Sei sulla pagina 1di 125


GSM developed by ETSI (European Technical Standards

Institute) protocols for 2G

GSM was developed to solve fragmentation problem of the 1G
systems in Europe
The GSM is worlds 1st cellular system to specify digital
modulation and network level architectures and services
The GSM is a circuit-switched system that divides each 200kHz
channel into eight 25kHz time-slots.
GSM operates in
890MHz to 915 MHz Reverse Link (MS to BS)
935MHz to 960MHz Forward Link (BS to MS )
GSM uses FDD & a combination of TDMA & FDMA technique

to provide simultaneous access to multiple mobile subscriber



Mobile Station (ME & SIM)

ME physical device, Consists of

Transceiver, Digital Signal

Processors and the antenna.

uniquely identified by the International Mobile Equipment
Identity (IMEI).
SIM smart card issued at the subscription time identifying the
specification of a user such as a unique number and type of the
The SIM card contains the International Mobile Subscriber
Identity (IMSI) used to identify the subscriber to the system, a
secret key for authentication, service area and other information.
The SIM card may be protected against unauthorized use by a
password or personal identity number (PIN)

Base Station Subsystem (BSS) :(BTS & BSC)


is the connection between the mobile station and the Mobile service Switching

Center (MSC).
It is a small switch inside BSS in change of frequency administration, maintains
appropriate power levels of signal and handoff among the BTSs inside a BSS.
This reduces burden of MSC
BSC Controller manages the radio resources for one upto several hundred BTSs.

defines a single cell (radius 100m to 35km)

BTS components include a Tx, a Rx and signaling equipment to operate over the

air interface.
Interface between BTS & BSC A-bis interface- carries traffics and mantaince data
Interface between BSC & MSC A interface- standardized within GSm.
Users speech is converted to 13kbps digitized voice with speech coder at MS
Wired network uses 64kbps PCM digitized voice in PSTN technology.
From 13kbps to 64kbps-at BSS

Network Subsystem
It provides link between cellular networks and PSTN or ISDN or

data network.
The NSS controls handoffs between calls in different BSSs,
authenticates users & validates their accounts & includes
functions for enabling worldwide roaming of mobile subscriber.
It include the main switching functions of GSM as well as data
based needed for subscriber data and mobility management.
It consists of
Mobile Switch Center (MSC)
Home Location Register (HLR)
Visitor Location Register (VLR)
Authentication Center (AuC)
Equipment Identity Register (EIR)
Interworking Function (IWF)

1. Mobile Switching Centre (MSC)

It is a hardware part of wireless switch that can communicate

with PSTN using Signaling system- 7 (SS-7) protocol

It also communicates other MSCs in the coverage area of the
service provider.
Functions of MSC:
Call setup , supervision, release and Call routing
Digit collection and translation
Billing information collection
Mobility management (registration, location updating, inter
BSS and inter MSC call handoffs)
Paging and alerting
Management of radio resources during call.
Echo cancellation

2. Home location Register (HLR)

The HLR represents a central database software that Handles the management of the

mobile subscriber account.

It is referenced using the SS7 signaling capabilities for every incoming call to the GSM
network for determine the current location of the subscriber.
The HLR is kept updated with the current locations of all its mobile subscribers, including
those who may have roamed to other network operator within or outside the country.
The routing information is obtained from the serving VLR on a call by call basis, so that for
each incoming call the HLR queries the serving VLR for an MSRN(mobile station routing
Usually one HLR is deployed for each GSM network for administration of subscriber
configuration and services.
Besides the up to date information for each subscriber , which is dynamic , the HLR
maintains the following data on a permanent basis.

International mobile subscriber identity (IMSI)

Service subscription information.

Service restrictions

Supplementary services subscribed to

Mobile terminal characteristics

Billing/ accounting information.

3. Visitor Location Register (VLR)

The VLR represents a temporary database software
Generally there is one VLR per MSC.
This register contains information about the mobile subscribers

who are currently in the service area covered by the MSC/ VLR.
The VLR also contains information about locally activated features
such as call forwarding on busy.
Thus temporary subscriber information available in VLR includes:
Features currently activated
Temporary mobile station identity (TMSI)
Current location information about the MS.

4. Authentication Center (AuC)

It is the database that holds different algorithms that

are used for authentication & encryption of mobile

subscribers that verify the mobile users identity
It ensure the confidentiality of each call.
AuC protects network cellular operators from different
types of frauds and spoofing.
It contains the security modules for the authentication
Cipher key generation algorithms A3 is used for authentication
Cipher key generation algorithms A5 for encryption.

5. Equipment Identity Register (EIR)

The EIR is another database that keeps the information about

identify of ME such as IMEI.

