GSM NETWORK

Global System for Mobile communications (GSM)

900/1800 MHz band (US: 850/1900 MHz) For 900 MHz band
Uplink: 890-915 Downlink: 935-960

25 MHz bandwidth - 124 carrier frequency channels, spaced 200KHz apart Time Division Multiplexing for 8 full rate speech channels per frequency channel. Circuit Switched Data with data rate of 9.6 kbps Handset transmission power limited to 2 W in GSM850/900 and 1 W in GSM1800/1900.

GSM Architecture

Architecture and components

Architecture and components

MSC: Mobile Switching Center LA: Location Area BSC: Base Station Controller BTS: Base Transceiver Station

Architecture and components

MS: Mobile Station BTS: Base Transceiver Station BSC: Base Station Controller MSC: Mobile Switching Center GMSC: Gateway MSC OMC: Operation and Maintenance Center EIR: Equipment Identity Register AUC: Authentication Center HLR: Home Location Register VLR: Visitor Location Register

Architecture and components

Two components: 1. Fixed installed infrastructure 2. Mobile subscribers : Fixed infrastructure divided into three sub-systems 1/. BSS: Base Station subsystem Manages transmission path from MS to NSS 2/. NSS: Network Switching Subsystem Communication and interconnection with other nets 3/. OSS: Operational Subsystem GSM network administration tools

Mobile Station and addresses

Mobile Station (MS) GSM separates user mobility from equipment mobile, by defining two distinct components Mobile Equipment: The cellular telephone itself (or the vehicular telephone) Address / identifier: IMEI (International Mobile Equipment Identity) Subscriber Identity Module (SIM) Fixed installed chip (plug-in SIM) or Exchangeable card (SIM card) Addresses / identifiers: IMSI (International Mobile Subscriber Identity) MSISDN (Mobile Subscriber ISDN number the telephone number!
TMSI (Temporary Mobile Subscriber Identity) MSRN ( Mobile Station Roaming Number)

Mobile Station and addresses

Mobile Termination functions tRadio interface (tx, rx, signalling) Terminal Equipment functions User interface (microphone, keyboard, speakers, etc); Functions specific of services (telephony, fax, messaging, etc), independent of GSM Terminal Adaptor functions >> Interfaces MT with different types

Mobile Station and addresses

Mobile Station and addresses

Uniquely identifies the mobile equipment 15 digits hierarchical address assigned to ME during manifacturing and type approval testing Type approval procedure: guarantees that the MS meets a minimum standard, regardless of the manifacturer IMEI structure:

Mobile Station and addresses

IMEI Management
Protection against stolen and malfunctioning terminals Equipment Identity Register (EIR): 1 DataBase for each operator; keeps: WHITE LIST: Valid IMEIs Corresponding MEs may be used in the GSM network BLACK LIST: IMEIs of all MEs that must be barred from using the GSM network Exception: emergency calls (to a set of emergency numbers) Black list periodically exchanged among different operators GRAY LIST: IMEIs that correspond to MEs that can be used, but that, for some reason (malfunctioning, obsolete SW, evaluation terminals, etc), need to be tracked by the operator A call from a gray IMEI is reported to the operator personnel

Mobile Station and addresses

SIM Card
Subscriber Identity Module Subscriber Identity Module Uniquely associated to a user Not to an equipment, as in first generation cellular networks Stores user addresses IMSI MSISDN Temporary addresses for location (TMSI) ,roaming (MSRN) , etc Authentication and encryption features All security features of GSM are stored in the SIM for maximum protection Subscribers secret authentication key (Ki) Authentication algorithm (secret algorithm - A3 not unique) Cipher key generation algorithm (A8) Personalization SIM stores user profile (subscribed services) RAM available for SMS, short numbers, users directory, etc Protection codes PIN (Personal Identification Number, 4-8 digits) PUK (PIN Unblocking Key, 8 digits)

Mobile Station and addresses

Identity International Mobile Subscriber Identity
Uniquely identifies the user (SIM card) GSM-specific address unlike MSISDN - normal phone number 15 digits hierarchical address Assigned by operator to SIM card upon subscription IMSI structure:

Mobile Station and addresses

IMSI is used in the case of internal - system signaling. IMSI is permanently stored on the SIM card and unknown by the subscriber. In HLR, it is used as the storage address for the subscriber data.

