Global System for Mobile

(GSM)

David Tipper
Associate Professor
Graduate Program of Telecommunications and
Networking
University of Pittsburgh

Telcom 2700 Slides 8

Based largely on material from Jochen Schiller, Mobile Communications
2nd edition

Telcom 2700 1

Second Generation Cellular Systems

Motivation for 2G Digital Cellular:

Increase System Capacity
Add additional services/features (SMS, caller ID, etc..)
Reduce Cost
Improve Security
Interoperability among components/systems (GSM only)
2G Systems
Pacific Digital Cellular orphan technology
North American TDMA (NA-TDMA) orphan technology
Global System for Mobile (GSM)

IS-95 (cellular CDMA)

Telcom 2700 2
 GSM: History
1982 CEPT establishes Groupe Speciale Mobile
Motivation develop Pan-European mobile network
Support European roaming and interoperability in landline
Increase system capacity
Provide advanced features
Emphasis on STANDARDIZATION, supplier independence
Low cost infrastructure and terminals
1989 European Telecommunications Standardization
Institute (ETSI) takes over standardization
changes name: Global System for Mobile communication
1990 First Official Commercial launch in Europe
1995 GSM Specifications ported to 1900 MHz band
GSM is the most popular 2G technology
Telcom 2700 4

GSM Market

Telcom 2700 5
 GSM Overview
• FDD/ FDMA/TDMA – channel structure - 200 KHz
channels – each carriers 8 voice channels
• Higher Quality than Analog Systems
• Digital Voice 13.3Kbps
• Slow frequency hopping, adaptive equalizer, error
control coding, DTX
• Low power handsets – support sleep mode
• Security with encryption
• Wide roaming capability
• Subscriber Identity Modules (SIM cards)
• Digital data service
• fax, circuit switched data
• SMS short messaging service
• Additional features : call waiting, voice mail, group calling,
caller id etc.
Telcom 2700 6

Architecture of the GSM system

GSM is a PLMN (Public Land Mobile Network)
Several providers can setup mobile networks following the GSM
standard within each country
Major components
MS (mobile station)
BTS (base transceiver station) or BS or cell site
BSC (base station controller)
MSC (mobile switching center)
LR (location registers): VLR, HLR
AUC(Authentication database), EIR (Equipment Identity Register)
Subsystems
RSS (radio subsystem): covers all radio aspects
NSS (network and switching subsystem): call forwarding, handoff,
switching, location tracking, etc.
OSS (operation support subsystem): management of the network
Standardized interfaces
Allows provider to mix and match vendor equipment

Telcom 2700 7
 GSM System Architecture

BTS

BTS BSC
HLR VLR AUC
MS BTS

PSTN
BTS

BTS BSC MSC ISDN

BTS
Data
OMC Networks
Operation Support
MS Subsystem

Radio Station Subsystem Network Switching Subsystem Public Networks

Telcom 2700 8

Functional Architecture
Radio Subsystem (RSS) Network and Operation
Base Station Subsystem Switching Subsystem
(BSS) Subsystem (NSS) (OSS)

MS VLR
BSC
AuC
BTS
HLR
O
MS
OMC

BTS
BSC
EIR
MSC
MS
Interface to
Um BTS Abis A other networks
Radio Interface PSTN etc.
Telcom 2700 9
 GSM System Architecture
UM A-Bis A Interface B Interface
Interface Interface

B, C, D, E, F
OMC - Radio Mobile Application
BTS Protocol Interfaces
Mobile
BTS Base Switching
Station Center VLR
BTS Controller (MSC)
(BSC) D Interface
BTS C
BTS
Interface HLR

BTS Base E AUC

Station Interface F
EIR
BTS Controller Interface
(BSC)
Mobile VLR
Switching
Center
Traffic and Signaling (MSC)
Signaling only PSTN

VLR = Visitor Location Register BTS = Base Transceiver Station

HLR = Home Location Register ADC = Admission Data Center
EIR = Equipment Identity Register OMC = Operation Maintenance Center
AUC = Authentication Center
Telcom 2700 10

Mobile station
Terminal for the use of GSM services
A mobile station (MS) comprises several functional groups
MT (Mobile Terminal):
offers common functions used by all services the MS offers
end-point of the radio interface (Um)
TA (Terminal Adapter):
terminal adaptation, hides radio specific characteristics
TE (Terminal Equipment):
peripheral device of the MS, offers services to a user
does not contain GSM specific functions
SIM (Subscriber Identity Module):
personalization of the mobile terminal, stores user parameters (subscriber
number, authentication key, PIN, etc.)

