Overview of the GSM Radio Interface

zgr Ertu Middle East Technical University Electrical and Electronical Engineering Department
The radio interface in GSM provides the means by which a mobile station communicates with the base station of the network. Figure 1. provides a simplified block diagram of the GSM radio link. We will begin by examining the modulation scheme and the carrier frequencies used in GSM. Then, we will discuss the construction of TDMA bursts or packets and the way in which these may be demodulated in the presence of intersymbol interference (ISI) caused by the radio channel and the modulation process itself. Following these we will discuss the different channels that are available in GSM and the mapping of the radio resources to each of these channels. Then we will turn our attention to the coding, interleaving and ciphering processes that occur on the GSM radio interface specifically for the speech information, user data and signalling information separately since they are significantly different.

Speech Encoder

Channel Encoder

Interleaver

Ciphering

Burst Assembler

GMSK Modulator

Recovered User Data Channel Decoder Speech Decoder Deinter leaving Recovered Speech Dechiph ering Equalize/ Demod RF Rx

RF Tx

Channel

Figure 1.: Block diagram of a GSM transmitter and receiver 1

I.

GSM Modulation Scheme

The modulation scheme used in GSM is Gaussian minimum-shift keying (GMSK) with a normalized time bandwidth product BT of 0.3 and the modulation symbol rate is 270.8 kb/s. In GMSK, a logical 1 cause the carrier phase to increase by 90o over a bit period and a logical 0 cause the carrier phase to decrease by 90o. This phase change is produced by instantaneously switching the carrier frequency between two different values f1 and f2:

f1 ! f c  Rb / 4 f 2 ! f c  Rb / 4

(1) (2)

where Rb is the modulation rate (270.8 kb/s) and fc is the nominal carrier frequency. In theory, since there exists abrupt changes in the carrier frequency, the modulated spectrum is infinitely wide. However, smoother changes can be obtained if the modulated signal is passed through a bandlimited linear filter. The type of the filter used has a Gaussian impulse response and the resulting modulation scheme is called Gaussian MSK or GMSK. On the other hand, the Gaussian filter also introduces ISI whereby each modulation symbol spreads into adjacent symbols. The ith data bit di is differentially encoded by performing modulo-2 addition of the current and previous bits that takes values 0 and 1:

d i ! d i d i 1 (3)
The modulating data at the input of the GMSK demodulator that takes on values +1 and -1 is given by:

E i ! 1  2 d i , d i ! 0,1 (4)
The modulating data E i are then passed through a linear filter with a Gaussian-shaped impulse response given by:

h(t ) !
where:

t2 1 exp  2W 2T 2 (5) 2T WT

W !

ln(2) 2TBT

(6)

with T=1/270.8 milisecs being the bit period and B is the 3 dB filter bandwidth. The BT product is the relative bandwidth of the baseband Gaussian filter and in GSM it is set to 0.3. This effectively means that each bit is spread over three modulation symbols that has to be removed at the receiver using an equalizer. The pulse response of this filter when a pulse of width T is applied to the input is given by:

g (t ) ! h(t )  rect (t / T ) (7)

where rect (t/T)=1/T for T/2<t<T/2 and zero elsewhere, and * denotes convolution. The signal at the output of the filter is the sum of the pulse responses for each input data bit . This signal is used to modulate the frequency of the carrier. The phase of the modulated signal may be determined by integrating the signal at the output of the filter:

N (t ) ! E iTm g (u )du (8)

i g

t  iT

where the modulation index m=1/2 that means the maximum phase change over a data bit interval is restricted to T / 2 radians. Given (8), the modulated RF carrier signal may be expressed as:

x (t ) !

2 Ec cos2Tf 0 t  N (t ) (9) T

where Ec is the bit energy and f0 is the nominal carrier frequency.

II. GSM Radio Carriers

GSM uses a combined TDMA/FDMA multiple-access scheme. The available spectrum is partitioned into a number of bands, each 200 KHz wide. Each of these bands may be occupied by a GMSK modulated RF carrier supporting a number of TDMA time slots. The RF carriers are paired to allow a simultaneous data flow in both directions; i.e. fullduplex. The GSM900 frequency bands are 890 MHz to 915 MHz for the uplink and 935 MHz to 960 MHz for the downlink. There is a guard band of 200 KHz at the lower end of both uplink and downlink and these freqeuncy bands are not used. Each RF carrier frequency is assigned an absolute radio frequency channel number (ARFCN). The upper and lower frequency bands for a specific ARFCN is related by:

Fl (n) ! 890  0.2n (10) Fu (n) ! Fl (n)  45 (11)

where the frequencies are both in MHz and 1 e n e 124 . In addition to frequency separation between the duplex carriers that is 45 MHz for GSM900, the downlink and uplink bursts of a duplex link are separated by 3 time-slots and downlink is 3 time-slots in advance of uplink.

III. GSM Power Classes

The specifications define five classes of MS for GSM900 based on their output power capabilities as given in Table 1. The classical handheld is the Class 4 and a classical vehicular unit is Class 2. Each MS has the ability to reduce its output power from its maximum power in steps of 2 dB to a minimum of 3.2 mW in response to commands from BTS. This facility is used to implement uplink power control whereby an MSs transmitted power is adjusted to ensure that it is sufficient to provide a staisfactory up-link quality. This process is used to conserve MS battery power and also reduce uplink interference. Furthermore, the BTS output power may also be adjusted by upto 15 steps to allow power control on the downlink.

Power Class 1 2 3 4 5

Maximum Power (Watts) 20 8 5 2 0.8

Table 1. MS power classes in GSM900

IV. GSM Bursts

Each GSM RF carrier supports 8 time slots per frame and the data are transmitted in the form of bursts that are designed to fit within these slots. Each TDMA frame is 4.615 ms in length and each TDMA slot is 577 microseconds in length. The GSM specifications define 5 different types of bursts (Figure 2.).
1 TDMA Frame=8 Time Slots 1 Time Slot=156.25 bits Training Information Tail Bits Guard Period 26 58 3 8.25 Normal Burst Fixed Bits 142 Frequency Correction Burst Tail Bits Guard Period 8.25 3

Tail Bits Information 3 58 Tail Bits 3 Tail Bits Information 39 3 Tail Bits 8 Training 41

Training Information Tail Bits Guard Period 64 39 8.25 3 Synchronization Burst Information Tail Bits 36 3 Access Burst Guard Period 68.25

Figure 2.: The GSM Bursts

In normal burst (NB), the training sequence is used to sound the radio channel and produce an estimate of the impulse response at the receiver for equalization. The training sequences used in each time slot are tabulated in Table 2. The tail bits in normal burst are also always set to 0 to ensure that the Viterbi decoder begins and ends in a known state. Furthemore, the last bit of the first 58 information bits and the first bit of the last 58 information bits are the stealing bits.
Time slot number 0 1 2 3 4 5 6 7 Training sequence bits (b61-b86) (0,0,1,0,0,1,0,1,1,1,0,0,0,0,1,0,0,0,1,0,0,1,0,1,1,1) (0,0,1,0,1,1,0,1,1,1,0,1,1,1,1,0,0,0,1,0,1,1,0,1,1,1) (0,1,0,0,0,0,1,1,1,0,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0) (0,1,0,0,0,1,1,1,1,0,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0) (0,0,0,1,1,0,1,0,1,1,1,0,0,1,0,0,0,0,0,1,1,0,1,0,1,1) (0,1,0,0,1,1,1,0,1,0,1,1,0,0,0,0,0,1,0,0,1,1,1,0,1,0) (1,0,1,0,0,1,1,1,1,1,0,1,1,0,0,0,1,0,1,0,0,1,1,1,1,1) (1,1,1,0,1,1,1,1,0,0,0,1,0,0,1,0,1,1,1,0,1,1,1,1,0,0) Table 2.: GSM training sequences

The frequency correction burst (FB) is used by the MS to detect a special carrier which is transmitted by every BTS in GSM network. This carrier is called the broadcast control channel (BCCH) carrier and MSs serach for BCCH carriers to detect the presence of a GSM network. Every bit in the FB is set to zero and after GMSK modulation, this results in a pure sine wave at a frequency around 68 KHz higher than the RF carrier center frequency. The synchronization burst (SB) carries 78 bits of coded data formed into two blocks of 39 bits on either side of a 64-bit training sequence. This burst carries details of the GSM frame strurcture and allows an MS to fully synchronize with the BTS. The SB is the first burst the MS has to demodulate and thus, the training sequence is extended to 64 bits for reliability and the arrangement of this sequence is given by:

b 42, b 43,..., b105 ! (1,0,1,1,1,0,0,1,0,1,1,0,0,0,1,0, 0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,1,0,1,0, 0,0,1,0,1,0,1,1,1,0,1,1,0,0,0,0,1,1,0,1,1) (12)

