Training report on
Industrial training at
IDEA
Submitted to:-
Submitted by:-
Atul Sharma, B.Tech II year, ECE
Maharaja Agrasen Institute Of Technology,
GGSIPU
Under:- Mr. Hemraj Mandal
Start Date for Internship:-June 24th 2013
End Date for Internship:-July 30th 2013
Preface
This report documents the work done during the summer internship at
Idea Cellular Pvt. Ltd., Vikaspuri, Delhi, under the guidance of Mr.
Manmohan Gaur. The report first gives an overview of the tasks
performed during the period of internship, then the technical details of
GSM and its various interfaces, and the conclusions drawn from them.
The report also elaborates on the future scope of GSM
technology.
I have tried my best to keep the report simple yet technically correct. I
hope I succeed in my attempt.
Atul Sharma
Acknowledgement
On the very outset of this report, I would like to extend my sincere &
heartfelt obligation towards all the personages who have helped me in
this endeavour. Without their active guidance, help, cooperation &
encouragement, I would not have made headway in the project.
First and foremost, I would like to express my sincere gratitude to my
project guide, Mr. Hemraj Mandal.
I was privileged to experience a sustained enthusiastic and involved
interest from his side. This fuelled my enthusiasm even further and
encouraged me to boldly step into what was a totally dark and
unexplored expanse before me.
I would also like to thank Mr. Manmohan Gaur who, despite his
busy schedule, always guided me in the right direction.
Last but not least, I would like to thank Mr. Arun Sharma for
teaching and helping me at all the places.
I extend my gratitude to Maharaja Agrasen Inst. Of Tech. for giving
me this opportunity.
Thank You
Atul Sharma
Table of Contents
Abstract
Introduction to GSM
What is GSM?
GSM history
Advantage of GSM
Technical details
Three Subsystems of GSM
Base station subsystem (BSS)
Base Station Controller (BSC)
Base Transceiver Station (BTS)
Transcoder (TC)
Network switching subsystem
Mobile Services Switching Centre (MSC)
Visitor Location Register (VLR)
Home Location Register (HLR)
Authentication Centre (AC)
Equipment Identity Register (EIR)
Network management subsystem
Transmission
Introduction to radio transmission
Frequency Division Multiple Access (FDMA)
Absolute Radio Frequency Channel Number (ARFCN)
Time Division Multiple Access (TDMA)
Time Frames
Time slots
Multiple frames
Control channel
Traffic channel
Super frame
Hyper frame
Physical and Logical channel
Logical channel
Signalling channel
Broadcast channel
Common control channel
Dedicated control channel
Traffic channel
Full rate
Half rate
Data Burst
Normal burst
Frequency correction burst
Synchronisation burst
Access burst
Frequency hopping
Traffic management
Location update
Handover
Timing advances
Authentication and Encryption
Authentication procedures
Mobile originated call
Mobile terminated call
Future scope
Conclusion
Abstract
This project is a part of summer training at Idea Cellular
Pvt. Ltd., Delhi, and covers analysis and knowledge
of GSM. GSM is used worldwide and has advantages
over other systems for mobile communication. The report
includes details about the GSM structure and its features,
and about the subsystems of GSM and their roles while initiating and
terminating a call.
It covers the FDMA and TDMA techniques in use, and all
kinds of aspects related to the call traffic and transmission
carried out in mobile networking. It also tells us about
the future scope of using GSM.
Introduction to GSM
What is GSM?
GSM is a digital cellular network. At the time the standard was
developed it offered much higher capacity than the current analog
systems. It also allowed for a more optimal allocation of the radio
spectrum, which therefore allows for a larger number of subscribers.
GSM offers a number of services including voice communications,
Short Message Service (SMS), fax, voice mail, and other
supplemental services such as call forwarding and caller ID.
Currently there are several bands in use in GSM. 450 MHz, 850
MHz, 900 MHz, 1800 MHz, and 1900 MHz are the most common
ones.
Some bands also have Extended GSM (EGSM) bands added to them,
increasing the amount of spectrum available for each band.
GSM makes use of Frequency Division Multiple Access (FDMA) and
Time Division Multiple Access (TDMA).
Figure: GSM antenna
GSM history
At the beginning of the 1980s it was realised that the European
countries were using many different, incompatible mobile phone
systems. At the same time, the need for telecommunication services
had increased remarkably. Due to this, CEPT (Conférence
Européenne des Postes et Télécommunications) founded a group to
specify a common mobile system for Western Europe. This group was
named “Groupe Spéciale Mobile” and the system name GSM arose.
This abbreviation has since been interpreted in other ways, but the
most common expression nowadays is Global System for Mobile
communications.
At the beginning of the 1990s, the lack of a common mobile system
was seen to be a general, worldwide problem. For this reason the
GSM system has now spread also to the Eastern European countries,
Africa, Asia and Australia. The USA, South America in general and
Japan had made a decision to adopt other types of mobile systems
which are not compatible with GSM. However, in the USA the
Personal Communication System (PCS) has been adopted, which uses GSM
technology with a few variations.
During the time the GSM system was being specified, it was foreseen
that national telecommunication monopolies would be disbanded.
Advantage of GSM
Due to the use of the common GSM system across the world, it
offered many advantages as follows:-
• GSM uses radio frequencies efficiently, and due to the digital
radio path, the system tolerates more intercell disturbances.
• The average quality of speech achieved is better than in
analogue cellular systems.
• Data transmission is supported throughout the GSM system.
• Speech is encrypted and subscriber information security is
guaranteed.
• Due to the ISDN compatibility, new services are offered
compared to the analogue systems.
• International roaming is technically possible within all countries
using the GSM system.
• The large market increases competition and lowers the prices
both for investments and usage.
Technical details
GSM is a cellular network, which means that mobile phones connect
to it by searching for cells in the immediate vicinity. GSM networks
operate in four different frequency ranges. Most GSM networks
operate in the 850 MHz and 1900 MHz bands. The rarer 400 and 500
MHz frequency bands are assigned in some countries, notably
Scandinavia, where these frequencies were previously used for
first-generation systems.
In the 900 MHz band the uplink frequency band is 890-915 MHz, and
the downlink frequency band is 935-960 MHz. This 25 MHz
bandwidth is subdivided into 124 carrier frequency channels, each
spaced 200 kHz apart. Time division multiplexing is used to allow
eight full-rate or sixteen half-rate speech channels per radio frequency
channel. There are eight radio timeslots (giving eight burst periods)
grouped into what is called a TDMA frame. Half rate channels use
alternate frames in the same timeslot. The transmission power in the
handset is limited to a maximum of 2 watts in GSM 850/900 and 1
watt in GSM 1800/1900.
GSM has used a variety of voice codecs to squeeze 3.1 kHz audio
into between 5.6 and 13 kbit/s. Originally, two codecs, named after
the types of data channel they were allocated, were used, called
Half Rate (5.6 kbit/s) and Full Rate (13 kbit/s). These used a system
based upon linear predictive
coding (LPC). In addition to being efficient with bit rates, these
codecs also made it easier to identify more important parts of the
audio, allowing the air interface layer to prioritize and better protect
these parts of the signal. GSM was further enhanced in 1997 with the
Enhanced Full Rate (EFR) codec, a 12.2 kbit/s codec that uses a full
rate channel.
The modulation used in GSM is Gaussian Minimum-Shift Keying
(GMSK), a kind of continuous-phase frequency shift keying. In
GMSK, the signal to be modulated onto the carrier is first smoothed
with a Gaussian low-pass filter prior to being fed to a frequency
modulator, which greatly reduces the interference to neighbouring
channels (adjacent channel interference).
Three Subsystems of GSM
In a GSM network, this decentralised intelligence is implemented by
dividing the whole network into three separate subsystems:
• Network Switching Subsystem (NSS)
• Base Station Subsystem (BSS)
• Network Management Subsystem (NMS)
Base Station Subsystem (BSS) is responsible for handling
traffic and signalling between a mobile phone and the network
switching subsystem. The BSS carries out transcoding of speech
channels, allocation of radio channels to mobile phones,
paging transmission and reception over the air interface and many
other tasks related to the radio network.
The Base Station Subsystem consists of the following elements:
• Base Station Controller (BSC)
• Base Transceiver Station (BTS)
• Transcoder (TC)
The Base Station Controller (BSC) is the central network
element of the BSS and it controls the radio network. This means that
the main responsibilities of the BSC are: Connection establishment
between MS and NSS, Mobility management, Statistical raw data
collection, Air and A interface signalling support.
The Base Transceiver Station (BTS) is a network element
maintaining the Air interface. It takes care of Air interface
signalling, Air interface ciphering and speech processing. In this
context, speech processing refers to all the functions the BTS
performs in order to guarantee an error-free connection between the
MS and the BTS.
Figure: Base Transceiver Station (BTS)
The Transcoder (TC) is a BSS element taking care of speech
transcoding, i.e. it is capable of converting speech from one digital
coding format to another and vice versa. We will describe more about
the Transcoder functions later.
Figure: Base Station Subsystem (BSS)
Network switching subsystem (NSS) (or GSM core
network) is the component of a GSM system that carries out call
switching and mobility management functions for mobile
phones roaming on the network of base stations.
The elements of Network Switching Subsystem are:
• MSC (Mobile Services Switching Centre)
• VLR (Visitor Location Register)
• HLR (Home Location Register)
• Authentication Centre (AC)
• Equipment Identity Register (EIR)
The MSC (Mobile Services Switching Centre) is responsible
for controlling calls in the mobile network. It identifies the origin and
destination of a call (either a mobile station or a fixed telephone in
both cases), as well as the type of a call. An MSC acting as a bridge
between a mobile network and a fixed network is called a Gateway
MSC.
The VLR (Visitor Location Register) carries out location
registrations and updates. A VLR database is always temporary (in
the sense that the data is held as long as the subscriber is within its
service area).
The HLR (Home Location Register) maintains a permanent
register of the subscribers. In addition to the fixed data, the HLR also
maintains a temporary database which contains the current location of
its customers. This data is required for routing calls.
Authentication is a procedure used in checking the validity and
integrity of subscriber data. With the help of the authentication
procedure the operator prevents the use of false SIM modules in the
network.
Equipment Identity Register (EIR): An option exists in GSM
where the network may check the validity of the mobile station
hardware. The mobile station is requested to provide the
International Mobile Equipment Identity (IMEI) number. This
number consists of type approval code, final assembly code and serial
number of the mobile station. The network stores the IMEI numbers
in the Equipment Identity Register (EIR).
Figure: Network switching subsystem (NSS)
The Network management subsystem (NMS) is the
operation and maintenance related part of the network and it is needed
for the control of the whole GSM network. The network operator
observes and maintains network quality and service offered through
the NMS. The three subsystems in a GSM network are linked by the
Air, A and O&M interfaces as shown.
Figure: The three subsystems of GSM and their interfaces
TRANSMISSION
Introduction to radio transmission
In a mobile communications network, part of the transmission
connection uses a radio link and another part uses 2 Mbit/s PCM
links. Radio transmission is used between the Mobile Station and the
Base Transceiver Station, and the information must be adapted to be
carried over 2 Mbit/s PCM transmission through the remainder of the
network. The radio link is the most vulnerable part of the connection
and a great deal of work is needed to ensure its high quality and
reliable operation.
The uplink refers to a signal flow from Mobile Station (MS) to
Base Transceiver Station (BTS) and the downlink refers to a signal
flow from Base Transceiver Station (BTS) to Mobile Station (MS).
The simultaneous use of separate uplink and downlink frequencies
enables communication in both the transmit (TX) and receive (RX)
directions. The radio carrier frequencies are arranged in pairs and
the difference between these two frequencies (uplink and downlink) is
called the Duplex Frequency.
Frequency Division Multiple Access (FDMA)
GSM divides the allocated spectrum for each band up into individual
carrier frequencies. Carrier separation is 200 kHz. This is the FDMA
aspect of GSM.
Absolute Radio Frequency Channel Number
(ARFCN)
The ARFCN is a number that describes a pair of frequencies, one
uplink and one downlink. The uplink and downlink frequencies each
have a bandwidth of 200 kHz. The uplink and downlink have a
specific offset that varies for each band. The offset is the frequency
separation of the uplink from the downlink. Every time the ARFCN
increases, the uplink will increase by 200 kHz and the downlink also
increases by 200 kHz.
An ARFCN has an allowed bandwidth of 200 kHz, which
corresponds exactly to the carrier separation. The frequency of the
ARFCN refers to its center frequency. If an ARFCN has a frequency
of 914.80 MHz, then it occupies the frequency space from 914.7 MHz
to 914.9 MHz (200 kHz total). Because of the nature of the
modulation method (GMSK) and data rate used in GSM, the actual
physical bandwidth will be about 135.4 kHz. The unused bandwidth
for each ARFCN acts as a buffer between other ARFCN to avoid
interference.
The following table summarizes the frequency ranges, offsets, and
ARFCNs for several popular bands.
Table: GSM Bands
The following diagram illustrates an ARFCN with paired uplink and
downlink frequencies for ARFCN 1 in the GSM 900 band.
Figure: GSM900 ARFCN 1
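The ARFCN-to-frequency mapping described above can be worked through in code. This is an added example, not part of the original report: the P-GSM 900 row uses the figures given in the text (890-915 MHz uplink, 200 kHz spacing, 124 carriers), while the other band rows and the band names are taken from 3GPP TS 45.005 and are assumptions as far as this page is concerned. Because DCS 1800 and PCS 1900 reuse the same ARFCN numbers, the band has to be named explicitly.

```python
"""Map GSM ARFCNs to uplink/downlink centre frequencies (integer kHz)."""

SPACING_KHZ = 200  # carrier separation stated in the text

# band -> (duplex offset kHz, [(first ARFCN, last ARFCN, uplink kHz at first)])
# P-GSM 900 follows the figures in the text; the other rows come from
# 3GPP TS 45.005, not from this page.
BANDS = {
    "GSM 850":   (45_000, [(128, 251, 824_200)]),
    "P-GSM 900": (45_000, [(1, 124, 890_200)]),
    "E-GSM 900": (45_000, [(0, 124, 890_000), (975, 1023, 880_200)]),
    "DCS 1800":  (95_000, [(512, 885, 1_710_200)]),
    "PCS 1900":  (80_000, [(512, 810, 1_850_200)]),
}


def arfcn_to_khz(band, arfcn):
    """Return (uplink_khz, downlink_khz) for an ARFCN in the named band."""
    offset, ranges = BANDS[band]
    for first, last, uplink_at_first in ranges:
        if first <= arfcn <= last:
            uplink = uplink_at_first + (arfcn - first) * SPACING_KHZ
            return uplink, uplink + offset
    raise ValueError(f"ARFCN {arfcn} is not defined in {band}")


def occupied_khz(centre_khz):
    """Return the (low, high) edges of the 200 kHz slot around a centre."""
    half = SPACING_KHZ // 2
    return centre_khz - half, centre_khz + half


def downlink_to_arfcn(downlink_khz):
    """Return every (band, ARFCN) whose downlink centre is downlink_khz.

    More than one band can match, so a measured carrier frequency alone
    does not always identify the band.
    """
    hits = []
    for band, (offset, ranges) in BANDS.items():
        for first, last, uplink_at_first in ranges:
            steps, rem = divmod(downlink_khz - offset - uplink_at_first,
                                SPACING_KHZ)
            if rem == 0 and 0 <= steps <= last - first:
                hits.append((band, first + steps))
    return hits


if __name__ == "__main__":
    for band, n in [("P-GSM 900", 1), ("P-GSM 900", 124),
                    ("DCS 1800", 512), ("PCS 1900", 512)]:
        up, down = arfcn_to_khz(band, n)
        print(f"{band:10s} ARFCN {n:4d}: uplink {up / 1000:.1f} MHz, "
              f"downlink {down / 1000:.1f} MHz")
```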
Time Division Multiple Access (TDMA)
Introduction
GSM uses Time Division Multiple Access (TDMA) as its access
scheme. This is how the MS interfaces with the network. TDMA is
the protocol used on the Air (Um) Link. GSM uses Gaussian
Minimum-Shift Keying (GMSK) as its modulation method.
Time Division means that the frequency is divided up into blocks of
time and only certain logical channels are transmitted at certain times.
The time divisions in TDMA are known as Time Slots.
Time Slots
A frequency is divided up into 8 time slots, numbered 0 to 7.
Figure: Time Slots
On a side note, remember that GSM carrier frequencies are separated by
200 kHz and that GSM operates in duplex. A channel number assigned to
a pair of frequencies, one uplink and one downlink, is known as an
Absolute Radio Frequency Channel Number (ARFCN). Each time
slot lasts 576.9 µs. A time slot is the basic radio resource used to
facilitate communication between the MS and the BTS.
Figure: Time Slot Duration
Data Rates
As stated earlier, GSM uses Gaussian Minimum-Shift Keying
(GMSK) as its modulation method. GMSK provides a modulation
rate of 270.833 kilobits per second (kb/s).
At that rate, a maximum of 156.25 bits can be transmitted in each
time slot (576.9 µs).
270.833 kb/s × 1000 = 270,833 bits/sec (converting from kilobits
to bits)
270,833 b/sec ÷ 1,000,000 = 0.270833 b/µs (calculating bits per
microsecond)
0.270833 b/µs × 576.9 µs = 156.25 bits (calculating number of
bits per time slot)
Figure: Bits in a Time Slot
So, 156.25 bits can be transmitted in a single time slot.
TDMA Frame Structure & Hierarchy
TDMA Frame
Each sequence of 8 time slots is known as a TDMA frame. The
duration of a TDMA frame is 4.615 milliseconds (ms) (576.9 µs × 8).
* Remember that a TDMA frame is 8 time slots and that no one
resource will be given an entire TDMA frame, the resources must
share them.
Figure: A TDMA Frame
Multiframe
A Multiframe is composed of multiple TDMA frames.
There are two types of multiframes:
• Control Channel Multiframes
• Traffic Channel Multiframes
Control Channel Multiframe
composed of 51 TDMA frames
duration = 235.4 ms
Figure: Control Channel Multiframe
Traffic Channel Multiframe
composed of 26 TDMA frames
duration = 120 ms
Figure: Traffic Channel Multiframe
Here is a diagram comparing the Control Channel multiframe and a
traffic channel multiframe.
Figure: Traffic Channel and Control Channel Multiframes
The next diagram shows a Traffic Channel (TCH) Multiframe with
TS2 (green) being allocated to a Mobile Station (MS). The red arrow
indicates the sequence of transmission. The sequence starts in TDMA
frame 0 at TS0, proceeds through all eight time slots, then starts again
with TDMA frame 1.
In this example, the MS has been allocated a Traffic Channel in TS2.
Therefore the MS will only transmit/receive during TS2 of each
TDMA frame.
Figure: Single Time Slot Allocated
Superframe
A Superframe is composed of multiple Multiframes.
Again, there is a superframe for Control Channels and one for Traffic
Channels.
Control Channel Superframe
composed of 26 Control Channel (CCH) multiframes (each CCH
multiframe has 51 TDMA frames)
Duration = 6.12 seconds
Traffic Channel Superframe
composed of 51 Traffic Channel (TCH) multiframes (each TCH
multiframe has 26 TDMA frames)
Duration = 6.12 seconds
Each superframe, whether it is a CCH or TCH frame, consists of 1326
TDMA frames (51 * 26)
Hyperframe
A Hyperframe is composed of 2048 Superframes.
Duration = 3h 28m 53s 76ms (12,533.76 seconds)
consists of 2,715,648 TDMA frames.
Each TDMA frame is numbered according to its sequence within the
hyperframe, starting from 0 and ending at 2,715,647.
The TDMA frame number within a hyperframe is abbreviated FN. The
FN is one of the variables used in GSM encryption algorithms.
The following diagram shows the relationship between all of the
various time segments.
Figure: Relation of all segments
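The frame hierarchy above, and the way the FN feeds the cipher, can be checked with a short script. This is an added example, not part of the original report: the names T1, T2 and T3 and the 22-bit packing of the cipher frame counter (COUNT) follow 3GPP TS 45.002 and TS 43.020 and are assumptions as far as this page is concerned; the frame counts and durations are the ones given in the text.

```python
"""GSM TDMA frame number (FN) arithmetic within one hyperframe."""
from fractions import Fraction

TCH_MULTIFRAME = 26                             # frames per traffic multiframe
CCH_MULTIFRAME = 51                             # frames per control multiframe
SUPERFRAME = TCH_MULTIFRAME * CCH_MULTIFRAME    # 1326 TDMA frames
SUPERFRAMES_PER_HYPERFRAME = 2048
HYPERFRAME = SUPERFRAMES_PER_HYPERFRAME * SUPERFRAME   # 2,715,648 frames
FRAME_MS = Fraction(120, 26)   # 26 frames last 120 ms, about 4.615 ms each


def decompose(fn):
    """Split an FN into (T1, T2, T3).

    T1 = superframe index (0..2047), T2 = position in the 26-frame
    multiframe, T3 = position in the 51-frame multiframe.
    """
    if not 0 <= fn < HYPERFRAME:
        raise ValueError(f"FN must be in 0..{HYPERFRAME - 1}")
    return fn // SUPERFRAME, fn % TCH_MULTIFRAME, fn % CCH_MULTIFRAME


def recompose(t1, t2, t3):
    """Rebuild the FN from (T1, T2, T3).

    26 and 51 share no common factor, so each (T2, T3) pair occurs
    exactly once per superframe and the FN is fully determined.
    """
    if not (0 <= t1 < SUPERFRAMES_PER_HYPERFRAME
            and 0 <= t2 < TCH_MULTIFRAME and 0 <= t3 < CCH_MULTIFRAME):
        raise ValueError("T1, T2 or T3 out of range")
    return (SUPERFRAME * t1
            + CCH_MULTIFRAME * ((t3 - t2) % TCH_MULTIFRAME) + t3)


def cipher_count(fn):
    """22-bit per-frame counter: T1 (11 bits) | T3 (6 bits) | T2 (5 bits)."""
    t1, t2, t3 = decompose(fn)
    return (t1 << 11) | (t3 << 5) | t2


def next_fn(fn):
    """Frame number of the following TDMA frame; wraps at the hyperframe."""
    return (fn + 1) % HYPERFRAME


def elapsed_ms(frames):
    """Exact duration of a number of TDMA frames, in milliseconds."""
    return frames * FRAME_MS


if __name__ == "__main__":
    for fn in (0, 1000, SUPERFRAME, HYPERFRAME - 1):
        print(fn, decompose(fn), f"COUNT=0x{cipher_count(fn):06x}")
    print("hyperframe lasts", float(elapsed_ms(HYPERFRAME)) / 1000, "s")
```

The counter value repeats only when the FN wraps, which is why the hyperframe is made as long as it is.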
Physical and Logical Channels
Time Division Multiple Access (TDMA) divides one radio
frequency channel into consecutive periods of time, each one called a
"TDMA Frame". Each TDMA Frame contains eight shorter periods
of time known as "Timeslots". The TDMA timeslots are called
"Physical Channels" as they are used to physically move
information from one place to another.
The radio carrier signal between the Mobile Station and the BTS is
divided into a continuous stream of timeslots which in turn are
transmitted in a continuous stream of TDMA frames. The 8 timeslots
are further broken up into logical channels.
Logical channels can be thought of as just different types of data that
is transmitted only on certain frames in a certain timeslot. Different
time slots will carry different logical channels, depending on the
structure the BSS uses.
Logical Channels are of two types:-
Signalling Channels
Traffic Channels (TCH)
Signaling Channels
These are the main types of signaling Channels:
Broadcast Channels (BCH) - Transmitted by the BTS to the MS.
This channel carries system parameters needed to identify the
network, synchronize time and frequency with the network, and gain
access to the network.
Common Control Channels (CCCH) - Used for signaling
between the BTS and the MS and to request and grant access to the
network.
Standalone Dedicated Control Channels (SDCCH) - Used
for call setup.
Associated Control Channels (ACCH) - Used for signaling
associated with calls and call-setup. An ACCH is always allocated in
conjunction with a TCH or a SDCCH.
The above categories can be divided into the following logical
channels:
Broadcast Channels (BCH)
• Broadcast Control Channel (BCCH)
• Frequency Correction Channel (FCCH)
• Synchronization Channel (SCH)
• Cell Broadcast Channel (CBCH)
Common Control Channels (CCCH)
• Paging Channel (PCH)
• Random Access Channel (RACH)
• Access Grant Channel (AGCH)
Dedicated Control Channel (DCCH)
• Standalone Dedicated Control Channel (SDCCH)
• Fast Associated Control Channel (FACCH)
• Slow Associated Control Channel (SACCH)
Let's examine each type of logical channel individually.
Broadcast Channels (BCH)
Broadcast Control Channel (BCCH) - DOWNLINK - This
channel contains system parameters needed to identify the network
and gain access. These parameters include the Location Area Code
(LAC), the Mobile Network Code (MNC), the frequencies of
neighbouring cells, and access parameters.
Frequency Correction Channel (FCCH) - DOWNLINK -
This channel is used by the MS as a frequency reference. This channel
contains frequency correction bursts.
Synchronization Channel (SCH) - DOWNLINK - This
channel is used by the MS to learn the Base Station Identity Code
(BSIC) as well as the TDMA frame number (FN). This lets the MS
know which TDMA frame it is on within the hyperframe.
Cell Broadcast Channel (CBCH) - DOWNLINK - This
channel is not truly its own type of logical channel. The CBCH is
for point-to-omnipoint messages. It is used to broadcast specific
information to network subscribers, such as weather, traffic, sports,
stocks, etc. Messages can be of any nature depending on what service
is provided. Messages are normally public service type messages or
announcements. The CBCH isn’t allocated a slot for itself; it is
assigned to an SDCCH. It only occurs on the downlink. The CBCH
usually occupies the second subslot of the SDCCH. The mobile will
not acknowledge any of the messages.
Common Control Channels (CCCH)
Paging Channel (PCH) - DOWNLINK - This channel is used
to inform the MS that it has incoming traffic. The traffic could be a
voice call, SMS, or some other form of traffic.
Random Access Channel (RACH) - UPLINK - This channel is
used by a MS to request an initial dedicated channel from the BTS.
This would be the first transmission made by a MS to access the
network and request radio resources. The MS sends an Access
Burst on this channel in order to request access.
Access Grant Channel (AGCH) - DOWNLINK - This
channel is used by a BTS to notify the MS of the assignment of an
initial SDCCH for initial signaling.
Dedicated Control Channels (DCCH)
Standalone Dedicated Control Channel (SDCCH) -
UPLINK/DOWNLINK - This channel is used for signaling and
call setup between the MS and the BTS.
Fast Associated Control Channel (FACCH) -
UPLINK/DOWNLINK - This channel is used for control
requirements such as handoffs. There is no TS and frame allocation
dedicated to a FACCH. The FACCH is a burst-stealing channel: it
steals a Timeslot from a Traffic Channel (TCH).
Slow Associated Control Channel (SACCH) -
UPLINK/DOWNLINK - This channel is a continuous stream
channel that is used for control and supervisory signals associated
with the traffic channels.
Traffic Channels (TCH)
Traffic Channels are used to carry two types of information to and
from the user:-
• Encoded Speech
• Data
Encoded Speech - Encoded speech is voice audio that is
converted into digital form and compressed.
Full Rate Speech TCH (TCH/FS) - 13 kb/s
Half Rate Speech TCH (TCH/HS) - 5.6 kb/s
Data - Data refers to user data such as text messages, picture
messages, internet browsing, etc. It includes pretty much
everything except speech.
Full rate Data TCH (TCH/F14.4) - 14.4 kb/s
Full rate Data TCH (TCH/F9.6) - 9.6 kb/s
Full rate Data TCH (TCH/F4.8) - 4.8 kb/s
Half rate Data TCH (TCH/H4.8) - 4.8 kb/s
Full rate Data TCH (TCH/F2.4) - ≤2.4 kb/s
Half rate Data TCH (TCH/H2.4) - ≤2.4 kb/s
Data Burst
The data transmitted during a single time slot is known as a burst.
Each burst allows 8.25 bits for guard time within a time slot. This is
to prevent bursts from overlapping and interfering with transmissions
in other time slots. Subtracting this from the 156.25 bits, there are 148
bits usable for each burst.
There are four main types of bursts in TDMA:
Normal Burst (NB)
Frequency Correction Burst (FB)
Synchronization Burst (SB)
Access Burst (AB)
Normal Burst
The data transmitted during a single time slot is known as a burst.
Each burst allows 8.25 bits for guard time. This is to prevent bursts
from overlapping and interfering with transmissions in other time
slots.
Out of 156.25, this leaves 148 bits usable for each burst.
Here is the structure of a normal burst:
Figure: Normal Burst
Tail Bits - Each burst leaves 3 bits on each end in which no data is
transmitted. This is designed to compensate for the time it takes for
the power to rise up to its peak during a transmission. The bits at the
end compensate for the powering down at the end of the transmission.
Data Bits - There are two data payloads of 57 bits each.
Stealing Flags - Indicates whether the burst is being used for
voice/data (set to "0") or if the burst is being "stolen" by
the FACCH to be used for signalling (set to "1").
Training Sequence - The training sequence bits are used to
overcome multi-path fading and propagation effects through a method
called equalization.
This diagram illustrates a single burst inside a time slot. Remember
that 8.25 bits are not used in order to allow for a guard time.
Figure: Burst within a Time Slot
Since each burst has two 57-bit data segments, we can see that a
single burst has a data payload of 114 bits.
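The normal-burst layout described above can be expressed as a small parser. This is an added example, not part of the original report: the 26-bit training-sequence width is what remains of the 148 usable bits after the tail, data and stealing-flag fields, the all-zero tail bits follow the GSM specification rather than this page, and the sample burst is constructed for illustration.

```python
"""Split a GSM normal burst (148 bits) into its fields."""
from fractions import Fraction

SLOT_BITS = Fraction("156.25")        # bit periods per time slot (from the text)

# Field order and widths of a normal burst. The training width (26) is
# derived: 148 - 2*3 tail - 2*57 data - 2*1 stealing flag.
NORMAL_LAYOUT = [
    ("tail_start", 3), ("data_1", 57), ("steal_1", 1), ("training", 26),
    ("steal_2", 1), ("data_2", 57), ("tail_end", 3),
]
NORMAL_BITS = sum(width for _, width in NORMAL_LAYOUT)      # 148
NORMAL_GUARD = SLOT_BITS - NORMAL_BITS                      # 8.25 bit periods
ACCESS_GUARD = Fraction("68.25")                            # from the text
ACCESS_BITS = SLOT_BITS - ACCESS_GUARD                      # 88 bits


def split_normal_burst(bits):
    """Return {field: bit string} for a 148-character string of 0s and 1s."""
    if len(bits) != NORMAL_BITS or set(bits) - {"0", "1"}:
        raise ValueError(f"expected {NORMAL_BITS} characters of '0'/'1'")
    fields, pos = {}, 0
    for name, width in NORMAL_LAYOUT:
        fields[name] = bits[pos:pos + width]
        pos += width
    # Assumption from the GSM specification: tail bits are all zero.
    if fields["tail_start"] != "000" or fields["tail_end"] != "000":
        raise ValueError("tail bits must be 000")
    return fields


def build_normal_burst(data_1, data_2, training, steal_1="0", steal_2="0"):
    """Assemble a normal burst from its variable fields."""
    burst = "000" + data_1 + steal_1 + training + steal_2 + data_2 + "000"
    split_normal_burst(burst)          # reuse the length and content checks
    return burst


def describe(bits):
    """Return (114-bit payload, usage of first half, usage of second half)."""
    f = split_normal_burst(bits)
    usage = {"0": "voice/data", "1": "stolen by FACCH"}
    return (f["data_1"] + f["data_2"],
            usage[f["steal_1"]], usage[f["steal_2"]])


if __name__ == "__main__":
    # Constructed sample: arbitrary payload, placeholder training bits.
    sample = build_normal_burst("10" * 28 + "1", "0" * 57, "01" * 13,
                                steal_1="1")
    payload, first, second = describe(sample)
    print(len(payload), first, "|", second)
    print("guard:", float(NORMAL_GUARD), "access burst bits:", ACCESS_BITS)
```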
Frequency Correction Burst
This burst is used for frequency synchronization of the mobile station.
It is an unmodulated carrier that shifts in frequency. It has the same
guard time as a normal burst (8.25 bits). The broadcast of the FB usually
occurs on the logical channel FCCH.
Figure: Frequency Correction Burst
Synchronization Burst
This burst is used for time synchronization of the mobile. The data
payload carries the TDMA Frame Number (FN) and the Base Station
Identity Code (BSIC). It is broadcast with the frequency correction
burst. The Synchronization Burst is broadcast on the Synchronization
Channel (SCH).
Figure: Synchronization Burst
Access Burst
This burst is used by the mobile station for random access. It has a much
longer guard period (68.25 bits compared to the 8.25 bits in a normal
burst). It is designed to compensate for the unknown distance of the
mobile station from the tower: when the MS wants access to a new
BTS, it will not know the correct Timing Advance.
Figure: Access Burst
Frequency Hopping
Each radio frequency Channel (ARFCN) is influenced differently by
propagation conditions. What affects channel 23 may not affect
channel 78 at all. Within a given cell, some frequencies will have
good propagation in a certain area and some will have poor
propagation in that area. In order to take advantage of the good
propagation and to defeat the poor propagation, GSM utilizes
frequency hopping. Frequency hopping means that a transceiver hops
from one frequency to another in a predetermined sequence. If a
transceiver hops through all of the available frequencies in a cell then
it will average out the propagation. GSM uses Slow Frequency
Hopping (SFH). It is considered slow because the system hops
relatively slowly, compared with other frequency hopping systems. In
GSM, the operating frequency is changed every TDMA frame.
The main reason for using slow frequency hopping is because the MS
must also change its frequency often in order to monitor adjacent
cells. The device in a transceiver that generates the frequency is called
a frequency synthesizer. On a MS, a synthesizer must be able to
change its frequency within the time frame of one time slot, which is
equal to 577 µs. GSM does not require the BTS to utilize frequency
hopping. However, a MS must be capable of utilizing frequency
hopping when told to do so.
The frequency hopping and timing sequence is known as the hopping
algorithm. There are two types of hopping algorithms available to a
MS.
• Cyclic Hopping - The transceiver hops through a predefined list
of frequencies in sequential order.
• Random Hopping - The transceiver hops through the list of
frequencies in a random manner. The sequence appears random
but it is actually a set order.
There are a total of 63 different hopping algorithms available in GSM.
When the MS is told to switch to frequency hopping mode, the BTS
will assign it a list of channels and the Hopping Sequence Number
(HSN), which corresponds to the particular hopping algorithm that
will be used.
The base channel on the BTS does not frequency hop. This channel,
located in time slot 0, holds the Broadcast Control Channels which
the MS needs to monitor to determine strength measurements,
determine access parameters, and synchronize with the system.
If a BTS uses multiple transceivers (TRX) then only one TRX will
hold the Broadcast Channels on time slot 0. All of the other TRXs
may use time slot 0 for traffic or signalling and may take part in the
frequency hopping.
There are two types of frequency hopping method available for the
BTS: synthesizer hopping and baseband hopping.
• Synthesizer Hopping - This requires the TRX itself to change
frequencies according to the hopping sequence. So, one TRX
would hop between multiple frequencies on the same sequence
that the MS is required to.
• Baseband Hopping - In this method there are several TRX and
each one stays on a fixed frequency within the hopping
frequency plan. Each TRX would be assigned a single time slot
within a TDMA frame. For example, time slot 1 might be
assigned to TRX 2 in one TDMA frame and in the next TDMA
frame it would be assigned to TRX 3, and the next frame would
be TRX 3. So, the data on each time slot would be sent on a
different frequency each frame, but the TRXs on the BTS do not
need to change frequency. The BTS simply routes the data to the
appropriate TRX, and the MS knows which TRX to be on for
any given TDMA frame.
Frequency Hopping
Traffic management
Location update
A MS will need to update its location whenever it moves to a tower
that is serviced by a different VLR than the one it is currently on. An
MS can move from BTS to BTS without ever telling the network, as
long as it is within the same location area. Once it moves to a new
location area, it is required to inform the network.
The MS moves to another Location Area
As a MS moves around, it constantly monitors the signal strength of
the BCCH of its current BTS, as well as neighbouring BTSs, to
determine if the neighbours have a stronger signal. When the MS is in
idle mode (not in a call), it will determine for itself when to move
from its current BTS to a more attractive one. When the MS switches
from a BTS in one VLR to a BTS in a different VLR, it must do a
location update, so the network knows which MSC/VLR the MS is
currently using.
Elements involved in location update
Channel Request
1. The MS requests a channel by sending a Channel
Request (CHAN_REQ) message on the RACH.
2. The BTS responds by sending an Immediate Assignment
Command message (IMM_ASS_CMD) on the AGCH.
3. The MS switches to the assigned SDCCH and replies with
a Location Update Request (LOC_UPD_REQ). Included in the
LOC_UPD_REQ is the TMSI the MS is currently using as well as the
Location Area Identifier (LAI) of the VLR it is leaving.
4. The BTS acknowledges receipt of the message.
Gaining VLR requests data from losing VLR
5. The BSS forwards the Location Update Request to the gaining
MSC/VLR.
6. The gaining MSC/VLR does not recognize the TMSI/IMSI of the
MS, so it contacts the losing MSC/VLR that corresponds to the LAI
that was provided by the MS. The new MSC/VLR requests the
subscriber data for the given TMSI.
7. The gaining MSC/VLR will then authenticate the MS. There are
two ways this could occur. First, the losing MSC/VLR may have
forwarded any sets of triplets that it was retaining for the MS. The
gaining MSC/VLR would then just use the next set of triplets.
Second, the gaining MSC/VLR could contact the HLR and request
authentication triplets from the AuC and proceed with authentication
that way.
The authentication and encryption process is not shown here. It occurs
the same way as in the IMSI Attach.
Location Update
8. Once the MS has been authenticated and is in Cipher Mode, the
MSC/VLR sends a Location Update Accept message
(LOC_UPD_ACC) through the BSS to the MS. The LOC_UPD_ACC
may have a TMSI assignment in it, otherwise the TMSI will be
assigned in a TMSI_REAL_CMD message.
9. The MS will respond with a TMSI Reallocation Complete message
(TMSI_REAL_COM) indicating it has received the TMSI.
10. The BSS then sends the MS a Channel Release message
(CHAN_REL) instructing it to go into idle mode. The BSS then
unassigns the SDCCH. As far as the MS is concerned, the location
update has been completed.
Updating the Registers
The Gaining MSC/VLR sends an Update Location message to the
HLR. The HLR updates its records to point to the gaining MSC/VLR
when it is asked for its location. It also passes on subscriber
information for the MS to the gaining MSC/VLR.
The HLR sends a Cancel Location message to the losing MSC/VLR.
The losing MSC/VLR deletes the MS's record and also releases the
TMSI for reassignment. The losing MSC/VLR sends a Cancel
Location Result message back to the HLR, confirming the
cancellation.
Procedure in location update
Handover
Maintaining the traffic connection with a moving subscriber is made
possible with the help of the handover function. The basic concept is
simple: when the subscriber moves from the coverage area of one cell
to another, a new connection with the target cell has to be set up and
the connection with the old cell has to be released.
There are two reasons for performing a handover:
1. Handover due to measurements occurs when the quality or the
strength of the radio signal falls below certain parameters specified in
the BSC. The deterioration of the signal is detected by the constant
signal measurements carried out by both the mobile station and the
BTS. As a consequence, the connection is handed over to a cell with a
stronger signal.
2. Handover due to traffic reasons occurs when the traffic capacity
of a cell has reached its maximum or is approaching it. In such a case,
the mobile stations near the edges of the cell may be handed over to
neighbouring cells with less traffic load.
The decision to perform a handover is always made by the BSC that is
currently serving the subscriber, except for the handover for traffic
reasons.
There are four different types of handover and the best way to analyse
them is to follow the subscriber as he moves:-
• Intra cell - Intra BSC handover
The smallest of the handovers is the intra cell handover where the
subscriber is handed over to another traffic channel (generally in
another frequency) within the same cell. In this case the BSC
controlling the cell makes the decision to perform handover.
Intra cell - Intra BSC handover
• Inter cell - Intra BSC handover
The subscriber moves from cell 1 to cell 2. In this case the handover
process is controlled by BSC. The traffic connection with cell 1 is
released when the connection with cell 2 is set up successfully.
Inter cell - Intra BSC handover
• Inter cell - Inter BSC handover
The subscriber moves from cell 2 to cell 3, which is served by another
BSC. In this case the handover process is carried out by the MSC, but
the decision to make the handover is still done by the first BSC. The
connection with the first BSC (and BTS) is released when the
connection with the new BSC (and BTS) is set up successfully.
Inter cell - Inter BSC handover
• Inter MSC handover
The subscriber moves from a cell controlled by one MSC/VLR to a
cell in the domain of another MSC/VLR. This case is a bit more
complicated. Considering that the first MSC/VLR is connected to the
GMSC via a link that passes through PSTN lines, it is evident that the
second MSC/VLR cannot take over the first one just like that. The
MSC/VLR currently serving the subscriber (also known as the
anchor MSC) contacts the target MSC/VLR and the traffic
connection is transferred to the target MSC/VLR. As both MSCs are
part of the same network, the connection is established smoothly. It is
important to notice, however, that the target MSC and the source
MSC are two telephone exchanges. The call can be transferred
between two exchanges only if there is a telephone number
identifying the target MSC.
Inter MSC handover
Timing Advances
Introduction
A Timing Advance (TA) is used to compensate for the propagation
delay as the signal travels between the Mobile Station (MS) and Base
Transceiver Station (BTS). The Base Station System (BSS) assigns
the TA to the MS based on how far away it perceives the MS to be.
Determination of the TA is normally a function of the Base Station
Controller (BSC), but this function can be handled anywhere in the
BSS, depending on the manufacturer.
Time Division Multiple Access (TDMA) requires precise timing of
both the MS and BTS systems. When a MS wants to gain access to
the network, it sends an access burst on the RACH. The further away
the MS is from the BTS, the longer it will take the access burst to
arrive at the BTS, due to propagation delay. Eventually there comes a
certain point where the access burst would arrive so late that it would
occur outside its designated timeslot and would interfere with the next
time slot.
Access Burst
An access burst has 68.25 guard bits at the end of it.
This guard time is to compensate for propagation delay due to the
unknown distance of the MS from the BTS. It allows an access burst
to arrive up to 68.25 bits later than it is supposed to without
interfering with the next time slot.
68.25 bits doesn’t mean much to us in the sense of time, so we must
convert 68.25 bits into a frame of time. To do this, it is necessary to
calculate the duration of a single bit; the duration is the amount of
time it would take to transmit a single bit.
Duration of a Single Bit
As you recall, GSM uses Gaussian Minimum Shift Keying (GMSK)
as its modulation method, which has a data throughput of 270.833
kilobits/second (kb/s).
Calculate duration of a bit
Description | Formula | Result
Convert kilobits to bits | 270.833 kb × 1000 | 270,833 bits
Calculate seconds per bit | 1 sec ÷ 270,833 bits | .00000369 seconds
Convert seconds to microseconds | .00000369 sec × 1,000,000 | 3.69 µs
So now we know that it takes 3.69µs to transmit a single bit.
Propagation Delay
Now, if an access burst has a guard period of 68.25 bits this results in
a maximum delay time of approximately 252µs (3.69µs × 68.25 bits).
This means that a signal from the MS could arrive up to 252µs after it
is expected and it would not interfere with the next time slot.
The next step is to calculate how far away a mobile station would
have to be for a radio wave to take 252µs to arrive at the BTS. This
would be the theoretical maximum distance from which a MS could
transmit and still arrive within the correct time slot.
Using the speed of light, we can calculate the distance that a radio
wave would travel in a given time frame. The speed of light (c) is
300,000 km/s.
Description | Formula | Result
Convert km to m | 300,000km × 1000 | 300,000,000m
Convert m/s to m/µs | 300,000,000 ÷ 1,000,000 | 300 m/µs
Calculate distance for 252µs | 300 m/µs × 252µs | 75,600m
Convert m to km | 75,600m ÷ 1000 | 75.6km
So, we can determine that a MS could theoretically be up to 75.6km
away from a BTS when it transmits its access burst and still not
interfere with the next time slot.
However, we must take into account that the MS synchronizes with
the signal it receives from the BTS. We must account for the time it
takes for the synchronization signal to travel from the BTS to the MS.
When the MS receives the synchronization signal from the BTS, it
has no way of determining how far away it is from the BTS. So, when
the MS receives the synchronization signal on the SCH, it
synchronizes its time with the timing of the system. However, by the
time the signal arrives at the MS, the timing of the BTS has already
progressed some. Therefore, the timing of the MS will now be behind
the timing of the BTS for an amount of time equal to the travel time
from the BTS to the MS.
For example, if a MS were exactly 75.6km away from the BTS, then
it would take 252µs for the signal to travel from the BTS to the MS.
The MS would then synchronize with this timing and send its access
burst on the RACH. It would take 252µs for this signal to return to the
BTS. The total round trip time would be 504µs. So, by the time the
signal from the MS arrives at the BTS, it will be 504µs behind the
timing of the BTS. 504µs equals about 136.5 bits.
The 68.25 bits of guard time would absorb some of the delay of 136.5
bits, but the access burst would still cut into the next time slot a
whopping 68.25 bits.
Maximum Size of a Cell
In order to compensate for the two-way trip of the radio link, we must
divide the maximum delay distance in half. So, dividing 75.6km in
half, we get approximately 37.8 km. If a MS is further out than
37.8km and transmits an access burst it will most likely interfere with
the following time slot. Any distance less than 37.8km and the access
burst should arrive within the guard time allowed for an access burst
and it will not interfere with the next time slot.
In GSM, the maximum distance of a cell is standardized at 35km.
This is due mainly to the number of timing advances allowed in GSM,
which is explained below.
How a BSS Determines a Timing Advance
In order to determine the propagation delay between the MS and the
BSS, the BSS uses the synchronization sequence within an access
burst. The BSS examines the synchronization sequence and sees how
long it arrived after the time that it expected it to arrive. As we
learned from above, the duration of a single bit is approximately
3.69µs. So, if the BSS sees that the synchronization is late by a single
bit, then it knows that the propagation delay is 3.69µs. This is how the
BSS knows which TA to send to the MS.
For each 3.69µs of propagation delay, the TA will be incremented by
1. If the delay is less than 3.69µs, no adjustment is used and this is
known as TA0. For every TA, the MS will start its transmission
3.69µs (or one bit) early. Each TA really corresponds to a range of
propagation delay. Each TA is essentially equal to a 1-bit delay
detected in the synchronization sequence.
TA From To
0 0µs 3.69µs
1 3.69µs 7.38µs
2 7.38µs 11.07µs
3 11.07µs 14.76µs
... ... ...
63 232.47µs 236.16µs
The Distance of a Timing Advance
When calculating the distances involved for each TA, we must
remember that the total propagation delay accounts for a two-way trip
of the radio wave. The first leg is the synchronization signal travelling
from the BTS to the MS, and the second leg is the access burst
travelling from the MS to the BTS. If we want to know the true
distance of the MS from the BTS, we must divide the total
propagation delay in half.
For example, if the BSS determines the total propagation delay to be
3.69µs, we can determine the distance of the MS from the BTS.
Description | Formula | Result
Determine one-way propagation time | 3.69µs ÷ 2 | 1.845µs
Calculate distance (using speed of light) | 300 m/µs × 1.845µs | 553.5m
We determined earlier that for each propagation delay of 3.69µs the
TA is incremented by one. We just learned that a propagation delay of
3.69µs equals a one-way distance of 553.5 meters. So, we see that
each TA is equal to a distance of 553.5 meters from the tower.
Starting from the BTS (0 meters) a new TA will start every 553.5m.
TA Ring Start End
0 0 553.5m
1 553.5m 1107m
2 1107m 1660.5m
3 1660.5m 2214m
... ... ...
63 34.87km 35.42km
The TA becomes very important when the MS switches over to using
a normal burst in order to transmit data. The normal burst does not
have the 68.25 bits of guard time. The normal burst only has 8.25 bits
of guard time, so the MS must transmit with more precise timing.
With a guard time of 8.25 bits, the normal burst can only be received
up to 30.44µs late and not interfere with the next time slot. Because of
the two-way trip of the radio signal, if the MS transmits more than
15.22µs after it is supposed to then it will interfere with the next time
slot.
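The arithmetic of this section carried through in code, as an added example that is not part of the original report. It uses the report's rounded figures of 3.69 µs per bit and 300 m/µs so the ring boundaries match the tables above; the function names are this example's own.

```python
import math
from fractions import Fraction

# The report's rounded figures, kept exact with Fraction so the ring edges
# match its tables. (The unrounded bit period is 48/13 µs, about 3.6923 µs.)
BIT_US = Fraction(369, 100)            # duration of one bit, in µs
C_M_PER_US = 300                       # speed of light, in m/µs
MAX_TA = 63                            # highest timing advance value
ACCESS_GUARD_BITS = Fraction("68.25")  # guard period of an access burst
NORMAL_GUARD_BITS = Fraction("8.25")   # guard period of a normal burst


def round_trip_bits(distance_m):
    """Round-trip delay BTS -> MS -> BTS, expressed in bit periods."""
    delay_us = Fraction(distance_m) * 2 / C_M_PER_US
    return delay_us / BIT_US


def timing_advance(distance_m):
    """TA the BSS would assign: one step per whole bit of round-trip delay."""
    ta = math.floor(round_trip_bits(distance_m))
    if ta > MAX_TA:
        raise ValueError(f"{distance_m} m needs TA {ta}, beyond the maximum of {MAX_TA}")
    return ta


def ta_ring_m(ta):
    """(start, end) distance in metres of the ring covered by one TA value."""
    width = BIT_US * C_M_PER_US / 2    # one-way distance per bit: 553.5 m
    return ta * width, (ta + 1) * width


def overrun_bits(distance_m, ta_applied, guard_bits):
    """Bits by which a burst spills into the next time slot (0 if it fits).

    The MS transmits ta_applied bits early; whatever lateness remains has to
    be absorbed by the guard period of the burst type in use.
    """
    late = round_trip_bits(distance_m) - ta_applied
    return max(Fraction(0), late - guard_bits)


if __name__ == "__main__":
    for d in (500, 1000, 5000, 35000):
        ta = timing_advance(d)
        start, end = ta_ring_m(ta)
        print(f"{d:>6} m -> TA {ta:>2}, ring {float(start):.1f} m to {float(end):.1f} m")
    # Access burst sent with no TA from the report's 75.6 km example.
    print("access burst, 75.6 km, TA 0: overrun",
          float(overrun_bits(75600, 0, ACCESS_GUARD_BITS)), "bits")
    # Normal burst from 5 km: without and with the assigned TA.
    print("normal burst, 5 km, TA 0: overrun",
          float(overrun_bits(5000, 0, NORMAL_GUARD_BITS)), "bits")
    print("normal burst, 5 km, TA", timing_advance(5000), ": overrun",
          float(overrun_bits(5000, timing_advance(5000), NORMAL_GUARD_BITS)), "bits")
```
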
Authentication & Encryption
Introduction
Authentication - Whenever a MS requests access to a network, the
network must authenticate the MS. Authentication verifies the identity
and validity of the SIM card to the network and ensures that the
subscriber is authorized access to the network.
Encryption - In GSM, encryption refers to the process of creating
authentication and ciphering crypto-variables using a special key and
an encryption algorithm.
Ciphering - Ciphering refers to the process of changing plaintext
data into encrypted data using a special key and a special encryption
algorithm. Transmissions between the MS and the BTS on the Um
link are enciphered.
Ki - The Ki is the individual subscriber authentication key. It is a
128-bit number that is paired with an IMSI when the SIM card is
created. The Ki is only stored on the SIM card and at the
Authentication Center (AuC). The Ki will never be transmitted across
the network on any link.
RAND - The RAND is a random 128-bit number that is generated by
the AuC when the network requests to authenticate a subscriber. The
RAND is used to generate the Signed Response (SRES) and Kc
crypto-variables.
Signed Response - The SRES is a 32-bit crypto-variable used in
the authentication process. The MS is challenged by being given the
RAND by the network; the SRES is the expected correct response.
The MS receives the RAND as a challenge and uses it to calculate the
SRES. The SRES is passed up to the network as a response to the
challenge.
A3 Algorithm - The A3 algorithm computes a 32-bit Signed
Response (SRES). The Ki and RAND are inputted into the A3
algorithm and the result is the 32-bit SRES. The A3 algorithm resides
on the SIM card and at the AuC.
A8 Algorithm - The A8 algorithm computes a 64-bit ciphering key
(Kc). The Ki and the RAND are inputted into the A8 algorithm and
the result is the 64-bit Kc. The A8 algorithm resides on the SIM card
and at the AuC.
COMP128 - A keyed hash function that combines the A3 and A8
algorithms into a single function. The 128-bit Ki and 128-bit RAND
are input into the COMP128 which generates a 32-bit SRES and a 54-
bit Kc in a single function. COMP128 is weak because it can give
away information about the Ki.
Kc - The Kc is the 64-bit ciphering key that is used in the A5
encryption algorithm to encipher and decipher the data that is being
transmitted on the Um interface.
A5 - The A5 encryption algorithm is used to encipher and decipher
the data that is being transmitted on the Um interface. The Kc and the
plaintext data are inputted into the A5 algorithm and the output is
enciphered data. The A5 algorithm is a function of the Mobile
Equipment (ME) and not a function of the SIM card. The BTS also
makes use of the A5 algorithm.
There are three versions of the A5 algorithm:
A5/1 - The current standard for U.S. and European networks. A5/1
is a stream cipher.
A5/2 - The deliberately weakened version of A5/1 that is intended
for export to non-western countries. A5/2 is a stream cipher.
A5/3 - A newly developed algorithm not yet in full use. A5/3 is a
block cipher.
Triplets - The RAND, SRES, and Kc together are known as the
Triplets. The AuC will send these three crypto-variables to the
requesting MSC/VLR so it can authenticate and encipher.
International Mobile Subscriber Identity (IMSI) - An IMSI is usually
presented as a 15 digit long number, but can be shorter. For example MTN
South Africa's old IMSIs that are still being used in the market are
shown as 14 digits. The first 3 digits are the Mobile Country
Code (MCC), and are followed by the Mobile Network Code (MNC),
either 2 digits (European standard) or 3 digits (North
American standard). The length of the MNC depends on the value of
the MCC. The remaining digits are the Mobile Subscription
Identification Number (MSIN) within the network's customer base.
Authentication Procedures
Fig 1
Fig-1: When a MS requests access to the network, the MSC/VLR
will normally require the MS to authenticate. The MSC will forward
the IMSI to the HLR and request authentication Triplets.
The network can have the MS authenticate whenever it wants and this
can vary from network to network. The network can require the MS to
authenticate every time an event is initiated (location update, mobile-
originated call, mobile-terminated call, etc.), every so many events, or
even after a certain time period has elapsed. The network will almost
always require authentication whenever the MS moves into a new
Location Area and does a Location Update.
Fig 2
Fig-2: When the HLR receives the IMSI and the authentication
request, it first checks its database to make sure the IMSI is valid and
belongs to the network. Once it has accomplished this, it will forward
the IMSI and authentication request to the Authentication
Center (AuC).
Fig 3
Fig-3: The AuC will use the IMSI to look up the Ki associated with
that IMSI. The Ki is the individual subscriber authentication key. It is
a 128-bit number that is paired with an IMSI when the SIM card is
created. The Ki is only stored on the SIM card and at the AuC. The
AuC will also generate a 128-bit random number called the RAND.
Fig 4
Fig-4: The RAND and the Ki are inputted into the A3 encryption
algorithm. The output is the 32-bit Signed Response (SRES). The
SRES is essentially the "challenge" sent to the MS when
authentication is requested.
Fig 5
Fig-5: The RAND and Ki are input into the A8 encryption algorithm.
The output is the 64-bit Kc. The Kc is the ciphering key that is used in
the A5 encryption algorithm to encipher and decipher the data that is
being transmitted on the Um interface.
Fig 6
Fig-6: The RAND, SRES, and Kc are collectively known as
the Triplets. The AuC may generate many sets of Triplets and send
them to the requesting MSC/VLR. This is in order to reduce the
signalling overhead that would result if the MSC/VLR requested one
set of triplets every time it wanted to authenticate the MS. It should be
noted that a set of triplets is unique to one IMSI, it cannot be used
with any other IMSI.
Fig 7
Fig-7: Once the AuC has generated the triplets (or sets of triplets), it
forwards them to the HLR. The HLR subsequently sends them to the
requesting MSC/VLR.
Fig 8
Fig-8: The MSC stores the Kc and the SRES but forwards the RAND
to the MS and orders it to authenticate.
Fig 9
Fig-9: The MS has the Ki stored on the SIM card. The A3 and A8
algorithms also reside on the SIM card. The RAND and Ki are
inputted into the A3 and A8 encryption algorithms to generate the
SRES and the Kc respectively.
Ciphering Procedure
Fig-10
Fig-10: The MS stores the Kc on the SIM card and sends the
generated SRES back to the network. The MSC receives the MS
generated SRES and compares it to the SRES generated by the AuC.
If they match, then the MS is authenticated.
Fig-11
Fig-11: Once the MS is authenticated, the MSC passes the Kc to the
BSS (the BTS to be specific), and orders the BTS and MS to switch
to Cipher Mode. The Kc will never be passed on the Air Interface
(Um), it will be stored at the BTS.
Fig-12
Fig-12: The BTS inputs the Kc and the data payload into the A5
encryption algorithm resulting in an enciphered data stream. The MS
also inputs the Kc and the data payload into the A5 encryption
algorithm resulting in an enciphered data stream. It should be noted
that the A5 algorithm is a function of the Mobile Equipment (ME)
and not the SIM card.
COMP128
COMP128 is a single keyed hash function that takes the place of the
A3 and A8 algorithms and generates the SRES and Kc in a single
function. The Ki and RAND are fed into the COMP128 hash and the
result is a 32-bit SRES and a 54-bit Kc. Note that the A8 algorithm
generates a 64-bit Kc. So it is obvious that the COMP128 hash
generates a much weaker Kc.
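The authentication steps of Figs 1-11, together with the triplet forwarding from step 7 of the location update, as an added example that is not part of the original report. The real A3/A8 algorithms are not reproduced: a3a8_stand_in is a hypothetical HMAC-SHA256 construction used only to give the exchange something to compute, the class and function names are this example's own, and the IMSIs and Ki values are constructed.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict, deque


def a3a8_stand_in(ki, rand, kc_bits=64):
    """Stand-in for A3/A8 (NOT a GSM algorithm): returns (SRES, Kc) as bytes."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[:4]                            # 32-bit Signed Response
    kc = int.from_bytes(digest[4:12], "big")     # 64-bit ciphering key field
    # kc_bits=54 models the report's 54-bit COMP128 key: low 10 bits are zero.
    kc &= ~((1 << (64 - kc_bits)) - 1)
    return sres, kc.to_bytes(8, "big")


class AuC:
    """Holds IMSI -> Ki and produces triplets; Ki never leaves this object."""
    def __init__(self, subscribers, kc_bits=64):
        self._ki = dict(subscribers)
        self.kc_bits = kc_bits
        self.requests = 0                        # signalling round trips served

    def generate_triplets(self, imsi, count=5):
        ki = self._ki[imsi]                      # KeyError: IMSI not in this network
        self.requests += 1
        triplets = []
        for _ in range(count):
            rand = secrets.token_bytes(16)       # fresh 128-bit RAND per triplet
            sres, kc = a3a8_stand_in(ki, rand, self.kc_bits)
            triplets.append((rand, sres, kc))
        return triplets


class Sim:
    """SIM card: stores Ki, answers a RAND with SRES and keeps Kc locally."""
    def __init__(self, imsi, ki, kc_bits=64):
        self.imsi, self._ki, self.kc_bits = imsi, ki, kc_bits
        self.kc = None

    def run_a3a8(self, rand):
        sres, self.kc = a3a8_stand_in(self._ki, rand, self.kc_bits)
        return sres


class MscVlr:
    def __init__(self, auc):
        self.auc = auc
        self.triplets = defaultdict(deque)       # unused triplets per IMSI
        self.pending = {}                        # IMSI -> (expected SRES, Kc)

    def import_triplets(self, imsi, triplets):
        """Gaining VLR: accept triplets forwarded by the losing VLR."""
        self.triplets[imsi].extend(triplets)

    def release_subscriber(self, imsi):
        """Losing VLR: hand over unused triplets and delete the record."""
        return list(self.triplets.pop(imsi, ()))

    def challenge(self, imsi):
        """Use the next stored triplet, asking the AuC only when none is left."""
        if not self.triplets[imsi]:
            self.triplets[imsi].extend(self.auc.generate_triplets(imsi))
        rand, sres, kc = self.triplets[imsi].popleft()
        self.pending[imsi] = (sres, kc)          # SRES and Kc stay in the network
        return rand                              # only the RAND goes to the MS

    def verify(self, imsi, sres_from_ms):
        """Return Kc (to be passed to the BTS) on a match, otherwise None."""
        expected, kc = self.pending.pop(imsi)
        return kc if hmac.compare_digest(expected, sres_from_ms) else None


def authenticate(vlr, sim):
    """One full challenge-response run between a VLR and a SIM."""
    rand = vlr.challenge(sim.imsi)
    return vlr.verify(sim.imsi, sim.run_a3a8(rand))


if __name__ == "__main__":
    imsi, ki = "001010000000001", bytes(range(16))      # constructed values
    auc = AuC({imsi: ki})
    old_vlr, new_vlr = MscVlr(auc), MscVlr(auc)
    sim = Sim(imsi, ki)
    print("attach:", authenticate(old_vlr, sim) == sim.kc)
    new_vlr.import_triplets(imsi, old_vlr.release_subscriber(imsi))
    print("after location update:", authenticate(new_vlr, sim) == sim.kc)
    print("AuC requests so far:", auc.requests)
    print("SIM with wrong Ki:", authenticate(new_vlr, Sim(imsi, bytes(16))))
```

Each challenge consumes one triplet, so an SRES captured from an earlier run does not verify against the next RAND.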
Mobile Originated Call
A Mobile Originated Call is a call that is initiated by the MS. The
following example is a mobile-originated call that terminates outside
the PLMN.
Request Access
1. The MS sends a Channel Request (CHAN_REQ) message on the
RACH.
2. The BSS responds with a radio resource assignment
(IMM_ASS_CMD) on the AGCH.
3. The MS sends a Service Request (CM_SERV_REQ) message to
the BSS on the SDCCH.
Authentication
4. Before the network will provide any services to the MS, the
network will require the MS to authenticate itself. The BSS sends
an Authentication Request (AUTH_REQ) message to the MS. The
RAND serves as the "challenge" for authentication.
5. The MS calculates the proper SRES based on the RAND that was
given and sends the SRES to the BSS in an Authentication
Response (AUTH_RESP) message.
6. The BSS verifies the SRES. If the SRES is correct then the MS is
authenticated and allowed access to the network. The BSS will send
a Service Accept (CM_SERV_ACC) message letting the MS know
that the service request was received and processed.
7. Once authenticated, the BSS orders the MS to switch to cipher
mode with the CIPH_MOD_CMD message.
Initial Call Setup
8. The MS will immediately switch to cipher mode and send a Cipher
Mode Complete (CIPH_MOD_COM) message.
9. The MS then sends a Call Setup (SETUP) message to the BSS. The
message includes the address information (MSISDN) of the called
party.
10. The BSS assigns a TCH to the MS by sending an Assignment
Command (ASS_CMD) message. This message includes which
Transceiver (TRX) and which Time Slot (TS) to use. The BSS does
not actually assign a TCH to the MS until the MSC sends a Call
Proceeding (CALL_PROC) message to the BSS indicating that the
IAM has been sent.
11. The MS immediately switches to the assigned TCH. The MS
sends an Assignment Complete (ASS_COM) message back to the
BTS on the FACCH. Remember that a FACCH is not a separate
channel; it is simply a stolen time slot from the TCH that is used for
signalling data instead of voice traffic.
Call Setup
12. The MSC sends an Initial Address Message (IAM) to the GMSC.
The IAM contains the MSISDN of the called party as the MS dialled
it. The MSC will also send a Call Proceeding (CALL_PROC)
message down to the BSS and this is when the BSS would assign a
TCH to the MS, as described in step 10 above.
13. Based on the dialled number, the GMSC decides where to route
the IAM within the PSTN.
14. The PSTN will continue to route the IAM until it reaches the
correct Switching Center and the call routing is complete. The PSTN
will then establish the call circuit and send an Address Complete
Message (ACM) back to the GMSC.
15. The GMSC then forwards the ACM back to the responsible MSC
indicating that the call circuit has been established.
Call Establishment
16. Once the MSC receives the ACM, it sends an ALERT message to
the MS indicating that the call is going through. The BSS sends the
ALERT message on the FACCH. Once the MS receives the ALERT,
it will generate the ringing sound in the earpiece. The BSS sends an
alerting message, and the subscriber will hear the line ringing.
17. Once the called party answers the phone, the PSTN will send an
Answer message to the MSC. The MSC forwards this to the MS in
a Connection (CON) message.
18. Once the MS receives the CON message, it switches over to voice
and begins the call. All voice traffic occurs on the assigned TCH.
Call Termination
19. When either the caller or the called party hangs up, the call will be
disconnected. Either party can initiate the disconnection. In this
example, the MS initiates the disconnection. The MS sends
a Disconnect (DISC) message to the BTS on the FACCH.
20. The BSS forwards the DISC to the MSC. Once the MSC receives
the DISC message, it sends a Release (REL) message through the
GMSC to the PSTN as well as down through the BSS to the MS.
21. The MS responds by sending a Release Complete (REL_COM)
message to the BSS on the FACCH. The BSS forwards the
REL_COM message up to the MSC. Once the MSC receives the
REL_COM message the call is considered ended from the call
control perspective.
22. Although the call has ended, the BSS still has a TCH allocated to
the MS. The MSC sends a Channel Release (CHAN_REL) message
to the BSS. The BSS forwards the CHAN_REL message to the MS.
23. The MS responds with a DISC (LAPD) message and returns to an
idle mode. The BSS deallocates the channel and releases the TRX.
Mobile Terminated Call
The term Mobile Terminated Call refers to when the MS is the
receiver of a call. In this example, the call is originating from outside
the PLMN.
Route Establishment
1. The calling party dials the MSISDN for the mobile subscriber. The
PSTN identifies the network (PLMN) that the dialled MSISDN
belongs to and will locate a GMSC for that network. The PSTN sends
an Initial Address message to the GMSC.
2. The GMSC forwards the MSISDN to the HLR and requests routing
information for it. The HLR looks up the MSISDN and determines
the IMSI and the SS7 address for the MSC/VLR that is servicing the
MS.
3. The HLR then contacts the servicing MSC/VLR and asks it to
assign a Mobile Station Routing Number (MSRN) to the call.
4. The MSC/VLR allocates the MSRN and forwards it to the HLR.
Remember that the MSC/VLR assigns a MSRN to the call not to the
MS itself.
5. The HLR forwards the MSRN as well as routing information for
the servicing MSC/VLR to the GMSC.
6. The GMSC sends an Initial Addressing message to the servicing
MSC/VLR and uses the MSRN to route the call to the MSC/VLR.
Once the servicing MSC/VLR receives the call, the MSRN can be
released and may be made available for reassignment.
Paging the Mobile Station
7. The MSC/VLR then orders all of its BSCs and BTSs to page the
MS. Since the MSC/VLR does not know exactly which BSC and BTS
the MS is monitoring, the page will be sent out across the entire
Location Area.
Initial Setup
8. The MS receives the Page Request (PAG_REQ) on the PCH. The
MS recognizes that the page is intended for it, based on a TMSI or an
IMSI.
9. The MS sends a Channel Request (CHAN_REQ) message on the
RACH.
10. The BSS responds on the AGCH by sending an Immediate
Assignment (IMM ASS) message which assigns an SDCCH to the
MS. At this point, the network does not know that the MS is the one
that it is paging; it only knows that this MS wants access to the
network.
11. The MS immediately switches to the assigned SDCCH and sends
a Paging Response (PAG_RES) message on the SDCCH. This lets the
network know that the MS is responding to its page.
Authentication
12. Before the network will provide any services to the MS, the
network will require the MS to authenticate itself. The BSS sends
an Authentication Request (AUTH_REQ) message to the MS. The
RAND serves as the "challenge" for authentication.
13. The MS calculates the proper SRES based on the RAND that was
given and sends the SRES to the BSS in an Authentication
Response (AUTH_RESP) message.
14. The BSS verifies the SRES. If the SRES is correct then the MS is
authenticated and allowed access to the network.
15. Once the MSC/VLR has authenticated the MS, it will order the
BSS and MS to switch to cipher mode using the CIPH_MOD_CMD
message. Once the MS is in encryption mode, the VLR will normally
assign a new TMSI to the MS.
Establishing a Channel
16. Once the MS is authenticated and in encryption mode, the MSC
sends a Setup Message to the BSS; the BSS forwards the SETUP
message to the MS on the assigned SDCCH. The SETUP message
may include the Calling Line Identification Presentation (CLIP),
which is essentially caller ID.
17. The MS responds by sending a Call Confirmed (CALL_CON)
message, which indicates that the MS is able to establish the
requested connection. The BSS relays the message up to the MSC.
Call Setup
18. The BSS then sends an Assignment Command (ASS_CMD)
message to the MS on the assigned SDCCH. The ASS_CMD message
assigns a Traffic Channel (TCH) to the MS.
19. The MS immediately switches to the TCH and responds with
an Assignment Complete (ASS_COM) message on the FACCH. The
MS begins ringing once it has established the TCH.
Remember that all signalling that occurs on the traffic channel
actually occurs on a FACCH, which is a time slot that is stolen from
the TCH and used for signalling.
20. The MS sends an ALERT message to the MSC on the FACCH.
The BSS forwards the ALERT message through the PSTN to the
calling party and the caller hears the line ringing.
Establishing the Call
21. Once the user answers the call (by pressing the send button), the
MS will send a Connect (CON) message to the MSC. The Connect
message is forwarded back to the caller's switch to activate the call.
22. The MSC sends a Connect Acknowledge (CON_ACK) message to
the MS and the call is established.
Disconnecting the Call
23. A disconnect happens the same way as for any other call. In this
example, the calling party initiates the disconnect.
24. When the calling party hangs up, the calling party's switch
initiates a Release (REL) message. The message is forwarded to the
serving MSC, which then forwards it to the BSS.
25. The BSS will send a Disconnect (DISC) message to the MS on the
FACCH.
26. The MS confirms release of the call by sending a Release (REL)
message on the FACCH, which is forwarded to the MSC.
27. The MSC sends a Release Complete (REL_COM) message
through the BSS to the MS. As far as call control (CC) is concerned,
the connection has been terminated.
28. The MS still has a TCH assigned to it, so the BSS sends a Channel
Release (CHAN_REL) message to the MS. This releases the radio
resource on the Air Interface.
29. The MS responds by sending a final Disconnect message and
returns to idle.
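The setup part of the flow above (steps 8 to 22) as a trace checker, added here as an example and not part of the original report: it checks message order, the logical channel of each message, and that SETUP is only accepted after a correct SRES and the cipher-mode command. The SRES function is an HMAC-SHA256 stand-in rather than the GSM algorithm, and the trace format, key, challenge and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Air-interface messages of the mobile-terminated call setup, in order, with
# the logical channel each is carried on. Assumption: the text names no channel
# for the authentication and cipher-mode messages; SDCCH is used here because
# the MS is on its assigned SDCCH at that point.
EXPECTED = [
    ("PAG_REQ", "PCH"), ("CHAN_REQ", "RACH"), ("IMM_ASS", "AGCH"),
    ("PAG_RES", "SDCCH"), ("AUTH_REQ", "SDCCH"), ("AUTH_RESP", "SDCCH"),
    ("CIPH_MOD_CMD", "SDCCH"), ("SETUP", "SDCCH"), ("CALL_CON", "SDCCH"),
    ("ASS_CMD", "SDCCH"), ("ASS_COM", "FACCH"), ("ALERT", "FACCH"),
    ("CON", "FACCH"), ("CON_ACK", "FACCH"),
]
NAMES = [name for name, _ in EXPECTED]
CHANNEL = dict(EXPECTED)

KI = bytes(range(16))        # constructed 128-bit subscriber key
RAND = bytes(range(16, 32))  # constructed 128-bit challenge


def sres_for(ki: bytes, rand: bytes) -> bytes:
    """32-bit response to a RAND challenge.

    Stand-in only: HMAC-SHA256 truncated to 4 bytes, so the example runs.
    It is not the algorithm a real SIM or network uses.
    """
    return hmac.new(ki, rand, hashlib.sha256).digest()[:4]


def check_trace(trace, ki):
    """Return findings for a list of events {msg, chan[, rand][, sres]}."""
    findings = []
    nxt = 0        # index in EXPECTED of the next message we expect
    rand = None
    authenticated = ciphered = False
    for n, ev in enumerate(trace, start=1):
        msg, chan = ev["msg"], ev["chan"]
        if msg not in CHANNEL:
            findings.append(f"{n}: unknown message {msg}")
            continue
        idx = NAMES.index(msg)
        if idx < nxt:
            findings.append(f"{n}: {msg} repeated or out of order")
        elif idx > nxt:
            skipped = ", ".join(NAMES[nxt:idx])
            findings.append(f"{n}: skipped {skipped} before {msg}")
        nxt = max(nxt, idx + 1)
        if chan != CHANNEL[msg]:
            findings.append(f"{n}: {msg} on {chan}, expected {CHANNEL[msg]}")

        # Security gates from steps 12 to 16.
        if msg == "AUTH_REQ":
            rand = ev.get("rand")
            if not isinstance(rand, bytes) or len(rand) != 16:
                findings.append(f"{n}: AUTH_REQ without a 128-bit RAND")
                rand = None
        elif msg == "AUTH_RESP":
            sres = ev.get("sres", b"")
            authenticated = rand is not None and hmac.compare_digest(
                sres, sres_for(ki, rand))
            if not authenticated:
                findings.append(f"{n}: SRES does not match the RAND challenge")
        elif msg == "CIPH_MOD_CMD":
            ciphered = authenticated
            if not authenticated:
                findings.append(f"{n}: cipher mode ordered without authentication")
        elif msg == "SETUP" and not ciphered:
            findings.append(f"{n}: SETUP sent before cipher mode")
    return findings


def sample_trace(ki, rand, sres=None, drop=()):
    """Build a constructed trace that follows EXPECTED, minus `drop`."""
    trace = []
    for msg, chan in EXPECTED:
        if msg in drop:
            continue
        ev = {"msg": msg, "chan": chan}
        if msg == "AUTH_REQ":
            ev["rand"] = rand
        elif msg == "AUTH_RESP":
            ev["sres"] = sres_for(ki, rand) if sres is None else sres
        trace.append(ev)
    return trace


if __name__ == "__main__":
    no_auth = sample_trace(KI, RAND, drop=("AUTH_REQ", "AUTH_RESP", "CIPH_MOD_CMD"))
    for name, trace in (("clean", sample_trace(KI, RAND)), ("no auth", no_auth)):
        print(name, check_trace(trace, KI) or "ok")
```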
SCOPE FOR FUTURE STUDY
New demands will be made in the future on mobile cellular systems as
individuals and businesses change the way they work. Access to the internet
will become more important and executives will want to access
corporate databases from virtually anywhere. New services will be
required in addition to speech and data, therefore network operators
will offer video and other multimedia applications. Advanced mobile
handsets will be required to handle large amounts of high-speed data
in what is known as the 3rd Generation Mobile System.
The European 3rd Generation system is known as UMTS (Universal
Mobile Telecommunication System) and ETSI is promoting a smooth
evolution from the present day GSM networks. The radio “Air
Interface” will be based on W-CDMA (Wideband Code Division
Multiple Access) using different frequency bands for the uplink and downlink.
The ITU calls the 3rd Generation Mobile System IMT-2000
(International Mobile Telecommunication 2000). IMT-2000 refers not
only to the approximate year when it is expected to be launched but
also the frequency band in the region of 2000 MHz.
IMT-2000 will provide a seamless, global communication service
through small, lightweight terminals. The 1992 World Administrative
Radio Conference (WARC) allocated the radio frequencies between
1885 MHz and 2200 MHz to be reserved for the IMT-2000 on a
global basis.
The GSM system will evolve towards UMTS by progressively introducing new
techniques to provide higher bandwidth. These steps are as follows:
• High Speed Circuit Switched Data (HSCSD)
• General Packet Radio Service (GPRS)
• Enhanced Data Rates for GSM Evolution (EDGE)
• 3rd Generation Mobile System (3G)
Conclusion
In this Project, I have tried to give an overview of the GSM system. I
believe, however, that I gave the general flavour of GSM and the
philosophy behind its design. It is a standard that ensures
interoperability without stifling competition and innovation among
suppliers, to the benefit of the public both in terms of cost and service
quality.
Telecommunications are evolving towards personal communication
networks, whose objective can be stated as the availability of all
communication services anytime, anywhere, to anyone, by a single
identity number and a pocketable communication terminal. Having a
multitude of incompatible systems throughout the world moves us
farther away from this ideal. The economies of scale created by a
unified system are enough to justify its implementation terminal
anywhere they go, regardless of national boundaries.
The GSM system and its sibling systems operating at 1.8 GHz (called
DCS 1800) and 1.9 GHz (called GSM 900 or PCS1900, and operating
in North America), are a first approach at a true personal
communication system. The SIM card is a novel approach that
implements personal mobility in addition to terminal mobility.
Together with international roaming and support for a variety of
services such as telephony, data transfer, fax, short message services
and supplementary services, GSM comes close to being used as a
basis for the next generation of mobile communication technology in
Europe, the Universal Mobile Telecommunication System (UMTS).
Another point where GSM has shown its commitment to openness,
standards and interoperability is the compatibility with Integrated
Services Digital Network (ISDN) that is evolving in most
industrialized countries and Europe in particular (the so called Euro-
ISDN). GSM is also the first system to make extensive use of the
intelligent networking concept, in which services like 800 numbers
are concentrated and handled the country. This is the concept behind
the use of the various registers such as the HLR. Number 7, an
international standard already deployed in many countries and
specified as the backbone signalling network for ISDN.
GSM is a very complex standard but that is probably the price that
must be paid to achieve the level of integrated service and quality
offered while subject to the rather severe restrictions imposed by the
radio environment.
I am highly grateful to Mr. Arun Sharma for his support and guidance given
to me for the successful completion of my project. This Project
provides the knowledge about various technologies in the
communication field.

  • 14. the NMS. The three subsystems in a GSM network are linked by the Air, A and O&M interfaces as shown. Three Subsystems of GSM and their interfaces
  • 15. TRANSMISSION Introduction to radio transmission In a mobile communications network, part of the transmission connection uses a radio link and another part uses 2 Mbit/s PCM links. Radio transmission is used between the Mobile Station and the Base Transceiver Station, and the information must be adapted to be carried over 2 Mbit/s PCM transmission through the remainder of the network. The radio link is the most vulnerable part of the connection and a great deal of work is needed to ensure its high quality and reliable operation. The uplink refers to a signal flow from Mobile Station (MS) to Base Transceiver Station (BTS) and the downlink refers to a signal flow from Base Transceiver Station (BTS) to Mobile Station (MS). The simultaneous use of separate uplink and downlink frequencies enables communication in both the transmit (TX) and receive (RX) directions. The radio carrier frequencies are arranged in pairs and the difference between these two frequencies (uplink and downlink) is called the Duplex Frequency. Frequency Division Multiple Access (FDMA) GSM divides the allocated spectrum for each band up into individual carrier frequencies. Carrier separation is 200 kHz. This is the FDMA aspect of GSM. Absolute Radio Frequency Channel Number (ARFCN) The ARFCN is a number that describes a pair of frequencies, one uplink and one downlink. The uplink and downlink frequencies each have a bandwidth of 200 kHz. The uplink and downlink have a specific offset that varies for each band. The offset is the frequency
  • 16. separation of the uplink from the downlink. Every time the ARFCN increases, the uplink will increase by 200 kHz and the downlink also increases by 200 kHz. An ARFCN has an allowed bandwidth of 200 kHz, which corresponds exactly to the carrier separation. The frequency of the ARFCN refers to its center frequency. If an ARFCN has a frequency of 914.80 MHz, then it occupies the frequency space from 914.7 MHz to 914.9 MHz (200 kHz total). Because of the nature of the modulation method (GMSK) and data rate used in GSM, the actual physical bandwidth will be about 135.4 kHz. The unused bandwidth for each ARFCN acts as a buffer between other ARFCN to avoid interference. The following table summarizes the frequency ranges, offsets, and ARFCNs for several popular bands. GSM Bands The following diagram illustrates an ARFCN with paired uplink and downlink frequencies for ARFCN 1 in the GSM 900 band.
  • 17. GSM900 ARFCN 1 Time Division Multiple Access (TDMA) Introduction GSM uses Time Division Multiple Access (TDMA) as its access scheme. This is how the MS interfaces with the network. TDMA is the protocol used on the Air (Um) Link. GSM uses Gaussian Minimum-Shift Keying (GMSK) as its modulation methods. Time Division means that the frequency is divided up into blocks of time and only certain logical channels are transmitted at certain times .The time divisions in TDMA are known as Time Slots. Time Slots A frequency is divided up into 8 time slots, numbered 0 to 7. Time Slots
  • 18. On a side note, recall that GSM carrier frequencies are separated by 200 kHz and that GSM operates in duplex. A channel number assigned to a pair of frequencies, one uplink and one downlink, is known as an Absolute Radio Frequency Channel Number (ARFCN). Each time slot lasts 576.9 µs. A time slot is the basic radio resource used to facilitate communication between the MS and the BTS. Time Slot Duration Data Rates As stated earlier, GSM uses Gaussian Minimum-Shift Keying (GMSK) as its modulation method. GMSK provides a modulation rate of 270.833 kilobits per second (kb/s). At that rate, a maximum of 156.25 bits can be transmitted in each time slot (576.9 µs).
    270.833 kb/s × 1000 = 270,833 bits/sec (Converting from kilobits to bits)
    270,833 b/sec ÷ 1,000,000 = .270833 b/µs (Calculating bits per microsecond)
    .270833 b/µs × 576.9 µs = 156.25 bits (Calculating number of bits per time slot)
  • 19. Bits in a Time Slot So, 156.25 bits can be transmitted in a single time slot. TDMA Frame Structure & Hierarchy TDMA Frame Each sequence of 8 time slots is known as a TDMA frame. The duration of a TDMA frame is 4.615 milliseconds (ms) (576.9 µs × 8). * Remember that a TDMA frame is 8 time slots and that no one resource will be given an entire TDMA frame, the resources must share them. A TDMA Frame
  • 20. Multiframe A Multiframe is composed of multiple TDMA frames. There are two types of multiframes:  Control Channel Multiframes  Traffic Channel Multiframes Control Channel Multiframe composed of 51 TDMA frames duration = 235.4 ms Control Channel Multiframe Traffic Channel Multiframe Traffic Channel Multiframe
  • 21. Composed of 26 TDMA frames duration = 120 ms Here is a diagram comparing the Control Channel multiframe and a traffic channel multiframe. Traffic Channel and Control Channel Multiframes The next diagram shows a Traffic Channel (TCH) Multiframe with TS2 (green) being allocated to a Mobile Station (MS). The red arrow indicates the sequence of transmission. The sequence starts in TDMA frame 0 at TS0, proceeds through all eight time slots, then starts again with TDMA frame 1. In this example, the MS has been allocated a Traffic Channel in TS2. Therefore the MS will only transmit/receive during TS2 of each TDMA frame.
  • 22. Single Time Slot Allocated Superframe A Superframe is composed of multiple Multiframes. Again, there is a superframe for Control Channels and one for Traffic Channels. Control Channel Superframe composed of 26 Control Channel (CCH) multiframes (each CCH multiframe has 51 TDMA frames) Duration = 6.12 seconds Traffic Channel Superframe composed of 51 Traffic Channel (TCH) multiframes (each TCH) multiframe has 26 TDMA frames) Duration = 6.12 seconds. Each superframe, whether it is a CCH or TCH frame, consists of 1326 TDMA frames (51 * 26)
  • 23. Hyperframe A Hyperframe is composed of 2048 Superframes. Duration = 3h 28m 53s 76ms (12,533.76 seconds). It consists of 2,715,648 TDMA frames. Each TDMA frame is numbered according to its sequence within the hyperframe, starting from 0 and ending at 2,715,647. The TDMA frame number within a hyperframe is abbreviated FN. The FN is one of the variables used in GSM encryption algorithms. The following diagram shows the relationship between all of the various time segments. Relation of all segments
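The frame hierarchy described above can be checked numerically. The Python below is an added example, not part of the original report: it derives the bit, slot, frame, multiframe, superframe and hyperframe durations exactly, splits a frame number (FN) into its position in each level, and packs that into the 22-bit counter GSM ciphering takes from the FN. The names T1/T2/T3 and the 11/6/5-bit COUNT layout are taken from the GSM specifications, not from this report.

```python
from fractions import Fraction

# Structure stated in the report.
SLOTS_PER_FRAME = 8
FRAMES_PER_TCH_MULTIFRAME = 26
FRAMES_PER_CCH_MULTIFRAME = 51
FRAMES_PER_SUPERFRAME = 26 * 51                     # 1326
SUPERFRAMES_PER_HYPERFRAME = 2048
FRAMES_PER_HYPERFRAME = FRAMES_PER_SUPERFRAME * SUPERFRAMES_PER_HYPERFRAME
BITS_PER_SLOT = Fraction(625, 4)                    # 156.25 bits

# Exact timing: a 26-frame traffic multiframe lasts exactly 120 ms.
FRAME_MS = Fraction(120, FRAMES_PER_TCH_MULTIFRAME)  # about 4.615 ms
SLOT_US = FRAME_MS * 1000 / SLOTS_PER_FRAME          # about 576.9 us
BIT_US = SLOT_US / BITS_PER_SLOT                     # about 3.69 us


def durations_s():
    """Duration of each level of the hierarchy, in seconds (exact fractions)."""
    frame_s = FRAME_MS / 1000
    return {
        "tdma_frame": frame_s,
        "tch_multiframe": frame_s * FRAMES_PER_TCH_MULTIFRAME,
        "cch_multiframe": frame_s * FRAMES_PER_CCH_MULTIFRAME,
        "superframe": frame_s * FRAMES_PER_SUPERFRAME,
        "hyperframe": frame_s * FRAMES_PER_HYPERFRAME,
    }


def split_fn(fn):
    """Split FN into (T1, T2, T3).

    T1 = superframe index within the hyperframe (0..2047)
    T2 = frame position in the 26-frame traffic multiframe (0..25)
    T3 = frame position in the 51-frame control multiframe (0..50)
    """
    if not 0 <= fn < FRAMES_PER_HYPERFRAME:
        raise ValueError("FN must be within one hyperframe")
    return fn // FRAMES_PER_SUPERFRAME, fn % 26, fn % 51


def join_fn(t1, t2, t3):
    """Rebuild FN from (T1, T2, T3); 26 and 51 are coprime, so this is unique."""
    return 51 * ((t3 - t2) % 26) + t3 + FRAMES_PER_SUPERFRAME * t1


def cipher_count(fn):
    """22-bit COUNT derived from FN: T1 (11 bits) | T3 (6 bits) | T2 (5 bits).

    The FN is broadcast on the SCH, so COUNT is a public per-frame value, not
    a secret. It only repeats when the hyperframe wraps (about 3.5 hours).
    """
    t1, t2, t3 = split_fn(fn)
    return (t1 << 11) | (t3 << 5) | t2


if __name__ == "__main__":
    for name, value in durations_s().items():
        print(f"{name:15s} {float(value):.6f} s")
    last = FRAMES_PER_HYPERFRAME - 1
    print("last FN", last, "->", split_fn(last), "COUNT", hex(cipher_count(last)))
```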
  • 24. Physical and Logical Channels Time Division Multiple Access (TDMA) divides one radio frequency channel into consecutive periods of time, each one called a "TDMA Frame". Each TDMA Frame contains eight shorter periods of time known as "Timeslots" .The TDMA timeslots are called "Physical Channels" as they are used to physically move information from one place to another. The radio carrier signal between the Mobile Station and the BTS is divided into a continuous stream of timeslots which in turn are transmitted in a continuous stream of TDMA frames .The 8 timeslots are further broken up into logical channels. Logical channels can be thought of as just different types of data that is transmitted only on certain frames in a certain timeslot. Different time slots will carry different logical channels, depending on the structure the BSS uses. Logical Channels are of two types:- Signalling Channels Traffic Channels (TCH) Signaling Channels These are the main types of signaling Channels: Broadcast Channels (BCH) - Transmitted by the BTS to the MS. This channel carries system parameters needed to identify the network, synchronize time and frequency with the network, and gain access to the network. Common Control Channels (CCH) - Used for signaling between the BTS and the MS and to request and grant access to the network. Standalone Dedicated Control Channels (SDCCH) - Used for call setup.
  • 25. Associated Control Channels (ACCH) - Used for signaling associated with calls and call-setup. An ACCH is always allocated in conjunction with a TCH or a SDCCH. The above categories can be divided into the following logical channels: Broadcast Channels (BCH) Broadcast Control Channel (BCCH) Frequency Correction Channel (FCCH) Synchronization Channel (SCH) Cell Broadcast Channel (CBCH) Common Control Channels (CCCH) Paging Channel (PCH) Random Access Channel (RACH) Access Grant Channel (AGCH) Dedicated Control Channel (DCCH) Standalone Dedicated Control Channel (SDCCH) Fast Associated Control Channel (FACCH) Slow Associated Control Channel (SACCH) Let's examine each type of logical channel individually. Broadcast Channels (BCH) Broadcast Control Channel (BCCH) – DOWNLINK- This channel contains system parameters needed to identify the network and gain access. These parameters include the Location Area Code (LAC), the Mobile Network Code (MNC), the frequencies of neighbouring cells, and access parameters. Frequency Correction Channel (FCCH) - DOWNLINK - This channel is used by the MS as a frequency reference. This channel contains frequency correction bursts.
  • 26. Synchronization Channel (SCH) - DOWNLINK - This channel is used by the MS to learn the Base Station Identity Code (BSIC) as well as the TDMA frame number (FN). This lets the MS know what TDMA frame it is on within the hyperframe. Cell Broadcast Channel (CBCH) - DOWNLINK - This channel is not truly its own type of logical channel. The CBCH is for point-to-omnipoint messages. It is used to broadcast specific information to network subscribers, such as weather, traffic, sports, stocks, etc. Messages can be of any nature depending on what service is provided. Messages are normally public service type messages or announcements. The CBCH isn’t allocated a slot for itself; it is assigned to an SDCCH. It only occurs on the downlink. The CBCH usually occupies the second subslot of the SDCCH. The mobile will not acknowledge any of the messages. Common Control Channels (CCCH) Paging Channel (PCH) - DOWNLINK - This channel is used to inform the MS that it has incoming traffic. The traffic could be a voice call, SMS, or some other form of traffic. Random Access Channel (RACH) - UPLINK - This channel is used by a MS to request an initial dedicated channel from the BTS. This would be the first transmission made by a MS to access the network and request radio resources. The MS sends an Access Burst on this channel in order to request access. Access Grant Channel (AGCH) - DOWNLINK - This channel is used by a BTS to notify the MS of the assignment of an initial SDCCH for initial signaling.
  • 27. Dedicated Control Channels (DCCH) Standalone Dedicated Control Channel (SDCCH) - UPLINK/DOWNLINK - This channel is used for signaling and call setup between the MS and the BTS. Fast Associated Control Channel (FACCH) - UPLINK/DOWNLINK - This channel is used for control requirements such as handoffs. There is no TS and frame allocation dedicated to a FACCH. The FACCH is a burst-stealing channel; it steals a Timeslot from a Traffic Channel (TCH). Slow Associated Control Channel (SACCH) - UPLINK/DOWNLINK - This channel is a continuous stream channel that is used for control and supervisory signals associated with the traffic channels. Traffic Channels (TCH) Traffic Channels are used to carry two types of information to and from the user: • Encoded Speech • Data Encoded Speech - Encoded speech is voice audio that is converted into digital form and compressed. Full Rate Speech TCH (TCH/FS) - 13 kb/s; Half Rate Speech TCH (TCH/HS) - 5.6 kb/s. Data - Data refers to user data such as text messages, picture messages, internet browsing, etc. It includes pretty much
  • 28. everything except speech.
    Full rate Data TCH (TCH/F14.4) - 14.4 kb/s
    Full rate Data TCH (TCH/F9.6) - 9.6 kb/s
    Full rate Data TCH (TCH/F4.8) - 4.8 kb/s
    Half rate Data TCH (TCH/H4.8) - 4.8 kb/s
    Full rate Data TCH (TCH/F2.4) - ≤2.4 kb/s
    Half rate Data TCH (TCH/H2.4) - ≤2.4 kb/s
    Data Burst The data transmitted during a single time slot is known as a burst. Each burst allows 8.25 bits for guard time within a time slot. This is to prevent bursts from overlapping and interfering with transmissions in other time slots. Subtracting this from the 156.25 bits, there are 148 bits usable for each burst. There are four main types of bursts in TDMA: Normal Burst (NB), Frequency Correction Burst (FB), Synchronization Burst (SB), Access Burst (AB). Normal Burst The data transmitted during a single time slot is known as a burst. Each burst allows 8.25 bits for guard time. This is to prevent bursts from overlapping and interfering with transmissions in other time slots. Out of 156.25, this leaves 148 bits usable for each burst.
  • 29. Here is the structure of a normal burst: Normal Burst Tail Bits - Each burst leaves 3 bits on each end in which no data is transmitted. This is designed to compensate for the time it takes for the power to rise up to its peak during a transmission. The bits at the end compensate for the powering down at the end of the transmission. Data Bits - There are two data payloads of 57 bits each. Stealing Flags - Indicates whether the burst is being used for voice/data (set to "0") or if the burst is being "stolen" by the FACCH to be used for signalling (set to "1"). Training Sequence - The training sequence bits are used to
  • 30. overcome multi-path fading and propagation effects through a method called equalization. This diagram illustrates a single burst inside a time slot. Remember that 8.25 bits are not used in order to allow for a guard time. Burst within a Time Slot Since each burst has two 57-bit data segments, we can see that a single burst has a data payload of 114 bits. Frequency Correction Burst This burst is used for frequency synchronization of the mobile station. It is an unmodulated carrier that shifts in frequency. It has the same guard time as a normal burst (8.25 bits). The broadcast of the FB usually occurs on the logical channel FCCH. Frequency Correction Burst
  • 31. Synchronization Burst This burst is used for time synchronization of the mobile. The data payload carries the TDMA Frame Number (FN) and the Base Station Identity Code (BSIC). It is broadcast with the frequency correction burst. The Synchronization Burst is broadcast on the Synchronization Channel (SCH). Synchronization Burst Access Burst This burst is used by mobile station for random access. It has a much longer guard period (68.25 bits compared to the 8.25 bits in a normal burst). It is designed to compensate for the unknown distance of the mobile station from the tower, when the MS wants access to a new BTS, it will not know the correct Timing Advance. Access Burst
  • 32. Frequency Hopping Each radio frequency Channel (ARFCN) is influenced differently by propagation conditions. What affects channel 23 may not affect channel 78 at all. Within a given cell, some frequencies will have good propagation in a certain area and some will have poor propagation in that area. In order to take advantage of the good propagation and to defeat the poor propagation, GSM utilizes frequency hopping. Frequency hopping means that a transceiver hops from one frequency to another in a predetermined sequence. If a transceiver hops through all of the available frequencies in a cell then it will average out the propagation. GSM uses Slow Frequency Hopping (SFH). It is considered slow because the system hops relatively slow, compared with other frequency hopping systems. In GSM, the operating frequency is changed every TDMA frame. The main reason for using slow frequency hopping is because the MS must also change its frequency often in order to monitor adjacent cells. The device in a transceiver that generates the frequency is called a frequency synthesizer. On a MS, a synthesizer must be able to change its frequency within the time frame of one time slot, which is equal to 577 µs. GSM does not require the BTS to utilize frequency hopping. However, a MS must be capable of utilizing frequency hopping when told to do so. The frequency hopping and timing sequence is known as the hopping algorithm. There are two types of hopping algorithms available to a MS.  Cyclic Hopping - The transceiver hops through a predefined list of frequencies in sequential order.  Random Hopping - The transceiver hops through the list of frequencies in a random manner. The sequence appears random but it is actually a set order.
  • 33. There are a total of 63 different hopping algorithms available in GSM. When the MS is told to switch to frequency hopping mode, the BTS will assign it a list of channels and the Hopping Sequence Number (HSN), which corresponds to the particular hopping algorithm that will be used. The base channel on the BTS does not frequency hop. This channel, located in time slot 0, holds the Broadcast Control Channels which the MS needs to monitor to determine strength measurements, determine access parameters, and synchronize with the system. If a BTS uses multiple transceivers (TRX) then only one TRX will hold the Broadcast Channels on time slot 0. All of the other TRXs may use time slot 0 for traffic or signalling and may take part in the frequency hopping. There are two types of frequency hopping method available for the BTS: synthesizer hopping and baseband hopping.  Synthesizer Hopping - This requires the TRX itself to change frequencies according to the hopping sequence. So, one TRX would hop between multiple frequencies on the same sequence that the MS is required to.  Baseband Hopping - In this method there are several TRX and each one stays on a fixed frequency within the hopping frequency plan. Each TRX would be assigned a single time slot within a TDMA frame. For example, time slot 1 might be assigned to TRX 2 in one TDMA frame and in the next TDMA frame it would be assigned to TRX 3, and the next frame would be TRX 3. So, the data on each time slot would be sent on a different frequency each frame, but the TRXs on the BTS do not need to change frequency. The BTS simply routes the data to the appropriate TRX, and the MS knows which TRX to be on for any given TDMA frame.
  • 35. Traffic management Location update A MS will need to update its location whenever it moves to a tower that is serviced by a different VLR than the one it is currently on. An MS can move from BTS to BTS without ever telling the network, as long as it is within the same location area. Once it moves to a new location area, it is required to inform the network. The MS moves to another Location Area. As a MS moves around, it is constantly monitoring the signal strength of the BCCH of its current BTS, as well as of neighbouring BTSs, to determine if the neighbours have a stronger signal. When the MS is in idle mode (not in a call), it will determine for itself when to move from its current BTS to a more attractive one. When the MS switches from a BTS in one VLR to a BTS in a different VLR, it must do a location update, so the network knows which MSC/VLR the MS is currently using. Elements involved in location update
  • 36. Channel Request 1. The MS requests a channel by sending a Channel Request (CHAN_REQ) message on the RACH. 2. The BTS responds by sending an Immediate Assignment Command message (IMM_ASS_CMD) on the AGCH. 3. The MS switches to the assigned SDCCH and replies with a Location Update Request (LOC_UPD_REQ). Included in the LOC_UPD_REQ is the TMSI the MS is currently using as well as the Location Area Identifier (LAI) of the VLR it is leaving. 4. The BTS acknowledges receipt of the message. Gaining VLR requests data from losing VLR 5. The BSS forwards the Location Update Request to the gaining MSC/VLR. 6. The gaining MSC/VLR does not recognize the TMSI/IMSI of the MS, so it contacts the losing MSC/VLR that corresponds to the LAI that was provided by the MS. The new MSC/VLR requests the subscriber data for the given TMSI. 7. The gaining MSC/VLR will then authenticate the MS. There are two ways this could occur. First, the losing MSC/VLR may have forwarded any sets of triplets that it was retaining for the MS. The gaining MSC/VLR would then just use the next set of triplets. Second, the gaining MSC/VLR could contact the HLR and request authentication triplets from the AuC and proceed with authentication that way.
  • 37. The authentication and encryption process is not shown here. It occurs the same way as in the IMSI Attach Location Update. 8. Once the MS has been authenticated and is in Cipher Mode, the MSC/VLR sends a Location Update Accept message (LOC_UPD_ACC) through the BSS to the MS. The LOC_UPD_ACC may have a TMSI assignment in it; otherwise the TMSI will be assigned in a TMSI_REAL_CMD message. 9. The MS will respond with a TMSI Reallocation Complete message (TMSI_REAL_COM) indicating it has received the TMSI. 10. The BSS then sends the MS a Channel Release message (CHAN_REL) instructing it to go into idle mode. The BSS then unassigns the SDCCH. As far as the MS is concerned, the location update has been completed. Updating the Registers The gaining MSC/VLR sends an Update Location message to the HLR. The HLR updates its records to point to the gaining MSC/VLR when it is asked for its location. It also passes on subscriber information for the MS to the gaining MSC/VLR. The HLR sends a Cancel Location message to the losing MSC/VLR. The losing MSC/VLR deletes the MS's record and also releases the TMSI for reassignment. The losing MSC/VLR sends a Cancel Location Result message back to the HLR, confirming the cancellation.
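The message order in steps 1 to 10 can be checked mechanically against a recorded signalling trace. The Python below is an added example, not part of the original report; the trace tuples, the AUTH_OK and CIPHER_ON markers (standing in for the authentication and ciphering exchange the report does not show) and the TMSI/LAI values are constructed for illustration.

```python
# Expected direction (UL = MS to network, DL = network to MS) and logical
# channel for each air-interface message named in the report.
EXPECTED = {
    "CHAN_REQ": ("UL", "RACH"),
    "IMM_ASS_CMD": ("DL", "AGCH"),
    "LOC_UPD_REQ": ("UL", "SDCCH"),
    "LOC_UPD_ACC": ("DL", "SDCCH"),
    "TMSI_REAL_CMD": ("DL", "SDCCH"),
    "TMSI_REAL_COM": ("UL", "SDCCH"),
    "CHAN_REL": ("DL", "SDCCH"),
}
# Messages that must all appear, in this order.
ORDER = ["CHAN_REQ", "IMM_ASS_CMD", "LOC_UPD_REQ", "LOC_UPD_ACC", "CHAN_REL"]
# Placeholder state markers (assumption, not GSM message names).
MARKERS = ("AUTH_OK", "CIPHER_ON")


def check_location_update(trace):
    """Return a list of findings for one location-update trace.

    trace: list of (direction, channel, message, fields) tuples.
    An empty list means the trace follows the procedure in the report.
    """
    findings, seen, state = [], [], set()
    tmsi_pending = False
    for i, (direction, channel, msg, fields) in enumerate(trace, 1):
        if msg in MARKERS:
            state.add(msg)
            continue
        if msg not in EXPECTED:
            findings.append(f"{i}: unexpected message {msg}")
            continue
        if (direction, channel) != EXPECTED[msg]:
            want = "/".join(EXPECTED[msg])
            findings.append(f"{i}: {msg} seen as {direction}/{channel}, expected {want}")
        if msg in ORDER:
            missing = [m for m in ORDER[:ORDER.index(msg)] if m not in seen]
            if missing:
                findings.append(f"{i}: {msg} before {', '.join(missing)}")
        if msg in ("LOC_UPD_ACC", "TMSI_REAL_CMD"):
            # Step 8: the accept (and any new TMSI) follows authentication
            # and cipher mode, so the new identity is not sent in clear.
            if state != set(MARKERS):
                findings.append(f"{i}: {msg} sent before authentication and cipher mode")
            if msg == "TMSI_REAL_CMD" or "tmsi" in fields:
                tmsi_pending = True
        if msg == "TMSI_REAL_COM":
            if not tmsi_pending:
                findings.append(f"{i}: TMSI_REAL_COM without a TMSI assignment")
            tmsi_pending = False
        if msg == "CHAN_REL" and tmsi_pending:
            findings.append(f"{i}: channel released before TMSI_REAL_COM")
        seen.append(msg)
    findings += [f"end: {m} never seen" for m in ORDER if m not in seen]
    return findings


# Constructed sample traces (values are made up).
GOOD_TRACE = [
    ("UL", "RACH", "CHAN_REQ", {}),
    ("DL", "AGCH", "IMM_ASS_CMD", {}),
    ("UL", "SDCCH", "LOC_UPD_REQ", {"tmsi": "0x11111111", "lai": "LAI-OLD"}),
    ("-", "-", "AUTH_OK", {}),
    ("-", "-", "CIPHER_ON", {}),
    ("DL", "SDCCH", "LOC_UPD_ACC", {"tmsi": "0x22222222"}),
    ("UL", "SDCCH", "TMSI_REAL_COM", {}),
    ("DL", "SDCCH", "CHAN_REL", {}),
]
# Accept carrying a new TMSI arrives before cipher mode and is never confirmed.
BAD_TRACE = [
    ("UL", "RACH", "CHAN_REQ", {}),
    ("DL", "AGCH", "IMM_ASS_CMD", {}),
    ("UL", "SDCCH", "LOC_UPD_REQ", {"tmsi": "0x11111111", "lai": "LAI-OLD"}),
    ("-", "-", "AUTH_OK", {}),
    ("DL", "SDCCH", "LOC_UPD_ACC", {"tmsi": "0x22222222"}),
    ("DL", "SDCCH", "CHAN_REL", {}),
]

if __name__ == "__main__":
    print("good:", check_location_update(GOOD_TRACE))
    print("bad: ", check_location_update(BAD_TRACE))
```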
  • 38. Procedure in location update Handover Maintaining the traffic connection with a moving subscriber is made possible with the help of the handover function. The basic concept is simple: when the subscriber moves from the coverage area of one cell to another, a new connection with the target cell has to be set up and the connection with the old cell has to be released. There are two reasons for performing a handover: 1. Handover due to measurements occurs when the quality or the strength of the radio signal falls below certain parameters specified in the BSC. The deterioration of the signal is detected by the constant signal measurements carried out by both the mobile station and the BTS. As a consequence, the connection is handed over to a cell with a stronger signal. 2. Handover due to traffic reasons occurs when the traffic capacity of a cell has reached its maximum or is approaching it. In such a case, the mobile stations near the edges of the cell may be handed over to neighbouring cells with less traffic load.
  • 39. The decision to perform a handover is always made by the BSC that is currently serving the subscriber, except for the handover for traffic reasons. There are four different types of handover and the best way to analyse them is to follow the subscriber as he moves:-  Intra cell - Intra BSC handover The smallest of the handovers is the intra cell handover where the subscriber is handed over to another traffic channel (generally in another frequency) within the same cell. In this case the BSC controlling the cell makes the decision to perform handover. Intra cell - Intra BSC handover  Inter cell - Intra BSC handover The subscriber moves from cell 1 to cell 2. In this case the handover process is controlled by BSC. The traffic connection with cell 1 is
  • 40. released when the connection with cell 2 is set up successfully. Inter cell - Intra BSC handover  Inter cell - Inter BSC handover The subscriber moves from cell 2 to cell 3, which is served by another BSC. In this case the handover process is carried out by the MSC, but the decision to make the handover is still done by the first BSC. The connection with the first BSC (and BTS) is released when the connection with the new BSC (and BTS) is set up successfully. Inter cell - Inter BSC handover
  • 41.  Inter MSC handover The subscriber moves from a cell controlled by one MSC/VLR to a cell in the domain of another MSC/VLR. This case is a bit more complicated. Considering that the first MSC/VLR is connected to the GMSC via a link that passes through PSTN lines, it is evident that the second MSC/VLR cannot take over the first one just like that. The MSC/VLR currently serving the subscriber (also known as the anchor MSC), contacts the target MSC/VLR and the traffic connection are transferred to the target MSC/VLR. As both MSCs are part of the same network, the connection is established smoothly. It is important to notice, however, that the target MSC and the source MSC are two telephone exchanges. The call can be transferred between two exchanges only if there is a telephone number identifying the target MSC. Inter MSC handover
  • 42. Timing Advances Introduction A Timing Advance (TA) is used to compensate for the propagation delay as the signal travels between the Mobile Station (MS) and Base Transceiver Station (BTS). The Base Station System (BSS) assigns the TA to the MS based on how far away it perceives the MS to be. Determination of the TA is normally a function of the Base Station Controller (BSC), but this function can be handled anywhere in the BSS, depending on the manufacturer. Time Division Multiple Access (TDMA) requires precise timing of both the MS and BTS systems. When a MS wants to gain access to the network, it sends an access burst on the RACH. The further away the MS is from the BTS, the longer it will take the access burst to arrive at the BTS, due to propagation delay. Eventually there comes a certain point where the access burst would arrive so late that it would occur outside its designated timeslot and would interfere with the next time slot. Access Burst An access burst has 68.25 guard bits at the end of it. This guard time is to compensate for propagation delay due to the unknown distance of the MS from the BTS. It allows an access burst to arrive up to 68.25 bits later than it is supposed to without interfering with the next time slot.
  • 43. 68.25 bits doesn’t mean much to us in the sense of time, so we must convert 68.25 bits into a frame of time. To do this, it is necessary to calculate the duration of a single bit; the duration is the amount of time it would take to transmit a single bit. Duration of a Single Bit As you recall, GSM uses Gaussian Minimum Shift Keying (GMSK) as its modulation method, which has a data throughput of 270.833 kilobits/second (kb/s). Calculate duration of a bit
    Description | Formula | Result
    Convert kilobits to bits | 270.833 kb × 1000 | 270,833 bits
    Calculate seconds per bit | 1 sec ÷ 270,833 bits | .00000369 seconds
    Convert seconds to microseconds | .00000369 sec × 1,000,000 | 3.69 µs
  • 44. So now we know that it takes 3.69µs to transmit a single bit. Propagation Delay Now, if an access burst has a guard period of 68.25 bits this results in a maximum delay time of approximately 252µs (3.69µs × 68.25 bits). This means that a signal from the MS could arrive up to 252µs after it is expected and it would not interfere with the next time slot. The next step is to calculate how far away a mobile station would have to be for a radio wave to take 252µs to arrive at the BTS, this would be the theoretical maximum distance that a MS could transmit and still arrive within the correct time slot. Using the speed of light, we can calculate the distance that a radio wave would travel in a given time frame. The speed of light (c) is 300,000 km/s.
  • 45.
    Description | Formula | Result
    Convert km to m | 300,000 km × 1000 | 300,000,000 m
    Convert m/s to m/µs | 300,000,000 ÷ 1,000,000 | 300 m/µs
    Calculate distance for 252 µs | 300 m/µs × 252 µs | 75,600 m
    Convert m to km | 75,600 m ÷ 1000 | 75.6 km
    So, we can determine that a MS could theoretically be up to 75.6km away from a BTS when it transmits its access burst and still not interfere with the next time slot. However, we must take into account that the MS synchronizes with the signal it receives from the BTS. We must account for the time it takes for the synchronization signal to travel from the BTS to the MS. When the MS receives the synchronization signal from the BTS, it has no way of determining how far away it is from the BTS. So, when the MS receives the synchronization signal on the SCH, it synchronizes its time with the timing of the system. However, by the time the signal arrives at the MS, the timing of the BTS has already progressed some. Therefore, the timing of the MS will now be behind the timing of the BTS for an amount of time equal to the travel time from the BTS to the MS. For example, if a MS were exactly 75.6km away from the BTS, then it would take 252µs for the signal to travel from the BTS to the MS.
  • 46. The MS would then synchronize with this timing and send its access burst on the RACH. It would take 252µs for this signal to return to the BTS. The total round trip time would be 504µs. So, by the time the signal from the MS arrives at the BTS, it will be 504µs behind the timing of the BTS. 504µs equals about 136.5 bits. The 68.25 bits of guard time would absorb some of the delay of 136.5 bits, but the access burst would still cut into the next time slot a whopping 68.25 bits.
  • 47. Maximum Size of a Cell
    In order to compensate for the two-way trip of the radio link, we must divide the maximum delay distance in half. So, dividing 75.6km in half, we get approximately 37.8km. If a MS is further out than 37.8km and transmits an access burst, it will most likely interfere with the following time slot. At any distance less than 37.8km, the access burst should arrive within the guard time allowed for an access burst and it will not interfere with the next time slot. In GSM, the maximum distance of a cell is standardized at 35km. This is due mainly to the number of timing advances allowed in GSM, which is explained below.
    How a BSS Determines a Timing Advance
    In order to determine the propagation delay between the MS and the BSS, the BSS uses the synchronization sequence within an access burst. The BSS examines the synchronization sequence and sees how long it arrived after the time that it expected it to arrive. As we learned from above, the duration of a single bit is approximately 3.69µs. So, if the BSS sees that the synchronization is late by a single
  • 48. bit, then it knows that the propagation delay is 3.69µs. This is how the BSS knows which TA to send to the MS. For each 3.69µs of propagation delay, the TA will be incremented by 1. If the delay is less than 3.69µs, no adjustment is used and this is known as TA0. For every TA, the MS will start its transmission 3.69µs (or one bit) early. Each TA really corresponds to a range of propagation delay. Each TA is essentially equal to a 1-bit delay detected in the synchronization sequence.
    TA | From | To
    0 | 0µs | 3.69µs
    1 | 3.69µs | 7.38µs
    2 | 7.38µs | 11.07µs
    3 | 11.07µs | 14.76µs
    ... | ... | ...
    63 | 232.47µs | 236.16µs
  • 49. The Distance of a Timing Advance
    When calculating the distances involved for each TA, we must remember that the total propagation delay accounts for a two-way trip of the radio wave. The first leg is the synchronization signal travelling from the BTS to the MS, and the second leg is the access burst travelling from the MS to the BTS. If we want to know the true distance of the MS from the BTS, we must divide the total propagation delay in half. For example, if the BSS determines the total propagation delay to be 3.69µs, we can determine the distance of the MS from the BTS.
    Description | Formula | Result
    Determine one-way propagation time | 3.69µs ÷ 2 | 1.845µs
    Calculate distance (using speed of light) | 300 m/µs × 1.845µs | 553.5m
  • 50. We determined earlier that for each propagation delay of 3.69µs the TA is incremented by one. We just learned that a propagation delay of 3.69µs equals a one-way distance of 553.5 meters. So, we see that each TA is equal to a distance of 553.5 meters from the tower. Starting from the BTS (0 meters), a new TA will start every 553.5m.
    TA Ring | Start | End
    0 | 0 | 553.5m
    1 | 553.5m | 1107m
    2 | 1107m | 1660.5m
    3 | 1660.5m | 2214m
    ... | ... | ...
    63 | 34.87km | 35.42km
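The timing-advance arithmetic above can be checked for any distance with the short script below. It is an added example, not part of the original report; it uses the report's constants (3.69µs per bit, 300 m/µs, TA 0 to 63, and the 68.25-bit and 8.25-bit guard periods of the access and normal bursts), and the function names and sample distances are constructed for illustration.

```python
# Added example: GSM timing advance from MS-to-BTS distance, using the report's constants.
BIT_US = 3.69              # duration of one bit in microseconds (value used in the report)
C_M_PER_US = 300.0         # speed of light in metres per microsecond
MAX_TA = 63                # highest timing advance value in the report's table
ACCESS_GUARD_BITS = 68.25  # guard period of an access burst
NORMAL_GUARD_BITS = 8.25   # guard period of a normal burst


def round_trip_bits(distance_m: float) -> float:
    """Round-trip delay (BTS->MS sync signal plus MS->BTS burst) in bit periods."""
    round_trip_us = 2 * distance_m / C_M_PER_US
    return round_trip_us / BIT_US


def timing_advance(distance_m: float) -> int:
    """TA the BSS would assign: one step per whole bit of round-trip delay, capped at 63."""
    return min(MAX_TA, int(round_trip_bits(distance_m)))


def overlap_bits(distance_m: float, guard_bits: float, ta: int = 0) -> float:
    """Bits by which a burst runs into the next time slot (0.0 if it fits).

    The MS transmits `ta` bits early; whatever lateness remains has to be
    absorbed by the burst's guard period.
    """
    late = round_trip_bits(distance_m) - ta
    return max(0.0, late - guard_bits)


def report(distance_m: float) -> dict:
    """Summarise delay, TA and slot overlap for one MS distance."""
    ta = timing_advance(distance_m)
    return {
        "distance_m": distance_m,
        "round_trip_bits": round(round_trip_bits(distance_m), 2),
        "ta": ta,
        "access_burst_overlap": round(overlap_bits(distance_m, ACCESS_GUARD_BITS), 2),
        "normal_overlap_without_ta": round(overlap_bits(distance_m, NORMAL_GUARD_BITS), 2),
        "normal_overlap_with_ta": round(overlap_bits(distance_m, NORMAL_GUARD_BITS, ta), 2),
    }


if __name__ == "__main__":
    for d in (1_000, 10_000, 35_000, 75_600):   # constructed sample distances in metres
        print(report(d))
```

At 75,600m the TA is capped at 63, so even a timing-advanced normal burst still overruns its slot, which is why the cell radius is limited to about 35km.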
  • 51. The TA becomes very important when the MS switches over to using a normal burst in order to transmit data. The normal burst does not have the 68.25 bits of guard time. The normal burst only has 8.25 bits of guard time, so the MS must transmit with more precise timing. With a guard time of 8.25 bits, the normal burst can only be received up to 30.44µs late and not interfere with the next time slot. Because of the two-way trip of the radio signal, if the MS transmits more than 15.22µs after it is supposed to, then it will interfere with the next time slot.
    Authentication & Encryption
    Introduction
    Authentication - Whenever a MS requests access to a network, the network must authenticate the MS. Authentication verifies the identity and validity of the SIM card to the network and ensures that the subscriber is authorized access to the network.
    Encryption - In GSM, encryption refers to the process of creating authentication and ciphering crypto-variables using a special key and an encryption algorithm.
    Ciphering - Ciphering refers to the process of changing plaintext data into encrypted data using a special key and a special encryption algorithm. Transmissions between the MS and the BTS on the Um link are enciphered.
    Ki - The Ki is the individual subscriber authentication key. It is a 128-bit number that is paired with an IMSI when the SIM card is created. The Ki is only stored on the SIM card and at the
  • 52. Authentication Center (AuC). The Ki will never be transmitted across the network on any link.
    RAND - The RAND is a random 128-bit number that is generated by the AuC when the network requests to authenticate a subscriber. The RAND is used to generate the Signed Response (SRES) and Kc crypto-variables.
    Signed Response - The SRES is a 32-bit crypto-variable used in the authentication process. The MS is challenged by being given the RAND by the network; the SRES is the expected correct response. The MS receives the RAND as a challenge and uses it to calculate the SRES. The SRES is passed up to the network as a response to the challenge.
    A3 Algorithm - The A3 algorithm computes a 32-bit Signed Response (SRES). The Ki and RAND are inputted into the A3 algorithm and the result is the 32-bit SRES. The A3 algorithm resides on the SIM card and at the AuC.
    A8 Algorithm - The A8 algorithm computes a 64-bit ciphering key (Kc). The Ki and the RAND are inputted into the A8 algorithm and the result is the 64-bit Kc. The A8 algorithm resides on the SIM card and at the AuC.
    COMP128 - A keyed hash function that combines the A3 and A8 algorithms into a single function. The 128-bit Ki and 128-bit RAND are input into the COMP128, which generates a 32-bit SRES and a 54-bit Kc in a single function. COMP128 is weak because it can give away information about the Ki.
    Kc - The Kc is the 64-bit ciphering key that is used in the A5 encryption algorithm to encipher and decipher the data that is being transmitted on the Um interface.
    A5 - The A5 encryption algorithm is used to encipher and decipher the data that is being transmitted on the Um interface. The Kc and the
  • 53. plaintext data are inputted into the A5 algorithm and the output is enciphered data. The A5 algorithm is a function of the Mobile Equipment (ME) and not a function of the SIM card. The BTS also makes use of the A5 algorithm. There are three versions of the A5 algorithm:
    A5/1 - The current standard for U.S. and European networks. A5/1 is a stream cipher.
    A5/2 - The deliberately weakened version of A5/1 that is intended for export to non-western countries. A5/2 is a stream cipher.
    A5/3 - A newly developed algorithm not yet in full use. A5/3 is a block cipher.
    Triplets - The RAND, SRES, and Kc together are known as the Triplets. The AuC will send these three crypto-variables to the requesting MSC/VLR so it can authenticate and encipher.
    International Mobile Subscriber Identity - An IMSI is usually presented as a 15-digit number, but can be shorter. For example, MTN South Africa's old IMSIs that are still being used in the market are shown as 14 digits. The first 3 digits are the Mobile Country Code (MCC), and are followed by the Mobile Network Code (MNC), either 2 digits (European standard) or 3 digits (North American standard). The length of the MNC depends on the value of the MCC. The remaining digits are the Mobile Subscription Identification Number (MSIN) within the network's customer base.
  • 54. Authentication Procedures
    Fig-1: When a MS requests access to the network, the MSC/VLR will normally require the MS to authenticate. The MSC will forward the IMSI to the HLR and request authentication Triplets. The network can have the MS authenticate whenever it wants and this can vary from network to network. The network can require the MS to authenticate every time an event is initiated (location update, mobile-originated call, mobile-terminated call, etc.), every so many events, or even after a certain time period has elapsed. The network will almost always require authentication whenever the MS moves into a new Location Area and does a Location Update.
  • 55. Fig-2: When the HLR receives the IMSI and the authentication request, it first checks its database to make sure the IMSI is valid and belongs to the network. Once it has accomplished this, it will forward the IMSI and authentication request to the Authentication Center (AuC).
    Fig-3: The AuC will use the IMSI to look up the Ki associated with that IMSI. The Ki is the individual subscriber authentication key. It is a 128-bit number that is paired with an IMSI when the SIM card is created. The Ki is only stored on the SIM card and at the AuC. The AuC will also generate a 128-bit random number called the RAND.
  • 56. Fig-4: The RAND and the Ki are inputted into the A3 encryption algorithm. The output is the 32-bit Signed Response (SRES). The SRES is essentially the "challenge" sent to the MS when authentication is requested.
  • 57. Fig-5: The RAND and Ki are input into the A8 encryption algorithm. The output is the 64-bit Kc. The Kc is the ciphering key that is used in the A5 encryption algorithm to encipher and decipher the data that is being transmitted on the Um interface.
    Fig-6: The RAND, SRES, and Kc are collectively known as the Triplets. The AuC may generate many sets of Triplets and send them to the requesting MSC/VLR. This is in order to reduce the signalling overhead that would result if the MSC/VLR requested one set of triplets every time it wanted to authenticate the MS. It should be noted that a set of triplets is unique to one IMSI; it cannot be used with any other IMSI.
  • 58. Fig-7: Once the AuC has generated the triplets (or sets of triplets), it forwards them to the HLR. The HLR subsequently sends them to the requesting MSC/VLR.
    Fig-8: The MSC stores the Kc and the SRES but forwards the RAND to the MS and orders it to authenticate.
    Fig-9: The MS has the Ki stored on the SIM card. The A3 and A8 algorithms also reside on the SIM card. The RAND and Ki are inputted into the A3 and A8 encryption algorithms to generate the SRES and the Kc respectively.
  • 59. Ciphering Procedure
    Fig-10: The MS stores the Kc on the SIM card and sends the generated SRES back to the network. The MSC receives the MS generated SRES and compares it to the SRES generated by the AuC. If they match, then the MS is authenticated.
    Fig-11: Once the MS is authenticated, the MSC passes the Kc to the BSS (the BTS to be specific), and orders the BTS and MS to switch to Cipher Mode. The Kc will never be passed on the Air Interface (Um); it will be stored at the BTS.
  • 60. Fig-12: The BTS inputs the Kc and the data payload into the A5 encryption algorithm resulting in an enciphered data stream. The MS also inputs the Kc and the data payload into the A5 encryption algorithm resulting in an enciphered data stream. It should be noted that the A5 algorithm is a function of the Mobile Equipment (ME) and not the SIM card.
    COMP128
    COMP128 is a single keyed hash function that takes the place of the A3 and A8 algorithms and generates the SRES and Kc in a single function. The Ki and RAND are fed into the COMP128 hash and the result is a 32-bit SRES and a 54-bit Kc. Note that the A8 algorithm generates a 64-bit Kc. So it is obvious that the COMP128 hash generates a much weaker Kc.
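The challenge-response flow of Fig-1 to Fig-11 can be traced in code. The sketch below is an added example, not part of the original report or any operator's implementation: the real A3/A8 algorithms are operator-specific, so an HMAC-SHA256 stand-in with the same input and output sizes is assumed, and the class names, the one-use triplet cache and the test IMSI are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[bytes, bytes, bytes]  # (RAND, SRES, Kc)


def a3_a8_standin(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for the operator's A3/A8 (assumption: HMAC-SHA256, NOT COMP128).

    Keeps the sizes given in the report: 128-bit Ki and RAND in,
    32-bit SRES and 64-bit Kc out.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuC:
    """Authentication Center: the only network element that holds Ki."""

    def __init__(self) -> None:
        self._ki_by_imsi: Dict[str, bytes] = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        if len(ki) != 16:
            raise ValueError("Ki must be 128 bits")
        self._ki_by_imsi[imsi] = ki

    def generate_triplets(self, imsi: str, count: int = 3) -> List[Triplet]:
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:                      # models the HLR's "is this IMSI ours?" check
            raise KeyError("unknown IMSI")
        triplets = []
        for _ in range(count):
            rand = secrets.token_bytes(16)  # fresh 128-bit challenge per triplet
            sres, kc = a3_a8_standin(ki, rand)
            triplets.append((rand, sres, kc))
        return triplets


class Sim:
    """SIM card: holds Ki, runs A3/A8 locally and keeps Kc for ciphering."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki
        self.kc: Optional[bytes] = None

    def respond(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8_standin(self._ki, rand)
        return sres                         # only SRES goes back to the network


class MscVlr:
    """MSC/VLR: caches triplets per IMSI and compares the two SRES values."""

    def __init__(self, auc: AuC) -> None:
        self._auc = auc
        self.cache: Dict[str, List[Triplet]] = {}

    def authenticate(self, sim: Sim) -> Optional[bytes]:
        """Return the Kc to hand to the BTS on success, None on failure."""
        queue = self.cache.setdefault(sim.imsi, [])
        if not queue:                       # fetch a batch to reduce signalling
            queue.extend(self._auc.generate_triplets(sim.imsi))
        rand, expected_sres, kc = queue.pop(0)  # this sketch discards a triplet after one use
        sres = sim.respond(rand)            # only RAND is sent down to the MS
        return kc if hmac.compare_digest(sres, expected_sres) else None


if __name__ == "__main__":
    IMSI = "001010123456789"                # constructed test IMSI
    ki = secrets.token_bytes(16)
    auc = AuC()
    auc.provision(IMSI, ki)
    msc = MscVlr(auc)
    genuine, wrong_ki = Sim(IMSI, ki), Sim(IMSI, secrets.token_bytes(16))
    print("genuine SIM authenticated:", msc.authenticate(genuine) is not None)
    print("wrong-Ki SIM authenticated:", msc.authenticate(wrong_ki) is not None)
```

Neither Ki nor Kc appears in any value passed between `MscVlr` and `Sim`; both sides derive Kc independently from the RAND.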
  • 61. Mobile Originated Call
    A Mobile Originated Call is a call that is initiated by the MS. The following example is a mobile-originated call that terminates outside the PLMN.
    Request Access
    1. The MS sends a Channel Request (CHAN_REQ) message on the RACH.
    2. The BSS responds with a radio resource assignment (IMM_ASS_CMD) on the AGCH.
    3. The MS sends a Service Request (CM_SERV_REQ) message to the BSS on the SDCCH.
    Authentication
    4. Before the network will provide any services to the MS, the network will require the MS to authenticate itself. The BSS sends an Authentication Request (AUTH_REQ) message to the MS. The RAND serves as the "challenge" for authentication.
    5. The MS calculates the proper SRES based on the RAND that was given and sends the SRES to the BSS in an Authentication Response (AUTH_RESP) message.
    6. The BSS verifies the SRES. If the SRES is correct then the MS is authenticated and allowed access to the network. The BSS will send a Service Accept (CM_SERV_ACC) message letting the MS know that the service request was received and processed.
    7. Once authenticated, the BSS orders the MS to switch to cipher mode with the CIPH_MOD_CMD message.
    Initial Call Setup
    8. The MS will immediately switch to cipher mode and send a Cipher Mode Complete (CIPH_MOD_COM) message.
    9. The MS then sends a Call Setup (SETUP) message to the BSS. The
  • 62. message includes the address information (MSISDN) of the called party.
    10. The BSS assigns a TCH to the MS by sending an Assignment Command (ASS_CMD) message. This message includes which Transceiver (TRX) and which Time Slot (TS) to use. The BSS does not actually assign a TCH to the MS until the MSC sends a Call Proceeding (CALL_PROC) message to the BSS indicating that the IAM has been sent.
    11. The MS immediately switches to the assigned TCH. The MS sends an Assignment Complete (ASS_COM) message back to the BTS on the FACCH. Remember that a FACCH is not a separate channel; it is simply a stolen time slot from the TCH that is used for signalling data instead of voice traffic.
    Call Setup
    12. The MSC sends an Initial Address Message (IAM) to the GMSC. The IAM contains the MSISDN of the called party as the MS dialled it. The MSC will also send a Call Proceeding (CALL_PROC) message down to the BSS and this is when the BSS would assign a TCH to the MS, as described in step 10 above.
    13. Based on the dialled number, the GMSC decides where to route the IAM within the PSTN.
    14. The PSTN will continue to route the IAM until it reaches the correct Switching Center and the call routing is complete. The PSTN will then establish the call circuit and send an Address Complete Message (ACM) back to the GMSC.
    15. The GMSC then forwards the ACM back to the responsible MSC indicating that the call circuit has been established.
    Call Establishment
    16. Once the MSC receives the ACM, it sends an ALERT message to the MS indicating that the call is going through. The BSS sends the
  • 63. ALERT message on the FACCH. Once the MS receives the ALERT, it will generate the ringing sound in the earpiece. When the BSS sends the alerting message, the subscriber will hear the line ringing.
    17. Once the called party answers the phone, the PSTN will send an Answer message to the MSC. The MSC forwards this to the MS in a Connection (CON) message.
    18. Once the MS receives the CON message, it switches over to voice and begins the call. All voice traffic occurs on the assigned TCH.
    Call Termination
    19. When either the caller or the called party hangs up, the call will be disconnected. Either party can initiate the disconnection. In this example, the MS initiates the disconnection. The MS sends a Disconnect (DISC) message to the BTS on the FACCH.
    20. The BSS forwards the DISC to the MSC. Once the MSC receives the DISC message, it sends a Release (REL) message through the GMSC to the PSTN as well as down through the BSS to the MS.
    21. The MS responds by sending a Release Complete (REL_COM) message to the BSS on the FACCH. The BSS forwards the REL_COM message up to the MSC. Once the MSC receives the REL_COM message, the call is considered ended from the call control perspective.
    22. Although the call has ended, the BSS still has a TCH allocated to the MS. The MSC sends a Channel Release (CHAN_REL) message to the BSS. The BSS forwards the CHAN_REL message to the MS.
    23. The MS responds with a DISC (LAPD) message and returns to an idle mode. The BSS deallocates the channel and releases the TRX.
  • 64. Mobile Terminated Call
    The term Mobile Terminated Call refers to when the MS is the receiver of a call. In this example, the call is originating from outside the PLMN.
    Route Establishment
    1. The calling party dials the MSISDN for the mobile subscriber. The PSTN identifies the network (PLMN) that the dialled MSISDN belongs to and will locate a GMSC for that network. The PSTN sends an Initial Address message to the GMSC.
    2. The GMSC forwards the MSISDN to the HLR and requests routing information for it. The HLR looks up the MSISDN and determines the IMSI and the SS7 address for the MSC/VLR that is servicing the MS.
    3. The HLR then contacts the servicing MSC/VLR and asks it to assign a Mobile Station Routing Number (MSRN) to the call.
    4. The MSC/VLR allocates the MSRN and forwards it to the HLR. Remember that the MSC/VLR assigns a MSRN to the call, not to the MS itself.
    5. The HLR forwards the MSRN as well as routing information for the servicing MSC/VLR to the GMSC.
    6. The GMSC sends an Initial Addressing message to the servicing MSC/VLR and uses the MSRN to route the call to the MSC/VLR. Once the servicing MSC/VLR receives the call, the MSRN can be released and may be made available for reassignment.
    Paging the Mobile Station
    7. The MSC/VLR then orders all of its BSCs and BTSs to page the MS. Since the MSC/VLR does not know exactly which BSC and BTS
  • 65. the MS is monitoring, the page will be sent out across the entire Location Area.
    Initial Setup
    8. The MS receives the Page Request (PAG_REQ) on the PCH. The MS recognizes that the page is intended for it, based on a TMSI or an IMSI.
    9. The MS sends a Channel Request (CHAN_REQ) message on the RACH.
    10. The BSS responds on the AGCH by sending an Immediate Assignment (IMM ASS) message which assigns an SDCCH to the MS. At this point, the network does not know that the MS is the one that it is paging; it only knows that this MS wants access to the network.
    11. The MS immediately switches to the assigned SDCCH and sends a Paging Response (PAG_RES) message on the SDCCH. This lets the network know that the MS is responding to its page.
    Authentication
    12. Before the network will provide any services to the MS, the network will require the MS to authenticate itself. The BSS sends an Authentication Request (AUTH_REQ) message to the MS. The RAND serves as the "challenge" for authentication.
    13. The MS calculates the proper SRES based on the RAND that was given and sends the SRES to the BSS in an Authentication Response (AUTH_RESP) message.
    14. The BSS verifies the SRES. If the SRES is correct then the MS is authenticated and allowed access to the network.
    15. Once the MSC/VLR has authenticated the MS, it will order the BSS and MS to switch to cipher mode using the CIPH_MOD_CMD message. Once the MS is in encryption mode, the VLR will normally
  • 66. assign a new TMSI to the MS.
    Establishing a Channel
    16. Once the MS is authenticated and in encryption mode, the MSC sends a SETUP message to the BSS; the BSS forwards the SETUP message to the MS on the assigned SDCCH. The SETUP message may include the Calling Line Identification Presentation (CLIP), which is essentially caller ID.
    17. The MS responds by sending a Call Confirmed (CALL_CON) message, which indicates that the MS is able to establish the requested connection. The BSS relays the message up to the MSC.
    Call Setup
    18. The BSS then sends an Assignment Command (ASS_CMD) message to the MS on the assigned SDCCH. The ASS_CMD message assigns a Traffic Channel (TCH) to the MS.
    19. The MS immediately switches to the TCH and responds with an Assignment Complete (ASS_COM) message on the FACCH. The MS begins ringing once it has established the TCH. Remember that all signalling that occurs on the traffic channel actually occurs on a FACCH, which is a time slot that is stolen from the TCH and used for signalling.
    20. The MS sends an ALERT message to the MSC on the FACCH. The BSS forwards the ALERT message through the PSTN to the calling party and the caller hears the line ringing.
    Establishing the Call
    21. Once the user answers the call (by pressing the send button), the MS will send a Connect (CON) message to the MSC. The Connect message is forwarded back to the caller's switch to activate the call.
  • 67. 22. The MSC sends a Connect Acknowledge (CON_ACK) message to the MS and the call is established.
    Disconnecting the Call
    23. A disconnect happens the same way as for any other call. In this example, the calling party initiates the disconnect.
    24. When the calling party hangs up, the calling party's switch initiates a Release (REL) message. The message is forwarded to the serving MSC, which then forwards it to the BSS.
    25. The BSS will send a Disconnect (DISC) message to the MS on the FACCH.
    26. The MS confirms release of the call by sending a Release (REL) message on the FACCH, which is forwarded to the MSC.
    27. The MSC sends a Release Complete (REL_COM) message through the BSS to the MS. As far as call control (CC) is concerned, the connection has been terminated.
    28. The MS still has a TCH assigned to it, so the BSS sends a Channel Release (CHAN_REL) message to the MS. This releases the radio resource on the Air Interface.
    29. The MS responds by sending a final Disconnect message and returns to idle.
  • 68. SCOPE FOR FUTURE STUDY
    New demands will be made in the future on mobile cellular systems as individuals and businesses change the way they work. Access to the internet will become more important and executives will want to access corporate databases from virtually anywhere. New services will be required in addition to speech and data; therefore network operators will offer video and other multimedia applications. Advanced mobile handsets will be required to handle large amounts of high-speed data in what is known as the 3rd Generation Mobile System. The European 3rd Generation system is known as UMTS (Universal Mobile Telecommunication System) and ETSI is promoting a smooth evolution from the present day GSM networks. The radio "Air Interface" will be based on W-CDMA (Wideband Code Division Multiple Access) using different frequency bands for the uplink and downlink. The ITU calls the 3rd Generation Mobile System IMT-2000 (International Mobile Telecommunication 2000). IMT-2000 refers not only to the approximate year when it is expected to be launched but also to the frequency band in the region of 2000 MHz. IMT-2000 will provide a seamless, global communication service through small, lightweight terminals. The 1992 World Administrative Radio Conference (WARC) allocated the radio frequencies between 1885 MHz and 2200 MHz to be reserved for IMT-2000 on a global basis. The GSM system will evolve towards UMTS by progressively introducing new techniques to provide higher bandwidth. These steps are as follows:
    - High Speed Circuit Switched Data (HSCSD)
    - General Packet Radio Service (GPRS)
    - Enhanced Data Rates for GSM Evolution (EDGE)
    - 3rd Generation Mobile System (3G)
  • 69. Conclusion
    In this Project, I have tried to give an overview of the GSM system. I believe, however, that I gave the general flavour of GSM and the philosophy behind its design. It is a standard that ensures interoperability without stifling competition and innovation among suppliers, to the benefit of the public both in terms of cost and service quality. Telecommunications are evolving towards personal communication networks, whose objective can be stated as the availability of all communication services anytime, anywhere, to anyone, by a single identity number and a pocketable communication terminal. Having a multitude of incompatible systems throughout the world moves us farther away from this ideal. The economies of scale created by a unified system are enough to justify its implementation terminal anywhere they go, regardless of national boundaries. The GSM system and its sibling systems operating at 1.8 GHz (called DCS 1800) and 1.9 GHz (called GSM 900 or PCS1900, and operating in North America), are a first approach at a true personal communication system. The SIM card is a novel approach that implements personal mobility in addition to terminal mobility. Together with international roaming and support for a variety of services such as telephony, data transfer, fax, short message services and supplementary services, GSM comes close to being used as a basis for the next generation of mobile communication technology in Europe, the Universal Mobile Telecommunication System (UMTS). Another point where GSM has shown its commitment to openness, standards and interoperability is the compatibility with the Integrated Services Digital Network (ISDN) that is evolving in most industrialized countries and Europe in particular (the so-called Euro-
  • 70. ISDN). GSM is also the first system to make extensive use of the intelligent networking concept, in which services like 800 numbers are concentrated and handled the country. This is the concept behind the use of the various registers such as the HLR. Number 7, an international standard already deployed in many countries and specified as the backbone signalling network for ISDN. GSM is a very complex standard, but that is probably the price that must be paid to achieve the level of integrated service and quality offered while subject to the rather severe restrictions imposed by the radio environment. I am highly to Mr. Arun Sharma for his support and guidance given to me for the successful completion of my project. This Project provides the knowledge about various technologies in the communication field.