Professional Documents
Culture Documents
GSM
Cellular Concept
Base stations (BS): implement space division multiplex
Each BS covers a certain transmission area (cell) Each BS is allocated a portion of the total number of channels available Cluster: group of nearby BSs that together use all available channels
Mobile stations communicate only via the base station, using FDMA, TDMA, CDMA
Assigns and releases frequencies and time slots for all the MSs in its area Reallocation of frequencies among cells Hand over protocol is executed here
Time and frequency synchronization signals to BTSs Time Delay Measurement and notification of an MS to BTS Power Management of BTS and MS
Mobility of subscribers
Location registration of subscriber
Usually one per PLMN Request routing information from the HLR and routes the connection to the local MSC
HLR/VLR
HLR - Home Location Register
For all users registered with the network, HLR keeps user profile MSCs exchange information with HLR When MS registers with a new GMSC, the HLR sends the user profile to the new MSC
AuC/EIR/OSS
AuC: Authentication Center
is accessed by HLR to authenticate a user for service Contains authentication and encryption keys for subscribers
GSM identifiers
International mobile subscriber identity (IMSI):
unique 15 digits assigned by service provider = home country code + home GSM network code + mobile subscriber ID + national mobile subscriber ID
LAI
Location Area Identifier of an LA of a PLMN Based on international ISDN numering plan
Country Code (CC): 3 decimal digits Mobile Network Code (MNC): 2 decimal digits Location Area Code (LAC) : maximum 5 decimal digits, or maximum twice 8 bits, coded in hexadecimal
TDMA
Modulation used
Gaussian Minimum Shift Keying (GMSK)
No. of carriers = 25 MHz / 200 kHz = 125 Max no. of user channels = 125 * 8 = 1000
Considering guard bands = 124 * 8 = 992 channels
Power On
Select the channel with highest RF level among the control channels
Scan the channel for the FCCH Select the channel with next highest Rf level from the control list. NO Is FCCH detected? YES Scan channel for SCH NO
Is SCH detected?
YES
Read data from BCCH and determine is it BCCH? From the channel data update the control channel list NO Is the current BCCH channel included? Camp on BCCH and start decoding
YES
BCCH
Broadcast Control Channel (BCCH)
BTS to MS
send cell identities, organization info about common control channels, cell service available, etc
Synchronizing information
Registration Identifiers
Synchronization Channel
send TDMA frame number and base station identity code to synchronize MSs
BS color 3 bits T1 Superframe index 11 bits T2 multiframe FN 19bits index 11 bits T3 block frame index 3bits
GSM: DCCH
DCCH (dedicated control channel):
bidirectional point-to-point -- main signaling channels SDCCH (stand-alone dedicated control channel): for service request, subscriber authentication, equipment validation, assignment to a traffic channel SACCH (slow associated control channel): for out-of-band signaling associated with a traffic channel, eg, signal strength measurements FACCH (fast associated control channel): for preemptive signaling on a traffic channel, eg, for handoff messages
Bursts
Building unit of physical channel Types of bursts
Normal: for transmitting messages in traffic and control channels Frequency Correction: sent by base station for frequency correction at mobile station Synchronization: sent by base station for synchronization Access: for call setup Dummy: to fill an empty timeslot in the absence of data
Normal Burst
Normal Burst
2*(3 head bit + 57 data bits + 1 signaling bit) + 26 training sequence bit + 8.25 guard bit
Used for all except RACH, FSCH & SCH
Traffic Channel
Transfer either encoded speech or user data Bidirectional Full Rate TCH
Rate 22.4kbps
Channel Encoding
Codes 260 bits into (8 x 57 bit blocks) 456 bits
Interleaving
2 blocks of different set interleaved on a normal burst (save damages by error bursts)
Analog speech
Low-pass filter
104 kbps 13 kbps RPE-LTP Channel A/D speech encoder encoder 8000 samples/s, 13 bits/sample
LPC: linear prediction coding filter LTP: long term prediction filter RPE: regular pulse excitation signal
Class 1a: CRC (3-bit error detection) and convolutional coding (error correction) Class 1b: convolutional coding Class 2: no error protection *tail bits to periodically reset convolutional coder
1 TB
2 Data
5 Data
7 H TB
8 G
H Training
Speech
20 ms
Speech Coder 260
Interleaving
26
57
8.25
T T
9T 10 11 12 13 14 15 16 17 T T T T S T T T T
26 I
T = Traffic S = Signal( contains information about the signal strength in neighboring cells)
Slots 1
26 S
Optimal radio operation; Commands for synchronization Transmitter power control; Channel measurement
Physical Channel
Time Slot Number; TDMA frame; RF Channel Sequence
Mapping in frequency
124 channels, 200KHz spacing
Mapping in time
TDMA Frame, Multi Frame, Super Frame, Channel
1 Hyper frame = 2048 Super frames =2715648 TDMA frames 3h 28 min 53 sec 760 ms) (
3
1 Super frame = 1326 TDMA frames (6.12s) = 51(26 frames) Multi frame
2045
2046 2047
0 12 3
50
24
25
1 (5 1 fra m e s ) M u lti f ra m e = 5 1 T D M A fr a m e s (3 0 6 0 /1 3 m s )
I 0 1 2 3 49 50
T0
T1
T2
T12 (SACCH)
T23
e 1 T D M A f2 r 0 a / m 2 6 o r 4 . 6 1 5 m s ) ts (1 = 8 tim e s lo
0 1 2 3 4 5 6 7
GSM
Sub-Systems
Radio Sub System (RSS)
RSS = MS + BSS BSS = BTS+ BSC
Network activity:
MSC determines current location of target mobile using HLR, VLR and by communicating with other MSCs Source MSC initiates a call setup message to MSC covering target area