The access burst (AB) consists of a 41-bit training sequence followed by 36 information bits. The access burst is used by the MS to access the network initially and it is the first uplink burst that a BTS will have to demodulate from a particular MS. The extended tail bits at the front of the burst are:

b0, b1,..., b7 ! (0,0,1,1,1,0,1,0) (13)

and this is followed by the training sequence:

b8, b9,..., b 48 ! (0,1,0,0,1,0,1,1,0,1,1,1,1,1,1,1,1,0,0, 1,1,0,0,1,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,0,0)

(14)

In order to smooth and shorthen the RF output spectrum transmitted, the output power must be switched up and down when transmitting a burst. The power ramping masks for the normal, frequency correction and synchronization bursts are given by:

 30 0 e t e 10us  6 10us e t e 18us  4 18us e t e 28us (15) Relative power (dB) !  1 28us e t e 580.8us 6 580.8us e t e 588.8us  30 588.8us e t e 598.8us 
and the power ramping mask for the access burst is given by:

  30 0 e t e 10us  6 10us e t e 18us  4 18us e t e 28us Relative power (dB) ! (16)  1 28us e t e 359.2us 6 359.2us e t e 367.2us  30 367.2us e t e 377.2us 
A fifth type of burst not shown in Figure 2. is the dummy burst (DB). It is similar to NB in that it has the same structure and uses the same training sequences. The main difference between the DB and NB is that the information bits on either side of the training sequence are set to a predefined sequence in DB. The DB is used to fill inactive time slots on the BCCH carrier which must be transmitted continuously at a constant power.

V.

GSM Receiver

Although GSM standard do not specifically define the manner in which the transmitted information should be recovered at BTS and MS, the bursts are specifically designed with the Viterbi equalizer in mind.

V.I. Channel Equalizer

Figure 3 shows the block diagram of a typical GSM baseband link. The figure shows that the bursts which contain both the data and the training sequence are passed through a baseband modulator at the transmitter and then through the baseband channel before arriving at the receiver. The received waveform will contain ISI caused by the radio transmission channel and the GMSK modulation process. At the receiver the burst is demultiplexed to give the training sequence and the data bits. The training sequence is used to estimate the impulse response of the radio channel in the channel estimator. The entire demodulation process is accomplished using digital signal processing techniques. After the signal has passed through the RF front8

end at the receiver, it is sampled to produce a complex digital representation of the baseband signal where double arrows in Figure 2 represents the flow of complex signals.
Possible Data Sequences
Local Baseband Modulator

y(t)
Estimated Channel

sr(t)
Baseband Modulator Baseband Channel

Channel Estimator

hw(t) x(t) r(t)

Ambiguity Function

x(t)
Estimated Channel Viterbi Algorithm Recovered Data

Figure 3: The baseband link

In order to explain the channel estimation process, we represent the received training sequence as the convolution of the transmitted training sequence and the impulse response of the baseband channel:

sr (t ) ! s (t )  hc (t ) (17)
where * denotes convolution. Passing sr (t ) through filter with impulse response hMF (t ) , that is matched to the training sequence yields a channel impulse response estimate, he (t ) , that is given by:

he (t ) ! sr (t )  hMF (t ) ! s(t )  hc (t )  hMF (t ) ! Rs (t )  hc (t ) (18)

where Rs (t ) ! s(t )  hMF (t ) is the autocorrelation function of the training sequence. It is important to note that this is the autocorrelation of the
9

modulated GMSK symbols that are generated by the training sequence. The actual shape is pulse-like and its magnitude is less than the number of chips in the sounding sequence. Given that Rs (t ) has this property:

he (t ) } hc (t ) (19)
Every increase in delay corresponding to a bit duration results in the doubling of the number of states in the equalizer. In general it is common practice to accomodate a channel excess delay spread of only 2 bits. For this purpose, a windowing procedure is implemented, where a 2 bit duration window is moved over he (t ) and the portion of he (t ) used is where the maximum energy resides. At this position, the windowed channel estimate is given by:

hw (t ) ! he (t ).w(t ) (20)
All possible data sequences are then generated at the receiver and passed through a local baseband modulator. This produces a number of GMSK symbols, y(t) which are then convolved with the estimated channel impulse response hw (t ) to produce a number of waveform templates x(t). Furthermore, in order to mimic the distortions produced by the autocorrelation function of the training sequence and the windowing procedure, the received signal is convolved by the ambiguity function or the autocorrelation function of the training sequence, Rs (t ) . Suppose the equalizer is to accommodate a 5-bit overall dispersion of data resulting from 3-bit spreading in the GMSK modulator and 2-bit spreading in the channel, thus in any bit period we must consider the effect of 5 bits. Since 5 bits can yield 32 different binary patterns, we must generate 32 different waveform templates of one bit duration and use them as each bit of the information x(t) arrives. The same 32 values of x(t) will be used for each bit in x(t). The mean-squared error between each waveform template x(t) and the received waveform x(t) is computed for each bit period. These mean-squared error values are called incremental metrics. The waveform template that most closely matches the received waveform will produce the lowest incremental metric and this could be used to regenerate the data bit, b(t). However, this is done for the first bit in the burst through the last bit. Only at the end of the burst will al the bits be regenerated.
10

Viterbi equalizer has 2 states where v in our example is 5. Thus, we have 16 states. Each state is associated with a different 4-bit binary number. The states are formed into a column having 16 circles. A trellis diagram is formed of the same columns of 16 states. Each state will change to another state depending on whether the new bit is a logical 0 or 1. Thus, there are 32 incremental metrics at each bit period. At each state the path with the lowest metric survives and at the next bit period, a new set of 32 metrics are computed. The two incremental metrics are added to the previously retained metric at this state and now the summation is termed as the path metric. The smaller of the two metrics retained, its value noted, as well as the logical value of the bit with which it is associated. At the end of the burst, the state with the lowest path metric is chosen and the trace of that path is chosen as the regenerated bits that will go through deinterleaving and FEC decoding. It is important to note here that, for GMSK, there are 16 states associated with 0, T / 2 ,T , 3T / 2 radians and hence there are 64 instant phase states for each bit duration in our example.

v 1

V.II. Channel Models

In GSM systems, the design and performance analysis is generally done based on some finite-impulse response channel models previously defined in terms of delays of paths in us and average relative power in dB with a specific Doppler power spectrum for each path. We provide major ones of these channel models in Table 3. to Table 8. In these tables, the Doppler power spectrum identified by CLASS is the classical Doppler power spectrum defined by:

S( f ) !

1 1  f f d
2

(21)

and RICE is the Ricean Doppler power spectrum that is the sum of a classical Doppler power spectrum and a direct path defined by:

S( f ) !

0.41 f 2T 1  f d
2

 0.91H ( f  0.7 f d ) (22)

11

where the maximum Doppler frequency is:

v fd ! (23) Pc
v is the speed of MS in m/s, P is the carrier wavelength in m.
Tap Number 1 2 3 4 5 6 Relative Time (us) (1) 0.0 0.1 0.2 0.3 0.4 0.5 (2) 0.0 0.2 0.4 0.6 Average Relative Power (dB) (2) (1) 0.0 0.0 -2.0 -4.0 -8.0 -10.0 -12.0 -20.0 -16.0 -20.0 Doppler spectrum RICE CLASS CLASS CLASS CLASS CLASS

Table 3.: Rural area (RA) channel (six taps) Average Relative Power (dB) (2) (1) -3.0 -3.0 0.0 0.0 -2.0 -2.0 -6.0 -6.0 -8.0 -8.0 -10.0 -10.0

Tap Number 1 2 3 4 5 6

Relative Time (us) (1) 0.0 0.2 0.5 1.6 2.3 5.0 (2) 0.0 0.2 0.6 1.6 2.4 5.0

Doppler spectrum CLASS CLASS CLASS CLASS CLASS CLASS

Table 4.: Typical urban area (TU) channel (six taps) Tap Number 1 2 3 4 5 6 Relative Time (us) Average Relative Power (dB) (2) (1) 0.0 0.0 -1.5 -2.0 -4.5 -4.0 -7.5 -7.0 -6.0 -8.0 -17.7 -12.0 Doppler spectrum CLASS CLASS CLASS CLASS CLASS CLASS