IMEI reveals the details about the manufacturer, country production
and device type.
This information is used to
1. prevent calls from being misused
2. prevent unauthorized or defective MSS
3. report stolen mobile phones
4. check if the mobile is operating according to the specification of
its type.
Each ME is identified by IMEI which is memorized by the
manufacturer and cannot be removed.
By the registration mechanisms the MS always sends IMEI to the
network so that the EIR can memories and assign them to three

5. Equipment Identity Register (EIR)

White list: for all known, good IMEIs- are allowed to enter in

the network.
Black list: for bad or stolen handsets- are not allowed to
enter in the network
Grey list: for handsets/IMEIs that are uncertain- are
momentarily not allowed to enter in the network eg because of
software version is too old or because they are in repair.
In future there will be an interconnections between all the EIRs
to avoid the situation where a mobile stolen in one country can
be used in GSM network from a different country.

6. Interworking Function (IW)

IWF-is a subsystem in the PLMN (Public Land Mobile

It allows non speech communications between GSM and
other networks.
The task of IWF is particularly to adopt the transmission
parameters and protocol conversion.
The physical manifestation of an IWF may be through a
modem which is activated by MSC dependent on bearer service
and destination network.

7. OSS (Operation & Support System)


implementation of OMC is called the operation and support

system (OSS).
It supports operation and maintenance of systems and allows engineers to
monitor, diagnose and troubleshoot every aspect of GSM network.
OSS supports one or more OMC (operation maintenance center)
Used to monitor & maintain the performance of each MS, BS, BSS and MSC
within GSM system.
OSS has main 3 functions:
1. To maintain all telecommunication hardware & network operations with a
particular service area
2. Manage all ME in the system
3. Manage all charging and billing procedures.
. Within each GSM system, an OMC is dedicated to each of these tasks and has
a provision for adjusting all base station parameters and billing procedures .
. It provide the ability to determine their performance and integrity of each unit
of ME in the system.

The most important identifiers are associated with GSM system are:

1. International Mobile Subscriber Identity (IMSI):

The IMSI is assigned to an MS at subscription time. It uniquely identifies a given

When an MS attempts a call, it needs to contact a BS. The BS can offer its service
only if it identifies the MS as a valid subscriber.
For this MS needs to store certain values uniquely defined for the MS, like country
of subscription, network type, subscriber ID and so on.
The IMSI contains 15 digits and includes

Mobile Country Code (MCC)3 digits (home country)

Mobile Network Code (MNC)2 digits (Network provider Code)
Mobile Subscriber Identification code/Number (MSIC/MSIN)
National Mobile Subscriber Identity (NMSI)
Another use of IMSI is to find information about the subscribers
home PLMN

Format of IMSI

2. SIM (Subscriber Identity Module)

Every time the MS has to communicate with a BS, it must

correctly identify itself.

An MS does this by storing the mobile phone number, personal
information number for mobile station, authentication parameters
and so on, in the SIM card.
Smart SIM cards have a flash memory to store small messages to
the unit.
Advantage- it supports roaming with or without a cell phone, also
called SIM roaming.
Carry only the SIM card alone and insert in any GSM mobile
phone to make a it work as per customized MS.

3. Mobile System ISDN (MSISDN)

It identifies a particular MSs subscriber, with the format shown.

MCC- 1 to 3 digits, NDC-variable, SN- variable

The GSM actually does not identify a particular mobile phone, but a
particular HLR.
It is the responsibility of HLR to contact the mobile phone.

4. Location Area Identity (LAI)

GSM service area is usually divided

into a hierarchical structures.

Each PLMN area is divided into many
Each MSC typically contains a VLR to
inform the system if a particular cell
phone is roaming
Each MSC is divided into many
location areas (LAs).
An LA is a group of cells and is useful
when the MS is roaming in a different
cell but the same LA.
LA identifier should contain the
country code, the mobile network
code and LA code.

Each GSM mobile phone equipment is assigned a 15-bit long

international MS equipment identity number to contain

manufacturing information.
When the mobile phone equipment passes the interoperability tests, it
is assigned a type approval code.
Since a single mobile unit may not be manufactured at the same
place, a field in IMSEI, called the final assembly code, identifies the
final assembly place of the mobile unit.
To identify uniquely a unit manufactured, a Serial Number (SN) is
A spare digit is available to allow further assignment depending on

6. MS roaming Number (MSRN)

When an MS roams into another MSC, that unit has to be

identified based on the numbering scheme format used in that

Hence the MS is given a temporary roaming number called
MS roaming number (MSRN)
This MSRN is stored by the HLR and any calls coming to that
MS are rerouted to cell where the MS is currently located

As all transmission is sent through the air interface, there is a

constant threat to security of information sent.

A Temporary identity mobile subscriber identity (TMSI) is
usually sent in place of IMSEI.

GSM Air Interface Specifications

GSM standard air interface specifications

Sr. No.




Frequency Band

Uplink 890MHz-915MHz
Download 935MHz-960MHz


Special Allocation

50MHz (25 MHz each for Uplink &



Forward & Reverse channel

Frequency Spacing

45 MHz


Tx/Rx time slot spacing

3 time slots


RF channel BW

200 KHz (ARFCN channel spacing)


ARFCN number

0 to 124 & 975 to 1023


Multiple access technique



Duplexing Technique



Modulation scheme

GMSK (B* Tb = 0.3)


No. of time slots per RF channel


8 (users per frame full rate)

GSM standard air interface specifications

Sr. No.




