iPhone (cell) Field Test mode
Saturday, February 21. 2015
A reader of this blog contacted me and wanted me to take a look at his Huawei E5186. During the meeting he showed the Field Test mode of his iPhone. I haven't done any iPhone hacks, and had never heard of such thing. In this mode you can see details of the cellular connection. It is completely limited to that, there is no "root"-mode, nor details about Wi-Fi connection, nor details of the phone itself. But if any of the SIM, GSM, UMTS or LTE details are of interest, this one is for you.
Every iPhone has this. Really! There are details of this Field Test mode in The Net from year 2009 (iPhone 3GS), maybe earlier if you'd really want to look close. My iPhone 6 has this, so I'm pretty sure your (whatever model) has it too.
How to get there? Easy. Dial *3001 # 12345#*. Like this:
As a result you will see either the 2G/3G (GSM/UMTS) or 4G (LTE) Field Test menu:
As you can see, the 2G/3G menu has more stuff in it. It is because this is the really old stuff back from the 90s. LTE menu is light, as it is the 2010s spec. Please remember, that it is a snapshot of the situation when menu was opened.
Also notice how there is no more bars on top of the screen, there is a number in dBm. The number will indicate RSSI (in 2G) or RSCP (in 3G) or RSRP (in 4G). See article Some GSM, UMTS and LTE Measurement Units for clarification of the units.
RSSI translation:
- -40 dBm - theorethical max., you won't get this even if you'd be right next to the cell tower
- -50 to -75 dBm - High
- -76 to -90 dBm - Medium
- -91 to -100 dBm - Low
- -101 to -120 dBm - Poor
RSRP translation:
- theorethical max. ? dBm
- -75 and -88 dBm - Very High
- -89 and -96 dBm - High
- -97 and -105 dBm - Medium
- -106 and -112 dBm - Low
- -113 and -125 dBm - Poor
As I didn't find much information about the actual contents of these menus, I'll try to gather here a comprehensive list. Not all of the items have a value in my phone, if there is a value recorded, but I don't know what it is for, there is a ?.
| Menu / Submenu | Description | ||||
|---|---|---|---|---|---|
| SIM Info | |||||
(sub level 1) |
EF-FPLMN | ||||
| EF-ICCID | |||||
| EF-OPLMNAcT | |||||
| EF-HPPLMN SEARCH PERIOD | |||||
| EF-MSISDN | |||||
| EF-3GPP MAIL BOX DIALING NUMBER | |||||
| EF-ACCESS CONTROL CLASS | |||||
| EF-OPERATOR PLMN LIST | |||||
| EF-ACTING HPLMN | |||||
| EF-ADMINISTRATIVE DATA | |||||
| EF-RAT MODE | |||||
| EF-LOCI | |||||
| EF-GPRS/PS-LOCI | |||||
| PDP Context Info | (List) Packet Data Protocol (PDP) Context (in GPRS), see http://developer.nokia.com/community/wiki/PDP for details of PDP | ||||
| APN | Access Point Name: Connection setting | ||||
| IPv4 | IPv4 address of the access point to connect to | ||||
| GSM Cell Environment | [UMTS only] 2G/2.5G information | ||||
| GSM RR Info | |||||
| DTX Used | ? | ||||
| RR State | |||||
| Rx Quality Sub | |||||
| RR Mode | |||||
| RR Sub State | |||||
| Serving Rx Level | |||||
| DRX used | |||||
| RR Status | |||||
| Rx Quality Full | |||||
| GSM Cell Info | |||||
| GSM Serving Cell | |||||
(sub level 3) |
C1 Value | ||||
| RSSI | |||||
| ARFCN | Absolute radio-frequency channel number | ||||
| Cell ID | http://en.wikipedia.org/wiki/Cell_ID Gather MCC, MNC, LAC and go http://opencellid.org/ to see where you are at |
||||
| Mobile Allocation | |||||
(sub level 4) |
ARFCNs | (List) | |||
| HSN | |||||
| C2 Value | |||||
| BSIC | ? bits | ||||
| MA Dedicated ARFCN | |||||
| Neighboring Cells | (List) | ||||
| GPRS Information | |||||
| Priority Access Threshold | ? | ||||
| SI13 Location | ? | ||||
| Ext Measurement Order | |||||
| Access Burst Type | ? | ||||
| DRX Timer Max | ? | ||||
| Network Operating Mode | ? | ||||
| PBCCH Present | |||||
| Count LR | |||||
| Packet PSI Status | |||||
| PFC Supported | ? | ||||
| Cell Reselect Hysteresis | |||||
| Count HR | |||||
| Packet SI Status | |||||
| Network Control Order | ? | ||||
| T3192 Timer | http://www.rfwireless-world.com/Terminology/GSM-timers.html [milliseconds] | ||||
| UMTS Cell Environment | [UMTS only] 3G information | ||||