(1) (2) 0.0 0.0 0.1 0.2 0.3 0.4 0.5 0.6 15.0 15.0 17.2 17.2 Table 5.: Hilly terrain (HT) channel (six taps)

12

Tap Number 1 2 3 4 5 6

Relative Time (us)

Average Relative Power (dB)

Doppler spectrum CLASS CLASS CLASS CLASS CLASS CLASS

0.0 0.0 0.0 3.2 0.0 6.4 0.0 9.6 0.0 12.8 0.0 16.0 Table 6.: Equalizer (EQ) test profile (six taps)

Tap Number 1 2 3 4 5 6 7 8 9 10 11 12

Relative Time (us) (1) 0.0 0.1 0.3 0.5 0.8 1.1 1.3 1.7 2.3 3.1 3.2 5.0 (2) 0.0 0.2 0.4 0.6 0.8 1.2 1.4 1.8 2.4 3.0 3.2 5.0

Average Relative Power (dB) (2) (1) -4.0 -4.0 -3.0 -3.0 0.0 0.0 -2.6 -2.0 -3.0 -3.0 -5.0 -5.0 -7.0 -7.0 -5.0 -5.0 -6.5 -6.0 -8.6 -9.0 -11.0 -11.0 -10.0 -10.0

Doppler spectrum CLASS CLASS CLASS CLASS CLASS CLASS CLASS CLASS CLASS CLASS CLASS CLASS

Table 7.: Typical urban (TU) channel (twelve taps)

13

Tap Number 1 2 3 4 5 6 7 8 9 10 11 12

Relative Time (us) (1) 0.0 0.1 0.3 0.5 0.7 1.0 1.3 15.0 15.2 15.7 17.2 20.0 (2) 0.0 0.2 0.4 0.6 0.8 2.0 2.4 15.0 15.2 15.8 17.2 20.0

Average Relative Power (dB) (2) (1) -10.0 -10.0 -8.0 -8.0 -6.0 -6.0 -4.0 -4.0 0.0 0.0 0.0 0.0 -4.0 -4.0 -8.0 -8.0 -9.0 -9.0 -10.0 -10.0 -12.0 -12.0 -14.0 -14.0

Doppler spectrum CLASS CLASS CLASS CLASS CLASS CLASS CLASS CLASS CLASS CLASS CLASS CLASS

Table 8.: Hilly terrain (HT) channel (twelve taps)

VI. Physical and Logical Channels

When an MS and a BTS communicate, they do on a specific pair of radio frequency (RF) carriers, one for uplink and the other for the downlink transmissions, and within a given time slot in each consecutive TDMA frame. The combination of time slot and carrier frequency forms what is termed a physical channel. One RF channel support eight physical channels in time slots 0 through 7. The data, whether user traffic or signalling information, are mapped onto the physical channels by defining a number of logical channels. A logical channel carry information of a specific type and a number of these channels may be combined before being mapped onto the same physical channel.

VI.I. Traffic Channels

GSM defines 2 types of traffic (TCH) channels. The full-rate TCH allows speech transmission at 13 Kb/s denoted TCH/FS. The full-rate TCH also allows user data transmission at the primary user rates of 9.6, 4.8 and <2.4 Kb/s referrred to as TCH/F9.6, TCH/F4.8 and TCH/F2.4 respectively. A full-rate TCH occupy a complete physical channel; i.e. one time slot in each TDMA frame and one up and downlink carrier.

14

The half-rate TCH allows speech tranmission at around 7 Kb/s (TCH/HS) and data at primary user rates of 4.8 and <2.4 Kb/s , called TCH/H4.8 and TCH/H2.4 respectively. The half-rate channel uses one time slot in every other TDMA frame, on average, and this means that each physical channel can support 2 half-rate TCHs. 12th frame is SACCH1, 25th frame is SACCH2 and 26th frame is kept idle.

VI.II. Control Channels

Control channels carry signalling information between an MS and a BTS. There are several forms of control channels in GSM and they can be divided into 4 main categories according to the type of information they carry and to the manner in which they are supported on the radio interface. Broadcast Channels Broadcast channels are transmitted in the downlink direction only by BTSs. The frequency correction channel (FCCH) is the simplest GSM logical channel because all its information bits are set to 0. The FCCH consists solely of frequency correction burst . After GMSK modulation, these bursts produce a pure sine wave at a frequency around 68 KHz (1625/24 KHz) above the carrier frequency. The FCCH is used by the MS in the initial stages of BTS acqusition to correct its internal frequency sources and recover the carrier phase of BTS transmissions. The synchronization channel (SCH) contains full details of its own position within the GSM framing structure. Using the information supplied on the SCH, an MS fully synchronize its frame counters with those of a BTS. The SCH information is transmitted using the synchronization bursts. The timing synchronization on the SCH is done using the correlation with 64 bit training sequence in the middle of the burst. In the message part of the burst, two successive messages are sent that are the BSIC composed of 3 bit PLMN color code (from 0-7) and three bit BS color code (from 0-7) and reduced TDMA frame number (T1-T2-T3: 19bits). The broadcast control channel (BCCH) is used to broadcast control information to every MS within a cell. This information includes details of

15

the control channel configuration used at the BTS, a list of the BCCH carrier frequencies used at the neighbouring BTSs and a number of parameters that are used by the MS when accessing the BTS. Other information sent over these channels include country code, network code, local area code, PLMN code, RF channels used within the cell, surrounding cells, frequency hopping sequnce number, mobile RF channel number for allocation, cell selection parameters, and RACH description. It is always transmitted on a designated RF carrier and time slot 0 at a constant power. BCCH, FCH and SCH can not be hopped. The cell broadcast channel (CBCH) is used to transmit short alphanumeric text messages to all the MSs within a particular cell. These messages appear on the MSs display and a subscriber may choose to receive different messages by selecting different pages. The BCCH and the CBCH both use the normal burst. Associated Control Channels When an MS is engaged in a call, a certain amount of signalling information must flow across the radio interface in order to maintain the call. This type of signalling is supported using logical control channels which occupy the same physical channel as the traffic data. Non-urgent information such as measurement data is transmitted using the slow associated control channel (SACCH). This occupies one time slot in every 26. More urgent information such as handover is sent using time slots that are stolen from the traffic channel. This channel is known as the fast associated control channel (FACCH) because of its ability to transfer information between the BTS and MS more quickly than SACCH. A FACCH signalling block is used to exactly replace a single (20 ms) speech block and a complete FACCH message may be sent once every 20 ms. Both the SACCH and FACCH use the normal burst and they are both uplink and downlink channels. Stand-Alone Dedicated Control Channel In some situations, signalling information must also flow when a call is not in progress. This could be accomodated by allocating either a full or half rate TCH and by using either the SACCH or FACCH to carry the information. However, this would be a waste of radio resources. Instead, a lower data rate channel has been defined which has around 1/8 of the capacity of a full-rate TCH known as stand-alone dedicated control channel (SDCCH). It exists independently of a TCH and it is dedicated to a single MS. It also has an associated SACCH. Since SDCCH always carries
16

signalling traffic there is no frame stealing and consequently it does not need an FACCH. SDCCH always uses the normal burst and operates both in the down and uplink. Common Control Channels The common control channels may be used by any MS within a cell. The paging channel (PCH) is a downlink-only channel that is used by the system to page individual MSs. There is a full-rate and a half-rate PCH. PCH always uses normal burst. The access grant channel (AGCH) shares the same physical resources as PCH, a particular time slot may be used by each channel. An AGCH is used by network to grant or deny an MS access to the network by supplying it with details of a dedicated channel; i.e. TCH or SDCCH to be used for subsequent communications. The AGCH is a downlink only channel and uses always normal burst. The random access channel (RACH) is an uplink-only channel that is used by an MS to initially access the network; i.e. at call-setup or prior to a location update. The random term stems from the fact that more than one MS may transmit in an RACH time slot and thus collide. If such a collision occurs, MS waits for a random time interval and transmits another access burst on RACH.