Modulation data rate

270.833 kbps


Spectrum efficiency



Frame period



Time slot period

577 us


Bit period

3.692 us


Interleaving (max delay)

40 ms


Speech coding

RELP-LTP @ 13.4 kbps


Channel Coding


Type of equalizers

CRC with r = ; L=5 convolution



Handheld mobile Tx power

1 W max; 125mW avg

GSM signaling Protocol Architecture

Associated Interfaces
Air interface Um: wireless interface, specifies communication
between MS & BTS
2. A-bis Interface : specifies communication between BTS & BSC.
The support on this interface is for voice traffic at 64Kbps and
data/signaling traffic at 16 Kbps. Both types of traffic are carried
over LAPD (Link Access Protocol-D)
3. A Interface: specifies communication between BSC & MSC.
It uses an SS7 protocol called SCCP (signaling connection control
part) which supports communication between MSC & BSS.
It allows a service provider to use BS and switching equipment
made by different manufacturers.
. The protocol stack is divided into 3 layers.
Layer 1- Physical Layer
Layer 2- Data Link Layer (DLL)
Layer 3- Networking or messaging Layer

Layer 1 : Physical Layer

Is for Um Air interface
It specifies how the information from different voice

and data services are formatted into packets and sent

through the radio channel
It specifies the radio modem details, packaging of
variety of services into bits of a packet, traffic
structure and control packets.
It specifies
- modulation and coding techniques
- power control methodology
- Time synchronization

Layer II : DLL
Signaling and control data are conveyed through layer II & Layer III messages.
At link layer, a data link control protocol known as LAPDm is used where m is-

modified version of LPAD

LAPD is designed to convert a potentially unreliable physical layer into a
reliable data link.
It does this by using a cyclic redundancy check(CRC) to perform error detection
and Automatic Repeat Request (ARQ) to retransmit damaged frames.
Overall purpose of DLL is to check the flow of packets for layer III and allow
multiple service access point (SAP) with one physical layer.
DLL checks address and sequence number for layer III and manages
acknowledgements for transmission of the packets.
DLL allows two SAPs for signaling and SMS.
In GSM SMS is transmitted through a fake signaling packet that carries user
information over signaling channels.
DLL in GSM provides this mechanism for multiplexing the SMS data into
signaling streams.

Frame Format in Layer II in LAPDm

The length of LAPD packets (used in Layer I) and packets in LAPDm

(used in layer II) is same ie. 184 bits

But the format is adjusted to fit the mobile environment.

Address field : optional, identifies the SAP, protocol revision type &

nature of the message.

Control field: optional, holds the type of frame (command or response)
& transmitted and received sequence numbers.
Length Indicator : identifies length of the information field.
Fill in bits: all 1s bits to extend the to desired 184 bits.
Information Bits: carries the layer III payload data.

Layer III: Networking or Signaling Layer

This layer implements the protocols needed to support the

mechanisms required to establish, maintain and terminate a

mobile communication session.
Also responsible for supplementary and SMS services.
Information bits of Layer II packets specify the operation of a
layer III message.
These fields are further divided into several fields.

Message Format In Layer III:

1. Transaction Identifier (TI) : used to identify a procedure or protocol that consists of a

separate messages. It allows multiple procedures to operate in parallel.

2. Protocol Discriminator (PD): identifies the category of the operations
(management, supplementary services, call control and test procedure).
3. Message Type (MT): identifies the type of message for a PD.
4. Information elements (IE): optional field for the time that an instruction carries
some information specified by IEI
The number of Layer III messages is much larger than the number of Layer II
GSM standards divides Layer III messages into 3 sub-layers
1. Radio Resource Management (RRM)
2. Mobility management (MM)
3. Communication Management (CM)

1. Radio Resource Management (RRM):

It manages the frequency of operation and quality of radio link.
The RRM functions are mainly performed by the MS & the

The main responsibilities of RRM are:
To assign the radio channel
Hop to new channels in the implementation of the slow

frequency hopping option

To manage hand-off procedures
To manage management reports from MS for hand off
To implement power control procedure
To adopt timing advance for synchronization

2. Mobility Management (MM):

These functions are handled by the MS/SIM, the MSC/VLR

and HLR/AuC.
It handles mobility issues that are not directly related to the
radio and include management of security functions.
The major functions of MM are
Location update
Registration procedures
Authentication procedures
TMSI handling
Attachment & detachment procedures for the IMSI.

