5G | ShareTechnote

5G/NR - Initial Aattach

SA Initial Attach Sequence in a Nutshell

Initial Attach is the process that happens when you power on your phone. Followings are the procedures that happens at this stage.
Cell Search and Synchronization: The UE (User Equipment) searches for nearby cells and acquires the synchronization signals (PSS and SSS) to synchronize with the gNB (gNodeB) timing.
RRC Connection Establishment: Process of establishing radio resources.
Network Registration: The Registration Request to AMF to register with the 5G network.
Authentication: Authentication between UE and Network. Network Authenticate UE and UE authenticate Network
Security Setup: The UE and network establish security keys for secure communication. This happens in two phases. NAS security and RRC security
Network Acceptance: The AMF sends a Registration Accept message to the UE, confirming successful registration and providing configuration information such as the UE's 5G-GUTI (Globally Unique Temporary Identifier).
RRC Reconfiguration: Network reconfigures RRC for the registered UE based on various UE capability.
PDU Session Establishment: The process of establishing data pipe. UE initiate the process and network respond to the request and setting up the data pipe.

SA Initial Attach Sequence In Detail

Following is high level sequence of call processing with SA(Stand Alone) initial attach process. For the simplicity, I have listed the sequence that is exchanged between UE and NW(Network) over the air (OTA). In reality, there are a lot of other signalings happending in corenetwork during the attach process.

SA Initial Attach - Overall Signaling Flow
SA Initial Attach - Sequence in Detail

Example 01 > NR SA Initial Registration Sequence - Amarisoft

SA Initial Attach - Overall Signaling Flow

A simplified call processing (Signaling Flow) of SA Initial Attach process with focus on OTA (Over The Air) message is illustrated as below. If you want to get more detailed flow including the signaling flow in core network as well, For corenetwork side signaling, refer to ref [2] from event Helix which is very nicely written sequence diagram. In the diagram below, I packed multiple steps (multiple signaling message) into one process for the simplicity. We will get the each and every detailed steps in next section.

Downlink / Uplink Synchronization:

The first step in 5G Standalone (SA) call processing is to synchronize the UE (User Equipment) with the gNB (gNodeB). We can split this into two parts : Downlink synchronization and Uplink synchronization. Downlink sync comes first and then Uplink sync happens.

Downlink Synchronization : the UE performs cell search and acquiring the synchronization signals, Primary Synchronization Signal (PSS) and Secondary Synchronization Signal (SSS), which help the UE to identify the cell and synchronize with its timing.

Uplink Synchronization : This is achieved by RACH Process. The Random Access Channel (RACH) is used by the UE for initial uplink synchronization with the gNB. It involves transmitting a randomly chosen preamble from the UE, which the gNB detects and responds with a timing adjustment. This process enables the UE to align its transmission timing with the gNB, allowing for efficient communication.

RRC Establishment:

After synchronization, the UE initiates the Radio Resource Control (RRC) connection establishment procedure by sending an RRCSetupRequest message to the gNB. The gNB responds with an RRCSetup message, which includes essential configuration information for the UE to access network resources.

Registration Request:

Once the RRC connection is established, the UE sends a Registration Request message to the network (Core Network, specifically the Access and Mobility Management Function, AMF) to register with the 5G network. This message includes important information such as the UE's security credentials and UE's network capability.

Authentication Process:

To ensure secure communication, the network initiates an authentication process. The AMF generates an authentication challenge for the UE, which includes a random number and an expected authentication response. The UE computes the authentication response based on the challenge and its security credentials, and sends it back to the AMF. If the response matches the expected value, the authentication is successful.

Security Process:

After successful authentication, the UE and network establish security keys for secure communication. The AMF sends a Security Mode Command to the UE, specifying the security algorithms to be used for ciphering and integrity protection. The UE acknowledges the command with a Security Mode Complete message.

Registration Accept:

Once the security process is complete, the AMF sends a Registration Accept message to the UE, which includes the UE's 5G-GUTI (Globally Unique Temporary Identifier) and other relevant configuration information. The UE is now successfully registered with the 5G network.

RrcReconfiguration:

After successful registration, the gNB sends an RRCReconfiguration message to the UE, which includes the configuration information necessary for data transmission, such as the Radio Bearer and Physical Layer configurations.

PDU Session Establishment Request:

To establish a data session, the UE sends a PDU (Protocol Data Unit) Session Establishment Request message to the network (specifically, the Session Management Function, SMF). This message includes the UE's data session requirements, SSC Mode, PCO, DNN etc.

PDU Session Establishment Accept:

The SMF processes the PDU Session Establishment Request and allocates the necessary resources for the data session. The SMF sends a PDU Session Establishment Accept message to the UE, which contains the PDU session configuration information, such as the allocated QoS and the IP address. The UE is now ready for data transmission over the established PDU session.

SA Initial Attach - Sequence in Detail

The detailed mechanism for each of these step is very complicated process which cannot be described in the single page. Try follow through the hyperlink at each step if you want further details. Notice that there are multiple linkes even at single step. I am just trying to provide just high level / skeleton in this page.