Mobile Station and addresses

Mobile Station and addresses

Addresses Temporary
TMSI Temporary Mobile Subscriber Identity 32 bits Assigned by VLR within an administrative area Has significance only in this area Transmitted on the radio interface instead of IMSI Reduces problem of eavesdropping MSRN Mobile Station Roaming Number An MSISDN number CC, NDC of the visited network SN assigned by VLR Used to route calls to a roaming MS Subscriber Number (SN) assigned to provide routing information towards actually responsible MSC

Mobile Station and addresses

Why TMSI ?

Architecture and components

Two components: 1. Fixed installed infrastructure 2. Mobile subscribers : Fixed infrastructure divided into three sub-systems 1/. BSS: Base Station subsystem Manages transmission path from MS to NSS 2/. NSS: Network Switching Subsystem Communication and interconnection with other nets 3/. OSS: Operational Subsystem GSM network administration tools

Fixed Infrastructure
Components
MS Mobile Station BTS Base Transceiver Station BSC Base Station Controller MSC Mobile Switching Center OMC Operation and Maintenance Center EIR Equipment Identity Register AUC Authentication Center HLR Home Location Register VLR Visitor Location Register

Interfaces
Um Radio Interface Abis BTS-BSC A BSS-MSC B MSC-VLR C MSC-VLR D HLR-VLR E MSC-MSC F MSC-EIR G VLR-VLR

Fixed Infrastructure

Fixed Infrastructure

Base Transceiver Station (BTS)

> Transmitter and receiver devices, voice coding & decoding, rate adaptation for data. > Provides signaling channels on the radio interface

Base Station Controller (BSC)

> Performs most important radio interface management functions: Radio channels allocation and deallocation; handover management;

Fixed Infrastructure

TRX radio interface functions:

- GMSK modulation-demodulation - channel coding - encryption/decryption - burst formatting, interleaving - signal strength measurements - interference measurements

Fixed Infrastructure

Fixed Infrastructure

Switch calls from MSC to correct BTS and conversely Protocol and coding conversion: for traffic (voice) & signaling (GSM-specific to ISDN-specific) Manage MS mobility Enforce power control

Fixed Infrastructure
Transcoding Transcoding and Rate
BTS: - Collects speech traffic - Deciphers and removes error protection - Result: 13 kbps air-interface GSM peechcoded signal MSC: - A 64kp/s ISDN switch - Needs to receive ISDN-coded speech : 64 kbps PCM format (A-law)

Transcoding and Rate Adaptation Unit (TRAU)

Needed !

Fixed Infrastructure

Fixed Infrastructure

Fixed Infrastructure

Fixed Infrastructure

Fixed Infrastructure

Fixed Infrastructure

Fixed Infrastructure

Geographic relation between the MSC and the VLR

Fixed Infrastructure

GSM Specifications
RF Spectrum GSM 900 Mobile to BTS (uplink): 890-915 Mhz BTS to Mobile(downlink):935-960 Mhz Bandwidth : 2* 25 Mhz GSM 1800 Mobile to BTS (uplink): 1710-1785 Mhz BTS to Mobile(downlink) 1805-1880 Mhz Bandwidth : 2* 75 Mhz

GSM Specification

Carrier Separation : 200 Khz Duplex Distance : 45 Mhz No. of RF carriers : 124 Access Method : TDMA/FDMA Modulation Method : GMSK Modulation data rate : 270.833 Kbps

Frequency Bands / Bandwidth

Uplink Downlink
1 100 KHz

890 915 MHz 25 MHz 935 960 MHz 25 MHz

2 200 KHz 3 4

124 100 KHz

A 200 kHz carrier spacing has been chosen. Excluding 2x100 kHz edges of the band, this gives 124 possible carriers for the uplink and downlink. The use of carrier 1 and 124 are optional for operators.

Multiple Access Technique

FDMA/TDMA. The total band is divided into 124x200 kHz bands (FDMA). Each group of 8 users transmit through a 200 kHz band sharing transmission time (TDMA).

