 Introduction

 GSM Architecture
 GSM Channels
 GSM Protocol Stack
 GSM Services
 GSM Handover
 GSM Security
5-Feb-24 2
 GSM Radio frequency spectra
5-Feb-24 4
890MHz 915MHz 935MHz 960MHz

0 124 0 124

5-Feb-24 5
 Time division multiple access-TDMA
 124 radio carriers, inter carrier spacing
200khz.
 890 to 915 Mhz mobile to base - UPLINK
 935 to 960 Mhz base to mobile - DOWNLINK
 8 channels/carrier
 GSM combines FDM and TDM: bandwidth is
subdivided into channels of 200khz, shared
by up to eight stations, assigning slots for
transmission on demand.
5-Feb-24 6
5-Feb-24 8
 MS
GSM - Network Structure
Um

BTS VLR HLR

BSC
Abis MSC
A B H
MS C AuC
BTS GMSC
E F
Abis
EIR
A E
MSC

BSC PSTN
Um
BTS X.25
VLR
X.25
OMC Server
9
 GSM Network
SS
Switching
AUC System
External
PSTN & VLR HLR EIR
PDN N/W OMC
MSC
MS Mobile Station
BTS Base transceiver System
BSC Base Station Controller
MSC Mobile Switching Center BSS BSC Base Station
HLR Home Location Register
VLR Visitor Location Register BTS
System
EIR Equipment Identity Register
AUC Authentication Center MS 10
OMC Operation And Maintenance Center
 radio cell
BSS
MS MS

Um radio cell

RSS BTS MS

BTS

Abis

BSC BSC
A

MSC MSC

NSS signaling
VLR VLR
ISDN, PSTN
HLR GMSC
PDN
IWF
O
OSS
EIR AUC OMC

5-Feb-24 11
 Handles the radio interface to the mobile station.
 Consists of one or more radio terminals for transmission
and reception
 Each Radio terminal represents an RF Channel
 TRX and MS communicates over Um interface
 Received data transcoding
 Voice encryption/decryption
 Signal processing functions of the radio interface
 Uplink Radio channel power measurements

12
 Provides all the control functions and physical links
between the MSC and BTS
 External Interfaces
▪ ‘Abis’ interface towards the BTS
▪ ‘A’ interface towards the MSC
 Monitors and controls several BTSs
 Management of channels on the radio interface
 Alarm Handling from the external interfaces
 Performs inter-cell Handover
 Switching from ‘Abis’ link to the ‘A’ link
 Interface to OMC for BSS Management

13
 Performs call switching
 Interface of the cellular network to PSTN
 Routes calls between PLMN and PSTN
 Queries HLR when calls come from PSTN to mobile
user
 Inter-BSC Handover
 Paging
 Billing

14
 Stores user data of all Subscribers related to the GMSC
▪ International Mobile Subscriber Identity(IMSI)
▪ Users telephone number (MS ISDN)
▪ Subscription information and services
▪ VLR address
▪ Reference to Authentication center for key (Ki)
 Referred when call comes from public land network

15
 Database that contains Subscriber
parameters and location information for all
mobile subscribers currently located in the
geographical area controlled by that VLR
 Identity of Mobile Subscriber
 Copy of subscriber data from HLR
 Generates and allocates a Temporary
Mobile Subscriber Identity(TMSI)
 Location Area Code
 Provides necessary data when mobile
originates call

16
 Stores Subscriber authentication data called Ki, a copy
of which is also stored in in the SIM card
 Generates security related parameters to authorize a
subscriber (SRES-Signed RESponse)
 Generates unique data pattern called Cipher key (Kc)
for user data encryption
 Provides triplets - RAND, SRES & Kc, to the HLR on
request.

