ECE 750-T4, S’07

Telecommunication Systems
(GSM)

Mobile Communications (Ch 4)

John Schiller, Addison-Wesley

Wireless Communication Systems

• Infrastructure-based communication
– Wide Area Networks (GSM, CDMA, LTE)
– Metropolitan Area Networks (WiMAX, Mesh)
– Wireless LANs
• Infrastructure-less communication
– Ad hoc, sensor, vehicular networks
• Hybrid networks
– Combination of the above two

1
ECE 750-T4, S’07

Cellular Systems
• SDM (space division multiplexing)
- A geographic area is divided into smaller,
circular areas called cells.
- A base station (transceiver) is installed at
the cell’s center. Cell = radio coverage area.
- Cell radius
• 10s of meters in buildings
• 100s of meters in cities
• 10s of KM in countryside
3

Cellular Systems
• Advantages of smaller cells
• Higher capacity (SDM: frequency reuse)
users
• Less transmission power for MS (no BS problem)
• Local interference only (MS
 BS)
• Robust against failures of single components
• Disadvantages of smaller cells
• Larger infrastructure (antennas, switches, …)
• Frequent handover
• Better planning: frequency assignment, etc.

2
ECE 750-T4, S’07

Cellular Systems

• Telephony architecture (NOT computer net)

• Many systems in use
– Europe: GSM (Global System for MC)
– Japan: PDC (Pacific Digital Cellular)
– US, Canada
• GSM
• CDMA

GSM
• Primary goal (was): phone + roaming in Europe
• Different GSM systems
– GSM 900
• 890-915 MHz uplink, 935-960 MHz downlink
– GSM 1800 (DCS: Digital Cellular System)
• 1710-1785 MHz uplink, 1805-1880 MHz downlink
– GSM 1900 (Personal Comm Service)
US, Canada
• 1850-1910 MHz uplink, 1930-1990 MHz downlink

3
ECE 750-T4, S’07

Services Provided in GSM

• Three services are defined: bearer, tele, and supplementary
- bearer: data services
- transparent: only on PHY (2.4, 4.8 or 9.6 kbits)
- non-transparent: also on layer 2 or 3 protocols for
error correction and flow control (with lower rates)
- tele: voice-oriented services with encrypted voice
transmission and messages (SMS for message up to 160
characters)
- supplementary: A means of enriching user experiences,
containing various enhancements for bearer and tele
services (e.g., user identification, call redirection, call
forwarding, multiple parties)
7

Functional versus Protocol

Architecture of GSM
• Functional architecture:
- Three subsystems: radio subsys (RSS), network
and switching subsys (NSS), and operation subsys
(OSS)

4
ECE 750-T4, S’07

}
Functional Architecture
BSS of GSM
MS

BTS MS

RSS
BTS
Abis 16 or 64 kbps connections

BSC BSC

}
A
2.048 Mbps
(30 x 64kbps con.)
MSC MSC
VLR PSTN
NSS
HLR VLR GMSC
PDN
IWF
O

}
SS7 signaling
9
EIR AuC OMC OSS

Interfaces
• A-interface
– circuit switched PCM-30 systems, 2.048 Mbits/s,
carrying up to 30 64 kbits/s connections
– Totally 32 channels (30 channels + 2 telephone
management channels), yielding 2048 kbit/s.
• O-interface
– SS7 signaling based on x.25, carrying management
data to/from the RSS
• Abis-interface
– 16 or 64 kbits/s connections

10

5
ECE 750-T4, S’07

Radio Subsystem (RSS)

• A RSS contains radio specific entities: BSS, BTS and MS
• BSS: basic element in GSM  several BTSs correspond to
1 BSC (base station controller) in each BSS
- BTS (base transceiver station): radio equipment that forms
a radio cell.
- Functions of BSC:
• Reserves frequencies (frequency/ch. assignment)
• Handles handovers among BTSs
• Performs paging of MS (identify which BTS a user is located)
• Multiplexes radio channels onto fixed network connections
(connected to MSC).

