Global System for Mobile Communication (GSM)

Global System for Mobile

Communication (GSM)

Li-Hsing Yen

National University of Kaohsiung

GSM System Architecture

BSC HLR VLR EIR BTS VLR MSC MS (ME/SIM) MS (ME/SIM) A-bis A-bis Um Um C B G D F MSC PSTN, ISDN, PSPDN, CSPDN E A NSS BSS AuC

Nomenclature

•MS (Mobile Station) = MT (Mobile Terminal ) + TE (Terminal Equipment)

•BSS (Base Station Subsystem) = BTS (Base Transceiver Station) + BSC (Base Station Controller)

•NSS (Network Switching Subsystem)

•MSC (Mobile Switching Center): telephony switching function and authentication of user

HLR and VLR

•HLR

(Home Location Register)

–a database to store and management permanent data of subscribers

•VLR

(Visitor Location Register)

–a database to store temporary information about subscribers

–needed by MSC in order to service visiting subscribers

AuC and EIR

•Authentication Center (

AuC

)

–used in the security data management for the authentication of subscribers.

•Equipment Identity Register (

EIR

)

–used to maintain a list of legitimate,

fraudulent, or faulty MSs.

–optional in GSM network, and is not used generally.

GSM Interfaces

•U_m

–Radio interface between MS and BTS

–each physical channel supports a number of logical channels

•A_bis

–between BTS and BSC (vender specific) –primary functions: traffic channel transmission,

terrestrial channel management, and radio channel management

time slot 0 1 2 3 4 5 6 7 0 200kHz . . . 7 890.0 MHz 914.8 MHz 890.2 MHz 890.4 MHz burst Guard band Uplink Downlink 0 . 57 7 m s

n: Absolute Radio Frequency Channel Number (ARFCN).1n 124

935.0 MHz 959.8 MHz 935.2 MHz 935.4 MHz Guard band . . . . . . . .

(contents of time slot)

F_ul(n)=890+ 0.2*n MHz

Fdl(n)=Ful(n)+45

MHz

Frequency Division Duplex

Uplink Downlink

Time Division Duplex

7 0 1 2 3 4 5 6 7 0 1

5 6

7 0 1 2 3 4 5 6

2 3 4 5 6 7

2

MS and BTS do not transmit simultaneously (MS transmits 3 time slots after the BTS)

Timing advance: MS transmits its data a little earlier as

Timing Advance

Base station Mobile station send recv Propagation delay send recv

send _{Original timing}

Timing advance ~ Propagation delay * 2

GSM Frame Structure

•1 hyperframe = 2048 superframes (~3.5hr) •For speech –1 superframe = 51 multiframes = 6.12s –1 multiframe = 26 frames = 120ms •For Signaling –1 superframe = 26 multiframes –1 multiframe = 51 frames

•1 frame = 8 time slots = 4.615 ms

Encrypted bits Encrypted bits

3 tail bits 3 tail bits

57 bits 57 bits

Training sequence Stealing bit

8.25 guard bits 28 bits 0 1 … 2047 0 1 … 48 49 50 0 1 … 23 24 25 0 1 2 3 4 5 6 7 Hyper frame Super frame Multi-frame Frame Time Slot 6.12s 120ms 4.615ms 0.57692ms 3.48hr

GSM Frame Hierarchy

Normal Burst Format

•Trail bits

–always (0,0,0); provide start and stop bit pattern •encrypted bits

–data is encrypted •stealing bits

–indicate whether the burst was stolen for urgent control signaling (FACCH signaling)

•Guard bits

–avoid overlapping with other bursts due to different path delay

Training Sequence

•A known bit pattern that differs for different adjacent cells

•to adapt the parameters of the receiver to the current path propagation characteristics

•to select the strongest signal in case of multipath propagation

•for multipath equalization

–extract the desired signal from unwanted reflections

GSM Protocol Stack

Layer 1 LAPDm RR MM CM MS Layer 1 LAPDm RR Layer 1 LAPD BTSM Layer 1 LAPD RR MTP SCCP BSSMAP MM CM Base Transceiver Station (BTS) Base Station Controller (BSC) MSC BTSM DTAP Um (air interface) Abis A MTP SCCP BSSMAP/DTAP

Layer 1 - Physical Layer

•Modulation

•Equalization

•Channel coding

–block code –convolutional code

•Interleaving

–to distribute burst error

GSM Physical Layer (MS Side)

voice voice signaling speech coding channel coding interleaving burst formatting ciphering modulation speech decoding channel decoding de-interleaving burst de-formatting deciphering demodulation signaling R/F R/F