17
 EIR is a database that contains a list of all valid
mobile station equipment within the network,
where each mobile station is identified by its
International Mobile Equipment Identity(IMEI).
 EIR has three databases.,
▪ White list - For all known,good IMEI’s
▪ Black list - For all bad or stolen handsets
▪ Grey list - For handsets/IMEI’s that are
on observation

18
 LAI identifies a location area which is a group of
cells..
 It is transmitted in the BCCH.
 When the MS moves into another LA (detected by
monitoring LAI transmitted on the BCCH) it must
perform a LU.
 LAI = MCC + MNC + LAC
▪ MCC= Mobile Country Code(3 digits), identifies the country
▪ MNC= Mobile Network Code(1-2 digits), identifies the GSM-
PLMN
▪ LAC= Location Area Code, identifies a location area within a
GSM PLMN network. The maximum length of LAC is 16
bits,enabling 65536 different location areas to be defined in
one GSM PLMN.
19
Traffic

«bla bla bla...»

Signaling « RING ! »
riiiiing

Network
 From Speech to RF Signal
Blah... Blah... Blah... Blah… Blah… Blah...
Digitizing and
Source Decoding
Source Coding

Channel Coding Channel Decoding

Interleaving De-interleaving

Ciphering Deciphering

Burst Formatting Burst De-formatting

Modulating Demodulating
 Speech
Digitizing and Source
Step 1 source coding decoding

Channel Channel
Step 2 coding decoding

Interleaving De-interleaving

Step 3
Burst deformatting
Burst formatting

Deciphering
Step 4 Ciphering

Demodulation
Step 5 Modulation equalization

Step 6 Diversity
Transmission

23
Physical channels : The combination of an ARFCN
and a time slot defines a physical channel.

Logical channels : These are channels specified by

GSM which are mapped on physical channels.

24
Physical channel:
• One timeslot of a TDMA-frame on one carrier is referred to
as a physical channel.
• There are 8 physical channels per carrier in GSM, channel
0-7(timeslot 0-7)

Logical channel:
• A great variety of information must be transmitted between
BTS and the MS,for e.g. user data and control signaling.
Depending on the kind of information transmitted we refer to
different logical channels.
• These logical channels are mapped on physical
channel.
25
 935-960 MHz
124 channels (200 kHz)
downlink

890-915 MHz
124 channels (200 kHz)
uplink

higher GSM frame structures

time

GSM TDMA frame

1 2 3 4 5 6 7 8
4.615 ms

GSM time-slot (normal burst)

guard guard
space tail user data S Training S user data tail space

3 bits 57 bits 1 26 bits 1 57 bits 3

546.5 µs
 935-960 MHz
124 channels (200 kHz)
downlink

890-915 MHz
124 channels (200 kHz)
uplink
higher GSM frame structures
time

GSM TDMA frame

1 2 3 4 5 6 7 8
4.615 ms

GSM time-slot (normal burst)

guard guard
space tail user data S Training S user data tail space
3 bits 57 bits 1 26 bits 1 57 bits 3
546.5 µs
577 µs

Winter 2001 ICS 243E - Ch4. Wireless Telecomm. Sys. 4.27

 hyperframe
0 1 2 ... 2045 2046 2047 3 h 28 min 53.76 s

superframe
0 1 2 ... 48 49 50
6.12 s
0 1 ... 24 25

multiframe
0 1 ... 24 25 120 ms

0 1 2 ... 48 49 50 235.4 ms

frame
0 1 ... 6 7 4.615 ms
slot
burst 577 µs
29
30
Speech in GSM is digitally coded at a rate of 13 kbps

184 bits
( 20 ms)
260 bits every 20 ms

Convolutional Encoder
456 bits every 20 ms

GMSK
31
32
Jan 22, 2015 33
Jan 22, 2015 34
Traffic Channels Control Channels
(TCHs)

Broadcast Common Control Dedicated Control

Channels Channels Channels
(BCHs) (CCCHs) (DCCHs)

(down uplink)
Full Half
Downlink Downlink Uplink
rate rate
Fast Slow

FCCH SCH
TCH /F TCH /H BCCH PCH AGCH CBCH RACH SDCCH FACCH SACCH
Traffic Multiframing Signaling Multiframing Traffic Multiframing

35
 TCH carries the voice data.
 Two blocks of 57 bits contain voice data in the normal
burst.
 One TCH is allocated for every active call.
 Full rate traffic channel occupies one physical
channel(one TS on a carrier) and carries voice data at
13kbps
 Two half rate (6.5kbps) TCHs can share one physical
channel.