TE TA MT
Um
R S

Telcom 2700 11
 Radio Station Subsystem (RSS)
radio statiion network and switching
subsystem subsystem

MS MS
Components
MS (Mobile Station)
BSS (Base Station Subsystem):
Um consisting of
BTS Abis BTS (Base Transceiver Station):
BSC MSC antenna + digital radio equipment
BTS BSC (Base Station Controller):
controlling several transceivers, map
radio channels (Um) onto terrestrial
channels A

Interfaces
A Um : radio interface
BTS
BSC MSC
Abis : standardized, open interface with
BTS
16 kbit/s user channels
BSS
A: standardized, open interface with
64 kbit/s user channels as in wired
telephone network

Telcom 2700 12

Base Transceiver Station and Base Station

Controller
Tasks of a RSS are distributed over BSC and BTS
BTS comprises radio specific functions
BSC is the switching center for radio channels
Functions BTS BSC
Management of radio channels X
Frequency hopping (FH) X X
Management of terrestrial channels X
Mapping of terrestrial onto radio channels X
Channel coding and decoding X
Rate adaptation X X
Encryption and decryption X X
Paging X X
Uplink signal measurements X
Traffic measurement X
Handover management X

Telcom 2700 13
 GSM Air Interface Um

Uses Physical FDMA/TDMA/FDD physical

In 900 MHz band: 890-915 MHz Uplink band, 935-960 MHz
Downlink
Radio carrier is a 200kHz channel => 125 pairs of radio channels
Called Absolute Radio Frequency Channel Number (ARFCN)
ARFCN numbers given by f(n) = 890 +.2n MHz for Uplink band n = 0,
…124
Corresponding downlink is f(n) + 45 MHz
Channels and ARFCN slightly different in other frequency bands
A TDMA frame is defined on the radio carrier (8 users per carrier)
Channel rate is 270.833 kbps
(RELPC) digital speech 13.3kbps
Two types of logical channels map onto physical channels
Control Channels (call setup, power adjustment, etc..)
Traffic Channels (voice or data) = 22.8kbps = 1 slot in a TDMA frame

Telcom 2700 14

GSM - TDMA/FDMA
935-960 MHz
124 channels (200 kHz)
downlink
cy
en
qu

890-915 MHz
fre

124 channels (200 kHz)

uplink
higher GSM frame structures
time

GSM TDMA frame

1 2 3 4 5 6 7 8
4.615 ms

GSM time-slot (normal burst)

guard guard
space tail user data S Training S user data tail space
3 bits 57 bits 1 26 bits 1 57 bits 3
546.5 µs
577 µs

Telcom 2700 15
 GSM: FDD Channels

BS to MS Downlink
0 1 2 3 4 5 6 7 0 1 2

1.73 ms 45 MHz
MS to BS Uplink

200 KHz 5 6 7 0 1 2 3 4 5 6 7

Frame= 4.62 ms

Uplink and Downlink channels have a 3 slot offset – so that

MS doesn’t have to transmit and receive simultaneously
MS can also take measurements during this offset time and delay
between next frame
Telcom 2700 16

GSM Normal Burst

Training sequence is
4.615 ms utilized for seting
adaptive equalizer
parameters
0 1 2 3 4 5 6 7
Guard Period = 30.5
microsecs
Needed to allow for
clock misalignment
T Data S Train S Data T Guard and propagation time
3 57 1 26 1 57 3 8.25 of mobiles as
different distances
from BTS
577 us
T: tail bits, S:flag, Train: equalizer training sequence

