www.univ.zte.com.

cn

Main contents
Mobile communication overview

Related knowledge about GSM

main components in GSM the interface and protocol between entities wireless area partition numbering plan

mobile service management

security management
www.univ.zte.com.cn

Mobile Communication Overview

www.univ.zte.com.cn

1 The first generation mobile communication analog cellular mobile communication

Feature: 1)frequency division multiple access(FDMA)

2)analog signal
3)narrow band Main mode: AMPS TACS NMT

www.univ.zte.com.cn

2 The second generation mobile communication digital cellular mobile communication

Feature: 1)time division multiple access(TDMA) narrow code division multiple access(N-CDMA) 2)digital signal 3)narrow band

Main mode:

GSM DAMPS
N-CDMA

www.univ.zte.com.cn

3 The third generation mobile communication IMT2000 (3G)

Feature:
1) code division multiple access(CDMA) 2) digital signal

3) broadband 2000 means: Frequency is 2000MHZ, Maximum service rate is 2000kbit/s.

Main mode: CDMA2000 WCDMA TD-SCDMA
www.univ.zte.com.cn

Related knowledge about

GSM

www.univ.zte.com.cn

Digital Public Land Mobile communication Network----PLMN

MSS BSS
BTS Abis No.7 BSSAP A BSC X.25 Um BTS X.25/ No.7 OMC Signaling Voice SC MSC/VLR No.7 TUP PSTN ISDN PSPDN HLR/AUC No.7 MAP EIR MSC/VLR

No.7 MAP TUP

PLMN

MS

www.univ.zte.com.cn

MS:Mobile Station BSC:Base Station Controller

BTS:Base Transceiver Station

MSC:Mobile Switching Center HLR:Home Location Register VLR:Visitor Location Register AUC:Authentication Center

EIR:Equipment Identity Register

SC:Short Message Center

OMC:Operation and Maintenance Center

www.univ.zte.com.cn

1.Main components of GSM

MS(mobile station) BSS(base station sub-system) MSS(mobile switching sub-system) OMC(operation and maintenance center)

www.univ.zte.com.cn

1.1 Mobile Station

Function It is the device of mobile subscriber. It includes two parts: mobile terminal and SIM card. Attention: Physical mobile terminal and mobile subscriber are different. What is the meaning.

www.univ.zte.com.cn

1.2 Base Station sub-System

FunctionIt provides trunks between wireless part
and fixed part of PLMN network. ---BSC

---BTS
BTS is in charge of wireless transmission. BSC performs the control and management function.

www.univ.zte.com.cn

1.3 Mobile Switching sub-System

FunctionIt performs GSM switching function as well as
manage mobile subscriber data and database for mobile service. It is interface between GSM network and other network (such as PLMN,PSPDN etc.) It includes 6 function units: ---MSC ---HLR ---EIR ---VLR ---AUC ---SC

www.univ.zte.com.cn

1.3.1 Mobile Switching Center(MSC)

Function

It is responsible for setting up,managing and clearing

connections as well as routing the calls to the proper cell. It provides the interface to the telephone system as well as provisioning for charging and accounting service. MSC get data for call handling from 3 databases: VLR/HLR/AUC GMSC(gateway):It is used to query the mobile subscriber location information,and connect the route to the VMSC which the subscriber in at that time.
www.univ.zte.com.cn

1.3.2 Visitor Location Register(VLR)

VLR is a dynamic database,it stores all related information of mobile subscribers that enter into its coverage area,which enables

MSC to set up incoming and outgoing calls.

Subscriber parameters include: subscriber number(MSISDN), location area identity(LAI),users status , services subscriber can

use, and so on.