11

Radio Subsystem (RSS)

• MS: User equipment and software for
communications
• SIM (Subscriber Identity Module): contains many identifiers
- card-type, serial #, subscribed services, PIN, IMSI
• Load dynamic information of MS while logged in:
- LAI (location area identification), TMSI (temporary mobile
subscriber identity)
• GSM 900: transmit power up to 2 w
• GSM 1800: transmit power 1 w (due to smaller cell size)
• Support other types of interfaces

12

6
ECE 750-T4, S’07

Network Subsystem (NSS)

• NSS: The heart of GSM
- connect wireless network with standard (wired) public
networks
- handover between BSSs
- worldwide localization, accounting, roaming
• NSS contains MSC, HLR, and VLR

13

MSC, HLR, and VLR in Network

Subsystem (NSS)
MSC: high-performance digital ISDN switches
- Each MSC corresponds to a Location Area (LA), and
governs several BSCs
- Gateway MSC (GMSC) serves as a gateway to the fixed
network (PSTN, ISDN, or public data network) using
Interworking Function (IWF)
- Handles all signaling for connection setup, release and
handover
- Supplementary services (forwarding, conf.)

14

7
ECE 750-T4, S’07

MSC, HLR, and VLR in Network

Subsystem (NSS)
• HLR (Home Location Register)
• Most important database with all user relevant info.
• Static Info.:
– MS-ISDN number and IMSI number
– Subscribed services (call forwarding, roaming, GPRS)
• Dynamic Info.:
– Current location area (LA) of the MS and mobile
subscriber roaming number (MSRN)
– Current MSC and VLR of the MS
– Accounting information of the MS
• Specialized databases to meet real-time requests.
• Handle millions of users. 15

}
Functional Architecture
BSS of GSM
MS

BTS MS
Um

RSS
BTS
Abis 16 or 64 kbps connections

BSC BSC

}
A
2.048 Mbps
(30 x 64kbps con.)
MSC MSC
VLR PSTN
NSS
HLR VLR GMSC
PDN
IWF
O

}
SS7 signaling
AuC 16
EIR OMC OSS

8
ECE 750-T4, S’07

MSC, HLR, and VLR in Network

Subsystem (NSS)
• VLR (Visitor Location Register)
• One VLR is associated with one MSC
• Info about all users in the LA associated to the MSC
• Info per user (copied from HLR): IMSI, MS-ISDN,
HLR address
• Form a hierarchy with HLR: To avoid frequent
communication with the associated HLR
• Large, real-time database

17

Operation Subsystem (OSS)

• Operation and Maintenance Centre (OMC)
• Monitor: traffic, status report of all network entities
• Accounting and billing
• Authentication Center (AuC)
• Contains algorithms for authentication and keys for
encryption
• Can be a special protected part of the HLR.
• Equipment Identity Register (EIR)
• Blacklist of stolen/locked MSs

18

9
ECE 750-T4, S’07

Radio Interface
• SDMA to power down the BTS
• FDD is used to separate downlink & uplink.
• Media access combines TDMA and FDMA.
• GSM 900: 124 carriers, each 200 KHz wide,
FDMA+TDMA
• 90 channels to support user traffic
• 32 reserved for control signaling
• 2 not used ( 1 and 124)

19

FDMA in GSM 900

f
960 MHz
124

:
935 MHz 1 200 KHz

915 MHz 124

:
890 MHz 1
t
20

10
ECE 750-T4, S’07

TDMA in GSM 900

Guard space: avoid overlap of bursts Tail + training for better
f due to path delay + Receiver performance
allow tx. on/off
One carrier S = 0/1  Data is net/user
data

TDMA frame
1 2 3 4 5 6 7 8
4.615 ms
3 bits 57 1 26 1 57 3
time-slot guard user user guard
tail S training S tail
(normal space data data space
burst) 546.5 us
21
577 us

Formats of Bursts
• Five formats of bursts:
- Normal burst: user data or signalling data
- Frequency correction burst: allow the MS to correct the
local oscillator (extending tail)
- Synchronization burst: extended training sequence to
synchronize the MS with the BTS (extending the training
sequence)
- Access burst: used for initial connection setup (“user
data” for signalling)
- Dummy burst: used if no data is available for a slot

