Introduction to the GSM Network
GSM: Global System for Mobile communication
o Pan-European standard for communication with mobiles, already adopted by more
than 400 operators in 173 countries and now the world-wide reference for mobile
radio networks. Since 1995 (phase 2), this standard harmonizes the 900 MHz GSM
system and the 1800 or 1900 MHz Digital Cellular Systems (DCS).
GSM 900:
o 2 x 25 MHz frequency bands around 900 MHz. (extended : 2 x 35 MHz)
GSM 1800:
o 2 x 75 MHz frequency bands around 1800 MHz.
GSM 1900: (North and South American variant of the GSM 1800):
o 2 x 75 MHz frequency bands around 1900 MHz.
History
Mobile network "Prehistory":
o 1946: St Louis (Missouri)
o 1970 - 80: NATEL (Switzerland)
1st Generation: Analogue cellular networks
o 1979: Chicago: AMPS
o 1981: Sweden: NMT
o 1985: UK: TACS
2nd Generation: Digital networks
o 1992: Europe: GSM
o 1995: US: IS95 (CDMA)
3rd Generation: Universal(?) Standards
o 2001: Japan IMT-2000: UMTS
[Figure: small cells, medium cells and large cells. Labels: public, residential, office, PABX, PSTN, GSM]
From 2G to 3G
[Figure: 2G services and 3G services. Labels: GSM, GPRS, E-GPRS, GERAN, UMTS; up to 160 Kbps, up to 384 Kbps, up to 2 Mbps; Internet services, VoIP, Multimedia; R97/98/99 (GSM), R99 (GSM), R99 (3GPP), R4/R5 (3GPP), R5 (3GPP)]
General Concepts: PLMN and Mobile Stations
[Figure: PLMNs interconnected with the PSTN, the ISDN and the PDN]
PLMN = Public Land Mobile Network
PSTN = Public Switched Telephone Network
ISDN = Integrated Services Digital Network
PDN = Packet Data Network
General Concepts: Cellular Coverage
[Figure: omni-directional, unidirectional and sectored cells, with the cells of a frequency re-use pattern numbered 1 to 12]
Example of a 12-Cell Three-sector Pattern
Radio Resources are limited :
[Figure: downlink and uplink radio resources]
To increase Spectrum Efficiency, specific
techniques are introduced :
o Power Control
o Handover
o Frequency Hopping
o Discontinuous Transmission (DTX)
GSM architecture
[Figure: GSM architecture. Blocks: Users, MS, BSS, NSS, External Networks, OSS, Operators]
Types of Mobile Stations
[Figure: types of mobile stations on the Um interface, with SIM card or "plug-in" SIM: MT0, MT1, MT2, TE1, TE2, TA, TE2 (including TAF); annotated with ISDN concepts and GSM concepts]
MT = Mobile Termination
TE = Terminal Equipment
TE1 = ISDN
TE2 = V or X type
TA(F) = Terminal Adaptor (Function)
GSM architecture: Base Station System
[Figure: Base Station System. Blocks: BTS, BSC, CBC, other BSCs, NSS, PSTN/ISDN]
GSM architecture: Network and Switching System
[Figure: Network and Switching System. Blocks: MSC, VLR, HLR, AuC, EIR, SMS-C, GCR, BSS, PSTN/ISDN]
GSM architecture: GPRS
[Figure: GSM+GPRS architecture. Circuit Switching: BSS with PCU, MSC/VLR, PSTN/ISDN. Packet Switching: BSS with PCU, SGSN, GPRS Backbone, GGSN, Internet. Also shown: HLR]
GSM interfaces and protocols
[Figure: MS, BTS, BSC, MSC, VLR, HLR, AuC, EIR, GCR and the PSTN / ISDN, with the interfaces between them]
Interface    Entities             Protocol
Um (Radio)   MS - BTS             LAPDm (GSM specific)
Abis         BTS - BSC            LAPD (ISDN type)
A            BSC - MSC            (SS7 basic) + BSSAP (BSSAP = BSSMAP + DTAP)
B            MSC-VLR              (SS7 basic) + MAP
C            (SM-G)MSC-HLR        (SS7 basic) + MAP
D            HLR-VLR              (SS7 basic) + MAP
E            (SM-G)MSC-MSC        (SS7 basic) + MAP
F            MSC-EIR              (SS7 basic) + MAP
G            VLR-VLR              (SS7 basic) + MAP
H            HLR-AuC              (SS7 basic) + MAP
I            MSC-GCR              (SS7 basic) + MAP
             MSC-PSTN, MSC-ISDN   (SS7 basic) + TUP or ISUP
GPRS interfaces and protocols
[Figure: MS, BSS with PCU, SGSN, GGSN, MSC, HLR, EIR and the Data Network, with the interfaces between them]
Interface    Entities             Protocol
Um (Radio)   MS - BTS             LAPDm (GSM specific)
Gb           BSS - SGSN           BSSGP
Gn           SGSN-SGSN            IP
Gn           SGSN-GGSN            IP
Gr           SGSN-HLR             SS7
Gc           GGSN-HLR             IP/SS7
Gf           SGSN-EIR             SS7
Gs           SGSN-MSC/VLR         SS7
Gi           GGSN-Data Network    IP
Position of Transcoding Unit (TRAU)
[Figure: possible positions of the TRAU between the BTS Site, the BSC Site and the MSC Site, on the Abis interface and the A interface. Legend: 2Mb link, each channel = 16 Kbps; 2Mb link, each channel = 64 Kbps]
RADIO INTERFACE: essential part of GSM specifications because of:
Inter-PLMN COMPATIBILITY
==> Complete Specification (to the nearest bit)
Very elaborate SPECTRUM EFFICIENCY optimization techniques:
Reduction of INTERFERENCE to Manage a large number of Mobiles per km
TRAFFIC: information interchanged from USER-TO-USER, after setting up the call,
requiring dedicated radio resource allocation. In GSM, traffic can be an interchange of
speech or data
SIGNALLING: information interchanges (in some cases, without the user's knowledge)
between the mobile equipment and network machines
o Out of Call : required for managing mobiles, eg. : location update
o During a Call :required for various reasons, eg.: handover, access to a supplementary
service, call release
MS status
[Figure: MS state diagrams, with each state marked "MS reachable" or "MS not reachable"]
Circuit Switching Mode (GSM)
o States: "Power Off", "Idle", "Connected"
o Transition labels: Switch-on, Switch-off, End of transaction
Packet switching mode (GPRS)
o States: "Idle", "Stand-by", "Ready" (Packet Tx or Rx)
o Transition labels: Attachment to network, Detachment, Network Access, Out of Time
Radio Resources
"Idle" Status (Mobile pre-synchronization)
o Channels to be used: Common Broadcast Channels
o Main Tasks & Types of Interchange: Frequency search, Timing Synchro, System Parameter Analysis, Frequency Monitoring, (Paging)
Access procedure (Network Access)
o Channels to be used: Common Access Channels
o Main Tasks & Types of Interchange: Access Request, Dedicated Channel Assignment
"Connected" Status
o Out of call signalling phase: Dedicated Signalling Channels. Same dedicated channel used for Authentication and Signalling (Location Updating, Short Messages, (Traffic Channel Assignment))
o TRAFFIC phase (Optional): Dedicated Traffic Channels. Same dedicated channel used for Traffic and Signalling
Physical Channels : the TDMA Frame
[Figure: time slots 0 to 7 repeated along the time axis on each carrier of the frequency axis, for 1 BTS (eg. 3 carriers)]
o TDMA frame = 4.615 ms, made of 8 Time slots (or burst windows), numbered 0 to 7
o DOWNLINK Band (BTS -> MS) and UPLINK Band (MS -> BTS)
o 1 "CHANNEL" (in 1 direction) = one time slot of one carrier; the same "CHANNEL" is used in the other band if bidirectional
o Time shift between transmit and receive : 3 TS
Physical Channels : the Normal Burst
[Figure: a CHANNEL is one Time Slot (TS) or Burst Period (BP) of 577 µs in each TDMA frame of 4.615 ms; the burst is sent inside the time slot and is followed by a guard time]
Content of the Normal Burst:
o Data (114 bits): 2 blocks of 57 bits
o Training sequence: 26 bits
o "Stealing Flags" (S)
o guard time
Training Sequences :
8 different bit patterns, chosen so that:
o They are easily recognizable (very accurate auto-correlation function)
o They are easily distinguishable from one another (little correlation between each pattern)
Stealing Flags :
o S=0: Traffic (or Signalling out of call)
o S=1: Signalling during call
Logical Channels: Principle of Mapping with Physical Channels
example : "Beacon" frequency, downlink, TS 0 to 7, from BTS to MS:
o FCCH: Frequency Correction (Mobile presynchronization)
o SCH: Timing synchronization (Mobile presynchronization)
o BCCH: System information
o PCH: Subscriber paging
o AGCH: Response to access request
o SDCCH: Out of call signalling -> MSi (Out of call signalling receipt)
o SACCH: Power Control -> MSi
o TCH: Traffic samples -> MSj (Traffic sample decoding)
o FACCH: In call signalling -> MSj (In call signalling receipt)
Logical Channels - Time Division Multiplexing (GSM)
1 TDMA frame = 120/26 ≈ 4.615 ms
"TRAFFIC" type Multiframe : 26 frames, numbered 0 to 25 (= 120 ms)
"SIGNALLING" type Multiframe : 51 frames, numbered 0 to 50 (= 235 ms approx.)
Logical Channels - Time Division Multiplexing (GPRS)
1 TDMA frame = 120/26 ≈ 4.615 ms
52 Frame - Multiframe on pdch: 52 frames, numbered 0 to 51 (= 240 ms.), carrying 12 blocks (Block 0 to Block 11)
[Figure: Data Flow to User A, Data Flow to User B and Data Flow to User C sharing Block 0 to Block 11 of one Multiframe : 52 frames (= 240 ms.). Each block carries Data labelled with a TFI (28, 2 or 19) and a BSN that increases from block to block within a flow]
Radio Interface - Channel Mapping
TS 0, downlink, frames 0 to 50:
F S B B B B C C C C  F S C C C C C C C C  F S C C C C C C C C  F S C C C C C C C C  F S C C C C C C C C  -
Multiframe : 51 frames (= 235 ms approx.)
F = FCCH   S = SCH   B = BCCH   C = CCCH   - = idle frame

LOGICAL CHANNEL: FCCH (Frequency Correction)
o OCCURRENCE and/or USABLE BIT RATE: 1 every 10 frames (46 ms)
o ROLES and USES of INFORMATION CARRIED:
  - Locking the mobile local oscillator on the exact frequency
  - Roughly estimating the position of the receive window
LOGICAL CHANNEL: SCH (Synchro)
o OCCURRENCE and/or USABLE BIT RATE: as FCCH (46 ms), 8 TS after
o ROLES and USES of INFORMATION CARRIED:
  - Exact synchronization of receive window
  - Decoding the Frame Number (from 0 to 2,715,647)
LOGICAL CHANNEL: BCCH (Broadcast Control)
o OCCURRENCE and/or USABLE BIT RATE: 1 TS every 4 consec. frames every 51 frames, giving 456 usable bits every 235 ms
o ROLES and USES of INFORMATION CARRIED:
  - General information (system) concerning the station:
  - Identity of operator, access authorized or not,
  - Organization of logical channels in the cell (paging...),
  - Frequencies used, Frequency hopping...,
  - Time-Outs applicable...
[Figure: UPLINK and DOWNLINK Multiframes of 51 frames on TS 0. Legend: f = FCCH, s = SCH, b = BCCH, C C C C = CCCH (PCH or AGCH), R = RACH]

LOGICAL CHANNEL: RACH (Random Access)
o OCCURRENCE and/or USABLE BIT RATE: Only uplink
o ROLES and USES of INFORMATION CARRIED:
  - used by the mobile to request access to the network ("Channel Request" message with mobile short format identity)
LOGICAL CHANNEL: AGCH (Access Grant)
o ROLES and USES of INFORMATION CARRIED:
  - used by the network to acknowledge the access request and assign a dedicated channel to the mobile ("immediate assignment" message with identity echo)
LOGICAL CHANNEL: PCH (Paging)
o ROLES and USES of INFORMATION CARRIED:
  - used by the network to signal a call to a mobile
OCCURRENCE of AGCH and PCH: These 2 sub-channels share the "CCCH" channel based on variable rules according to cell and operator
Short format identity: unambiguous in the cell
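Added example (not part of the original slides): the TS 0 downlink pattern of the 51-frame multiframe turned into a lookup from frame number to logical channel, with the 4-burst blocks and the figures they imply. It assumes the non-combined layout drawn above; the function and constant names are illustrative.

```python
"""TS 0 downlink layout of the 51-frame signalling multiframe (added example)."""

FRAMES_PER_MULTIFRAME = 51
FRAME_MS = 120 / 26        # one TDMA frame, about 4.615 ms
MAX_FN = 2_715_647         # highest frame number decoded from the SCH
BITS_PER_BURST = 114       # data bits of a normal burst (2 x 57)

# Pattern from the slide: F S B B B B C C C C, then 4 x (F S + 8 C), then idle.
TS0_DOWNLINK = list("FSBBBBCCCC" + "FSCCCCCCCC" * 4 + "-")
NAMES = {"F": "FCCH", "S": "SCH", "B": "BCCH", "C": "CCCH", "-": "idle"}


def ts0_channel(fn):
    """Logical channel carried on TS 0 of the beacon frequency in frame fn."""
    if not 0 <= fn <= MAX_FN:
        raise ValueError(f"frame number out of range: {fn}")
    return NAMES[TS0_DOWNLINK[fn % FRAMES_PER_MULTIFRAME]]


def frames_of(symbol):
    """Positions (0 to 50) of one symbol inside the multiframe."""
    return [i for i, s in enumerate(TS0_DOWNLINK) if s == symbol]


def blocks(symbol):
    """Group the frames of a symbol into 4-burst blocks: [(first, last), ...]."""
    frames = frames_of(symbol)
    if len(frames) % 4:
        raise ValueError(f"{symbol!r} frames do not form whole 4-burst blocks")
    groups = [frames[i:i + 4] for i in range(0, len(frames), 4)]
    for group in groups:
        if group[-1] - group[0] != 3:
            raise ValueError("a block must use 4 consecutive frames")
    return [(group[0], group[-1]) for group in groups]


def summary():
    """Figures that follow from the pattern, to compare with the table."""
    return {
        "multiframe_ms": round(FRAMES_PER_MULTIFRAME * FRAME_MS, 1),
        "fcch_spacing_ms": round(10 * FRAME_MS, 1),
        "bcch_bits_per_multiframe": len(blocks("B")) * 4 * BITS_PER_BURST,
        "ccch_blocks_per_multiframe": len(blocks("C")),
    }


if __name__ == "__main__":
    for fn in (0, 1, 2, 6, 50, 51, MAX_FN):
        print(fn, ts0_channel(fn))
    print(summary())
```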
DOWNLINK (Multiframes : 51 frames):
D0 D1 D2 D3 D4 D5 D6 D7 A0 A1 A2 A3 | D0 D1 D2 D3 D4 D5 D6 D7 A4 A5 A6 A7
UPLINK (Multiframes : 51 frames):
A1 A2 A3 D0 D1 D2 D3 D4 D5 D6 D7 A0 | A5 A6 A7 D0 D1 D2 D3 D4 D5 D6 D7 A4
D = SDCCH   A = SACCH

LOGICAL CHANNEL: SDCCH (Standalone Dedicated Control)
o OCCURRENCE and/or USABLE BIT RATE: 8 TSs every 2x51 frames, giving 456 bits / 235 ms ---> 1.94 kbit/s
o ROLES and USES of INFORMATION CARRIED:
  - Out of call signalling, such as location update, authentication, transition to encrypted mode, assignment of a traffic channel...
LOGICAL CHANNEL: SACCH (Slow Associated Control)
o OCCURRENCE and/or USABLE BIT RATE: 4 TSs every 2x51 frames, giving 456 bits / 470 ms ---> 950 bit/s
o ROLES and USES of INFORMATION CARRIED:
  - Non-urgent procedures (background), occurrence ~0.5 sec: measurement reports, power monitoring, timing advance,
  + Short Message Service (SMS)
1 "FULL-RATE" + 1 SACCH :
T0 T1 T2 T3 T4 T5 T6 T7 T8 T9 T10 T11 A T12 T13 T14 T15 T16 T17 T18 T19 T20 T21 T22 T23 -
Multiframe : 26 frames (= 120 ms)
Ti = Sample i, TCH/F channel
A = Associated SACCH
2 "HALF-RATE" + 2 SACCHs :
[Figure: 26-frame multiframe in which the samples 0 to 11 of channel TCH/H n°1 and channel TCH/H n°2 alternate, with one SACCH frame for each channel]
Ti = Sample i, channel TCH/H n°1 or channel TCH/H n°2
A1 = SACCH associated with TCH 1   A2 = SACCH associated with TCH 2

LOGICAL CHANNEL: TCH/F (Traffic, Full Rate)
o OCCURRENCE and/or USABLE BIT RATE: 24 TSs every 120 ms ---> 22.8 kbit/s
o ROLES and USES of INFORMATION CARRIED:
  - Traffic at max rate 13 kbit/s (Speech encoded at 13 kbit/s or Data at up to 9600 bit/s)
LOGICAL CHANNEL: TCH/H (Traffic, Half Rate)
o OCCURRENCE and/or USABLE BIT RATE: 12 TSs every 120 ms ---> 11.4 kbit/s
o ROLES and USES of INFORMATION CARRIED:
  - Traffic at max rate 5.6 kbit/s (Speech encoded at 5.6 kbit/s or Data at up to 4800 bit/s)
LOGICAL CHANNEL: SACCH (Slow Associated Control)
o OCCURRENCE and/or USABLE BIT RATE: 4 TS every 480 ms ---> ~ 1 kbit/s
o ROLES and USES of INFORMATION CARRIED:
  - Non-urgent procedures (background), occurrence ~ 0.5 sec: (as SACCH associated with a SDCCH)
TCH cycle stealing
o OCCURRENCE and/or USABLE BIT RATE: max 11.4 or 22.8 kbit/s
o ROLES and USES of INFORMATION CARRIED:
  - Signalling after TCH set-up: end of call processing, "high speed" signalling
[Figure: one BTS with TS 0 to 7 on the "Beacon" frequency and on the other frequencies]
"Beacon" frequency:
o TS 0: FCCH + SCH + BCCH and PCH + AGCH in the downlink direction, RACH in the uplink direction
o TS 1: 8 SDCCH/8 + 8 SACCH/8 in each direction
o other TSs: TCH (+ SACCH / FACCH) in each direction
Examples :
Number of Frequencies    Number of TCH Channels    ERLANGS (formula B, blocking 2%)
3                        22                        15
4                        30                        22
5                        38                        29

[Figure: one BTS with TS 0 to 7 on the Beacon frequency and on one other frequency]
o TS 0 of beacon frequency: (FCCH + SCH + BCCH) + (PCH + AGCH + RACH) + (4 SDCCH/4 + 4 SACCH/4)
o other TSs: TCH + SACCH (+ FACCH)
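Added example (not part of the original slides): the Erlang B formula behind the "formula B, blocking 2%" column, inverted numerically to give the traffic that a number of TCH channels can carry. It assumes 2 time slots are reserved for signalling in the first configuration and 1 in the combined one; the function names are illustrative.

```python
"""Erlang B capacity of a GSM cell from its number of frequencies (added example)."""


def erlang_b(traffic, channels):
    """Blocking probability when `traffic` Erlangs are offered to `channels` circuits."""
    if traffic < 0 or channels < 0:
        raise ValueError("traffic and channels must be non-negative")
    blocking = 1.0                       # B(A, 0) = 1
    for n in range(1, channels + 1):     # B(A, n) = A*B(n-1) / (n + A*B(n-1))
        blocking = traffic * blocking / (n + traffic * blocking)
    return blocking


def offered_traffic(channels, blocking=0.02):
    """Largest traffic (Erlangs) whose blocking stays at or below `blocking`."""
    if not 0 < blocking < 1:
        raise ValueError("blocking must be between 0 and 1")
    low, high = 0.0, 2.0 * channels + 1.0   # blocking at `high` is far above 2%
    for _ in range(60):                     # bisection: erlang_b grows with traffic
        mid = (low + high) / 2
        if erlang_b(mid, channels) > blocking:
            high = mid
        else:
            low = mid
    return low


def tch_channels(frequencies, combined_bcch=False):
    """Time slots left for TCH: 8 per frequency minus the signalling slots."""
    if frequencies < 1:
        raise ValueError("a cell needs at least the beacon frequency")
    reserved = 1 if combined_bcch else 2    # TS 0 only, or TS 0 + TS 1
    return 8 * frequencies - reserved


def capacity_table(frequencies, combined_bcch=False, blocking=0.02):
    """Rows of (frequencies, TCH channels, Erlangs rounded to one decimal)."""
    rows = []
    for f in frequencies:
        n = tch_channels(f, combined_bcch)
        rows.append((f, n, round(offered_traffic(n, blocking), 1)))
    return rows


if __name__ == "__main__":
    for row in capacity_table([3, 4, 5]):
        print("non-combined", row)
    for row in capacity_table([1, 2], combined_bcch=True):
        print("combined    ", row)
```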
Structure of the Multiframe in "Time Slot" 0 (Config. n° 1: combined BCCH) :
[Figure: DOWNLINK and UPLINK multiframes of 51 frames on TS 0. Downlink: repeated F S pairs with the D0 to D3 and A0 to A3 frames between them. Uplink: R frames with the D0 to D3 and A0 to A3 frames between them]
F = FCCH
S = SCH
B = BCCH
C = CCCH (PCH or AGCH)
R = RACH
Dn/An = SDCCH / SACCH/4
Radio Interface - Timing Advance
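[Figure: timing advance. The BTS transmits and receives in TS i. MS1 receives TS i after the forward propagation time and sends its Access Burst with a presynchronized Tx, so the burst reaches the BTS late by the forward propagation time plus the return propagation time. The T.A. is measured by the BTS; after TA, MS1 transmits earlier (Tx - TA)]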
Radio Interface - Subscriber Paging
The Network knows the LOCATION AREA (LA) in which the mobile is travelling.
An LA can cover more than one cell.
The PCH channel is used to signal a Call to a mobile. The same "Paging" message is
transmitted to all cells in the area (shaded areas above).
Only a mobile in "IDLE" state (pre-synchronized) can respond to paging.
Radio Interface - Access to the Network
An access request is always initiated by the MS. (when an MS is called, the "paging"
procedure is used).
The RACH channel is used to transmit the "CHANNEL REQUEST" message.
The channel is called "random" since the mobile chooses the call TS randomly. This means
that there is a risk of collision.
Collisions are resolved by retransmission after pseudo-random delays.
Radio Interface - Logical Channel Summary
Each entry gives: Abbreviation - Name; Type; Role/Info carried; Burst format.
Family: Broadcast
o FCCH - Frequency Correction CHannel; MP --> MS; Frequency for synthesizer alignment; Frequency
o SCH - Synchronization CHannel; MP --> MS; Timing sync - Frame N°; Sync
o BCCH - Broadcast Common CHannel; MP --> MS; Broadcast system information; Normal
Family: CCCH
o RACH - Random Access CHannel; PP <-- MS; Network access (Channel request); Access
o PCH - Paging CHannel; PP --> MS; Subscriber paging (paging); Normal
o AGCH - Access Grant CHannel; PP --> MS; SDCCH channel assignment (Imm.Ass); Normal
o CBCH - Cell Broadcast Control CHannel; MP --> MS; Broadcast short messages (SMS/CB); Normal
o NCH - Notification CHannel; MP --> MS; Accessibility notification (VGCS/VBS); Normal
Family: Dedicated signalling (out of call)
o SDCCH - Standalone Dedicated Ctrl CH.; PP <----> ; Out of call signalling; Normal
o SACCH - Slow Associated Control CH.; PP <----> ; Measurements - P Contr. - Timing adv.; Normal
Family: Dedicated Traffic + signalling (during call)
o TCH/F - Traffic / Full Rate CHannel; PP <----> ; 13 kbit/s traffic; Normal
o TCH/H - Traffic / Half Rate CHannel; PP <----> ; 5.6 kbit/s traffic (phase 2); Normal
o SACCH - Slow Associated Control CH.; PP <----> ; Measurements - P Contr. - Timing adv.; Normal
o FACCH - Fast Associated Control CH.; PP <----> ; In call signalling (cycle stealing); Normal
Radio Interface - Discontinuous Transmission
Principles (Mandatory in the mobile and on the BTS uplink path) :
DTX (Discontinuous Transmission) : reduced rate transmission (~ 500 bit/s) during silences
VAD (Voice Activity Detection): Measurement of signal strength for detecting moments of
"silence" (neither speech nor tone) - adaptive-threshold FILTER
Comfort Noise Generation: In receive mode, reconstitution of background noise based on
the characteristics received in Silence Descriptor (SID) frames, to avoid giving the receiving
user the impression that the line has been cut off
[Figure: SPEECH and SILENCE periods on the TRAU --> BTS and MS <--> BTS paths, with a SID FRAME sent during silence (480 ms)]
Radio Interface - Radio Channel generation
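[Figure: radio channel generation chain, with POWER CONTROL on transmission]
Transmit: Speech --> Digitization and Encoding --> Channel Encoding --> Interleaving --> Burst Formatting --> Encryption --> Modulation --> Transmission
Receive: Reception --> Demodulation --> Decryption --> Burst Deformatting --> Deinterleaving --> Channel Decoding --> Speech Decoding
Bit rates along the chain:
o FR Speech frames : 260 bits / 20 ms : 13 kbit/s
o 22.8 kbit/s (per channel)
o 270.8 kbit/s (modulated)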
Radio Interface - GMSK Modulation
[Figure: phase against time t for MSK and GMSK, between -Tb and Tb, reaching π/2]
[Figure: modulation spectrum in dB (0 to -70) against frequency in kHz (-200 to 400), for a 200 kHz channel]
GMSK = Gaussian Minimum Shift Keying:
convolution of an MSK ramp (π/2 - width: 1 bit), by a Gaussian function: 0-1 or 1-0 bit
transitions => "smooth" transitions of π/2
Properties:
o Gradual transitions avoid the need to filter signal harmonics which are very weak
o Spectrum efficiency ~ 1 bit/Hertz (270.8 kbaud/200 kHz)
o Modulation spectrum: To prevent catastrophic interference, it is essential to
avoid using adjacent frequencies in adjacent cells.
Radio Interface - Rayleigh fading
[Figure: "GAP" in the reception of frequency "f"]
Radio Interface - Frequency Hopping
N-frequency hopping groups can be defined for each TS (N>=4)
The overall system capacity remains unchanged (eg. : 32 mobiles on 4 frequencies)
FCCH/ SCH/ BCCH/ CCCH: No Hopping
[Figure: TS 0 to 7 on the "Beacon" frequency and on the other frequencies, with SDCCH marked. Examples: TS0 : Hopping over 4 frequencies; TS3 : Hopping over 5 frequencies]
Radio Interface - Power Control
Power Control (PC) is used to minimize interference
PC algorithm in BSC (processing and decision)
PC mandatory for MS: steps of 2 dB every 60 ms; optional for BTS: 15 steps of 2 dB
[Figure: Possible values of Output Power (GSM 900 MS), in dBm: 39 dBm (8 W), 33 dBm (2 W), and lower values reached in PC steps over a range of 28 dB, down to ~ 3 mW]
[Figure: Example of PC Commands (GSM 900 MS): Output Power (dBm) and PC Level against time, one command every 60 ms, starting from P max MS 2 W (33 dBm)]
Radio Interface - Space Diversity
[Figure: Rx Chain 1 and Rx Chain 2 processed in parallel to give the RESULT]
Space Diversity is used against fading in the uplink direction
The same signal with different multi-paths is received in the Base Station where it is
processed within 2 independent chains : a Discriminator then identifies the best signal
GSM number and identities: Subscriber identifications
IMEI ( International Mobile Equipment Identity )
IMEISV ( International Mobile Equipment Identity and Software Version number ) (Phase 2+)
IMEI   : TAC + FAC + SNR + SP
IMEISV : TAC + FAC + SNR + SVN
o TAC = Type Approval Code
o FAC = Final Assembly Code
o SNR = Serial NumbeR
o SP = SPare
o SVN = Software Version Number
GSM number and identities: Mobile Equipment identification
IMSI ( International Mobile Subscriber Identity )
o Nature: International Identity, E212 compliant
o Format: MCC + MNC + MSIN (H1 H2 x x x ........ x x x)
o Meaning: MCC = Mobile Country Code; MSIN = Mobile Subscriber Identity Number, including H1 H2 identifying the HLR; NMSI = national identity
o Examples: MCC 208 = France, 234 = U.K.; MNC 01 = Orange, 10 = Cegetel; MSIN 69 xx xx xx xx = LYON, 94 xx xx xx xx = MASSENA
o Characteristics: Stored in SIM module and AuC
MS - ISDN ( Mobile Station - Integrated Service Digital Network n° )
o Nature: Directory Number, ISDN type, E.164/E.213 compliant
o Format: CC + NDC + SN (M1 M2 xx xx xx xx)
o Meaning: CC = Country Code; NDC = National Destination Code*; SN = Subscriber Number ( national identity ), including M1 M2 identifying the HLR
o Examples: CC 44 with NDC 802 = Cellnet GSM, 385 = Vodafone GSM, 956 = Mercury DCS, 973 = Hutchinson DCS; CC 33 with NDC 607/8 and 609; SN 61 MC DU to 69 MC DU = LYON, 01 MC DU to 09 MC DU = MASSENA, 11 xxxx to 3x xxxx = LA FOURCHE
o Characteristics: Allocated to an IMSI (by MMC) in the HLR
* instead of identifying a geographic area, the NDC identifies an OPERATOR
[Table row "N° of digits", values as they appear: max 10; 1 to 3; 2 to 4; total up to 15]
GSM number and identities: Geographic identification
[Figure: the LAI is built from MCC, MNC and LAC; the CGI is built from MCC, MNC, LAC and CI]
BSS / NSS Protocols and Software Modules: general
[Figure: protocol stacks of the MS, BTS, BSC, MSC / VLR and NSS entities (eg. : HLR) on the Um, A bis, A and (D) interfaces. Upper layers: CC, SS, (SMS), MM, RR, RR', BTSM, DTAP, BSSMAP, MAP, (Relays). Lower layers: TCAP, SCCP, MTP 3, MTP 2, LAPD, LAPDm, S.C.1]
BSS / NSS Protocols and Software Modules: Radio Interface
Each entry gives: Protocol Discriminator - Meaning; Entities; Function.
RR - Radio Resource Management; MS - BSC (and BTS)
- Paging management
- Ciphering mode management
- Frequency redefinition
- Dedicated channel assignment
- Handover management
- Measurements and power control
MM - Mobility Management; MS - MSC / VLR
- Location Updating
- Ciphering mode management
- Frequency redefinition
- Dedicated channel assignment
CC - Call Control; MS - MSC
- Call handling and routing
- DTMF facilities
SS - Supplementary Services; MS - MSC (+ HLR)
- Access to Supplementary Services
SMS - Short Message Service; MS - MSC (+ SMS-C)
- Short Message Service
BSS / NSS Protocols and Software Modules: GPRS protocols
Layer Model for Signalling plan (GPRS)
[Figure: protocol stacks of the MS, BSS, SGSN and GSN on the Um, Gb and Gn interfaces. MS: GMM, SM, GSMS over LLC, RLC, MAC, L1 RF. BSS: relay between RLC / MAC / L1 RF and BSSGP / Frame Relay / L1 bis. SGSN: GMM, SM, GSMS over LLC, BSSGP, Frame Relay, L1 bis on Gb, and GTP, UDP, IP, L2, L1 on Gn]
Layer Model for Transmission plan (GPRS)
[Figure: protocol stacks of the MS, BSS, SGSN and GGSN on the Um, Gb and Gn interfaces. MS: Appli, IP / X25, SNDCP, LLC, RLC, MAC, Physical Layer. BSS: relay between RLC / MAC / Physical Layer and BSSGP / Frame Relay / L1 bis. SGSN: SNDCP, LLC, BSSGP, Frame Relay, L1 bis on Gb, and GTP, UDP & TCP, IP, L2, L1 on Gn. GGSN: IP / X25, GTP, UDP & TCP, IP, L2, L1]
[Figure: encapsulation of a data unit (Header + Data, =< 1520 Bytes) down to the physical layer:
o Compression of each part
o Division of the SDU in 2 blocks, Label added for each block
o LLC Encapsulation: Header and CRC added
o LLC frame split into blocks
o RLC Encapsulation: RLC MAC Header and CRC added to each block
o PHYSICAL: Channel Coding CS1 to CS4, Block 1 to Block 8]
Level 3 GSM procedures: Setting up the radio connection
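[Figure: message sequence between MS, BTS, BSC and MSC over the Um, A bis and A interfaces]
1. MS --> BTS (RACH): RR CHANNEL REQUEST
2. BTS --> BSC: BTSM CHANNEL REQUIRED
3. BSC: ASSIGNMENT of an SDCCH Channel; BSC --> BTS: BTSM CHANNEL ACTIV. SDCCH N
4. BTS: ACTIVATION of Channel indicated; BTS --> BSC: BTSM CHANNEL ACTIV. ACK
5. BSC --> BTS: BTSM RR IMM. ASSIGN. CMD (T3101); BTS --> MS (AGCH): RR IMMEDIATE ASSIGN. SDCCH N
6. MS: CONNECTION to the SDCCH Channel; MS --> BTS (SDCCH): SABM carrying MM CM_SERVICE REQUEST
7. BTS --> BSC: ESTABLISH INDIC. carrying MM CM_SERVICE REQUEST; BTS --> MS (SDCCH): UA carrying MM CM_SERVICE REQUEST
8. BSC --> MSC: SCCP CONNECT REQUEST carrying MM CM_SERVICE REQUEST (T9105)
9. MSC --> BSC: SCCP CONNECT CONFIRM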
Level 3 GSM procedures: Security Functions
Authentication
o Checks that the Mobile Station is the required station and not an intruder
Ciphering
o All Information (Signalling, Speech and Data) is sent in ciphered mode, to avoid
monitoring and intruders (who could analyze signalling data)
Temporary Identification (TMSI)
o Used instead of the IMSI for safety reasons: tracing of the MS is not so easy on the air interface
o Allocated at least when MS is registered in a new VLR (but may be allocated at each
transaction)
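[Figure: authentication and ciphering between the SIM card / MS and the AuC / BTS, over the Radio Channel]
o Ki : Identification key (128 bits), held in the SIM card and in the AuC
o RAND (128 bits) : Random number selection on the network side, sent over the Radio Channel
o SRES : Signed ref. (32 bits), computed from Ki and RAND with A3 on both sides; the two values are compared (=? OK)
o Kc : Cipher key for the call (64 bits), computed from Ki and RAND with A8 on both sides; Cipher command
o A5 : Ciphering/Deciphering of Speech - Data - Signalling with Kc, in the MS and in the BTS; Ciphered data on the Radio Channel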
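Added example (not part of the original slides): the challenge-response and cipher key derivation described above, with the AuC and the SIM card as two objects sharing Ki. A3 and A8 are not specified on the page, so HMAC-SHA256 truncated to the page's output sizes stands in for both (an assumption); the class and function names are illustrative, and the IMSI and Ki in the usage lines are constructed values.

```python
"""GSM authentication and Kc derivation with stand-in A3/A8 (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

KI_LEN, RAND_LEN, SRES_LEN, KC_LEN = 16, 16, 4, 8   # 128, 128, 32 and 64 bits


def prf(ki: bytes, rand: bytes, label: bytes) -> bytes:
    """Stand-in for A3/A8 (assumption): HMAC-SHA256 keyed with Ki."""
    if len(ki) != KI_LEN or len(rand) != RAND_LEN:
        raise ValueError("Ki and RAND must both be 128 bits")
    return hmac.new(ki, label + rand, hashlib.sha256).digest()


def a3(ki: bytes, rand: bytes) -> bytes:
    """SRES: 32-bit answer to the challenge RAND."""
    return prf(ki, rand, b"A3")[:SRES_LEN]


def a8(ki: bytes, rand: bytes) -> bytes:
    """Kc: 64-bit cipher key for the call, the key later used by A5."""
    return prf(ki, rand, b"A8")[:KC_LEN]


class AuC:
    """Network side: stores Ki per IMSI and produces (RAND, SRES, Kc)."""

    def __init__(self) -> None:
        self._ki = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki[imsi] = ki

    def triplet(self, imsi: str) -> Tuple[bytes, bytes, bytes]:
        ki = self._ki[imsi]
        rand = secrets.token_bytes(RAND_LEN)       # fresh challenge every time
        return rand, a3(ki, rand), a8(ki, rand)


class Sim:
    """SIM card: Ki stays inside; only SRES and Kc come out."""

    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        return a3(self._ki, rand), a8(self._ki, rand)


def authenticate(auc: AuC, sim: Sim) -> Optional[bytes]:
    """Run one challenge-response; return Kc if SRES matches, else None."""
    rand, expected_sres, kc_network = auc.triplet(sim.imsi)
    sres, kc_sim = sim.respond(rand)      # RAND goes down, SRES comes back up
    if not hmac.compare_digest(sres, expected_sres):
        return None                       # no cipher command is sent
    assert kc_sim == kc_network           # both ends derived the same Kc
    return kc_network


def replayed_sres_accepted(auc: AuC, sim: Sim) -> bool:
    """A response recorded for one RAND must not satisfy the next challenge."""
    old_rand, _, _ = auc.triplet(sim.imsi)
    recorded_sres, _ = sim.respond(old_rand)
    _, expected_sres, _ = auc.triplet(sim.imsi)   # new RAND, new expected SRES
    return hmac.compare_digest(recorded_sres, expected_sres)


if __name__ == "__main__":
    imsi, ki = "001010000000001", bytes(range(16))   # constructed values
    auc = AuC()
    auc.provision(imsi, ki)
    print("genuine SIM:", authenticate(auc, Sim(imsi, ki)))
    print("wrong Ki   :", authenticate(auc, Sim(imsi, bytes(16))))
```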
Level 3 GSM procedures: Mobile Originating Call
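[Figure: message sequence between MS, BTS, BSC, MSC/VLR and the PSTN or ISDN over the Um, A bis and A interfaces]
Radio connection set-up:
o MS --> BTS (RACH): RR CHANNEL REQUEST
o BTS --> MS (AGCH): RR IMMEDIATE ASSIGN. SDCCH N
o MS --> BTS (SDCCH): SABM carrying MM CM Serv. Req.; BTS --> MS: UA
o BTS --> BSC: ESTABLISH INDIC. carrying MM CM Serv. Req.
o BSC --> MSC/VLR: SCCP CONNECT REQUEST carrying MM CM Serv. Req.
o MSC/VLR --> BSC: SCCP CONNECT CONFIRM
AUTHENTICATION
CIPHERING
Call set-up (Ciphered, on SDCCH):
o MS --> MSC/VLR: CC SET - UP (DATA INDICATION on A bis, SCCP DATA on A)
o MSC/VLR --> PSTN or ISDN: ISUP IAM
o MSC/VLR --> MS: CC CALL PROCEEDING (SCCP DATA on A, DATA REQUEST on A bis)
TCH assignment:
o MSC/VLR: CIC selection; MSC/VLR --> BSC: BSSMAP Assignment Request (SCCP DATA)
o BSC --> BTS: BTSM PHYS. CTX REQ.; BTS --> BSC: BTSM PHYS. CTX CONF.
o BSC: TCH allocation; BSC --> BTS: BTSM CHANNEL ACTIV. TCH; BTS --> BSC: BTSM CHANNEL ACTIV. ACK
o BSC --> MS: RR ASSIGNMENT CMD TCH (DATA REQUEST on A bis), T3107
o RELEASE REQ * Local End (* if no answer from MS)
o MS --> BTS (FACCH): SABM; BTS --> MS: UA; BTS --> BSC: ESTABLISH INDIC.
o MS --> MSC/VLR: ASSIGNMENT COMPL. (DATA INDICATION on A bis, SCCP DATA on A)
o BSC --> BTS: RF CHANNEL REL.; BTS --> BSC: RF CHANNEL REL. ACK
Alerting and connection:
o PSTN or ISDN --> MSC/VLR: ACM (Called P. ringing)
o MSC/VLR --> MS: ALERTING (SCCP DATA on A, DATA REQUEST on A bis)
o PSTN or ISDN --> MSC/VLR: ANM (Off-hooking)
o MSC/VLR --> MS: CONNECT (SCCP DATA on A, DATA REQUEST on A bis)
o MS --> MSC/VLR: CONNECT ACK (DATA IND. on A bis, SCCP DATA on A)
CONVERSATION PHASE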
Level 3 GSM procedures: Mobile Terminating Call
[Figure: message sequence between the PSTN or ISDN, the GSM Network and the MOBILE]
SET-UP of an RR CONNECTION (MT):
o PAGING REQUEST
o CHANNEL REQUEST
o IMMEDIATE ASSIGNMENT
o PAGING RESULT
o SERVICE INDICATION
AUTHENTICATION:
o AUTHENTICATION REQUEST
o AUTHENTICATION RESPONSE
TRANSITION to CIPHERING mode:
o CIPHERING MODE CMD
o CIPHERING MODE COMPLETE
START OF CALL:
o SET UP
CALL CONFIRMATION:
o CALL CONFIRMED
TRAFFIC CHANNEL ASSIGNMENT:
o ASSIGNMENT CMD
o ASSIGNMENT COM
o ALERTING
CALL ACCEPTED:
o CONNECT
o CONNECT ACK
Level 3 GSM procedures: International Call
[Figure: international call across COUNTRY 1, COUNTRY 2 and COUNTRY 3. Blocks: PSTN, GMSC and HLR of the Home PLMN, VMSC VLR of the Visited PLMN, International SCCP Gateways (Incoming, Outgoing); the HLR interrogation goes out through the gateways]
Level 3 GSM procedures: Location Updating
General
o This procedure is always initiated by the Mobile Station and involves providing the
VLR (and HLR if required) with its current position,
o The visited VLR stores the Location Area (LA),
o The LA n° (LAI) received is updated dynamically in SIM non-volatile memory.
Normal Location Update
o When the mobile is switched on without having stored the LAI (eg.: initial use of
SIM),
o When the mobile is switched on in a different LA from the LA stored in the SIM,
o When the pre-synchronized mobile moves from one LA to another (same or different
VLR).
Periodic Location Update
o When the SIM internal counter overflows
(This counter is automatically incremented by the mobile when it is switched on)
Level 3 GSM procedures: Handover
3 Phases :
o Identification of requirement, Selection of a new cell, Execution
Mobile Station:
o Continuous Quality and Received Power Control
o Continuous adjacent cell Power monitoring
o Transmission of measurement reports to the BTS (every 0.5s)
Network:
o The BTS measures the Quality and the received Power from the mobile
o The BSC runs the Power Control and Handover central algorithm
o The BSC controls the handover operation
Handover Types:
o Intra-BSC / Inter - BSC, Intra - MSC / Inter - MSC (first and subsequent)
o Internal (within the same BTS) if there is uplink or downlink interference
o Synchronized / non-synchronized
[Figure: handover from BTS 1 to BTS 2 under the same BSC (Intra BSC), and handovers between BSCs and between MSC / VLRs, with the PSTN]