Huawei "CAMEL" in between USAU and SCP

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

Dmitri Soloviev dmi3sol at gmail.com
Tue Nov 19 11:26:16 UTC 2013


Hi list

I'm hacking a protocol that runs inside Huawei SCP, in between USAU
(signaling gateway within IN) and SCP node itself.
There is a small file at my disposal (a few megs) to study. Unfortunately
there is no way to run a trace at the other side of USAU in parallel, so
I need to guess about the fields.

Here is a typical IDP found, with my guesstimations:

000000a7 - packet length
0000feab - packet ID
00a1 - length of remaining portion

1000 - (***) protocol type, 0x1000 is similar to CAMEL, other protocols are
{0100,0200,0300,0400,0500,0600,1000,1200,1300,1400,1500,1700}
01d6f100 - transaction ID
01d6f100

01ff - msg type and direction, 01FF - IDP, where FF means that it goes from
gsmSCP to gsmSCP, response is 0100
0000010000000000 - something unknown, some messages may have non-zero
values here

8c - length
30 81 - tag+len, something like IDP args
  89 8001 01
  82 08 84 90 xxxxxxxxxxxx - A pty, MSISDN
  83 08 84 13 xxxxxxxxxxxx - B pty, MSISDN
  85 01 0a
  88 04 00000000
  8a 04 84 13 xxxx - E.164 country code
  bb 05 80038090a3
  9c 01 0c
  9f32 08 xxxxxxxxxxxxxxxx - IMSI (A)
  bf33 02 8000
  bf34 - a tag that assumes no length/value
    22 02 0159
    80 08 1000000000000000
    81 08 91 xxxxxxxxxxxxxxx - GT of MSC(ssf)
    a3 09 8007 xxxxxxxxxxxxxx  location number ?
    bf35 03 830111
    9f36 05 207a77c430
    9f37 08 91 xxxxxxxxxxxxxx - GT of MSC(ssf)
    9f39 08 xxxxxxxxxxxxxxxx  - some number in unknown format (neither E.164 nor E.212)


A-pty MSISDN may alternatively be coded with the 9F38 tag


The trickiest thing is to decode the other protocol types (marked with ***
above), which are not so obvious.

My final goal is to decode both the CAP portion and the amount of credit available.

Is there anybody who has faced a similar task, or who can provide additional
traces, or can even make some traces?
An ideal case is to perform SS7 and USAU traces in parallel.
Or perhaps someone has some papers on this topic?

Regards,
Dmitri Soloviev