36
 LOGICAL
CHANNELS

COMMON DEDICATED
CHANNELS CHANNELS

BROADCAST COMMON DEDICATED TRAFFIC

CHANNELS CONTROL CONTROL CHANNELS
CHANNELS CHANNELS

FCCH SCH BCCH SDCCH SACCH FACCH

PCH RACH AGCH TCH/F TCH/H TCH/EFR

37
 Logical channels

Control channels Traffic channels

Half Full
CCCH DCCH
BCH rate rate

FCCHSCH BCCH CBCH PCH AGCH RACH SDCCH SACCH FACCH

38
 Broadcast Channel-BCH
▪ Alloted one ARFCN & is ON all the time in every cell. Present
in TS0 and other 7 TS used by TCH.
 Frequency correction channel-FCCH
▪ To make sure this is the BCCH carrier.
▪ Allow the MS to synchronize to the frequency.
▪ Carries a 142 bit zero sequence and repeats once in every
10 frames on the BCH.
 Synchronization Channel-SCH
▪ This is used by the MS to synchronize to the TDMA frame
structure within the particular cell.
▪ Listening to the SCH the MS receives the TDMA frame
number and also the BSIC ( in the coded part- 39 bits).
▪ Repeats once in every 10 frames.
39
 BCCH
▪ The last information the MS must receive in order to receive
calls or make calls is some information concerning the cell.
This is BCCH.
▪ This include the information of Max power allowed in the cell.
▪ List of channels in use in the cell.
▪ BCCH carriers for the neighboring cells,Location Area
Identity etc.
▪ BCCH occupies 4 frames (normal bursts) on BCH and
repeats once every Multiframe.
▪ This is transmitted Downlink point to multipoint.
 Cell Broadcast Channel - CBCH
▪ Used for the Transmission of generally accessible
information like Short Message Services(SMS)
40
 CCCH-
▪ Shares TS-0 with BCH on a Multiframe.
 Random access channel-RACH:
▪ Used by Mobile Station for requesting for a channel. When
the mobile realizes it is paged it answers by requesting a
signaling channel (SDCCH) on RACH. RACH is also used by
the MS if it wants to originate a call.
▪ Initially MS doesn’t know the path delay (timing advance),
hence uses a short burst (with a large guard period = 68.25
bits).
▪ MS sends normal burst only after getting the timing advance
info on the SACCH.
▪ It is transmitted in Uplink point to point.

41
 Access Grant Channel-AGCH
▪ On request for a signaling channel by MS the network assigns a
signaling channel(SDCCH) through AGCH. AGCH is transmitted
on the downlink point to point.
 Paging Channel-PCH
▪ The information on this channel is a paging message including
the MS’s identity(IMSI/TMSI).This is transmitted on Downlink,
point-to-multipoint.

42
 Stand alone dedicated control channel(SDCCH)
 AGCH assigns SDCCH as signaling channel on request
by MS.The MS is informed about which
frequency(ARFCN) & timeslot to use for traffic.
 Used for location update, subscriber authentication,
ciphering information, equipment validation and
assignment of TCH.
 This is used both sides, up and Downlink point-point.

43
 Slow associated control channel-SACCH
▪ Transmission of radio link signal measurement, power control
etc.
▪ Average signal strengths(RXLev) and quality of service (RXQual)
of the serving base station and of the neighboring cells is sent on
SACCH (on uplink).
▪ Mobile receives information like what TX power it has to transmit
and the timing advance. It is associated with TCH or SDCCH
 Fast associated control channel-FACCH
▪ Used for Hand over commands and during call setup and
release. FACCH data is sent over TCH with stealing flag set

44
 In telecommunication system - signalling is
required to coordinate the necessarily
distributed functional entities of the network.

