Emil Tool for 4g

Emil Tool for LTE field debugging

Confidential

LTE field Troubleshooting Current situation t roubleshooting information • Main sources for troubleshooting • KPI counters from NetAct •  Alarm history from NetAct • UE terminal logs from drive tests • Local SysLog traces & Local TTI traces • BTS Snapshots • Commercial Interface analyzer • Process for Troubleshooting • Check from KPI counters problematic behaving cells/sites • Check alarms for outages information • Fetch snapshots from problematic sites and forward to R&D to see if snapshot files contain any useful information • Check protocol traces for fault details in S1 level • Check are any SysLogs available -> If not try to install BTSLog to site and arrange drive tests for getting UE terminal logs • If logs don’t contain useful information, discuss with R&D how to arrange additional prints to logs

Confidential

LTE field Troubleshooting Current problems • Log sizes • CPU inside eNB produce several Mbytes logs in one second • No centralized debugging system can handle all logs for multiple BTS • Big logs can not be distributed easily across different parties

• IPSec • S1 can not be traced t raced unless ciphering key is available

• NAS ciphering • NAS protocol in encrypted and can not be decoded without encryption key

• Mobility and call trace without IMSI • Many different call and cell identifiers in

different SW levels, which are difficult to map with each other • IMSI is not available in LTE RAN like in WCDMA

• Different kinds of protocols and

• Volatile Volatile information • Information is available in logs only a short period of time

• Limited transmission and processor

capacity • Only limited capacity can be allocated for debugging

• Operator owned networks • Operator has to accept tools and related costs for debugging and troubleshooting

• Flat network architecture • Logs and relevant information are

distributed across whole LTE network in eNB, no central node where to debug

• Debugging does not cause eNB crashes or performance degradation • Debugging affects multiple SC • Network debugging effect to eNB/SC is not necessarily tested in lab

• UP statistics interfaces • UP control information creates huge • Many different kinds of encoders needed amount of data to 1 ms TTI

Confidential

Security issues Security Risks

•

Emil includes eNB IP addresses and FTM remote test port passwords • Restrict Emil access only to dedicated personnel • Emil will remove IMSI and IMEI • Should not be a security risk, but must be tested that in customer network to be working • Emil may crash like other Windows applications • To be sure that it is not affecting NetAct performance a separate PC is recomended for tracing • Emil Traces include information about site names and network quality • Traces should be maintained like other confidential information and documents Confidential

Emil practical arrangements IMSI removal UL-DCCH-Message : { message c1 : rrcConnectionSetupComplete : { rrc-TransactionIdentifier 2, criticalExtensions c1 : rrcConnectionSetupComplete-r8 rrcConnectionSetupComplete-r8 : { selectedPLMN-Identity 1, dedicatedInfoNAS '07 41 71 08 09 00 00 00 00 00 00 00 03 E0 E0 00 00 1D 02 01 D0 11 27 17 80 80 21 10 01 00 00 10 81 06 00 00 00 00 83 06 00 00 00 00 00 0A 00 31 03 E5 C0 04'H } } } Decoded NAS message: EMM:ATTACH REQUEST PROTOCOL DISCRIMINATOR DISCRIMINATOR ----0111 EPS MOBILITY MANAGEMENT MANAGEMENT Security header type 0000---- Not security protected MESSAGE TYPE 01000001 ATTACH REQUEST NAS KEY SET IDENTIFIER IE TCS 0------NAS key set identifier -111---- No key is available EPS ATTACH TYPE IE Spare ----0--EPS Attach Type -----001 EPS Attach EPS MOBILE IDENTITY IE Length 00001000 8 Identity digit 1 0000---- 0 Odd/even indication ----1--- odd Type of identity -----001 IMSI Identity digit 3 0000---- 0 Identity digit 2 ----0000 0 Identity digit 5 0000---- 0 Identity digit 4 ----0000 0 Identity digit 7 0000---- 0 Identity digit 6 ----0000 0 Identity digit 9 0000---- 0 Identity digit 8 ----0000 0 Identity digit 11 0000---- 0 Identity digit 10 ----0000 0 Identity digit 13 0000---- 0 Identity digit 12 ----0000 0 Identity digit 15 0000---- 0 Confidential

IMSI is visible both in RRC and S1AP NAS messages. Bits containing IMSI digits are overwritten with zero during tracing before saving data

criticality ignore, value RRC-Establishment-Cause : mo-Signalling } } } } Decoded NAS message: EMM:ATTACH REQUEST PROTOCOL DISCRIMINAT OR ----0111 EPS MOBILITY MANAGEME Security header type 0000---- Not security protected MESSAGE TYPE 01000001 ATTACH REQUEST NAS KEY SET IDENTIFIER IE TCS 0------NAS key set identifier EPS ATTACH TYPE IE Spare EPS Attach Type

-111---- No key is available ----0-------001 EPS Attach

EPS MOBILE IDENTITY IE Length 00001000 8 Identity digit 1 Odd/even indication Type of identity Identity digit 3 Identity digit 2 Identity digit 5 Identity digit 4 Identity digit 7 Identity digit 6 Identity digit 9 Identity digit 8 Identity digit 11

UE can report 0000---- 0 IMSI in NAS ----1--- odd -----000 reserved ATTACH 0000---- 0 REQUEST, ----0000 0 TRACKING 0000---- 0 ----0000 0 AREA UPDATE 0000---- 0 REQUEST or ----0000 0 0000---- 0 IDENTITY ----0000 0 RESPONSE 0000---- 0

Identity digit 10

----0000 0

Identity digit 13 12

0000---- 0 ----0000 0