When the subscriber leaves this area, it should register in another VLR,and old VLR will delete all the data about this subscriber.

www.univ.zte.com.cn

1.3.3 Home Location Register(HLR)

HLR: It is a static database. when a user apply for mobile service, all data about this subscriber will be stored in HLR.
Information: --- basic service information: including MSISDN, IMSI,the telecom service, support service,users type, and so on; --- supplement service information; ---the mobile location information (MSC/VLR address),so as to realize the call route to the MS and billing.
www.univ.zte.com.cn

1.3.4 Authentication Center(AUC)

It is used to prevent unauthorized subscriber from access GSM
network or from a mobile number being used by unauthorized person. It operates closely with the HLR.

AUC stores correlative parameters information for subscriber

authentication, encryption to prevent unauthorized access and guarantee the safety of mobile subscriber communication.

www.univ.zte.com.cn

1.3.5 Equipment identity Register(EIR

It is used to manage the international mobile station equipment identification number (IMEI) of all mobile station devices and check whether each mobile station device is a legal equipment. It includes one or more database to store the IMEI. All IMEI are stored separately in three lists: white name lists, grey name lists, and black name lists. Network will judge whether the IMEI is a legal device and decide to either accept or reject the device.

www.univ.zte.com.cn

1.3.6 Short Message Center(SC

It provides the short message service(SMS). It provides the delivery and receiving of short message between mobile subscriber and fixed subscriber or between mobile subscribers.

www.univ.zte.com.cn

1.4

Operation and maintenance center (OMC)

The operation and maintenance center realizes the management of network. The specific function include: maintain and measure system, monitor systems status,performance management,traffic statistics and so on. It can improve the overall system working efficiency and service quality.
OMC includes two parts:for system(MSS) and for radio(BSS).

www.univ.zte.com.cn

2.The interface and protocol between entities

The difference between interface and protocol: The interface:the connection point between 2 adjacent entities. The protocol: illustrate the rules followed when information exchanged at the connection point.

www.univ.zte.com.cn

Main interface:
Um interface Abis interface A interface

BTS MS BTS

BSC BSC MSC

www.univ.zte.com.cn

2.1 Um interface:
Um interface defines the communication interface between MS and BTS, also called air interface.Um interface is the most important interface in all interfaces.
it realizes the compatibility between all kinds of MS and different network, so that the MS can roam.(it is open interface) it adopts some anti-jamming technology and measurements to reduce interferer and improve the frequency spectrum efficiency.

It realizes the physical connection between MS and GSM network(that is wireless link)at the same time it is also in charge of transferring of the information about RR, MM and CM.
www.univ.zte.com.cn

Note:
RR:radio resource management

MM:mobile management
CM:connection management

www.univ.zte.com.cn

2.2 Abis interface:

the intra-interface between the BTS and BSC,used for remote connection 2Mb/s PCM system It is an inner interface.

www.univ.zte.com.cn

2.3 A interface and protocol

It is an interface between BSC and MSC It is based on 2.048Mbit/s PCM CCS signaling (SPC CODE:14 Bits) Information through this interface include: MS management, mobility management,BTS management and so on.

It is a open interface.

www.univ.zte.com.cn

2.4 MSS interface and protocol

BSC A

MSC
B VLR

F C D

EIR HLR/AUC

BTS

E VLR B

BSS

MSC

MSS

www.univ.zte.com.cn

2.4.1 B interface:
the interface between MSC and VLR. MSC transfers the location update information of roaming subscriber to VLR MSC queries information of called roaming subscriber

from VLR when setting up the calls

Always associated with VLR, use inner interface.

www.univ.zte.com.cn

2.4.2. C interface
The interface between MSC and HLR.
When a MS is called,MSC must query the routing message of called MS from HLR through this interface to locate called MS,and HLR will return the routing message(visit MSC/VLR number) to MSC. VMSC/VLR send the MSRN assigned to the called subscriber to HLR.

www.univ.zte.com.cn

2.4.3. D interface
The interface between VLR and HLR. This interface is used to transfer location information and subscriber data information between VLR and HLR.(location Information,route information, service information and etc.)