 The transfer of signalling information in GSM

follows the layered OSI model

5-Feb-24 46
Layer 3

Layer 2

Layer 1

TDMA/FDMA

5-Feb-24 47
 Um Abis A
MS BTS BSC MSC

CM CM

MM MM

BSSAP
BSSAP
RR
RR’
RR’ BTSM BTSM
SS7 SS7
LAPDm LAPDm LAPD LAPD

radio radio PCM PCM PCM PCM

16/64 kbit/s 64 kbit/s /

2.048 Mbit/s
5-Feb-24 49
 Um
▪ Radio interface between MS and BTS
▪ each physical channel supports a number of logical channels
 Abis
▪ Between BTS and BSC
▪ primary functions: traffic channel transmission, terrestrial channel
management, and radio channel management
 A
▪ Between BSC and MSC
▪ Primary functions: message transfer between different BSCs to the
MSC

5-Feb-24 50
 Modulation Techniques
▪ Gaussian Minimum Shift Keying (GMSK)
 Channel Coding
▪ Block Code
▪ Convolutional Code
 Interleaving
▪ To distribute burst error
 Power control methodology
▪ to minimize the co-channel interference
 Time synchronization approaches

5-Feb-24 51
 Connection-based Network
▪ Traffic
▪ Signaling and Control
 Signaling and control data are conveyed through
Layer II and Layer III messages in GSM
 Purpose of Layer II is to check the flow of packets
for Layer III
 DLL checks the address and sequence # for Layer III
 Also manages ACKs for transmission of the packets

Jan 22, 2015 52

 DLL over the radio link is based on a modified LAPD
(Link Access Protocol for the D channel) referred to
as LAPDm (m like mobile)

 On the A-bis interface, the layer 2 protocol is based

on the LAPD from ISDN.

 The Message Transfer Protocol (MTP) level 2 of the

SS7 protocol is used at the A interface.

Jan 22, 2015 53

 Functions of LAPDm
▪ Organization of Layer 3 information into frames
▪ Peer-to-peer transmission of signaling data in
defined frame formats
▪ Recognition of frame formats
▪ Establishment, maintenance, and termination of
one or more (parallel) data links on signaling
channels

Jan 22, 2015 54

 B-channel ( Bearer Channel)
▪ A 64 kbps channel used for voice, video, data, or multimedia calls.

 D-channel (Delta Channel)

▪ A 16 kbps or 64 kbps channel used primarily for communications (or
"signaling") between switching equipment in the ISDN network and
the ISDN equipment

Jan 22, 2015 55

 Communication of network resources, mobility, code format
and call-related management messages between various
network entities
 A number of mechanisms needed to establish, maintain and
terminate a mobile communication session
 Layer III implements the protocols needed to support these
mechanisms
 A signaling protocol, the registration process, is composed of
a sequence of communication events or messages
 Layer III defines the details of implementation of messages
on the logical channels encapsulated in DLL frames

Jan 22, 2015 56

 Radio Resource Management (RR)
 Mobility Management (MM)
 Connection Management (CM)

 Transaction Identifier (TI): to identify a protocol that consists of a

sequence of message, allows multiple protocols to operate in parallel
 Protocol Discriminator (PD): Identifies the category of the operation
(management, supplementary services, call control)
 Message Type (MT): Identifies the type of messages for a given PD
 Information Elements (IE): An optional field for the time that an
instruction carries some information that is specified by an IE identifier
(IEI).

Jan 22, 2015 57

 Handles all procedures necessary to
establish, maintain & release dedicated
radion connections
▪ Channel allocation
▪ Handover
▪ Timing advance
▪ Power control
▪ Frequency hopping

Jan 22, 2015 58

 Location management
▪ Involves the procedures and signaling for location
updating, so that the mobile’s current location is
stored at the HLR
▪ Allowing incoming calls to be properly routed.

 Security
▪ Involves the authentication of the mobile

Jan 22, 2015 59
Jan 22, 2015 60
 Call Control Sub Layer
▪ Manages call routing, establishment, maintenance, and
release ( Closely related to ISDN call control.)
 Supplementary Services Sub Layer
▪ Manages the implementation of the various supplementary
services (Call Forwarding/waiting/hold )
▪ Allows users to access and modify their service subscription.
 Short Message Service Sub Layer
▪ Handles the routing and delivery of short messages, both
from and to the mobile subscriber.

