Phones jumping ship from commercial networks to test network

Mychaela Falconia falcon at freecalypso.org
Wed Mar 15 18:50:51 UTC 2023


Hi DS!

> An idea could be to use this recent feature from osmo-hlr:
> https://github.com/osmocom/osmo-hlr/commit/268a33e58b9de3a2a6d42f27b1b9542ffd42f584
>
> Currently, your wife's phone probably gets an "IMSI unknown in HLR"
> reject and I suppose the modem bugs after that, requiring a reboot.

Yup, the LU Reject cause was indeed the problem, as I quickly figured
out once Neels' reply on the osmo-bsc list pointed me to the
approximately-right part of the right spec.

> With the above commit, you could try the reject cause "PLMN not allowed"

Yes, I made the change to my local osmo-hlr instance to return "PLMN
not allowed" instead of "IMSI unknown in HLR" as the LU Reject cause,
and since I made that change, my wife's Nokia C3-00 has been behaving
just fine in the presence of ThemWi GSM signal: I do see occasional
registration attempts from it, but it stays registered to T-Mobile,
thus it must be going back to working TMO registration after a failed LU
attempt to ThemWi.

Now that I am confident that my ThemWi GSM signal is not "luring away"
other neighbourhood phones from being registered to their respective
commercial operators, I have been running the network for longer time
intervals, and sometimes also at higher power levels.  But I still run
it at 3 dBm output (maximal reduction with max_power_red set to 20 in
OsmoBSC config) most of the time.

> which would lead to the PLMN being written on the forbidden PLMN list (EF FPLMN)
> and so in the future the phone should not even try to connect (and
> other phones as well). Alternatively I suppose you could update EF FPLMN
> manually, that should work as well.

Writing into EF_FPLMN doesn't work because of T-Mobile SIM peculiarity.
By the specs this EF is supposed to be writable by ordinary users
(PIN1 access), but apparently TMO wanted to make it NOT writable by
anyone other than them, so they made this hack: when I try to write
something to EF_FPLMN, the UPDATE BINARY command appears to succeed
(returns SW of 9000), but if I read the file afterward, I see that it
is unchanged!

But at least the affected phones (those that try to register to ThemWi
despite having service from their own respective operator) seem to
remember the "PLMN not allowed" state in their RAM until reboot, as
they do go back to their rightful operator after failing to register
to ThemWi.

M~

P.S. I am hoping to provide more updates on ThemWi later, but right
now I gotta run - I want to catch Harald's OsmoDevCall presentation on
CSD, a very interesting topic for me.
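
Added example (not part of the original post, and not code from any Osmocom tool): the EF_FPLMN behaviour described above means a 9000 status word cannot be taken as proof of a write, so this code encodes a PLMN into the 3-byte EF_FPLMN entry format and trusts only the read-back. The SimulatedCard class, its method names, the 12-byte four-slot file and the test PLMN 001-01 used with it are assumptions made for the illustration; no real card or reader API is involved.

```python
# Added example: simulated card objects only, no real SIM or reader is touched.
SW_OK = 0x9000
EMPTY = b"\xff\xff\xff"            # unused EF_FPLMN slot

def encode_plmn(mcc: str, mnc: str) -> bytes:
    """MCC/MNC digits -> 3-byte nibble-swapped BCD entry used in EF_FPLMN."""
    if len(mcc) != 3 or len(mnc) not in (2, 3) or not (mcc + mnc).isdigit():
        raise ValueError("MCC must be 3 digits, MNC 2 or 3 digits")
    d3 = int(mnc[2]) if len(mnc) == 3 else 0xF   # filler nibble for 2-digit MNC
    return bytes([int(mcc[1]) << 4 | int(mcc[0]),
                  d3 << 4 | int(mcc[2]),
                  int(mnc[1]) << 4 | int(mnc[0])])

def decode_fplmn(data: bytes) -> list:
    """EF_FPLMN contents -> list of 'MCC-MNC' strings, skipping empty slots."""
    out = []
    for i in range(0, len(data) - len(data) % 3, 3):
        b = data[i:i + 3]
        if b == EMPTY:
            continue
        mnc = f"{b[2] & 0xF}{b[2] >> 4}" + ("" if b[1] >> 4 == 0xF else str(b[1] >> 4))
        out.append(f"{b[0] & 0xF}{b[0] >> 4}{b[1] & 0xF}-{mnc}")
    return out

class SimulatedCard:
    """Hypothetical stand-in for a card session; honest=False ignores writes."""
    def __init__(self, fplmn: bytes, honest: bool = True):
        self.fplmn, self.honest = bytes(fplmn), honest
    def read_binary(self) -> bytes:
        return self.fplmn
    def update_binary(self, data: bytes) -> int:
        if self.honest:
            self.fplmn = bytes(data)
        return SW_OK               # status word reports success either way

def add_forbidden_plmn(card, mcc: str, mnc: str) -> str:
    """Write a PLMN into the first free slot, then trust only the read-back."""
    entry, old = encode_plmn(mcc, mnc), card.read_binary()
    slots = [old[i:i + 3] for i in range(0, len(old), 3)]
    if entry in slots:
        return "already-present"
    if EMPTY not in slots:
        return "no-free-slot"
    slots[slots.index(EMPTY)] = entry
    new = b"".join(slots)
    if card.update_binary(new) != SW_OK:
        return "rejected"
    return "written" if card.read_binary() == new else "silently-ignored"
```

Calling add_forbidden_plmn(SimulatedCard(b"\xff" * 12, honest=False), "001", "01") returns "silently-ignored", which is the case the post describes: success status, unchanged file.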

