
GSM

1. Mobile Station and Subscriber Identity Module (SIM)

1.1. SIM
Except for emergency calls, a GSM mobile phone CANNOT be used without a SIM.
The subscription is bound to the SIM, not to the handset: if a user's GSM telephone
is defective, any other GSM telephone can be used instead, simply by moving the SIM
into it.

The ID-1 SIM (credit-card size) and the plug-in SIM differ only in form factor, not
in functionality.


The major task of a SIM is to store data. The main data items are:

Parameter                                | Remarks                                                          | Status
Administrative data
  PIN / PIN2                             | Personal identification number, requested at every power-up      | Mandatory, changeable
  PUK / PUK2                             | PIN unblocking key; required to unblock a SIM                    | Mandatory, fixed
  SIM service table                      | List of the optional functionality of the SIM                    | Mandatory, fixed
  Last dialled number, charging meter,   | -                                                                | Optional (language is mandatory)
  language                               |                                                                  |
Security data
  Algorithms A3, A8                      | Required for authentication and for deriving Kc                  | Mandatory, fixed
  Key Ki                                 | Individual value, known only to the SIM and the HLR/AuC          | Mandatory, fixed (check again)
  Key Kc                                 | Result of A8 applied to Ki and the random number (RAND)          | Mandatory, changeable
  CKSN                                   | Ciphering key sequence number                                    | Mandatory, changeable
Subscriber data
  IMSI                                   | International mobile subscriber identity                         | Mandatory, fixed (check again)
  MSISDN                                 | Mobile subscriber ISDN number (directory number of a subscriber) | Optional, fixed
  Access control class                   | For control of network access                                    | -
Roaming data
  TMSI                                   | Temporary mobile subscriber identity                             | Mandatory, changeable (check again)
  Location updating status               | For location updating                                            | Mandatory, changeable
  Value of T3212 for LU, LAI             | For location updating                                            | Mandatory, changeable
PLMN data
  NCC, mobile country code (MCC),        | Network identifier                                               | Mandatory, fixed
  mobile network code (MNC)              |                                                                  |
  Absolute radio frequency channel       | Frequencies for which the home PLMN is licensed                  | Mandatory, fixed
  numbers (ARFCN)                        |                                                                  |

Notes:
- Ki: each SIM holds a unique Ki assigned to it by the operator during the
  personalization process. The same Ki is also stored in a database on the
  carrier's network, the authentication centre (AuC).
- IMSI: changing the IMSI requires knowledge of the ADM PIN. This can be done
  with SIM Explorer; SIM Manager does not provide this feature.
- TMSI: assigned by the VLR to the MS.

1.2. Mobile Station

A SIM inserted into a Mobile Equipment (ME) forms a Mobile Station (MS).
From the protocol perspective, the MS is not only a peer of the BTS (at the radio
layers) but also communicates directly with the MSC and the VLR through the
Mobility Management (MM) and Call Control (CC) protocols.
A Mobile Station (ME + SIM) can also serve as a test tool for laboratory testing of
new network functions.

2. The Base Station Subsystem

2.1. Base Transceiver Station
The BTS provides the physical connection of an MS to the network over the Air
interface (Um) and connects to the BSC over the Abis interface.
GSM Recommendations allow one BTS to host up to 16 TRXs, but in practice the ratio
is often 1 BTS to 4 TRXs.

BTSs can be configured in several ways:
- Standard configuration: all BTSs are assigned different cell identities (CIs),
  and a number of BTSs form a location area. This configuration is the most common.
- Umbrella configuration: one high-power BTS on high ground covers a large area,
  with several low-power, small-diameter cells underneath it.
- Sectorized BTS: one site is split into sectors, each served by its own antenna
  (the notes give a sector angle of Pi/3).
2.2. Base Station Controller
The BSC was defined with the intention of removing most of the radio-related load
from the MSC.

2.3. TRAU (Transcoding and Rate Adaptation Unit)

3. The Network Switching Subsystem


The NSS includes the MSC, HLR, VLR and EIR.
3.1. HLR and AuC
The HLR acts as the permanent data store of the PLMN.

Within the HLR, subscriber-specific parameters such as Ki are maintained. Ki is
never transmitted on any interface and is known only to the HLR/AuC and the SIM.
The AuC is usually implemented as an integral part of the HLR. The only major
function assigned to the AuC is to calculate and provide the authentication triplets:
Random Number (RAND), Signed Response (SRES) and Ciphering Key (Kc). For each
subscriber, up to 5 of these triplets can be calculated at a time and sent to the HLR.
3.2. VLR
To reduce the load on the HLR, the VLR was introduced to support the HLR by
handling many of the subscriber-related queries (e.g., localization and approval of
features).
The HLR is responsible for the static functions (a static database); the VLR, on the
other hand, keeps a dynamic database.
For security, after up to 5 triplets have been calculated by the AuC and sent to the
HLR, the HLR forwards the triplets to the VLR, which uses them as input parameters
for authentication and ciphering.
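The triplet flow described above (the AuC derives up to five RAND/SRES/Kc triplets from Ki, the HLR/VLR caches them, the VLR challenges the SIM with RAND and compares SRES) as an added example. This is not code from the notes nor from any GSM implementation. A3 and A8 are operator-specific and secret, so the stand-ins here use HMAC-SHA256 truncated to the GSM output sizes (an assumption); the IMSI, Ki and class names are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

# Parameter sizes are those of GSM 03.20: Ki 128 bit, RAND 128 bit,
# SRES 32 bit, Kc 64 bit. CKSN is a 3-bit sequence number (7 = "no key").
KI_LEN, RAND_LEN, SRES_LEN, KC_LEN = 16, 16, 4, 8
MAX_TRIPLETS = 5          # the AuC hands out at most 5 triplets per request


def a3(ki: bytes, rand: bytes) -> bytes:
    """Toy stand-in for the operator-specific A3 (assumption: HMAC-SHA256
    truncated to 32 bits). The real algorithm lives on the SIM and in the AuC."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:SRES_LEN]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Toy stand-in for A8 (same assumption); yields the 64-bit ciphering key Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:KC_LEN]


@dataclass(frozen=True)
class Triplet:
    rand: bytes
    sres: bytes
    kc: bytes


class AuC:
    """Holds Ki per IMSI; Ki is never returned, only triplets derived from it."""

    def __init__(self, ki_db: dict[str, bytes]) -> None:
        self._ki = dict(ki_db)
        self.requests = 0  # how often the HLR/VLR had to ask for a new batch

    def triplets(self, imsi: str, n: int = MAX_TRIPLETS) -> list[Triplet]:
        self.requests += 1
        ki = self._ki[imsi]
        batch = []
        for _ in range(min(n, MAX_TRIPLETS)):
            rand = os.urandom(RAND_LEN)
            batch.append(Triplet(rand, a3(ki, rand), a8(ki, rand)))
        return batch


class SIM:
    """Subscriber side: Ki stays on the card and is only used to answer RAND."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi, self._ki, self.kc = imsi, ki, None

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        self.kc = a8(self._ki, rand)      # Kc stays on the SIM/ME for A5 ciphering
        return a3(self._ki, rand)         # only SRES goes back over the air


class VLR:
    """Caches triplets per IMSI and consumes one triplet per authentication."""

    def __init__(self, auc: AuC) -> None:
        self._auc, self._cache, self._cksn = auc, {}, {}

    def authenticate(self, sim: SIM) -> tuple[bool, bytes | None, int | None]:
        if not self._cache.get(sim.imsi):
            self._cache[sim.imsi] = self._auc.triplets(sim.imsi)   # refill via HLR
        t = self._cache[sim.imsi].pop(0)
        sres = sim.run_gsm_algorithm(t.rand)                       # challenge over the air
        if not hmac.compare_digest(sres, t.sres):
            return False, None, None
        cksn = (self._cksn.get(sim.imsi, -1) + 1) % 7             # 0..6; 7 means "no key"
        self._cksn[sim.imsi] = cksn
        return True, t.kc, cksn                                    # Kc goes to the BSS for A5


IMSI = "262011234567890"                                   # constructed sample IMSI
KI = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed sample Ki


def demo() -> dict:
    """Six genuine authentications (forces a second batch of 5) and one clone attempt."""
    auc = AuC({IMSI: KI})
    vlr = VLR(auc)
    genuine = SIM(IMSI, KI)
    cloned = SIM(IMSI, bytes(KI_LEN))   # attacker knows the IMSI but not Ki
    results = [vlr.authenticate(genuine) for _ in range(6)]
    forged_ok, _, _ = vlr.authenticate(cloned)
    return {
        "ok_all": all(ok for ok, _, _ in results),
        "kc_matches": results[-1][1] == genuine.kc,   # both sides derived the same Kc
        "forged_ok": forged_ok,
        "auc_requests": auc.requests,
        "last_cksn": results[-1][2],
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is what crosses each interface: Ki never leaves the SIM or the AuC, RAND and SRES cross the air interface, and the VLR only ever sees triplets, so a VLR compromise exposes at most five future challenges per subscriber rather than the long-term key.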

Parameter                      | HLR/AuC | VLR | Note
Subscriber specific
  IMSI                         |    o    |  o  |
  Ki                           |    o    |  -  |
  TMSI                         |    -    |  o  |
  Service restrictions         |    o    |  o  |
  Supplementary services       |    o    |  o  |
  MSISDN (basic)               |    o    |  o  | Check again
  MSISDN (other)               |    o    |  -  | Check again
Authentication and ciphering
  A3                           |    o    |  -  |
  A5/X                         |    -    |  -  | in BSS (and MS), not in the NSS
  A8                           |    o    |  -  |
  RAND                         |    o    |  o  | up to 5 triplets
  SRES                         |    o    |  o  | up to 5 triplets
  Kc                           |    o    |  o  | up to 5 triplets
  CKSN                         |    -    |  o  |
Subscriber location / call forwarding
  HLR number                   |    -    |  o  |
  VLR number                   |    o    |  -  |
  MSC number                   |    o    |  -  |
  LAI                          |    -    |  o  |
  IMSI detach                  |    -    |  o  |
  MSRN                         |    o    |  o  | Mobile Station Roaming Number; Check again
  LMSI                         |    -    |  o  | Local Mobile Station Identity
  Handover number              |    -    |  o  |

3.3. MSC
From a technical perspective, the MSC is just an ordinary Integrated Services Digital
Network (ISDN) exchange with some modifications specifically required to handle
the mobile application.
The MSC is in charge of registration, authentication, locating the called subscriber,
inter-MSC handovers, billing data, and call routing to a mobile subscriber.
3.4. Gateway MSC
GMSC is an MSC with an interface to other networks.

3.5. Relationship between MSC and VLR

The VLR is normally attached to an MSC, so a PLMN (geographic) area is the sum of
its MSC areas or, equivalently, of its VLR areas. One MSC uses ONLY one VLR.
3.6. EIR
Because any GSM MS can be operated with any valid GSM SIM, an ME may be stolen
and sold on the black market. The EIR was introduced to identify, track and bar
such equipment from being used in the network.
Each GSM phone has a unique identifier, the IMEI. The notes state it CANNOT be
altered without destroying the phone; that is the intent of the specification, but
in practice the IMEI can be rewritten on some devices, so the EIR is a deterrent
rather than a guarantee. The EIR basically consists of a database, which maintains
three lists:
- White list: all approved types of MS
- Black list: IMEIs of stolen equipment or of equipment barred for technical reasons
- Gray list: IMEIs whose use is allowed but traced
Several GSM operators have decided not to install an EIR or, at least, to postpone
such an installation for a while.
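The three-list lookup above, together with the IMEI check digit, as an added example; it is not code from the notes nor from any operator's EIR. The IMEI format (14 digits plus a Luhn check digit, the first 8 digits forming the Type Allocation Code) is standard; keying the white list by TAC rather than by individual IMEI is an assumption made here because type approval covers a model, and all IMEIs in the sample data are constructed.

```python
from __future__ import annotations


def imei_check_digit(body14: str) -> str:
    """Luhn check digit over the first 14 IMEI digits (TAC + serial number)."""
    if len(body14) != 14 or not body14.isdigit():
        raise ValueError("IMEI body must be 14 digits")
    total = 0
    for i, ch in enumerate(body14):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the left is doubled
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def imei_luhn_ok(imei: str) -> bool:
    """A well-formed IMEI is 15 digits whose last digit is the Luhn check digit."""
    return len(imei) == 15 and imei.isdigit() and imei_check_digit(imei[:14]) == imei[14]


class EIR:
    """Equipment Identity Register with the three lists from the notes.
    Assumption: the white list is keyed by TAC (first 8 IMEI digits); the black
    and gray lists hold individual IMEIs."""

    WHITE, BLACK, GRAY, UNKNOWN, INVALID = "white", "black", "gray", "unknown", "invalid"

    def __init__(self, approved_tacs: set[str], black: set[str], gray: set[str]) -> None:
        self._white_tacs = set(approved_tacs)
        self._black = set(black)
        self._gray = set(gray)

    def check(self, imei: str) -> tuple[str, str]:
        """Return (list, action). Order matters: a stolen handset of an approved
        type must still be barred, and a gray-listed one is allowed but traced."""
        if not imei_luhn_ok(imei):
            return self.INVALID, "reject: malformed IMEI"
        if imei in self._black:
            return self.BLACK, "bar: stolen or technically barred equipment"
        if imei in self._gray:
            return self.GRAY, "allow and log for tracing"
        if imei[:8] in self._white_tacs:
            return self.WHITE, "allow"
        return self.UNKNOWN, "type not approved: operator policy decides"


def build_sample_eir() -> EIR:
    """Constructed sample lists (no real handsets); check digits computed by Luhn."""
    return EIR(
        approved_tacs={"49015420"},
        black={"352099001761481"},        # reported stolen
        gray={"490154200000018"},         # approved type, under observation
    )


if __name__ == "__main__":
    eir = build_sample_eir()
    for imei in ("490154203237518", "352099001761481", "490154200000018",
                 "860123000000009", "49015420323751"):
        print(imei, eir.check(imei))
```

The check digit only catches transcription errors; it is not an integrity mechanism, which is why the list lookups must be done on the full IMEI as reported and why a rewritten IMEI defeats the black list.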

IMSI changing
A Test IMSI is an IMSI number that you create following the pattern
08091010xxxxxxxxxx. A SIM card with such an IMSI will not be blocked by the iPhone
baseband (BB).
To create a Test-IMSI SIM card you need a SIM card whose IMSI can be changed; a
normal SIM card does not allow such a change, but some SIM cards do, such as the
"Super SIM 16 in 1 Super Sim Card Backup, Copy, Duplicate, Clone, Reader, Writer Kit"
at Vavolo.com.
Mr. Dill Huang suggests that you first insert your carrier SIM card; because it is
blocked you will only be able to make emergency calls, so dial 112 for an emergency
call, hang up after 2 seconds and switch to airplane mode, remove your carrier SIM
card and insert the test SIM card you created with the Test IMSI, switch airplane
mode off and the phone should go back to your carrier's service; the BB will not
block it, as the Test IMSI is unblocked by the BB (even if it is a locked BB, because
this is a test IMSI).

Mr. Dill even demonstrates this on YouTube; see "iPhone 4 SIM Unlock: Test IMSI and
112 Exploit - YouTube".
Even if the technique works, the iPhone will at some point in time (the timers are
unclear) refresh the IMSI and encryption keys from the SIM card, at which point it
will not be able to get the correct original IMSI and encryption keys, so you will
need to keep repeating this, not to mention dialling 112, which could get answered!
You can find this and more information in the following "unofficial" FAQ by Mr. Dill
himself: "Singularity: Unofficial Gevey FAQ".

IMSI attach/detach [GSM 04.08, 09.02]
The BTS permanently broadcasts the parameter ATT in the BCCH SYS_INFO 3 message.
This parameter indicates whether the IMSI attach/detach procedure is required in the
cell. IMSI detach is a procedure by which a mobile station informs the network that
it is going into an inactive state and is therefore no longer available for incoming
calls, for example because of power-down or because the SIM is removed. When ATT is
set, the mobile station sends an IMSI_DET_IND message to the network each time it is
powered down; the VLR keeps track of that state. The merit of this approach is that
it saves radio resources and processing time: call processing can switch directly to
secondary call treatment, without first sending a PAGING message and then waiting
for the respective timers to expire. Secondary call treatment means initiating call
forwarding, voice mail, or simply indicating to the caller that the subscriber is
currently not reachable.
The complementary operation to IMSI detach is IMSI attach. It indicates to the
network that a mobile station is active again. IMSI attach is related to periodic
location updating: the location updating procedure is used to perform the IMSI attach.
IMSI attach procedure:
1. The MS requests a signalling channel.
2. The MSC/VLR receives the LU_REQ message from the MS, with the updating type
   indicating that the purpose of this message is an IMSI attach.
3. The MSC/VLR sets the IMSI-attached flag in the VLR; the mobile is now ready for
   normal call handling.
4. The MSC/VLR returns an acknowledgement (LU_ACC) to the MS.

Location update
Reasons for an LU:
- IMSI attach (with IMSI detach as its counterpart)
- Change of location area (normal location update)
- Expiry of the periodic location update timer T3212 (periodic location update)
Elements involved:
- MSC/VLR (and the HLR if the VLR changes)
- BSC, BTS
- MS

Process:
1. The MS sends CHAN_REQ (establishment cause, random reference) on the CCCH
   (RACH), RR sublayer, to the BSC via the Air interface. The CHAN_REQ already
   indicates which service the MS requests.
2. The BTS decodes the CHAN_REQ, calculates the distance from the MS to the BTS
   (timing advance, TA), and forwards all the information to the BSC:
   CHANNEL_RQD (channel required) = CHAN_REQ + TA + FN (frame number).
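The IMSI attach/detach procedure and the start of the location update above, as one added example covering both: an MS sends CHAN_REQ, the BTS turns it into CHANNEL_RQD with a timing advance computed from the distance, the MSC/VLR accepts a location update of type IMSI attach, an incoming call is paged, and after IMSI_DET_IND the next call goes straight to secondary treatment. This is simulation code written for these notes, not code from any BSS or MSC; the bit period (48/13 microseconds) and the 6-bit TA field are GSM constants, while the message dictionaries, the TMSI allocation and the IMSI/LAI values are constructed here.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum

C = 299_792_458.0               # speed of light, m/s
BIT_PERIOD = 48 / 13 * 1e-6     # GSM bit period, about 3.69 us
TA_MAX = 63                     # timing advance is a 6-bit field


def timing_advance(distance_m: float) -> int:
    """TA the BTS derives from the RACH burst delay: round-trip time in bit
    periods, clamped to 0..63 (about 553 m per step, roughly 35 km max)."""
    ta = round(2 * distance_m / (C * BIT_PERIOD))
    return max(0, min(TA_MAX, ta))


class LUType(Enum):
    NORMAL = "normal"            # new location area
    PERIODIC = "periodic"        # T3212 expired
    IMSI_ATTACH = "imsi attach"  # MS active again after detach


@dataclass
class ChanReq:
    """CHAN_REQ on the RACH: establishment cause plus a random reference."""
    cause: str
    ref: int


def bts_channel_required(req: ChanReq, distance_m: float, fn: int) -> dict:
    """BTS side: decode CHAN_REQ, measure the distance, and forward
    CHANNEL_RQD = CHAN_REQ + TA + FN to the BSC over Abis."""
    return {"msg": "CHANNEL_RQD", "cause": req.cause, "ref": req.ref,
            "ta": timing_advance(distance_m), "fn": fn}


@dataclass
class VLREntry:
    lai: str
    attached: bool = False
    tmsi: str | None = None


class MSCVLR:
    """Dynamic subscriber state: current LAI, TMSI and the IMSI-attached flag."""
    PAGE, FORWARD = "PAGING", "SECONDARY_TREATMENT"

    def __init__(self) -> None:
        self.entries: dict[str, VLREntry] = {}
        self._next_tmsi = 0x1000   # constructed allocation scheme

    def location_update(self, imsi: str, lai: str, lu_type: LUType) -> dict:
        e = self.entries.setdefault(imsi, VLREntry(lai))
        e.lai, e.attached = lai, True       # any LU, IMSI attach included, makes the MS reachable
        e.tmsi = f"{self._next_tmsi:08X}"   # TMSI is assigned by the VLR to the MS
        self._next_tmsi += 1
        return {"msg": "LU_ACC", "type": lu_type.value, "lai": lai, "tmsi": e.tmsi}

    def imsi_detach(self, imsi: str) -> None:
        """IMSI_DET_IND: MS powered down or SIM removed; the network does not answer."""
        if imsi in self.entries:
            self.entries[imsi].attached = False

    def incoming_call(self, imsi: str) -> tuple[str, str]:
        """The merit of IMSI detach: a detached MS is never paged; the call goes
        straight to secondary treatment (forwarding, voice mail, 'not reachable')."""
        e = self.entries.get(imsi)
        if e is None or not e.attached:
            return self.FORWARD, "subscriber detached: forward to voice mail, no PAGING sent"
        return self.PAGE, f"PAGING with TMSI {e.tmsi} in LAI {e.lai}"


IMSI = "262011234567890"   # constructed sample subscriber
LAI = "262-01-1A2B"        # constructed sample location area (MCC-MNC-LAC)


def run_scenario() -> dict:
    """MS 5 km from the BTS powers on, attaches, receives a call, then powers down."""
    vlr = MSCVLR()
    rqd = bts_channel_required(ChanReq("location updating", ref=0x1F),
                               distance_m=5000, fn=1234)
    attach = vlr.location_update(IMSI, LAI, LUType.IMSI_ATTACH)
    call_while_on = vlr.incoming_call(IMSI)
    vlr.imsi_detach(IMSI)
    call_while_off = vlr.incoming_call(IMSI)
    return {"channel_rqd": rqd, "lu_acc": attach,
            "call_on": call_while_on[0], "call_off": call_while_off[0],
            "attached": vlr.entries[IMSI].attached}


if __name__ == "__main__":
    print(run_scenario())
```

Note that the VLR trusts IMSI_DET_IND without authentication, as the real procedure does: an attacker who can inject that message for a victim's IMSI diverts the victim's calls to secondary treatment without any paging ever being attempted, which is the denial-of-service angle worth remembering when reading this procedure.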

All communication between the UE and the core network (CN) belongs to the
Non-Access Stratum (NAS), for example the signalling for new calls (CM) and
mobility-related signalling (MM). All protocols related to the radio part are
grouped into what is called the Access Stratum (AS): RRC connection establishment,
radio link setup and configuration, handover (HO), and so on.
