iPhone (cell) Field Test mode

Saturday, February 21. 2015

A reader of this blog contacted me and wanted me to take a look at his Huawei E5186. During the meeting he showed the Field Test mode of his iPhone. I haven't done any iPhone hacks, and had never heard of such thing. In this mode you can see details of the cellular connection. It is completely limited to that, there is no "root"-mode, nor details about Wi-Fi connection, nor details of the phone itself. But if any of the SIM, GSM, UMTS or LTE details are of interest, this one is for you.

Every iPhone has this. Really! There are details of this Field Test mode in The Net from year 2009 (iPhone 3GS), maybe earlier if you'd really want to look close. My iPhone 6 has this, so I'm pretty sure your (whatever model) has it too.

How to get there? Easy. Dial *3001 # 12345#*. Like this:

As a result you will see either the 2G/3G (GSM/UMTS) or 4G (LTE) Field Test menu:

As you can see, the 2G/3G menu has more stuff in it. It is because this is the really old stuff back from the 90s. LTE menu is light, as it is the 2010s spec. Please remember, that it is a snapshot of the situation when menu was opened.

Also notice how there is no more bars on top of the screen, there is a number in dBm. The number will indicate RSSI (in 2G) or RSCP (in 3G) or RSRP (in 4G). See article Some GSM, UMTS and LTE Measurement Units for clarification of the units.

RSSI translation:

  • -40 dBm - theorethical max., you won't get this even if you'd be right next to the cell tower
  • -50 to -75 dBm - High
  • -76 to -90 dBm - Medium
  • -91 to -100 dBm - Low
  • -101 to -120 dBm - Poor

RSRP translation:

  • theorethical max. ? dBm
  • -75 and -88 dBm - Very High
  • -89 and -96 dBm - High
  • -97 and -105 dBm - Medium
  • -106 and -112 dBm - Low
  • -113 and -125 dBm - Poor

As I didn't find much information about the actual contents of these menus, I'll try to gather here a comprehensive list. Not all of the items have a value in my phone, if there is a value recorded, but I don't know what it is for, there is a ?.

Menu / Submenu Description
SIM Info  
(sub level 1)
 EF-FPLMN  
  EF-ICCID  
  EF-OPLMNAcT  
  EF-HPPLMN SEARCH PERIOD  
  EF-MSISDN  
  EF-3GPP MAIL BOX DIALING NUMBER  
  EF-ACCESS CONTROL CLASS  
  EF-OPERATOR PLMN LIST  
  EF-ACTING HPLMN  
  EF-ADMINISTRATIVE DATA  
  EF-RAT MODE  
  EF-LOCI  
  EF-GPRS/PS-LOCI  
PDP Context Info (List) Packet Data Protocol (PDP) Context (in GPRS), see http://developer.nokia.com/community/wiki/PDP for details of PDP
  APN Access Point Name: Connection setting
  IPv4 IPv4 address of the access point to connect to
GSM Cell Environment [UMTS only] 2G/2.5G information
  GSM RR Info  
    DTX Used ?
    RR State  
    Rx Quality Sub  
    RR Mode  
    RR Sub State  
    Serving Rx Level  
    DRX used  
    RR Status  
    Rx Quality Full  
  GSM Cell Info  
    GSM Serving Cell  
   
(sub level 3)
 C1 Value  
      RSSI  
      ARFCN Absolute radio-frequency channel number
      Cell ID http://en.wikipedia.org/wiki/Cell_ID
Gather MCC, MNC, LAC and go http://opencellid.org/ to see where you are at
      Mobile Allocation  
     
