Training report on
Industrial training at
IDEA
Submitted to:-
Submitted by:-
Atul Sharma, B.Tech II year, ECE
Maharaja Agrasen Institute Of Technology,
GGSIPU
Under:- Mr. Hemraj Mandal
Start Date for Internship:-June 24th 2013
End Date for Internship:-July 30th 2013
Preface
This report documents the work done during the summer internship at
Idea Cellular Pvt. Ltd., Vikaspuri, Delhi, under the guidance of Mr.
Manmohan Gaur. The report shall first give an overview of the tasks
performed during the period of internship, then the technical details of
GSM and its various interfaces, and the conclusions drawn from them.
The report shall also elaborate on the future scope of GSM
technology.
I have tried my best to keep the report simple yet technically correct. I
hope I succeed in my attempt.
Atul Sharma
Acknowledgement
On the very outset of this report, I would like to extend my sincere &
heartfelt obligation towards all the personages who have helped me in
this endeavour. Without their active guidance, help, cooperation &
encouragement, I would not have made headway in the project.
First and foremost, I would like to express my sincere gratitude to my
project guide, Mr. Hemraj Mandal.
I was privileged to experience a sustained enthusiastic and involved
interest from his side. This fuelled my enthusiasm even further and
encouraged me to boldly step into what was a totally dark and
unexplored expanse before me.
I would also like to thank Mr. Manmohan Gaur who, in spite of his
busy schedule, always guided me in the right direction.
Last but not least, I would like to thank Mr. Arun Sharma for
teaching and helping me at every stage.
I extend my gratitude to Maharaja Agrasen Inst. Of Tech. for giving
me this opportunity.
Thank You
Atul Sharma
Table of Contents
Abstract
Introduction to GSM
What is GSM?
GSM history
Advantage of GSM
Technical details
Three Subsystem of GSM
Base station subsystem (BSS)
Base Station Controller (BSC)
Base Transceiver Station (BTS)
Transcoder (TC)
Network switching subsystem
Mobile Services Switching Centre (MSC)
Visitor Location Register (VLR)
Home Location Register (HLR)
Authentication Centre (AC)
Equipment Identity Register (EIR)
Network management subsystem
Transmission
Introduction to radio transmission
Frequency Division Multiple Access (FDMA)
Absolute Radio Frequency Channel Number (ARFCN)
Time Division Multiple Access (TDMA)
Time Frames
Time slots
Multiple frames
Control channel
Traffic channel
Super frame
Hyper frame
Physical and Logical channel
Logical channel
Signalling channel
Broadcast channel
Common control channel
Dedicated control channel
Traffic channel
Full rate
Half rate
Data Burst
Normal burst
Frequency correction burst
Synchronisation burst
Access burst
Frequency hopping
Traffic management
Location update
Handover
Timing advances
Authentication and Encryption
Authentication procedures
Mobile originated call
Mobile terminated call
Future scope
Conclusion
Abstract
This project is part of the summer training at Idea Cellular
Pvt. Ltd., Delhi, and covers analysis and knowledge of GSM.
GSM is used worldwide and has advantages over other
systems for mobile communication. The report details the
GSM structure and its features, and the subsystems of GSM
and their roles while initiating and terminating a call.
It covers techniques such as FDMA and TDMA and the
aspects of call traffic and transmission carried out in
mobile networking. It also describes the future scope of
using GSM.
Introduction to GSM
What is GSM?
GSM is a digital cellular network. At the time the standard was
developed it offered much higher capacity than the current analog
systems. It also allowed for a more optimal allocation of the radio
spectrum, which therefore allows for a larger number of subscribers.
GSM offers a number of services including voice communications,
Short Message Service (SMS), fax, voice mail, and other
supplemental services such as call forwarding and caller ID.
Currently there are several bands in use in GSM. 450 MHz, 850
MHz, 900 MHz, 1800 MHz, and 1900 MHz are the most common
ones.
Some bands also have Extended GSM (EGSM) bands added to them,
increasing the amount of spectrum available for each band.
GSM makes use of Frequency Division Multiple Access (FDMA) and
Time Division Multiple Access (TDMA).
Figure: GSM antenna
GSM history
At the beginning of the 1980s it was realised that the European
countries were using many different, incompatible mobile phone
systems. At the same time, the need for telecommunication services
had increased remarkably. Due to this, CEPT (Conférence
Européenne des Postes et Télécommunications) founded a group to
specify a common mobile system for Western Europe. This group was
named “Groupe Spéciale Mobile” and the system name GSM arose.
This abbreviation has since been interpreted in other ways, but the
most common expression nowadays is Global System for Mobile
communications.
At the beginning of the 1990s, the lack of a common mobile system
was seen to be a general, worldwide problem. For this reason the
GSM system has now spread also to the Eastern European countries,
Africa, Asia and Australia. The USA, South America in general and
Japan had made a decision to adopt other types of mobile systems
which are not compatible with GSM. However, in the USA the
Personal Communication System (PCS) has been adopted, which uses GSM
technology with a few variations.
During the time the GSM system was being specified, it was foreseen
that national telecommunication monopolies would be disbanded.
Advantage of GSM
Due to the use of the common GSM system across the world, it
offered many advantages as follows:-
GSM uses radio frequencies efficiently, and due to the digital radio path, the system tolerates more intercell disturbances.
The average quality of speech achieved is better than in analogue cellular systems.
Data transmission is supported throughout the GSM system.
Speech is encrypted and subscriber information security is guaranteed.
Due to the ISDN compatibility, new services are offered compared to the analogue systems.
International roaming is technically possible within all countries using the GSM system.
The large market increases competition and lowers the prices both for investments and usage.
Technical details
GSM is a cellular network, which means that mobile phones connect
to it by searching for cells in the immediate vicinity. GSM networks
operate in four different frequency ranges. Most GSM networks
operate in the 850 MHz and 1900 MHz bands. The rarer 400 and 500
MHz frequency bands are assigned in some countries, notably
Scandinavia, where these frequencies were previously used for
first-generation systems.
In the 900 MHz band the uplink frequency band is 890-915 MHz, and
the downlink frequency band is 935-960 MHz. This 25 MHz
bandwidth is subdivided into 124 carrier frequency channels, each
spaced 200 kHz apart. Time division multiplexing is used to allow
eight full-rate or sixteen half-rate speech channels per radio frequency
channel. There are eight radio timeslots (giving eight burst periods)
grouped into what is called a TDMA frame. Half rate channels use
alternate frames in the same timeslot. The transmission power in the
handset is limited to a maximum of 2 watts in GSM 850/900 and 1
watt in GSM 1800/1900.
GSM has used a variety of voice codecs to squeeze 3.1 kHz audio
into between 5.6 and 13 Kbit/s. Originally, two codecs, named after
the types of data channel they were allocated, were used, called
Half Rate (5.6 Kbit/s) and Full Rate (13 Kbit/s). These used a
system based upon linear predictive
coding (LPC). In addition to being efficient with bit rates, these
codecs also made it easier to identify more important parts of the
audio, allowing the air interface layer to prioritize and better protect
these parts of the signal. GSM was further enhanced in 1997 with the
Enhanced Full Rate (EFR) codec, a 12.2 Kbit/s codec that uses a full
rate channel.
The modulation used in GSM is Gaussian Minimum-Shift Keying
(GMSK), a kind of continuous-phase frequency shift keying. In
GMSK, the signal to be modulated onto the carrier is first smoothed
with a Gaussian low-pass filter prior to being fed to a frequency
modulator, which greatly reduces the interference to neighbouring
channels (adjacent channel interference).
Three subsystem of GSM
In a GSM network, this decentralised intelligence is implemented by
dividing the whole network into three separate subsystems:
Network Switching Subsystem (NSS)
Base Station Subsystem (BSS)
Network Management Subsystem (NMS)
Base Station Subsystem (BSS) is responsible for handling
traffic and signalling between a mobile phone and the network
switching subsystem. The BSS carries out transcoding of speech
channels, allocation of radio channels to mobile phones,
paging transmission and reception over the air interface and many
other tasks related to the radio network.
The Base Station Subsystem consists of the following elements:
Base Station Controller (BSC)
Base Transceiver Station (BTS)
Transcoder (TC)
The Base Station Controller (BSC) is the central network
element of the BSS and it controls the radio network. This means that
the main responsibilities of the BSC are: Connection establishment
between MS and NSS, Mobility management, Statistical raw data
collection, Air and A interface signalling support.
The Base Transceiver Station (BTS) is a network element
maintaining the Air interface. It takes care of Air interface
signalling, Air interface ciphering and speech processing. In this
context, speech processing refers to all the functions the BTS
performs in order to guarantee an error-free connection between the
MS and the BTS.
Figure: Base Transceiver Station (BTS)
The Transcoder (TC) is a BSS element taking care of speech
transcoding, i.e. it is capable of converting speech from one digital
coding format to another and vice versa. We will describe more about
the Transcoder functions later.
Figure: Base Station Subsystem (BSS)
Network switching subsystem (NSS) (or GSM core
network) is the component of a GSM system that carries out call
switching and mobility management functions for mobile
phones roaming on the network of base stations.
The elements of Network Switching Subsystem are:
MSC (Mobile Services Switching Centre)
VLR (Visitor Location Register)
HLR (Home Location Register)
Authentication Centre (AC)
Equipment Identity Register (EIR)
The MSC (Mobile Services Switching Centre) is responsible
for controlling calls in the mobile network. It identifies the origin and
destination of a call (either a mobile station or a fixed telephone in
both cases), as well as the type of a call. An MSC acting as a bridge
between a mobile network and a fixed network is called a Gateway
MSC.
The VLR (Visitor Location Register) carries out location
registrations and updates. A VLR database is always temporary (in
the sense that the data is held as long as the subscriber is within its
service area).
The HLR (Home Location Register) maintains a permanent
register of the subscribers. In addition to the fixed data, the HLR also
maintains a temporary database which contains the current location of
its customers. This data is required for routing calls.
Authentication is a procedure used in checking the validity and
integrity of subscriber data. With the help of the authentication
procedure the operator prevents the use of false SIM modules in the
network.
Equipment Identity Register (EIR): An option exists in GSM
where the network may check the validity of the mobile station
hardware. The mobile station is requested to provide the
International Mobile Equipment Identity (IMEI) number. This
number consists of type approval code, final assembly code and serial
number of the mobile station. The network stores the IMEI numbers
in the Equipment Identity Register (EIR).
Figure: Network switching subsystem (NSS)
The Network management subsystem (NMS) is the
operation and maintenance related part of the network and it is needed
for the control of the whole GSM network. The network operator
observes and maintains network quality and service offered through
the NMS. The three subsystems in a GSM network are linked by the
Air, A and O&M interfaces as shown.
Figure: Three subsystems of GSM and their interfaces
TRANSMISSION
Introduction to radio transmission
In a mobile communications network, part of the transmission
connection uses a radio link and another part uses 2Mbit/s PCM
links. Radio transmission is used between the Mobile Station and the
Base Transceiver Station and the information must be adapted to be
carried over 2Mbit/s PCM transmission through the remainder of the
network. The radio link is the most vulnerable part of the connection
and a great deal of work is needed to ensure its high quality and
reliable operation.
The uplink refers to a signal flow from Mobile Station (MS) to
Base Transceiver Station (BTS) and the downlink refers to a signal
flow from Base Transceiver Station (BTS) to Mobile Station (MS).
The simultaneous use of separate uplink and downlink frequencies
enables communication in both the transmit (TX) and receive (RX)
directions. The radio carrier frequencies are arranged in pairs and
the difference between these two frequencies (uplink and downlink) is
called the Duplex Frequency.
Frequency Division Multiple Access (FDMA)
GSM divides the allocated spectrum for each band up into individual
carrier frequencies. Carrier separation is 200 kHz. This is the FDMA
aspect of GSM.
Absolute Radio Frequency Channel Number
(ARFCN)
The ARFCN is a number that describes a pair of frequencies, one
uplink and one downlink. The uplink and downlink frequencies each
have a bandwidth of 200 kHz. The uplink and downlink have a
specific offset that varies for each band. The offset is the frequency
separation of the uplink from the downlink. Every time the ARFCN
increases, the uplink will increase by 200 kHz and the downlink also
increases by 200 kHz.
An ARFCN has an allowed bandwidth of 200 kHz, which
corresponds exactly to the carrier separation. The frequency of the
ARFCN refers to its center frequency. If an ARFCN has a frequency
of 914.80 MHz, then it occupies the frequency space from 914.7 MHz
to 914.9 MHz (200 kHz total). Because of the nature of the
modulation method (GMSK) and data rate used in GSM, the actual
physical bandwidth will be about 135.4 kHz. The unused bandwidth
for each ARFCN acts as a buffer between other ARFCN to avoid
interference.
The following table summarizes the frequency ranges, offsets, and
ARFCNs for several popular bands.
Table: GSM Bands
The following diagram illustrates an ARFCN with paired uplink and
downlink frequencies for ARFCN 1 in the GSM 900 band.
Figure: GSM900 ARFCN 1
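The ARFCN-to-frequency mapping described above, as an added example that is not part of the original report. The per-band formulas and ARFCN ranges are taken from 3GPP TS 45.005 rather than from this page, and the function names are hypothetical; note that an ARFCN alone is ambiguous between DCS 1800 and PCS 1900, so the band must always be supplied.

```python
# Added example, not from the original report. Band definitions follow
# 3GPP TS 45.005; arithmetic is in integer kHz so the 200 kHz raster is exact.

CHANNEL_SPACING_KHZ = 200  # carrier separation stated in the report

# band -> (ARFCN ranges, duplex offset in kHz)
# each range: (first ARFCN, last ARFCN, uplink centre frequency of first ARFCN)
BANDS = {
    "GSM 850": ([(128, 251, 824_200)], 45_000),
    "P-GSM 900": ([(1, 124, 890_200)], 45_000),
    "E-GSM 900": ([(0, 124, 890_000), (975, 1023, 880_200)], 45_000),
    "DCS 1800": ([(512, 885, 1_710_200)], 95_000),
    "PCS 1900": ([(512, 810, 1_850_200)], 80_000),
}


def arfcn_to_khz(band, arfcn):
    """Return (uplink_khz, downlink_khz) centre frequencies for an ARFCN."""
    ranges, duplex_khz = BANDS[band]
    for first, last, uplink_at_first in ranges:
        if first <= arfcn <= last:
            uplink = uplink_at_first + (arfcn - first) * CHANNEL_SPACING_KHZ
            return uplink, uplink + duplex_khz
    raise ValueError(f"ARFCN {arfcn} is not defined in {band}")


def uplink_khz_to_arfcn(band, uplink_khz):
    """Inverse mapping; rejects frequencies off the raster or outside the band."""
    ranges, _ = BANDS[band]
    for first, last, uplink_at_first in ranges:
        steps, remainder = divmod(uplink_khz - uplink_at_first, CHANNEL_SPACING_KHZ)
        if remainder == 0 and 0 <= steps <= last - first:
            return first + steps
    raise ValueError(f"{uplink_khz} kHz is not an uplink carrier in {band}")


def occupied_range_khz(centre_khz):
    """A carrier is allotted 200 kHz centred on its ARFCN frequency."""
    half = CHANNEL_SPACING_KHZ // 2
    return centre_khz - half, centre_khz + half


def bands_for_arfcn(arfcn):
    """All bands in which this ARFCN number is defined (may be more than one)."""
    matches = []
    for band in BANDS:
        try:
            arfcn_to_khz(band, arfcn)
        except ValueError:
            continue
        matches.append(band)
    return sorted(matches)


if __name__ == "__main__":
    up, down = arfcn_to_khz("P-GSM 900", 1)
    print(f"GSM 900 ARFCN 1: uplink {up / 1000} MHz, downlink {down / 1000} MHz")
    up, _ = arfcn_to_khz("P-GSM 900", 124)
    print("ARFCN 124 uplink occupies", occupied_range_khz(up), "kHz")
    print("ARFCN 600 exists in:", bands_for_arfcn(600))
```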
Time Division Multiple Access (TDMA)
Introduction
GSM uses Time Division Multiple Access (TDMA) as its access
scheme. This is how the MS interfaces with the network. TDMA is
the protocol used on the Air (Um) Link. GSM uses Gaussian
Minimum-Shift Keying (GMSK) as its modulation method.
Time Division means that the frequency is divided up into blocks of
time and only certain logical channels are transmitted at certain times.
The time divisions in TDMA are known as Time Slots.
Time Slots
A frequency is divided up into 8 time slots, numbered 0 to 7.
Figure: Time Slots
As a side note, recall that GSM carrier frequencies are separated by 200
kHz and that GSM operates in duplex. A channel number assigned to
a pair of frequencies, one uplink and one downlink, is known as an
Absolute Radio Frequency Channel Number (ARFCN). Each time
slot lasts 576.9 µs. A time slot is the basic radio resource used to
facilitate communication between the MS and the BTS.
Figure: Time Slot Duration
Data Rates
As stated earlier, GSM uses Gaussian Minimum-Shift Keying
(GMSK) as its modulation method. GMSK provides a modulation
rate of 270.833 kilobits per second (kb/s).
At that rate, a maximum of 156.25 bits can be transmitted in each
time slot (576.9 µs).
270.833 kb/s × 1000 = 270,833 b/s (converting from kilobits to bits)
270,833 b/s ÷ 1,000,000 = 0.270833 b/µs (calculating bits per microsecond)
0.270833 b/µs × 576.9 µs = 156.25 bits (calculating number of bits per time slot)
Figure: Bits in a Time Slot
So, 156.25 bits can be transmitted in a single time slot.
TDMA Frame Structure & Hierarchy
TDMA Frame
Each sequence of 8 time slots is known as a TDMA frame. The
duration of a TDMA frame is 4.615 milliseconds (ms) (576.9 µs × 8).
* Remember that a TDMA frame is 8 time slots and that no one
resource will be given an entire TDMA frame; the resources must
share them.
Figure: A TDMA Frame
Multiframe
A Multiframe is composed of multiple TDMA frames.
There are two types of multiframes:
Control Channel Multiframes
Traffic Channel Multiframes
Control Channel Multiframe
composed of 51 TDMA frames
duration = 235.4 ms
Figure: Control Channel Multiframe
Traffic Channel Multiframe
composed of 26 TDMA frames
duration = 120 ms
Figure: Traffic Channel Multiframe
Here is a diagram comparing the Control Channel multiframe and a
traffic channel multiframe.
Figure: Traffic Channel and Control Channel Multiframes
The next diagram shows a Traffic Channel (TCH) Multiframe with
TS2 (green) being allocated to a Mobile Station (MS). The red arrow
indicates the sequence of transmission. The sequence starts in TDMA
frame 0 at TS0, proceeds through all eight time slots, then starts again
with TDMA frame 1.
In this example, the MS has been allocated a Traffic Channel in TS2.
Therefore the MS will only transmit/receive during TS2 of each
TDMA frame.
Figure: Single Time Slot Allocated
Superframe
A Superframe is composed of multiple Multiframes.
Again, there is a superframe for Control Channels and one for Traffic
Channels.
Control Channel Superframe
composed of 26 Control Channel (CCH) multiframes (each CCH
multiframe has 51 TDMA frames)
Duration = 6.12 seconds
Traffic Channel Superframe
composed of 51 Traffic Channel (TCH) multiframes (each TCH
multiframe has 26 TDMA frames)
Duration = 6.12 seconds
Each superframe, whether it is a CCH or TCH frame, consists of 1326
TDMA frames (51 * 26).
Hyperframe
A Hyperframe is composed of 2048 Superframes.
Duration = 3h 28m 53s 76ms (12,533.76 seconds)
consists of 2,715,648 TDMA frames.
Each TDMA frame is numbered according to its sequence within the
hyperframe, starting from 0 and ending at 2,715,647.
The TDMA frame number within a hyperframe is abbreviated FN. The
FN is one of the variables used in GSM encryption algorithms.
The following diagram shows the relationship between all of the
various time segments.
Figure: Relation of all segments
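The frame hierarchy above, and the way the frame number feeds the cipher, as an added example that is not part of the original report. The T1/T2/T3 split and the 22-bit COUNT layout (T1, then T3, then T2) come from 3GPP TS 45.002 and TS 43.020, not from this page; function names are hypothetical.

```python
# Added example, not from the original report: splitting a TDMA frame number
# (FN) into its multiframe counters and packing the 22-bit COUNT value that
# the A5 cipher takes as its per-frame input alongside the session key.
from fractions import Fraction

TCH_MULTIFRAME = 26                                # TDMA frames per traffic multiframe
CCH_MULTIFRAME = 51                                # TDMA frames per control multiframe
SUPERFRAME = TCH_MULTIFRAME * CCH_MULTIFRAME       # 1326 TDMA frames
SUPERFRAMES_PER_HYPERFRAME = 2048
HYPERFRAME = SUPERFRAME * SUPERFRAMES_PER_HYPERFRAME   # 2,715,648 TDMA frames

# A 26-frame traffic multiframe lasts exactly 120 ms, so one frame is 120/26 ms.
FRAME_MS = Fraction(120, TCH_MULTIFRAME)


def split_fn(fn):
    """FN -> (T1, T2, T3): superframe index, position in the 26- and 51-multiframe."""
    if not 0 <= fn < HYPERFRAME:
        raise ValueError("FN must be within one hyperframe")
    return fn // SUPERFRAME, fn % TCH_MULTIFRAME, fn % CCH_MULTIFRAME


def join_fn(t1, t2, t3):
    """Rebuild FN from the three counters (26 and 51 are coprime, so it is unique)."""
    if not (0 <= t1 < SUPERFRAMES_PER_HYPERFRAME
            and 0 <= t2 < TCH_MULTIFRAME and 0 <= t3 < CCH_MULTIFRAME):
        raise ValueError("counter out of range")
    return CCH_MULTIFRAME * ((t3 - t2) % TCH_MULTIFRAME) + t3 + SUPERFRAME * t1


def a5_count(fn):
    """22-bit COUNT: T1 in the top 11 bits, then T3 (6 bits), then T2 (5 bits)."""
    t1, t2, t3 = split_fn(fn)
    return (t1 << 11) | (t3 << 5) | t2


def next_fn(fn):
    """Frame numbers wrap to 0 at the end of the hyperframe."""
    return (fn + 1) % HYPERFRAME


def hyperframe_seconds():
    """Exact hyperframe duration; COUNT values repeat with this period."""
    return FRAME_MS * HYPERFRAME / 1000


if __name__ == "__main__":
    last = HYPERFRAME - 1
    print("last FN:", last, "->", split_fn(last), "COUNT =", a5_count(last))
    print("hyperframe lasts", float(hyperframe_seconds()), "seconds")
```

Because COUNT is derived only from the broadcast frame number, it repeats once per hyperframe; the cipher's per-call secrecy rests on the session key, not on the frame number.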
Physical and Logical Channels
Time Division Multiple Access (TDMA) divides one radio
frequency channel into consecutive periods of time, each one called a
"TDMA Frame". Each TDMA Frame contains eight shorter periods
of time known as "Timeslots". The TDMA timeslots are called
"Physical Channels" as they are used to physically move
information from one place to another.
The radio carrier signal between the Mobile Station and the BTS is
divided into a continuous stream of timeslots which in turn are
transmitted in a continuous stream of TDMA frames. The 8 timeslots
are further broken up into logical channels.
Logical channels can be thought of as just different types of data that
are transmitted only on certain frames in a certain timeslot. Different
time slots will carry different logical channels, depending on the
structure the BSS uses.
Logical Channels are of two types:-
Signalling Channels
Traffic Channels (TCH)
Signaling Channels
These are the main types of signaling Channels:
Broadcast Channels (BCH) - Transmitted by the BTS to the MS.
This channel carries system parameters needed to identify the
network, synchronize time and frequency with the network, and gain
access to the network.
Common Control Channels (CCCH) - Used for signaling
between the BTS and the MS and to request and grant access to the
network.
Standalone Dedicated Control Channels (SDCCH) - Used
for call setup.
Associated Control Channels (ACCH) - Used for signaling
associated with calls and call-setup. An ACCH is always allocated in
conjunction with a TCH or a SDCCH.
The above categories can be divided into the following logical
channels:
Broadcast Channels (BCH)
  Broadcast Control Channel (BCCH)
  Frequency Correction Channel (FCCH)
  Synchronization Channel (SCH)
  Cell Broadcast Channel (CBCH)
Common Control Channels (CCCH)
  Paging Channel (PCH)
  Random Access Channel (RACH)
  Access Grant Channel (AGCH)
Dedicated Control Channel (DCCH)
  Standalone Dedicated Control Channel (SDCCH)
  Fast Associated Control Channel (FACCH)
  Slow Associated Control Channel (SACCH)
Let's examine each type of logical channel individually.
Broadcast Channels (BCH)
Broadcast Control Channel (BCCH) - DOWNLINK - This
channel contains system parameters needed to identify the network
and gain access. These parameters include the Location Area Code
(LAC), the Mobile Network Code (MNC), the frequencies of
neighbouring cells, and access parameters.
Frequency Correction Channel (FCCH) - DOWNLINK -
This channel is used by the MS as a frequency reference. This channel
contains frequency correction bursts.
Synchronization Channel (SCH) - DOWNLINK - This
channel is used by the MS to learn the Base Station Identity Code
(BSIC) as well as the TDMA frame number (FN). This lets the MS
know what TDMA frame it is on within the hyperframe.
Cell Broadcast Channel (CBCH) - DOWNLINK - This
channel is not truly its own type of logical channel. The CBCH is
for point-to-omnipoint messages. It is used to broadcast specific
information to network subscribers; such as weather, traffic, sports,
stocks, etc. Messages can be of any nature depending on what service
is provided. Messages are normally public service type messages or
announcements. The CBCH isn’t allocated a slot for itself, it is
assigned to an SDCCH. It only occurs on the downlink. The CBCH
usually occupies the second subslot of the SDCCH. The mobile will
not acknowledge any of the messages.
Common Control Channels (CCCH)
Paging Channel (PCH) - DOWNLINK - This channel is used
to inform the MS that it has incoming traffic. The traffic could be a
voice call, SMS, or some other form of traffic.
Random Access Channel (RACH) - UPLINK - This channel is
used by a MS to request an initial dedicated channel from the BTS.
This would be the first transmission made by a MS to access the
network and request radio resources. The MS sends an Access
Burst on this channel in order to request access.
Access Grant Channel (AGCH) - DOWNLINK - This
channel is used by a BTS to notify the MS of the assignment of an
initial SDCCH for initial signaling.
Dedicated Control Channels (DCCH)
Standalone Dedicated Control Channel (SDCCH) -
UPLINK/DOWNLINK - This channel is used for signaling and
call setup between the MS and the BTS.
Fast Associated Control Channel (FACCH) -
UPLINK/DOWNLINK - This channel is used for control
requirements such as handoffs. There is no TS and frame allocation
dedicated to a FACCH. The FACCH is a burst-stealing channel; it
steals a Timeslot from a Traffic Channel (TCH).
Slow Associated Control Channel (SACCH) -
UPLINK/DOWNLINK - This channel is a continuous stream
channel that is used for control and supervisory signals associated
with the traffic channels.
Traffic Channels (TCH)
Traffic Channels are used to carry two types of information to and
from the user:-
Encoded Speech
Data
Encoded Speech - Encoded speech is voice audio that is
converted into digital form and compressed.
Full Rate Speech TCH (TCH/FS) - 13 kb/s
Half Rate Speech TCH (TCH/HS) - 5.6 kb/s
Data - Data refers to user data such as text messages, picture
messages, internet browsing, etc. It includes pretty much
everything except speech.
Full rate Data TCH (TCH/F14.4) - 14.4 kb/s
Full rate Data TCH (TCH/F9.6) - 9.6 kb/s
Full rate Data TCH (TCH/F4.8) - 4.8 kb/s
Half rate Data TCH (TCH/H4.8) - 4.8 kb/s
Full rate Data TCH (TCH/F2.4) - ≤2.4 kb/s
Half rate Data TCH (TCH/H2.4) - ≤2.4 kb/s
Data Burst
The data transmitted during a single time slot is known as a burst.
Each burst allows 8.25 bits for guard time within a time slot. This is
to prevent bursts from overlapping and interfering with transmissions
in other time slots. Subtracting this from the 156.25 bits, there are 148
bits usable for each burst.
There are four main types of bursts in TDMA:
Normal Burst (NB)
Frequency Correction Burst (FB)
Synchronization Burst (SB)
Access Burst (AB)
Normal Burst
Here is the structure of a normal burst:
Figure: Normal Burst
Tail Bits - Each burst leaves 3 bits on each end in which no data is
transmitted. This is designed to compensate for the time it takes for
the power to rise up to its peak during a transmission. The bits at the
end compensate for the powering down at the end of the transmission.
Data Bits - There are two data payloads of 57 bits each.
Stealing Flags - Indicates whether the burst is being used for
voice/data (set to "0") or if the burst is being "stolen" by
the FACCH to be used for signalling (set to "1").
Training Sequence - The training sequence bits are used to
overcome multi-path fading and propagation effects through a method
called equalization.
This diagram illustrates a single burst inside a time slot. Remember
that 8.25 bits are not used in order to allow for a guard time.
Figure: Burst within a Time Slot
Since each burst has two 57-bit data segments, we can see that a
single burst has a data payload of 114 bits.
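The normal burst layout described above, as an added example that is not part of the original report: a builder and parser for the 148-bit burst that recovers the 114-bit payload and reports the stealing flags. The 26-bit training sequence width and the all-zero tail bits come from the GSM specification rather than this page, and the training pattern used here is a constructed placeholder, not a real training sequence code.

```python
# Added example, not from the original report. Bits are handled as strings of
# "0"/"1" in transmission order so the field boundaries are easy to inspect.

NORMAL_BURST_FIELDS = (
    ("tail_start", 3),
    ("data_1", 57),
    ("steal_1", 1),
    ("training", 26),
    ("steal_2", 1),
    ("data_2", 57),
    ("tail_end", 3),
)
BURST_BITS = sum(width for _, width in NORMAL_BURST_FIELDS)  # 148 usable bits
GUARD_BITS = 8.25                                            # guard time per slot
SLOT_BITS = BURST_BITS + GUARD_BITS                          # 156.25 bits per time slot
PAYLOAD_BITS = 2 * 57                                        # 114 data bits per burst

# Constructed placeholder pattern, NOT one of the real GSM training sequences.
SAMPLE_TRAINING = "01" * 13


def _check_bits(bits, length, what):
    if len(bits) != length or set(bits) - {"0", "1"}:
        raise ValueError(f"{what} must be exactly {length} bits of 0/1")


def build_normal_burst(payload, training=SAMPLE_TRAINING, stolen=False):
    """Assemble a 148-bit normal burst from a 114-bit payload."""
    _check_bits(payload, PAYLOAD_BITS, "payload")
    _check_bits(training, 26, "training sequence")
    flag = "1" if stolen else "0"   # "1" marks the burst as stolen by the FACCH
    return "000" + payload[:57] + flag + training + flag + payload[57:] + "000"


def parse_normal_burst(bits):
    """Split a 148-bit normal burst into its fields and validate the tail bits."""
    _check_bits(bits, BURST_BITS, "burst")
    fields, pos = {}, 0
    for name, width in NORMAL_BURST_FIELDS:
        fields[name] = bits[pos:pos + width]
        pos += width
    # Tail bits of a normal burst are fixed zeros; anything else means the
    # slice is misaligned or the burst is not a normal burst.
    if fields["tail_start"] != "000" or fields["tail_end"] != "000":
        raise ValueError("tail bits are not zero: not an aligned normal burst")
    flags = (fields["steal_1"], fields["steal_2"])
    return {
        "payload": fields["data_1"] + fields["data_2"],
        "training": fields["training"],
        "steal_flags": flags,
        "carries_facch": "1" in flags,
    }


if __name__ == "__main__":
    payload = ("1100" * 29)[:PAYLOAD_BITS]          # constructed sample payload
    burst = build_normal_burst(payload, stolen=True)
    info = parse_normal_burst(burst)
    print(len(burst), "burst bits +", GUARD_BITS, "guard =", SLOT_BITS)
    print("signalling (FACCH) burst:", info["carries_facch"])
```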
Frequency Correction Burst
This burst is used for frequency synchronization of the mobile station.
It is an unmodulated carrier that shifts in frequency. It has the same
guard time as a normal burst (8.25 bits). The broadcast of the FB usually
occurs on the logical channel FCCH.
Figure: Frequency Correction Burst
Synchronization Burst
This burst is used for time synchronization of the mobile. The data
payload carries the TDMA Frame Number (FN) and the Base Station
Identity Code (BSIC). It is broadcast with the frequency correction
burst. The Synchronization Burst is broadcast on the Synchronization
Channel (SCH).
Figure: Synchronization Burst
Access Burst
This burst is used by the mobile station for random access. It has a much
longer guard period (68.25 bits compared to the 8.25 bits in a normal
burst). It is designed to compensate for the unknown distance of the
mobile station from the tower: when the MS wants access to a new
BTS, it will not know the correct Timing Advance.
Figure: Access Burst
Frequency Hopping
Each radio frequency Channel (ARFCN) is influenced differently by
propagation conditions. What affects channel 23 may not affect
channel 78 at all. Within a given cell, some frequencies will have
good propagation in a certain area and some will have poor
propagation in that area. In order to take advantage of the good
propagation and to defeat the poor propagation, GSM utilizes
frequency hopping. Frequency hopping means that a transceiver hops
from one frequency to another in a predetermined sequence. If a
transceiver hops through all of the available frequencies in a cell then
it will average out the propagation. GSM uses Slow Frequency
Hopping (SFH). It is considered slow because the system hops
relatively slowly compared with other frequency hopping systems. In
GSM, the operating frequency is changed every TDMA frame.
The main reason for using slow frequency hopping is because the MS
must also change its frequency often in order to monitor adjacent
cells. The device in a transceiver that generates the frequency is called
a frequency synthesizer. On a MS, a synthesizer must be able to
change its frequency within the time frame of one time slot, which is
equal to 577 µs. GSM does not require the BTS to utilize frequency
hopping. However, a MS must be capable of utilizing frequency
hopping when told to do so.
The frequency hopping and timing sequence is known as the hopping
algorithm. There are two types of hopping algorithms available to a
MS.
Cyclic Hopping - The transceiver hops through a predefined list
of frequencies in sequential order.
Random Hopping - The transceiver hops through the list of
frequencies in a random manner. The sequence appears random
but it is actually a set order.
There are a total of 63 different hopping algorithms available in GSM.
When the MS is told to switch to frequency hopping mode, the BTS
will assign it a list of channels and the Hopping Sequence Number
(HSN), which corresponds to the particular hopping algorithm that
will be used.
The base channel on the BTS does not frequency hop. This channel,
located in time slot 0, holds the Broadcast Control Channels which
the MS needs to monitor to determine strength measurements,
determine access parameters, and synchronize with the system.
If a BTS uses multiple transceivers (TRX) then only one TRX will
hold the Broadcast Channels on time slot 0. All of the other TRXs
may use time slot 0 for traffic or signalling and may take part in the
frequency hopping.
There are two types of frequency hopping methods available for the
BTS: synthesizer hopping and baseband hopping.
Synthesizer Hopping - This requires the TRX itself to change
frequencies according to the hopping sequence. So, one TRX
would hop between multiple frequencies on the same sequence
that the MS is required to.
Baseband Hopping - In this method there are several TRX and
each one stays on a fixed frequency within the hopping
frequency plan. Each TRX would be assigned a single time slot
within a TDMA frame. For example, time slot 1 might be
assigned to TRX 2 in one TDMA frame and in the next TDMA
frame it would be assigned to TRX 3, and the next frame would
be TRX 3. So, the data on each time slot would be sent on a
different frequency each frame, but the TRXs on the BTS do not
need to change frequency. The BTS simply routes the data to the
appropriate TRX, and the MS knows which TRX to be on for
any given TDMA frame.
35. Traffic management
Location update
A MS will need to update its location whenever it moves to a tower
that is serviced by a different VLR than the one it is currently on. An
MS can move from BTS to BTS without ever telling the network, as
long as it is within the same location area. Once it moves to a new
location area, it is required to inform the network.
The MS moves to another Location Area
As a MS moves around, it is constantly monitoring the signal strength
of the BCCH of its current BTS, as well as neighbouring BTSs, to
determine if the neighbours have a stronger signal. When the MS is in
idle mode (not in a call), it will determine for itself when to move
from its current BTS to a more attractive one. When the MS switches
from a BTS in one VLR to a BTS in a different VLR, it must do a
location update, so the network knows which MSC/VLR the MS is
currently using.
Elements involved in location update
36. Channel Request
1. The MS requests a channel by sending a Channel
Request (CHAN_REQ) message on the RACH.
2. The BTS responds by sending an Immediate Assignment
Command message (IMM_ASS_CMD) on the AGCH.
3. The MS switches to the assigned SDCCH and replies with
a Location Update Request (LOC_UPD_REQ). Included in the
LOC_UPD_REQ is the TMSI the MS is currently using as well as the
Location Area Identifier (LAI) of the VLR it is leaving.
4. The BTS acknowledges receipt of the message.
Gaining VLR requests data from losing VLR
5. The BSS forwards the Location Update Request to the gaining
MSC/VLR.
6. The gaining MSC/VLR does not recognize the TMSI/IMSI of the
MS, so it contacts the losing MSC/VLR that corresponds to the LAI
that was provided by the MS. The new MSC/VLR requests the
subscriber data for the given TMSI.
7. The gaining MSC/VLR will then authenticate the MS. There are
two ways this could occur. First, the losing MSC/VLR may have
forwarded any sets of triplets that it was retaining for the MS. The
gaining MSC/VLR would then just use the next set of triplets.
Second, the gaining MSC/VLR could contact the HLR and request
authentication triplets from the AuC and proceed with authentication
that way.
The authentication and encryption process is not shown here. It occurs
the same way as in the IMSI Attach.
Location Update
8. Once the MS has been authenticated and is in Cipher Mode, the
MSC/VLR sends a Location Update Accept message
(LOC_UPD_ACC) through the BSS to the MS. The LOC_UPD_ACC
may have a TMSI assignment in it, otherwise the TMSI will be
assigned in a TMSI_REAL_CMD message.
9. The MS will respond with a TMSI Reallocation Complete message
(TMSI_REAL_COM) indicating it has received the TMSI.
10. The BSS then sends the MS a Channel Release message
(CHAN_REL) instructing it to go into idle mode. The BSS then
unassigns the SDCCH. As far as the MS is concerned, the location
update has been completed.
Updating the Registers
The Gaining MSC/VLR sends an Update Location message to the
HLR. The HLR updates its records to point to the gaining MSC/VLR
when it is asked for its location. It also passes on subscriber
information for the MS to the gaining MSC/VLR.
The HLR sends a Cancel Location message to the losing MSC/VLR.
The losing MSC/VLR deletes the MS's record and also releases the
TMSI for reassignment. The losing MSC/VLR sends a Cancel
Location Result message back to the HLR, confirming the
cancellation.
38. Procedure in location update
Handover
Maintaining the traffic connection with a moving subscriber is made
possible with the help of the handover function. The basic concept is
simple: when the subscriber moves from the coverage area of one cell
to another, a new connection with the target cell has to be set up and
the connection with the old cell has to be released.
There are two reasons for performing a handover:
1. Handover due to measurements occurs when the quality or the
strength of the radio signal falls below certain parameters specified in
the BSC. The deterioration of the signal is detected by the constant
signal measurements carried out by both the mobile station and the
BTS. As a consequence, the connection is handed over to a cell with a
stronger signal.
2. Handover due to traffic reasons occurs when the traffic capacity
of a cell has reached its maximum or is approaching it. In such a case,
the mobile stations near the edges of the cell may be handed over to
neighbouring cells with less traffic load.
The decision to perform a handover is always made by the BSC that is
currently serving the subscriber, except for the handover for traffic
reasons.
There are four different types of handover and the best way to analyse
them is to follow the subscriber as he moves:-
Intra cell - Intra BSC handover
The smallest of the handovers is the intra cell handover where the
subscriber is handed over to another traffic channel (generally in
another frequency) within the same cell. In this case the BSC
controlling the cell makes the decision to perform handover.
Intra cell - Intra BSC handover
Inter cell - Intra BSC handover
The subscriber moves from cell 1 to cell 2. In this case the handover
process is controlled by BSC. The traffic connection with cell 1 is
released when the connection with cell 2 is set up successfully.
Inter cell - Intra BSC handover
Inter cell - Inter BSC handover
The subscriber moves from cell 2 to cell 3, which is served by another
BSC. In this case the handover process is carried out by the MSC, but
the decision to make the handover is still done by the first BSC. The
connection with the first BSC (and BTS) is released when the
connection with the new BSC (and BTS) is set up successfully.
Inter cell - Inter BSC handover
41. Inter MSC handover
The subscriber moves from a cell controlled by one MSC/VLR to a
cell in the domain of another MSC/VLR. This case is a bit more
complicated. Considering that the first MSC/VLR is connected to the
GMSC via a link that passes through PSTN lines, it is evident that the
second MSC/VLR cannot take over the first one just like that. The
MSC/VLR currently serving the subscriber (also known as the
anchor MSC) contacts the target MSC/VLR and the traffic
connection is transferred to the target MSC/VLR. As both MSCs are
part of the same network, the connection is established smoothly. It is
important to notice, however, that the target MSC and the source
MSC are two telephone exchanges. The call can be transferred
between two exchanges only if there is a telephone number
identifying the target MSC.
Inter MSC handover
42. Timing Advances
Introduction
A Timing Advance (TA) is used to compensate for the propagation
delay as the signal travels between the Mobile Station (MS) and Base
Transceiver Station (BTS). The Base Station System (BSS) assigns
the TA to the MS based on how far away it perceives the MS to be.
Determination of the TA is normally a function of the Base Station
Controller (BSC), but this function can be handled anywhere in the
BSS, depending on the manufacturer.
Time Division Multiple Access (TDMA) requires precise timing of
both the MS and BTS systems. When a MS wants to gain access to
the network, it sends an access burst on the RACH. The further away
the MS is from the BTS, the longer it will take the access burst to
arrive at the BTS, due to propagation delay. Eventually there comes a
certain point where the access burst would arrive so late that it would
occur outside its designated timeslot and would interfere with the next
time slot.
Access Burst
An access burst has 68.25 guard bits at the end of it.
This guard time is to compensate for propagation delay due to the
unknown distance of the MS from the BTS. It allows an access burst
to arrive up to 68.25 bits later than it is supposed to without
interfering with the next time slot.
68.25 bits doesn’t mean much to us in the sense of time, so we must
convert 68.25 bits into a frame of time. To do this, it is necessary to
calculate the duration of a single bit; the duration is the amount of
time it would take to transmit a single bit.
Duration of a Single Bit
As you recall, GSM uses Gaussian Minimum Shift Keying (GMSK)
as its modulation method, which has a data throughput of 270.833
kilobits/second (kb/s).
Calculate duration of a bit
Description                       Formula                     Result
Convert kilobits to bits          270.833 kb × 1000           270,833 bits
Calculate seconds per bit         1 sec ÷ 270,833 bits        .00000369 seconds
Convert seconds to microseconds   .00000369 sec × 1,000,000   3.69 µs
So now we know that it takes 3.69µs to transmit a single bit.
Propagation Delay
Now, if an access burst has a guard period of 68.25 bits this results in
a maximum delay time of approximately 252µs (3.69µs × 68.25 bits).
This means that a signal from the MS could arrive up to 252µs after it
is expected and it would not interfere with the next time slot.
The next step is to calculate how far away a mobile station would
have to be for a radio wave to take 252µs to arrive at the BTS; this
would be the theoretical maximum distance that a MS could transmit
and still arrive within the correct time slot.
Using the speed of light, we can calculate the distance that a radio
wave would travel in a given time frame. The speed of light (c) is
300,000 km/s.
Description                    Formula                   Result
Convert km to m                300,000km × 1000          300,000,000m
Convert m/s to m/µs            300,000,000 ÷ 1,000,000   300 m/µs
Calculate distance for 252µs   300 m/µs × 252µs          75600m
Convert m to km                75,600m ÷ 1000            75.6km
So, we can determine that a MS could theoretically be up to 75.6km
away from a BTS when it transmits its access burst and still not
interfere with the next time slot.
However, we must take into account that the MS synchronizes with
the signal it receives from the BTS. We must account for the time it
takes for the synchronization signal to travel from the BTS to the MS.
When the MS receives the synchronization signal from the BTS, it
has no way of determining how far away it is from the BTS. So, when
the MS receives the synchronization signal on the SCH, it
synchronizes its time with the timing of the system. However, by the
time the signal arrives at the MS, the timing of the BTS has already
progressed some. Therefore, the timing of the MS will now be behind
the timing of the BTS for an amount of time equal to the travel time
from the BTS to the MS.
For example, if a MS were exactly 75.6km away from the BTS, then
it would take 252µs for the signal to travel from the BTS to the MS.
The MS would then synchronize with this timing and send its access
burst on the RACH. It would take 252µs for this signal to return to the
BTS. The total round trip time would be 504µs. So, by the time the
signal from the MS arrives at the BTS, it will be 504µs behind the
timing of the BTS. 504µs equals about 136.5 bits.
The 68.25 bits of guard time would absorb some of the delay of 136.5
bits, but the access burst would still cut into the next time slot a
whopping 68.25 bits.
47. Maximum Size of a Cell
In order to compensate for the two-way trip of the radio link, we must
divide the maximum delay distance in half. So, dividing 75.6km in
half, we get approximately 37.8 km. If a MS is further out than
37.8km and transmits an access burst it will most likely interfere with
the following time slot. Any distance less than 37.8km and the access
burst should arrive within the guard time allowed for an access burst
and it will not interfere with the next time slot.
In GSM, the maximum distance of a cell is standardized at 35km.
This is due mainly to the number of timing advances allowed in GSM,
which is explained below.
How a BSS Determines a Timing Advance
In order to determine the propagation delay between the MS and the
BSS, the BSS uses the synchronization sequence within an access
burst. The BSS examines the synchronization sequence and sees how
long it arrived after the time that it expected it to arrive. As we
learned from above, the duration of a single bit is approximately
3.69µs. So, if the BSS sees that the synchronization is late by a single
bit, then it knows that the propagation delay is 3.69µs. This is how the
BSS knows which TA to send to the MS.
For each 3.69µs of propagation delay, the TA will be incremented by
1. If the delay is less than 3.69µs, no adjustment is used and this is
known as TA0. For every TA, the MS will start its transmission
3.69µs (or one bit) early. Each TA really corresponds to a range of
propagation delay. Each TA is essentially equal to a 1-bit delay
detected in the synchronization sequence.
TA    From       To
0     0µs        3.69µs
1     3.69µs     7.38µs
2     7.38µs     11.07µs
3     11.07µs    14.76µs
...   ...        ...
63    232.47µs   236.16µs
49. The Distance of a Timing Advance
When calculating the distances involved for each TA, we must
remember that the total propagation delay accounts for a two-way trip
of the radio wave. The first leg is the synchronization signal travelling
from the BTS to the MS, and the second leg is the access burst
travelling from the MS to the BTS. If we want to know the true
distance of the MS from the BTS, we must divide the total
propagation delay in half.
For example, if the BSS determines the total propagation delay to be
3.69µs, we can determine the distance of the MS from the BTS.
Description                                    Formula              Result
Determine one-way propagation time             3.69µs ÷ 2           1.845µs
Calculate distance (using speed of light.)     300 m/µs × 1.845µs   553.5m
We determined earlier that for each propagation delay of 3.69µs the
TA is incremented by one. We just learned that a propagation delay of
3.69µs equals a one-way distance of 553.5 meters. So, we see that
each TA is equal to a distance of 553.5 meters from the tower.
Starting from the BTS (0 meters) a new TA will start every 553.5m.
TA Ring   Start     End
0         0         553.5m
1         553.5m    1107m
2         1107m     1660.5m
3         1660.5m   2214m
...       ...       ...
63        34.87km   35.42km
The TA becomes very important when the MS switches over to using
a normal burst in order to transmit data. The normal burst does not
have the 68.25 bits of guard time. The normal burst only has 8.25 bits
of guard time, so the MS must transmit with more precise timing.
With a guard time of 8.25 bits, the normal burst can only be received
up to 30.44µs late and not interfere with the next time slot. Because of
the two-way trip of the radio signal, if the MS transmits more than
15.22µs after it is supposed to then it will interfere with the next time
slot.
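The timing-advance arithmetic above, collected into one small calculator. This is an added example, not part of the original report; it uses the report's rounded constants (3.69 µs per bit, 300 m/µs), and the function names are chosen here for illustration.

```python
import math
from typing import Tuple

# Constants exactly as rounded in this report.
BIT_US = 3.69              # duration of one bit at 270.833 kb/s, in microseconds
C_M_PER_US = 300.0         # speed of light, metres per microsecond
ACCESS_GUARD_BITS = 68.25  # guard period of an access burst
NORMAL_GUARD_BITS = 8.25   # guard period of a normal burst
MAX_TA = 63                # highest timing advance value


def round_trip_bits(distance_m: float) -> float:
    """Delay seen at the BTS in bit periods: sync BTS->MS plus burst MS->BTS."""
    if distance_m < 0:
        raise ValueError("distance must be non-negative")
    return (2.0 * distance_m / C_M_PER_US) / BIT_US


def timing_advance(distance_m: float) -> int:
    """TA the BSS would assign: one step per whole bit of round-trip delay."""
    ta = math.floor(round_trip_bits(distance_m))
    if ta > MAX_TA:
        raise ValueError("MS is beyond the range covered by TA 0..63")
    return ta


def ta_ring_m(ta: int) -> Tuple[float, float]:
    """(start, end) one-way distance in metres covered by a TA value."""
    if not 0 <= ta <= MAX_TA:
        raise ValueError("TA must be in 0..63")
    width = BIT_US * C_M_PER_US / 2.0  # 553.5 m per TA step
    return ta * width, (ta + 1) * width


def access_burst_overrun_bits(distance_m: float) -> float:
    """Bits by which an access burst (sent with no TA) spills into the next slot."""
    return max(0.0, round_trip_bits(distance_m) - ACCESS_GUARD_BITS)


def normal_burst_fits(distance_m: float, ta: int) -> bool:
    """True if a normal burst sent `ta` bits early lands inside its own slot."""
    residual = round_trip_bits(distance_m) - ta
    # Negative residual: burst arrives early and overlaps the previous slot.
    return 0.0 <= residual <= NORMAL_GUARD_BITS


if __name__ == "__main__":
    for d in (500, 5_000, 20_000, 35_000):
        ta = timing_advance(d)
        print(d, ta, ta_ring_m(ta), normal_burst_fits(d, 0), normal_burst_fits(d, ta))
```

Because each TA value maps to a ring about 553.5 m wide, a TA value logged by the network also bounds how far the MS was from the BTS at that moment.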
Authentication & Encryption
Introduction
Authentication - Whenever a MS requests access to a network, the
network must authenticate the MS. Authentication verifies the identity
and validity of the SIM card to the network and ensures that the
subscriber is authorized access to the network.
Encryption - In GSM, encryption refers to the process of creating
authentication and ciphering crypto-variables using a special key and
an encryption algorithm.
Ciphering - Ciphering refers to the process of changing plaintext
data into encrypted data using a special key and a special encryption
algorithm. Transmissions between the MS and the BTS on the Um
link are enciphered.
Ki - The Ki is the individual subscriber authentication key. It is a
128-bit number that is paired with an IMSI when the SIM card is
created. The Ki is only stored on the SIM card and at the
Authentication Center (AuC). The Ki will never be transmitted across
the network on any link.
RAND - The RAND is a random 128-bit number that is generated by
the AuC when the network requests to authenticate a subscriber. The
RAND is used to generate the Signed Response (SRES) and Kc
crypto-variables.
Signed Response - The SRES is a 32-bit crypto-variable used in
the authentication process. The MS is challenged by being given the
RAND by the network; the SRES is the expected correct response.
The MS receives the RAND as a challenge and uses it to calculate the
SRES. The SRES is passed up to the network as a response to the
challenge.
A3 Algorithm - The A3 algorithm computes a 32-bit Signed
Response (SRES). The Ki and RAND are inputted into the A3
algorithm and the result is the 32-bit SRES. The A3 algorithm resides
on the SIM card and at the AuC.
A8 Algorithm - The A8 algorithm computes a 64-bit ciphering key
(Kc). The Ki and the RAND are inputted into the A8 algorithm and
the result is the 64-bit Kc. The A8 algorithm resides on the SIM card
and at the AuC.
COMP128 - A keyed hash function that combines the A3 and A8
algorithms into a single function. The 128-bit Ki and 128-bit RAND
are input into the COMP128 which generates a 32-bit SRES and a
54-bit Kc in a single function. COMP128 is weak because it can give
away information about the Ki.
Kc - The Kc is the 64-bit ciphering key that is used in the A5
encryption algorithm to encipher and decipher the data that is being
transmitted on the Um interface.
A5 - The A5 encryption algorithm is used to encipher and decipher
the data that is being transmitted on the Um interface. The Kc and the
plaintext data are inputted into the A5 algorithm and the output is
enciphered data. The A5 algorithm is a function of the Mobile
Equipment (ME) and not a function of the SIM card. The BTS also
makes use of the A5 algorithm.
There are three versions of the A5 algorithm:
A5/1 - The current standard for U.S. and European networks. A5/1
is a stream cipher.
A5/2 - The deliberately weakened version of A5/1 that is intended
for export to non-western countries. A5/2 is a stream cipher.
A5/3 - A newly developed algorithm not yet in full use. A5/3 is a
block cipher.
Triplets - The RAND, SRES, and Kc together are known as the
Triplets. The AuC will send these three crypto-variables to the
requesting MSC/VLR so it can authenticate and encipher.
International Mobile Subscriber Identity - An IMSI is usually presented
as a 15 digit long number, but can be shorter. For example MTN
South Africa's old IMSIs that are still being used in the market are
shown as 14 digits. The first 3 digits are the Mobile Country
Code (MCC), and are followed by the Mobile Network Code (MNC),
either 2 digits (European standard) or 3 digits (North
American standard). The length of the MNC depends on the value of
the MCC. The remaining digits are the Mobile Subscription
Identification Number (MSIN) within the network's customer base.
54. Authentication Procedures
Fig 1
Fig-1: When a MS requests access to the network, the MSC/VLR
will normally require the MS to authenticate. The MSC will forward
the IMSI to the HLR and request authentication Triplets.
The network can have the MS authenticate whenever it wants and this
can vary from network to network. The network can require the MS to
authenticate every time an event is initiated (location update, mobile-
originated call, mobile-terminated call, etc.), every so many events, or
even after a certain time period has elapsed. The network will almost
always require authentication whenever the MS moves into a new
Location Area and does a Location Update.
Fig 2
Fig-2: When the HLR receives the IMSI and the authentication
request, it first checks its database to make sure the IMSI is valid and
belongs to the network. Once it has accomplished this, it will forward
the IMSI and authentication request to the Authentication
Center (AuC).
Fig 3
Fig-3: The AuC will use the IMSI to look up the Ki associated with
that IMSI. The Ki is the individual subscriber authentication key. It is
a 128-bit number that is paired with an IMSI when the SIM card is
created. The Ki is only stored on the SIM card and at the AuC. The
AuC will also generate a 128-bit random number called the RAND.
Fig 4
Fig-4: The RAND and the Ki are inputted into the A3 encryption
algorithm. The output is the 32-bit Signed Response (SRES). The
SRES is essentially the "challenge" sent to the MS when
authentication is requested.
Fig 5
Fig-5: The RAND and Ki are input into the A8 encryption algorithm.
The output is the 64-bit Kc. The Kc is the ciphering key that is used in
the A5 encryption algorithm to encipher and decipher the data that is
being transmitted on the Um interface.
Fig 6
Fig-6: The RAND, SRES, and Kc are collectively known as
the Triplets. The AuC may generate many sets of Triplets and send
them to the requesting MSC/VLR. This is in order to reduce the
signalling overhead that would result if the MSC/VLR requested one
set of triplets every time it wanted to authenticate the MS. It should be
noted that a set of triplets is unique to one IMSI; it cannot be used
with any other IMSI.
Fig 7
Fig-7: Once the AuC has generated the triplets (or sets of triplets), it
forwards them to the HLR. The HLR subsequently sends them to the
requesting MSC/VLR.
Fig 8
Fig-8: The MSC stores the Kc and the SRES but forwards the RAND
to the MS and orders it to authenticate.
Fig 9
Fig-9: The MS has the Ki stored on the SIM card. The A3 and A8
algorithms also reside on the SIM card. The RAND and Ki are
inputted into the A3 and A8 encryption algorithms to generate the
SRES and the Kc respectively.
59. Ciphering Procedure
Fig-10
Fig 10: The MS stores the Kc on the SIM card and sends the
generated SRES back to the network. The MSC receives the MS
generated SRES and compares it to the SRES generated by the AuC.
If they match, then the MS is authenticated.
Fig-11
Fig-11: Once the MS is authenticated, the MSC passes the Kc to the
BSS (the BTS to be specific), and orders the BTS and MS to switch
to Cipher Mode. The Kc will never be passed on the Air Interface
(Um); it will be stored at the BTS.
Fig-12
Fig-12: The BTS inputs the Kc and the data payload into the A5
encryption algorithm resulting in an enciphered data stream. The MS
also inputs the Kc and the data payload into the A5 encryption
algorithm resulting in an enciphered data stream. It should be noted
that the A5 algorithm is a function of the Mobile Equipment (ME)
and not the SIM card.
COMP128
COMP128 is a single keyed hash function that takes the place of the
A3 and A8 algorithms and generates the SRES and Kc in a single
function. The Ki and RAND are fed into the COMP128 hash and the
result is a 32-bit SRES and a 54-bit Kc. Note that the A8 algorithm
generates a 64-bit Kc. So it is obvious that the COMP128 hash
generates a much weaker Kc.
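The triplet exchange of Fig-1 to Fig-11 and the 54-bit Kc noted for COMP128, as a runnable sketch. This is an added example, not part of the original report: HMAC-SHA-256 is used only as a stand-in for the operator-chosen A3/A8 functions (it is not COMP128), the HLR relay is folded into the AuC call, and the class names and the test IMSI are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[bytes, bytes, bytes]  # (RAND, SRES, Kc)


def _prf(ki: bytes, rand: bytes, label: bytes) -> bytes:
    # Assumption: HMAC-SHA-256 stands in for the real, operator-specific A3/A8.
    return hmac.new(ki, label + rand, hashlib.sha256).digest()


def a3(ki: bytes, rand: bytes) -> bytes:
    return _prf(ki, rand, b"A3")[:4]  # 32-bit SRES


def a8(ki: bytes, rand: bytes) -> bytes:
    return _prf(ki, rand, b"A8")[:8]  # 64-bit Kc


def comp128_style_kc(kc: bytes) -> bytes:
    """Clear the low 10 bits of a 64-bit Kc, leaving the 54 key bits the report cites."""
    return ((int.from_bytes(kc, "big") >> 10) << 10).to_bytes(8, "big")


class AuC:
    """Holds Ki per IMSI and produces triplets; Ki never leaves this object."""

    def __init__(self) -> None:
        self._ki: Dict[str, bytes] = {}

    def provision(self, imsi: str) -> bytes:
        ki = secrets.token_bytes(16)  # 128-bit Ki, written to the SIM at creation
        self._ki[imsi] = ki
        return ki

    def triplets(self, imsi: str, count: int = 3) -> List[Triplet]:
        ki = self._ki[imsi]  # KeyError for an IMSI that is not in the network
        out: List[Triplet] = []
        for _ in range(count):
            rand = secrets.token_bytes(16)  # 128-bit RAND
            out.append((rand, a3(ki, rand), a8(ki, rand)))
        return out


class Sim:
    """SIM side: holds Ki, runs A3/A8 on the RAND it is given."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki
        self.kc: Optional[bytes] = None

    def respond(self, rand: bytes) -> bytes:
        self.kc = a8(self._ki, rand)  # kept locally for A5, never sent
        return a3(self._ki, rand)     # SRES goes back to the network


class MscVlr:
    """Stores SRES and Kc, sends only RAND, and uses each triplet once."""

    def __init__(self, auc: AuC) -> None:
        self._auc = auc
        self._stock: Dict[str, List[Triplet]] = {}
        self._active: Dict[str, Triplet] = {}

    def challenge(self, imsi: str) -> bytes:
        stock = self._stock.setdefault(imsi, [])
        if not stock:  # fetch a batch to save signalling, as in Fig-6
            stock.extend(self._auc.triplets(imsi))
        self._active[imsi] = stock.pop(0)
        return self._active[imsi][0]

    def verify(self, imsi: str, sres: bytes) -> Optional[bytes]:
        triplet = self._active.pop(imsi, None)  # consumed whether or not it matches
        if triplet is None:
            return None
        _, expected, kc = triplet
        return kc if hmac.compare_digest(expected, sres) else None


if __name__ == "__main__":
    auc = AuC()
    imsi = "001010000000001"  # constructed test IMSI
    sim = Sim(imsi, auc.provision(imsi))
    msc = MscVlr(auc)
    kc = msc.verify(imsi, sim.respond(msc.challenge(imsi)))
    print("authenticated:", kc is not None, "Kc agrees:", kc == sim.kc)
```

Only the RAND and the SRES cross the air interface in this exchange; the Ki and the Kc stay on the SIM and on the network side.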
61. Mobile Originated Call
A Mobile Originated Call is a call that is initiated by the MS. The
following example is a mobile-originated call that terminates outside
the PLMN.
Request Access
1. The MS sends a Channel Request (CHAN_REQ) message on the
RACH.
2. The BSS responds with a radio resource assignment
(IMM_ASS_CMD) on the AGCH.
3. The MS sends a Service Request (CM_SERV_REQ) message to
the BSS on the SDCCH.
Authentication
4. Before the network will provide any services to the MS, the
network will require the MS to authenticate itself. The BSS sends
an Authentication Request (AUTH_REQ) message to the MS. The
RAND serves as the "challenge" for authentication.
5. The MS calculates the proper SRES based on the RAND that was
given and sends the SRES to the BSS in an Authentication
Response (AUTH_RESP) message.
6. The BSS verifies the SRES. If the SRES is correct then the MS is
authenticated and allowed access to the network. The BSS will send
a Service Accept (CM_SERV_ACC) message letting the MS know
that the service request was received and processed.
7. Once authenticated, the BSS orders the MS to switch to cipher
mode with the CIPH_MOD_CMD message.
Initial Call Setup
8. The MS will immediately switch to cipher mode and send a Cipher
Mode Complete (CIPH_MOD_COM) message.
9. The MS then sends a Call Setup (SETUP) message to the BSS. The
message includes the address information (MSISDN) of the called
party.
10. The BSS assigns a TCH to the MS by sending an Assignment
Command (ASS_CMD) message. This message includes which
Transceiver (TRX) and which Time Slot (TS) to use. The BSS does
not actually assign a TCH to the MS until the MSC sends a Call
Proceeding (CALL_PROC) message to the BSS indicating that the
IAM has been sent.
11. The MS immediately switches to the assigned TCH. The MS
sends an Assignment Complete (ASS_COM) message back to the
BTS on the FACCH. Remember that a FACCH is not a separate
channel; it is simply a stolen time slot from the TCH that is used for
signalling data instead of voice traffic.
Call Setup
12. The MSC sends an Initial Address Message (IAM) to the GMSC.
The IAM contains the MSISDN of the called party as the MS dialled
it. The MSC will also send a Call Proceeding (CALL_PROC)
message down to the BSS and this is when the BSS would assign a
TCH to the MS, as described in step 10 above.
13. Based on the dialled number, the GMSC decides where to route
the IAM within the PSTN.
14. The PSTN will continue to route the IAM until it reaches the
correct Switching Center and the call routing is complete. The PSTN
will then establish the call circuit and send an Address Complete
Message (ACM) back to the GMSC.
15. The GMSC then forwards the ACM back to the responsible MSC
indicating that the call circuit has been established.
Call Establishment
16. Once the MSC receives the ACM, it sends an ALERT message to
the MS indicating that the call is going through. The BSS sends the
ALERT message on the FACCH. Once the MS receives the ALERT,
it will generate the ringing sound in the earpiece. The BSS sends an
alerting message and the subscriber will hear the line ringing.
17. Once the called party answers the phone, the PSTN will send an
Answer message to the MSC. The MSC forwards this to the MS in
a Connection (CON) message.
18. Once the MS receives the CON message, it switches over to voice
and begins the call. All voice traffic occurs on the assigned TCH.
Call Termination
19. When either the caller or the called party hangs up, the call will be
disconnected. Either party can initiate the disconnection. In this
example, the MS initiates the disconnection. The MS sends
a Disconnect (DISC) message to the BTS on the FACCH.
20. The BSS forwards the DISC to the MSC. Once the MSC receives
the DISC message, it sends a Release (REL) message through the
GMSC to the PSTN as well as down through the BSS to the MS.
21. The MS responds by sending a Release Complete (REL_COM)
message to the BSS on the FACCH. The BSS forwards the
REL_COM message up to the MSC. Once the MSC receives the
REL_COM message the call is considered ended from the call
control perspective.
22. Although the call has ended, the BSS still has a TCH allocated to
the MS. The MSC sends a Channel Release (CHAN_REL) message
to the BSS. The BSS forwards the CHAN_REL message to the MS.
23. The MS responds with a DISC (LAPD) message and returns to an
idle mode. The BSS deallocates the channel and releases the TRX.
64. Mobile Terminated Call
The term Mobile Terminated Call refers to when the MS is the
receiver of a call. In this example, the call is originating from outside
the PLMN.
Route Establishment
1. The calling party dials the MSISDN for the mobile subscriber. The
PSTN identifies the network (PLMN) that the dialled MSISDN
belongs to and will locate a GMSC for that network. The PSTN sends
an Initial Address message to the GMSC.
2. The GMSC forwards the MSISDN to the HLR and requests routing
information for it. The HLR looks up the MSISDN and determines
the IMSI and the SS7 address for the MSC/VLR that is servicing the
MS.
3. The HLR then contacts the servicing MSC/VLR and asks it to
assign a Mobile Station Routing Number (MSRN) to the call.
4. The MSC/VLR allocates the MSRN and forwards it to the HLR.
Remember that the MSC/VLR assigns a MSRN to the call not to the
MS itself.
5. The HLR forwards the MSRN as well as routing information for
the servicing MSC/VLR to the GMSC.
6. The GMSC sends an Initial Addressing message to the servicing
MSC/VLR and uses the MSRN to route the call to the MSC/VLR.
Once the servicing MSC/VLR receives the call, the MSRN can be
released and may be made available for reassignment.
Paging the Mobile Station
7. The MSC/VLR then orders all of its BSCs and BTSs to page the
MS. Since the MSC/VLR does not know exactly which BSC and BTS
the MS is monitoring, the page will be sent out across the entire
Location Area.
Initial Setup
8. The MS receives the Page Request (PAG_REQ) on the PCH. The
MS recognizes that the page is intended for it, based on a TMSI or an
IMSI.
9. The MS sends a Channel Request (CHAN_REQ) message on the
RACH.
10. The BSS responds on the AGCH by sending an Immediate
Assignment (IMM ASS) message which assigns an SDCCH to the
MS. At this point, the network does not know that the MS is the one
that it is paging; it only knows that this MS wants access to the
network.
11. The MS immediately switches to the assigned SDCCH and sends
a Paging Response (PAG_RES) message on the SDCCH. This lets the
network know that the MS is responding to its page.
Authentication
12. Before the network will provide any services to the MS, the
network will require the MS to authenticate itself. The BSS sends
an Authentication Request (AUTH_REQ) message to the MS. The
RAND serves as the "challenge" for authentication.
13. The MS calculates the proper SRES based on the RAND that was
given and sends the SRES to the BSS in an Authentication
Response (AUTH_RESP) message.
14. The BSS verifies the SRES. If the SRES is correct then the MS is
authenticated and allowed access to the network.
15. Once the MSC/VLR has authenticated the MS, it will order the
BSS and MS to switch to cipher mode using the CIPH_MOD_CMD
message. Once the MS is in encryption mode, the VLR will normally
assign a new TMSI to the MS.
Establishing a Channel
16. Once the MS is authenticated and in encryption mode, the MSC
sends a Setup Message to the BSS; the BSS forwards the SETUP
message to the MS on the assigned SDCCH. The SETUP message
may include the Calling Line Identification Presentation (CLIP),
which is essentially caller ID.
17. The MS responds by sending a Call Confirmed (CALL_CON)
message, which indicates that the MS is able to establish the
requested connection. The BSS relays the message up to the MSC.
Call Setup
18. The BSS then sends an Assignment Command (ASS_CMD)
message to the MS on the assigned SDCCH. The ASS_CMD message
assigns a Traffic Channel (TCH) to the MS.
19. The MS immediately switches to the TCH and responds with
an Assignment Complete (ASS_COM) message on the FACCH. The
MS begins ringing once it has established the TCH.
Remember that all signalling that occurs on the traffic channel
actually occurs on a FACCH, which is a time slot that is stolen from
the TCH and used for signalling.
20. The MS sends an ALERT message to the MSC on the FACCH.
The BSS forwards the ALERT message through the PSTN to the
calling party and the caller hears the line ringing.
Establishing the Call
21. Once the user answers the call (by pressing the send button), the
MS will send a Connect (CON) message to the MSC. The Connect
message is forwarded back to the caller's switch to activate the call.
22. The MSC sends a Connect Acknowledge (CON_ACK) message to
the MS and the call is established.
Disconnecting the Call
23. A disconnect happens the same way as for any other call. In this
example, the calling party initiates the disconnect.
24. When the calling party hangs up, the calling party's switch
initiates a Release (REL) message. The message is forwarded to the
serving MSC, which then forwards it to the BSS.
25. The BSS will send a Disconnect (DISC) message to the MS on the
FACCH.
26. The MS confirms release of the call by sending a Release (REL)
message on the FACCH, which is forwarded to the MSC.
27. The MSC sends a Release Complete (REL_COM) message
through the BSS to the MS. As far as call control (CC) is concerned,
the connection has been terminated.
28. The MS still has a TCH assigned to it, so the BSS sends a Channel
Release (CHAN_REL) message to the MS. This releases the radio
resource on the Air Interface.
29. The MS responds by sending a final Disconnect message and
returns to idle.
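As an added example (not part of the original report), the Python sketch below encodes steps 8 to 22 as a state machine and checks a signalling trace against it, flagging messages that arrive out of order, from the wrong side, or on a channel other than the one the text names. The state names, the single NET sender standing for both BSS and MSC, the IMM_ASS spelling and the sample traces are assumptions made for the example.

```python
# Added example: conformance check of a signalling trace against the
# mobile-terminated call flow in steps 8-22. State names are assumptions.
# (state, message) -> (sender, channel or None if the text names none, next state)
FLOW = {
    ("IDLE", "PAG_REQ"): ("NET", "PCH", "PAGED"),
    ("PAGED", "CHAN_REQ"): ("MS", "RACH", "REQUESTED"),
    ("REQUESTED", "IMM_ASS"): ("NET", "AGCH", "ON_SDCCH"),
    ("ON_SDCCH", "PAG_RES"): ("MS", "SDCCH", "RESPONDED"),
    ("RESPONDED", "AUTH_REQ"): ("NET", None, "CHALLENGED"),
    ("CHALLENGED", "AUTH_RESP"): ("MS", None, "AUTHENTICATED"),
    ("AUTHENTICATED", "CIPH_MOD_CMD"): ("NET", None, "CIPHERED"),
    ("CIPHERED", "SETUP"): ("NET", "SDCCH", "SETUP_RCVD"),
    ("SETUP_RCVD", "CALL_CON"): ("MS", None, "CONFIRMED"),
    ("CONFIRMED", "ASS_CMD"): ("NET", "SDCCH", "ASSIGNED"),
    ("ASSIGNED", "ASS_COM"): ("MS", "FACCH", "ON_TCH"),
    ("ON_TCH", "ALERT"): ("MS", "FACCH", "RINGING"),
    ("RINGING", "CON"): ("MS", None, "ANSWERED"),
    ("ANSWERED", "CON_ACK"): ("NET", None, "IN_CALL"),
}

def check_trace(trace):
    """Return (final_state, findings) for a list of (sender, channel, message)."""
    state, findings = "IDLE", []
    for n, (sender, channel, msg) in enumerate(trace, 1):
        rule = FLOW.get((state, msg))
        if rule is None:
            findings.append(f"#{n} {msg}: not allowed in state {state}")
            break  # later messages cannot be judged once the order is broken
        want_sender, want_channel, state = rule
        if sender != want_sender:
            findings.append(f"#{n} {msg}: sent by {sender}, expected {want_sender}")
        if want_channel and channel != want_channel:
            findings.append(f"#{n} {msg}: on {channel}, expected {want_channel}")
    return state, findings

# Constructed traces (not captured traffic).
GOOD = [("NET", "PCH", "PAG_REQ"), ("MS", "RACH", "CHAN_REQ"),
        ("NET", "AGCH", "IMM_ASS"), ("MS", "SDCCH", "PAG_RES"),
        ("NET", "SDCCH", "AUTH_REQ"), ("MS", "SDCCH", "AUTH_RESP"),
        ("NET", "SDCCH", "CIPH_MOD_CMD"), ("NET", "SDCCH", "SETUP"),
        ("MS", "SDCCH", "CALL_CON"), ("NET", "SDCCH", "ASS_CMD"),
        ("MS", "FACCH", "ASS_COM"), ("MS", "FACCH", "ALERT"),
        ("MS", "FACCH", "CON"), ("NET", "FACCH", "CON_ACK")]
# Same start, but SETUP arrives with no authentication or cipher mode command.
NO_AUTH = GOOD[:4] + [("NET", "SDCCH", "SETUP")]

if __name__ == "__main__":
    for name, trace in (("GOOD", GOOD), ("NO_AUTH", NO_AUTH)):
        print(name, check_trace(trace))
```

A trace in which SETUP is delivered before AUTH_REQ, AUTH_RESP and CIPH_MOD_CMD stops at the RESPONDED state with a finding, which is the ordering guarantee steps 12 to 16 describe.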
SCOPE FOR FUTURE STUDY
New demands will be made in the future on mobile cellular systems as
individuals and businesses change the way they work. Access to the internet
will become more important and executives will want to access
corporate databases from virtually anywhere. New services will be
required in addition to speech and data, therefore network operators
will offer video and other multimedia applications. Advanced mobile
handsets will be required to handle large amounts of high-speed data
in what is known as the 3rd Generation Mobile System.
The European 3rd Generation system is known as UMTS (Universal
Mobile Telecommunication System) and ETSI is promoting a smooth
evolution from the present day GSM networks. The radio “Air
Interface” will be based on W-CDMA (Wideband Code Division
Multiple Access) using different frequency bands for the uplink and downlink.
The ITU calls the 3rd Generation Mobile System IMT-2000
(International Mobile Telecommunication 2000). IMT-2000 refers not
only to the approximate year when it is expected to be launched but
also the frequency band in the region of 2000 MHz.
IMT-2000 will provide a seamless, global communication service
through small, lightweight terminals. The 1992 World Administrative
Radio Conference (WARC) allocated the radio frequencies between
1885 MHz and 2200 MHz to be reserved for the IMT-2000 on a
global basis.
The GSM system will evolve towards UMTS through progressively newer
techniques that provide higher bandwidth. These steps are as follows:
High Speed Circuit Switched Data (HSCSD)
General Packet Radio Services (GPRS)
Enhanced Data Rates for GSM Evolution (EDGE)
3rd Generation Mobile System (3G)
Conclusion
In this Project, I have tried to give an overview of the GSM system. I
believe, however, that I gave the general flavour of GSM and the
philosophy behind its design. It is a standard that ensures
interoperability without stifling competition and innovation among
suppliers, to the benefit of the public both in terms of cost and service
quality.
Telecommunications are evolving towards personal communication
networks, whose objective can be stated as the availability of all
communication services anytime, anywhere, to anyone, by a single
identity number and a pocketable communication terminal. Having a
multitude of incompatible systems throughout the world moves us
farther away from this ideal. The economies of scale created by a
unified system are enough to justify its implementation terminal
anywhere they go, regardless of national boundaries.
The GSM system and its sibling systems operating at 1.8 GHz (called
DCS 1800) and 1.9 GHz (called GSM 900 or PCS1900, and operating
in North America), are a first approach at a true personal
communication system. The SIM card is a novel approach that
implements personal mobility in addition to terminal mobility.
Together with international roaming and support for a variety of
services such as telephony, data transfer, fax, short message services
and supplementary services, GSM comes close to being used as a
basis for the next generation of mobile communication technology in
Europe, the Universal Mobile Telecommunication System (UMTS).
Another point where GSM has shown its commitment to openness,
standards and interoperability is the compatibility with Integrated
Services Digital Network (ISDN) that is evolving in most
industrialized countries and Europe in particular (the so-called
Euro-ISDN). GSM is also the first system to make extensive use of the
intelligent networking concept, in which services like 800 numbers
are concentrated and handled the country. This is the concept behind
the use of the various registers such as the HLR. Number 7, an
international standard already deployed in many countries and
specified as the backbone signalling network for ISDN.
GSM is a very complex standard, but that is probably the price that
must be paid to achieve the level of integrated service and quality
offered while subject to the rather severe restrictions imposed by the
radio environment.
I am highly grateful to Mr. Arun Sharma for his support and guidance given
to me for the successful completion of my project. This Project
provides the knowledge about various technologies in the
communication field.