Availability of SMS over NAS on Commercial Mobile Networks in Japan
Dec 3, 2024
A previous article demonstrated short message service (SMS) over the Non-Access Stratum (NAS) in a private mobile network. However, as noted in another previous article, SMS can also be transported via the IP Multimedia Subsystem (IMS) using the Session Initiation Protocol (SIP). Under what circumstances is SMS over NAS used on commercial mobile networks provided by mobile network operators (MNOs)? This article examines the availability of SMS over NAS by capturing packets of short messages sent on commercial mobile networks in Japan.
Summary
The availability of SMS over NAS in Japan depends on the MNO, as shown in Table 1. Since IMS is enabled on Japanese MNOs’ mobile networks, when sending short messages from the default Messages app on Android, three of the four operators used SMS over IMS, while one used SMS over NAS. In contrast, when sending from the modem of the Android device using AT commands, even operators that used SMS over IMS also used SMS over NAS. The availability of SMS over NAS depends on the MNO’s network configuration and was confirmed to be available even when IMS is enabled.
Table 1: SMS transport methods used by Japanese MNOs.
Method | NTT Docomo | KDDI | SoftBank | Rakuten |
---|---|---|---|---|
Messages app | SMS over IMS | SMS over IMS | SMS over NAS | SMS over IMS |
AT commands | SMS over NAS | N/A | SMS over NAS | SMS over NAS |
Capturing SMS Packets
To identify the SMS transport method, tests were conducted on the networks of four Japanese MNOs: NTT Docomo, KDDI, SoftBank, and Rakuten. These networks are 5G Non-Standalone (NSA) and IMS enabled. The SIM cards were inserted into a non-rooted Galaxy S24, and packets were captured while sending short messages. Messages were sent using both the default Messages app on Android and AT commands; Rich Communication Services (RCS) was disabled in the Messages app.
The SMS packets were captured using SCAT, a tool that captures packets carried by radio signals based on diagnostic messages from Qualcomm and Samsung modems¹. The Galaxy S24 (SM-S921Q) used in this test has a Qualcomm Snapdragon modem. Therefore, access to diagnostic messages was enabled by entering `*#0808#` in the Phone app and changing the USB setting to `RNDIS + DM + MODEM + ADB`. The Galaxy S24 was connected to a MacBook via USB, and SCAT was run to capture SMS packets, as shown in Figure 1.
Figure 1: Running SCAT to capture SMS packets.
Sending SMS from the Messages App
When sending short messages from the Messages app, SMS Protocol Data Units (PDUs) were encapsulated into SIP packets and transported on the NTT Docomo and KDDI networks. Figure 2 shows a SIP packet captured on the NTT Docomo network; the SMS-SUBMIT is loaded in the message body of the SIP packet. To detect the SIP packet in Wireshark, the User Datagram Protocol (UDP) must be decoded as Internet Protocol version 6 (IPv6)². This confirms that SMS over IMS is used.
Figure 2: SMS PDU encapsulated in the SIP packet.
The Rakuten network also transported short messages using SMS over IMS. However, no SIP packets containing SMS PDUs were observed; instead, as shown in Figure 3, Encapsulating Security Payload (ESP) packets were captured when a short message was sent. This suggests that the SMS PDU is encrypted in one of these packets. Since decrypting ESP packets is beyond the scope of this test, the SMS transport method was identified using Android logs. Figure 4 shows the output from the `logcat` command when a short message was sent. These logs confirm that SMS over IMS is used.
Figure 3: ESP packets captured when a short message was sent.
Figure 4: Logs output when a short message was sent.
In contrast, the SoftBank network transported short messages using SMS over NAS. Figure 5 shows a NAS packet captured when a short message was sent; the SMS-SUBMIT is loaded in the message container of the NAS packet. As noted in the previous article, the `+g.3gpp.smsip` parameter must be set in the SIP REGISTER request to use SMS over IMS. While the other three operators had this parameter set, SoftBank did not. Therefore, it can be concluded that SMS over NAS is used even when IMS is enabled.
Figure 5: SMS PDU encapsulated in the NAS packet.
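The SMS-SUBMIT in Figures 2 and 5 is the same TPDU under different wrapping: the SIP body carries an RP-DATA message directly, while the NAS message container adds a CP-DATA layer around it. The following decoder is an added example, not code from this article or from SCAT; the function names and all sample bytes are constructed, and it assumes the general DCS coding group and no user data header.

```python
# Added example (not from the article): unwrap an uplink SMS-SUBMIT from either
# transport. Layer layout follows 3GPP TS 24.011 / TS 23.040; all bytes below
# are constructed samples, not values from the article's captures.

def unwrap_cp(cp: bytes) -> bytes:
    """SMS over NAS: the NAS message container holds a CP-DATA message."""
    if cp[0] & 0x0F != 0x09 or cp[1] != 0x01:  # PD 9 = SMS, type 0x01 = CP-DATA
        raise ValueError("not a CP-DATA message")
    return cp[3:3 + cp[2]]                     # CP-User-Data carries the RP message

def unwrap_rp(rp: bytes) -> bytes:
    """SMS over IMS: the SIP body holds RP-DATA directly, with no CP layer."""
    if rp[0] & 0x07 != 0x00:                   # RP-MTI 0 = RP-DATA, MS to network
        raise ValueError("not an uplink RP-DATA message")
    pos = 2                                    # skip RP-MTI and RP-MR
    pos += 1 + rp[pos]                         # RP-Originator Address (empty uplink)
    pos += 1 + rp[pos]                         # RP-Destination Address (SMSC)
    return rp[pos + 1:pos + 1 + rp[pos]]       # RP-User-Data carries the TPDU

def decode_sms_submit(tpdu: bytes) -> dict:
    first = tpdu[0]
    if first & 0x03 != 0x01:
        raise ValueError("TP-MTI is not SMS-SUBMIT")
    ndigits = tpdu[2]                          # TP-DA length is counted in digits
    end = 4 + (ndigits + 1) // 2
    dest = "".join(f"{b & 0x0F:x}{b >> 4:x}" for b in tpdu[4:end])[:ndigits]
    dcs = tpdu[end + 1]                        # tpdu[end] is TP-PID
    # TP-VP size depends on TP-VPF: none, relative (1 octet), enhanced/absolute (7)
    pos = end + 2 + {0: 0, 2: 1, 1: 7, 3: 7}[(first >> 3) & 0x03]
    udl, ud = tpdu[pos], tpdu[pos + 1:]
    alphabet = (dcs >> 2) & 0x03               # assumes the general DCS coding group
    text = None                                # left undecoded if a UDH is present
    if not first & 0x40 and alphabet == 0:     # GSM 7-bit, septets packed LSB first
        bits = int.from_bytes(ud, "little")
        # chr() is only right for characters GSM 03.38 shares with ASCII
        text = "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(udl))
    elif not first & 0x40 and alphabet == 2:   # UCS2, TP-UDL counts octets
        text = ud[:udl].decode("utf-16-be")
    return {"dest": dest, "dcs": dcs, "text": text}

# Constructed SMS-SUBMIT to 01234567890 with text "hello", then both wrappings.
TPDU = bytes.fromhex("01000b811032547698f0000005e8329bfd06")
RP = bytes([0x00, 0x01, 0x00, 0x07, 0x91]) + bytes(6) + bytes([len(TPDU)]) + TPDU
CP = bytes([0x09, 0x01, len(RP)]) + RP

if __name__ == "__main__":
    print(decode_sms_submit(unwrap_rp(RP)))             # as in a SIP MESSAGE body
    print(decode_sms_submit(unwrap_rp(unwrap_cp(CP))))  # as in a NAS container
```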
Operators other than SoftBank may also use SMS over NAS if they are not registered for IMS. Disabling IMS on an Android device results in deregistration. However, the Galaxy S24 lacks an option to manually disable IMS. As a workaround, the behavior of sending short messages was tested under the following condition: immediately after turning on airplane mode to deregister IMS and turning it off again, i.e., before IMS re-registration was completed. This test confirmed that SMS over NAS was used on the NTT Docomo network, whereas no evidence of its use was found on KDDI and Rakuten. Further analysis is required to clarify the factors influencing the Messages app’s selection of SMS transport methods.
Sending SMS from AT Commands
When sending short messages from the modem embedded in the Android device using AT commands, the messages were transported using SMS over NAS. AT commands are used to control modems and other devices through a serial interface. As noted in a previous article, short messages can be sent using AT commands. In this test, SMS over NAS was confirmed on the NTT Docomo, SoftBank, and Rakuten networks. Figure 6 shows a NAS packet captured on the Rakuten network. Since NAS packets are not encrypted by ESP, it can be confirmed using Wireshark that the packet contains the SMS PDU.
Figure 6: SMS PDU sent using AT commands.
However, when attempting to send short messages using AT commands on the KDDI network, the attempt failed. Figure 7 shows the results of running AT commands. Although the attempt was made to send a short message using the `AT+CMGS` command, a `+CMS ERROR: 500` was returned. Since the packets captured at this time do not contain an SMS PDU, it is clear that no message was sent from the modem. The `AT+CREG?` command, which retrieves the registration status of a Circuit Switched (CS) network, returned `+CREG: 0,3`, indicating that registration is denied³. SMS over NAS in 5G NSA uses a CS network, and the inability to register with it was likely the cause of the error. Based on these results, the use of SMS over NAS on the KDDI network could not be confirmed.
Figure 7: Error when attempting to send using AT commands.
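The reasoning above, from the `+CREG` status to the likely cause of the `+CMS ERROR`, can be applied to a saved AT session. This is an added example, not code from the article: the transcript is constructed to mirror the reported responses, and `parse_creg`, `triage` and the verdict strings are hypothetical names.

```python
# Added example (not from the article): triage an AT session in which AT+CMGS
# failed. The transcript is constructed; response formats follow 3GPP TS 27.007
# (+CREG) and TS 27.005 (+CMGS, +CMS ERROR).
import re

CREG_STAT = {0: "not registered, not searching", 1: "registered, home network",
             2: "not registered, searching", 3: "registration denied",
             4: "unknown", 5: "registered, roaming"}

def parse_creg(line: str) -> int:
    """Return <stat> from a +CREG line in either of its two forms."""
    fields = [f.strip() for f in line.split(":", 1)[1].split(",")]
    # Read response:  +CREG: <n>,<stat>[,<lac>,<ci>]  -> second field is a number.
    # Unsolicited:    +CREG: <stat>[,<lac>,<ci>]      -> second field is quoted.
    if len(fields) >= 2 and fields[1].isdigit():
        return int(fields[1])
    return int(fields[0])

def triage(transcript: str) -> dict:
    stat = cms_error = None
    submitted = False
    for line in map(str.strip, transcript.splitlines()):
        if line.startswith("+CREG:"):
            stat = parse_creg(line)
        elif line.startswith("+CMGS:"):        # +CMGS: <mr> means the modem sent it
            submitted = True
        elif m := re.fullmatch(r"\+CMS ERROR: (\d+)", line):
            cms_error = int(m.group(1))
    cs_registered = stat in (1, 5)
    if submitted:
        verdict = "message submitted by the modem"
    elif cms_error is not None and not cs_registered:
        verdict = "send failed; no CS registration to carry SMS over NAS"
    elif cms_error is not None:
        verdict = "send failed although CS-registered; check SMSC and PDU"
    else:
        verdict = "no send attempt seen"
    return {"creg": CREG_STAT.get(stat, "not queried"), "cms_error": cms_error,
            "submitted": submitted, "verdict": verdict}

# Constructed transcript mirroring the responses reported for the KDDI SIM.
KDDI_SESSION = """AT+CREG?
+CREG: 0,3

OK
AT+CMGS="01234567890"
> hello
+CMS ERROR: 500
"""

if __name__ == "__main__":
    print(triage(KDDI_SESSION))
```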
Conclusion and Future Work
Test results show that the availability of SMS over NAS depends on the MNO’s network configuration. When IMS is enabled, short messages sent from the Messages app on Android were transported using SMS over IMS, except for one MNO’s network, which used SMS over NAS. In contrast, messages sent from the modem using AT commands were consistently transported using SMS over NAS. However, these results are based on testing conducted on 5G NSA networks in Japan. SMS over NAS should be further tested on 5G Standalone (SA) networks, as it may also be supported on 5G Core (5GC). Additionally, testing with iOS devices is expected, as different mobile operating systems may handle SMS transport differently.
¹ fgsect/scat: SCAT: Signaling Collection and Analysis Tool - GitHub
² 11.4.2. User Specified Decodes - Wireshark User’s Guide
³ AT+CGREG – AT command for GPRS Registration Status - Onomondo