1. GSM
The Global System for Mobile Communications (GSM) is the most deployed wireless
network for cellular mobile telephony in the world. The ubiquity of GSM makes
international roaming possible and enables subscribers to use the GSM network for phone calls and
data communication while travelling between countries. GSM is considered to be a second
generation (2G) mobile phone system, since it was the first mobile phone protocol that
employed digital signalling and speech channels. GSM networks operate mostly in the 900
MHz or 1800 MHz bands.
Because GSM communication is circuit-switched and connection-oriented, the data transmission
rate of the GSM system is only 9600 bit/s, or 14,400 bit/s with an improved codec
for the air interface. The low data transmission rate does not satisfy the rapidly increasing
demand of mobile subscribers for transferring large volumes of data. Faster data transmission
rates in the GSM network require packet-switched transport services like GPRS or concurrent
circuit-switched GSM connections, as provided by HSCSD (High Speed Circuit-Switched
Data) technology. With HSCSD, a theoretical data transmission rate of up to 76,800 bit/s
(8 × 9600 bit/s) for uplink or downlink can be achieved by using channel bundling to
combine several existing time slots in the air interface. Existing GSM networks can be
extended to support HSCSD by using modified base stations and specially designed mobile
telephones. However, the number of transmission channels can be increased by at most a
factor of 8, and therefore HSCSD will probably not become a major success.
The basic services (voice transmission, call forwarding, roaming, and the SMS messaging
service) were implemented in 1992-1996. In 1996 and later, supplementary services were
added, including conference calls, call handover, call number negotiation and GSM in the
1800-MHz frequency band. In the next development step these services were augmented with
the functions of the SIM Application Toolkit, HSCSD and GPRS.
2. Standards
For GSM and there are about 130 individual specifications with a total size of more than
6000 pages. The numbering scheme GSM <specification number>, for example GSM 11.11,
is commonly used for specification series 01 to 13 (see Table cell1) in technical contexts
rather than the corresponding numbering scheme for ETSI standards ETSI TS <ETSI
number>, for example ETSI TS 100977.
The specification GSM 01.04 (Abbreviations and acronyms) contains a summary of the
GSM technical vocabulary.
o GSM 01.02 (General Description of a GSM Public Land Mobile Network (PLMN)),
which is the basis for the architecture of all GSM mobile telecommunications
networks.
Specifications for the SIM card and SIM based services are:
o GSM 02.17 (SIM Functional Characteristics) specifies the GSM security module in
the mobile telephone and contains a relatively abstract description of the functional
requirements for the SIM.
o The most important card-specific specification, GSM 11.11 (Specification of the
Subscriber Identity Module Mobile Equipment (SIM ME) interface), is based on
GSM 02.17. GSM 11.11 contains a precise and unambiguous specification of the
interface to the SIM in more than 170 pages. This interface specification does not
contain any details about the actual implementation.
o GSM 11.14 (Specification of the SIM Application Toolkit for the Subscriber Identity
Module Mobile Equipment (SIM ME) interface) describes a platform for secure
supplementary services in the SIM. These services are referred to as the SIM
Application Toolkit (SAT). This specification, published in 1996, offers network
operators the possibility of loading their own applications into the SIM for controlling
the mobile telephone. GSM 11.14 specifies in detail how functions such as driving the
display, polling the keypad, sending short messages (SMS), and other functions
related to suitable value-added applications must be implemented in the SIM.
o GSM 11.17 (Subscriber Identity Module (SIM) conformance test specification)
ii. A description in GSM 03.48 of the basic bearer independent mechanism for
remote file management (RFM) and remote applet management. As an
example, this mechanism is also presented using transport via SMS.
o The specification GSM 02.19 is the basis for all smart card operating systems with
executable program code. This specification contains a list of all basic services for a
language-independent API for executable program code in the SIM.
o GSM 11.13 (Test Specification for SIM API for Java Card) specifies the test
environment, test applications, test procedures, test coverage and individual test cases.
The described tests are aimed exclusively at the IT aspects of a Java Card
implementation for GSM.
The GSM specifications related to the SIM are not being developed any further, since the
functionality of the SIM is fully adequate for the current needs of the GSM system. The only
modifications that are still routinely made to the relevant specifications involve clarifications
of passages that are subject to interpretation.
3. System Architecture
A GSM Public Land Mobile Network (PLMN) consists of at least one Service Area
controlled by a Mobile Switching Center (MSC) connected to the Public Switched Telephone
Network (PSTN), see Figure gsm1.
Figure gsm1. The architecture of a GSM Public Land Mobile Network (PLMN)
at least one radio access point or Base Transceiver Station (BTS) for Mobile Stations (MS),
which are mobile phones or other handheld devices (for example PDA computers) with phone
interface.
A BTS, with its aerial and associated radio frequency components, is the actual transmission
and reception component. A Network Cell is the area of radio coverage by one BTS. One or
more BTSs are in turn managed by a BSC. A network cell cluster covered by one or several
BSSs can be managed as a Location Area (LA). All these BSSs must however be controlled
by a single MSC. Figure gsm2 shows three LAs of 3, 4 and 4 cells respectively, with an
MS moving across cell and LA boundaries.
Figure gsm3. The GSM network architecture for a single MSC controlled Service Area
Radio Subsystem (RSS) consisting of the BSSs and all BSS connected MS devices.
ME = Mobile Equipment
An MSC is also connected, through a Gateway MSC (GMSC), to other MSCs and to the Public
Switched Telephone Network (PSTN) with the Integrated Services Digital Network (ISDN)
option. The Inter-Working Function (IWF) of the GMSC connects the circuit-switched data paths
of a GSM network with the PSTN/ISDN. A GMSC is usually integrated in an MSC, see
Figure gsm4.
The NSS consists of the Mobile Switching Center (MSC) and the Visitor Location Register
(VLR). An MSC manages multiple BSSs and is responsible for
supervising supplementary services, such as call forwarding, call blocking and conference
calling.
The VLR contains information about all MSs currently within range of the associated MSC. This
information is needed for routing a call to a particular MS (mobile telephone) via the proper
BSS and radio cell. The VLR also maintains a list of MSs belonging to subscribers of other
GSM networks. Such subscribers have logged or roamed into the network of the associated
MSC. The area covered by an MSC is actually called an MSC/VLR Service Area, which can
consist of several LAs, as shown in Figure gsm5.
subscriber administration
call billing.
The AuC is the security component on the network side. The AuC generates and manages all
cryptographic keys and algorithms needed for network operation, especially for
authentication of the MSs (i.e., the SIMs). The HLR contains all of the subscriber data as well as
the localization data for each MS. The EIR contains essential data, such as the serial
numbers of all MSs represented in the network. The OSS also controls the Short Message Service
Centre (SMSC) for transmission of SMS messages. The SMSC needs information in the HLR for the
routing of SMS messages.
International Mobile Subscriber ISDN Number (MSISDN), the ISDN number (phone
number) permanently assigned to each GSM subscriber.
Mobile Station Roaming Number (MSRN), a temporary ISDN number of a subscriber. This
number is assigned by the local VLR each time the subscriber enters its MSC/VLR area. The
MSRN is then sent to the HLR and to the GMSC.
The address of current VLR and MSC (if available), an address of the area the subscriber is
currently in.
Local Mobile Subscriber Identity (if available), a short ID temporarily assigned to an active
subscriber by a VLR and sent to the HLR.
The following identification numbers are stored temporarily at the VLR associated with the
MSC which is currently controlling an active MS:
IMSI
MSISDN
MSRN
Location Area Identity (LAI), the ID of the Location Area (LA) in which the subscriber is or
has been connected to a GSM network.
The Equipment Identity Register (EIR) is a database for mobile equipment information of all
subscribers. In this database, three lists (white, black and gray) store identification
numbers that are unique to each mobile terminal. The white list contains allowed terminals,
the black list contains terminals that are not allowed (e.g. stolen or lost), and the gray list contains
terminals with known bugs.
The area covered by one GSM operator is called the PLMN Service Area, which can consist
of several MSC/VLR Service Areas, as shown in Figure gsm6. A typical PLMN Service Area
is thus the area of a country, a state, or a region. A GSM Network Area is thus a hierarchy
with the levels
Network Cell.
Protocol Architecture
A GSM network is a bearer for data communication protocol families. Any protocol stack for
data communication, for example TCP/IP, can be implemented to use a bearer. GSM protocol
architecture is - as for ISDN - structured into three independent planes (see Figure gsm7):
I. User plane
The user plane defines protocols to carry connection oriented voice and user data. At the
radio interface Um, user plane data will be carried by the logical traffic channel called TCH.
The control plane defines a set of protocols for controlling these connections with signalling
information, for example signalling for connection setup. Such signalling data is carried over
logical control channels called D-channels (Dm-channels). As the control channels often have
spare capacity, user data, namely the packet-oriented SMS data, is also transported over these
channels (see Figure gsm8). All logical channels, however, are finally multiplexed onto
the physical channel.
plane management functions related to the system as a whole including plane coordination
functions related to resources and parameters residing in the layers of the control and/or
user plane.
Management of network element configuration and network element faults are examples of
management plane functionality.
Figure gsm8. Logical channels for user plane data and control plane signalling
The basic GSM bearer service, Circuit Switched Data (CSD), simply consists of transmitting
and receiving signals representing data instead of voice across the air interface. Modems are
used for the conversion between data bit streams and modulated radio signals. Data
transmission is either transparent or non-transparent.
Protocol architecture for transparent connection oriented user data is shown in Figure gsm9.
X.21, X.25, and V.24 are serial data transmission interface standards. G.703, G.705, and
G.732 are ISDN standard protocols. The bearer service does not try to correct detected errors
and relies on Forward Error Correction (FEC) only. The sender thus is guaranteed a constant
bitrate and may send data at this rate without flow control. For the sender the underlying
transport system is thus transparent.
Figure gsm9. The protocol architecture for transparent user data transmission uses only the
physical layer L1.
The Radio Link Protocol (RLP) is used on the data link layer. One part of this protocol is
located in the MS, the other is located in the MSC, see Figure gsm10. The data is transported
in numbered frames of equal size, where each frame has to be acknowledged by the receiver.
One acknowledgement frame can, however, acknowledge more than one data frame. In RLP, there
are two different frame types:
2. Control frames to carry control information for controlling the connection and sending
acknowledgements.
However, information frames can also transport control information. If an error is detected
inside an information frame, the receiver sends a resend command to the sender, either for
this particular frame or all frames beginning from the erroneous frame. Due to frame resends
because of bad radio connections, the net bitrate of such a channel may change drastically.
The sending TE must thus be flow-controlled in order to adapt to the available bitrate. This is
done by the Non-Transparent Protocol (NTP), where the TE is connected to (generally over a
serial data transmission interface). For the sender, the transport system is thus not transparent
anymore.
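The two resend strategies described above and their effect on the net bitrate, shown as an added example that is not part of the original text. It is a simplified slot model rather than the RLP of the specification; the function names, the `delay` parameter and the corrupted-slot sets are assumptions constructed for illustration, and the 9600 bit/s gross rate is the figure given earlier on this page.

```python
def rlp_transfer(n_frames, corrupted, mode, delay=3):
    """Send n_frames numbered frames, one per air-interface slot.

    corrupted: slot indices whose frame arrives damaged (constructed input).
    mode: "selective" resends only the damaged frame; "go_back" resends
          all frames beginning from the damaged one.
    delay: assumed number of slots until the resend command reaches the sender.
    Returns (frames_sent, slots_elapsed).
    """
    resend_at = {}      # slot -> sequence number named in a resend command
    delivered = set()   # sequence numbers the receiver has accepted
    next_new = 0        # next sequence number not yet sent
    sent = slot = 0
    while len(delivered) < n_frames:
        seq = None
        if slot in resend_at:               # a resend command has arrived
            seq = resend_at.pop(slot)
            if mode == "go_back":
                next_new = seq + 1          # later frames are sent again too
        elif next_new < n_frames:
            seq, next_new = next_new, next_new + 1
        if seq is not None:                 # otherwise the slot stays idle
            sent += 1
            if mode == "go_back" and seq != len(delivered):
                pass                        # out-of-order frame is discarded
            elif slot in corrupted:
                resend_at[slot + delay] = seq
            else:
                delivered.add(seq)
        slot += 1
    return sent, slot


def net_bitrate(n_frames, slots, gross=9600):
    """Net rate in bit/s when n_frames useful frames occupy `slots` slots."""
    return gross * n_frames // slots


if __name__ == "__main__":
    for errors in (set(), {2}, {2, 5}):     # constructed error patterns
        for mode in ("selective", "go_back"):
            sent, slots = rlp_transfer(10, errors, mode)
            print(sorted(errors), mode, sent, net_bitrate(10, slots))
```

With the same two damaged slots, resending from the erroneous frame onward occupies 16 slots for 10 frames, while resending only the damaged frame occupies 12, which is why the sending TE has to be flow-controlled.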
For establishing, controlling and deleting connections, GSM network nodes exchange signals
with each other. The following interfaces are defined between the GSM network nodes:
MS-BTS: Um
BTS-BSC: Abis
BSC-MSC: A
MSC-VLR: B
MSC-HLR: C
VLR-HLR: D
MSC-MSC: E
MSC-EIR: F
VLR-VLR: G
These signals are physically sent via the wireless physical channel in the Um interface, and
over digital lines for other interfaces. The protocol architecture of signaling transmission at
the Um, Abis and A interfaces is shown in Figure gsm11.
Link Access Procedure for the D-channel (LAPD) provides secure D-channels for ISDN.
Message Transfer Part (MTP) is the standard ISDN message transport part for SS7. It includes
the lower 3 ISDN network layers, i.e. it routes and transports signaling messages. Since MM
and CM require identifiable connections for signals, the Signaling Connection Control Part
(SCCP) is inserted at the network layer (layer 3).
Figure gsm11. GSM protocol architecture for control data (signalling) transmission.
Mobility Management (MM) is a protocol for supporting Terminal Equipment (TE) mobility. MM
procedures need a pre-established RR connection consisting of a logical channel and a
LAPDm connection. Signaling is carried out between the MS and the MSC, thus it is
transparent to the BSS. There are three MM procedure categories:
I. Common procedures like TMSI reallocation, authentication, identity requests, and IMSI
detachments can always be carried out independently of each other.
II. Specific procedures are mutually exclusive. A specific procedure like a location update and
an IMSI attachment cannot be executed as long as another one is being executed. Specific
procedures are also mutually exclusive to MM-connections.
III. Mobility management procedures create, maintain and tear down MM connections. MM
connections are created upon requests from the higher Call Management (CM) sublayer.
Each CM instance is assigned its own MM connection.
II. The Short Message Service (SMS) is divided into the SMS Control Layer (SMS-CL) and the
SMS Relay Layer (SMS-RL). These layers need previously established MM, RR and LAPDm
connections.
III. Supplementary Services (SS) provide an entry point to access the GSM supplementary
services. Applications from upper layers may enter the CM via the Service Access Points
(SAP) MNCC-SAP, MNSS-SAP and MNSMS-SAP or bypass the CM by directly entering the
MMREG-SAP of MM.
I. The Direct Transfer Application Part (DTAP) offers services for signaling between the MS and
the MSC (CM,MM). DTAP signals only use connection oriented SCCP services.
II. The Base Station System Management Application Part (BSSMAP) transports signals
concerning a single MS, physical channels of the radio link as well as global commands for
the BSC resource management between an MSC and a BSC. BSSMAP procedures use
connection oriented and connectionless SCCP services.
III. The Base Station System Operation and Maintenance Application Part (BSSOMAP)
transports network management messages from the OMC over the MSC to a BSC.
Mobile Application Part (MAP) is the GSM specific enhancement of SS7 for
subscriber management
IMEI management
SMS.