2G Communication

1. GSM :

The Global System for Mobile Communications (GSM) is the most deployed wireless
network for cellular mobile telephony in the world. The ubiquity of GSM makes possible the
international roaming and enables subscribers to use the GSM network for phone calls and
data communication while travelling between countries. GSM is considered to be a second
generation (2G) mobile phone system, since it was the first mobile phone protocol that
employed digital signalling and speech channels. GSM networks operate mostly in the 900
MHz or 1800 MHz bands.

The data transmission rate of the GSM system is because GSM communication is circuit-
switched and connection oriented only 9600 bit/s or 14,400 bit/s with an improved codec
for the air interface. The low data transmission rate does not satisfy the rapidly increasing
demand of mobile subscribers for transferring large volumes of data. Faster data transmission
rates in the GSM network require packet-switched transport services like GPRS or concurrent
circuit-switched GSM connections as is provided by HSCSD (High Speed Circuit-Switched
Data) technology.With HSCSD, a theoretical data transmission rate of up to 76,800 bit/s
(89600 bit/s) for uplink or downlink can be achieved by using channel bundling to
combine several existing time slots in the air interface. Existing GSM networks can be
extended to support HSCSD by using modifyed base stations and specially designed mobile
telephones. However, the number of transmission channels can be increased by at most a
factor of 8, and therefore HSCSD will probably not become a major success.

The basic services voice transmission, call forwarding, roaming, and the SMS messaging
service were implemented in 1992-1996. In 1996 and later supplementary services were
added, including conference calls, call handover, call number negotiation and GSM in the
1800-MHz frequency band. In the next development step these services were augmented with
the functions of the SIM Application Toolkit, HSCSD and GPRS.

2. Standards
For GSM and there are about 130 individual specifications with a total size of more than
6000 pages. The numbering scheme GSM <specification number>, for example GSM 11.11,
is commonly used for specification series 01 to 13 (see Table cell1) in technical contexts
rather than the corresponding numbering scheme for ETSI standards ETSI TS <ETSI
number>, for eample ETSI TS 100977.

The specification GSM 01.04 (Abbreviations and acronyms) contains a summary of the
GSM technical vocabulary.

Specifications for GSM infrastructure and functionality are

o GSM 01.02 (General Description of a GSM Public Land Mobile Network (PLMN)),
which is the basis for the architecture of all GSM mobile telecommunications
networks.

o GSM 03.20 (Security Related Network Functions)

 o GSM 03.38 (Alphabets and Language-specific Information), which specifies a GSM
character set based on ASCII.

o GSM 11.10 (Mobile Station (MS) Conformance Specification), which contains a

very comprehensive test specification for GSM mobile stations.

o GSM 03.40 (Technical realization of the Short Message Service (SMS))

o GSM 02.34 (High Speed Circuit Switched Data (HSCSD); Stage 1)

Specifications for the SIM card and SIM based services are

o GSM 02.09 (Security Aspects)

o GSM 02.17 (SIM Functional Characteristics) specifies the GSM security module in
the mobile telephone and contains a relatively abstract description of the functional
requirements for the SIM.

o The most important card specific specification, GMS 11.11 (Specification of the
Subscriber Identity Module Mobile Equipment (SIM ME) interface), is based on
GSM 02.17. GSM 11.11 contains a precise and unambiguous specification of the
interface to the SIM in more than 170 pages. This interface specification does not
contain any details about the actual implementation.

o GSM 09.91 (Interworking aspects of the Subscriber Identity Module Mobile

Equipment (SIM ME) interface between Phase 1 and Phase 2)

o GSM 11.12 (Specification of the 3 Volt Subscriber Identity Module Mobile

Equipment (SIM ME) interface) and GSM 11.18 (Specification of the 1.8 Volt
Subscriber Identity Module Mobile Equipment (SIM ME) interface) specify the
electrical parameters of smart cards based on 3 V and 1.8 V technology to be used
SIM implementation.