22

11
ECE 750-T4, S’07

Simple MS
• Two factors that make the MS design simple
- FDD that makes uplink and downlink separated in
frequency
- MS does not need a full-duplex Tx
-- TDMA frame on the uplink is shifted by three
slots from frame on the downlink. If BTS sends data
at t0 in slot 1 on the downlink, the MS accesses slot 1
on the uplink at time t0 + 3*577 us
• Slow frequency hopping to avoid frequency channel
fading: MS and BTS may change the carrier frequency
after each frame based on a common hopping sequence.
23

Logical channel and frame hierarchy

• Physical channel: a slot repeated every 4.615 ms
(114 bits in 4.615 ms  raw data rate = 24.7
kbps)
• Reality: Out of every 26 consecutive slots
• 12 data slots + 1 signaling slot + 12 data slots + 1 unused
• Effective rate of a physical channel = (24/26)*24.7 = 22.8 Kbps
TTTTTTTTTTTTSTTTTTTTTTTTTx: T = user traffic in TCH/F, S
= signaling, x = unused slot
• Logical channel: A physical channel may be split
into several (logical) channels:
- Ex: Logical channel C1: every 4th slot, Logical channel C2: every
other slot; C1 and C2 could use the same physical channel with the
pattern C1C2xC2C1C2xC2C1
24

12
ECE 750-T4, S’07

Logical channels
• Two basic groups of logical channels
• Traffic channels (TCH)
• Control channels (CCH)
• TCH
• Carries user data (voice, fax)
• Full-rate TCH/F: 22.8 kbps
• Half-rate TCH/H: 11.4 kbps
• Data services: TCH/F 4.8 kbps, TCH/F 9.6 kbps,
TCH/F 14.4 kbps
(They differ in their coding schemes.)

25

Logical channels (CCH)

• CCH: access control, channel allocation, user mobility
– Broadcast CCH (BCCH)
• Used by BTS to send info to all MSs in a cell
– Cell ID, options available (freq. hopping sequence), available
carriers, etc.
– FCCH (freq. correction) and SCH (synchronization): sub-
channels of BCCH
– Common CCH (CCCH): for connection setup
• Paging CH (PCH): for paging an MS (BTS  MS)
• Random Access CH (RACH): MS  BTS, when MS
wants to make a call.
- Accessed by all MSs in a cell via slotted Aloha
• Access Grant CH (AGCH): BTS  MS, BTS tells MS
to use a TCH or a stand-alone dedicated CCH (SDCCH)
26

13
ECE 750-T4, S’07

Logical channels
– Dedicated control channel (DCCH): bidirectional
• Stand-alone DCCH (SDCCH) is used while an MS has
not established a TCH with a BTS.
- 782 bits/sec: authentication, registration, etc. needed for
setting up a TCH
• Slow associated dedicated control ch (SACCH) is
associated with each TCH and SDCCH. For small
amount of system info: channel quality, signal power
level.
• Fast associated dedicated control ch (FACCH): Share
time slots with user traffic from TCH. Handover info.
27

Typical use of TCH and SACCH

• GSM specifies multiplexing scheme that integrates

several hierarchies of frames.
- ex: TCH/F (for user data transmission), has an
associated SACCH for slow signaling and time slots
from TCH/F for FCCH
- TTTTTTTTTTTTSTTTTTTTTTTTTx: T = user traffic in TCH/F, S
= SACCH signaling, x = unused slot
• Normal burst carries 114 bits of user data and is
repeated every 4.615 ms (24.7 kbit/sec data rate)
• TCH uses 24/26 slotsrate = 22.8 kbit/s
• SACCH: 950 bit/sec
28

14
ECE 750-T4, S’07

Structuring of time using frames

hyper- 3h, 28m, 53.76s
frame 0 1 2047 (2,715,648
Frames)
super-
0 1 50 6.12 s
frame