3. Communication Management (CM):

It is used to establish, maintain and release the circuit

switched connection between the calling and called subscribers

of GSM network.
Specific procedures for CM include
mobile originated & mobile terminated call establishment
Change of transmission mode during the call
Control of dialing using dual-tones
Call re-establishment
Supplementary service management and SMS management

Common channel 7 (CC7) or Signalling System (SS7) signaling

SS7 signaling protocols are mainly used for
Basic call set up, call management
Wireless services such as PCS
Wireless roaming
Mobile subscriber authentication
Local number portability
Toll free and toll wireline services
Enhanced call features like call forwarding, calling party

name/number display, three way calling

Efficient and secure worldwide telecommunications
It also provides error correction & retransmission

capabilities to allow continued services in case of link

SS7 signalling

Signaling points in SS7 network

1)Service switching point (SSP)
2)Signal transfer point (STP)
3)Service control point (SCP)
1.Service Switching Point (SSP): are switches that originates, terminates

calls. A SSP sends signaling messages to other SSPs to set up, manage and
release voice circuit required to complete a call.
2.Service Control Point (SCP): is a centralized database. An SSP send a
query message to STP to determine how to route a call. An SCP sends a
response to originating SSP containing the routing number(s) associated
with the dialed number. (An alternate routing number may be used if
number is busy).
3.Signal Transfer Point (STP): is a packet switch through which network
traffic between signaling points may be routed based on routing
information in SS7 message.

GSM channels
Uplink Frequency = 890MHz- 915 MHz (Forward)
Downlink Frequency = 935 MHz- 960 MHz (Reverse)
The available 25 MHz spectrum is divided into 124 FDM channels
Each occupy 200 KHz with 100 KHz guard band at two edges of the
The available Forward & reverse frequency bands are divided into 200
KHz wide channels called ARFCN (Absolute Radio Frequency Channel

Physical Channels
When an MS and a BTS communicate, they do so on a specific

pair of radio frequency (RF) carriers, one for the up-link and the
other for the down-link transmissions, and within a given time
slot. This combination of time slot and carrier frequency
forms what is termed a physical channel.
One RF channel will support eight physical channels in time

slots zero through seven.

GSM Logical channels :

Logical channels are

set of instructions and ports to instruct

different elements of cellular network to perform their specified
Each physical channel is mapped into different logical channels at
different times.
Each specific time slot or frame may be dedicated to either
traffic data (user data such as speech, facsimile or teletext data)
signaling data or control channel data (from MSC, BS or MS)
Logical channel use a physical TDMA slot or a portion of a
physical slot to specify an operation in the network in GSM.
GSM uses variety of multiplexing techniques to create a collection
of logical channels.

Logical channels in GSM:

Types of GSM Logical channels

1. Traffic channels (TCHs) :
The traffic channels are intended to carry encoded
speech or user data.
2. Control Channels (CCHs)
The control channels are intended to carry
signaling and Synchronization data between the
base station and the Mobile station.

1. Control Channels (CCH)

Control channels carry signaling information between an
MS and a BTS.
There are several forms of control channels in GSM
They can generally be divided into three categories
according to the manner in which they are supported on
the radio interface and the type of signaling information
they carry.
1.Broadcast control channel
2.Common control channel
3.Dedicated control channel

1. a) Broadcast Channel (BCH)

Broadcast control channels are transmitted in downlink direction
only i.e. only transmitted by BTS.
The broadcast channels are used to broadcast synchronization and
general network information to all the MSs within a cell ,such as
Location Area Identity (LAI) and maximum output power.
It has three types :

1.a.1) Broadcast Control Channel (BCCH)

The broadcast control channel(BCCH) is used to broadcast

control information to every MS within a cell.

This information includes details of the control channel

configuration used at the BTS, a list of the BCCH carrier

frequencies used at the neighboring BTSs and a number of
parameters that are used by the MS when accessing the BTS.
Use normal burst.

BCCH (contd)
Broadcast Control channel, BCCH include the Location Area

Identity (LAI), maximum output power allowed in the cell

and the BCCH-carriers for the neighboring cells, on which
the MS will perform measurements.
BCCH is transmitted On the downlink, point-to-multipoint.
The MS is tuned to a base station and synchronized with the

frame structure in this cell.

The base stations are not synchronized to each other, so every
time the MS decides to camp on another cell, its FCCH, SCH and
BCCH have to be read.

1.a.2) Frequency Correction Channel (FCCH)

Used for the frequency correction / synchronization of a mobile

The repeated (every 10 sec) transmission of Freq Bursts is called
This serves two purposes
1. one is to make sure this is the BCCH-carrier
2. the other is to allow the MS to synchronize to the frequency.

FCCH is transmitted on the downlink, point-to-multipoint.

.Frequency Correction Burst.

1.a.3) Synchronisation Channel (SCH)

Allows the mobile station to synchronize time wise with the

Repeated broadcast (every 10 frames) of Synchronization Bursts
is called (SCH)
The MS receives the TDMA frame number and also the Base
Station Identity Code. BSIC, of the chosen base station. BSIC
can only be decoded if the base station belongs to the GSM
SCH is transmitted on the downlink, point to multipoint.
Synchronization Burst

1.b) Common Control Channel (CCCH)

The common control channels are used by an MS during

the paging and access procedures. Common control

channels are of three types.

1.b.1) Paging Channel (PCH)

Within certain time intervals the MS will listen to the

Paging channel, PCH, to see if the network wants to get in

contact with the MS. The reason could be an incoming call
or an incoming Short Message.
The information on PCH is a paging message, including the
MSs identity number (IMSI) or a temporary number
PCH is transmitted on the downlink, point-to-point.
Use normal burst.