o GSM 11.14 (Specification of the SIM Application Toolkit for the Subscriber Identity
Module Mobile Equipment (SIM ME) interface) describes a platform for secure
supplementary services in the SIM. These services are referred to as the SIM
Application Toolkit (SAT). This specification, published in 1996, offers network
operators the possibility of loading their own applications into the SIM for controlling
the mobile telephone. GSM 11.14 specifies in detail how functions such as driving the
display, polling the keypad, sending short messages (SMS), and other functions
related to suitable value-added applications must be implemented in the SIM.
 o GSM 11.17 (Subscriber Identity Module (SIM) conformance test specification)

o The requirements specifications GSM 02.48 (Specification of security mechanisms

for the SIM application toolkit, stage 1) and GSM 03.48 (Specification of security
mechanisms for the SIM application toolkit, stage 2), which is based on GSM 02.48,
describe two important security mechanism type for the SIM:

i. Security mechanisms for end-to-end communications between the background

system and the SIM that are protected against eavesdropping and
manipulation. In practice, these mechanisms are primarily used for secure data
transmission via the air interface (over the air, or OTA).

ii. A description in GSM 03.48 of the basic bearer independent mechanism for
remote file management (RFM) and remote applet management. As an
example, this mechanism is also presented using transport via SMS.

o The specification GSM 02.19 is the basis for all smart card operating systems with
executable program code. This specification contains a list of all basic services for a
language-independent API for executable program code in the SIM.

o GSM 03.19, which is based on GSM 02.19, specifies a detailed implementation of a

Java Card API for SIMs based on the Java Card 2.1 specification. This standard is the
key document for using Java Cards with GSM.

o GSM 11.13 (Test Specification for SIM API for Java Card) specifies the test
environment, test applications, test procedures, test coverage and individual test cases.
The described tests are aimed exclusively at the IT aspects of a Java Card
implementation for GSM.

o GSM 11.19 (Specification of the Cordless Telephony System Subscriber Identity

Module for both Fixed Part and Mobile)

o GSM 02.22 (Personalization of GSM Mobile Equipment (ME); Mobile Functionality

Specification) describes mechanisms for personalizing and depersonalizing mobile
equipment using specific data in the SIM (commonly known as SIM Lock).

The GSM specifications related to the SIM are not being developed any further, since the
functionality of the SIM is fully adequate for the current needs of the GSM system. The only
modifications that are still routinely made to the relevant specifications involve clarifications
of passages that are subject to interpretation.

3. System Architecture
A GSM Public Land Mobile Network (PLMN) consists of at least one Service Area
controlled by a Mobile Switching Center (MSC) connected to the Public Switched Telephone
Network (PSTN), see Figure gsm1.

Figure gsm1. The architecture of a GSM Public Land Mobile Network (PLMN)

A Base Station Subsystem (BSS) consists of

a Base Station Controller (BSC)

at least one radio saccess point or Base Transceiver Station (BTS) for Mobile Stations (MS),
which are mobile phones or other handheld devices (for example PDA computers) with phone
interface.

A BTS, with its aerial and associated radio frequency components, is the actual transmission
and reception component. A Network Cell is the area of radio coverage by one BTS. One or
more BTSs are in turn managed by a BSC. A network cell cluster covered by one or several
BSSs can be managed as a Location Area (LA). All these BSSs must however be controlled
by a single MSC. In Figure gsm2 is shown three LAs of 3, 4 and 4 cells respectively with a
MS moving across cell and LA boundaries.

Figure gsm2. A MS moving across cell and LA boundaries.

3 LAs consisting of 4 and 5 cells respectively are shown.
 A more detailed architecture of a single MSC controlled Service Area is outlined in Figure
gsm3.

Figure gsm3. The GSM network architecture for a single MSC controlled Service Area

The components of the tree GSM network subsystems

Radio Subsystem (RSS) consisting of the BSSs and all BSS connected MS devices .

Network and Switching Subsystem (NSS)

Operation Subsystem (OSS)

specified in GSM 01.02 (General description of a GSM Public Land Mobile

Network(PLMN)) and the GSM components

ME = Mobile Equipment

BTS = Base Receiving Station

BSC = Base Station Controller

MSC = Mobile Switching Center

VLR = Visitor Location Register

OMC = Operation and Maintenance Center

AuC = Authentication Center

HLR = Home Location Register

 EIR = Equipment Identity Register

SMSC = Short Message Service Centre

are shown in Figure gsm3.