Network activity:
Network completes the two halves of the connection
GSM Initiation
Lock on strong freq. and find FCCH Find SCH channel for sync. and training Gets cell and system parameters Request stand alone dedicated channel SDCCH established
RF + FCCH SCH sync + training BCCH system parameters RACH channel request AGCH channel assignment
GSM Initiation
SDCCH location update SDCCH challenge SDCCH challenge response SDCCH ciphered mode Ack ciphered mode Location update confirm Ack
Alerting Connect
Connect ack
GSM Calling to MS
MSC Request dedicated control channel
Answer page Computes response Begin ciphering PCH page request RACH channel request AGCH assignment SDCCH paging response SDCCH challenge SDCCH challenge response SDCCH ciphering mode Request ciphering on channel Allocates control channel Incoming call from PSTN
Request authentication
GSM Calling to MS
MSC
TMSI reallocation TMSI reallocation complete SDCCH setup Accept call Tune to freq. Start connection SDCCH setup ack SDCCH assignment Assignment complete FACCH alerting/connect Alert called party Assign traffic channel Notify call Assign new TMSI
Accept temporary ID
MS
GMSC/I WF
2. MSISDN
BTS MS 8. TMSI
6. TMSI
GSM: Identification
Identification of Mobile Subscriber
International Mobile Subscriber Identity (IMSI) Temporary IMSI (TMSI) Mobile Subscriber ISDN number (MSISDN)
IMSI
International Mobile Subscriber Identity Stored in SIM, not more than 15 digits
3 digits for Mobile Country Code (MCC) 3 digits for Mobile Network Code (MNC) It uniquely identifies the home GSM PLMN of the mobile subscriber. Not more than 10 digits for National Mobile Station Identity (MSIN) The first 3 digits identify the logical HLR-ID of the mobile subscriber
MSISDN
real telephone number of a MS It is stored centrally in the HLR MS can have several MSISDNs depending on SIM It follows international ISDN numering plan
Country Code (CC): upto 3 decimal places National Destination Code (NDC): 2-3 decimal places Subscriber Number (SN) : maximal 10 decimal places
MSISDN = CC + NDC + SN
Is registered by the Network operator and stored in Equipment Identity Register (EIR)
MSRN
Mobile Station Roaming Number Temporary location-dependent on ISDN number Calls are routed to MS by using MSRN Is assigned by locally responsible VLR to each MS in its area
Is done either at each registration or when HLR requests it for setting up a connection for incoming call Is done in such a way that current MSC can be determined from it
GSM roaming
VLR registers users roaming in its area
Recognizes mobile station is from another PLMN If roaming is allowed, VLR finds the mobiles HLR in its home PLMN VLR constructs a global title from IMSI to allow signaling from VLR to mobiles HLR via public telephone network VLR generates a mobile subscriber roaming number (MSRN) used to route incoming calls to mobile station MSRN is sent to mobiles HLR
GSM roaming
VLR contains
MSRN TMSI Location area where mobile station has registered Info for supplementary services (if any) IMSI HLR or global title Local identity for mobile station (if any)
GSM handoffs
Intra-BSS: if old and new BTSs are attached to same base station
MSC is not involved
Intra-MSC: if old and new BTSs are attached to different base stations but within same MSC
Inter-MSC: if MSCs are changed
GSM Security
Objectives: security system is under control of service provider - sharing of secrets between different cellular systems is unnecessary Based on tokens (security triplets) When roaming, visited system sends to home system for sets of security triplets
Challenge (a pseudorandom number) Challenge response generated by authentication algorithm Temporary encryption key for voice privacy
GSM Security
Fetched triplets are stored in VLR
Every call uses up one triplet (discarded) Another set must be fetched when exhausted
Visited system IMSI/TMSI + LAI Registration request IMSI/TMSI identifies user, LAI points to old VLR, requests data to authenticate user
GSM Security
Visited system
Requests triplets from home system, chooses a triplet Compares to stored response in triplet, registration successful if matches Assigns new TMSI
GSM Security
Location update HLR Acknowledge
Visited system
Registration cancel
Old VLR
GSM Security
3 security problems: unauthorized access, privacy from eavesdropping, protection of subscriber identity/location Unauthorized (fraudulent) access
GSM handsets must be presented with a subscriber identity module (SIM) SIM must be validated with personal identification number (PIN) SIM also stores subscriber authentication key, authentication algorithm, cipher key generation algorithm, encryption algorithm
GSM Security
During registration (when roaming), mobile station receives challenge and uses authentication key and authentication algorithm to generate challenge response to verify users identity
GSM Security
Anonymity of users
Supported by temporary mobile subscriber ID (TMSI) When registered, mobile station sends globally-unique international mobile subscriber ID (IMSI) to network Network assigns TMSI for use during call - IMSI is not sent over radio link Only network and mobile station know true identity New TMSI is assigned when roam into new area
GSM Summary
Uplink frequencies Downlink frequencies Total GSM bandwidth 890-915 MHz 935-960 MHz 25 MHz up + 25 MHz down
Channel bandwidth
Number of RF carriers Multiple access Users/carrier Number of simul. users Speech coding rate FEC coded speech rate
200 kHz
124 TDMA 8 992 13 kb/s 22.8 kb/s
4 sec