GSM - Introduction

 GSM (Global System for Mobile communication) is a digital & a

TDMA mobile telephony system that is widely used in Europe
and other parts of the world.
 It operates in the 900 MHz and 1.8 GHz bands
 900 Mhz band includes
890Mhz-915Mhz for UPLINK
935Mhz-960Mhz for DOWNLINK
 1800 Mhz band includes
1710Mhz–1785Mhz for UPLINK
1805Mhz–1880Mhz for DOWNLINK
 Cellular Telephony

A
C
B
A
RBS

BTS, Base Tranceiver Station is a

BTS
network component which serves
one cell, and is controlled by a C
Base Station Controller. BTS

BTS

RBS, Radio Base Station is the

equipment needed at one site
 GSM ARCHITECTURE

 The GSM network can be logically divided into three broad parts
 The Mobile Station is carried by the subscriber

 the Base Station Subsystem controls the radio link with the
Mobile Station.

 The Network Subsystem, the main part of which is the

Mobile services Switching Center, performs the switching of
calls between the mobile and other fixed or mobile network
users, as well as management of mobile services, such as
authentication
 GSM ARCHITECTURE

SIM

MOBILE EQUIPMENT

Mobile station Base Station Subsystem Network subsystem

 Architecture
Call Delivery
2.
MSISDN
1.
3.
HLR 5. GMSC PSTN
MSISDN-- 5.MSRN MSISDN
>IMSI--> 6.
MSC/VLR IMSI 4.
Service Area MSC/VLRIMSI<-->MSRN

7.

BSC
8.

8. 9.

BTS BTS BTS

 THE MOBILE STATION

 The mobile station (MS) consists of

 the physical equipment, such as the radio transceiver,
display and digital signal processors
 a smart card called the Subscriber Identity Module (SIM).

 The mobile equipment is uniquely identified by the

International Mobile Equipment Identity (IMEI)

 The SIM card contains the International Mobile Subscriber

Identity (IMSI), identifying the subscriber, a secret key for
authentication, and other user information
 THE BASE STATION SUBSYSTEM

 The Base Station Subsystem is composed of two parts

 the Base Transceiver Station (BTS)
The Base Transceiver Station houses the radio tranceivers
that define a cell and handles the radio­link protocols with
the Mobile Station
 the Base Station Controller (BSC)
The BSC is the connection between the mobile and the
Mobile service Switching Center (MSC)
manages the radio resources for one or more BTSs
It handles radio­channel setup & frequency hopping
The BSC also translates the 13 kbps voice channel used
over the radio link to the standard 64 kbps channel used
by the Public Switched Telephone Network or ISDN.
.
 NETWORK SUBSYSTEM

 The Network subsystem consists of the

 Mobile services Switching Center (MSC)
It acts like a normal switching node of the PSTN or ISDN
In addition provides all the functionality needed to handle a
mobile subscriber, such as registration, authentication, location
updating, handovers, and call routing to a roaming subscriber.
 The Home Location Register (HLR)
The HLR contains all the administrative information of each
subscriber registered in the corresponding GSM network, along
with the current location of the mobile.
Visitor Location Register (VLR)
contains selected administrative information from the HLR
the VLR is implemented together with the MSC, so that the
geographical area controlled by the MSC corresponds to that
controlled by the VLR
NETWORK SUBSYSTEM- Contd

 The Equipment Identity Register (EIR)

a database that contains a list of all valid mobile
equipment on the network, where each mobile station is
identified by its International Mobile Equipment Identity
(IMEI).
An IMEI is marked as invalid if it has been reported
stolen or is not type approved.
 The Authentication Center (AuC)
a is a protected database that stores a copy of the secret
key stored in each subscriber's SIM card, which is used
for authentication and encryption over the radio channel.
H

SMSC
 GSM – NETWORK INTERFACES

 Each interface between the different elements of the GSM

network is defined
 Um interface   The "air" or radio interface standard that is
used for exchanges between a mobile (ME) and a base station
(BTS / BSC). For signalling, a modified version of the ISDN
LAPD, known as LAPDm is used.