A MSC is also through a Gateway MSC (GMSC) connected to other MSCs and to the Public
Switched Telephone Network (PSTN) with the Integrated Services Digital Network (ISDN)
option. The Inter-Working Function (IWF) of GMSC connects the circuit switched data paths
of a GSM network with the PSTN/ISDN. A GMSC is usually integrated in an MSC, see
Figure gsm4.

Figure gsm4. Basic GSM network components

2.1 Network and Switching Subsystem (NSS)

NSS consists of the Mobile Switching Center (MSC) and the Visitor Location Register
(VLR). A MSC manages multiple BSSs and is responsible for

setting up, managing and shutting down connections,

handling call charges

supervising supplementary services, such as call forwarding, call blocking and conference
calling.
VLR contains information about all MSs currently within range of the associated MSC. This
information is needed for routing a call to a particular MS (mobile telephone) via the proper
BSS and radio cell. The VLR also maintains a list of MSs belonging to subscribers of other
GSM networks. Such subscribers have logged or roamed into the network of the associated
MSC. The area covered by a MSC is actually called a MSC/VLR Service Area , which can
consist of several LAs as is shown in Figure gsm5.

Figure gsm5. A MSC/VLR Service Area

2.2 Operation Subsystem (OSS)

The OSS consists of

the Operation and Maintenance Center (OMC)

the Authentication Center (AuC),

the Home Location Register (HLR)

the Equipment Identity Register (EIR).

OMC is responsible for

regular network operation

subscriber administration

call billing.

AuC is the security component on the network side. AuC generates and manages all
cryptographic keys and algorithms needed for network operation, especially for
authentication of the MSs (i.e., the SIMs). HLR contains all of the subscriber data as well as
the localization data for each of the MS. EIR contains essential data, such as the serial
numbers of all MSs represented in the network. OSS also controls the Short Message Service
Centre (SMSC) for transmission of SMS messages. SMSC need information in HLR for the
routing of SMS messages.

2.3 GSM Network Areas

In GSM, there is a strong distinction between subscribers, which are identified by their SIM,
and the hardware they use for making phone calls and data communication calls. For
identification both entities before and during GSM service allocation, several identification
numbers exist and are stored in HLR, VLR and EIR.

The following identification numbers are stored in the HLR:

International Mobile Subscriber Identity (IMSI), a permanent ID assigned to each GSM

network subscriber.

International Mobile Subscriber ISDN Number (MSISDN), the ISDN number (phone
number) permanently assigned to each GSM subscriber.

Mobile Station Roaming Number (MSRN), a temporary ISDN number of a subscriber. This
number is assigned by the local VLR each time, the subscriber enters its MSC/VLR area. The
MSRN is then sent to the HLR and to the GMSC.

The address of current VLR and MSC (if available), an address of the area the subscriber is
currently in.

Local Mobile Subscriber Identity (if available), a short ID temporarily assigned to an active
subscriber by an VLR and sent to the HLR.

The following identification numbers are stored temporarily at the VLR associated with the
MSC which is currently controlling an active MS:

IMSI

MSISDN

MSRN

Location Area Identity (LAI), the ID of the Location Area (LA), in which subscriber is or
has been connected to a GSM network.

Temporary Mobile Subscriber Identity (TMSI), temporarily assigned to an active MS in

order to prevent the IMSI from being transmitted too often over the radio interface. The TMSI
is periodically changed during a call.

Equipment Identity Register (EIR) is a database for mobile equipment information of all
subscribers. In this database, three lists (white, black and gray) store identification
numbers, which are unique to all mobile terminals. The white list contains allowed terminals,
the black list contains unallowed terminals (e.g. stolen or lost), and the gray contains
terminals with known bugs.