Traffic multiframe (TCH, SACCH, and FCCH)

0 25 120 ms

frame 0 7 4.615 ms
slot
Use: frame number is an input
burst 577 micro sec.
to the encryption algorithm.
29

Structuring of time using frames

hyper- 3h, 28m, 53.76s
frame 0 1 2047 (2,715,648
Frames)
super-
0 1 25 6.12 s
frame

Control multiframe (other signaling, such as PCH, RACH, and AGCH)

0 50 235.4 ms

frame 0 7 4.615 ms
slot
Use: frame number is an input
burst 577 micro sec.
to the encryption algorithm.
30

15
ECE 750-T4, S’07

GSM Hierarchy
• Multiframe
- A traffic multiframe (120 ms) contains 26 TDMA frames
(each 4.615 ms), mainly used for TCHs, SACCH, and FCCH
- A control multiframe (235.4 ms) contains 51 TDMA frames
(each with 4.615 ms), mainly used for other signaling
• Each super-frame (6.12s) contains either 51 traffic
multiframes (51*0.12), or 26 control multiframes (26*0.2354)
• A hyperframe has 2048 super-frames (for almost 3.5 hours)
- totally 2,715,648 TDMA frames
- this large structure is needed for encryption
- the frame number and slot number uniquely identify each
time slot in GSM
31

Protocol Stacks in GSM Network

MS BTS BSC MSC
CM CM
MM MM

BSSAP BSSAP
RR
RR’
RR’ BTSM BTSM SS7 SS7
LAPDm
LAPDm LAPD LAPD
radio radio PCM PCM PCM PCM

Um Abis A
16/64 kbit/s 64 kbits/sec /
2.048 Mbits/sec
32

16
ECE 750-T4, S’07

Layer 1 Protocols
• Radio-specific functions (Layer 1)
• Creation of bursts (the five different formats of bursts)
and multiplex bursts into a TDMA frame
• Synchronization with BTS, detection of idle channel,
measurement of quality of downlink
- Near-far problem: BTS sends RTT to MS for adjusting
its access time => all bursts reach BTS within their limits
e.g., 0.23ms in 35 km transmission distance accounts for
40% of the TDMA frame
• Encryption/decryption (between MS and BSS)
• Channel coding/error detection using FEC
- PHY layer corrects errors (instead of layer 2 in OSI)
33

Layer 2 Protocols
• Layer 2:
- LAPDm (link access protocol for the D-channel) for Um
interface
• Light weight (no sync or checksum since done in PHY);
• Since no buffer between layer 1 and layer 2, so need to
follow the original frame structure
• Offer reliable data transfer, re-sequencing of data frames,
and flow control
• Segmentation + reassembly of data

34

17
ECE 750-T4, S’07

Layer 3 Protocols
• Layer 3: contain a number of sublayers
- RR (radio resource management): lowest sublayer of
layer 3
• Only a part of RR, denoted as RR’, is implemented at
BTS, and others implemented in BSC by way of BTSM
(BTS Management)
• Main functions: Setup, maintenance, release of radio
channels
• Directly accesses PHY for radio information and offers
reliable connection to the next higher layer

35

Higher Layer Protocols

• MM (Mobility Management) layer
• Registration, authentication, location updating, user
privacy (by offering TMSI to replace IMSI), which hides
real identity of the MS
• TMSI is valid only in current location area (LA) of a
VLR

36

18
ECE 750-T4, S’07

Higher Layer Protocols

• CM (Call Management) layer: contain three identities
– Call Control (CC)
• P2P connection between terminals for call establishment
• Sends in-band tones (PIN for e-banking, remote control
of answering machine, etc.)
– Short Message Service (SMS)
• Uses SDCCH + SACCH when no signaling is sent
- Supplemental services: caller ID, redirection/forwarding,
group communications, etc.
• Other protocols at Abis and A interfaces

