone hears in this | |
| 355 errant setup. |