Jan 22, 2015 61

 Four Classes of Services in GSM
▪ Bearer Services (BS)
▪ Teleservices (TS)
▪ Supplementary Services (SS)
▪ Value-added Services (VAS)

5-Feb-24 63
 Provide lower layer access (GSM layers 1-3)
 Classified by demands bearer service makes
on network
 In order to provide end-to-end bearer GSM
must connect to other networks
▪ PSTN, ISDN, PSPDN, CSPDN

5-Feb-24 64
 Provide the service visible to the user
 Require support by higher layers

5-Feb-24 65
5-Feb-24 66
 Supplementary services supplement bearer
and teleservices
 Supplementary Services are devided into
▪ Call-independent or non-call related SS
▪ Call-related SS
▪ Unstructured SS
 Offerings of SS depend on network ser vice
provider

5-Feb-24 67
 Call Forwarding (call offering) SS
▪ Call forwarding unconditional (CFU)
▪ Call forwarding on mobile subscriber busy (CFB)
▪ Call forwarding on no reply (CFNRy)
▪ Call forwarding on not reachable (CFNRc)
 Call Barring (call restriction) SS
▪ Barring of all outgoing calls (BOAC)
▪ Barring of outgoing international call
▪ Barring of outgoing international calls except those to HPLMN
▪ Barring of all incoming calls
▪ Barring of incoming calls when roaming
5-Feb-24 68
 Line identification SS
▪ Calling line identification representation (CLIP)
▪ Calling line identification restriction (CLIR)
▪ Connected line identification presentation (COLP)
▪ Connected line identification restriction (COLR)

5-Feb-24 69
 
1, 2: connection request
VLR
3, 4: security check
5-8: check resources (free circuit) 3 4
6 5
9-10: set up call PSTN GMSC MSC
7 8
2 9

MS
1 BSS
10

5-Feb-24 71
Mobile Originated Call
• Request for Service
• Authentication
• Ciphering
• Equipment Validation
• Call Setup
• Handovers
• Call Release

72
 Mobile Originating Call
MS BSS MSC PSTN
1 CHANNEL REQUEST VLR
Dialing
IMMEDIATE ASSIGNMENT
2

2 CM SERVICE REQUEST2 CM SERVICE REQUEST

3 Authentication procedure
3 Ciphering procedure
Sending 4 SETUP (basic) or 4 SETUP
Number EMERGENCY 5
IAM
CALL PROCEEDING 6 Ring
CALL PROCEEDING
7
7
Ringing
7 Assignment procedure
ACM 8
ALERTING9
Ringing
ANM 10
Path CONNECT 11
Established CONNECT ACKnowledge ACM = Address Complete Message
11 ANM = ANswer Message
IAM = Initial Address Message

73
1: calling a GSM subscriber 4
HLR VLR
2: forwarding call to GMSC 5
3: signal call setup to HLR 8 9
3 6 14 15
4, 5: request MSRN from VLR
6: forward responsible calling
PSTN GMSC
7 MSC
station
MSC to GMSC 1 2
7: forward call to 10 10 13 10
 current MSC 16
8, 9: get current status of MS BSS BSS BSS
10, 11: paging of MS 11 11 11
12, 13: MS answers
14, 15: security checks 11 12
17
16, 17: set up connection
MS

5-Feb-24 74
Mobile Terminated Call
• Paging
• Authentication
• Ciphering
• Equipment Validation
• Call Setup
• Handovers
• Call Release

75
 Mobile Terminating Call
1 - Paging Principle
LA1

6 BSC1 4
BTS11

5
MSC/
3 1
BTS12 PSTN
6 GMSC
5 VLR
BSC2
BTS21
2
BTS22
HLR
LA2
BTS23 BSC3

BTS31

76
 Mobile Terminating Call
2 - Detailed Procedure
Visitor PLMN International Home PLMN
SS7
VLR HLR
Provide Roaming Number
(IMSI) 4

Roaming Number
5 (MSRN)