VI.III. Mapping Logical Channels onto Physical Channels

The various logical channels described above may be combined in one of 7 ways before being mapped onto a physical channel. The simplest mapping is the full-rate traffic channel (TCH/F) and its SACCH. When combined these channels fit exactly into one physical channel. A single physical channel will also support two half-rate channels (TCH/H) and their SACCHs or eight SDCCHs and their associated SACCHs. The remaining three logical channel combinations are a little more complicated and are explained below. The basic broadcast and common control channel combinations consists of a single FCCH, SCH and BCCH on the downlink, along with a full-rate PCH and full-rate AGCH. The uplink is entirely dedicated to a full-rate

17

RACH. This control channel combination may only occur on time slot zero of a carrier. The carrier that supports these channels at a BTS is called the BCCH carrier and it will be unique to a cell or sector; i.e. each BTS will only have one BCCH carrier. In smaller capacity cells, a second combination of the access channels is employed. The downlink continues to support an FCCH, SCH and BCCH; however the rate of the downlink PCH and AGCH is reduced to around 1/3 of their full-rate. The extra slots that have been created as a result of this rate reduction on the downlink are used to support 4 SDCCHs and their associated SACCHs. The SDDCHs will also occupy a number of uplink time slots and the number of time slots allocated to the RACH on the uplink is reduced accordingly. This effectively halves the number of time slots allocated to RACH. Again, this control channel combination may only occur on the time slot 0 of the BCCH carrier. The final control channel combination consists of a BCCH and a full-rate PCH and AGCH on the downlink and a full-rate RACH on the uplink. This channel combination may only occur on slot 2, or slots 2 and 4, or slots 2, 4 and 6 of the BCCH carrier. The various channel combinations described above are summarized in Table 9. where * means reduced rate channels.

Possible Time Slots 0-7 0-7 0-7 0 0

Downlink 1 TCH/F(+SACCH) 2TCH/H(+SACCH) 8SDCCH(+SACCH) 1SCH+1FCCH+1BCCH +1AGCH+1PCH 1SCH+1FCCH+1BCCH +1AGCH*+1PCH* +4SDCCH(+SACCH) 1 BCCH+1AGCH+1PCH

Uplink 1 TCH/F(+SACCH)
2TCH/H(+SACCH)

8SDCCH(+SACCH) 1RACH 1RACH+4SDDCH (+SACCH) 1RACH

2,4,6

Table 9.: Logical channel configurations

Lets now look at the timing of the possible channel combinations mentioned in Table 9. For the full-rate traffic channel in combination I, 12th
18

frame is the associated SACCH and 26th frame is kept idle. Rest of the frames are used to send speech data. In half-rate traffic channel, each channel is time-multiplexed, 12th frame is SACCH1, 25th frame is SACCH2 and 26th frame is kept idle. The third combination uses 2 51-frame multiframes consecutively. In the uplink, frames 0-31 are SDCCH0 to SDCCH7 for four frames, frames 32 to 47 are SACCH4 to SACCH7 for four frames and the rest three frames are kept idle. In the second multiframe, again frames 0-31 are SDCCH0 to SDCCH7 for four frames, frames 32 to 47 are SACCH0 to SACCH3 for four frames and the rest three frames are kept idle. In the downlink, frames 0-11 are SACCH5 to SACCH7 for four frames, 12-14th frames are kepth idle, 15-46 frames are SDCCH0 to SDCCH7 and frames 47-50 is SACCH0. In the second multiframe, frames 0-11 are SACCH1 to SACCH3, 12-14th frames are kept idle, frames 15th to 46 are SDCCH0 to SDCCH7, and frames 47-50 is reserved for SACCH4. In the 4th combination downlink, frames 0-1,10-11,20-21,30-31 and 4041 are successive frequency correction channel (FCCH) and synchronization channels (SCH). Frames 2-5 is BCCH, and frames 6-9,12-19,22-29,3239,42-49 is CCCH that is either PCH or AGCH and frame 50 is kept idle. In uplink, frames 0-1,10-11,20-21,30-31,40,41 and 50 are RACH and rest is kept idle. In combination 5, the rates of AGCH and PCH is reduced to half of their rate in the downlink. In the uplink, the 5 idle blocks are filled with an SACCH followed by 4 SDCCHs. 6th combination is also similar to 4th combination and the only difference is that there are no FCCH or SCH, they are left idle.

VII. GSM Frame Structure

Frame structure in GSM, whereby each carrier supports eight time slots, and a physical channel occupies one time slot in each frame. The TDMA frame represents the lowest layer in a complex hierarchical frame structure. The next level in the GSM frame structure is the multiframe which consists of 26 TDMA frames in the case of full-rate and half-rate traffic channels, or 51 frames for all other logical channels. The first 12 time slots in each TDMA frame of the multiframe; i.e. 0 to 11, are used by the TCH/F itself. The next time slot is not used and is

19

termed an idle slot. The next 12 slots are again used by the TCH/F and the last timeslot in TDMA frame 26th is used by the SACCH. This is valid for odd numbered multiframes. In even numbered multiframes, idle slots and SACCH slots are exchanged. We should note again that there is an offset of three timeslots between the frame timing on the uplink and downlink, and downlink is 3 timeslots in advance of uplink. The traffic multiframe is exactly 120 ms in duration and 1 TDMA frame=120ms/26=4.615 ms. The organization of the half-rate channel (TCH/H) is somewhat different than the full-rate channel. When two half-rate channels TCH0 and TCH1 are combined on the same physical channel, in timeslots 0-11, TCH0 and TCH1 are multiplexed. Timeslot 12 is SACCH0. Again in timeslots 13-24, TCH0 and TCH1 are multiplexed and timeslot 25 is SACCH1. The next level in GSM frame structure is superframe and in the case of TCH/F and TCH/H, superframe consists of 51 multiframes. The duration of a superframe is 6.12 s. The final level in the frame structure is the hyperframe and this consists of 2048 superframes and has a duration of around 2715648 TDMA frames that is approximately 3 hours 28 mins. In the case of control channels set on time slot 0, the multiframe consists of 51 TDMA frames and lasts around 235 ms. Except TCH/F and TCH/H , the four different control channel combinations uses the 51frame multiframe. Furthermore, a superframe is 26 multiframes and of duration 6.12 s. Finally, a hyperframe is 2048 superframes and of duration 2715648 TDMA frames or 3 hours 28 mins. The way in which the group of 8 SDCCHs are mapped onto a single physical channel is further important. This mapping is based on a twomultiframe cycle. If we denote the time slots in two multiframes from 0 to 50 and from 51 to 101, the SDCCHs of 0-7 occupies 4-slots consecutively in two multiframes from 0-31 and 51-82. 32-47 in odd multiframe are occupied by consecutive 4-slots of associated SACCHs of 0-3 and 83-98 of even multiframe are occupied by consecutive 4-slots of associated SACCHs of 4-7. The last 3 slots on each multiframe is left idle. This control channel arrangement may be used on any time slot and any carrier, except time slot zero of the BCCH carrier. Furthermore, if we denote by F the frequency correction channel FCCH, by S the synchronization channel (SCH), by P the PCH/AGCH and by R the RACH, the control channel arrangements on the BCCH carrier from slot
20

0-50 is given by: Downlink={F,S,B,B,B,B,P,P,P,P,F,S,P,P,P,P,P,P,P,P,F,S, P,P,P,P,P,P,P,P,F,S,P,P,P,P,P,P,P,P,,F,S,P,P,P,P,P,P,P,P,idle} and Uplink={All Rs}. We also see that the superframe represents the smallest time cycle for which the traffic channel and control channel relationships are repeated and for this reason, the multiframe structure in use on each physical channel may only change at superframe boundaries. Furthermore, each of the 2715648 timeslots in the hyperframe for both and traffic and control channels has a unique number and this is used in the ciphering and frequency hopping algorithms.

VIII.

Speech Transmission

In GSM, a speech coder is used to convert the analog speech signal into a digital signal that is suitable for transmission over the radio interface. Forward error correction (FEC) is then applied to the speech data to allow all or some of the transmission errors to be corrected at the receiver. The FEC-coded data are then interleaved and ciphered before being assembled into bursts ready for transmission over the radio interface. Following the equalization and demodulation process at the receiver, the recovered data is dechiphered, deinterleaved and decoded to remove as many transmission errors as possible. The data are then passed to the speech decoder where it is converted back to the analog speech signal.