www.univ.zte.com.cn

2.4.4. E interface:
the interface between MSC and MSC. it is used to hand-over channel when MS moves between 2 MSC offices during the call so that the call will not be disconnected. this interface transfers inter-office signaling which controls voice connection between MSCs

www.univ.zte.com.cn

2.4.5. F interface :
The interface between MSC and EIR. It is used for MSC to check IMEI of MS

2.4.6. The interface between MSC and PSTN:

The inter-office signaling interface, used for setting up voice connection between PSTN and PLMN.

www.univ.zte.com.cn

3. Wireless area partition

GSM service area
PLMN Service area

MSC Service area

Location area

Cell

Wireless coverage area structure

www.univ.zte.com.cn

3.1.Cell
The smallest area that can not be divided.

3.2.Location area:
The area where MS moves without updating location.

It includes some cells.

It only belongs to one MSC. It includes one or more BSC.

One location area has one LAI to identify each other.

www.univ.zte.com.cn

3.3.MSC service area:

The area that all the cell controlled by one MSC covered. One MSC composes one or more location areas.

3.4 .PLMN service area:

It includes one or more MSC service areas.

3.5.GSM service area:

It includes global PLMN networks .

www.univ.zte.com.cn

4.Numbering Plan
4.1 ISDN number (MSISDN) of mobile subscribers
A MSISDN number is the number dialed by the caller subscriber in PLMN. Composition of a MSISDN number.

Country number

code

+valid

national

ISDN

International mobile subscriber ISDN number

www.univ.zte.com.cn

4.2 International mobile subscriber identification number (IMSI) IMSI is an unique number that can identify a mobile subscriber in the PLMN network. Composition of an IMSI number
MCC MNC MSIN

International mobile subscriber identification National subscriber identification

www.univ.zte.com.cn

mobile

MCC mobile country code

MNC mobile network code,

MSIN mobile subscriber identification number, a 10-digit equi-length number.

IMSI is used in all signaling in a GSM mobile communication network, stored in HLR, VLR and the SIM card.

www.univ.zte.com.cn

4.3 International mobile equipment identification number (IMEI) IMEI is an unique number that can identify a mobile device in the GSM network.
TAC(Type Approval Code) : 6 digits, assigned by certain department; FAC(Final Assembly Code) : 2 digits,decide the place of manufacturing or assembling, coded by manufacturer; SNR(Serial NumbeR) : 6 digits, assigned by manufacturer in sequence; Spare bit : 1 digit.

TAC

FAC

SNR

Spare bit

www.univ.zte.com.cn

4.4 .MSC/VLR number

MSC/VLR number is used in the No.7 signaling. MSC/VLR number structure : CC+NDC+

4.5.HLR number
HLR number is used in the No.7 signaling .

HLR number structure : CC+NDC+

www.univ.zte.com.cn

4.6 Mobile subscriber roaming number (MSRN)

MSRN is a number temporarily assigned by VLR to a called mobile subscriber which it registers in according to the request of HLR (of called party) in each call for the network to re-route.

This number will be released and can be assigned to other mobile subscriber afterward.

www.univ.zte.com.cn

4.7 Hand-over number (HON)

HON is a number assigned to a mobile subscriber by
the destination MSC/VLR temporarily for routing during inter-office handover.

This number is part of a MSRN number.

It is used only during inter-office handover of a mobile subscriber. After the connection, it is released

and used by other subscribers.

www.univ.zte.com.cn

4.8 Temporary mobile subscriber identification number (TMSI) TMSI is an identification number assigned temporarily to a visiting mobile subscriber by VLR for the secrecy of IMSI. It is a 4-byte BCD code, used only locally, and assigned by each MSC/VLR independently.

www.univ.zte.com.cn

4.9 Location area identification number (LAI)

LAI is used to identify the location area.
Its number structure is: MCCMNCLAC

MCC and MNC : same as the MCC and MNC in IMSI.