Telcom 2700 17
 GSM operation from speech Input to Output

Speech Speech

Digitizing and Source

source coding decoding

Channel Channel
coding decoding

Interleaving De-Interleaving

Burst Burst
Formatting Formatting

Ciphering De-ciphering
Radio
Channel
Modulation Demodulation

Telcom 2700 18

GSM Speech Coding

104 kbps 13 kbps

RPE-LTP Channel
Analog Low-pass
A/D speech
speech filter
encoder encoder

8000 samples/s,
13 bits/sample

Telcom 2700 19
 GSM Speech Coding (cont)

Regular pulse excited - long term prediction (RPE-LRP)

speech encoder (RELP speech coder)

160 samples/ RPE-LTP 36 LPC bits/20 ms 260 bits/20 ms

20 ms from A/D speech 9 LTP bits/5 ms to channel
(= 2080 bits) encoder encoder
47 RPE bits/5 ms

LPC: linear prediction coding filter

LTP: long term prediction – pitch + input
RPE: Residual Prediction Error:

Telcom 2700 20

Error protection for speech signals in GSM

Type Ia Type Ib Type II

50bits 132bits 78bits
Parity
check

50 3 132 4

Convolutional Code
Rate ½, constraint length 5

378 78
456 bits per 20ms speech frame

Telcom 2700 21
 Interleaving Format
speech 20 ms 20 ms
Speech Speech RPE-LTP encoding
coder coder
260 260
Channel Channel
encoding encoding

456 bit 456 bit

D D D D D D D D D D D D D D D D
1 2 3 4 5 6 7 8 1 2 3 4 5 6 7 8

Interleaving
1 2 3 4 5 6 7 8
Stream of
Timeslots Single frame
(only one time slot sent in a frame)

Out of first 20 msec Out of second 20 msec Guard

tail
data data tail
Normal burst 26 bit
3 57 bit 1 (training) 1 57 bit 3 8.25

Interleave distance = 8
Telcom 2700 22

Modulation
• Variation on Frequency Shift Keying (FSK)
• Avoids sudden phase shifts MSK (Minimum Shift Keying)

• Bit stream separated into even and odd bits, the duration of each
bit is doubled

Gaussian
FM
NRZ Data Low Pass GMSK Output at RF
Transmitter
Filter

Depending on the bit values (even, odd) the higher or lower

frequency, original or inverted is chosen
The frequency of one carrier is twice the frequency of the other

Telcom 2700 23
 Example of MSK
1 0 1 1 0 1 0
data bit
even 0101
even bits odd 0011

odd bits signal hnnh

value - - ++

low h: high frequency

frequency n: low frequency
+: original signal
-: inverted signal
high
frequency

MSK
signal
t

No phase shifts!

Telcom 2700 24

GSM Frequency Hopping

Optionally, TDMA is combined with frequency
hopping to address problem of channel fading
TDMA bursts are transmitted in a precalculated
sequence of different frequencies (algorithm
programmed in mobile station)
If a TDMA burst happens to be in a deep fade,
then next burst most probably will not be
Helps to make transmission quality more uniform
among all subscribers
Improves frequency resuse
Hops at the frame level – 217 hops/sec

Telcom 2700 25
 Frequency-hopped signal in GSM

Frame N-1

Frame 2

Frame N
Frame 1
Frequency 4.615 msec

Frame 3
Frame N+1

Time

Telcom 2700 26

GSM Air Interface Specifications Summary

Parameter Specifications
Reverse Channel Frequency 890 – 915 MHz
Forward Channel Frequency 935 – 960 MHz
ARFCN Number 0 to 124
Tx/Rx Frequency Spacing 45 MHz
Tx/Rx Time Slot Spacing 3 Time slots
Modulation Data Rate 270.833333 kbps
Frame Period 4.615 ms
Users per Frame (Full Rate) 8
Time slot Period 576.9 μs
Bit Period 3.692 μs
Modulation GMSK
ARFCN Channel Spacing 200 kHz
Interleaving (max. delay) 40 ms
Voice Coder Bit Rate 13.3 kbps
Telcom 2700 27
 GSM System Identifiers
Notation Name Size (bits) Description

IMSI International mobile 15 digits (50 bits) Directory number conforming to international
subscriber identity convention – assigned by operating company
to subscriber