(sub level 4)
 ARFCNs (List)
        HSN  
      C2 Value  
      BSIC ? bits
      MA Dedicated ARFCN  
    Neighboring Cells (List)
  GPRS Information  
    Priority Access Threshold ?
    SI13 Location ?
    Ext Measurement Order  
    Access Burst Type ?
    DRX Timer Max ?
    Network Operating Mode ?
    PBCCH Present  
    Count LR  
    Packet PSI Status  
    PFC Supported ?
    Cell Reselect Hysteresis  
    Count HR  
    Packet SI Status  
    Network Control Order ?
    T3192 Timer http://www.rfwireless-world.com/Terminology/GSM-timers.html [milliseconds]
UMTS Cell Environment [UMTS only] 3G information
  Neightbor Cells  
    Active Set (List)
    Detected Set (List)
    Monitored Set (List)
    UMTS Set (List) The only one I have anything listed
      Scrambling Code Your "identifier" in the cell. See UMTS Quick Reference - Scrambling Code for more info
      RSCP Received signal code power: The number on top left of your screen. See UARFCN below.
      Energy Per Chip EcNo: RSCP divided by RSSI. See Some GSM, UMTS and LTE Measurement Units for details about RCSP and EcNo.
      UARFCN See UMTS RR Info below. In this set one of the cells has same scrambling code as UMTS RR Info has. That cell has the exact same RSCP what is displayed as your received signal strenght.
    Virtual Active Set (List)
    GSM Set (List)
  HSDPA Info  
    Version  
    Primary HARQ Process  
    Sub Frames  
    Secondary HARQ Process  
    Carrier Info  
  UMTS RR Info Information of the Radio Relay (cell tower) who is serving you
    UARFCN UTRA Absolute Radio Frequency Channel Number: The channel number you're currently at. Decimal number, see http://niviuk.free.fr/umts_band.php for listings of bands.
    BLER Block Error Rate (my phone displays nothing here)
    Cell ID http://en.wikipedia.org/wiki/Cell_ID
Gather MCC, MNC, LAC and go http://opencellid.org/ to see where you are at
    RRC State See UMTS RCC States (my phone displays nothing here)
    Downlink Frequency (my phone displays nothing here)
    Scrambling Code Your "identifier" in the cell. See UMTS Quick Reference - Scrambling Code for more info
    Uplink Frequency (my phone displays nothing here)
    Ciphering (my phone displays nothing here)
    Transmit Power (my phone displays nothing here)
MM Info [UMTS only]
  Serving PLMN Public land mobile network information
    Location Area Code LAC (decimal): http://en.wikipedia.org/wiki/Location_area_identity
    Routing Area Code ?
    PLMN Sel Mod  
    Mobile Network Code MNC (decimal): http://en.wikipedia.org/wiki/Mobile_country_code
    Mobile Country Code MCC (decimal): http://en.wikipedia.org/wiki/Mobile_country_code
    Service Type ?
  Process PS  
    MM Sub State  
    MM State  
    MM Service State  
    Attach Reject Cause  
  Process CS  
    MM Sub State  
    MM State  
    MM Service State  
    LU Reject Cause  
  Equivalent PLMN List  
  Process CO  
    MM State  
    MM Service State  
Neighbor Measurements [LTE only]
  E-ARFCN  
  Version  
  Neighbor Cells List (List)
 
(sub level 2)
 Measured RSSI  
    Ant 0 Sample Offset  
    Physical Cell ID  
    Ant 0 Frame Offset  
    Average RSRP  
    Average RSRQ  
    Ant 1 Frame Offset  
    Srxlev  
    Ant 1 Sample Offset  
    Measured RSRP  
    Frequenct Offset Typo? Frequency Offset
    Measured RSRQ  
  Qrxlevmin  
Connected mode LTE Intra-frequency Measurement [LTE only]
  Detected Cells (List)
  Measured Neighbor Cells (List)
  Serving Filtered RSRQ  
  Serving Physical Cell ID  
  Subframe Number  
  Serving Filtered RSRP  
  E-ARFCN  
Serving Cell Info [LTE only]
  Download Bandwidth  
  Freq Band Indicator

The frequency band you're at. See UARFCN for exact frequency. See http://niviuk.free.fr/umts_band.php for listings of bands and frequencies. Short list:

  • 1: 2100 MHz
  • 3: 1800 MHz
  • 7: 2600 MHz
  • 8: 900 MHz
  Download Frequency  
  Num Tx Antennas  
  UARFCN UTRA Absolute Radio Frequency Channel Number: The channel number you're currently at. Decimal number, see http://niviuk.free.fr/umts_band.php for listings of bands and frequencies.
  Tracking Area Code TAC
  Cell Identity LCID of the serving cell
  Physical Cell ID http://en.wikipedia.org/wiki/Cell_ID
MCC, MNC and TAC is the exact location where the serving cell is located.
  Upload Frequency  
  Upload Bandwidth  
Reselection Candidates [LTE only]
  Version  
  Serving Cell ID  
  Serving EARFCN  
  Reselection Candidates List (List)
Serving Cell Measurements [LTE only]
  Measured RSSI  
  Qrxlevmin  
  P_Max  
  Max UE Tx Power  
  Version  
  S Non Intra Search  
  Physical Cell ID  
  Average RSRP  
  Measurement Rules  
  Average RSRQ  
  Serving Layer Priority  
  Srxlev  
  Measured RSRP  
  Num of Consecutive DRX Cycles of S < 0  
  Measurement Rules Updated  
  Measured RSRQ  
  E-ARFCN  
  S Intra Search  

Please help me complete this (at least all the good stuff). If you find something incorrect or missing, please drop me a comment.

by Jari Turkia in Apple at 17:10 | Comments (34) | Share in LinkedIn

Comments
Display comments as (Linear | Threaded)

Read 3GPP docs.
Comment (1)
#1 Friend on 2015-04-05 03:33 (Reply)
Thanks for your suggestion. Where do you think the current information came from?
Comments (12)
#1.1 Jari Turkia on 2015-04-06 20:56 (Reply)
Do u have any info regarding the UMTS set? Do u know the difference between that set and the active set?? I would appreciate ur help. Thanks in advance
Comment (1)
#2 ajb on 2015-10-31 22:31 (Reply)
I don't know the difference between UMTS Set and Active set. As I tried to inform all readers by saying "The only one I have anything listed", is because my Active, Detected and Monitored sets are always empty.