 Abis interface   This is a BSS internal interface linking the

BSC and a BTS, and it has not been totally standardised.
The Abis interface allows control of the radio equipment and
radio frequency allocation in the BTS.
GSM – NETWORK INTERFACES
 A interface   The A interface is used to provide
communication between the BSS and the MSC. The interface
carries information to enable the channels, timeslots and the
like to be allocated to the mobile equipments being serviced
by the BSSs. The messaging required within the network to
enable handover etc to be undertaken is carried over the
interface.

 B interface   The B interface exists between the MSC and the

VLR . It uses a protocol known as the MAP/B protocol. As
most VLRs are collocated with an MSC, this makes the
interface purely an "internal" interface. The interface is used
whenever the MSC needs access to data regarding a MS
located in its area.
GSM – NETWORK INTERFACES
 C interface   The C interface is located between the HLR and
a GMSC or a SMS-G. When a call originates from outside the
network, i.e. from the PSTN or another mobile network it ahs
to pass through the gateway so that routing information
required to complete the call may be gained. The protocol
used for communication is MAP/C

 D interface   The D interface is situated between the VLR and

HLR. It uses the MAP/D protocol to exchange the data
related to the location of the ME and to the management of
the subscriber.
GSM – NETWORK INTERFACES
 E interface   The E interface provides communication
between two MSCs. The E interface exchanges data related to
handover between the anchor and relay MSCs using the
MAP/E protocol.

 F interface   The F interface is used between an MSC and

EIR. It uses the MAP/F protocol. The communications along
this interface are used to confirm the status of the IMEI of the
ME gaining access to the network.,br>
GSM – NETWORK INTERFACES
 G interface   The G interface interconnects two VLRs of
different MSCs and uses the MAP/G protocol to transfer
subscriber information, during e.g. a location update
procedure.

 H interface   The H interface exists between the MSC the

SMS-G. It transfers short messages and uses the MAP/H
protocol.

 I interface   The I interface can be found between the MSC

and the ME. Messages exchanged over the I interface are
relayed transparently through the BSS.,br>,br>
 AIR INTERFACE
 TDMA, each carrier is divided into eight timeslots.
 Bit rate of 270 kbit/s
 Duplex distance of 45 MHz (GSM 900), 95 MHz (GSM 1800) or 80 MHz
(GSM 1900)
 Channel separation of 200 kHz
 GMSK modulation (Gaussian Minimum Shift Keying)

GSM900 E-GSM900 GSM1800

Uplink 890-915 MHz 880-915 MHz 1710-1785 MHz

Downlink 935-960 MHz 925-960 MHz 1805-1880 MHz
THE CHANNELS OF AIR INTERFACE
RADIO CHANNEL-LOGICAL

CONTROL CHANNELS VOICE CHANNEL

BCH CCCH DCCH TCH-FR TCH-HR

SDCCH
BCCH PCH
SACCH
FCCH AGCH
FACCH
SCH RACH

CBCH
WHEN A MOBILE STATION IS SWITCHED ON
 A-Bis Interface

 E1 carrier with 32 timeslots each with 64kbps is used for A-Bis

interface
 The Abis interface contains compressed voice and GSM
information
 SIGNALLING IN GSM

 The Exchange of control information within the GSM network is

standardized by ITU-T and is known as Signaling System
Number 7 (SS7)
 The main purpose is to set up and tear down telephone calls.
Other uses include number translation, prepaid billing
mechanisms, short message service (SMS), and a variety of other
mass market services.
 SS7 signaling is done out-of-band, meaning that SS7 signaling
messages are transported over a separate data connection.
 THE SS7 PROTOCOL
PROTOCOL STACK FOR SS7

Database oriented Radio N/w related Call control related

MAP INAP CAP DTAP BSSMAP

ISUP APP
TUP OMAP

TCAP BSSAP

SCCP NETW
(sccp&
MTP LAYER - III

MTP LAYER - II DATA

MTP LAYER - I PHYSIC

HOW A GSM NETWORK WORKS
 LOCATION UPDATE

 The mobile station has to get locked with the network subscribed
to use the services assured by the service provider this procedure
is Location updating
 Location updates can be of
 IMSI ATTACH – When a mobile is switched on
 FORCED – When a mobile moves from one
location to another
 PERIODIC – Avoid MS being detached from the
network
LOCATION UPDATE-CALL FLOW
2