TMSI Temporary mobile 32 bits Assigned by visitor location register to a

subscriber identity subscriber

IMEI International mobile 15 digits Assigned by manufacturer to a mobile station

equipment identifier

Ki Authentication Key 128 bits Secret key assigned by the operating

company to a subscriber

Kc Cipher Key 64 bits Computed by network and mobile station

- Mobile Station class mark 32 bits Indicates properties of a mobile station

BSIC Base Station identity code 6 bits Assigned by operating company to each BTS

- Training Sequence 26 bits Assigned by operating company to each BTS

LAI Location Area Identity 40 bits Assigned by operating company to each BTS

Telcom 2700 28

GSM Channels
Physical Channel – 1 time slot on a uplink/downlink radio carrier.
125 radio carriers, 8 slots per carrier => 1000 physical channels
Traffic Channels
Full rate (TCH/F) at 22.8 kb/s or half rate (TCH/H) at 11.4 kb/s
Physical channel = full rate traffic channel (1 timeslot) or 2 half rate
traffic channels (1 timeslot in alternating frames)
Full rate channel may carry 13 kb/s speech or data at 12, 6, or 3.6 kb/s
Half rate channel may carry 6.5 kb/s speech or data at 6 or 3.6 kb/s
Control Channels
Three groups of logical control channels
1. BCH (broadcast channels): point-to-multipoint downlink only
2. CCCH (common control channel): for paging and access
3. DCCH (dedicated control channel): bi-directional point-to-point signaling

Telcom 2700 29
 GSM Channels

Telcom 2700 30

Framing Scheme in GSM (Traffic Channels)

Framing scheme is implemented for encryption and identifying time slots

1 2 3 4 Hyperframe: 3 hours 28 min 53.76 s 2048

1 2 3 4 Superframe: 6.12 s 51

1 2 3 4 Traffic Multiframe: 120 ms 26

1 2 3 5 6 7 8 Frame: 4.615 ms

TB Data (57 bits) TS Data (57 bits) TB GP Slot: 577 μs

Telcom 2700 31
 GSM Logical Channels (cont)
BCH (broadcast channels): point-to-multipoint downlink only
BCCH (broadcast control channel): send cell identities, organization
info about common control channels, cell service available, etc
FCCH (frequency correction channel): send a frequency correction
data burst to effect a constant frequency shift of RF carrier
SCH (synchronization channel): send TDMA frame number and base
station identity code to synchronize MSs

CCCH (common control channel): for paging and access

PCH (paging channel): to page MSs
AGCH (access grant channel): to assign MSs to stand-alone
dedicated control channels for initial assignment
RACH (random access channel): for MS to send requests for
dedicated connections

Telcom 2700 32

GSM Logical Channels (cont)

DCCH (dedicated control channel): bidirectional point-to-
point -- main signaling channels
SDCCH (stand-alone dedicated control channel): for service
request, subscriber authentication, equipment validation,
assignment to a traffic channel
SACCH (slow associated control channel): for signaling associated
with a traffic channel, eg, signal strength measurements
FACCH (fast associated control channel): for preemptive signaling
on a traffic channel, eg, for handoff messages –sets S (stealing
Flag in traffic slot)

Control channels are organized in a complex frame

structure
Certain ARFCNs are assigned as having a control channel – TS0 is
used for control channel
One control channel per sector per cell.

Telcom 2700 33
 Framing Scheme in GSM (Control Channels)

Framing scheme is implemented for encryption and identifying time slots

1 2 3 4 Hyperframe: 3 hours 28 min 53.76 s 2048

1 2 3 4 Superframe: 6.12 s 26

1 2 3 4 Control Multiframe: 235.4 ms 51

1 2 3 5 6 7 8 Frame: 4.615 ms

TB Data (57 bits) TS Data (57 bits) TB GP Slot: 577 μs

Telcom 2700 34

Control Channel Multiframe (Forward link TS0)

Control Multiframe = 51 TDMA Frames
235 ms

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 20 21 22 39 40 41 42 49 50
… … …
F S B B B B C C C C F S C C C F S C C F S C C I

F: FCCH burst (BCH)

S: SCH burst (BCH)
B: BCCH burst (BCH)
C: PCH/AGCH burst (CCCH)
I: Idle

Control Channel Multiframe (Reverse link for TS0)

Control Multiframe = 51 TDMA Frames
235 ms

0 1 2 3 4 5 6 46 47 48 49 50
………………………………..
R R R R R R R R R R R R

R: Reverse RACH burst (CH)

Telcom 2700 35
 GSM Reverse Access Channel Protocol
begin

Send
message

Other
no Transmissions
yes
In this slot
?

yes Base detects

no
messages?