9 6
Send 1
Send info Routing Routing
PAGE to I/C
PAGING Information Information MSISDN
(TMSI + LA) (MSRN)
REQUEST (MSRN) (MSISDN)
(TMSI)
8 3
11 PAGING IAM (MSRN) IAM
REQUEST
BSS (TMSI + LA) 10 VMSC 7 GMSC (MSISDN) 2 ISDN
PN

IAM : Initial Address Message IMSI : International Mobile Subscriber Identity

MSISDN : Mobile Station Integrated Services Digital GMSC : Gateway MSC
network Number VMSC : Visitor MSC
MSRN : Mobile Station Roaming Number TMSI : Temporary Mobile Subscriber Identity

77
 Mobile Terminating Call
3 - End to End Procedure
MS BSS VMSC GMSC PSTN

IAM 1
IAM 2
PAGING REQUEST4 PAGING REQUEST3 (MSISDN)
(MSRN) Dialing
(TMSI or IMSI, LA)
5 CHANNEL REQUEST
(LAC, Cell ID)
IMMEDIATE ASSIGNMENT
6
(SDCCH or TCH)
7 CM SERVICE REQUEST PAGING RESPONSE
7
(Paging Response)
(TMSI or IMSI, LA)
8 Authentication procedure
9 Ciphering procedure
Ringing
10 Setup, Assignment, Alerting 11
Address Complete Message
12 CONNECT ANswer Message
12
Path
Established 78
 Call Release
1 - Mobile Initiated
MS BSS MSC PSTN

1 Call in progress
2 DISCONNECT DISCONNECT
2

RELEASE RELEASE 3
3

4 RELEASE COMPLETE
5 Release
CHANNEL RELEASE
6

7 RELEASE INDICATION

RF Channel Release
procedure 8
9 Release
tone

79
Call Release
2 - PSTN Initiated
1
BSS 1 1
3 3 MSC REL 2
4 BSC 4 PSTN
5 BTS 5 6 RLC

1
2
Purpose:
informs the mobile
then releases radio
and network resources.

On hook

80
 Handover is the process of switching a radio
 connection from one BS to another in order
to maintain seamless radio connection during
mobile station movement
 Types
▪ Hard Handover or Soft Handover
▪ MS Initiated or Network Initiated

5-Feb-24 82
 receive level receive level
BTSold BTSold

HO_MARGIN

MS MS

BTSold BTSnew

5-Feb-24 83
 Intra-cell
 Inter-cell, Intra-BSC
 Inter-BSC,Intra-MSC
 Inter-MSC

5-Feb-24 84
 MS BTSold BSCold MSC BSCnew BTSnew
measurement measurement
report result

HO decision
HO required HO request
resource allocation
ch. activation

HO command HO request ack ch. activation ack

HO command HO command
HO access
Link establishment

HO complete HO complete
clear command clear command
clear complete clear complete

5-Feb-24 85
 Security services
 Access control/authentication
 user SIM (Subscriber Identity Module): secret PIN
 SIM network: challenge response method
 confidentiality
 voice and signaling encrypted on the wireless link (after
successful authentication)
 anonymity
 temporary identity TMSI
 newly assigned at each new location update (LUP)
 encrypted transmission

5-Feb-24 87
 3 algorithms specified in GSM
▪ A3 for authentication (“secret”, open interface)
▪ A5 for encryption (standardized)
▪ A8 for key generation (“secret”, open interface)

5-Feb-24 88
 mobile network SIM

RAND
Ki RAND RAND Ki

AC 128 bit 128 bit 128 bit 128 bit

A3 A3
SIM
SRES* 32 bit SRES 32 bit

MSC SRES
SRES* =? SRES SRES
32 bit

5-Feb-24 Ki: individual subscriber authentication key SRES: signed response 89

 mobile network (BTS) MS with SIM

RAND
Ki RAND RAND Ki
AC 128 bit 128 bit 128 bit 128 bit SIM

A8 A8

cipher Kc
key 64 bit Kc
64 bit
data encrypted SRES
data
BSS MS
data
A5 A5
5-Feb-24 90