Get 5G access on prepaid or mobile plans without 5G subscription - works with Huawei Core (EPC) in Romania
23.05.2020
Operator: Digi Mobil : E/// Radio; Huawei EPC
Digi Mobil has 2 MMEs with MME Codes : 8 and 16.
Both MMEs allow access to 5G sometimes, see second screenshot for each MME. The RestrictDCNR (restrict 5G) bit is not present in Attach Accept or TAU Accept. This is a Bug.
How to reproduce it with Xiaomi Mi Mix3 5G:
1. 4G attach in any MME
2. put the phone in 3G: Preferred Network Type : Prefer 3G
3. change Preferred Network Type : Prefer 5G. (Most likely the MME takes the profile from 3G SGSN and it doesn't get any 5G restriction from there since the SGSN doesn't know what 5G is. The 5G restriction is set in HSS.)
4. Enjoy 5G . If it doesn't work from the 1st time, repeat steps 2) and 3)
Video demonstration with Digi Prepaid: https://streamable.com/fxnw9m
First the RestrictDCNR flag is present, so no 5G available, after puting the phone in 3G and getting it back to 4G, I have access to 5G. I had to lock the phone on LTE Band 1, the only one that signalizes 5G.
Digi 5G Prepaid Promenada
Prepaid Profile:200/50Mbps
Digi 5G Prepaid Podul Baneasa
Prepaid Profile:200/50Mbps
Operator: Vodafone Romania: HUA Radio, HUA EPC.
VDF Romania has 3 MME with the codes: 8, 22, 48. Only MMEs 6 and 22 have the bug of allowing 5G for SIMs restricted from HSS.
The steps are similar like in Digi case, however we have to be sure that we land on MME8 or MME16.
For this we need to do a IMSI Attach, having a 33% chance to hit any MME.
Xiaomi Mi Mix3 5G does a IMSI attach after it tries to manually register to another network (ORO, Digi, ...) and this fails.
Video demonstration with Vodafone Romania Prepaid: 4G->3G->5G . Easy, right ?
5G for the masses!
VDF RO Prepaid 5G , Promenada
Prepaid profile : 300/100Mbps
No comments:
Post a Comment