VIII.I. Speech Coding

In GSM, the speech information is conveyed by transmitting the filter coefficients of the vocal tract and an excitation sequence which allows the speech to be reconstructed at the receiver. At an MS, the users acoustic pressure signal is converted into an electrical signal using a microphone. The electrical signal is sampled at 8 KHz and each sample is converted into 13-bit digital representation using a uniform analog-digital conversion. Following this conversion process, the signal is passed to the GSM speech coder.

21

The GSM speech encoder belongs to the family of regular-pulseexcited (RPE) linear predictive codecs (LPC). It also employs long-term prediction (LTP) in addition to the conventional short-term prediction (STP) and accordingly it is called an RPE-LTP speech coder. An RPELTP encoder can be divided into 4 parts: preprocessing, STP analysis filtering, LTP analysis filtering and RPE computation. Pre-processing The sampled speech signal is initially passed through a notch filter to remove any DC offsets that may be present and passed through a firstorder finite-impulse response (FIR) pre-emphasis filter. The preemphasis filter is used to emphasize the low-power high-frequency part of the speech spectrum and this provides better numerical precision in the subsequent computations. The form of the preemphasis filter is H ( z ) ! 1  c1 z 1 where the coefficient c1 =0.9. The speech signal is then divided into non-overlapping frames consisting of 160 samples, each having a duration of 20 ms. Later, the preprocessed speech samples are windowed by the Hamming window presented as:
2Tn W (n) ! 0.54  0.46 cos . N

STP Analysis Filtering Speech data inherently contain a high level of redundancy and this means that it is possible to predict a future speech sample from previous speech samples. In mathematical terms, we can say that a speech sample may be approximated as the linear combination of a number of past speech samples such that the predicted speech sample at an instant n is given by: p _

s( n) ! ak s( n  k ) (23)

k !1 where p is the predictor order. The prediction error, e(n), is defined as:

22

e( n ) ! s ( n )  s ( n ) ! s(n)  ak s (n  k ) (24)
k!
Taking the z-transform of (24) gives:

E ( z ) ! S ( z ) A( z ) (25)
where:

A( z ) ! 1  ak z  k (26)
k !1 The coefficients ak are computed by minimizing the mean-squared error over a 20 ms segment of the speech waveform. The inverse of A(z); H(z)=1/A(z), is an all-pole digital filter which models the spectral envelope of the speech waveform.
In practice, the predictor coefficients are not calculated directly, but instead, 8 reflection coefficients are derived from the autocorrelation coefficients of the speech block by Schur recursion. The reflection coefficients are then transformed into another set of coefficients known as log-area ratios (LARs) as: LAR (i ) ! log10
1  r (i ) . There are 8 LARs per 1  r (i )

20 ms speech block and they are quantized using 6 bits for LAR(1) and LAR(2), 5 bits for LAR(3) and LAR(4), 4 bits for LAR(5) and LAR(6), and 3 bits for LAR(7) and LAR(8), which results in 36 bits per speech block. LTP Analysis Filtering Filtering the speech signal using the inverse filter, A(z), tends to remove the redundancy by subtracting from each speech sample its predicted value using the past p samples. The resulting signal is known as the short-term prediction residual and it will generally exhibit a certain amount of periodicity related to the pitch period of the original
23

speech when it is voiced. This periodicity represents a further level of redundancy which can be removed using a pitch predictor or a long-term predictor. The general form of the long-term predictor filter is given by:

1 1 (27) ! P( z ) 1  Pi ( z )
where:

Pi (z) !

Gk z  (E  k ) (28)
k ! -m1

m2

is the long-term predictor, m1 and m2 determine the number of predictor taps, E is the LTP delay and Gk is the LTP gain. In the case of full-rate GSM speech coder, m1=m2 =0, resulting in a single-tap predictor. The parameters E and G0 are determined by minimizing the mean-squared residual error after both short-term and long-term prediction over a period of 40 samples; i.e. 5 ms. For the single-tap predictor, this residual error:

e(n) ! r (n)  Gr (n  E ) (29)

where r(n) is the residual that is produced following the short-term prediction. The mean-squared residual, R, is given by: 39 39 2 2

E ! e (n) ! [r (n)  Gr (n  E )]

(30)

n !0 n !0 The parameters G and E are then quantized and coded using 2 and 7 bits respectively, resulting in 9 bits per 5 ms sub-block and 36 bits per 20 ms speech block. RPE Computation Removing the redundancy from the speech signal produces a residual signal. In the speech decoder, this residual is used to excite the recounstructed LTP and STP filters. The GSM system uses the regular pulse excited (RPE) approach to encode this residual efficiently. For each 5 ms sub-block, the excitation signal is assumed to consist of 13 pulses spaced apart by 3 samples. The magnitude and initial starting position of
24

the first pulse are computed to minimize the error between the speech and its locally reconstructed version. Given the pulse spacing of 3 samples, there are three possible grid positions for the first excitation pulse and this information can be encoded using only 2 bits. The pulse magnitudes are normalized to the highest magnitude for the block and quantized using 3 bits. Finally, the block maxima is quantized using 6 bits. This results in 47 bits per 5 ms sub-block. The full bit allocation for the GSM voice encoder is given in Table 10. Each 20 ms block of speech is encoded using 260 bits and this produces a bit rate of 260/20 ms=13 Kb/s.
Parameter to be encoded 8 STP coefficients 4 LTP Gains G 4 LTP delays D 4 RPE grid positions 4 RPE block maxima 4*13=52 pulse amplitudes Total number of bits per 20 ms Transmission bit rate No. of bits 36 4*2=8 4*7=28 4*2=8 4*6=24 52*3=156 260 13 Kb/s

Table 10.: Bit allocations for full-rate GSM speech encoder

VIII.II. Speech Decoding

Decoding the speech data is much less complex task than the encoding process. The decoder performs the opposite operations, namely RPE decoding, LTP synthesis filtering, STP synthesis filtering and postprocessing RPE Decoding In the decoder, the grid position, the subsection excitation maxima and the excitation pulse amplitudes are recovered from the received data and the actual pulse amplitudes are computed by multiplying the decoded amplitudes by their corresponding block maxima. The LTP residual

25

model is recovered by properly positioning the pulse amplitudes according to the initial offset grid position. LTP Synthesis Filtering The LTP filter parameters G and E are recovered from the received data and they are used to derive the LTP synthesis filter. Then the recovered LTP excitation model is used to excite this LTP synthesis filter to recover a new subsegment of the estimated STP residual. STP Synthesis Filtering The STP filter is reconstructed and excited by the reconstructed STP residual signal to regenerate the speech. Post-processing The speech signal is deemphasized using the inverse of the preemphasis filter employed in the encoding. The data bits produced by the speech encoder will each have a different impact on the speech signal if they are received in error. For this reason, each bit is ranked in order of importance and forward error correction is applied accordingly. In GSM, the most important bits are protected by a parity check and a powerful half-rate constraint length 5 convolutional code, where as the least important bits are left unprotected. The specifications define three classes of bits and these are termed Class Ia, Class Ib and Class II. The ClassIa bits are the most important and receive the most protection. In fact, if an error is detected in the Class Ia bits, then the entire speech frame is discarded and interpolation techniques are used to reconstruct the speech from frames on either side of the discarded block. The Class Ib bits are slightly less important and receive correspondingly less protection. The Class II bits are least important and they are transmitted unprotected.

VIII.III. Voice Activity Detection

During a typical telephone conversation, a person will generally speak for around about %40 of the total time. The interference levels may be reduced and MS battery may be saved by turning off the transmitter whn

26

user is silent. This technique is known as discontinous tranmission (DTX) and relies on the accurate detection of the periods of silence in users speech. This is achieved using voice activity detection (VAD) where the energy in the speech signal is computed for each speech block and a decision is made using an adaptive threshold as to whether the block contains speech or background noise.