1
7
8
9 10
11 4
12 6

1. SABM + MM LOCATION UPDATING

2REQUEST
. MM LOCATION UPDATING
REQUEST
3 .MAP/G SEND PARAMETERS&SEND PARAMETERS RESULT
3
4 . MAP/D UPDATE LOCATION
5 . MAP/D CANCEL LOCATION& CANCEL LOCATION RESULT
6 . MAP/D INSERT SUBSCRIBER DATA & INSERT SUBSCRIBER DATA RESULT
7 . MM AUTHENTICATION REQUEST & AUTHENTICATION RESPONSE
8 .BSSMAP CIPHER MODE COMMAND
9. RR CIPHERING MODE COMMAND & CIPHERING MODE COMPLETE
10.BSSMAP CIPHER MODE
COMPLETE
11.MM LOCATION UPDATING
ACCEPT
12. MM TMSI REALLOCATION COMPLETE
LOCATION UPDATE-CALL FLOW

 SABM + MM LOCATION UPDATING REQUEST

 The BSC receives the location update with the SABM.
 MM LOCATION UPDATING REQUEST :
 The location updating request is forwarded to the MSC in
the "BSSMAP COMPLETE LAYER 3 INFORMATION"
message.
 During location update the MS sends a Location update
request(TIMSI or IMSI & LAI) to the MSC.
 MAP/G SEND PARAMETERS&SEND PARAMETERS
RESULT :
 The new MSC VLR does not find the TMSI in its database. It
uses the old Location Area Indicator (LAI) to obtain the
address of the old MSC VLR
 A request is sent to the old MSC VLR, requesting the IMSI of
the subscriber.
LOCATION UPDATE-CALL FLOW
 The Old MSC VLR provides the IMSI corresponding to the
TMSI.
 Note that the IMSI could have been obtained from the
mobile.
 MAP/D UPDATE LOCATION :
 The MSC sends an update location message to the HLR. This
message is needed for two reasons:
 (1) The HLR needs to update its record to point to the
new MSC when queried for location.
 (2) The new MSC does not have information about this
subscriber.
LOCATION UPDATE-CALL FLOW
 MAP/D CANCEL LOCATION& CANCEL LOCATION
RESULT
 The Old MSC is asked to delete the record for this subscriber
& the TMSI assigned to the mobile is also released. The Old
MSC replies back to the HLR.
 MAP/D INSERT SUBSCRIBER DATA & INSERT SUBSCRIBER
DATA RESULT
 Pass information about the new subscriber to the new MSC.
message contains the a 64-bit ciphering key used as a Session
Key (Kc), a 128-bit random challenge (RAND) and a 32-bit
Signed Response (SRES). These parameters will be used in
the authentication process.
LOCATION UPDATE-CALL FLOW
 The new MSC replies back to the HLR
 MM AUTHENTICATION REQUEST & AUTHENTICATION
RESPONSE
 The MSC VLR decides to authenticate the subscriber. The
RAND value received from the HLR is sent to the mobile
 The SIM applies secret GSM algorithms on the RAND and
the secret key Ki to obtain the session key Kc and SRES.
 BSSMAP CIPHER MODE COMMAND
 The MSC initiates ciphering of the data being sent on the
channel to the BSC.
LOCATION UPDATE-CALL FLOW
 RR CIPHERING MODE COMMAND & CIPHERING MODE
COMPLETE
 The BSC sends the CIPHERING MODE COMMAND to the
mobile
 Ciphering is enabled and CIPHERING MODE COMPLETE
message is transmitted with ciphering.
 BSSMAP CIPHER MODE COMPLETE
 The BSC replies back to the MSC, indicating that ciphering
has been successfully enabled
 MM LOCATION UPDATING ACCEPT
 The new MSC replies back to the mobile . The message also
assigns a new Temporary Mobile Subscriber Id (TMSI) to the
terminal.
LOCATION UPDATE-CALL FLOW
 MM TMSI REALLOCATION COMPLETE
 The GSM mobile replies back indicating that the new
TMSI allocation has been completed.
 MOBILE TERMINATING CALL(MTC)

 Knowledge of the location area is not adequate for setting up

terminating call as the location area might spawn several cells.
 Setting up a terminating call is a two step process.
(1)Interrogation procedure to locate the subscriber
(2) Actual call setup after the subscriber has been located.