Step	Direction	Message	Comment
1	UE <- NW	SSB (PSS,SSS,MIB)
2	UE <- NW	PDCCH / CORESET 0 / DCI 1_0
3	UE <- NW	SIB1
4	UE <- NW	PDCCH / DCI 1_0
5	UE <- NW	Other SIBs
6	UE -> NW	Msg1 (PRACH/Preamble)
7	UE <- NW	(PDCCH / DCI 1_0, RA_RNTI)
8	UE <- NW	Msg2 (PDSCH / Random Access Response)
9	UE -> NW	Msg3 (RRC Setup Request)
10	UE <- NW	(PDCCH / DCI 1_0, T_C_RNTI)
11	UE <- NW	Msg4 (PDSCH / CR+RRC Setup)
12	UE <- NW	(PDCCH / DCI 0_0 or 0_1, C_RNTI)
13	UE -> NW	PUCCH or PUSCH / UCI (HARQ ACK/NACK)
14	UE -> NW	(PUSCH) RRCSetupComplete+NAS:RegistrationRequest
15	UE <- NW	(PDCCH/ DCI 1_0 or 1_1, C_RNTI)
16	UE <- NW	(PDSCH) NAS:IdentityRequest
17	UE -> NW	PUCCH or PUSCH / UCI (HARQ ACK/NACK)
18	UE <- NW	(PDCCH/ DCI 0_0 or 0_1, C_RNTI)
19	UE -> NW	(PUSCH) NAS:IdentityResponse
20	UE <- NW	(PDCCH/ DCI 1_0 or 1_1, C_RNTI)
21	UE <- NW	(PDSCH) NAS:AuthenticationRequest
22	UE -> NW	PUCCH or PUSCH / UCI (HARQ ACK/NACK)
23	UE <- NW	(PDCCH/ DCI 0_0 or 0_1, C_RNTI)
24	UE -> NW	(PUSCH) NAS:AuthenticationResponse
25	UE <- NW	(PDCCH/ DCI 1_0 or 1_1, C_RNTI)
26	UE <- NW	(PDSCH) NAS:SecurityModeCommand
27	UE -> NW	PUCCH or PUSCH / UCI (HARQ ACK/NACK)
28	UE <- NW	(PDCCH/ DCI 0_0 or 0_1, C_RNTI)
29	UE -> NW	(PUSCH) NAS:SecurityModeCommandComplete
30	UE <- NW	(PDCCH/ DCI 1_0 or 1_1, C_RNTI)
31	UE <- NW	(PDSCH) RRC:SecurityModeCommand
32	UE -> NW	PUCCH or PUSCH / UCI (HARQ ACK/NACK)
33	UE <- NW	(PDCCH/ DCI 0_0 or 0_1, C_RNTI)
34	UE -> NW	(PUSCH) RRC:SecurityModeCommandComplete
35	UE <- NW	(PDCCH/ DCI 1_0 or 1_1, C_RNTI)
36	UE <- NW	(PDSCH) RRCReconfiguration + NAS : Registration Accept
37	UE -> NW	PUCCH or PUSCH / UCI (HARQ ACK/NACK)
38	UE <- NW	(PDCCH/ DCI 0_0 or 0_1, C_RNTI)
39	UE -> NW	(PUSCH) RRCReconfigurationComplete + NAS : Registration Complete
40	UE <- NW	(PDCCH/ DCI 0_0 or 0_1, C_RNTI)
41	UE -> NW	(PUSCH) ULInformationTransfer + UL NAS Transport + PDU Session Establishment Request
42	UE <- NW	(PDCCH/ DCI 0_0 or 0_1, C_RNTI)
43	UE <- NW	(PDSCH) DLInformationTransfer + DL NAS Transport + PDU Session Establishment Accept
44	UE -> NW	PUCCH or PUSCH / UCI (HARQ ACK/NACK)

Example 01 > NR SA Initial Registration Sequence - Amarisoft

Following is a sample protocol sequence for NR SA Registration kindly provided by Amarisoft in its web based log viewer

For the example of the contents of these messages click on the message link shown in the above table.

Followings are contents of the signaling message for the SA initial sequence. Some of the message are not listed here because it would not be considered mandatory.

[RRC Setup Request]
[RRC Setup]
[Registration Request]
[Authentication Request]
[Authentication Response]
[Security Mode Command - NAS]
[Security Mode Complete - NAS]
[Security Mode Command - RRC]
[Security Mode Complete - RRC]
[Registration Accept]
[Registration Complete]
[RrcReconfiguration]
[PDU Session Establishment Request]
[PDU Session Establishment Accept]

[RRC Setup Request]

{

message c1: rrcSetupRequest: {

rrcSetupRequest {

ue-Identity randomValue: '110110011101110100011000000110100000011'B,

establishmentCause mo-Signalling,

spare '0'B

}

[RRC Setup]