1.b.2) Random Access Channel (RACH)

If listening to the PCH, the MS will realize it is being paged. The

MS answers, requesting a signaling channel, on the Random

Access channel, RACH. RACH can also be used if the MS wants
to get in contact with the network, e.g. when setting up a mobile
originated call.
RACH is transmitted on the uplink, point-to-point.
It is termed random because there is no mechanism to ensure that
no more than one MS transmits in each RACH time slot and there
is a finite probability that two mobiles could attempt to access the
same RACH at the same time.
Use Access Burst.

1.b.3)Access Grant Channel (AGCH)

The access grant channel (AGCH) is carried data which

instructs the mobile to operate in a particular physical

channel (Time slot or ARFCN).
The AGCH is used by the network to grant, or deny, an

MS access to the network by supplying it with details of a

dedicated channel, i.e. TCH or SDCCH, to be used for
subsequent communications.
The AGCH is a down-link only channel.
Use normal burst.

1. c) Dedicated Control Channel (DCCH)

Signaling information is carried between an MS and a BTS using

associated and dedicated control channels during or not during a

They are of three types.






1.c.1) Slow Associated Control Channel

Non-urgent information, e.g. transmitter power control, is transmitted using

the slow associated control channel (SACCH).

On the uplink MS sends averaged measurements on own base station (signal
strength and quality) and neighboring base stations (signal strength).
On the downlink the MS receives system information, which transmitting
power and what timing advance to use.
It is transmitted at 13 th Frame of TCH. As seen, SACCH is transmitted on both
up-and downlink, point-to-point.
This channel is always present when a dedicated link is active between the MS
and BTS, and it occupies one timeslot in every 26.
SACCH messages may be sent once every 480ms, i.e. approximately every 2 s.
Use normal burst.

1.c.2) Fast Associated Control Channel (FACCH)

More urgent information, e.g. a handover command, is sent using

time slots that are stolen from the traffic channel.

If, suddenly, during the conversation a handover must be performed
FACCH, is used.
FACCH works in stealing mode, meaning that one 20 ms segment
of speech is exchanged for signaling information necessary for
the handover. The subscriber will not recognize this interruption in
speech since the speech coder will repeat the previous speech block.
This channel is known as the FACCH because of its ability to
transfer information between the BTS and MS more quickly
than the SACCH.
A complete FACCH message may be sent once in every 20 ms.
Use normal burst.

1.c.3) Standalone Dedicated Control Channel

In some situations, signaling information must flow between a network

and an MS when a call is not in progress, e.g. during a location

This could be accommodated by allocating either a full-rate or half-rate
TCH and by using either the SACCH or FACCH to carry the
This would, however, be a waste of the limited radio resources. So a
low data rate channel about 1/8 of TCH/F is defined.
The channel is termed stand-alone because it may exist
independently of any TCH.
SDCCH is transmitted on both up-and downlink point-to-point.
The MS is on the SDCCH informed about which physical channel
(frequency and time slot) to use for traffic (TCH).
Use normal burst.

2. Traffic Channels:
Voice channels are called Traffic channels (TCH) in GSM.
2 way channels carrying voice & Data traffic between MS & BTS.
Traffic channels carry digitally encoded user speech or user

It have identical functions and formats on both the forward and
reverse link.
Types of Traffic Channels:
Half Rate : bit rate of 11.4 Kb/s (TCH/H)
Full Rate: bit rate of 22.8 Kb/s (TCH/F)

Channel Mapping
1. When the MS is turned on it will listen to the FCCH in order to
synchronize to the carrier frequency
2. Then the MS listen to the SCH to get info on the TDMA frame structure
3. The MS will then listen to the BCCH to get info such as location area,
Max allowed O/P power & neighboring cells
4. The MS will periodically listen to the PCH to determine if someone is
trying to call it.
5. If the MS hears a page it will use the RACH to ask for access to the
system in order to respond to the incoming call.

6.The system will give access using the AGCH

7.The system uses the AGCH to tell the MS which SDCCH to
use for complete the Call Setup.
8. When the MS gets the SDCCH, it also gets a SACCH.
Which the system uses to regulates the O/P power of the MS
& gives it timing advance info.
9. The MS is given a TCH to use by the SDCCH. The MS
tunes to it during the call.
10. During a call if a handover is required to a neighboring
cell, the FACCH will be used to exchange the necessary info.