20 ms

260 bits

speech encoding (RPE-LTP)

456 bits channel encoding 0 57 114 171 228 285 342 399 64 121 178 235 292 349 406 7 : : : : : : : : 392 449 50 107 164 221 278 335 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 rows frame burst

GSM Speech Transmission

interleaving burst formatting

GSM Speech Channel Coding

Class 1a 50 bits Class 1b 132 bits Class 2 78 bits 378 bits 78 bits 4 3 Convolutional Coding Parity bits protecting 1a 91 bits 91 bits 260 bits 456 bits reordering Tail Bits

Tailing Bits and Reordering

d(0) d(1) d(2) d(3) … d(179) d(180) d(181) p(0) p(1) p(2) d(0) d(2) d(4) d(180) d(178) : d(181) d(179) d(177) d(1) d(3) : u(0) u(1) u(2) u(90) u(89) : : p(1) p(2) p(0) u(91) u(92) u(95) u(94) u(93) u(96) u(183) : u(184) u(185) u(186) u(187) u(188) 0 0 0 0 Tailing Bits reorder

Parity Bits

•The first 50 bits are protected by 3

parity bits p(0), p(1), p(2)

•generator polynomial g(D)=D

3

_+D+1

•the remainder of

d(0)D

52

_+d(1)D

51

+…+d(49)D

3

_+p(0)D

2

_+p(

1)D+p(2) divided by g(D) should be

1+D+D

2

Convolutional Encoder for

GSM Speech (Rate=1/2, K=5)

a_k a_k-1 a_k-2 a_k-3 a_k-4 U₀… U₁₈₈

Interleaving

0 455 0 64 128 192 256 320 384 448 56 120 184 248 312 : : 392 57 121 185 249 313 377 441 49 113 177 241 305 369 : : 449 114 178 242 306 370 434 42 106 170 234 298 362 426 : : 50 171 235 299 363 427 35 99 163 227 291 355 419 27 : : 107 228 292 356 420 28 92 156 220 284 348 412 20 84 : : 164 285 349 413 21 85 149 213 277 341 405 13 77 141 : : 221 342 406 14 78 142 206 270 334 398 6 70 134 198 : : 278 399 7 71 135 199 263 327 391 455 63 127 191 255 : : 335

GSM Normal Burst Formatting

57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 frame B A B A … burst A B C A B A B … 3 tail bits … B A B … A B A 3 tail bits 57 bits 57 bits

Training sequence Stealing flag

8.25 guard bits 28 bits

Physical Vs. Logical Channels

•Physical channels are all the available time slots of a BTS

–a BTS with 6 carriers has 48 physical channels

•Logical channels are piggybacked on the physical channels

–logical channels are laid over the grid of physical channels

GSM Logical Channels (I)

•Speech traffic channels (TCH)

–Full-rate TCH (TCH/F) –Half-rate TCH (TCH/H)

•Broadcast channels (BCH)

–Frequency correction channel (FCCH) –Synchronization channel (SCH)

–Broadcast control channel (BCCH)

•Cell broadcast channel (CBCH)

GSM Logical Channels (II)

•Common control channels (CCCH)

–Paging channel (PCH)

–Access grant channel (AGCH) –Random access channel (RACH)

•Dedicated control channel (DCCH)

–Slow associated control channel (SACCH)

–Stand-alone dedicated control channel (SDCCH) –Fast associated control channel (FACCH)

Broadcast Channels (BCH)

•Frequency correction channel (FCCH)

–the “lighthouse”of a BTS

•Synchronization channel (SCH)

–PLMN/base identifier of a BTS plus

synchronization information (frame number)

•Broadcast control channel (BCCH)

–to transmit system information 1-4, 7-8 (differs in GSM 900, GSM 1800, and PCS 1900)

CBCH and CCCH

•CBCH (Cell Broadcast Channel)

–transmits cell broadcast messages

•PCH (Paging Channel)

–carries PAG_REQ message

•AGCH (Access Grant Channel)

–SDCCH channel assignment

•RACH (Random Access Channel)

Mapping of Logical Channels

•Each BTS has a particular frequency carrier called BCCH-TRX to transmit BCCH info •The following channel structure can be found

on time slot 0 of carrier BCCH-TRX

–FCCH –SCH

–BCCH information 1-4

–Four SDCCH subchannels (optional) –CBCH (optional)