Another
no messages with
yes yes no
Max attempts?
same 5-bit
code?

Access Access Access

Succeeds conflict Fails Random
Time delay

GSM Access protocol for the random access channel RACCH.

Telcom 2700 36

System architecture: network and switching

subsystem
network fixed partner
subsystem networks Components
MSC (Mobile Services Switching Center):
ISDN
PSTN IWF (Interworking Functions)
MSC
ISDN (Integrated Services Digital Network)
PSTN (Public Switched Telephone Network)
EIR
PSPDN (Packet Switched Public Data Net.)
CSPDN (Circuit Switched Public Data Net.)
SS7

HLR

Databases
HLR (Home Location Register)
VLR
VLR (Visitor Location Register)
ISDN
MSC
PSTN
EIR (Equipment Identity Register)
IWF
PSPDN
CSPDN

Telcom 2700 38
 Network and switching subsystem
NSS is the main component of the public mobile network GSM
switching, mobility management, interconnection to other networks,
system control
Components
Mobile Services Switching Center (MSC)
controls all connections via a separated network to/from a mobile
terminal within the domain of the MSC - several BSC can belong to a
MSC
Databases (important: scalability, high capacity, low delay)
Home Location Register (HLR)
central master database containing static user data, (mobile number,
billing address, service subscribed, etc.) and dynamic data of all
subscribers last VLR location
Visitor Location Register (VLR)
local dynamic database for a subset of HLR data, including data about
all user currently in the domain of the MSC attached to VLR

Telcom 2700 39

Mobile Services Switching Center

The MSC (mobile switching center) plays a central role in GSM
switching functions
additional functions for mobility support
management of network resources
interworking functions via Gateway MSC (GMSC)
integration of several databases
Functions of a MSC
specific functions for paging and call forwarding
termination of SS7 (signaling system no. 7)
mobility specific signaling
location registration and forwarding of location information
provision of new services (fax, data calls)
support of short message service (SMS)
generation and forwarding of accounting and billing information

Telcom 2700 40
 Operation subsystem
OSS (Operation Subsystem) enables centralized
operation, management, and maintenance
Components
Authentication Center (AUC)
generates user specific authentication parameters on request of a
VLR
authentication parameters used for authentication of mobile
terminals and encryption of user data on the air interface within the
GSM system
Equipment Identity Register (EIR)
registers GSM mobile stations and user rights
stolen or malfunctioning mobile stations can be locked and
sometimes even localized
Operation and Maintenance Center (OMC)
different control capabilities for the radio subsystem and the
network subsystem
Telcom 2700 41

GSM Protocol Stack

Three Layers specified in the protocol
Network layer has three sublayers
1. Call Management
Establishment, maintenance, and termination of circuit-switched
calls
2. Mobility Management
Registration, authentication, and location tracking
3. Radio Resource Management
Establishment, maintenance, and termination of radio channel
connections
Link Layer
Uses variation of ISDN LAPD protocol – termed LAPDm
Physical layer (already discussed)
Time slot on a 200 KHz carrier – absolute radio frequency
channel number (ARFCN)
Telcom 2700 42
 GSM Protocol Stack
Air Interface
Um Abis A

CM CM

MM MM

RRM RRM RRM RRM

SCCP SCCP

LAPDm LAPDm LAPD LAPD MTP MTP

radio radio 64 kbps 64 kbps 64 kbps 64 kbps

Mobile Base transceiver Base transceiver Mobile services
station station controller switching center
CM: call management SCCP: signal connection control part (SS7)
MM: mobility management MTP: message transfer part (SS7)
RRM: radio resources management LAPD: link access protocol-D channel (ISDN)