GSM uses paired radio channels

890MHz

915MHz

935MHz

960MHz

124

124

GSM delays uplink TDMA frames

The start of the uplink TDMA is delayed of three time slots TDMA frame (4.615 ms)

Downlink TDMA

R1 R2 R3 R4 R5 R6 R7 R8 T1 T2 T3 T4 T5 T6 T7 T8 Uplink TDMA Frame

Fixed transmit Delay of three time-slots

GSM - TDMA/FDMA
935-960 MHz 124 channels (200 kHz) downlink 890-915 MHz 124 channels (200 kHz) uplink

higher GSM frame structures

time

GSM TDMA frame 1 2 3 4 5 6 7 8 4.615 ms GSM time-slot (normal burst)

guard space tail user data S Training S user data guard tail space

3 bits

57 bits

1 26 bits 1

57 bits

546.5 s 577 s

GSM Operation
Speech Speech

Speech coding 13 Kbps Channel Coding 22.8 Kbps Interleaving 22.8 Kbps Burst Formatting 33.6 Kbps Ciphering 33.6 Kbps Modulation Radio Interface 270.83 Kbps

Speech decoding

Channel decoding

De-interleaving

Burst Formatting

De-ciphering

Demodulation

Physical Channel

HIERARCHY OF FRAMES
1 HYPER FRAME = 2048 SUPERFRAMES = 2 715 648 TDMA FRAMES ( 3 H 28 MIN 53 S 760 MS ) 0 1 2 3 4 5 6 2043 2044 2045 2046 2047

1 SUPER FRAME = 1326 TDMA FRAMES ( 6.12 S ) LEFT (OR) RIGHT 1 SUPER FRAME = 51 MULTI FRAMES TRAFFIC CHANNELS 0 1 2 3 4 48 49 50 SIGNALLING CHANNELS 1 SUPER FRAME = 26 MULTI FRAMES 0 1 MULTIFRAME = 26 TDMA FRAMES ( 120 ms ) 0 1 2 3 24 25 1 MULTI FRAME = 51 TDMA FRAMES (235 .4 ms ) 0 0 1 2 3 4 5 6 7 0 1 2 3 4 5 6 1 7 2 0 3 4 48 49 50 1 2 24 25

(4.615ms) 0 1 TIME SLOT = 156.25 BITS ( 0.577 ms) 1 2

TDMA FRAME NO. 1 0 1 2 3 0 4 5 6 7 0 1 2 3 4 5 6 7 0

3 4 155 156 1 bit =36.9 micro sec

(4.615 ms) 1

GSM Frame
0 to 11 and 13 to 24 Are used for traffic data
0 1 2 12
SACCH is transmitted in frame 12 Full rate channel is idle in 25 Frame duration = 120ms

24

25

Frame duration = 60/13ms

57

26

57

8.25

Frame duration = 15/26ms

Channels
The physical channel in GSM is the timeslot. The logical channel is the information which goes through the physical channel . Both user data and signaling are logical channels.

Channels
User data is carried on the traffic channel (TCH) , which is defined as 26 TDMA frames. There are lots of control channels for signaling, base station to mobile, mobile to base station (aloha to request network access)

LOGICAL CHANNELS

TRAFFIC

SIGNALLING

FULL RATE Bm 22.8 Kb/S

HALF RATE Lm 11.4 Kb/S BROADCAST COMMON CONTROL DEDICATED CONTROL

FCCH

SCH

BCCH PCH RACH AGCH

FCCH -- FREQUENCY CORRECTION CHANNEL SCH -- SYNCHRONISATION CHANNEL BCCH -- BROADCAST CONTROL CHANNEL PCH -- PAGING CHANNEL RACH -- RANDOM ACCESS CHANNEL AGCH -- ACCESS GRANTED CHANNEL SDCCH -- STAND ALONE DEDICATED CONTROL CHANNEL SACCH -- SLOW ASSOCIATED CONTROL CHANNEL FACCH -- FAST ASSOCIATED CONTROL CHANNEL

SDCCH

SACCH

FACCH

DOWN LINK ONLY UPLINK ONLY BOTH UP & DOWNLINKS

Broadcast Channel - BCH

Broadcast control channel (BCCH) is a base to mobile channel which provides general information about the network, the cell in which the mobile is currently located and the adjacent cells. Frequency correction channel (FCCH) is a base to mobile channel which provides information for carrier synchronization Synchronization channel (SCH) is a base to mobile channel which carries information for frame synchronization and identification of the base station transceiver

Common Control Channel - CCH

Paging channel (PCH) is a base to mobile channel used to alert a mobile to a call originating from the network Random access channel (RACH) is a mobile to base channel used to request for dedicated resources Access grant channel (AGCH) is a base to mobile which is used to assign dedicated resources (SDCCH or TCH)