VIII.IV. Channel Coding

Channel coding is employed in an effort to reduce the system BER to acceptable levels and improve the overall performance. However, FEC coding introduces a level of redundancy and hence increases transmitted data rate and system bandwidth. For this reason, channel coding is applied in a selective manner in GSM. The speech coder delivers 260 bits per 20 ms that is equivalent to a data rate of 13 Kb/s and these bits are divided into three classes depending on the impact on the received speech quality if they are received in error. In a speech block of 260 bits at the output of speech encoder, The ClassIa bits are labeled {d0,,d49}, the ClassIb bits are labeled {d50,,d181}, and the ClassII bits are labeled {d182,,d259}. ClassIa bits are so important that the speech frame must be discarded if any of these bits are received in error. Therefore it is important for the receiver to be able to detect when errors in the ClassIa bits have leaked through the FEC process. This is achieved using a weak error detecting block code. The code used is a shortened cyclic code (53,50,2) with a generator polynomial given by:

g ( D) ! D 3  D  1 (31)
This coding process generates three parity bits that are appended to the end of ClassIa bits. The ClassIb bits and 4 all zero tail bits are then appended to the end of ClassIa bits and the parity bits, and all the bits are reordered according to the following relationship:

27

uk ! d 2 k

for k ! 0,1,...,90

u184 k ! d 2 k 1 for k ! 0,1,...,90 uk ! 0(tail bits) for k ! 185,186,187,188 (32)

The reordering process groups the even-numbered data bits at the beginning of the frame, and the odd-numbered data bits at the end of the frame followed by 4 zero tail bits with the three parity bits at the centre of the reordered frame at {91,92,93} bit positions. The resulting 189-bit block is then convolutionally encoded using rate constraint length 5 code with the following generator polynomials:

G0 ! 1  D 3  D 4 G1 ! 1  D  D 3  D 4 (33)
This produces a coded block of 189*2=378 to which the uncoded 78 ClassII bits are added to produce a block of 456 bits.

VIII.V. Interleaving
In a mobile environment, the errors in the transmitted bits tend to occur in bursts as the MS moves into and out of deep fades. The convolutional error correcting code described above is most effective when the errors are randomly distributed throughout the bit stream. For this reason, the coded data are interleaved before they are transmitted over the radio interface. At the receiver, the deinterleaving process tends to distribute the error bursts randomly thorughout the received data thereby increasing the effectiveness of the subsequent channel decoding. The GSM system employs two distinct levels of interleaving. Block-diagonal interleaving For a full-rate traffic channel (TCH/FS) carrying speech information, the 456-bit coded speech block is partitioned into 57-bit sub-blocks by assigning coded bit ck to sub-block Bi based on the relationship:

i ! k mod 8 (34)
28

i.e. every eight bit is assigned to the same sub-block. Each sub-block then forms the one half of eight consecutive transmission bursts over the radio interface. The remaining half of each burst is occupied by sub-blocks from either the previous speech frame or the next frame where Bi refers to the sub-block i of speech frame n. The burst also contains 2 stealing flags, hl and hu , which are used to indicate whether either half-burst has been stolen by the FACCH. Inter-burst interleaving In addition to the block diagonal interleaving described, the data bits are interleaved within the burst due to the definition of coding and blockdiagonal interleaving. One sub-block will occupy either the odd or even bit positions within the burst. Where a sub-block from a speech frame shares its burst with a sub-block from the previous speech frame, it will use the even numbered bit positions. Conversely, where a sub-block shares its burst with a sub-block from the next speech frame, it will use the odd-numbered bit positions.
n

VIII.VI. Ciphering
The GSM system has the ability to encrypt the information on the radio path to reduce the security threats posed by evaesdroppers. The encryption process involves performing the modulo-2 addition of a 114bit wide encryption word and the 114 bits in a speech burst. This effectively scrambles the bits within a burst in a known manner allowing them to be unscrambled by a receiver that knows the encryption word. Generation of the encryption word with A8 algorithm will be explained in Secion XII.

VIII.VII. Data Transmission

VIII.VII.I. Channel Coding TCH/F9.6 Although the data service operates at 9.6 KB/s, a certain amount of auxiallary information is added to produce an intermediate data rate of 12 Kb/s. This data are delivered to the encoding unit in the form of 60-bit block every 5 ms and the coder operates on a group of 4 blocks; i.e. 240

29

bits {d(0),...,d(239)}. 4 all-zero tail-bits are then added at the end of block and the data are the convolutionally encoded using a rate constraint length 5 code with generator polynomials:

G0 ! 1  D 3  D 4 G1 ! 1  D  D 3  D 4 (35)
This produces a coded data block of 488 bits {C(0),,C(487)}. The block size is then adapted for transmission on the radio path using puncturing, whereby 32 of the coded bits are deleted using the rule:

Deleted bits ! C (11  15 j ), where j ! 0,...,31 (36)

This means that bits C(11), C(26), C(41) and so on are removed resulting in a block of 456 bits, {c(0),,c(455)}. Puncturing is used to precisely tailor the rate of convolutional code to the requirements of a transmission link. At the receiver, the convolutional decoder will effectively treat the deleted bits as errors and they will be corrected in the conventional way within the Viterbi decoder. TCH/F4.8 The data are delivered to the coding unit at an intermediate bit rate of 6 Kb/s or to be more precise, one 60-bit block every 10 ms. Each block is extended to 76 bits by the addition of all-zero 16 bits, which are inserted in blocks of 4, once every 15 bits. 2 of these blocks are then assembled to form a single 152-bit block, which is 1/3 rate constraint length 5 convolutionally encoded with following generator polynomials: 3 4

G1 ! 1  D  D  D G2 ! 1 D2  D4

G3 ! 1  D  D 2  D 3  D 4 (36)
This results in a coded block of 456 bits. TCH/H4.8 The data are delivered to the coding unit in blocks of 60 information bits every 10 ms, i.e. 6 Kb/s. 4 of these blocks ar grouped together to produce a block of 240 bits. The subsequent coding process is identical to those of TCH/F9.6 channel.
30

TCH/F2.4 The data are delivered to the coding unit at an intermediate bitrate of 3.6 Kb/s in the form of 36-bit blocks every 10 ms. The coding unit operates on the blocks of 72-bits formed by assembling 2 36-bit blocks. Initially 4 all-zero tail bit are added to the end of the block to produce 76-bit block. This block is then 1/6 rate constraint length 5 convolutionally encoded using the following generator polynomials:

G1 ! 1  D  D 3  D 4 G2 ! 1 D2  D4 G3 ! 1  D  D 2  D 3  D 4 G4 ! 1  D  D3  D4 G5 ! 1  D 2  D 4 G 6 ! 1  D  D 2  D 3  D 4 (37)
This results in a coded data block of 456 bits. TCH/H2.4 The information data are delivered to the coding unit at a rate of 3.6 Kb/s in the form of 36-bit block every 10 ms. Two blocks are assembled to form a single 72-bit block and each block is expanded by the addition of 4 all zero tail bits at the end of the block. 2 of these 76-bit blocks are then assembled to form a single 152-bit block for channel coding. The block is 1/3 rate constraint length 5 convolutionally encoded to produce a coded data block of 456 bits using the convolutional code specified for the TCH/F4.8 channel. VIII.VII.II. Interleaving The interleaving process can be partitioned into 2 levels: block diagonal and inter-burst interleaving. The TCH/H2.4 channel uses the same interleaving scheme as TCH/FS described previously. The reamining channels use a complex interleaving scheme described as: The 456 bit blocks is subdivided into 4 114-bit sub-blocks, each of which is
31

evenly distributed over 19 bursts with 6 bits in each. The sub-blocks are block diagonal interleaved with a shift of 1 burst between each sub-block. VIII.VII.III. Ciphering The bursts are encrypted in the same manner as that described for the full-rate speech channel.