Telcom 2700 43

GSM Data Link LAPDm Messages

Telcom 2700 44
 GSM RRM Messages

Telcom 2700 45

GSM MM Messages

Telcom 2700 46
 GSM CM Messages

Telcom 2700 47

Sample GSM Message

Assignment Command
message on FACCH used in handoff to inform of new channel info
Bit Position Information
1-4 Protocol Discriminator 0110 (RRM – message)
5-8 Transaction identifier
9-16 Message Type 00101110
17-40 Channel Description
41-48 Power Command
variable Optional Data

Telcom 2700 48
 GSM Call Management

Call Operation Types

Registration
Upon powering up, the MS scans common control
channels and locks onto channel with strongest signal
Searches for FCCH on RF carrier, finds SCH to synch up
After synchronization the MS decodes BCCH – decides
whether to update location register or not.
Once registered or locked on to BCCH
Mobile Originating (MO) Call
Mobile types in number presses Send
Mobile Terminating (MT) Call
Mobile registered and phone On – received incoming
call

Telcom 2700 49

GSM Registration

Lock on strong freq. RF + FCCH

and find FCCH
Find SCH channel for SCH sync + training
sync. and training
Gets cell and BCCH system parameters
system parameters

Request stand alone RACH channel request

dedicated channel
AGCH channel assignment
SDCCH established

Telcom 2700 50
 GSM Registration (cont)

Make location update SDCCH location update

request
SDCCH challenge
Computes challenge
response to verify
SDCCH challenge response
identity
SDCCH ciphered mode
Initiate encryption of
data for transmission Ack ciphered mode

Location update confirm

Complete location
update process Ack

Telcom 2700 51

Location Registration
Register at power up/call placement/(power down)/ when detect a new
location area id
Walkthrough Roaming case
1. Mobile-> MSC signals HLR update VLR pointer
2. Auc verifies user- may issue challenge/response
3. HLR – gives VLR mobile service profile
4. HLR – deregisters mobile from last VLR location
Target ITU-T bound on location registration ≤ 4sec
Location Update Types
Intra – VLR ( LAs attached to same VLR)
Only change LA id in VLR ( local signaling)
Target ITU-T location update time ≤ 2 sec

Inter –VLR ( LAs attached to different VLR)

must signal HLR to update VLR pointer
Target ITU-T Location update time ≤ 4 sec

Telcom 2700 52
 Location Update Call Flow

Telcom 2700 54

MTC/MOC general behavior

MS MTC BTS MS MOC BTS
paging request
channel request channel request
immediate assignment immediate assignment
paging response service request
authentication request authentication request
authentication response authentication response
ciphering command ciphering command
ciphering complete ciphering complete
setup setup
call confirmed call confirmed
assignment command assignment command
assignment complete assignment complete
alerting alerting
connect connect
connect acknowledge connect acknowledge
data/speech exchange data/speech exchange

Telcom 2700 55
 GSM MOC Calling from MS

MSC

Dial called Setup Request Fetches subscriber info

party from VLR to process
Call Proceeding
call, acks caller

Radio channel Allocates trunk +

Tune to radio channel
radio freq. Ack
Complete Call connected
through PSTN
Alerting
Alerts caller
Connect
Called party picks up
Connect ack Call can proceed
Telcom 2700 57

GSM MTC Calling to MS

MSC

Request PCH page request Incoming call from PSTN

dedicated
RACH channel request
control
channel AGCH assignment Allocates control
channel
SDCCH paging response
Answer page
SDCCH challenge
Request authentication
Computes SDCCH challenge response
response
SDCCH ciphering mode Request ciphering on
Begin channel
Ciphering mode complete
ciphering
Telcom 2700 59
 GSM MTC Calling to MS (cont)

MSC

SDCCH setup
Notify call
SDCCH setup ack
Accept call
SDCCH assignment
Assign traffic channel
Tune to Assignment complete
freq.
FACCH alerting/connect
Alert called party
Start FACCH connect ack
connection
Telcom 2700 60