2.4 GSM Network Areas

The area covered by one GSM operator is called the PLMN Service Area, which can consist
of several MSC/VLR Service Areas as i shown in Figure gsm6. A typical PLMN Service Area
is thus the area of a country, a state, or a region. A GSM Network Area is thus a hierarchy
with the levels

PLMN Service Area

MSC/VLR Service Area, see Figure gsm5

Location Area (LA), see Figure gsm2

Network Cell.

Figure gsm6. A PLMN Service Area for a GSM operator

Protocol Architecture

A GSM network is a bearer data communication protocol families. Any protocol stack for
data communication, for example TCP/IP, can be implemented to use a bearer. GSM protocol
architecture is - as for ISDN - structured into three independent planes (see Figure gsm7):

I. User plane

II. Control plane

III. Management plane

 Figure gsm7. GSM protocol architecture planes

The user plane defines protocols to carry connection oriented voice and user data. At the
radio interface Um, user plane data will be carried by the logical traffic channel called TCH.
The control plane defines a set of protocols for controlling these connections with signalling
information, for example signalling for connection setup. Such signalling data is carried over
logical control channels called D-channels (Dm-channels). As the control channels often have
spare capacities, also user data, the packet oriented SMS data, is transported over these
channels (see Figure gsm8). All logical channels, however, will be finally multiplexed onto
the physical channel.

Management plane function are:

plane management functions related to the system as a whole including plane coordination

functions related to resources and parameters residing in the layers of the control and/or
user plane.

Management of network element configuration and network element faults are examples of
management plane functionality
 Figure gsm8. Logical channels for user plane data and control plane signalling

The basic GSM bearer service, Circuit Switched Data (CSD), simply consists of transmitting
and receiving signals representing data instead of voice across the air interface. Modems are
used for the conversion between data bit streams and modulated radio signals. Data
transmission is either transparent or non-transparent.

3.1 Transparent User Data Transmission

Protocol architecture for transparent connection oriented user data is shown in Figure gsm9.
X.21, X.25, and V.24 are serial data transmission interface standards. G.703, G.705, and
G.732 are ISDN standards protocols. The bearer service does not try to correct detected errors
and relies on Forward Error Correction (FEC) only. The sender thus is guaranteed a constant
bitrate and may send data at this rate without flow control. For the sender the underlying
transport system is thus transparent.
Figure gsm9. The protocol architecture for transparent user data transmission uses only the
physical layer L1.

3.2 Non-Transparent User Data Transmission

The Radio Link Protocol (RLP) is used on the data link layer. One part of this protocol is
located in the MS, the other is located in the MSC, see Figure gsm10. The data is transported
in numbered frames of equal size, where each frame has to be acknowledged by the receiver.
One acknowledge frame can however acknowledge more than one data frame. In RLP, there
are two different frame types:

1. Information frames to carry the user data

2. Control frames to carry control information for controlling the connection and sending
acknowledgements.

However, information frames can also transport control information. If an error is detected
inside an information frame, the receiver sends a resend command to the sender, either for
this particular frame or all frames beginning from the erroneous frame. Due to frame resends
because of bad radio connections, the net bitrate of such a channel may change drastically.
The sending TE must thus be flow-controlled in order to adapt to the available bitrate. This is
done by the Non-Transparent Protocol (NTP), where the TE is connected to (generally over a
serial data transmission interface). For the sender, the transport system is thus not transparent
anymore.

Figure gsm10. Protocol architecture for non-transparent user data transmssion.

3.3 Signaling Transmission

For establishing, controlling and deleting connections, GSM network nodes exchange signals
with each other. The following interfaces are defined between the GSM network nodesnodes:

MS-BTS: Um
 BTS-BSC: Abis

BSC-MSC: A

MSC-VLR: B

MSC-HLR: C

VLR-HLR: D

MSC-MSC: E

MSC-EIR: F

VLR-VLR: G

These signals are physically sent via the wireless physical channel in the Um interface, and
over digital lines for other interfaces. The protocol architecture of signaling transmission at
the Um, Abis and A interfaces is shown in Figure gsm11.