Example Mapping of Logical

Channels on Time Slot 0 (Downlink)

FCCH + SCH + BCCH 1 - 4 Block 0 reserved for CCCH FCCH/SCH Block 1 reserved for CCCH Block 2 reserved for CCCH FCCH/SCH Block 3 CCCH/SDCCH Block 4 CCCH/SDCCH Block 5 CCCH/SDCCH FCCH/SCH FCCH/SCH Block 6 CCCH/SDCCH Block 7 CCCH/SACCH Block 7 CCCH/SACCH not used FN= 0 - 5 FN= 6 - 9 FN= 10 - 11 FN= 12 - 15 FN= 16 - 19 FN= 20 - 21 FN= 22 - 25 FN= 26 - 29 FN= 30 - 31 FN= 32 - 35 FN= 36 - 39 FN= 40 - 41 FN= 42 - 45 FN= 46 - 49 FN= 50

Example Mapping of Logical

Channels on Time Slot 2 (Downlink)

TCH SACCH FN= 0 - 11 FN= 12 FN= 13 - 24 FN= 25 TCH not used

GSM Layer 2: LAPDm

•Functions

–organization of Layer 3 information into frames

–peer-to-peer transmission of signaling data in defined frame formats

–recognition of frame formats –establishment, maintenance, and

termination of one or more (parallel) data links on signaling channels

R A C H B C C H A G C H + P C H S D C C H S A C C H F A C C H S D C C H S A C C H SAPI=0 SAPI=3 RR MM MM CC SS SMS PD PD TI TI TI SMS SS MNSMS-SAP MNSS-SAP MNCC-SAP MNREG-SAP CM CC

Layer 3 Protocol Architecture:

Mobile Station Side

Layer 3 - RR Sublayer

•The RR sublayer handles all the procedures necessary to establish, maintain, and release dedicated radio connections

–channel allocation –handover –timing advance –power control –frequency hopping A B A B time power level

Three Cases of Hand-over

MSC BSC BSC BTS BTS BTS MSC BSC BTS MS MS MS MS MS MS 1. different BTS, same BSC 2.different BSC, same MSC 3. different MSC, same PLMN (old MSC=anchor MSC new MSC=relay MSC)

Layer 3 - MM Sublayer

•The MM sublayer copes with all the

effects of handling a mobile user that

are not directly related to radio functions

–location area

–location registration & call delivery –location update & paging

Ki Ki RAND A3 A3 A8 A8 SRES SRES Home System Visited System =? Y N reject accept Mobile Station authentication encryption Kc Kc frame number Kc A5 plain text ciphered data SRES S1 S2 A5 S1 S2 plain text

Authentication & Encryption/Decryption in GSM

SIM

MS BTS BSC MSC VLR HLR

channel request

channel activation command

location update request authentication request authentication response

assignment of TMSI

channel activation acknowledge channel assignment

comparison of authentication parameters

channel release

acknowledgement of TMSI

entry of the new area and identity into the VLR & HLR old VLR HLR new VLR MS 1 4 3 5 2 old TMSI,

old VLR ID new TMSI location update cancellation IMSI, auth. para. ack subscriber information ack

Layer 3 - CM Sublayer

•The CM sublayer manages all the functions necessary for circuit-switched call control

–call establishment procedures for mobile-originated calls and mobile-terminated calls –in-call modification

–call reestablishment

–Dual Tone Multi Frequency (DTMF) control procedure for DTMF transmission

Contents of CM

•Call Control (CC)

•Short Message Service (SMS)

•Supplementary Service (SS)

Paging Procedure

MS BSS

Paging Request Message on PCH Channel Request on RACH

Assign SDCCH on AGCH SABM (Paging Response)

Call Setup Procedure: Mobile

Terminated Call

MSC MS VLR HLR GMSC (INTX) other switches other switches 1 1 1 1 2 2 3 3 3 request roaming number

dial MSISDN

allocate MSRN routing

INTerrogating eXchange (INTX)

Mobile Station ISDN Number (MSISDN) (Country Code, see E.164)

Mobile Station Roaming Number (MSRN) (Mobile Country Code, see E.212)

Dual Tone Multiple Frequency

(DTMF) in PSTN

DTMF Switch Dialing PBX Switch Connected

DTMF in GSM

SETUP MSC START_DTMF STOP_DTMF MSC PBX Dialing Connected