 Example of a call from PSTN to a GSM mobile is illustrated here

 MOBILE TERMINATING CALL(MTC)

BSSMAP PAGING (TIMSI)

9
RR PAGING REQUEST 8
RR SABM + RR PAGING
10 11
RESPONSE
CC SETUP 12

MOBILE EQUIPMENT

MAP/D PRN 3

4
MAP/D PRN resp (MSRN)

)
2

N
SR
(M
lt
su
ISUP IAM

)
N
re
ISUP ACM

SD
I
SR

SI
M
C

I(
P/

SR
A
M
6

C
P/
5

A
13

M
1 ISUP IAM

ISUP ACM
13
MOBILE TERMINATING CALL(MTC)

 ISUP INITIAL ADDRESS MESSAGE

 PSTN subscriber calls the mobile phone by dialing the GSM
phone number (MSISDN).
 The PSTN will use the MSISDN to locate the GMSC
(GatewayMobile Switching Center) for the service provider.
 Once the GMSC has been identified, the PSTN sends the
ISUP Initial Address Message to the GMSC.
MAP/C SEND ROUTING INFORMATION & PROVIDE
ROAMING NUMBER RESULT
 The GMSC requests routinginformation for the GSM
subscriber from the HLR (Home Location Register).
MOBILE TERMINATING CALL(MTC)

MAP/D PROVIDE ROAMING NUMBER

 The HLR has identified that the subscriber is currently being
served by the Maryland MSC VLR. The HLR then asks the
MSC VLR to assign a temporary roaming phone number to
the subscriber.
 The Maryland MSC VLR allocates a temporary roaming
phone number (MSRN –Mobile Station Roaming Number)
 HLR passes the MSRN to the GMSC.
ISUP INITIAL ADDRESS MESSAGE
 The GMSC uses the MSRN to route the call to the
Maryland MSC VLR.
 The Maryland MSC VLR receives the call. At this point, the
MSRN is marked free and may be reassigned for other calls.
MOBILE TERMINATING CALL(MTC)

BSSMAP PAGING
 Now the MSC VLR needs to locate the subscriber in the
location area. Since the location area might spawn several
cells, a paging mechanism is used to locate the subscriber.
The MSC VLR uses a TMSI (Temporary Mobile Subscriber
Identify) to address the mobile phone. The TMSI is used so
as to protect the privacy of the called subscriber. Note that,
the BSSMAP PAGING message will be sent to all the BSCs
that handle the Maryland Location Area.
RR PAGING REQUEST
 All cells in the location area will broadcast the Page message
on the Paging Channel (PCH). All mobile phones listen to
this channel every few seconds. The mobile is located in the
Betheda cell. It receives this page message.
MOBILE TERMINATING CALL(MTC)

RR SABM + RR PAGING RESPONSE

 The mobile tunes to the assigned channel and transmits the
page response and the SABM to initiate the RR session
SCCP CONNECTION REQUEST + RR PAGING RESPONSE
 The BSC sends a SCCP connection request to the MSC
VLR. The page response message is piggy backed with the
request.
CC SETUP
 The MSC VLR receives the page response and sends a call
setup to the mobile.
ISUP ADDRESS COMPLETE MESSAGE
 The MSC receives the alert indication and sends an ISUP
address complete message to the GMSC.
 The GMSC sends the address complete to the PSTN switch.
 MOBILE ORIGINATING CALL(MOC)

1 1

2
5
MOBILE EQUIPMENT

1. CC SETUP
2. CC CALL PROCEEDING
3
3.ISUP INITIAL ADDRESS MESSAGE
4. ISUP ADDRESS COMPLETE MESSAGE
5.CC ALERTING
4
6. ISUP ANSWER MESSAGE
6
7. CC CONNECT & CC CONNECT ACKNOWLEDGE