LAC is a location area code that uniquely identifies each location area in digital PLMN. It is a 2-byte hexadecimal BCD code represented by L1L2L3L4 (with the range of 0000FFFF, able to define 65536 different location areas.)

www.univ.zte.com.cn

4.10.Global Cell IdentificationGCI

It is used to identify certain cell in a location area.
Structure: MCC+MNC+LAC+CI CI:2 bytes BCD code .

www.univ.zte.com.cn

5.Mobile service management

MS status Roaming and updating location

Paging

www.univ.zte.com.cn

5.1 MS status
Mobile subscriber
MS switch on free MS switch off MS busy

1)MS switch on
The Network should label with attached flag.

www.univ.zte.com.cn

Case 1: If MS switch on for the first time(HLR operate) IMSI

Updating location request

Record MSC /VLR number

HLR
updating locate accept

MSC/VLR

SIM card record LAI

VLR attach label on this IMSI

www.univ.zte.com.cn

Case 2: Ms switch on again,the LAI it received is the same as LAI stored in SIM card,VLR only label with attached flag. Case 3: The LAI it received is different from the LAI stored in SIM card.MS send the message location updating request to MSC/VLR to update the LAI,VLR will judge if the data of this MS is in its database.

If it has,update the new LAI.

If it hasnt ,repeat the case 1.
www.univ.zte.com.cn

2) Ms switches off MS get detached from the network

3) MS busy Assign a service channel to MS for transferring voice and label with busy for this mobile subscriber.

www.univ.zte.com.cn

5.2 Periodical registration

The GSM system takes the compulsory registration measure,requiring MS to register periodically. If the GSM system has not received the periodical registration information from a certain MS,the VLR of this MS will record it with hidden detachmentstatus. Only when it receives the correct

periodical registration information again,will it change MS

back into the attached status.
www.univ.zte.com.cn

5.3 Basic location updating

Location area has been changed, and MS set up location updating.
2 cases: 1)MS location area is changed ,but in the same MSC 2)MS roams from one MSC to another MSC.

www.univ.zte.com.cn

Location updating in same MSC

BSC

Location area 1
2

M S

MSC/VLR 2
3

Location 4 area BSC 2

M S

www.univ.zte.com.cn

Location updating between MSCs

5 HLR 2 3

MSC/VLR1

M S

MSC/VLR2

1 4

M S

www.univ.zte.com.cn

5.4 Fix subscriber call mobile subscriber

PSTN 1 GMSC 2 5 HLR 1.MSISDN 2. MSISDN 3. IMSI 4. MSRN 5. MSRN 6. MSRN 6 MSC/VLR 4 3 MS

www.univ.zte.com.cn

5.5 Mobile subscriber call mobile subscriber

HLR/AUC 5 2 MSC1/VLR2 3 MSC2/VLR2

6 9

1 MS1

10

8 MS2

www.univ.zte.com.cn

6. Security management
To guarantees system security ,the following measures are taken:
1.prevent access of unauthorized subscribers,which is realized through authentication;

2.protecting subscriber privacy by encrypting;

3.prevent access of invalid mobile device,which is realized through checking IMEI in EIR;

4.preventing subscriber IMSI from being stolen,realized by TMSI assignment .

www.univ.zte.com.cn

6.1 Authentication service

Authentication is to protect legal subscribers and prevent intrusion of illegal subscribers. Subscriber authentication should be performed with the subscriber triad parameters (RAND , SRES ,Kc)provided by the system.

www.univ.zte.com.cn

MS
Kc
Step4 obtain Kc and SRES by calculation according to Ki and RAND Ki

VLR (MSC, HLR) AUC Step3 transfer RAND

Kc Step2 transfer A8 3-parameter RAND Kc Ki RAND SRES
Step1 obtain Kc and SRES by calculation with RAND generated by Ki obtained from query SRES into IMSI

A8

RAND Kc SRES

A3

Step5

=?
SteP6 compare SRES authentication determination

A3

transfer
SRES

www.univ.zte.com.cn

Authentication
MS
Ki
RAND

NETWORK
RAND generator

Ki
Algorithm A3 Algorithm A3 SRES SRES

www.univ.zte.com.cn