{

message c1: rrcSetup: {

rrc-TransactionIdentifier 0,

criticalExtensions rrcSetup: {

radioBearerConfig {

srb-ToAddModList {

{

srb-Identity 1

}

masterCellGroup {

cellGroupId 0,

rlc-BearerToAddModList {

{

logicalChannelIdentity 1,

servedRadioBearer srb-Identity: 1,

rlc-Config am: {

ul-AM-RLC {

sn-FieldLength size12,

t-PollRetransmit ms45,

pollPDU infinity,

pollByte infinity,

maxRetxThreshold t8

dl-AM-RLC {

sn-FieldLength size12,

t-Reassembly ms35,

t-StatusProhibit ms0

}

mac-LogicalChannelConfig {

ul-SpecificParameters {

priority 1,

prioritisedBitRate infinity,

bucketSizeDuration ms5,

logicalChannelGroup 0,

schedulingRequestID 0,

logicalChannelSR-Mask FALSE,

logicalChannelSR-DelayTimerApplied FALSE

}

mac-CellGroupConfig {

schedulingRequestConfig {

schedulingRequestToAddModList {

{

schedulingRequestId 0,

sr-TransMax n64

}

bsr-Config {

periodicBSR-Timer sf20,

retxBSR-Timer sf320

tag-Config {

tag-ToAddModList {

{

tag-Id 0,

timeAlignmentTimer infinity

}

phr-Config setup: {

phr-PeriodicTimer sf500,

phr-ProhibitTimer sf200,

phr-Tx-PowerFactorChange dB3,

multiplePHR FALSE,

dummy FALSE,

phr-Type2OtherCell FALSE,

phr-ModeOtherCG real

skipUplinkTxDynamic FALSE

physicalCellGroupConfig {

pdsch-HARQ-ACK-Codebook dynamic

spCellConfig {

spCellConfigDedicated {

initialDownlinkBWP {

pdcch-Config setup: {

controlResourceSetToAddModList {

{

controlResourceSetId 2,

frequencyDomainResources '111111110000000000000000000000000000000000000'B,

duration 1,

cce-REG-MappingType nonInterleaved: NULL,

precoderGranularity sameAsREG-bundle

}

searchSpacesToAddModList {

{

searchSpaceId 2,

controlResourceSetId 2,

monitoringSlotPeriodicityAndOffset sl1: NULL,

monitoringSymbolsWithinSlot '10000000000000'B,

nrofCandidates {

aggregationLevel1 n0,

aggregationLevel2 n2,

aggregationLevel4 n1,

aggregationLevel8 n0,

aggregationLevel16 n0

searchSpaceType ue-Specific: {

dci-Formats formats0-1-And-1-1

}

pdsch-Config setup: {

dmrs-DownlinkForPDSCH-MappingTypeA setup: {

dmrs-AdditionalPosition pos1

tci-StatesToAddModList {

{

tci-StateId 0,

qcl-Type1 {

referenceSignal ssb: 0,

qcl-Type typeD

}

resourceAllocation resourceAllocationType1,

rbg-Size config1,

prb-BundlingType staticBundling: {

bundleSize wideband

zp-CSI-RS-ResourceToAddModList {

{

zp-CSI-RS-ResourceId 0,

resourceMapping {

frequencyDomainAllocation row4: '100'B,

nrofPorts p4,

firstOFDMSymbolInTimeDomain 8,

cdm-Type fd-CDM2,

density one: NULL,

freqBand {

startingRB 0,

nrofRBs 52

}

periodicityAndOffset slots80: 1

}

p-ZP-CSI-RS-ResourceSet setup: {

zp-CSI-RS-ResourceSetId 0,

zp-CSI-RS-ResourceIdList {

}

firstActiveDownlinkBWP-Id 0,

uplinkConfig {

initialUplinkBWP {

pucch-Config setup: {

resourceSetToAddModList {

{

pucch-ResourceSetId 0,

resourceList {

}

{

pucch-ResourceSetId 1,

resourceList {

10,

}

resourceToAddModList {

{

pucch-ResourceId 0,

startingPRB 50,

intraSlotFrequencyHopping enabled,

secondHopPRB 0,

format format1: {

initialCyclicShift 0,

nrofSymbols 14,

startingSymbolIndex 0,

timeDomainOCC 0

}

{

pucch-ResourceId 1,

startingPRB 50,

intraSlotFrequencyHopping enabled,

secondHopPRB 0,

format format1: {

initialCyclicShift 4,

nrofSymbols 14,

startingSymbolIndex 0,

timeDomainOCC 0

}

{

pucch-ResourceId 2,

startingPRB 50,

intraSlotFrequencyHopping enabled,

secondHopPRB 0,

format format1: {

initialCyclicShift 8,

nrofSymbols 14,

startingSymbolIndex 0,

timeDomainOCC 0

}

{

pucch-ResourceId 3,

startingPRB 50,

intraSlotFrequencyHopping enabled,

secondHopPRB 0,

format format1: {

initialCyclicShift 0,