Any help for clarifying those would be appreciated.
Comments (12)
#2.1 Jari Turkia on 2015-11-01 12:50 (Reply)
Thanks
Comment (1)
#3 Adel on 2015-12-03 02:34 (Reply)
Whoever downloaded this bullshit and hacked my phone and wifi and accounts. Email
Comment (1)
#3.1 Lacretia Sims on 2021-07-12 18:22 (Reply)
No. Downloading information from The Internet doesn't mean somebody hacked your phone.
Comments (12)
#3.1.1 Jari Turkia on 2021-07-28 12:53 (Reply)
What the girl meant was that hackers are using this info to be better hackers. Does apple know you blog about their phones?? I had 89 burner cells cloned to my sim !! It sucks!! You should be less helpful and more careful. Someday it will happen to you.
Comments (2)
#3.1.1.1 WiLi on 2023-06-16 17:08 (Reply)
No. Downloading information from The Internet doesn't mean somebody hacked your phone.

The information on this article doesn't help nobody clone a SIM-card. Apple does know I blog about their hardware, many other manufacturers also do. Information in this article enables you to evaluate network environment your iPhone is at. To a non-technical person, everything is a potential risk. That''s why I carefully target my help in these blog posts to technically inclined people.

Finally: No, someday it won't happen to me. Where I live, telcos enforce security and make such cloning extremely difficult. I'm aware, that is not the norm in many other countries.
Comments (12)
#3.1.1.1.1 Jari Turkia on 2023-06-17 09:47 (Reply)
I do know that your info didn’t help the hacker hack my phone. That was done by a fraud professional who just got off his parole. I did have 89 phone’s detected/ neighboring cells clones to my sim. I kept getting messages from my network that I had used up my 50G after 10 days after my new cycle turned over and my phone became slower after that. I’ve used the codes to disable the call forwarding and data forwarding info. I recheck it every couple hours and snapshot the cell info when they hack back in. It’s relentless but I think I’ve discouraged them. I have the # they were being forwarded too. They hacked my cloud which is how I think they hit in not sure. I’m sorry I hit so mad the other day. This has been quite a learning experience.
Comments (2)
#3.1.1.1.1.1 WiLi on 2023-06-20 14:13 (Reply)
How do I find the LAC from iOS Field Test?

I'm on AT&T, iPhone 6S, iOS 9.2.1. Under "Serving Cell Info", don't see anything that looks like LAC, or Location Area Code.

adTHANKSvance
Comment (1)
#4 John Wilson on 2016-03-10 19:00 (Reply)
On the LTE Serving Cell Info page, the "Tracking Area Code" is the same thing as the "Location Area Code"

I used this TAC number as my LAC and the "Cell Identity" as the Cell ID on http://opencellid.org/ and it provided me the correct info.

BTW, in order to find my MCC and MNC, I had to shut off LTE to get to the "MM Info -> Serving PLMN" menu. (That was the only place I could find them.)
Comment (1)
#4.1 Mike B on 2016-05-10 19:13 (Reply)
Thanks,
I didn’t know that and I am trying to find as much information as I can from my SIM card. In fact if you want to know about PLMN what I did was write the entire thing down only to realize that there are 50 slots in my SIM card and 27 are being used to store PLMN addresses. Such as 130014:0080 it alternates the first 6 digits are the address and the next 4 is the port number 80. I wrote it all down and the 25 empty slots are all letter F’s. That’s EF-OPLMNAct. Now does anyone know what EF-GPRS/PS-LOCI is? I think? That it is related to the Kc or Ki, I am just not sure if it’s counted in PAIRS. 1st and 8th pair maybe? Not sure? Anyone ?
Comment (1)
#4.1.1 Alan Vargas on 2020-07-29 21:29 (Reply)
This is November 4, 2016. My iPhone 4, Consumer Cellular (AT&T) has more than your page but has some elements missing.
The differences are so great, I would think a major overhaul is in order.
Comments (3)
#5 Jim Julian on 2016-11-05 04:15 (Reply)
I have an iPhone 4. In that phone there is a toggle switch in the Settings/Cellular section to allow data to download at 3G. I assume the normal rate is 2G. On 2G, the field test is in GSM mode and all the GSM pages are full and the UMTS pages are blank, mostly. If I toggle the switch on to 3G, the GSM pages go blank and the UMTS pages fill up. If you read up on the two, GSM and UMTS, you find that is to be expected. I'm trying to figure out how to get the UARCFN. The ARCFN from GSM mode is available in that mode.
Also, on my iPhone \, there is no SIM Info heading.
Comments (3)
#6 Jim Julian on 2016-11-06 18:23 (Reply)
The phone can be in one mode at a time. If you force the device to be in 2G-mode, it is unable to display any UMTS (aka. 3G) or LTE (aka. 4G) information. Of course the fields go blank!
Comments (12)
#6.1 Jari Turkia on 2016-11-17 22:24 (Reply)
Is there an echo in here!?
Comments (3)
#7 Jim Julian on 2016-11-18 21:25 (Reply)
Yeah. It kinda depends on the acoustics of the space you're at. I guess, there is some. (weird)
Comments (12)
#7.1 Jari Turkia on 2016-11-19 16:41 (Reply)
Hi,