Dedicated Control Channel - DCCH

Stand-alone dedicated control channel (SDCCH) is a bi-directional channel allocated to a specific mobile for exchange of location update information and call set up information

Dedicated Control Channel - DCCH

Slow associated control channel (SACCH) is a bidirectional channel used for exchanging control information between base and a mobile during the progress of a call set up procedure. The SACCH is associated with a particular traffic channel or stand alone dedicated control channel Fast associated control channel (FACCH) is a bidirectional channel which is used for exchange of time critical information between mobile and base station during the progress of a call. The FACCH transmits control information by stealing capacity from the associated TCH

The interfaces
EIR VLR

VLR

HLR

AuC

F
MSC

B E
MSC

B E
SMSgwy

GMSC

A
BSC

Abis
BTS

Each entity communicate with each other through the appropriate interface

GSM Interfaces
The component parts of the GSM system interconnect using standard interfaces. These allows an operator to purchase different parts of the system competitively, I.e. from different manufacturers. The more important interfaces are : Um the air interface A-bis interface between the BTS and BSC A interface between the BSC and MSC

GSM protocol layers for signaling

Um MS
CM MM RR RR LAPDm radio LAPDm radio BTSM LAPD PCM
BSSAP

Abis BTS BSC

A MSC
CM

MM BSSAP SS7
PCM RR BTSM LAPD PCM PCM

SS7

16/64 kbit/s

64 kbit/s / 2.048 Mbit/s

Protocols involved in the A-bis interface

Level 1-PCM transmission (E1 or T1) Speech encoded at 16kbit/s and sub multiplexed in 64kbit/s time slots. Data which rate is adapted and synchronized. Level 2-LAPD protocol, standard HDLC Radio Signaling Link (RSL) Operation and Maintenance Link (OML). Level 3-Application Protocol Radio Subsystem Management (RSM) Operation and Maintenance procedure (OAM)

The A-bis interface

Presentation of A-bis Interface

Messages exchanges between the BTS and BSC. Traffic exchanges Signaling exchanges Physical access between BTS and BSC is PCM digital links of E1(32) or T1(24) TS at 64kbit/s. Speech: Conveyed in timeslots at 4X16 kbit/s Data: Conveyed in timeslots of 4X16 kbit/s. The initial user rate, which may be 300, 1200, is adjusted to 16 kbit/s

Presentation of the A-ter interface

Presentation on the A-ter interface

Signaling messages are carried on specific timeslots (TS) LAPD signaling TS between the BSC and the TCU SS7 TS between the BSC and the MSC, dedicated for BSSAP messages transportation. X25 TS2 is reserved for OAM. Speech and data channels (16kbit/s) Ater interface links carry up to: 120 communications(E1), 4*30 92 communications(T1). The 64 kbit/s speech rate adjustment and the 64 kbit/s data rate adaptation are performed at the TCU.

Presentation of the A interface

Signaling Protocol Model

Presentation on the A-Interface

BSSMAP - deals with procedures that take place logically between the BSS and MSC, examples: - Trunk Maintenance, Ciphering, Handover, Voice/Data Trunk
Assignment

DTAP - deals with procedures that take place logically between the MS and MSC. The BSS does not interpret the DTAP information, it simply repackages it and sends it to the MS over the Um Interface. examples:
Location Update, MS originated and terminated Calls, Short Message Service, User Supplementary Service registration, activation, deactivation and erasure

Inter MSC presentation

MS CM BTS O A M L A P D O A M L A P D BSC BSSAP R R

D T A P
B S S M A P

NSS

CM MM R R

MM BSSAP DTAP/ BSSMAP SCCP MTP3 MTP2

M A P T C A P
SCCP

SCCP MTP3 MTP2

MTP3 MTP2 MTP1

Um Interface

A bis Interface

A Interface

Call Routing
Call Originating from MS Call termination to MS

Outgoing Call
1. MS sends dialled number to BSS 2. BSS sends dialled number to MSC 3,4 MSC checks VLR if MS is allowed the requested service.If so,MSC asks BSS to allocate resources for call. 5 MSC routes the call to GMSC 6 GMSC routes the call to local exchange of called user 7, 8, 9,10 Answer back(ring back) tone is routed from called user to MS via GMSC,MSC,BSS

Incoming Call

1. Calling a GSM subscribers 2. Forwarding call to GSMC 3. Signal Setup to HLR 4. 5. Request MSRN from VLR 6. Forward responsible MSC to GMSC 7. Forward Call to current MSC 8. 9. Get current status of MS 10.11. Paging of MS 12.13. MS answers 14.15. Security checks 16.17. Set up connection