Frame structure Designing Requirements:


Frequency Band of Operation: around 900MHz

Number of Logical Channels or Number of Time slots in
TDMA frames: 8 frames to serve 8 simultaneous users
Channel Bandwidth: 25 KHz . To serve 8 mobile subscribers
using TDMA, Channel BW= 8*25= 200 KHz
Maximum Cell Radius (R): max 35km
Maximum Vehicle Speed (Vm): 250km/h
Maximum Delay Spread (m): 10 sec
Maximum Coding Delay: 20ms

Designing Steps of TDMA

time slot:
12Kbps *

240 bits

480 bits +
(2*4)=488 bits

Minimum Bit Rate

Number of bits in one channel= 488 bits
Number of channels or time slots = 8
Total number of bits in 8 time slots = 488 bits * 8 =

3904 bits
Duration of 1 speech block = 20 ms
Overall minimum channel bit rate = 3904bits/20ms
= 195.2kbps

Duration of Data transmission in a time slot

Maximum transmission duration (one way) = (c/20)/ Vm

= (0.333m/20)/250km/h = 0.24ms
Maximum transmission duration (two way) = 2 * 0.24ms
Duration of Data transmission in a time slot Td= 0.48ms

Time needed for training sequence in the time slot = 6*m

= 6*0.01ms = Tts = 0.06ms

Guard Time calculation:

Let Average duration of the voice call = 120 seconds
Maximum vehicle speed of the mobile = 250km/h
Radial distance a mobile moving towards or away from the BS

located at the center of the cell = (250km/h) * (120s) = 8333m

The change in propagation delay = 8333m/(3*108 m/s ) = 0.03ms
So required duration for Guard interval =Tg= 0.03ms
Maximum Time duration of a time slot =Ts= Td+ Tts+ Tg
= 0.48ms + 0.06ms + 0.03ms = 0.57ms
Number of time slots in a TDMA frame = 8
Duration of a TDMA frame = 8*0.57ms = 4.6ms

TDMA time slot with approximate field

(Td)/2 =<


(Td)/2 =<


This is a tentative design of a time slot indicating 2

blocks of data before and after the training sequence
and guard time.
This is quite close to actual design of a TDMA time
slot and frame structure used in GSM.

GSM basic Frame structure

TB :Trail Bits:3 bits at the start and at the end excluding Guard bits
Coded/Encrypted Data : two 57 bits data fields i.e.114 cipher text bits
Stealing Bit : 1 bit each at the end of two 57 bit data field. It indicate whether this

block contains data or stolen (for urgent control signaling)

Training Data : 26 bits, known bit pattern that differs for different adjacent cells. Used
for multipath equalization to extract the desired signal from unwanted reflections.
Guard Bits: 8.25 bits, used to avoid overlapping with other bursts due to different
path delays.

GSM Super frame


GSM Hyperframe format

Simplified Hyperframe

GSM Frame Hierarchy

Burst and Frames

The information contained in one time slot on the

TDMA frame is call a slot on the TDMA frame is call a

Five types of burst:
Normal Burst (NB)
Frequency Correction Burst (FB)
Synchronization Burst (SB)
Access Burst (AB)
Dummy Burst

1. Normal Burst

Access/ RACH Burst

Frequency Correction Burst

Synchronization Burst

Dummy Burst

GSM Speech Coding

The speech signal is compressed using an algorithm known as

Regular Pulse Excited-Linear Predictive Coder (RPE-LPE)

The GSM speech coder is based on the Residually Excited
Linear Predictive Coder (RELP), enhanced by a long term
predictor (LTP)
Based on significance in contributing to speech coding, Speech
coder output bits can be divided into 3 classes:
1. Class Ia: 50 bits, most sensitive to bit errors
2. Class Ib: 132 bits, moderately sensitive to bit errors
3. Class II: 78 bits, least sensitive to bit errors

Coded Speech Packets

+ 3)


(189 * 2=

Interleaving User Traffic Data

Purpose: to improve the signal quality by distributing the effects of fading

among several mobile subscribers receiving data simultaneously from BS.

Interleaving is the method that maps the 20 ms of the traffic into the 456
bits as shown in figure.
Each 456 bit encoded data within each 20 ms traffic frame is divided into eight
57 bit sub blocks forming a single speech frame.

Packets of Signaling channel in GSM

A number of signaling or control channels are used to determine how

the traffic data are in the network.
Signaling channels employing the normal burst use 184 signaling bits
in 20 ms duration to convey the signaling message.
These bits are first block coded with 40 additional parity check bits
and 4 tail bits to form 228 bit block.
The 228 bits block is then coded with a conventional encoder having
The output of a 456 bit packet occupying a 20-ms a lot is required
packet of signaling which is transmitted.

Packets of Data Traffic

The 192 bits (9600 bps transmission data rate * 20ms) of users data

information is accomplished by 48 bits of signaling data and 4 tail bits

to form a (192 + 48 + 4 =) 244 bits packets.
It is encoded using a rate punctured convolution encoder.
Punctured coding can eliminate the need for duplicating the number
of transmitted bits by puncturing a certain number of bits.
The resulting coded data packet of 456 bits are transmitted in normal

Channel coding for Traffic/ control Data

The traffic data is processed in blocks of 240 bits every 20ms for actual

supported data rates of 9.6 kbps, 4.8 kbps & 2.4 kbps.
Each block is augmented by four tail bits.
A convolution code (1,2,5) is used to produce a block of 244*2 = 488 bits.
Then 32 bits of this block are puncturing, resulting into a data block of
Each burst carries information from 5 or 6 consecutive data blocks.
A bit interleaving scheme is used to spread the data over multiple bursts.
The 488 bits are spread over 22 bursts in the following fashion.
The 1st and 22nd burst carry 6 bits each
The 2nd and 21st burst carry 12 bits each.
The 3rd and 20th bursts carry 18 bits each.
The 4th through 19th bursts carry 24bits each.