Is it possible to record these RSSI readings? Like for instance, a table with RSSI reading in certain times?
Could this type of data be outputted in an app or any other way to get data separated in value of RSSI at a time t?

Thanks a lot,
Felipe
Comment (1)
#8 Felipe Santos on 2016-11-27 09:01 (Reply)
Not that I know of.
If this information would be available to an app, I'm sure there would be a ton of such things in the App Store.
Comments (12)
#8.1 Jari Turkia on 2016-11-27 10:10 (Reply)
Felipe you can record these settings with an application...
Comment (1)
#8.2 YateBTS (Homepage) on 2018-01-17 22:39 (Reply)
Ok, I'm sure Felipe can do that, but I cannot.

Maybe you should provide more information about that to make your comment useful.
Comments (12)
#8.2.1 Jari Turkia on 2018-01-18 19:17 (Reply)
How can I send you some screen shots that might interest you
Comment (1)
#8.2.1.1 Murray Bod (Homepage) on 2018-05-09 23:31 (Reply)
Of course you can. I already sent you email to the address you gave on your comment.
Comments (12)
#8.2.1.1.1 Jari Turkia on 2018-05-20 10:35 (Reply)
the contribution has given me an exciting impulse.
Comment (1)
#9 Andreas on 2021-02-02 22:58 (Reply)
Thank you.

However, I don't think the impulse you're getting is not as potent as you initially thought. I removed you advertisement before publishing your comment.
Comments (12)
#9.1 Jari Turkia on 2021-02-05 16:19 (Reply)
Num tx antenna is a mimo indicator of the eNb
Eg a eNb with 2x2 will display 2, 4x4 will display 4
Comment (1)
#10 adhame95 on 2021-04-30 16:13 (Reply)
That would be a no. Apparently the entire handshake is done in the deep guts of OpenSSL / GNU TLS / whatever and nobody cares much on altering handshake parameters. Especially HTTP-daemon authors are not interested on that.
Comments (12)
#11 Jari Turkia on 2021-07-28 12:58 (Reply)
Hi I want to know if my phone is being tapped how do I do that? Can you please help me. I have an iPhone pro 12. Thank you
Comment (1)
#12 Tulay Oztas on 2021-11-01 09:46 (Reply)
If I have KCT cell monitoring on my phone detected in field test mode , am I being monitored thru mspy?
Comment (1)
#13 Chaungoloid on 2022-05-18 06:21 (Reply)
I need diags on my device it’s definitely monitored.
Comment (1)
#14 Jason on 2023-02-16 04:08 (Reply)
Same here. I have multiple mobile devices and all of them are monitored by telco / ISP.

But waitaminute! That's how mobile network operates. They MUST monitor my activities for billing and such.

Suggestion: If you don't want to be monitored, never use anything connected to mobile network.
Comments (12)
#14.1 Jari Turkia on 2023-02-26 16:39 (Reply)
Jason, did u find any answers/solutions to confirm your suspicions? I too am in the same predicament as you in feeling that my phone is being monitored by someone. I could use some ideas if you have anything to assist me in proving this is actually happening to me and I believe many many many other mobile phone users. I had an android, but after a few months of using a new iPhone and trying not to link any data, always having Siri off ( stalker alert ) Siri found old phone suggestions and same issues and concerns have now followed me to my new phone. Pls help with any info. Appreciated.
Comments (4)
#14.2 Hanna on 2023-11-12 18:18 (Reply)
Can someone please interpret this
Comment (1)
#15 Raquel Ramirez on 2023-08-07 14:03 (Reply)

Add Comment

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
 
Submitted comments will be subject to moderation before being displayed.
 

Calendar

Back December '23
Mon Tue Wed Thu Fri Sat Sun
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Open login screen

Powered by

Parts of this serendipity template are by Abdussamad Abdurrazzaq and Jari Turkia. License