Hi all,
On Mon, May 29, 2017 at 03:29:49PM +0200, Harald Welte wrote:
> Over the weekend I was thinking of yet another method to make this much simpler: Every phone is supposed to include a voice loop-back mode. In this mode, the phone simply loops back all voice frames received in the downlink and sends them back in the uplink. This functionality is mandatory by the spec, and used to test the receiver performance of the phone during development, manufacturing and service. It is specified in 3GPP TS 44.014 (http://www.etsi.org/deliver/etsi_ts/144000_144099/144014/14.00.00_60/ts_1440...) which used to be GSM TS 04.04 (http://www.etsi.org/deliver/etsi_ts/101200_101299/101293/08.06.00_60/ts_1012...) before.
> The idea is that one puts a special "Test SIM" (as specified in TS 51.010-1 Annex 4, where EF.AD first byte == 0x80 is the criterion in this context) into the phone, and then sends some specific commands on Layer3 to activate the loop.
I have now produced such a "test sim". It's as easy as to update the first byte of EF.AD with 0x80, e.g. using the following APDU (after authorizing with proper credentials like ADM1 pin and selecting EF.AD): 00d60000048000ff02
I also have an experimental branch[1] of OsmoNITB which can send the loopback commands. And at least with a K800i I also get an acknowledgement.
* first start a silent call to establish a dedicated TCH
    subscriber imsi 262423203000003 silent-call start tch/f
* then send the CLOSE_TCH_LOOP command with loop type A
    subscriber imsi 262423203000003 ms-test close-loop a
* OsmoNITB reports success:
    <0002> gsm_04_14.c:129 FIXME: Received TEST class message 'CLOSE_TCH_LOOP_ACK'
I haven't actually tried yet to see if the voice channel is actually looped back. But at least the results look promising so far.
Regards, Harald
[1] http://git.osmocom.org/openbsc/log/?h=laforge/ts_04_14
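
Added example, not part of the original mail or of OsmoNITB: a small decoder for the UPDATE BINARY APDU quoted above, which checks whether a write sets the EF.AD first byte to the 0x80 test-SIM value named in the mail. The function and class names are hypothetical, and the code assumes EF.AD is the currently selected file, as the mail states.

```python
from dataclasses import dataclass
from typing import Optional

INS_UPDATE_BINARY = 0xD6  # ISO 7816-4 UPDATE BINARY
TEST_SIM_MODE = 0x80      # criterion quoted in the mail: EF.AD first byte == 0x80


@dataclass
class EfAdUpdate:
    cla: int
    offset: int             # P1/P2: byte offset into the selected EF
    data: bytes             # bytes written starting at that offset
    op_mode: Optional[int]  # new EF.AD byte 1, None if the write does not touch it

    @property
    def enables_test_mode(self) -> bool:
        return self.op_mode == TEST_SIM_MODE


def parse_update_binary(apdu_hex: str) -> EfAdUpdate:
    """Decode a short UPDATE BINARY APDU (assumption: EF.AD is selected)."""
    apdu = bytes.fromhex(apdu_hex)
    if len(apdu) < 5:
        raise ValueError("APDU shorter than the CLA INS P1 P2 Lc header")
    cla, ins, p1, p2, lc = apdu[:5]
    if ins != INS_UPDATE_BINARY:
        raise ValueError(f"INS {ins:#04x} is not UPDATE BINARY")
    if p1 & 0x80:
        raise ValueError("P1 carries a short file identifier, not a plain offset")
    data = apdu[5:]
    if len(data) != lc:
        raise ValueError(f"Lc says {lc} bytes, APDU carries {len(data)}")
    offset = (p1 << 8) | p2
    # Only a write that starts at offset 0 replaces the first byte of the file.
    op_mode = data[0] if offset == 0 and data else None
    return EfAdUpdate(cla, offset, data, op_mode)


if __name__ == "__main__":
    upd = parse_update_binary("00d60000048000ff02")  # APDU from the mail
    print(f"offset={upd.offset} data={upd.data.hex()} "
          f"test_mode={upd.enables_test_mode}")
```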