VIII.VIII. Control Data Transmission

VIII.VIII.I. Slow-Associated Control Channel (SACCH) The SACCH data is delivered to the coding unit in fixed blocks of 184-bits. The initial encoding is performed using a shortened binary cyclic code defined by generator polynomial: 23 17 3

g ( D) ! ( D

 1)( D

 D  1) (38)

This type of code is commonly referred to as fire code and is used to detect bursty residual errors that are not corrected by the convolutional decoder. The result of the coding process is the generation of 40 parity bits that are appended to the end of the block to form a 224-bit block. This block is extended to 228 bits wit the addition of 4 all-zero tail bits at the end of the block. This data block is then convolutionally encoded using a rate constraint length 5 convolutional code with the generator polynomials:

G0 ! 1  D 3  D 4 G1 ! 1  D  D 3  D 4 (39)
The result is a block of 456 coded bits. The bits are then divided into 8 57-bit sub-blocks in the same way as the 456-bit speech block on the TCH/FS; i.e. some blocks occupy the even-numbered bits and some blocks occupy the odd-numbered bits. However, in the case of SACCH, the block interleaving occurs over 4 full bursts with each burst containing bits from the same block in both even and odd bit positions, that is called block rectangular interleaving. We note that SACCH bursts occur once every 26 bursts or 120 ms in the case of a full-rate traffic channel, which means that the overall delay caused by interleaving and coding processes will be 4*120=480 ms. In the case of a SACCH burst, the stealing flags are always set to 1.
32

VIII.VIII.II. Fast-Associated Control Channel (FACCH) The FACCH information is delivered to the channel coder in blocks of 184 bits which are block and convolutionally encoded using the same codes as em ployed for the SACCH. The interleaving scheme is different for FACCHs on full-rate and half-rate channels. For the full-rate channel, the interleaving scheme is identical to that used for the full-rate 456-bit coded speech frames. To note, when the even numbered bits in first 4 sub-blocks are stolen by an FACCH, the hu flag is set to 1, and if the odd numbered bits in the last 4 sub-blocks are stolen by FACCH, hl flag is set to 1. Consequently, the insertion of an FACCH block will result in the loss of a 20 ms speech block. Since the TCH/F2.4 also uses the same interleaving scheme, the insertion of an FACCH block results in the loss of a single 456-bit coded information block, or a 72-bit information block. In the case of TCH/F9.6, the difference between the two interleaving schemes means that the insertion of the FACCH results in the loss of a maximum of 24 coded bits in each 114-bit block, and in the case of TCH/f4.8, a maximum of 48 coded bits will be lost every 228 bits. When an FACCH is inserted on the half-rate channel, 184-bit FACCH block is block and convolutionally encoded in the same manner as the SACCH block to produce a 456-bit coded data block. The block is interleaved over six bursts in the following manner. The 456-bit block is divided into 8 sub-blocks with the first 4 sub-block {B(0),...,B(3)} occupying the even-numbered bit positions and the last 4 sub-blocks {B(4),...,B(7)} occupying the odd-numbered bit positions. Sub-blocks B(2) and B(3) are combined with sub-blocks B(4) and B(5) to fill 2 complete bursts and the remaining sub-blocks fill half bursts. The blocks are therefore effectively block diagonally interleaved over 6 bursts and a new data block beginning every 4th burst. Accordingly, an FACCH block steals the even-numbered bits of the first 2 bursts of the TCH/H with hu flag is set to 1, all of the bits of the next two bursts with both hu and hl flags are set to 1, anf the odd-numbered bits of the next 2 bursts with hl flag is set to 1. The effects of FACCH bit stealing on a half-rate speech channel TCH/HS will be the loss of 2 consecutive speech frames. In the case of TCH/H4.8 and TCH/H2.4 channels, a maximum of 24 in every 114 coded bits will be lost.
33

VIII.VIII.III. Random Access Channel (RACH) The short RACH bursts transmitted on the uplink contain only 8 information bits. 6 parity bits are generated using a simple systematic cyclic code with the following feedback polynomial: 6 5 3 2

G ( D) ! D  D  D  D  D  1 (40)

The six parity bits are then added bitwise modulo-2 to the 6-bit BSIC of the BTS for which the RACH message is intended. This process is included to ensure that 2 BTSs with the same BCCH carrier frequency do not both decode and respond to a RACH frame from a single MS. Only the BTS with the same BSIC as that used in the RACH burst generation will be able to successfully decode the information. This process results in a 14-bit block to which 4 all-zero tail bits are added to form an 18-bit block. This block is then rate constraint length 5 convolutionally encoded using the same generator polynomials as those used in the TCH/FS producing a 36-bit coded block. There is no interleaving on the RACH channel. VIII.VIII.IV. Synchronization Channel (SCH) The synchronization bursts, each containing 25 information bits, are transmitted on time slot 0 in the downlink BCCH carrier. The data transmitted include the BSIC and the frame number of the current frame in the hyperframe. 10 parity bits are generated using the following polynomial:

G ( D ) ! D10  D 8  D 6  D 5  D 4  D 2  1 (41)
and 4 all zero tail bits are added to produce a 39-bit data block. The block is then rate constraint length 5 convolutionally encoded using the same code as the TCH/FS to produce a coded data of 78 bits. There is no interleaving on SCH channel. VIII.VIII.V. Other Control Channels BCCH, PCH, AGCH, CBCH and SDDCH all use the same coding and interleaving scheme as the SACCH.

VIII.IX. Ciphering of Control Data

34

SCH, BCCH, AGCH, RACH, and CBCH are never encrypted. The only control channels that may carry encryption are the SACCH, FACCH and SDCCH. The data on these channels are encrypted by EXOR-ing the 114 bits in the burst with 114-bit encryption word generated by A8 algorithm thereby scrambling the data in a known way.

IX.

Cell Selection

When an MS is switched on, its first task is to locate a suitable BTS through which it can gain access to the network, if required. This is achieved by searching the relevant frequency band for BCCH carriers and then decoding the information they carry to select an appropriate BTS. Initially, the MS searches the entire downlink frequency band (124 carriers for primary GSM900) and measures the received signal strength of each carrier. The received signal level for each carrier is determined from the average of at least 5 measurements spread evenly over a time period of 3 to 5 s. The MS then retunes to the strongest carrier and waits for an FCCH burst; i.e. a burst of pure sine wave. If an FCCH burst, which occurs every 10 or 11 time frames on time slot 0 of a BCCH carrier, is not detected, then the MS retunes to the next strongest carrier and repeats the process. Once the MS identifies a BCCH carrier by means of an FCCH burst, it synchronizes to the BTS and attempts to demodulate the synchronization information. The FCCH burst is used by the MS to correct its internal time base to ensure that its carrier frequency is accurate compared with the signal received from the BTS. The MS employs its internal time base to generate both the local versions of RF carriers for demodulation and the clock signals for its internal counters. Having applied the relevant frequency correction, the mobile attempts to decode the synchronization burst contained in the SCH time slot. The slot is easily located beacuse it always follows immediately after the FCCH time slot on the same physical channel; i.e. 8 time slots later. The synchronization burst contains sufficient information for the MS to identify its position within the complete GSM frame structure. The burst contains 25 bits of information prior to channel coding and 6 of these bits

35

are used to transmit the BSIC. The remaining 19 bits are used to transmit the reduced TDMA frame number (RFN) of the time slot containing the synchronization burst. The RFB consists of three parameters, T1 (11 bits), T2 (5 bits) and T3 (3 bits), which are determined using the full frame number (FN) unique to each TDMA frame within the hyperframe. The FN ranges from 0 to 2715647 and the RFN parameters are defined as follows:

T 1 ! FNdiv (26 * 51) (11 bits) range 0 to 2047 T 2 ! FN mod 26 T 3' ! (T 3  1) div10 (5 bits) range 0 to 25 (3 bits) range 0 to 4 (42)

where T3 is a number in the range 0 to 50 and is given by:

T 3 ! FN mod 51 (43)
The mod and div operators return the integer result and the reminder of an integer division, respectively. This shows that T1 provides the position of the superframe containing the synchronization burst in the hyperframe, while T2 provides the position of the multiframe within the superframe. The control channel multiframe contains 51 TDMA frames and the position of the frame containing the synchronization burst within the multiframe is given by T3, which requires 6 bits. However, the synchronization burst can only occupy 1 of 5 different positions within the multiframe and consequently, this information is transmitted using 3 bits as T3. In addition to FN, the mobile must also maintain the time slot number (TN) and quarter-bit numer (QN) counters. The QN counter is set using the extended training sequence located in he middle of the synchronization burst and is incremented every 12/13 us. The QN counts the quarter-bit periods and its value ranges 0 to 624; i.e. 0 to 156-bit periods. The TN counter is set to 0 when the synchronization burst is received and it is incremented each time the QN count changes from 624 to 0. The TN counter is used to hold the position of the time slot within the TDMA frame and its value ranges from 0 to 7. As the value of TN changes from 0 to 7, the FN is incremented. Having successfully synchronized to the BS, the mobile may proceed to decode the system information contained on the BCCH. The BCCH is easily located since it always occupies the same position within the
36

control channel multiframe. This channel contains a number of parameters that influence the cell-selection, including the maximum power that MS may transmit while accessing the BTS (parameter MS_TXPWR_MAX_CCH) and the minimum received power at the MS for access ( parameter RXLEV_ACCESS_MIN). These parameters are combined with the received power of the base station, R, and the maximum output power of the MS, P, to produce a radio parameter known as CI given by:

CI ! A  B for B " 0 CI ! A
where:

for B e 0 (44)

A ! R  RXLEV _ ACCESS _ MIN , B ! MS _ TXPWR _ MAX _ CCH  P, (45)

and all values are expressed in dBm. If CI for a given BTS is greater than 0, then the MS is considered to have the ability to access the BTS, if required. Also, the BTS with the highest CI is considered to be the most suitable BTS as far as the radio resource is concerned.

