LTE paging.ppt
1. Paging
• Paging is the mechanism by which the network tells the
UE "I have something for you".
• You may have
  • Incoming call – CS or PS
  • SI change
  • ETWS or CMAS
[Figure: sequence diagram between UE and N/W: the N/W sends a Paging msg to the UE, the UE answers with a Service Request]
2. • Then the UE decodes the content (paging cause) of
the Paging message and initiates the
appropriate procedure.
• In most cases this paging process happens while the
UE is in idle mode. This means that the UE has to
monitor whether the network is sending any
paging message to it, and it has to spend some
energy (battery) to run this "monitoring"
process.
3. • During idle mode the UE enters and stays in a
sleep mode defined by the DRX cycle (Discontinuous
Reception cycle). (The default paging cycle is broadcast in SIB2.)
• The UE periodically wakes up and monitors the PDCCH in
order to check for the presence of a paging
message (the UE looks for a PDCCH whose CRC is scrambled with the
P-RNTI; this is scrambling, not encryption).
• If the PDCCH indicates that a paging message is
transmitted in the subframe, then the UE needs to
demodulate the PCH (carried on the PDSCH) to see whether the paging message is
directed to it.
4. • Paging messages are sent by the MME to all eNodeBs in a Tracking
Area, and every eNodeB in that Tracking Area transmits the same
paging message.
[Figure: protocol stack NAS / RRC / L2 / L1 on the UE side; on the network side the MME terminates NAS and the eNB terminates RRC, L2 and L1]
5. Paging message format (ASN.1 from 36.331; maxPageRec = 16)
• Paging ::= SEQUENCE {
    pagingRecordList        PagingRecordList    OPTIONAL, -- Need ON
    systemInfoModification  ENUMERATED {true}   OPTIONAL, -- Need ON
    etws-Indication         ENUMERATED {true}   OPTIONAL, -- Need ON
    nonCriticalExtension    Paging-v890-IEs     OPTIONAL
}
• Paging-v890-IEs ::= SEQUENCE {
    lateNonCriticalExtension  OCTET STRING      OPTIONAL, -- Need OP
    nonCriticalExtension      Paging-v920-IEs   OPTIONAL
}
• Paging-v920-IEs ::= SEQUENCE {
    cmas-Indication-r9      ENUMERATED {true}   OPTIONAL, -- Need ON
    nonCriticalExtension    SEQUENCE {}         OPTIONAL  -- Need OP
}
• PagingRecordList ::= SEQUENCE (SIZE (1..maxPageRec)) OF PagingRecord
• PagingRecord ::= SEQUENCE {
    ue-Identity   PagingUE-Identity,
    cn-Domain     ENUMERATED {ps, cs},
    ...
}
• PagingUE-Identity ::= CHOICE {
    s-TMSI  S-TMSI,
    imsi    IMSI,
    ...
}
• IMSI ::= SEQUENCE (SIZE (6..21)) OF IMSI-Digit
• IMSI-Digit ::= INTEGER (0..9)
6. 1) UE ID in the Paging message
i) If you look at the ue-Identity field (IE) of the Paging message, you will see there are two choices, s-TMSI
and IMSI.
ii) Which type of UE ID is commonly used? The answer is s-TMSI. If everything is
normal, the network sends Paging with s-TMSI, but if something (e.g. a network failure) happens
during registration and the network fails to allocate a TMSI to the UE, the network sends Paging with IMSI.
iii) If the UE gets a Paging with IMSI, it locally deactivates all existing EPS bearers, deletes the
GUTI, last visited registered TAI, TAI list and KSI_ASME, enters the EMM-DEREGISTERED state, and then redoes the
'Attach Request'. Note that Paging is broadcast in the clear without integrity protection, so the UE
cannot verify who sent the message before reacting this way.
2) Purpose of the paging procedure (36.331): to transmit paging information to a UE in RRC_IDLE and/or;
to inform UEs in RRC_IDLE and UEs in RRC_CONNECTED about a system information change
and/or;
to inform about an ETWS primary notification and/or ETWS secondary notification and/or;
to inform about a CMAS notification.
3) The paging information is provided to upper layers, which in response may initiate RRC
connection establishment, e.g. to receive an incoming call.
8. Reception of the Paging message by the UE (36.331 5.3.2.3)
1. if in RRC_IDLE, for each PagingRecord, if any, included
in the Paging message:
   2. if the ue-Identity included in the PagingRecord matches one
   of the UE identities allocated by upper layers:
      3. forward the ue-Identity and the cn-Domain to the upper
      layers.
4. if the systemInfoModification is included:
   re-acquire the required system information using the system
   information acquisition procedure.
5. if the etws-Indication is included and the UE is ETWS capable:
   6. re-acquire SystemInformationBlockType1
   immediately, i.e., without waiting until the next system
   information modification period boundary.
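The reception procedure above, together with the NAS reaction to Paging with IMSI from slide 6, as an added worked example in C. This is not code from the slides or from the paging project they describe: the struct layouts, the ue_ctx state, the function names and the sample S-TMSI and IMSI values are assumptions made for the example, while the limits maxPageRec = 16 and the 6..21 IMSI digits come from the ASN.1 on slide 5.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Limits from the ASN.1 on slide 5: maxPageRec = 16, IMSI is 6..21 digits. */
#define MAX_PAGE_REC    16
#define IMSI_MIN_DIGITS 6
#define IMSI_MAX_DIGITS 21

enum cn_domain  { CN_PS, CN_CS };
enum ue_id_type { UE_ID_S_TMSI, UE_ID_IMSI };
enum rrc_state  { RRC_IDLE, RRC_CONNECTED };
enum emm_state  { EMM_REGISTERED, EMM_DEREGISTERED };

struct s_tmsi { uint8_t mmec; uint32_t m_tmsi; };   /* S-TMSI = MMEC || M-TMSI */

struct paging_record {                 /* one decoded PagingRecord (layout assumed) */
    enum ue_id_type id_type;           /* which CHOICE of PagingUE-Identity is present */
    struct s_tmsi   s_tmsi;
    char            imsi[IMSI_MAX_DIGITS + 1];  /* ASCII digits, NUL-terminated if well formed */
    enum cn_domain  cn_domain;
};

struct paging_msg {                    /* decoded Paging PDU; every IE is OPTIONAL */
    size_t               n_records;    /* 0 means pagingRecordList is absent */
    struct paging_record records[MAX_PAGE_REC];
    bool system_info_modification, etws_indication, cmas_indication;
};

struct ue_ctx {                        /* hypothetical UE state used by this example */
    enum rrc_state rrc;
    enum emm_state emm;
    bool           etws_capable, cmas_capable;
    bool           has_s_tmsi;         /* false once the GUTI has been deleted */
    struct s_tmsi  s_tmsi;
    char           imsi[IMSI_MAX_DIGITS + 1];
    int            active_bearers;
    bool           attach_needed;      /* NAS must run a new Attach */
    int            nas_paged_ps, nas_paged_cs;  /* pagings forwarded to NAS per cn-Domain */
    bool           reacquire_si, reacquire_sib1_now;
};

/* The IMSI comes straight off the air interface: enforce SIZE (6..21) and the
 * digit alphabet before anything compares or copies it. */
static bool imsi_valid(const char *imsi)
{
    size_t n = 0;
    while (n < IMSI_MAX_DIGITS + 1 && imsi[n] != '\0')   /* bounded: never reads past the field */
        n++;
    if (n < IMSI_MIN_DIGITS || n > IMSI_MAX_DIGITS)
        return false;
    for (size_t i = 0; i < n; i++)
        if (imsi[i] < '0' || imsi[i] > '9')
            return false;
    return true;
}

static bool record_matches_ue(const struct ue_ctx *ue, const struct paging_record *r)
{
    switch (r->id_type) {
    case UE_ID_S_TMSI:
        return ue->has_s_tmsi && r->s_tmsi.mmec == ue->s_tmsi.mmec
                              && r->s_tmsi.m_tmsi == ue->s_tmsi.m_tmsi;
    case UE_ID_IMSI:
        return imsi_valid(r->imsi) && strcmp(r->imsi, ue->imsi) == 0;
    }
    return false;
}

/* NAS reaction to a forwarded ue-Identity + cn-Domain. Paging with IMSI (24.301
 * 5.6.2.2.2): bearers are locally deactivated, the GUTI is deleted, the UE enters
 * EMM-DEREGISTERED and attaches again. Paging with S-TMSI is only counted here;
 * a real UE would start the Service Request procedure. */
static void nas_handle_paging(struct ue_ctx *ue, const struct paging_record *r)
{
    if (r->id_type == UE_ID_IMSI) {
        ue->active_bearers = 0;
        ue->has_s_tmsi = false;
        ue->emm = EMM_DEREGISTERED;
        ue->attach_needed = true;
        return;
    }
    if (r->cn_domain == CN_CS) ue->nas_paged_cs++; else ue->nas_paged_ps++;
}

/* RRC side of 36.331 5.3.2.3. Returns how many records were forwarded to NAS,
 * or -1 when the decoded message breaks its own size constraint. */
int rrc_handle_paging(struct ue_ctx *ue, const struct paging_msg *m)
{
    int forwarded = 0;
    if (m->n_records > MAX_PAGE_REC)
        return -1;                     /* never index past records[] */
    if (ue->rrc == RRC_IDLE)           /* paging records only matter in RRC_IDLE */
        for (size_t i = 0; i < m->n_records; i++)
            if (record_matches_ue(ue, &m->records[i])) {
                nas_handle_paging(ue, &m->records[i]);
                forwarded++;
            }
    /* The indications apply in RRC_IDLE and RRC_CONNECTED alike. */
    if (m->system_info_modification)
        ue->reacquire_si = true;       /* at the next modification period boundary */
    if ((m->etws_indication && ue->etws_capable) || (m->cmas_indication && ue->cmas_capable))
        ue->reacquire_sib1_now = true; /* immediately, without waiting for the boundary */
    return forwarded;
}

/* Constructed sample UE: registered, in RRC_IDLE, holding made-up identities. */
struct ue_ctx sample_ue(void)
{
    struct ue_ctx ue = { .rrc = RRC_IDLE, .emm = EMM_REGISTERED, .etws_capable = true,
                         .has_s_tmsi = true, .s_tmsi = { 0x1a, 0xdeadbeef }, .active_bearers = 2 };
    strcpy(ue.imsi, "001010123456789");
    return ue;
}

/* Scenario 1 (constructed): normal Paging, another UE's S-TMSI then ours (CS),
 * with systemInfoModification set. */
int demo_s_tmsi_paging(struct ue_ctx *ue)
{
    struct paging_msg m = { .n_records = 2, .system_info_modification = true };
    m.records[0] = (struct paging_record){ .id_type = UE_ID_S_TMSI, .s_tmsi = { 0x1a, 0x11111111 }, .cn_domain = CN_PS };
    m.records[1] = (struct paging_record){ .id_type = UE_ID_S_TMSI, .s_tmsi = { 0x1a, 0xdeadbeef }, .cn_domain = CN_CS };
    return rrc_handle_paging(ue, &m);
}

/* Scenario 2 (constructed): Paging with IMSI, preceded by a malformed 4-digit
 * IMSI record that must be ignored, with etws-Indication set. */
int demo_imsi_paging(struct ue_ctx *ue)
{
    struct paging_msg m = { .n_records = 2, .etws_indication = true };
    m.records[0] = (struct paging_record){ .id_type = UE_ID_IMSI, .imsi = "0010", .cn_domain = CN_PS };
    m.records[1] = (struct paging_record){ .id_type = UE_ID_IMSI, .imsi = "001010123456789", .cn_domain = CN_PS };
    return rrc_handle_paging(ue, &m);
}

int main(void)
{
    struct ue_ctx ue = sample_ue();
    int n1 = demo_s_tmsi_paging(&ue);
    printf("S-TMSI paging: %d forwarded, CS pagings=%d, SI re-acquire=%d\n", n1, ue.nas_paged_cs, ue.reacquire_si);
    int n2 = demo_imsi_paging(&ue);
    printf("IMSI paging:   %d forwarded, EMM-DEREGISTERED=%d, attach needed=%d\n",
           n2, ue.emm == EMM_DEREGISTERED, ue.attach_needed);
    return 0;
}
```

The two network-supplied values that drive array indexing and string comparison, the record count and the IMSI, are checked against their ASN.1 constraints before use; a decoder that trusted them as received is where an over-read would start. Scenario 2 also shows why Paging with IMSI deserves attention: a single unauthenticated broadcast message makes the UE drop its bearers and re-attach.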
9. Paging project program structure:
1. In the first step the MME sends the paging message to the eNB RRC (i.e. the sq0 msg in our
program). The sq0 msg is of type page_msg.
2. Then it comes to the L2 layer on the UE side. There we have a message queue; we receive the
message from the message queue with msgrcv as shown below. The msgsz argument is the size of the
payload after the mtype field, so sizeof(long) is subtracted from the struct size.
-> n = (int) msgrcv(msqid, (void *)&message, sizeof(message) - sizeof(long), 1, 0);
3. After receiving the data, for each paging record i the program compares the s_tmsi and imsi; if either
matches it sends a message to NAS as shown below. The IMSI field arrives from the network and need not be
NUL-terminated, so the comparison and the copy are bounded by the field size.
if (ptr->paging_record[i].ue_id.s_tmsi == stmsi) {                 /* comparing s-TMSI */
    printf("s-tmsi is matched\n");
    nas_msg.s_tmsi = ptr->paging_record[i].ue_id.s_tmsi;
    send_nas_message(S_TMSI, ptr, i, &nas_msg);
    break;
} else if (!strncmp(ptr->paging_record[i].ue_id.imsi, immsg,
                    sizeof ptr->paging_record[i].ue_id.imsi)) {     /* comparing IMSI */
    printf("imsi is matched\n");
    strncpy(nas_msg.imsi, (char *)ptr->paging_record[i].ue_id.imsi, sizeof nas_msg.imsi - 1);
    nas_msg.imsi[sizeof nas_msg.imsi - 1] = '\0';
    send_nas_message(IMSI, ptr, i, &nas_msg);
    break;
}
10. • 4. Then it checks systemInfoModification, etws-Indication and
nonCriticalExtension; if they are set it sends to SI in RRC. (Note there is no ';'
after the if conditions, which would run the block unconditionally, and msgsnd's
msgsz is the payload size, not sizeof(siptr), which is only the size of a pointer.)
• if (ptr->systeminfomodification == 1) {
    printf("system modification is matched: 0=false & 1=true\n");
    siptr->systeminfomodification = 1;
    siptr->cmd = SIMOD;
    msgsnd(0, (void *)siptr, sizeof(*siptr) - sizeof(long), IPC_NOWAIT);  /* payload after mtype */
}
if (ptr->etws_indication == 1) {
    printf("etws_indication is matched: 0=false & 1=true\n");
    siptr->etws_indication = 1;
    siptr->cmd = ETWS;
    msgsnd(0, (void *)siptr, sizeof(*siptr) - sizeof(long), IPC_NOWAIT);
}
hex_to_ascii(ptr->noncriticalextension.lcriticalextension, tbuf, 10);
printf("critical string is:\n %s", tbuf);