Bug #2793

phone "swiss one SC230" fails to do ciphering with 2G and 3G auth tokens present

Added by neels over 1 year ago. Updated about 1 year ago.

Target version:
Start date:
Due date:
% Done:




on 34c3, person comes with above MS, and I see Location Updating Rejects.
Authentication works with UMTS AKA, but Ciphering Mode Command times out.

As soon as I remove the aud_3g tokens from the HLR, the phone is happy, i.e. doing GSM AKA.

Not sure what action we should be taking, just noting this down so far.
It is the first time that I notice an R99 MS being unable to handle UMTS AKA on GERAN.


#1 Updated by neels over 1 year ago

like one minute later another MS came to the GSM room with the same problem: Samsung GT-E1050

This time I also tried with just 3G tokens, which results in SRES mismatch.
Removing 3G tokens from the HLR makes the MS work with our network.

#2 Updated by neels over 1 year ago

another identical report from Nokia 2610 RH-86
Maybe we're still doing something wrong after all.

#3 Updated by laforge over 1 year ago

  • Assignee set to neels

I ordered a SC230 so we can hopefully reproduce.

#4 Updated by neels over 1 year ago

I took the SC 230, just in case someone wonders where it went.

#5 Updated by neels about 1 year ago

Also got the Samsung B2100 and was able to reproduce the issue.

In attached trace, I have 2G comp128v1 and 3G milenage tokens set up in the database.
Authentication goes fine, but the Ciphering Mode Command times out.
The cause is this:
  • We send a UMTS AKA challenge in the Authentication Request.
  • But we receive back a GSM AKA result (SRES) -- the VLR log clearly states:
    "VLR INFO OsmoMSC SUBSCR AUTH established GSM security context"
    (see packet 115 in os2793_samsungB2100_ciph_fail.pcapng )
  • Nevertheless, we use the UMTS AKA Kc as ciphering key, while the MS clearly went for GSM AKA.

A fix is coming up...

#6 Updated by neels about 1 year ago

The fix is preceded by a test that pinpoints the failure.
In attached pcap, notice how the log says "established GSM security context" (again packet 115) and now the ciphering works out.

In the process, I also found a fix for gracefully rejecting malformed auth responses:
and threw in a bunch of more tests with various auth response failures around SRES/RES sizes.

#7 Updated by neels about 1 year ago

  • Tracker changed from Feature to Bug
  • Project changed from Cellular Network Infrastructure to OsmoMSC

#8 Updated by neels about 1 year ago

  • Status changed from In Progress to Resolved
  • % Done changed from 90 to 100

fix is merged

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)