After a device is powered on, how does it automatically select a suitable network to attach to, and how does it confirm that the selected cell can actually be camped on? Using the Qualcomm platform as the example, this article walks through the whole flow, from SIM detection to registration on a suitable cell.
The LTE protocol stack is basically divided into NAS (Non-Access Stratum), AS (Access Stratum) and PHY. The basic architecture on the Qualcomm platform is shown in the figure below:
Call Manager is the upper-layer application; this part also includes the UIM module that detects the SIM, among others.
The LTE NAS layer includes ESM, REG and EMM.
The LTE AS layer includes RRC, PDCP, L1, RLC and so on; the focus here is RRC (Radio Resource Control).
The figure below shows a simplified flow of LTE automatic network search and attach:
Automatic network search
From the NAS point of view, the initiator of the entire search-and-attach flow is the CM module. The QXDM log is as follows:
[0005/0002] MSG Call Manager/High [cmregprx.c 3261] =CMREGPRX= AS_ID=0, stack=0, addl 0, Send SERVICE_REQ
[0005/0002] MSG Call Manager/High [cmregprx.c 3275] =CMREGPRX= mode_pref 5 //LTE-ONLY
[0005/0002] MSG Call Manager/High [cmregprx.c 3282] =CMREGPRX= net_sel_mode 0 // AUTOMATIC
[0005/0002] MSG Call Manager/High [ cmregprx.c 3285] =CMREGPRX= srv_domain 3, req_id = 0 //CS+PS
[0005/0002] MSG Call Manager/High [ cmwll.c 223] =CM= Send cmd 2 to REG
Manual network search
CM first sends NETWORK_LIST_REQ to the NAS layer to search for networks, then sends SERVICE_REQ to register on the chosen network.
[0005/0002] MSG Call Manager/High [ cmregprx.c 3874] =CMREGPRX= AS_ID=0, stack=0, Send NETWORK_LIST_REQ
[0005/0002] MSG Call Manager/High [ cmregprx.c 3877] =CMREGPRX= mode_pref 5
[0005/0002] MSG Call Manager/High [ cmregprx.c 3880] =CMREGPRX= band_pref 00
[0005/0002] MSG Call Manager/High [ cmwll.c 223] =CM= Send cmd 1 to REG
Result at the NAS layer:
[3010/0002/0003/0004] MSG NAS REG/High [ reg_state.c 8487] DS: SUB 1 =REG= CM_NETWORK_LIST_REQ
[3010/0002/0003/0004] MSG NAS REG/High [ reg_mode.c 4644] DS: SUB 1 =REG= Available PLMN Manual list (length = 3)
[3010/0002] MSG NAS REG/High [ reg_mode.c 1543] 0 460- 01 LTE PS_ONLY HPLMN H 87
[3010/0002] MSG NAS REG/High [ reg_mode.c 1548] 1 460- 00 F LTE PS_ONLY OTHER H 87
[3010/0002] MSG NAS REG/High [ reg_mode.c 1553] 2 460- 11 F LTE PS_ONLY OTHER H 100
The following sections only describe the automatic network search flow.
QXDM Filter : message packets/ call manager
The most important function of REG is the selection of PLMN (Public Land Mobile Network) and RAT (Radio Access Technology); put simply, it searches for a network according to the SIM's operator and the radio technologies the device supports. For example, with a China Unicom LTE SIM inserted, the PLMN for automatic search should be MCC 460 with MNC 1/6/9/20; base stations belonging to China Mobile or China Telecom may be found, but the device does not automatically camp on them.
So the REG module first needs to read the information in the SIM card. The following concepts are needed:
RPLMN – Last Registered PLMN // the PLMN registered on last time
HPLMN – Home PLMN // home PLMN, built into the SIM
EHPLMN – Equivalent HPLMN // PLMNs treated as equivalent to the home PLMN
VPLMN – Visitor PLMN
PPLMN – Preferred PLMN
OPLMN – Operator Preferred PLMN
UPLMN – User Preferred PLMN
FPLMN – Forbidden PLMN // PLMNs on which registration was rejected
The information in the SIM card can be read with a card reader; it is stored as EFs (Elementary Files), specifically:
EFIMSI – IMSI
EFPLMNwAcT – User-controlled PLMN selector with Access Technology //PLMN RAT
EFHPPLMN – Higher-priority PLMN search period
EFFPLMN – Forbidden PLMNs // FPLMN
EFLOCI – Location information
EFOPLMNwACT – Operator-controlled PLMN selector with Access Technology
EFHPLMNwAcT – Home HPLMN selector with Access Technology //HPLMN RAT
EFEHPLMN – Equivalent HPLMN // EHPLMN
EFLRPLMNSI – Last RPLMN selection indication // RPLMN
EFPSLOCI – Packet-switched location information
EFEPSLOCI – EPS location information
Besides the EFs, the REG module also needs the device configuration from the UE NV items and the UE EFS:
NVs Used by the UE
NV 1190, NV_RPLMNACT_I – Stores the last RPLMN RAT information
NV 849, NV_NET_SEL_MODE_PREF_I – manual or automatic network selection
NV 850, NV_SERVICE_DOMAIN_PREF_I – Domain CS or PS
EFS Used by the UE
/sd/rat_acq_order : RAT priority list used in PLMN selection (LTE, UMTS, GSM)
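The following is an added example, not code from the article or from the Qualcomm modem: it decodes PLMN records the way they are stored in the SIM EFs listed above and applies the automatic selection order REG follows (RPLMN, then HPLMN/EHPLMN, then the user list, then the operator list, skipping FPLMNs, with the RAT order playing the role of /sd/rat_acq_order). All SIM contents and the "available" PLMN list are constructed sample values.

```python
# Added example, not code from the original article or the Qualcomm modem.
# SIM EF record layouts follow TS 24.008 (3-byte BCD PLMN) and TS 31.102 (AcT bitmap);
# every EF body and air-interface result below is a constructed sample.

def decode_plmn(raw: bytes) -> str:
    """3-byte BCD PLMN -> 'MCC-MNC'; a high nibble of 0xF in byte 2 means a 2-digit MNC."""
    mcc = f"{raw[0] & 0xF}{raw[0] >> 4}{raw[1] & 0xF}"
    mnc = f"{raw[2] & 0xF}{raw[2] >> 4}"
    if raw[1] >> 4 != 0xF:
        mnc += str(raw[1] >> 4)
    return f"{mcc}-{mnc}"

def decode_act(raw: bytes) -> set:
    """2-byte access-technology bitmap of the *wAcT files: byte1 0x80 UTRAN, 0x40 E-UTRAN; byte2 0x80 GSM."""
    bits = ((0, 0x80, "UMTS"), (0, 0x40, "LTE"), (1, 0x80, "GSM"))
    return {rat for idx, mask, rat in bits if raw[idx] & mask}

def parse_wact(ef: bytes) -> list:
    """Split an EF_PLMNwAcT / EF_OPLMNwAcT body into (plmn, rats) records of 5 bytes;
    unused records are padded with 0xFF and skipped."""
    recs = []
    for i in range(0, len(ef) - 4, 5):
        if ef[i:i + 3] != b"\xff\xff\xff":
            recs.append((decode_plmn(ef[i:i + 3]), decode_act(ef[i + 3:i + 5])))
    return recs

def select_plmn(rplmn, hplmn, ehplmn, uplmn, oplmn, fplmn, available,
                rat_order=("LTE", "UMTS", "GSM")):
    """First (plmn, rat) an automatic search would register on, or None.
    'available' maps PLMNs found on air to the RATs they were found on."""
    any_rat = set(rat_order)
    order = [(p, any_rat) for p in ([rplmn] if rplmn else []) + [hplmn] + ehplmn]
    order += uplmn + oplmn           # user-preferred before operator-preferred
    for plmn, rats in order:
        if plmn in fplmn or plmn not in available:
            continue                 # forbidden, or not seen by RRC
        for rat in rat_order:        # RAT priority as in /sd/rat_acq_order
            if rat in rats and rat in available[plmn]:
                return plmn, rat
    return None

# Constructed EF bodies: EF_PLMNwAcT = 460-01 (LTE+UMTS), 460-06 (LTE), one empty record;
# EF_FPLMN = 460-00. RRC found 460-01, 460-00 and 460-11 on LTE.
SAMPLE_PLMNWACT = bytes.fromhex("64f010c000" "64f0604000" "ffffff0000")
SAMPLE_FPLMN = [decode_plmn(bytes.fromhex("64f000"))]
SAMPLE_AVAILABLE = {"460-01": {"LTE"}, "460-00": {"LTE"}, "460-11": {"LTE"}}
```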
In automatic attach, the whole PLMN and RAT selection flow inside REG is as follows:
As seen from the CM module, the signal that kicks off the whole attach process is CM_SERVICE_REQ, and the REG function that handles it is reg_state_process_cm_service_req. The code flow matches the figure above; refer to the code for details, which are not covered here. Finally, REG sends MMR_REG_REQ, passing the selected PLMN and RAT to EMM:
[3010/0002/0003/0004] MSG NAS REG/High [ reg_send.c 1585] DS: SUB 1 =REG= MMR_REG_REQ PLMN(460-1) RAT(LTE)
[3007/0002/0003/0004] MSG NAS MM/High [ emm_reg_handler.c 856] DS: SUB 1 =EMM= MMR_REG_REQ - Srv Domain 3, NW Sel Mode 0, Type 2 //CS+PS, automatic search, normal
[3007/0002/0003/0004] MSG NAS MM/High [ emm_reg_handler.c 860] DS: SUB 1 =EMM= MMR_REG_REQ - Addtnl info 0x0
Code path: mmcp\nas\reg
Entry function: reg_main
QXDM Filter : message packets/UMTS/NAS
EMM forwards the REG request to RRC:
[3007/0002/0003/0004] MSG NAS MM/High [ emm_rrc_if.c 522] DS: SUB 1 EMM: Sent LTE_RRC_SERVICE_REQ scan_scope 0
Code path: mmcp\nas\mm
QXDM Filter : message packets/UMTS/NAS
In the network search flow, the AS layer's key work is concentrated in the RRC (Radio Resource Control) layer. The entry point is the LTE_RRC_SERVICE_REQ mentioned above at the NAS layer; this signal carries the PLMN, RAT and other information selected by REG down to RRC.
According to the figure above, the RRC search process can be divided into the following steps:
There are two types of frequency scan (a system scan based on the acquisition database, and a band scan):
The acq_db can be viewed with the EFS tool, at path nv/reg_files/modem/lte/rrc/csp
RRC initiates a system scan. From the log below we can see that the acq db recorded the result of the previous scan: two cells with EARFCN 450 and 1650, on band 1 and band 3 respectively.
[9501/0002/0009] MSG LTE RRC/High [ lte_rrc_csp.c 7321] CSP:final system scan list for acd db = 450
[9501/0002/0009] MSG LTE RRC/High [ lte_rrc_csp.c 7321] CSP:final system scan list for acd db = 1650
[9501/0000/0009] MSG LTE RRC/Low [ lte_rrc_csp.c 7326] CSP: Found 2 systems to scan
[9501/0002/0015] MSG LTE RRC/High [ lte_rrc_llc.c 1206] Sent System Scan Request
After receiving the System Scan request, the PHY layer scans these two frequency points and finally reports the energy measured on each:
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 5852] SM_fs: System Scan Results, num systems found 2
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 5900] SM_fs: earfcn 1650 bw 100 scaled energy linear 0x22 dBm -96
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 5900] SM_fs: earfcn 450 bw 100 scaled energy linear 0x10 dBm -99
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 7818] SM FS :fscan object schedule/deschedule 0 min_act_window 0@ time 0x00000cb9f
As mentioned earlier, these two frequency points have already been scanned before, so both are regarded as meeting the PLMN/RAT selection criteria. RRC then picks the one with the stronger signal for cell search, in this case EARFCN 1650:
[9501/0000/0009] MSG LTE RRC/Low [ lte_rrc_csp.c 4275] CSP: Acq requested on earfcn 1650
[9501/0002/0009] MSG LTE RRC/High [ lte_rrc_csp.c 6346] CSP: Zero entries in acquistion list
[9501/0002/0009] MSG LTE RRC/High [ lte_rrc_csp.c 9019] CSP: Acquisition list exhausted
[9501/0000/0009] MSG LTE RRC/Low [ lte_rrc_csp.c 4139] CSP: Sending 1 bands in band scan
[9501/0000/0009] MSG LTE RRC/Low [ lte_rrc_csp.c 4159] CSP: Band 1
[9501/0002/0009] MSG LTE RRC/High [ lte_rrc_csp.c 4174] CSP: Sent Band Scan Request
If the acq_db is empty, RRC initiates a band scan instead. Log:
[9501/0002/0009] MSG LTE RRC/High [ lte_rrc_csp.c 6346] CSP: Zero entries in acquistion list
[9501/0002/0009] MSG LTE RRC/High [ lte_rrc_csp.c 9019] CSP: Acquisition list exhausted
[9501/0000/0009] MSG LTE RRC/Low [ lte_rrc_csp.c 4139] CSP: Sending 1 bands in band scan
[9501/0000/0009] MSG LTE RRC/Low [ lte_rrc_csp.c 4159] CSP: Band 1
[9501/0002/0009] MSG LTE RRC/High [ lte_rrc_csp.c 4174] CSP: Sent Band Scan Request
Scan results:
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3338] SM_fs: Band 1 scan complete, num systems reported 14
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 1 earfcn 226 bw 25 energy norm dBm -65
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 2 earfcn 225 bw 25 energy norm dBm -65
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 3 earfcn 227 bw 25 energy norm dBm -65
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 4 earfcn 276 bw 25 energy norm dBm -65
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 5 earfcn 275 bw 25 energy norm dBm -65
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 6 earfcn 277 bw 25 energy norm dBm -66
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 7 earfcn 450 bw 100 energy norm dBm -68
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 8 earfcn 451 bw 100 energy norm dBm -68
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 9 earfcn 449 bw 100 energy norm dBm -68
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 10 earfcn 452 bw 100 energy norm dBm -68
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 11 earfcn 448 bw 100 energy norm dBm -68
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 12 earfcn 100 bw 100 energy norm dBm -75
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 13 earfcn 101 bw 100 energy norm dBm -75
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 14 earfcn 102 bw 100 energy norm dBm -75
[9509/0002] MSG LTE ML1/High [ lte_ml1_mgr_task.c 1609] HST DEBUG: received UMID 67241039
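As an added example (not code from the article or the Qualcomm modem), the snippet below parses the ML1 SM_fs result lines of both the system scan and the band scan shown above, maps each EARFCN to its band and downlink carrier frequency using the TS 36.101 relation F_DL = F_DL_low + 0.1 * (N_DL - N_Offs_DL), and ranks the candidates strongest first, which is the order RRC tries them in. The sample log lines are constructed from the formats above; the band table covers only the bands listed in the comment.

```python
import re

# Added example, not code from the original article or the Qualcomm modem.
# band: (F_DL_low MHz, N_Offs_DL, N_DL_max) from TS 36.101, for bands commonly used in China
BANDS = {1: (2110.0, 0, 599), 3: (1805.0, 1200, 1949), 38: (2570.0, 37750, 38249),
         39: (1880.0, 38250, 38649), 40: (2300.0, 38650, 39649), 41: (2496.0, 39650, 41589)}
# the 'bw' field in SM_fs lines is a resource-block count; map it to channel bandwidth
RB_TO_MHZ = {6: 1.4, 15: 3, 25: 5, 50: 10, 75: 15, 100: 20}

# matches both "SM_fs: earfcn N bw B ... dBm X" and "SM_fs: System k earfcn N bw B ... dBm X"
SCAN_RE = re.compile(r"SM_fs: .*?earfcn (\d+) bw (\d+) .*?dBm (-?\d+)")

def earfcn_to_band(earfcn: int):
    """Return (band, F_DL in MHz) or None if the EARFCN is outside the known bands."""
    for band, (f_low, n_offs, n_max) in BANDS.items():
        if n_offs <= earfcn <= n_max:
            return band, round(f_low + 0.1 * (earfcn - n_offs), 1)
    return None

def parse_scan(lines):
    """Extract (earfcn, bandwidth MHz, energy dBm) from each matching log line."""
    found = []
    for line in lines:
        m = SCAN_RE.search(line)
        if m:
            earfcn, rb, dbm = int(m[1]), int(m[2]), int(m[3])
            found.append((earfcn, RB_TO_MHZ.get(rb, rb), dbm))
    return found

def rank_candidates(lines):
    """Strongest energy first, each entry (earfcn, (band, F_DL), bw MHz, dBm);
    the head of the list is the EARFCN RRC would request acquisition on first."""
    ranked = sorted(parse_scan(lines), key=lambda s: s[2], reverse=True)
    return [(e, earfcn_to_band(e), bw, dbm) for e, bw, dbm in ranked]

# Constructed sample lines in the two SM_fs formats, plus one non-result line
SAMPLE_LOG = [
    "[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 5852] SM_fs: System Scan Results, num systems found 2",
    "[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 5900] SM_fs: earfcn 1650 bw 100 scaled energy linear 0x22 dBm -96",
    "[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 5900] SM_fs: earfcn 450 bw 100 scaled energy linear 0x10 dBm -99",
    "[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_fs.c 3350] SM_fs: System 1 earfcn 226 bw 25 energy norm dBm -65",
]
```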
Cell search then starts from the first frequency point.
QXDM Filter : MESSAGE PACKETS/LTE/RRC&ML1
The purpose of UE cell search is:
1. To obtain the physical cell ID and complete downlink synchronization, which is essentially the detection of the PSS (Primary Synchronization Signal) and SSS (Secondary Synchronization Signal). Once the UE detects the PSS and SSS it can decode the physical cell ID, and from the positions of the PSS and SSS it can determine the downlink subframe timing, completing downlink synchronization.
2. After downlink synchronization, to decode the PBCH and obtain the MIB (MasterInformationBlock), and with it the RS (Reference Signal) needed to decode the subsequent SIBs (SystemInformationBlocks).
Detection of the PSS and SSS can be thought of as detecting a broadcast signal that the cell transmits in a specific frequency range and at a specific time-domain position.
(1) Time-domain position
For LTE-FDD, the PSS appears periodically in the last OFDM symbol of slot 0 and slot 10, and the SSS in the second-to-last symbol of slot 0 and slot 10.
For LTE-TDD, the PSS appears periodically in the third OFDM symbol of subframes 1 and 6, and the SSS in the last symbol of subframes 0 and 5.
If the UE does not know beforehand whether the cell is FDD or TDD, it can determine the duplex mode from this difference in position. In addition, the SSS sequence differs between the two subframes, which lets the UE distinguish slot 0 from slot 10.
(2) Frequency-domain position
The PSS and SSS are mapped onto the 6 RBs in the middle of the bandwidth. Because both are 62-point sequences, both synchronization signals are mapped onto the central 62 subcarriers (62 REs) of the whole bandwidth (regardless of whether it is 1.4 MHz or 20 MHz), one sequence point per RE. The 5 subcarriers on either side of the 62 carry no other data.
Once the position of slot 0 is confirmed, downlink synchronization is complete and the position of the MIB is known. MIB parsing has little to do with network search and is not detailed here; what matters is that only after the MIB is parsed can the subsequent SIB information be decoded.
The SIBs provide the UE with the parameters needed for cell camping, retransmission, link establishment and so on. LTE has many SIB types; some are introduced below. The most important of all is SIB1, because in addition to the parameters the UE needs to access the cell, SIB1 carries the scheduling information for the other SIB types. If the UE cannot decode SIB1, it cannot decode any other SIB either.
SIB1: mainly carries cell access and cell selection information, as well as the LTE-TDD subframe configuration and the scheduling and window information of the other SIBs.
SIB2: mainly carries common radio resource configuration, including access barring information, PRACH configuration, uplink frequency information, MBSFN configuration and so on.
SIB3: carries common information for intra-frequency, inter-frequency and inter-RAT cell reselection.
SIB4: carries neighbour cell information for intra-frequency cell reselection.
SIB5: carries neighbour cell information for inter-frequency cell reselection.
SIB6: carries neighbour cell information for inter-RAT (UTRA) cell reselection.
SIB7: carries neighbour cell information for inter-RAT (GERAN) cell reselection.
SIB8: carries neighbour cell information for inter-RAT (CDMA2000) cell reselection.
SIB9: carries information about the Home eNB (HNB).
QXDM Filter : LOG PACKETS(OTA)/LTE
After the above steps the UE has complete information about the cell, so next it must determine whether the cell can be camped on. The criteria are:
1. The cell's PLMN must match the SIM's PLMN;
2. The cell is not barred;
3. The cell satisfies the S criterion, i.e. the received power measured during cell search Srxlev > 0 dB and the received signal quality Squal > 0 dB.
The S criterion requires the following two conditions:
Srxlev = Qrxlevmeas - (qRxLevMin + qRxLevMinOffset) - pCompensation
Squal = Qqualmeas - (qQualMin + qQualMinOffset)
The following QXDM log shows that this cell satisfies the S criterion:
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_idle.c 4050] Cell (1650,43) Srxlev 18, rsrp -106 rsrq -14 qrx -124 qrx_off 0 pmax 23 pcomp 0
[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_idle.c 4141] Cell (1650,43) Squal 114, LL RSRQ -14 normalized rsrq -14 q_qual -128 q_qual_off 0
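As an added example (not code from the article or the Qualcomm modem), the snippet below recomputes the S criterion from the two ML1 lines above with the formulas just given, checks that the recomputed Srxlev and Squal agree with the values the modem logged, and applies the camping decision (both > 0). pCompensation is derived as max(pmax - UE power class, 0), the TS 36.304 definition, with a 23 dBm power class assumed; the second cell in the sample is a constructed weak cell that fails the criterion.

```python
import re

# Added example, not code from the original article or the Qualcomm modem.
# Field names follow the lte_ml1_sm_idle.c lines quoted in the article; the second
# cell's lines are constructed to show a cell that fails the S criterion.
RX_RE = re.compile(r"Cell \((\d+),(\d+)\) Srxlev (-?\d+), rsrp (-?\d+) rsrq (-?\d+) "
                   r"qrx (-?\d+) qrx_off (-?\d+) pmax (-?\d+) pcomp (-?\d+)")
QUAL_RE = re.compile(r"Cell \((\d+),(\d+)\) Squal (-?\d+), .*?normalized rsrq (-?\d+) "
                     r"q_qual (-?\d+) q_qual_off (-?\d+)")

UE_POWER_CLASS_DBM = 23  # assumption: power class 3 UE

def srxlev(qrxlevmeas, qrxlevmin, qrxlevmin_offset, pemax, power_class=UE_POWER_CLASS_DBM):
    """Srxlev = Qrxlevmeas - (qRxLevMin + qRxLevMinOffset) - pCompensation (dB)."""
    pcomp = max(pemax - power_class, 0)  # TS 36.304 pCompensation
    return qrxlevmeas - (qrxlevmin + qrxlevmin_offset) - pcomp

def squal(qqualmeas, qqualmin, qqualmin_offset):
    """Squal = Qqualmeas - (qQualMin + qQualMinOffset) (dB)."""
    return qqualmeas - (qqualmin + qqualmin_offset)

def evaluate_cells(lines):
    """Map (earfcn, pci) -> (srxlev, squal, suitable, matches_logged_values)."""
    cells = {}
    for line in lines:
        if m := RX_RE.search(line):
            v = srxlev(int(m[4]), int(m[6]), int(m[7]), int(m[8]))
            cells.setdefault((int(m[1]), int(m[2])), {})["rx"] = (v, v == int(m[3]))
        elif m := QUAL_RE.search(line):
            v = squal(int(m[4]), int(m[5]), int(m[6]))
            cells.setdefault((int(m[1]), int(m[2])), {})["q"] = (v, v == int(m[3]))
    result = {}
    for key, d in cells.items():
        if "rx" in d and "q" in d:                     # need both lines for a verdict
            (rx, rx_ok), (q, q_ok) = d["rx"], d["q"]
            result[key] = (rx, q, rx > 0 and q > 0, rx_ok and q_ok)
    return result

SAMPLE_LOG = [
    "[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_idle.c 4050] Cell (1650,43) Srxlev 18, rsrp -106 rsrq -14 qrx -124 qrx_off 0 pmax 23 pcomp 0",
    "[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_idle.c 4141] Cell (1650,43) Squal 114, LL RSRQ -14 normalized rsrq -14 q_qual -128 q_qual_off 0",
    "[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_idle.c 4050] Cell (450,7) Srxlev -3, rsrp -127 rsrq -20 qrx -124 qrx_off 0 pmax 23 pcomp 0",
    "[9509/0002] MSG LTE ML1/High [ lte_ml1_sm_idle.c 4141] Cell (450,7) Squal 108, LL RSRQ -20 normalized rsrq -20 q_qual -128 q_qual_off 0",
]
```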
The UE then camps on the cell and notifies the NAS layer:
[9501/0000/0009] MSG LTE RRC/Low [ lte_rrc_csp.c 17669] CSP: Camped on physical cell ID 43 on earfcn 1650
[9501/0002/0009] MSG LTE RRC/High [ lte_rrc_csp.c 4714] CSP: Sending NAS Service I
QXDM Filter : MESSAGE PACKETS/LTE/RRC&ML1
After the NAS layer receives the camped indication, EMM starts the registration request. The flow is as follows:
RRC connection establishment:
[0xB0C0/012/014/002] OTA LOG UL_CCCH / RRCConnectionRequest Radio Bearer ID: 0, Freq: 1650, SFN: 0
[0xB0C0/012/012/004] OTA LOG DL_CCCH / RRCConnectionSetup Radio Bearer ID: 0, Freq: 1650, SFN: 61
[0xB0C0/012/015/005] OTA LOG UL_DCCH / RRCConnectionSetupComplete Radio Bearer ID: 1, Freq: 1650, SFN: 0
[0xB0C0/012/013/008] OTA LOG DL_DCCH / UECapabilityEnquiry Radio Bearer ID: 1, Freq: 1650, SFN: 64
[0xB0C0/012/015/008] OTA LOG UL_DCCH / UECapabilityInformation Radio Bearer ID: 1, Freq: 1650, SFN: 0
Over-the-air NAS messages:
[0xB0ED] OTA LOG LTE NAS EMM Plain OTA Outgoing Message Attach request Msg
[0xB0EC] OTA LOG LTE NAS EMM Plain OTA Incoming Message Identity request Msg
[0xB0ED] OTA LOG LTE NAS EMM Plain OTA Outgoing Message Identity response Msg
[0xB0EC] OTA LOG LTE NAS EMM Plain OTA Incoming Message Authentication request Msg
[0xB0ED] OTA LOG LTE NAS EMM Plain OTA Outgoing Message Authentication response Msg
[0xB0EC] OTA LOG LTE NAS EMM Plain OTA Incoming Message Security mode command Msg
[0xB0ED] OTA LOG LTE NAS EMM Plain OTA Outgoing Message Security mode complete Msg
[0xB0EC] OTA LOG LTE NAS EMM Plain OTA Incoming Message Attach accept Msg
[0xB0E2] OTA LOG LTE NAS ESM Plain OTA Incoming Message Activate default EPS bearer context request Msg
[0xB0ED] OTA LOG LTE NAS EMM Plain OTA Outgoing Message Attach complete Msg
QXDM Filter : LOG PACKETS(OTA)/LTE