GSM Features
Discontinuous Transmission (DTX)
Handset/BSC contain voice activity detectors (much of a conversation is
silence!)
If no speech detected NO information is transmitted – TDMA slot left empty
Saves battery power in mobile
Reduces co-channel and adjacent channel interference
Comfort Noise is periodically played back if long silence period
Power control
Both mobile and BTS regulate power (increase and decrease)
Mobile power adjusted in 2 dB levels, BTS power adjusted in 4 dB levels
Conserves battery power in mobile
Reduces interference
Mobile Assisted Handoff (MAHO)
Mobile takes measurements of signals strength of radio channels in adjacent
cells - reports to BSC and MSC to pick cell for handoff
Sleep Mode
Handset once registered with network will be assigned a sleep mode level
Checks paging channel for page/SMS periodically depending on level
Telcom 2700 61
 GSM Mobility Management

Mobility Types
Track location of users for incoming calls/SMS
Location registration/authentication/paging
Divide coverage area into non-overlapping groups of
cells – assign each a unique id
Location Area ID periodically broadcast by each cell
As a mobile moves/turns phone on – it listens to location
area id – if different from last one registered in – performs a
location update/authentication procedure with VLR and
possibly HLR
Call in progress mobility
Handoff call from one BTS to another BTS
MAHO by mobile reporting measurements of signal
strength

Telcom 2700 62

Location Management

Location Area ( LA)

Divide coverage into non-overlapping groups of cells
Assign each LA a unique id
Location Area ID is periodically broadcast by each cell
Two level database hierarchy HLR/VLR
HLR points to VLR where mobile located
Location
VLR entry points to LA where mobile last located Location
Area 1
Area 3

In large networks may have HLR split among

Location
regions with aggregate info cross region Area 2

Telcom 2700 63
 Location Area and Cell Identification Parameters
MCC – Mobile Country Code LAI – Location Area Identity
Uniquely identify the country of the GSM subscriber Uniquely identifies a location area in the network
Made up of MCC + MNC + LAC
MNC – Mobile Network Code
Identifies the GSM operator within the country. Each CGI – Cell Global Identifier
country can have several GSM operators each having a Uniquely identifies the cell within the network
unique MNC. Made up of LAI + CI

LAC – Location Area Code

Defines a location area, which consists of a group of cells.
Each MNC can have several LACs.

CI – Cell Identity
Uniquely identifies a cell in a location area.
Mobile network code
unique to each
operator
in a country

Location Areas
Define group of cells

Cell Identity
Unique to each cell

Telcom 2700 64

GSM Handoffs
Handoff major decision-making stages
Identify the need
Identify the candidate
Evaluate the candidates
Select a target cell
Types of handoffs
Intra-Cell : Handoff between sectors of same cell
Intra-BSS: if old and new BTSs are attached to same base
station
MSC is not involved
Intra-MSC: if old and new BTSs are attached to different
base stations but within same MSC
Inter-MSC: if MSCs are changed
Handoff Forward, Handoff Back, Handoff to a Third

Telcom 2700 65
 Types of Handoff
Inter-BSC Intersystem handoff
Intracell Standard

MS MS MS MS

BTS BTS BTS BTS

BSC BSC BSC

MSC MSC

Telcom 2700 66

GSM - Handoff
Handoff initiation:
Base station or MS notices signal is weakening (when the
received signal strength goes below a certain threshold value)
Base station or MS sends a handoff measurement request
message to its BSC/MSC
BSC/MSC requests
neighbor base stations to report their reception of mobile’s signal
strength
MS to measure strength of neighbor base stations on downlink
(called Mobile Assisted Handoff)
BSC/MSC picks neighbor base station with highest received signal
strength combination in up and downlink to handoff too

Telcom 2700 67
 GSM - Mobile Assisted Handoff
Mobile listens to the

HC
BCCH of six neighboring

BC
base stations

BTS1
BTS2 Break before Make
handoff (hard handoff)

2. Request channel
3. Activate Channel
s
ent

BTS1 MSC BTS2

re m

4.
u

7.
eas

Se

6. Handoff Detection

Co
nd

mm
rt m

s
Ha

un
es
epo

ic a
cc
nd

tio
of

ff A s
1. R

n
fC

Re
do s t
om

an Bur

su
me
m

H
5.