Security in GSM
Security is implemented to prevent unauthorized use of the

mobile subscriber number over the air.

The voice conversations need to encrypted using secrecy
algorithm in GSM.
Authentication is done with the help of a pre- defined protocol
that is used to compare IMSI of MS reliably.
A unique secret key (128 bits) is stored in SIM card.
It uses 3 algorithms
1. A3 for Authentication (verify users password within SIM)
2. A5 for confidentiality (it scramble coded data)
3. A8 generate privacy key that used to encrypt voice or data

GSM - authentication

Authentication Process

Authentication Process

GSM - key generation and encryption

Call Flow Sequence in GSM.

A typical call flow in GSM include
Location Updating
Mobile call origination
Mobile call termination
Authentication and ciphering
Inter MSC handoff

Location Updating

Location area old






Location area





1. The MS sends a location update request to VLR (new)



via the BSS and MSC.

The VLR sends a location update message to the HLR
serving the MS which includes the address of the
VLR(new) and the IMSI of the MS. This updating of
the HLR is not required if the new LA is served by the
same VLR as the old LA
The service and security related data for the MS is
downloaded to the new VLR.
The MS is sent an acknowledgment of successful
location update.
The HLR requests the old VLR to delete data relating to
the relocated MS.

Location Updating:

Mobile call origination










Mobile call origination (Sequence)



The MS sends the dialed number indicating service requested to the

MSC (via BSC).
The MSC checks from the VLR if the MS is allowed the requested
service. If so, MSC asks the BSS to allocate necessary resources
for the call.
If the call is allowed, the MSC routes the call to GMSC.
The GMSC routes the call to the local exchange of the called user.
The Local Exchange (LE) alerts (applies ringing) the called
Answer back (ring back tone ) from the called terminal to LE
Answer back signal is routed back to the MS through the serving
MSC which also completes the speech path to the MS.

Mobile call termination.

















The PSTN user dials the MSISDN of the called user in GSM
2. The LE routes the call to the GMSC of the called user
3. The GMSC uses the dialed MSISDN to determine the serving HLR for the GSM
user and interrogates it to obtain the required routing number.
4. The HLR requests the current serving VLR for the called MS for a MSRN so that
the call can be routed to the correct MSC.
5. The VLR passes the MSRN to HLR.
6. The HLR passes the MSRN to GMSC.
7. Using the MSRN the GMS routes the call to the serving MSC.
8. The MSC interrogates the VLR for the current Location Area identity for the MS.
9. The VLR provides the current location for the MS.
10. The MSC pages the MS via the appropriate BSS. The MS responds to the page
and sets up the necessary signalling links.
11. When the BSS has established the necessary radio links, the MSC is informed and
the call is diverted to the MS.
12. When the MS answers the call, the connection is completed to the calling PSTN

Mobile call origination in GSM

First, the subscriber unit must be synchronized to a nearby base station as it monitors the BCH. By

receiving the FCCH, SCH, and BCCH messages, the subscriber would be locked on to the system and
the appropriate BCH.
To originate a call, the user first dials the intended digit combination and presses the "send" button on

the GSM phone.

The mobile transmits a burst of RACH data, using the same ARFCN as the base station to which it is

The base station then responds with an AGCH message on the CCCH which assigns the mobile unit to a

new channel for SDCCH connection.

The subscriber unit, which is monitoring TS 0 of the BCH, would receive its ARFCN and TS assignment

from the AGCH and would immediately tune to the new ARFCN and TS.
This new ARFCN and TS assignment is physically the SDCCH (not the TCH).
Once tuned to the SDCCH, the subscriber unit first waits for the SACCH frame to be transmitted (the

wait would last, at most, 26 frames or 120 ms, which informs the mobile of any required timing advance
and transmitter power command.
The base station is able to determine the proper timing advance and signal level from the mobile's earlier

RACH transmission and sends the proper value over the SACCH for the mobile to process.

Upon receiving and processing the timing advance information in the SACCH, the subscriber is now
able to transmit normal burst messages as required for speech traffic.

The SDCCH sends messages between the mobile unit and the base station, taking care of

authentication and user validation, while the PSTN connects the dialed party to the MSC,
and the MSC switches the speech path to the serving base station.
After a few seconds, the mobile unit is commanded by the base station via the SDCCH to

retune to a new ARFCN and new TS for the TCH assignment.

Once retuned to the TCH, speech data is transferred on both the forward and reverse

links, the call is successfully underway, and the SDCCH is vacated.

When calls are originated from the PSTN
The process is quite similar. The base station broadcasts a PCH message during TS 0

within an appropriate frame on the BCH. The mobile station, locked on to that same
ARFCN, detects its page and replies with an RACH message acknowledging receipt of
the page.
The base station then uses the AGCH on the CCCH to assign the mobile unit to a new

physical channel for connection to the SDCCH and SACCH while the network and the
serving base station are connected.
Once the subscriber establishes timing advance and authentication on the SDCCH, the

base station issues a new physical channel assignment over the SDCCH, and the TCH
assignment is made.