nrofSymbols 14,

startingSymbolIndex 0,

timeDomainOCC 1

}

{

pucch-ResourceId 4,

startingPRB 50,

intraSlotFrequencyHopping enabled,

secondHopPRB 0,

format format1: {

initialCyclicShift 4,

nrofSymbols 14,

startingSymbolIndex 0,

timeDomainOCC 1

}

{

pucch-ResourceId 5,

startingPRB 50,

intraSlotFrequencyHopping enabled,

secondHopPRB 0,

format format1: {

initialCyclicShift 8,

nrofSymbols 14,

startingSymbolIndex 0,

timeDomainOCC 1

}

{

pucch-ResourceId 6,

startingPRB 50,

intraSlotFrequencyHopping enabled,

secondHopPRB 0,

format format1: {

initialCyclicShift 0,

nrofSymbols 14,

startingSymbolIndex 0,

timeDomainOCC 2

}

{

pucch-ResourceId 7,

startingPRB 50,

intraSlotFrequencyHopping enabled,

secondHopPRB 0,

format format1: {

initialCyclicShift 4,

nrofSymbols 14,

startingSymbolIndex 0,

timeDomainOCC 2

}

{

pucch-ResourceId 8,

startingPRB 1,

intraSlotFrequencyHopping enabled,

secondHopPRB 49,

format format2: {

nrofPRBs 1,

nrofSymbols 2,

startingSymbolIndex 0

}

{

pucch-ResourceId 9,

startingPRB 1,

intraSlotFrequencyHopping enabled,

secondHopPRB 49,

format format2: {

nrofPRBs 1,

nrofSymbols 2,

startingSymbolIndex 2

}

{

pucch-ResourceId 10,

startingPRB 1,

intraSlotFrequencyHopping enabled,

secondHopPRB 49,

format format2: {

nrofPRBs 1,

nrofSymbols 2,

startingSymbolIndex 4

}

{

pucch-ResourceId 11,

startingPRB 1,

intraSlotFrequencyHopping enabled,

secondHopPRB 49,

format format2: {

nrofPRBs 1,

nrofSymbols 2,

startingSymbolIndex 6

}

{

pucch-ResourceId 12,

startingPRB 50,

intraSlotFrequencyHopping enabled,

secondHopPRB 0,

format format1: {

initialCyclicShift 8,

nrofSymbols 14,

startingSymbolIndex 0,

timeDomainOCC 2

}

{

pucch-ResourceId 13,

startingPRB 1,

intraSlotFrequencyHopping enabled,

secondHopPRB 49,

format format2: {

nrofPRBs 1,

nrofSymbols 2,

startingSymbolIndex 8

}

format1 setup: {

format2 setup: {

maxCodeRate zeroDot25

schedulingRequestResourceToAddModList {

{

schedulingRequestResourceId 1,

schedulingRequestID 0,

periodicityAndOffset sl40: 8,

resource 12

}

dl-DataToUL-ACK {

12,

}

pusch-Config setup: {

txConfig codebook,

dmrs-UplinkForPUSCH-MappingTypeA setup: {

dmrs-AdditionalPosition pos1,

transformPrecodingDisabled {

}

pusch-PowerControl {

msg3-Alpha alpha1,

p0-NominalWithoutGrant -84,

p0-AlphaSets {

{

p0-PUSCH-AlphaSetId 0,

p0 0,

alpha alpha1

}

pathlossReferenceRSToAddModList {

{

pusch-PathlossReferenceRS-Id 0,

referenceSignal ssb-Index: 0

}

sri-PUSCH-MappingToAddModList {

{

sri-PUSCH-PowerControlId 0,

sri-PUSCH-PathlossReferenceRS-Id 0,

sri-P0-PUSCH-AlphaSetId 0,

sri-PUSCH-ClosedLoopIndex i0

}

resourceAllocation resourceAllocationType1,

codebookSubset nonCoherent,

maxRank 1,

uci-OnPUSCH setup: {

betaOffsets semiStatic: {

betaOffsetACK-Index1 9,

betaOffsetACK-Index2 9,

betaOffsetACK-Index3 9,

betaOffsetCSI-Part1-Index1 7,

betaOffsetCSI-Part1-Index2 7,

betaOffsetCSI-Part2-Index1 7,

betaOffsetCSI-Part2-Index2 7

scaling f1

}

srs-Config setup: {

srs-ResourceSetToAddModList {

{

srs-ResourceSetId 0,

srs-ResourceIdList {

resourceType aperiodic: {

aperiodicSRS-ResourceTrigger 1,

slotOffset 7

usage codebook,

p0 -84,

pathlossReferenceRS ssb-Index: 0

}

srs-ResourceToAddModList {

{

srs-ResourceId 0,

nrofSRS-Ports port1,

transmissionComb n2: {

combOffset-n2 0,

cyclicShift-n2 0

resourceMapping {

startPosition 0,

nrofSymbols n1,

repetitionFactor n1

freqDomainPosition 0,

freqDomainShift 5,

freqHopping {

c-SRS 11,

b-SRS 3,

b-hop 0

groupOrSequenceHopping neither,

resourceType aperiodic: {

sequenceId 500

}

firstActiveUplinkBWP-Id 0,