3
4
6
MOBILE TERMINATING CALL(MTC)

 CC SETUP
 The Mobile sends the setup message to establish a voice call.
The message contains the dialed digits and other information
needed for call
 CC CALL PROCEEDING
 The mobile is informed that the call setup is in progress.
 At this point, the mobile phone displays a message on the
screen to indicate that call setup is being attempted.
 ISUP INITIAL ADDRESS MESSAGE
 The MSC routes the call and sends the call towards the called
subscriber(SS7, Dialed Digits)
MOBILE TERMINATING CALL(MTC)

 ISUP ADDRESS COMPLETE MESSAGE

 The PSTN indicates to the MSC that it has received all the
digits and the called subscriber is being rung.
 CC ALERTING
 The MSC informs the mobile that the called subscriber is
being alerted via a ring.
 ISUP ANSWER MESSAGE
 Once the called subscriber answers the call, ISUP ANM is
sent by the B-MSC to the A-MSC
 CC CONNECT & CC CONNECT ACKNOWLEDGE
 The MSC informs the mobile that the call has been
answered.
 SMS - OVERVIEW

 SMS stands for Short Message Service

 SMS was first introduced in 1991 in Europe as a text messaging
service based on European Telecommunications Standards
Institute (ETSI) standards for mobile networks
 SMS is being used in a wide range of social and business
applications such as electronic voting, delivery of stock
quotations, delivery of e-mail notification
 SMS supports the sending and receiving of text, images,
animation and sound
 SMS messages are originated and received by Short Messaging
Entities (SME). Examples of SMEs are: mobile phones; servers;
personal computers
 Basic SMS Network Architecture

SMS-GMSC/
SME SMSC MSC/SGSN MS
SMS-IWMSC

Outside the scope

of GSM specifications
HLR VLR
 SMS - OVERVIEW
 Short Message Entity (SME) – sends or receives short messages
 Short Message Service Centre (SC) – stores-and-forwards
messages between the SME and the MS
 Gateway MSC For Short Message Service (SMS-GMSC) -
receives messages from the SC, interrogates the HLR for routing
information and forward the messages to the MSC or SGSN
 Home Location Register (HLR) - a database used for
permanent storage and management of user/subscriber
profiles
 Inter-Working MSC For Short Message Service (SMS-IWMSC) -
receives messages from the MSC or SGSN and forwards them to
the SC
 SMS - OVERVIEW
 Mobile Service Centre (MSC) – performs switching
functions for mobile stations in a geographical area
 Visitor Location Register (VLR) - a database that
contains temporary information about roaming
subscribers. The MSC and the VLR are always
on the same platform.
 Serving GPRS Support Node (SGSN) – performs
packet switching functions for mobile stations in a
geographical area. The SGSN is used instead of the
MSC when SMS info is transferred over GPRS.
 Mobile Station (MS) – a device on the mobile network
capable of receiving and sending short messages
SMS TERMINATING (SMS - MT)
SMS TERMINATING (SMS - MT)

 1.The Short message is transferred from SC to SMS-GMSC

 2.SMS-GMSC queries the HLR(SRI) and receives the routing
information for the mobile subscriber (SRI-ACK).
 3. The SMS-GMSC sends the short message to the MSC using the
forwardShortMessage operation(FSM).
 4. The MSC retrieves the subscriber information from the VLR.
This operation may include an authentication procedure.
 5. The MSC transfers the short message to the mobile station.`
 6. The MSC returns the outcome of the forwardShortMessage
operation to the SMS-GMSC(FSM-ACK).
 7. If requested by the SMC, the SMSC returns a status report
indicating delivery of the short message.
 Message Flow SM-MO
MS
SMS- MSC VLR
SMSC HLR
IWMSC
Access Request