Authentication and Encryption








The authentication and ciphering functions in GSM are closely linked and are performed as a

single procedure between the MS and the network.

The security procedures in GSM is based on the so called private key mechanism, which

requires that a secret key (Ki) be allocated and programmed into each MS.
An authentication algorithm A3, a cipher key generation algorithm A8 and an encryption

algorithm A5 are also programmed into the MS at the time of service provisioning.
Steps in authentication process are:



At the terminal location update, VLR sends IMSI to the HLR.

HLR returns security triplets (RAND, SRES, KC) to the VLR
For authentication and Ciphering the VLR sends RAND to the MS.
Using the stored A3 algorithm and Secret key Ki stored in the SIM, and RAND
provided by the VLR the MS calculates the SRES and returns it to the VLR. Using
the A8 algorithm and Ki, the MS also calculates the cipher key Kc.
If the SRES returned by the MS matches with the stored SRES in the VLR, the
VLR sends the Cipher key Kc to the BTS which uses Kc for ciphering the radio
path (downlink).

The MS uses its Kc to cipher the radio path (Uplink) using encryption
algorithm A5.

GSM Call Procedure

There are three mechanisms of call establishment which are
embedded in all voice oriented cellular communication networks
that allow a mobile subscriber to establish and maintain connection
with the network.
These mechanisms are:
Registration: of the mobile subscriber takes place as soon as the
mobile subscriber unit is switched on.
Call establishment: occurs when the mobile subscriber initiates or
receives a call
Hand-off procedures: enables the MS to change its connection
link from one part of the network to another part.

GSM call Procedures

Mobile to Network Call

Network to Mobile Call

GSM Hand-off Procedures

A) Intracell-cum-intraBTS Hand off: when high

interference occurs during the call (within a cell). Initiated

by the BS
B) Intercell cum Intra BSC Hand off: when interference
between two cells served by same MSC. Initiated by
serving BSS to MSC
C) Inter BSC cum Intra MSC Hand off: when interference
between two cells served by different BSC but operate in
same MSC. Initiated by MSC
D) Inter MSC Hand off: when interference between two cells
that are in different MSCs. Initiated by MSC

GSM Handoff Procedures

Hand off involving a Single MSC and 2 BSSs

GSM services and Features

GSM provides a number of value added services
GSM services are classified into 3 categories
1. Telephone Services : provides Full-duplex voice communication

application between calling & called subscribers.

2. Data or Bearer Services: provides capabilities to transmit
information among user network interfaces.
It include a variety of asynchronous and synchronous data access to
PSTN/ISDN and packet switched public data networks either in a
transparent mode(where GSM provides standard channel coding for the
user data) or
nontransparent mode (where GSM offers special coding efficiencies )
3. Supplementary ISDN services: digital signaling services that
supplement telephone services or data services
eg. SMS (160 7-bit ASCII characters)

GSM Service Quality Requirements

GSM standards specify various requirements on the quality of service

The time from switching to service ready of 4 seconds in the home service area
The time from switching to service ready of 10 seconds in the visiting service

A connect time of 4 seconds to the called network
A release time of 2 seconds to the called network
The time to alert a called mobile subscriber of an incoming call of 4 second in
the first attempt and 15 seconds in the subsequent attempts.
A maximum time gap due to hand off of 150ms in intercell Handover
A maximum time gap due to hand off of 150ms in intracell Handover
A maximum one way speech delay of 90ms
An intelligibility of speech of 90%
Probability of call release failure rate of less than 0.02%
Probability of misconnection, incorrect charging, no tone or similar failure of
less than 0.01%
Probability of losing HLR/VLR messages of less than 0.000001%

Power Classes in GSM

Power management has direct impact on quality of services and

battery life.
There are 3 major classes of mobile phones.
1. Vehicle mounted (use car battery)
2. Portable (use larger rechargeable batteries)
3. Handheld (use low capacity smaller rechargeable batteries)
There are 5 power classes for mobile phones from +29dBm (0.8W)

upto +44bBm (20W) with 4-dB separation between consecutive

mobile phones.
There are 8 power classes for the BTS radiated power ranging from

+34dBm (2.5W) up to +55dBm (320W) in 3-dB steps.

GSM transmitter Power Classes

Frequency Hopping in GSM

Slow frequency hopping pattern: method to reduce effect of the

frequency selective fade or excessive cochannel interference.

It supports frequency hopping pattern of 217.6 hops per seconds
Those cells that are located in areas of severe fading are designated
as Hopping cells.
Maximum frequency hopping for downlink =(25/900 ) *100=2.8%
With 2.8% of maximum hopping, time spent by a rapidly moving
mobile user in a deep fade is reduced to about 4.6ms, which matches
with the frame duration.
In case of slowly moving mobile subscribers such as pedestrians, the
frequency hopping procedures substantial gains against fades.