37

Localization and calling

• Feature of GSM
• Automatic, worldwide localization of users: always know
where a user currently is, and the same phone number is
valid worldwide.
• Performs periodic location update even if a user does not
use the mobile station.
- HLR always contains information about the current location
are, and VLR (of the MS) informs the HLR about location
changes
- Roaming: Change of VLR with uninterrupted availability
» Within the network of one provider
» Between two providers in one country
» Different providers in different countries
38

19
ECE 750-T4, S’07

Localization and calling

• To locate/address an MS, several #s needed
• MS International ISDN number (MSISDN)
» Country code + national destn code + subscriber num
• International Mobile Subscriber Identity (IMSI)
» Mobile country code + mobile net code + MSIN
• Temporary Mobile Subscriber Identity (TMSI)
» Hides TMSI. Assigned by VLR
• Mobile Station Roaming Number (MSRN)
» Hides the ID and location of a subscriber
» Helps HLR to find a subscriber for an incoming call

39

Mobile Terminated Call

4 MSRN
HLR VLR
5
8 9
calling 3 6
14 15
1 2 7
GMSC MSC
PSTN
10 10 13 10
16
BSS BSS BSS
11 11 11
* GMSC identifies HLR from phone #
11 12
* HLR gets MSRN from VLR. Determines MSC. 17
* MSC gets current status of MS. Page all cells

MS 40

20
ECE 750-T4, S’07

Mobile Originated Call

VLR

3 4
6 5
PSTN GMSC MSC
7 8

2 9

1
BSS
10
MS

41

Message flow for MTC and MOC

MS BTS MS BTS
Paging request
Channel request Channel request
Immediate assignment Immediate assignment
Paging response Service request
Authentication req. Authentication req.
Authentication resp Authentication resp
Ciphering command Ciphering command
Ciphering complete Ciphering complete
Setup Setup
Call confirmed Call confirmed
Assignment command Assignment command
Assignment complete Assignment complete
Alerting Alerting
Connect Connect
Connect Ack Connect Ack
Data exchange Data exchange 42

21
ECE 750-T4, S’07

Handover
• Mainly operate on the connections between BTS and MS
• Two basic reasons for handover:
- Moving out of the range of a BTS => radio channel is getting
weaker
- Load balancing => hand over a call in a BTS with very high
utilization to a BTS with low utilization

43

Handover
• Four scenarios of handover
- Intra-cell: with the same BTS (within the cell)
- Inter-cell, intra-BSC: typical handover scenario, assigns a
new radio channel in the new cell and releases the old one
- Inter-BSC, intra MSC: BSC controls only a limited
number of cells => handovers between cells controlled by
different BSCs but under the same location area (i.e., the
same VLR and MSC).
- Inter MSC: handover between two BTSs belonging to
different MSCs

44

22
ECE 750-T4, S’07

Types of handover in GSM

4
1
3
2
MS MS MS MS

BTS BTS BTS BTS

BSC BSC BSC

1. Intra-cell: change in freq.
2. Inter-cell, Intra-BSC MSC MSC
3. Inter-BSC, Intra-MSC
45
4. Inter MSC

Handover Initiation
• Periodic measurement of downlink and uplink quality (in
signal level and bit error rate) at both BTS and MS
- Measurement report is sent by MS every 500 ms to BTS, containing
currently used link quality and the link quality with other cells
- If the report shows that the current link is not good enough, handover
could be initiated
- The report will be analyzed at BSC, which determines if HO is
required; if yes, send the request to its MSC
- MSC determines which BSC is BSCnew to accommodate the call, and
sends a request to the BSC to perform resource allocation
- if yes, a physical channel is activated between BSCnew and MS; the
old channel is then torn down

46

23
ECE 750-T4, S’07

Handover decision based on received

signal
Received level Received level
BTSold BTSnew

HO margin

MS MS

47

Intra-MSC handover
BTSold BSCold MSC BSCnew BTSnew
MS

Mesurement
report Measurement
result
HO decision
HO request
HO required
Resource allocation
Ch. activation
HO req. Ack
HO command Ch. act. Ack
HO command
HO command
HO access
Link establishment
HO complete
Clear command HO complete
Clear command

Clear complete
Clear complete 48

24