Data Link Layer (Layer 2) Protocols

Link Access Procedure for the Dm-channel (LAPDm)is a GSM specific protocol to provide secure
Dm-channels between MS and BTS for layer 3 protocols. LAPDm is similar to High Level
Data Link Control (HDLC) and works in two modes. Unacknowledged operation means
sending UI-frames without acknowledgement, without flow control and and without error
correction. In acknowledged operation, data is transported in I-frames, data must be
acknowledged, error correction is based on resending, and flow control is carried out.

Link Access Procedure for the D-channel (LAPD) provides secure D-channels for ISDN.

Message Transfer Part (MTP)is the standard ISDN message transport part for SS7. It includes
the lower 3 ISDN network layers, i.e. it routes and transports signaling messages. Since MM
and CM require identifiable connections for signals, the Signaling Connection Control Part
(SCCP) is inserted at the network layer (layer 3).
 Figure gsm11. GSM protocol architecture for control data (signalling) transmission.

Network Layer (Layer 3) Protocols

Radio Resource Management (RR) is a protocol to create, maintain and delete radio link channels.
RR defines a subset of RR. This protocol is also responsible for measuring the channel
quality measurement, radio field strength and synchronization control, handover and data
ciphering. A RR message contains a protocol discriminator for protocol identification, a
transaction ID, and a message type. The data itself is carried in an Information Element (IE)
of fixed or variable length (here, an additional Length Indicator (IE) is necessary).

Mobility Management (MM) is a protocol for supporting Terminal Equipment (TE) mobility. MM
procedures need a pre-established RR connection consisting of a logical channel and a
LAPDm connection. Signaling is carried out between the MS and the MSC, thus it is
transparent to the BSS. There are three MM procedure categories:

I. Common procedures like TMSI reallocation, authentication, identity requests, and IMSI
detachments can always be carried out independently of each other.

II. Specific procedures are mutually exclusive. A specific procedure like a lopcation update and
an IMSI attachment cannot be executed as long as another one is being executed. Specific
procedures are also mutually exclusive to MM-connections.

III. Mobility management procedures create, maintain and tear down MM connections. MM
connections are created upon requests from the higher Call Management (CM) sublayer.
Each CM instance is assigned its own MM connection.

Call Management (CM) is a protocol containing three subprotocols:

 I. Call Control (CC) creates, maintains and deletes calls. Several parallel calls can be
established. Thus for each call, one CC instance is created in the MS, and another one in the
MSC. CC instances communicate with each other via dedicated MM instances they own.

II. The Short Message Service (SMS) is divided into the SMS Control Layer (SMS-CL) and the
SMS Relay Layer (SMS-RL). These layers need previously established MM, RR and LAPDm
connections.

III. Supplementary Services (SS) provide an entry point to access the GSM supplementary
services. Applications from upper layers may enter the CM via the Service Access Points
(SAP) MNCC-SAP, MNSS-SAP and MNSMS-SAP or bypass the CM by directly entering the
MMREG-SAP of MM.

Signaling Connection Control Part (SCCP) is

a SS7 protocol for establishing and maintaining
identifiable control connections. At the A-interface, SCCP offers connection oriented and
connectionless transport services.

is a signaling protocol at the A interface. BSSAP

Base Station System Application Part (BSSAP)
uses services offered by the SCCP and is further divided into three sub-parts:

I. The Direct Transfer Application Part (DTAP) offers services for signaling between the MS and
the MSC (CM,MM). DTAP signals only use connection oriented SCCP services.

II. The Base Station System Management Application Part (BSSMAP) transports signals
concerning a single MS, physical channels of the radio link as well as global commands for
the BSC resource management between an MSC and an BSC. BSSMAP procedures use
connection oriented and connectionless SCCP services.

III. The Base Station System Operation and Maintenance Application Part (BSSOMAP)
transports network management messages from the OMC over the MSC to a BSC.

Mobile Application Part (MAP) is the GSM specific enhancement of SS7 for

management of roaming functions like location registration/updating, IMSI attach/detach

and handover

subscriber management

IMEI management

authentication and identification

SMS.

MAP has special interfaces to other GSM network nodes.