| Neightbor Cells | |||||
| Active Set | (List) | ||||
| Detected Set | (List) | ||||
| Monitored Set | (List) | ||||
| UMTS Set | (List) The only one I have anything listed | ||||
| Scrambling Code | Your "identifier" in the cell. See UMTS Quick Reference - Scrambling Code for more info | ||||
| RSCP | Received signal code power: The number on top left of your screen. See UARFCN below. | ||||
| Energy Per Chip | EcNo: RSCP divided by RSSI. See Some GSM, UMTS and LTE Measurement Units for details about RCSP and EcNo. | ||||
| UARFCN | See UMTS RR Info below. In this set one of the cells has same scrambling code as UMTS RR Info has. That cell has the exact same RSCP what is displayed as your received signal strenght. | ||||
| Virtual Active Set | (List) | ||||
| GSM Set | (List) | ||||
| HSDPA Info | |||||
| Version | |||||
| Primary HARQ Process | |||||
| Sub Frames | |||||
| Secondary HARQ Process | |||||
| Carrier Info | |||||
| UMTS RR Info | Information of the Radio Relay (cell tower) who is serving you | ||||
| UARFCN | UTRA Absolute Radio Frequency Channel Number: The channel number you're currently at. Decimal number, see http://niviuk.free.fr/umts_band.php for listings of bands. | ||||
| BLER | Block Error Rate (my phone displays nothing here) | ||||
| Cell ID | http://en.wikipedia.org/wiki/Cell_ID Gather MCC, MNC, LAC and go http://opencellid.org/ to see where you are at |
||||
| RRC State | See UMTS RCC States (my phone displays nothing here) | ||||
| Downlink Frequency | (my phone displays nothing here) | ||||
| Scrambling Code | Your "identifier" in the cell. See UMTS Quick Reference - Scrambling Code for more info | ||||
| Uplink Frequency | (my phone displays nothing here) | ||||
| Ciphering | (my phone displays nothing here) | ||||
| Transmit Power | (my phone displays nothing here) | ||||
| MM Info | [UMTS only] | ||||
| Serving PLMN | Public land mobile network information | ||||
| Location Area Code | LAC (decimal): http://en.wikipedia.org/wiki/Location_area_identity | ||||
| Routing Area Code | ? | ||||
| PLMN Sel Mod | |||||
| Mobile Network Code | MNC (decimal): http://en.wikipedia.org/wiki/Mobile_country_code | ||||
| Mobile Country Code | MCC (decimal): http://en.wikipedia.org/wiki/Mobile_country_code | ||||
| Service Type | ? | ||||
| Process PS | |||||
| MM Sub State | |||||
| MM State | |||||
| MM Service State | |||||
| Attach Reject Cause | |||||
| Process CS | |||||
| MM Sub State | |||||
| MM State | |||||
| MM Service State | |||||
| LU Reject Cause | |||||
| Equivalent PLMN List | |||||
| Process CO | |||||
| MM State | |||||
| MM Service State | |||||
| Neighbor Measurements | [LTE only] | ||||
| E-ARFCN | |||||
| Version | |||||
| Neighbor Cells List | (List) | ||||
(sub level 2) |
Measured RSSI | ||||
| Ant 0 Sample Offset | |||||
| Physical Cell ID | |||||
| Ant 0 Frame Offset | |||||
| Average RSRP | |||||
| Average RSRQ | |||||
| Ant 1 Frame Offset | |||||
| Srxlev | |||||
| Ant 1 Sample Offset | |||||
| Measured RSRP | |||||
| Frequenct Offset | Typo? Frequency Offset | ||||
| Measured RSRQ | |||||
| Qrxlevmin | |||||
| Connected mode LTE Intra-frequency Measurement | [LTE only] | ||||
| Detected Cells | (List) | ||||
| Measured Neighbor Cells | (List) | ||||
| Serving Filtered RSRQ | |||||
| Serving Physical Cell ID | |||||
| Subframe Number | |||||
| Serving Filtered RSRP | |||||
| E-ARFCN | |||||
| Serving Cell Info | [LTE only] | ||||
| Download Bandwidth | |||||
| Freq Band Indicator |
The frequency band you're at. See UARFCN for exact frequency. See http://niviuk.free.fr/umts_band.php for listings of bands and frequencies. Short list:
|
||||
| Download Frequency | |||||
| Num Tx Antennas | |||||
| UARFCN | UTRA Absolute Radio Frequency Channel Number: The channel number you're currently at. Decimal number, see http://niviuk.free.fr/umts_band.php for listings of bands and frequencies. | ||||
| Tracking Area Code | TAC | ||||
| Cell Identity | LCID of the serving cell | ||||
| Physical Cell ID | http://en.wikipedia.org/wiki/Cell_ID MCC, MNC and TAC is the exact location where the serving cell is located. |
