
Mobile Communication

GSM

Cellular Concept
Base stations (BS): implement space division multiplex
Each BS covers a certain transmission area (cell)
Each BS is allocated a portion of the total number of channels available
Cluster: group of nearby BSs that together use all available channels

Mobile stations communicate only via the base station, using FDMA, TDMA, CDMA

GSM: System Architecture

Mobile Station (MS)


MS consists of following two components

Mobile Equipment (ME)
Mobile Subscriber Identity Module (SIM)


Removable plastic card
Stores Network Specific Data such as list of carrier frequencies and current LAI.
Stores International Mobile Subscriber Identity (IMSI) + ISDN
Stores Personal Identification Number (PIN) & Authentication Keys.
Also stores short messages, charging information, telephone book etc.

Allows separation of user mobility from equipment mobility

Base Transceiver Station (BTS)


One per cell
Consists of high speed transmitter and receiver
Function of BTS
Provides two channels
Signalling and Data Channel

Performs error protection coding for the radio channel

Base Station Controller (BSC)


Controls multiple BTS
Functions of BSC
Performs radio resource management

Assigns and releases frequencies and time slots for all the MSs in its area
Reallocation of frequencies among cells
Hand over protocol is executed here

Time and frequency synchronization signals to BTSs
Time Delay Measurement and notification of an MS to BTS
Power Management of BTS and MS

Mobile Switching Center (MSC)


Switching node of a PLMN
Allocation of radio resource (RR)
Handover

Mobility of subscribers
Location registration of subscriber

There can be several MSCs in a PLMN

Gateway MSC (GMSC)


Connects mobile network to a fixed network
Entry point to a PLMN

Usually one per PLMN
Requests routing information from the HLR and routes the connection to the local MSC

HLR/VLR
HLR - Home Location Register
For all users registered with the network, HLR keeps user profile
MSCs exchange information with HLR
When MS registers with a new GMSC, the HLR sends the user profile to the new MSC

VLR - Visitor Location Register


VLR is responsible for a group of location areas, typically associated with an MSC

AuC/EIR/OSS
AuC: Authentication Center
Is accessed by HLR to authenticate a user for service
Contains authentication and encryption keys for subscribers

EIR: Equipment Identity Register


allows stolen or fraudulent mobile stations to be identified

Operation subsystem (OSS):


Operations and maintenance center (OMC), network management center (NMC), and administration center (ADC) work together to monitor, control, maintain, and manage the network

GSM identifiers
International mobile subscriber identity (IMSI):
unique 15 digits assigned by service provider = home country code + home GSM network code + mobile subscriber ID + national mobile subscriber ID

International mobile station equipment identity (IMEI):


unique 15 digits assigned by equipment manufacturer = type approval code + final assembly code + serial number + spare digit

Temporary mobile subscriber identity (TMSI):


32-bit number assigned by VLR to uniquely identify a mobile station within a VLR's area

LAI
Location Area Identifier of an LA of a PLMN
Based on international ISDN numbering plan
Country Code (CC): 3 decimal digits
Mobile Network Code (MNC): 2 decimal digits
Location Area Code (LAC): maximum 5 decimal digits, or maximum twice 8 bits, coded in hexadecimal

Is broadcast regularly by the BTS on broadcast channel

Cell Identifier (CI)


Within LA, individual cells are uniquely identified with Cell Identifier (CI).
It is maximum 2*8 bits
LAI + CI = Global Cell Identity

Air Interface: MS to BTS


Uplink/Downlink of 25 MHz
890-915 MHz for Uplink
935-960 MHz for Downlink

Combination of frequency division and time division multiplexing


FDMA

124 channels of 200 kHz


Burst

TDMA

Modulation used
Gaussian Minimum Shift Keying (GMSK)

Number of channels in GSM


Freq. Carrier: 200 kHz
TDMA: 8 time slots per freq carrier

No. of carriers = 25 MHz / 200 kHz = 125
Max no. of user channels = 125 * 8 = 1000
Considering guard bands = 124 * 8 = 992 channels

Air Interface: Logical Channel


Traffic Channel (TCH)
Signalling Channel
Broadcast Channel (BCH)
Common Control Channel (CCH)
Dedicated/Associated Control Channel (DCCH/ACCH)

Power On

1. Scan channels, monitor RF levels
2. Select the channel with the highest RF level among the control channels
3. Scan the channel for the FCCH
4. Is FCCH detected? If NO, select the channel with the next highest RF level from the control list. If YES, scan channel for SCH
5. Is SCH detected? (YES/NO)
6. Read data from BCCH and determine: is it BCCH?
7. From the channel data, update the control channel list
8. Is the current BCCH channel included? (YES/NO)
9. Camp on BCCH and start decoding

BCCH
Broadcast Control Channel (BCCH)
BTS to MS
send cell identities, organization info about common control channels, cell service available, etc

Radio channel configuration


Current cell + Neighbouring cells
Frequencies + frame numbering
LA + Cell Identification (CI) + Base Station Identity Code (BSIC)

Synchronizing information

Registration Identifiers

FCCH & SCH


Frequency Correction Channel
send a frequency correction data burst containing all zeros to effect a constant frequency shift of RF carrier

Repeated broadcast of Frequency Bursts

Synchronization Channel
send TDMA frame number and base station identity code to synchronize MSs
Repeated broadcast of Synchronization Bursts

Message format of SCH
BSIC 6 bits: PLMN color 3 bits, BS color 3 bits
FN 19 bits: T1 superframe index 11 bits, T2 multiframe index 11 bits, T3 block frame index 3 bits

AGCH & PCH


Access Grant Channel (AGCH)
BTS to MS
Assign an SDCCH/TCH to MS

Paging Channel (PCH)


BTS to MS
Page MS

RACH & SDCCH


Random Access Channel (RACH)
MS to BTS
Slotted Aloha
Request for dedicated SDCCH

Standalone Dedicated Control Channel (SDCCH)


MS BTS
Standalone; Independent of Traffic Channel

GSM: DCCH
DCCH (dedicated control channel):
bidirectional point-to-point -- main signaling channels
SDCCH (stand-alone dedicated control channel): for service request, subscriber authentication, equipment validation, assignment to a traffic channel
SACCH (slow associated control channel): for out-of-band signaling associated with a traffic channel, e.g., signal strength measurements
FACCH (fast associated control channel): for preemptive signaling on a traffic channel, e.g., for handoff messages

Adaptive Frame Synchronization


Timing Advance
Advance in Tx time corresponding to propagation delay
6 bit number used; hence 63 steps
63 bit period = 233 microseconds (round trip time)
35 km

GSM: Frequency Hopping


Optionally, TDMA is combined with frequency hopping to address problem of channel fading
TDMA bursts are transmitted in a pre-calculated sequence of different frequencies (algorithm programmed in mobile station)
If a TDMA burst happens to be in a deep fade, then next burst most probably will not be so
Helps to make transmission quality more uniform among all subscribers

Bursts
Building unit of physical channel
Types of bursts
Normal: for transmitting messages in traffic and control channels
Frequency Correction: sent by base station for frequency correction at mobile station
Synchronization: sent by base station for synchronization
Access: for call setup
Dummy: to fill an empty timeslot in the absence of data

Normal Burst
2*(3 head bits + 57 data bits + 1 signaling bit) + 26 training sequence bits + 8.25 guard bits
Used for all except RACH, FCCH & SCH

Traffic Channel
Transfer either encoded speech or user data
Bidirectional

Full Rate TCH
Rate 22.4 kbps

Half Rate TCH
Rate 11.2 kbps

Full Rate Speech Coding


Speech Coding for 20ms segments
260 bits at the output ; Effective data rate 13kbps

Unequal error protection


182 bits are protected 78 bits unprotected

Channel Encoding
Codes 260 bits into (8 x 57 bit blocks) 456 bits

Interleaving
2 blocks of different set interleaved on a normal burst (save damages by error bursts)

GSM Speech Coding

Analog speech -> Low-pass filter -> A/D (8000 samples/s, 13 bits/sample; 104 kbps) -> RPE-LTP speech encoder (13 kbps) -> Channel encoder

GSM Speech Coding


Regular pulse excited - long term prediction (RPE-LTP) speech encoder
Input: 160 samples/20 ms from A/D (= 2080 bits)
RPE-LTP speech encoder output:
36 LPC bits/20 ms
9 LTP bits/5 ms
47 RPE bits/5 ms
260 bits/20 ms to channel encoder

LPC: linear prediction coding filter
LTP: long term prediction filter
RPE: regular pulse excitation signal

GSM Speech Coding


Channel encoder
Input: 260 bits/20 ms = 13 kb/s
50 class 1a bits + 3-bit CRC: 53 bits
182 class 1b bits
4 tail bits*
(2,1,5) convolution coder output: 378 bits
78 class 2 bits
Output to bit interleaver: 456 bits/20 ms = 22.8 kb/s

Class 1a: CRC (3-bit error detection) and convolutional coding (error correction)
Class 1b: convolutional coding
Class 2: no error protection
*tail bits to periodically reset convolutional coder
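
The bit budget above can be checked with a small model. This is an added example, not part of the original slides: a simplified Python version of the full-rate channel coder that assumes the generator polynomials x^3 + x + 1 (CRC) and G0 = 1 + D^3 + D^4, G1 = 1 + D + D^3 + D^4 (convolutional code), and treats the 182 protected bits as 50 class 1a bits followed by 132 further class 1 bits. The bit reordering and parity inversion of the real coder are left out.

```python
# Simplified GSM full-rate channel coder (added example, not from the slides).
# Assumptions: no bit reordering, plain CRC remainder instead of inverted parity.

CRC_GEN = [1, 0, 1, 1]  # x^3 + x + 1, protects the 50 class 1a bits


def crc3(bits):
    """Return the 3 parity bits: remainder of bits(x) * x^3 modulo x^3 + x + 1."""
    reg = list(bits) + [0, 0, 0]
    for i in range(len(bits)):
        if reg[i]:
            for j, g in enumerate(CRC_GEN):
                reg[i + j] ^= g
    return reg[-3:]


def conv_encode(bits):
    """Rate 1/2, constraint length 5 convolutional code: two output bits per input bit."""
    state = [0, 0, 0, 0]  # the four previous input bits (D, D^2, D^3, D^4)
    out = []
    for b in bits:
        out.append(b ^ state[2] ^ state[3])             # G0 = 1 + D^3 + D^4
        out.append(b ^ state[0] ^ state[2] ^ state[3])  # G1 = 1 + D + D^3 + D^4
        state = [b] + state[:3]
    return out


def encode_frame(speech):
    """Map one 260-bit speech frame (20 ms) to 456 channel bits."""
    if len(speech) != 260:
        raise ValueError("a full-rate speech frame is 260 bits")
    class1a, class1b, class2 = speech[:50], speech[50:182], speech[182:]
    # 50 + 3 CRC + 132 + 4 tail bits = 189 bits into the coder, 378 bits out
    protected = class1a + crc3(class1a) + class1b + [0, 0, 0, 0]
    return conv_encode(protected) + class2  # 378 coded + 78 uncoded = 456


def hamming(a, b):
    """Number of positions in which two equal-length bit lists differ."""
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    frame = [(i * 7 + 3) % 2 for i in range(260)]  # constructed sample frame
    coded = encode_frame(frame)
    print(len(coded), "bits =", len(coded) // 57, "blocks of 57 bits")
```

Flipping one convolutionally coded input bit changes seven output bits, while flipping a class 2 bit changes exactly one, which is the unequal error protection the slide describes.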

GSM Speech Coding


Bit interleaving: to spread effects of Rayleigh fading across data blocks
[Figure: channel coder output in 456-bit blocks, each divided into eight 57-bit segments (1 to 8), combined into 114-bit segments carried in normal bursts]

[Figure: Speech (20 ms) -> Speech Coder (260 bits) -> Channel Encoding (456 bits) -> Interleaving -> Normal Burst; the two 57-bit data fields of a burst come out of the first 20 ms and out of the second 20 ms of speech]

Traffic Channel Structure for Full Rate Coding


[Figure: slots 1 to 8 of a carrier; the bursts for the user allocated in one slot form a sequence of 26 frames of traffic bursts (T) with one signal burst (S), and frame 26 marked I]

T = Traffic
S = Signal (contains information about the signal strength in neighboring cells)

Traffic Channel Structure for Half Rate Coding

[Figure: sequence of 26 frames in one slot; the traffic bursts (T) for one user occupy alternate frames, the bursts for another user are allocated in the other alternate frames, and frame 26 is marked S]

SACCH & FACCH


Slow Associated Control Channel (SACCH)
MS BTS
Always associated with either TCH or SDCCH
Information

Optimal radio operation; Commands for synchronization
Transmitter power control; Channel measurement

Should always be active; as proof of existence of physical radio connection

Fast Associated Control Channel (FACCH)


MS BTS
Handover
Pre-emptive multiplexing on a TCH, Stealing Flag (SF)

Example: Incoming Call Setup


Messages exchanged between MS and BSS/MSC, in order:
Paging request (PCH)
Channel request (RACH)
Immediate Assignment (AGCH)
Paging Response (SDCCH)
Authentication Request (SDCCH)
Authentication Response (SDCCH)
Cipher Mode Command (SDCCH)
Cipher Mode Compl. (SDCCH)
Setup (SDCCH)
Call Confirmation (SDCCH)
Assignment Command (SDCCH)
Assignment Compl. (FACCH)
Alert (FACCH)
Connect (FACCH)
Connect Acknowledge (FACCH)
Data (TCH)

GSM: Channel Summary


Logical channels
Traffic Channels; Control Channels

Physical Channel
Time Slot Number; TDMA frame; RF Channel Sequence

Mapping in frequency
124 channels, 200 kHz spacing

Mapping in time
TDMA Frame, Multi Frame, Super Frame, Channel

1 Hyper frame = 2048 Super frames = 2715648 TDMA frames (3 h 28 min 53 sec 760 ms)
1 Super frame = 1326 TDMA frames (6.12 s) = 51 (26 frames) Multi frames = 26 (51 frames) Multi frames
1 (26 frames) Multi frame = 26 TDMA frames (120 ms), frames labelled T0, T1, T2, ..., T12 (SACCH), ..., T23, I
1 (51 frames) Multi frame = 51 TDMA frames (3060/13 ms), frames numbered 0 to 50
1 TDMA frame = 8 time slots (120/26 or 4.615 ms), slots numbered 0 to 7
1 time slot = 156.25 bit durations (15/26 or 0.577 ms)
(1 bit duration = 48/13 or 3.69 µs)

GSM: System Architecture

GSM
Sub-Systems
Radio Sub System (RSS)
RSS = MS + BSS
BSS = BTS + BSC

Network Sub System (NSS)


NSS = MSC+ HLR + VLR + GMSC

Operation Sub System


OSS = EIR + AuC

Outgoing call setup


User keys in the number and presses send
Mobile transmits request on uplink signaling channel
If network can process the call, BS sends a channel allocation message
Network proceeds to setup the connection

Network activity:
MSC determines current location of target mobile using HLR, VLR and by communicating with other MSCs
Source MSC initiates a call setup message to MSC covering target area

Incoming call setup


Target MSC initiates a paging message
BSs forward the paging message on downlink channel in coverage area
If mobile is on (monitoring the signaling channel), it responds to BS
BS sends a channel allocation message and informs MSC

Network activity:
Network completes the two halves of the connection

GSM Initiation

RF + FCCH: lock on strong freq. and find FCCH
SCH sync + training: find SCH channel for sync. and training
BCCH system parameters: gets cell and system parameters
RACH channel request: request stand-alone dedicated channel
AGCH channel assignment: SDCCH established

GSM Initiation

Steps:
Make location update request
Computes challenge response to verify identity
Initiate encryption of data for transmission
Complete location update process

Message sequence:
SDCCH location update
SDCCH challenge
SDCCH challenge response
SDCCH ciphered mode
Ack ciphered mode
Location update confirm
Ack

GSM Calling from MS


MS: Dial called party; Tune to radio freq.; Call can proceed

Message sequence: Setup Request; Call Proceeding; Radio channel; Ack Complete; Alerting; Connect; Connect ack

MSC: Fetches subscriber info from VLR to process call, acks caller; Allocates trunk + radio channel; Call connected through PSTN; Alerts caller; Called party picks up

GSM Calling to MS
MS: Request dedicated control channel; Answer page; Computes response; Begin ciphering

Message sequence: PCH page request; RACH channel request; AGCH assignment; SDCCH paging response; SDCCH challenge; SDCCH challenge response; SDCCH ciphering mode; Ciphering mode complete

MSC: Incoming call from PSTN; Allocates control channel; Request authentication; Request ciphering on channel

GSM Calling to MS
MS: Accept temporary ID; Accept call; Tune to freq.; Start connection

Message sequence: TMSI reallocation; TMSI reallocation complete; SDCCH setup; SDCCH setup ack; SDCCH assignment; Assignment complete; FACCH alerting/connect; FACCH connect ack

MSC: Assign new TMSI; Notify call; Assign traffic channel; Alert called party

GSM network layer


Network layer consists of 3 sublayers

Radio resource management (RR) sublayer
Establishment, maintenance, and termination of radio channel connections

Mobility management (MM) sublayer


Registration, authentication, and location tracking

Call control (CC) sublayer


Establishment, maintenance, and termination of circuit-switched calls

GSM call routing


[Figure: call routing between ISDN, GMSC/IWF, HLR, VLR, EIR, AUC, MSC, BSC, BTS and MS across location areas LA1 and LA2. Numbered steps: 1. MSISDN, 2. MSISDN, 3. MSRN, 4. MSRN, 5. MSRN, 6. TMSI, 7. TMSI, 8. TMSI]

GSM: Identification
Identification of Mobile Subscriber
International Mobile Subscriber Identity (IMSI)
Temporary IMSI (TMSI)
Mobile Subscriber ISDN number (MSISDN)

Identification of Mobile Equipment


International Mobile Station Equipment Identification (IMEI)
Mobile Station Roaming Number (MSRN)

IMSI
International Mobile Subscriber Identity
Stored in SIM, not more than 15 digits
3 digits for Mobile Country Code (MCC)
3 digits for Mobile Network Code (MNC). It uniquely identifies the home GSM PLMN of the mobile subscriber.
Not more than 10 digits for National Mobile Station Identity (MSIN). The first 3 digits identify the logical HLR-ID of the mobile subscriber

MNC+MSIN makes National Mobile Station Identity (NMSI)

TMSI and LMSI


Temporary Mobile Subscriber Identity
Has only local and temporal significance
Is assigned by VLR and stored there only
Is used in place of IMSI for security reasons

Local Mobile Subscriber Identity


Is an additional searching key given by VLR
It is also sent to HLR

Both are assigned in an operator specific way

MSISDN
Real telephone number of an MS
It is stored centrally in the HLR
MS can have several MSISDNs depending on SIM
It follows international ISDN numbering plan
Country Code (CC): up to 3 decimal places
National Destination Code (NDC): 2-3 decimal places
Subscriber Number (SN): maximal 10 decimal places
MSISDN = CC + NDC + SN

IMEI & EIR

International Mobile Station Equipment Identity


Uniquely identifies mobile equipment internationally

IMEI = TAC + FAC + SNR + SP


Type Approval Code: 6 decimal places, centrally assigned
Final Assembly Code: 6 decimal places, assigned by manufacturer
Serial Number: 6 decimal places, assigned by manufacturer
Spare: 1 decimal place

Is registered by the Network operator and stored in Equipment Identity Register (EIR)

MSRN
Mobile Station Roaming Number
Temporary location-dependent on ISDN number
Calls are routed to MS by using MSRN
Is assigned by locally responsible VLR to each MS in its area
Is done either at each registration or when HLR requests it for setting up a connection for incoming call
Is done in such a way that current MSC can be determined from it

Structure same as that of MSISDN

GSM roaming
VLR registers users roaming in its area
Recognizes mobile station is from another PLMN
If roaming is allowed, VLR finds the mobile's HLR in its home PLMN
VLR constructs a global title from IMSI to allow signaling from VLR to mobile's HLR via public telephone network
VLR generates a mobile subscriber roaming number (MSRN) used to route incoming calls to mobile station
MSRN is sent to mobile's HLR

GSM roaming
VLR contains
MSRN
TMSI
Location area where mobile station has registered
Info for supplementary services (if any)
IMSI
HLR or global title
Local identity for mobile station (if any)

GSM handoffs
Intra-BSS: if old and new BTSs are attached to same base station
MSC is not involved

Intra-MSC: if old and new BTSs are attached to different base stations but within same MSC
Inter-MSC: if MSCs are changed

GSM Intra-MSC handoff


1. Mobile station monitors signal quality and determines handoff is required, sends signal measurements to serving BSS
2. Serving BSS sends handoff request to MSC with ranked list of qualified target BSSs
3. MSC determines that best candidate BSS is under its control
4. MSC reserves a trunk to target BSS
5. Target BSS selects and reserves radio channels for new connection, sends Ack to MSC
6. MSC notifies serving BSS to begin handoff, including new radio channel assignment

GSM Intra-MSC handoff


7. Serving BSS forwards new radio channel assignment to mobile station
8. Mobile station retunes to new radio channel, notifies target BSS on new channel
9. Target BSS notifies MSC that handoff is detected
10. Target BSS and mobile station exchange messages to synchronize transmission in proper timeslot
11. MSC switches voice connection to target BSS, which responds when handoff is complete
12. MSC notifies serving BSS to release old radio traffic channel

GSM Inter-MSC handoff


1. MS sends signal measurements to serving BSS
2. Serving BSS sends handoff request to MSC
3. Serving MSC determines that best candidate BSS is under control of a target MSC and calls target MSC
4. Target MSC notifies its VLR to assign a TMSI
5. Target VLR returns TMSI
6. Target MSC reserves a trunk to target BSS
7. Target BSS selects and reserves radio channels for new connection, sends Ack to target MSC
8. Target MSC notifies serving MSC that it is ready for handoff

GSM Inter-MSC handoff


9. Serving MSC notifies serving BSS to begin handoff, including new radio channel assignment
10. Serving BSS forwards new radio channel assignment to mobile station
11. Mobile station retunes to new radio channel, notifies target BSS on new channel
12. Target BSS notifies target MSC that handoff is detected
13. Target BSS and mobile station synchronize timeslot
14. Voice connection is switched to target BSS, which responds when handoff is complete
15. Target MSC notifies serving MSC
16. Old network resources are released

GSM Security
Objectives: security system is under control of service provider - sharing of secrets between different cellular systems is unnecessary
Based on tokens (security triplets)
When roaming, visited system sends to home system for sets of security triplets:
Challenge (a pseudorandom number)
Challenge response generated by authentication algorithm
Temporary encryption key for voice privacy

GSM Security
Fetched triplets are stored in VLR
Every call uses up one triplet (discarded)
Another set must be fetched when exhausted

Registration request to visited system: IMSI/TMSI + LAI
Visited system: IMSI/TMSI identifies user, LAI points to old VLR, requests data to authenticate user
Old VLR: subscriber data

GSM Security
Visited system
Requests triplets from home system, chooses a triplet
Compares to stored response in triplet, registration successful if matches
Assigns new TMSI

Mobile station
Calculates response by authentication algorithm

Message sequence: Challenge; Challenge response; New TMSI; Acknowledge

GSM Security
Visited system and HLR: Location update; Acknowledge
Old VLR: Registration cancel

GSM Security
3 security problems: unauthorized access, privacy from eavesdropping, protection of subscriber identity/location

Unauthorized (fraudulent) access
GSM handsets must be presented with a subscriber identity module (SIM)
SIM must be validated with personal identification number (PIN)
SIM also stores subscriber authentication key, authentication algorithm, cipher key generation algorithm, encryption algorithm

GSM Security
During registration (when roaming), mobile station receives challenge and uses authentication key and authentication algorithm to generate challenge response to verify user's identity

Privacy from eavesdropping


Temporary encryption key is used for privacy of data, signaling, and voice
Info is encrypted before transmission

GSM Security
Anonymity of users
Supported by temporary mobile subscriber ID (TMSI)
When registered, mobile station sends globally-unique international mobile subscriber ID (IMSI) to network
Network assigns TMSI for use during call - IMSI is not sent over radio link
Only network and mobile station know true identity
New TMSI is assigned when roaming into a new area
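
The triplet mechanism from the GSM Security slides, as an added example that is not part of the original deck: a Python model of the home system (AuC), the visited VLR and the SIM. HMAC-SHA256 stands in for the operator-specific authentication and key generation algorithms, and the class names, the IMSI value and the sizes used (128-bit challenge, 32-bit response, 64-bit cipher key) are assumptions of this sketch.

```python
# Added example: GSM challenge-response with security triplets (not from the slides).
import hashlib
import hmac
import secrets


def auth_algorithms(ki, rand):
    """Stand-in for the SIM/AuC algorithms (HMAC-SHA256 is an assumption here).
    Returns (challenge response, temporary encryption key)."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class SIM:
    """Holds the subscriber authentication key; it never leaves the card."""
    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def respond(self, rand):
        sres, self.kc = auth_algorithms(self._ki, rand)  # key is kept on the MS side
        return sres


class AuC:
    """Home system: the only network element that knows the authentication keys."""
    def __init__(self):
        self._ki = {}

    def provision(self, imsi):
        self._ki[imsi] = secrets.token_bytes(16)
        return SIM(imsi, self._ki[imsi])

    def triplets(self, imsi, count=3):
        out = []
        for _ in range(count):
            rand = secrets.token_bytes(16)  # challenge (pseudorandom number)
            out.append((rand, *auth_algorithms(self._ki[imsi], rand)))
        return out


class VLR:
    """Visited system: stores fetched triplets, uses each one once."""
    def __init__(self, auc):
        self.auc, self.stored, self.tmsi, self.fetches = auc, {}, {}, 0

    def register(self, sim):
        queue = self.stored.setdefault(sim.imsi, [])
        if not queue:  # exhausted: fetch another set from the home system
            queue.extend(self.auc.triplets(sim.imsi))
            self.fetches += 1
        rand, expected, kc = queue.pop(0)  # triplet is discarded after use
        if not hmac.compare_digest(sim.respond(rand), expected):
            return None  # response does not match the stored one
        tmsi = secrets.randbits(32)  # temporary identity used instead of the IMSI
        self.tmsi[tmsi] = sim.imsi
        return tmsi, kc


if __name__ == "__main__":
    auc = AuC()
    vlr = VLR(auc)
    sim = auc.provision("001010123456789")  # constructed test IMSI
    print("genuine SIM:", vlr.register(sim) is not None)
    print("wrong key:  ", vlr.register(SIM(sim.imsi, bytes(16))) is not None)
```

The visited system authenticates the subscriber and obtains the encryption key without ever seeing the authentication key, which is why secrets need not be shared between cellular systems.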

GSM Summary
Uplink frequencies: 890-915 MHz
Downlink frequencies: 935-960 MHz
Total GSM bandwidth: 25 MHz up + 25 MHz down
Channel bandwidth: 200 kHz
Number of RF carriers: 124
Multiple access: TDMA
Users/carrier: 8
Number of simul. users: 992
Speech coding rate: 13 kb/s
FEC coded speech rate: 22.8 kb/s

GSM service quality requirements


Speech intelligibility: 90%
Max one-way delay: 90 ms
Max handoff gap: 150 ms if intercell
Time to alert mobile of inbound call: 4 sec first attempt, 15 sec final attempt
Release time to called network: 2 sec
Connect time to called network: 4 sec

GSM 900 and GSM 1800


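Frequency band: GSM 900: 890-915 MHz, 935-960 MHz; GSM 1800: 1710-1785 MHz, 1805-1880 MHz
Border spacing: GSM 900: 25 MHz; GSM 1800: 75 MHz
Duplex spacing: GSM 900: 45 MHz; GSM 1800: 95 MHz
Carrier spacing: GSM 900: 200 kHz; GSM 1800: 200 kHz
Carriers: GSM 900: 124; GSM 1800: 374
Timeslots per carrier: GSM 900: 8; GSM 1800: 8
Multiple access: GSM 900: TDMA/FDMA; GSM 1800: TDMA/FDMA
Typical cell range: GSM 900: <300 m, 35 km; GSM 1800: <100 m, 15 km
Handset Power: GSM 900: 0.8 & 8 W; GSM 1800: 0.25 & 1 W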