s
an
d

Telcom 2700 69

Handoff Procedure

MS BTSold BSCold MSC BSCnew BTSnew

measurement measurement
report result

HO decision
HO required HO request
resource allocation
ch. activation

HO command HO request ack ch. activation ack

HO command HO command
HO access
Link establishment

HO complete HO complete
clear command clear command
clear complete clear complete

Telcom 2700 70
 Security in GSM
Security services
access control/authentication
user ⌫ SIM (Subscriber Identity Module): secret PIN (personal
identification number)
SIM ⌫ network: challenge response method
confidentiality
voice and signaling encrypted on the wireless link (after successful
authentication)
anonymity
“secret”:
temporary identity TMSI
• A3 and A8
(Temporary Mobile Subscriber Identity) available via the
newly assigned at each new location update (LUP) Internet
• network providers
encrypted transmission
can use stronger
3 algorithms specified in GSM mechanisms
A3 for authentication (“secret”, open interface)
A5 for encryption (standardized)
A8 for key generation (“secret”, open interface)

Telcom 2700 71

GSM System Architecture

UM A-Bis A Interface B Interface
Interface Interface

B, C, D, E, F
OMC - Radio MAP Interfaces
BTS
Mobile
BTS Base Switching
Station Center VLR
BTS Controller (MSC)
(BSC) D Interface
BTS C
BTS
Interface HLR

BTS Base E AUC

Station Interface F
EIR
BTS Controller Interface
(BSC)
Mobile VLR
Switching
Center
Traffic and Signaling (MSC)
Signaling only PSTN

VLR = Visitor Location Register BTS = Base Transceiver Station

HLR = Home Location Register ADC = Admission Data Center
EIR = Equipment Identity Register OMC = Operation Maintenance Center
AUC = Authentication Center
Telcom 2700 72
 Authentication and Encoding

A Interface

Mobile Station Base Station Controller

Speech and data in clear
Ki RAND
Service
Encoded Signaling in clear
Speech,
Switching
A5 Point
Data, and
A8 Signaling
SRES
A3

Encoded Kc
Kc
Speech
Data and
Speech and Data RAND VLR
Signaling
Base SRES Radio
A5 transceiver Control
Signaling in Clear
Point
station

Telcom 2700 73

Authentication Procedure in GSM

AUC
SRES Signed Response 32 bit Random IMSI (1) Ki(1)
A3 Authentication Algorithm Number
Ki 128-bit subscriber key unique to each subscriber
RAND 128-bit random number
RAND : :
IMSI (X) Ki(X)

A3

SRES

Ki RAND, SRES
RAND
COMPARES SRES VALUES RECEIVED
FROM AUC AND MOBILE STATION
A3
IF IDENTICAL THEN MS IS AUTHENTICATED
SRES
SRES
MSC
MS
Telcom 2700 74
 Ciphering Procedure in GSM
AUC
Kc 64 bit Ciphering Key Random IMSI (1) Ki(1)
A8 Ciphering Algorithm Number
Ki 128-bit subscriber key unique to each subscriber
RAND 128-bit random number
RAND : :
IMSI (X) Ki(X)

A8

Kc

Ki RAND, Kc
RAND
SEND RAND TO MOBILE STATION AND Kc
A8 TO
Kc to BTS BSC FOR CIPHERING

Kc
MSC
MS
Telcom 2700 75

Data services in GSM

Circuit Switched Data transmission standardized at 9.6 kbit/s
advanced coding allows 14.4 kbit/s in a standard TDMA slot
Widely deployed and used by WAP GSM phones
not enough bandwidth for multimedia applications
HSCSD (High-Speed Circuit Switched Data)
already standardized
bundling of several time-slots on a radio carrier to get higher data
rate : called AIUR (Air Interface User Rate)
maximum rate 57.6 kbit/s using 4 slots, 14.4 kbps each
(4 slot limit to allow MS to transmit then listen to downlink channel)
Advantages: ready to use, constant quality, simple no additional
equipment needed in network just software upgrades
Disadvantage: channels blocked for voice transmission,
expensive, not supported by all service providers
Most operators now have 2.5G solutions like GRPS or EDGE
in place – 3G slowly being rolled out

Telcom 2700 76