||||
| Upload Frequency | |||||
| Upload Bandwidth | |||||
| Reselection Candidates | [LTE only] | ||||
| Version | |||||
| Serving Cell ID | |||||
| Serving EARFCN | |||||
| Reselection Candidates List | (List) | ||||
| Serving Cell Measurements | [LTE only] | ||||
| Measured RSSI | |||||
| Qrxlevmin | |||||
| P_Max | |||||
| Max UE Tx Power | |||||
| Version | |||||
| S Non Intra Search | |||||
| Physical Cell ID | |||||
| Average RSRP | |||||
| Measurement Rules | |||||
| Average RSRQ | |||||
| Serving Layer Priority | |||||
| Srxlev | |||||
| Measured RSRP | |||||
| Num of Consecutive DRX Cycles of S < 0 | |||||
| Measurement Rules Updated | |||||
| Measured RSRQ | |||||
| E-ARFCN | |||||
| S Intra Search | |||||
Please help me complete this (at least all the good stuff). If you find something incorrect or missing, please drop me a comment.
Friend on :
Jari Turkia on :
ajb on :
Jari Turkia on :
Any help for clarifying those would be appreciated.
Adel on :
Lacretia Sims on :
Jari Turkia on :
WiLi on :
Jari Turkia on :
The information on this article doesn't help nobody clone a SIM-card. Apple does know I blog about their hardware, many other manufacturers also do. Information in this article enables you to evaluate network environment your iPhone is at. To a non-technical person, everything is a potential risk. That''s why I carefully target my help in these blog posts to technically inclined people.
Finally: No, someday it won't happen to me. Where I live, telcos enforce security and make such cloning extremely difficult. I'm aware, that is not the norm in many other countries.
WiLi on :
John Wilson on :
I'm on AT&T, iPhone 6S, iOS 9.2.1. Under "Serving Cell Info", don't see anything that looks like LAC, or Location Area Code.
adTHANKSvance
Mike B on :
I used this TAC number as my LAC and the "Cell Identity" as the Cell ID on http://opencellid.org/ and it provided me the correct info.
BTW, in order to find my MCC and MNC, I had to shut off LTE to get to the "MM Info -> Serving PLMN" menu. (That was the only place I could find them.)
Alan Vargas on :
I didn’t know that and I am trying to find as much information as I can from my SIM card. In fact if you want to know about PLMN what I did was write the entire thing down only to realize that there are 50 slots in my SIM card and 27 are being used to store PLMN addresses. Such as 130014:0080 it alternates the first 6 digits are the address and the next 4 is the port number 80. I wrote it all down and the 25 empty slots are all letter F’s. That’s EF-OPLMNAct. Now does anyone know what EF-GPRS/PS-LOCI is? I think? That it is related to the Kc or Ki, I am just not sure if it’s counted in PAIRS. 1st and 8th pair maybe? Not sure? Anyone ?
Jim Julian on :
The differences are so great, I would think a major overhaul is in order.
Jim Julian on :
Also, on my iPhone \, there is no SIM Info heading.
Jari Turkia on :
Jim Julian on :
Jari Turkia on :
Felipe Santos on :
Is it possible to record these RSSI readings? Like for instance, a table with RSSI reading in certain times?
Could this type of data be outputted in an app or any other way to get data separated in value of RSSI at a time t?
Thanks a lot,
Felipe
Jari Turkia on :
If this information would be available to an app, I'm sure there would be a ton of such things in the App Store.
YateBTS on :
Jari Turkia on :
Maybe you should provide more information about that to make your comment useful.
Murray Bod on :
Jari Turkia on :
Andreas on :
Jari Turkia on :
However, I don't think the impulse you're getting is not as potent as you initially thought. I removed you advertisement before publishing your comment.
adhame95 on :
Eg a eNb with 2x2 will display 2, 4x4 will display 4
Jari Turkia on :
Tulay Oztas on :
Chaungoloid on :
Jason on :
Jari Turkia on :
But waitaminute! That's how mobile network operates. They MUST monitor my activities for billing and such.
Suggestion: If you don't want to be monitored, never use anything connected to mobile network.
Hanna on :
Hanna on :
Raquel Ramirez on :