pusch-ServingCellConfig setup: {

}

pdcch-ServingCellConfig setup: {

pdsch-ServingCellConfig setup: {

nrofHARQ-ProcessesForPDSCH n16

csi-MeasConfig setup: {

nzp-CSI-RS-ResourceToAddModList {

{

nzp-CSI-RS-ResourceId 0,

resourceMapping {

frequencyDomainAllocation other: '100000'B,

nrofPorts p2,

firstOFDMSymbolInTimeDomain 4,

cdm-Type fd-CDM2,

density one: NULL,

freqBand {

startingRB 0,

nrofRBs 52

}

powerControlOffset 0,

powerControlOffsetSS db0,

scramblingID 500,

periodicityAndOffset slots80: 1,

qcl-InfoPeriodicCSI-RS 0

{

nzp-CSI-RS-ResourceId 1,

resourceMapping {

frequencyDomainAllocation row1: '1'H,

nrofPorts p1,

firstOFDMSymbolInTimeDomain 4,

cdm-Type noCDM,

density three: NULL,

freqBand {

startingRB 0,

nrofRBs 52

}

powerControlOffset 0,

powerControlOffsetSS db0,

scramblingID 500,

periodicityAndOffset slots40: 11,

qcl-InfoPeriodicCSI-RS 0

{

nzp-CSI-RS-ResourceId 2,

resourceMapping {

frequencyDomainAllocation row1: '1'H,

nrofPorts p1,

firstOFDMSymbolInTimeDomain 8,

cdm-Type noCDM,

density three: NULL,

freqBand {

startingRB 0,

nrofRBs 52

}

powerControlOffset 0,

powerControlOffsetSS db0,

scramblingID 500,

periodicityAndOffset slots40: 11,

qcl-InfoPeriodicCSI-RS 0

{

nzp-CSI-RS-ResourceId 3,

resourceMapping {

frequencyDomainAllocation row1: '1'H,

nrofPorts p1,

firstOFDMSymbolInTimeDomain 4,

cdm-Type noCDM,

density three: NULL,

freqBand {

startingRB 0,

nrofRBs 52

}

powerControlOffset 0,

powerControlOffsetSS db0,

scramblingID 500,

periodicityAndOffset slots40: 12,

qcl-InfoPeriodicCSI-RS 0

{

nzp-CSI-RS-ResourceId 4,

resourceMapping {

frequencyDomainAllocation row1: '1'H,

nrofPorts p1,

firstOFDMSymbolInTimeDomain 8,

cdm-Type noCDM,

density three: NULL,

freqBand {

startingRB 0,

nrofRBs 52

}

powerControlOffset 0,

powerControlOffsetSS db0,

scramblingID 500,

periodicityAndOffset slots40: 12,

qcl-InfoPeriodicCSI-RS 0

}

nzp-CSI-RS-ResourceSetToAddModList {

{

nzp-CSI-ResourceSetId 0,

nzp-CSI-RS-Resources {

}

{

nzp-CSI-ResourceSetId 1,

nzp-CSI-RS-Resources {

trs-Info true

}

csi-IM-ResourceToAddModList {

{

csi-IM-ResourceId 0,

csi-IM-ResourceElementPattern pattern1: {

subcarrierLocation-p1 s8,

symbolLocation-p1 8

freqBand {

startingRB 0,

nrofRBs 52

periodicityAndOffset slots80: 1

}

csi-IM-ResourceSetToAddModList {

{

csi-IM-ResourceSetId 0,

csi-IM-Resources {

}

csi-ResourceConfigToAddModList {

{

csi-ResourceConfigId 0,

csi-RS-ResourceSetList nzp-CSI-RS-SSB: {

nzp-CSI-RS-ResourceSetList {

}

bwp-Id 0,

resourceType periodic

{

csi-ResourceConfigId 1,

csi-RS-ResourceSetList csi-IM-ResourceSetList: {

bwp-Id 0,

resourceType periodic

{

csi-ResourceConfigId 2,

csi-RS-ResourceSetList nzp-CSI-RS-SSB: {

nzp-CSI-RS-ResourceSetList {

}

bwp-Id 0,

resourceType periodic

}

csi-ReportConfigToAddModList {

{

reportConfigId 0,

resourcesForChannelMeasurement 0,

csi-IM-ResourcesForInterference 1,

reportConfigType periodic: {

reportSlotConfig slots80: 9,

pucch-CSI-ResourceList {

{

uplinkBandwidthPartId 0,

pucch-Resource 13

}

reportQuantity cri-RI-PMI-CQI: NULL,

reportFreqConfiguration {

cqi-FormatIndicator widebandCQI,

pmi-FormatIndicator widebandPMI

timeRestrictionForChannelMeasurements notConfigured,

timeRestrictionForInterferenceMeasurements notConfigured,

codebookConfig {

codebookType type1: {

subType typeI-SinglePanel: {

nrOfAntennaPorts two: {

twoTX-CodebookSubsetRestriction '111111'B

typeI-SinglePanel-ri-Restriction '03'H

codebookMode 1

}

groupBasedBeamReporting disabled: {

cqi-Table table2,

subbandSize value1

}

tag-Id 0

}

[Registration Request]