X.

Power Control

GSM system employs power control to ensure that the MS and BTS only transmit sufficient power to maintain an acceptable link, thereby reducing interference to neighbouring cells and improving the spectral efficiency. An MS has the ability to decrease its transmitted power is steps of 2 dB from the maximum for its class down to 5 dBm for GSM900. The transmission power of the MS is controlled by the network conveying messages over the SACCH. After receiving a power control command, an MS adjusts its transmitted power to the requested power level at a maximum rate of 2 dB every 60 ms. Thus a tranmsitter power change of 30 dB will take around 900 ms. The power control algorithm is based on the uplink signal measurements taken at the BTS, and although the specifications include an example algorithm, the implementation is operator specific. The BTS must be able to dynamically adjust its power in at least 15 steps of 2 dB. Power control may be applied independently on downlink and uplink, or it may not be applied
37

either. However, downlink power control may not be applied to any slots on the BCCH carrier as it must be transmitted at a constant power because it is measured by the MSs in surrounding cells for handover preparation.

XI.

Frequency Hopping

GSM employs slow frequency hopping (SFH) to mitigate the effects of multipath fading and interference. Each burst belonging to a particular physical channel will be transmitted on a different carrier frequency in each TDMA frame. Thus the hopping rate is equal to the frame rate (216.7 frames/s). The only physical channels that are not allowed to hop are FCH, SCH, BCCH, PCH and AGCH. The hopping sequence defines the order in which the different carrier frequencies are used on the uplink and downlink. Since the uplink and downlink frequencies always remain separated by the duplex channel spacing 45 MHz for GSM900, only a single hopping sequence is required to describe the complete duplex link. The mobile allocation parameter prescribes the carrier frequencies that may be used by each MS in its hopping sequence. For 124 possible TDMA carriers, the mobile allocation parameter requires a minimum of 124 bits to uniquely describe every possible carrier combination. We recall that initial assignment messages are sent on the common access grant channel (AGCH) where the message size should be kept short to preserve the access capacity of the system. To avoid transmitting the full mobile allocation parameter at initial assignment, a 2-step approach is used. Each BTS transmits details of all the carriers it is using in the form of a channel description message, carried on the BCCH. This message takes the form of a 124-bit map where each bit represents a carrier and a 1 or 0 is inserted to indicate whether each particular carrier is in use at BTS. The MS decodes and stores this information while it is in idle mode. On initial assignment, the mobile allocation is described as a subset of cell allocation, thus reducing the signalling overhead on the AGCH.

38

Having established the list of carrier frequencies assigned to the frequency hopping channel, the MS must also determine the sequence in which each frequency is to be used. The hopping sequence is described by 2 parameters: the hopping sequence number (HSN) and the mobile allocation index offset (MAIO). The HSN selects one of 64 predefined random hopping sequences, while the MAIO selects the start point within the sequence. The MAIO may take as many values as there are frequencies in the mobile allocation. The value HSN=0 chooses a cyclic sequence where the frequencies in the mobile allocation are used one after another. Frequency hopping channels with the same HSN but different MAIOs will never use the same frequency simultaneously because they are orthogonal. Consequently, all frequency hopping channels within a cell employ the same HSN but have different MAIOs. Where 2 frequency hopping channels use different HSNs, they will interfere for 1/n of the bursts and consequently frequency hopping channels in co-channel cells will use different HSNs. To briefly summarize the frequency hopping algorithm again, for a set of n given frequencies, GSM allows 64*n different hopping sequences to be built. They are described by 2 parameters, the Mobile Allocation Index Offset (MAIO), which may take as many values as the number of frequencies in the set, and the HSN, which may take 64 different values. Two channels bearing the same HSN but different MAIOs will never use the same frequency on the same burst. All mobiles in a given cell will have the same HSN, while each will have different MAIOs. The frequency assigned to each mobile is also a function of the frame number. The actual parameters of the frequency hopping algorithm are as follows: MA: the actual allocation of frequencies 1<N<64 to mobile inclusive MAIO: values lie between 0 to N-1 (represented by 6 bits) and determines the next frequency where the mobile will hop HSN: 0<HSN<63 which results in cyclic hopping (increases by each frame) if HSN=0; otherwise the hopping is random FN: derived out of T1,T2,T3 where 0<T1<2047, 0<T2<25, and 0<T3<50 NBIN: Number of bits required to represent integer N (log2(N)+1) RNTABLE: Look-up table of 128 integer values whose values lie between 0 and 127
39

The frequency hopping algorithm in GSM based on these parameters is then given by the following description: - The input parameters to the algorithm are MA, MAIO, HSN, T1, T2, T3. T1, T2, T3 are received on SCH. If HSN=0, hopping is cyclic and the mobile allocation index is choosen as: MAI=(FN+MAIO) mod N - If HSN is not 0, intermediate parameters M, M and T are computed according to: M=T2+RNTABLE(HSN+(T1mod64)+T3) M=M mod (2^NBIN) T=T3 mod (2^NBIN) If M is smaller than or equal to N, then S=M Else S=(M+T) mod N - Finally, MAI=(S+MAIO) mod N

XII. Security Issues

XII.I. Authentication
Authentication is initiated by the network in the form of an authentication request message sent to the MS. This message contains a 128-bit random number, called RAND. At the MS, this number is used as one input to algorithm A3. The other input to A3 is the subscribers secret key, Ki . Both A3 and Ki are stored in the SIM under heavy protection. Ki may be of any format and any length. The result of applying the A3 algorithm to RAND and Ki is another number SRES (Signed Result), which must be 32 bits in length. Once computed, SRES is returned to the newtwork in the form of an authentication response message. On the network side, the AuC also stores the users secret key Ki and the A3 algorithm and it generates a version of SRES in na identical manner to that at the MS. The HLR (home location register) sends SRES to the visited MSC/VLR (visitior location register) where 2 versions are compared. If they match, then the MS is deemed to be authentic. The A3 algorithm has the property that it is a relatively simple task to generate SRES from RAND and Ki but it is very difficult to

40

determine Ki from SRES and RAND or pairs of SRES and RAND. In general A3 algorithm is operator specific.

XII.II. Encryption
Once a subscriber has been authenticated, thereby protecting both the subscriber and the network operator from the effects of fradulent access, the user must be protected from the evaesdroppers. This is achieved by encyrpting the data on the radio interface using a second key, Kc and an algorithm A5. Kc is generated during the authentication phase using Ki , RAND and algorithm A8, which is also stored in SIM. A8 is also operator specific. The Kc key for each user is computed in the home networks AuC to overcome the problems of internetwork roaming. In contrast to A3 and A8, that are operator specific, A5 will be chosen from a list of different candidates, which will not exceed 7. Prior to encryption being enabled, a negotitation phase will occur whereby the MS and the network decide which version of A5 to use. The A5 algorithm takes the 64-bit long Kc key and a 22-bit long representation of the TDMA frame number and produces 2 114-bit long encryption words, BLOCK1 and BLOCK2 for use on the uplink and downlink respectively. The encryption words are EXORed with the 114 data bits in each burst. The authentication and encryption process is summarized in Figure 4 where represents the EXOR function.
RAND Ki A8 Kc A5 Downlink Data-out Frame number BLOCK1 A3 SRES A3 SRES Authentication Frame number Ki A8 Kc

A5 BLOCK1

BLOCK2

+ Downlink
Data-in

BLOCK2 Uplink data-in

Uplink data-out

Figure 4.: The GSM authentication and encryption process 41

References: - Sigmund Redl, Matthias Weber and Malcolm Oliphant. An Introduction to GSM. Artech House Publishers, 1995. - Asha Mehrotra. GSM System Engineering. Artech House Publishers, 1997. - Raymend Steele, Chin-Chun Lee and Peter Gould. GSM, CDMAOne and 3G Systems. Wiley Pres, 2001.

42