Handovers
Between 1 and 2 Inter BTS / Intra BSC Between 1 and 3 Inter BSC/ Intra MSC Between 1 and 4 Inter MSC

Security in GSM
On air interface, GSM uses encryption and TMSI instead of IMSI. SIM is provided 4-8 digit PIN to validate the ownership of SIM 3 algorithms are specified : - A3 algorithm for authentication - A5 algorithm for encryption - A8 algorithm for key generation

Authentication in GSM

Key generation and Encryption

GSM services

ETSI provide specifications Tele services: voice call, fax, SMS Bearer services: Internet surfing Supplement services: call forwarding, call hold, call barring

Bearer Services
Telecommunication services to transfer data between access points Specification of services up to the terminal interface (OSI layers 1-3) Different data rates for voice and data (original standard)
Data service
Synchronous: 2.4, 4.8 or 9.6 kbit/s Asynchronous: 300 - 1200 bit/s

Supplementary services
Services in addition to the basic services, cannot be offered stand-alone May differ between different service providers, countries and protocol versions Important services
identification: forwarding of caller number suppression of number forwarding automatic call-back conferencing with up to 7 participants locking of the mobile terminal (incoming or outgoing calls)

SMS Network Infrastructure

IWMSC: Interworking MSC

GMSC: Gateway MSC SMSC: Short Message Service Center Receive short message from MSC
Receive short message from SMSC

SME: Short Message Entity Interogate HLR for routing information

Submit it to appropriate SMSC

Deliver short message to recipients MSC

Signaling Element SS7

Call-related signaling

No call-related signaling MAP

MAP (Mobile Application

Part): used for signaling related to a number of services

ISUP

TCAP SCCP MTP3 MTP2 MTP1

Signaling Element
FROM MSC TO VLR (B):

Routing information Request:MAP_SEND_INFO_FOR_MO_SM retrieve routing information of D MAP_SEND_INFO_FOR_MT_SM serving MSCHLR for MS at the delivery attempt VLR Point to point short message delivery: delivery short message MAP_SEND_ROUTING_INFO_SM B from SMSC to MSC C MAP_REPORT_SM_DELIVERY_STATUS
MSC

FROM SMSgwy TO HLR (C):

MAP_ALERT_SERVICE_CENTRE MAP_INFORM_SERVICE_CENTRE Service center alert : HLR alert SMSC that the MS is now available FROM MSC TO HLR (D, via VLR):
SMSgwy SMSC

FROM HLR TOadd SMSgwy (C): address in HLR indication: Short E message waiting SMSC

MAP_READY_FOR_SM

FROM MSC TO SMSgwy (E):

MAP_MO_FORWARD_SM

FROM SMSgwy TO MSC (E):

MAP_MT_FORWARD_SM

Classes of SMS
Class 0: messages are display immediately, ACK to SMSC Class 1:messages are store in memory of mobile station or SIM card Class 2: reserved , carries SIM-specific data Class 3: messages indicate that they can be forwarded to external equipment

SMS Messages - Point to Point

SMS MO :short message mobile originated Submit SM from SME to SMSC SMS MT : short message mobile terminated Deliver SM from SMSC to SME

SMS MT

SMS MT format

SMS MT
1. The short message is submitted from the SME to the SMSC. 2. After completing its internal processing, the SMSC interrogates the HLR and receives the routing information for the MS 3. The SMSC sends the short message to the MSC using the forwardShortMessage operation. 4. The MSC retrieves the subscriber information from the VLR. This operation may include an authentication procedure. 5. The MSC transfers the short message to the MS. 6. The MSC returns to the SMSC the outcome of the forwardShortMessage operation. 7. If requested by the SME, the SMSC returns a status report indicating delivery of the short message.

SMS MO

SMS MO format

SMS MO
1. The MS transfers the SM to the MSC. 2. The MSC interrogates the VLR to verify that the message transfer does not violate the supplementary services invoked or the restrictions imposed. 3. The MSC sends the short message to the SMSC using the forwardShortMessage operation. 4. The SMSC delivers the short message to the SME. 5. The SMSC acknowledges to the MSC the successful outcome of the forwardShortMessage operation. 6. The MSC returns to the MS the outcome of the MO-SM operation.