16:36:33.677 [NAS] UL 0064 5GMM: Registration request

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x1 (Integrity protected)

Auth code = 0xc2653407

Sequence number = 0x09

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x41 (Registration request)

5GS registration type:

Follow-on request bit = 1

Value = 1 (initial registration)

ngKSI:

TSC = 0

NAS key set identifier = 2

5GS mobile identity:

5G-GUTI

MCC = 001

MNC = 01

AMF Region ID = 128

AMF Set ID = 4

AMF Pointer = 1

5G-TMSI = 0x2fedc8c7

UE security capability:

0xf0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=1, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)

0x70 (5G-IA0=0, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=1, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)

0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

NAS message container:

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x41 (Registration request)

5GS registration type:

Follow-on request bit = 1

Value = 1 (initial registration)

ngKSI:

TSC = 0

NAS key set identifier = 2

5GS mobile identity:

5G-GUTI

MCC = 001

MNC = 01

AMF Region ID = 128

AMF Set ID = 4

AMF Pointer = 1

5G-TMSI = 0x2fedc8c7

5GMM capability:

0x03 (SGC=0, 5G-IPHC-CP CIoT=0, N3 data=0, 5G-CP CIoT=0, RestrictEC=0, LPP=0, HO attach=1, S1 mode=1)

UE security capability:

0xf0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=1, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)

0x70 (5G-IA0=0, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=1, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)

0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

Requested NSSAI:

S-NSSAI

Length of S-NSSAI contents = 1 (SST)

SST = 0x01

Last visited registered TAI:

MCC = 001

MNC = 01

TAC = 0x000064

S1 UE network capability:

0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

0xc0 (UEA0=1, UEA1=1, UEA2=0, UEA3=0, UEA4=0, UEA5=0, UEA6=0, UEA7=0)

0x40 (UCS2=0, UIA1=1, UIA2=0, UIA3=0, UIA4=0, UIA5=0, UIA6=0, UIA7=0)

0x19 (ProSe-dd=0, ProSe=0, H.245-ASH=0, ACC-CSFB=1, LPP=1, LCS=0, 1xSRVCC=0, NF=1)

0x80 (ePCO=1, HC-CP CIoT=0, ERw/oPDN=0, S1-U data=0, UP CIoT=0, CP CIoT=0, ProSe-relay=0, ProSe-dc=0)

0xb0 (15 bearers=1, SGC=0, N1mode=1, DCNR=1, CP backoff=0, RestrictEC=0, V2X PC5=0, multipleDRB=0)

UE's usage setting = 0x01 (Data centric)

LADN indication:

Length = 0

Data =

Network slicing indication = 0x00 (DCNI=0, NSSCI=0)

5GS update type = 0x01 (EPS-PNB-CIoT=no additional information, 5GS-PNB-CIoT=no additional information,

NG-RAN-RCU=0, SMS requested=1)

[Authentication Request]

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x56 (Authentication request)

ngKSI:

TSC = 0

NAS key set identifier = 3

ABBA:

Length = 2

Data = 00 00

Authentication parameter RAND:

Data = 5c b5 64 3e 28 dd 81 86 5f aa 80 52 f0 57 67 0e

Authentication parameter AUTN:

Length = 16

Data = 0d 6c 88 e7 f1 f6 90 01 5c a4 46 0d 6c a9 77 f0

[Authentication Response]

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x1 (Integrity protected)

Auth code = 0x315d8f85

Sequence number = 0x0b

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x57 (Authentication response)

Authentication response parameter:

Length = 16

Data = 20 be d8 65 0b 86 58 49 77 5c 59 4e 91 b0 a2 28

[Security Mode Command - NAS]

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x3 (Integrity protected with new 5G NAS security context)

Auth code = 0xf3c97ad9

Sequence number = 0x00

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x5d (Security mode command)

Selected NAS security algorithms = 0x02 (5G-EA0, 5G-IA2)

ngKSI:

TSC = 0

NAS key set identifier = 3

Replayed UE security capabilities:

0xf0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=1, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)

0x70 (5G-IA0=0, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=1, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)

0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

IMEISV request = 1

Additional 5G security information = 0x02 (RINMR=1, HDP=0)

[Security Mode Command Complete - NAS]

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x4 (Integrity protected and ciphered with new 5G NAS security context)

Auth code = 0x6483a25f

Sequence number = 0x00

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x5e (Security mode complete)

IMEISV:

IMEISV = 8690570563562913

NAS message container:

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x41 (Registration request)

5GS registration type:

Follow-on request bit = 1

Value = 1 (initial registration)

ngKSI:

TSC = 0

NAS key set identifier = 2

5GS mobile identity:

5G-GUTI

MCC = 001

MNC = 01

AMF Region ID = 128

AMF Set ID = 4

AMF Pointer = 1

5G-TMSI = 0x2fedc8c7

5GMM capability:

0x03 (SGC=0, 5G-IPHC-CP CIoT=0, N3 data=0, 5G-CP CIoT=0, RestrictEC=0, LPP=0, HO attach=1, S1 mode=1)

UE security capability:

0xf0 (5G-EA0=1, 128-5G-EA1=1, 128-5G-EA2=1, 128-5G-EA3=1, 5G-EA4=0, 5G-EA5=0, 5G-EA6=0, 5G-EA7=0)

0x70 (5G-IA0=0, 128-5G-IA1=1, 128-5G-IA2=1, 128-5G-IA3=1, 5G-IA4=0, 5G-IA5=0, 5G-IA6=0, 5G-IA7=0)

0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

Requested NSSAI:

S-NSSAI

Length of S-NSSAI contents = 1 (SST)

SST = 0x01

Last visited registered TAI:

MCC = 001

MNC = 01

TAC = 0x000064

S1 UE network capability:

0xf0 (EEA0=1, 128-EEA1=1, 128-EEA2=1, 128-EEA3=1, EEA4=0, EEA5=0, EEA6=0, EEA7=0)

0x70 (EIA0=0, 128-EIA1=1, 128-EIA2=1, 128-EIA3=1, EIA4=0, EIA5=0, EIA6=0, EIA7=0)

0xc0 (UEA0=1, UEA1=1, UEA2=0, UEA3=0, UEA4=0, UEA5=0, UEA6=0, UEA7=0)

0x40 (UCS2=0, UIA1=1, UIA2=0, UIA3=0, UIA4=0, UIA5=0, UIA6=0, UIA7=0)

0x19 (ProSe-dd=0, ProSe=0, H.245-ASH=0, ACC-CSFB=1, LPP=1, LCS=0, 1xSRVCC=0, NF=1)

0x80 (ePCO=1, HC-CP CIoT=0, ERw/oPDN=0, S1-U data=0, UP CIoT=0, CP CIoT=0, ProSe-relay=0, ProSe-dc=0)

0xb0 (15 bearers=1, SGC=0, N1mode=1, DCNR=1, CP backoff=0, RestrictEC=0, V2X PC5=0, multipleDRB=0)

UE's usage setting = 0x01 (Data centric)

LADN indication:

Length = 0

Data =

Network slicing indication = 0x00 (DCNI=0, NSSCI=0)

5GS update type = 0x01 (EPS-PNB-CIoT=no additional information, 5GS-PNB-CIoT=no additional information,

NG-RAN-RCU=0, SMS requested=1)

[Security Mode Command - RRC]

{

message c1: securityModeCommand: {

rrc-TransactionIdentifier 0,

criticalExtensions securityModeCommand: {

securityConfigSMC {

securityAlgorithmConfig {

cipheringAlgorithm nea0,

integrityProtAlgorithm nia2

}

[Security Mode Complete - RRC]

{

message c1: securityModeComplete: {

rrc-TransactionIdentifier 0,

criticalExtensions securityModeComplete: {

}

[Registration Accept]

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x2 (Integrity protected and ciphered)

Auth code = 0x59b0464b

Sequence number = 0x02

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x42 (Registration accept)

5GS registration result = 0x09 (Emergency registered=0, NSSAA to be performed=0, SMS allowed=1, 3GPP access)

5G-GUTI:

5G-GUTI

MCC = 001

MNC = 01

AMF Region ID = 128

AMF Set ID = 4

AMF Pointer = 1

5G-TMSI = 0x4b63aa9a

TAI list:

Length = 7

Data = 00 00 f1 10 00 00 64

Allowed NSSAI:

S-NSSAI

Length of S-NSSAI contents = 1 (SST)

SST = 0x01

5GS network feature support:

0x03 (MPSI=0, IWK N26=0, EMF=not supported, EMC=not supported, IMS-VoPS-N3GPP=1, IMS-VoPS-3GPP=1)

0x00 (5G-UP CIoT=0, 5G-IPHC-CP CIoT=0, N3 data=0, 5G-CP CIoT=0,

RestrictEC=both CE mode A and CE mode B are not restricted, MCSI=0, EMCN3=0)

T3512 value:

Value = 30

Unit = 5 (1 minute)

Emergency number list:

Length = 8

Data = 03 1f 19 f1 03 1f 11 f2

[Registration Complete]

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x2 (Integrity protected and ciphered)

Auth code = 0xeed69df4

Sequence number = 0x02

Protocol discriminator = 0x7e (5GS Mobility Management)

Security header = 0x0 (Plain 5GS NAS message, not security protected)

Message type = 0x43 (Registration complete)

[RrcReconfiguration]