Authenticate

Message Transfer

sendInfoFor-

MO-SMS
forwardShortMessage

Message
Transfer

Delivery

Report
Delivery Report
Delivery

Report
 HANDOVER

 The process of changing cells during a call is in GSM terms

referred to as Handover
 It is same as LU but is done when the ME is Active or on call.
 To be able to choose the best target cell measurements are
performed by the MS and the BTS.
 Handovers can be
 Handover between cells controlled by the same BSC
 Handover between cells: different BSCs but the same
MSC/VLR
 Handover between cells controlled by different MSC/VLRs
 Handover between cells controlled by different PLMN
 HANDOVER

 Handover request : The old BSC detects the necessity of the

handover with the last received information from its BTS’s,
suspends the transmission of all messages except for the radio
resource management sub-layer messages with the MS, and
sends the message ‘handover request’ to the MSC. The MSC
forwards this message to the new BSC
 Handover command : The new BSC prepares its BTS for
receiving the new MS Then, the new BSC initiates the handover
by transmitting the handover command message to the MS
through the old BSC .This step permits the MS to locate the radio
channel of the new BTS/BSC.
 HANDOVER

 Handover bursts : Upon receipt of the handover command

message, the MS disconnects the old radio channels and initiates
the establishment of lower layer connections in the new radio
channels. In order to establish these connections the MS sends a
handover burst message to the new BSC and, when successful,
the transmission suspended with the old BSC is re-established
again between the MS and the new BSC through its BTS.
Handover between cells: different
BSCs but the same MSC/VLR
Handover between cells: different
BSCs but the same MSC/VLR
 The serving (old) BSC sends a Handover required message to the
MSC together with the identity of the target cell.
 2. MSC knows which BSC that controls this BTS and sends a
Handover request to this BSC.
 3. New BSC orders target BTS to activate a TCH.
 4. New BSC sends a message to the MS via MSC, old BSC and
old BTS containing information about the frequency and time
slot to change to, and what output power to use. This
information is sent over FACCH (Fast Associated Control
Channel).
Handover between cells: different
BSCs but the same MSC/VLR
 5. MS tunes to the new frequency, and transmits Handover (HO)
access bursts in the correct time slot. Since MS has no
information yet on the Timing Advance, the HO bursts are very
short (only 8 bits of information). The HO bursts are transmitted
on FACCH.
 6. When the new BTS detects the HO bursts it sends information
about timing advance. This is sent on FACCH.
 7. MS sends Handover Complete message to MSC via new BSC.
 8. The MSC sends an order to old BSC previously to release the
old TCH.
 9. The old BSC tells the old BTS to release the previously used
TCH.
Handover between cells controlled by
different MSC/VLRs
Handover between cells controlled by
different MSC/VLRs
 The serving (old) BSC sends a Handover required message to the
serving MSC, MSC–A, together with the identity of the target
cell.
 2. MSC–A realizes that this cell belongs to another MSC, MSC–B,
and asks for help.
 3. MSC–B allocates a handover number in order to reroute the
call. A Handover request is then sent to the new BSC.
 4. New BSC orders target BTS to activate a TCH.
 5. MSC–B receives the information, and passes it on to MSC–A
together with the handover number.
 6. A link is set up to MSC–B.
Handover between cells controlled by
different MSC/VLRs
 7. MSC–A sends a HO command to MS, via old BSC containing
information on which frequency and time slot to use, and what
output power to use. This information is sent over FACCH (Fast
Associated Control Channel).
 8. MS tunes to the new frequency, and transmits Handover (HO)
access bursts in the correct time slot. The HO bursts are
transmitted on FACCH.
 9. When the new BTS detects the HO bursts it sends information
about timing advance. This is sent on FACCH.
 10. MS sends Handover Complete message to old MSC via new
BSC and new MSC/VLR.
Handover between cells controlled by
different MSC/VLRs
 11. A new path in the group switch in MSC–A is established, and
the call is switched through.
 The old TCH is deactivated (not shown in the picture).
 The old MSC, MSC–A, will retain the main control of the call
until the call is cleared. After call release the MS must perform a
location updating, since a Location Area never belongs to more
than one MSC/VLR Service Area.
 The HLR will be updated by the VLR–B, and will in turn tell
VLR–A to delete all information about the MS.