{

message c1: rrcReconfiguration: {

rrc-TransactionIdentifier 0,

criticalExtensions rrcReconfiguration: {

nonCriticalExtension {

masterCellGroup {

cellGroupId 0,

spCellConfig {

spCellConfigDedicated {

initialDownlinkBWP {

pdsch-Config setup: {

resourceAllocation resourceAllocationType1,

rbg-Size config1,

mcs-Table qam256,

prb-BundlingType staticBundling: {

bundleSize wideband

}

radioLinkMonitoringConfig setup: {

failureDetectionResourcesToAddModList {

{

radioLinkMonitoringRS-Id 0,

purpose rlf,

detectionResource ssb-Index: 0

}

uplinkConfig {

initialUplinkBWP {

pusch-Config setup: {

txConfig codebook,

resourceAllocation resourceAllocationType1,

mcs-Table qam256,

mcs-TableTransformPrecoder qam256,

codebookSubset nonCoherent,

maxRank 1

}

tag-Id 0

}

dedicatedNAS-MessageList {

'7E0259B0464B027E004201097....'H

}

[RrcReconfigurationComplete]

{

message c1: rrcReconfigurationComplete: {

rrc-TransactionIdentifier 0,

criticalExtensions rrcReconfigurationComplete: {

}

[PDU Session Establishment Request]

Protocol discriminator = 0x2e (5GS Session Management)

PDU session identity = 1

Procedure transaction identity = 5

Message type = 0xc1 (PDU session establishment request)

Integrity protection maximum data data:

Maximum data rate per UE for user-plane integrity protection for uplink = 0x00 (64 kbps)

Maximum data rate per UE for user-plane integrity protection for downlink = 0x00 (64 kbps)

PDU session type = 0x3 (IPv4v6)

5GSM capability:

0x00 (TPMIC=0, ATSSS-ST=0, EPT-S1=0, MH6-PDU=0, RqoS=0)

Extended protocol configuration options:

Ext = 1

Configuration protocol = 0

Protocol ID = 0xc223 (CHAP)

Data = 01 00 00 16 10 11 f7 7e 7e 11 f7 7e 7e 11 f7 7e 7e 11 f7 7e 7e 2a

Protocol ID = 0xc223 (CHAP)

Data = 02 00 00 16 10 9a 62 f4 9f cd d9 60 54 7a a9 37 58 60 99 f0 77 2a

Protocol ID = 0x8021 (IPCP)

Data = 01 00 00 10 81 06 00 00 00 00 83 06 00 00 00 00

Protocol ID = 0x000d (DNS Server IPv4 Address Request)

Data =

Protocol ID = 0x0003 (DNS Server IPv6 Address Request)

Data =

Protocol ID = 0x000a (IP address allocation via NAS signalling)

Data =

Protocol ID = 0x0005 (MS Support of Network Requested Bearer Control indicator)

Data =

Protocol ID = 0x0010 (IPv4 Link MTU Request)

Data =

Protocol ID = 0x0011 (MS support of Local address in TFT indicator)

Data =

Protocol ID = 0x0023 (QoS rules with the length of two octets support indicator)

Data =

Protocol ID = 0x0024 (QoS flow descriptions with the length of two octets support indicator)

Data =

[PDU Session Establishment Accept]

Protocol discriminator = 0x2e (5GS Session Management)

PDU session identity = 1

Procedure transaction identity = 5

Message type = 0xc2 (PDU session establishment accept)

Selected PDU session type = 0x1 (IPv4)

Selected SSC mode = 0x1 (1)

Authorized QoS rules:

QoS rule 1:

QoS rule identifier = 1

Rule operation code = 1 (create new QoS rule)

DQR = 1 (the QoS rule is the default QoS rule)

Number of packet filters = 1

Packet filter identifier = 15

Packet filter direction = 3 (bidirectional)

Match-all

QoS rule precedence = 255

QFI = 1

Session AMBR:

Session-AMBR for downlink = 5000 Mbps

Session-AMBR for uplink = 2000000 kbps

5GSM cause = 0x32 (PDU session type IPv4 only allowed)

PDU address:

SI6LLA = 0

PDU session type = 1 (IPv4)

IPv4 = 192.168.3.2

S-NSSAI:

Length of S-NSSAI contents = 1 (SST)

SST = 0x01

Mapped EPS bearer contexts:

Mapped EPS bearer context 1:

EPS bearer identity = 5

Operation code = 1 (create new EPS bearer)

E = 1 (parameters list is included)

Number of EPS parameters = 2

Mapped EPS QoS parameters:

QCI = 9

APN-AMBR:

APN-AMBR for downlink = 4864000000 bits

APN-AMBR for uplink = 1792000000 bits

Authorized QoS flow descriptions:

QoS flow description 1:

QFI = 1

Operation code = 1 (create new QoS flow description)

E = 1 (parameters list is included)

Number of parameters = 2

5QI = 9

EPS bearer identity = 5

Extended protocol configuration options:

Ext = 1

Configuration protocol = 0

Protocol ID = 0x8021 (IPCP)

Data = 03 00 00 0a 81 06 08 08 08 08

Protocol ID = 0x000d (DNS Server IPv4 Address)

Data = 8.8.8.8

DNN = "internet.mnc001.mcc001.gprs"

Reference

[1] 5G Standalone Access Registration Signaling Messages

[2] 5G Standalone Access: Registration Procedure