Architecture
7/12/12
11
Introduction
7/12/12
22
Introduction / History
Developed by Group Spciale Mobile (founded 1982) which was an initiative of CEPT (Conference of European Post and Telecommunication ) to replace the incompatible analog system Presently the responsibility of GSM standardization resides with special mobile group under ETSI (European telecommunication Standards Institute ) Under ETSI, GSM is named as Global System for Mobile communication it is a 2G cellular standard developed to cater voice services and data delivery using digital modulation. GSM uses a combination of time division multiple access (TDMA) and Frequency Division Multiple Access (FDMA). Tri-band phones use the 900, 1800 and 1900 MHz GSM frequencies. Quad band phones are also available covering the 850, 900, 1800 and 1900 MHz GSM frequency bands.
7/12/12
33
More than 3 billion subscribers in world and 400 million subscriber in India
7/12/12
44
GSM Frequencies
7/12/12
GSM Services
Services offered by GSM
Tele-services
Telecommunication services that enable voice communication via mobile phones Offered services include Mobile telephony and Emergency calling
Include various data services for information transfer between GSM and other networks like PSTN, ISDN 7/12/12 rates from 300 to 9600 bps . 66 etc at
Architecture
7/12/12
77
GSM Architecture
7/12/12
88
7/12/12
99
BSC (Base Station Controller) It is a high-capacity switch with radio communication and mobility control capabilities. The functions include radio channel allocation, location update, handover, timing advance, power control and paging. BTS (Base transceiver station) It is a radio transceiver station that communicates with the mobile stations. Its backend is connected to the BSC. 1010 7/12/12 Its transmitting power defines . size of a cell. the
MSC (mobile switching center)/ VLR (Visitor Location Register) MSC performs the telephony switching function. A mobile station must be attached to a single MSC at a time (either homed or visitor), if it is currently active (not switched off). The VLR is a database attached to an MSC to contain information about its currently associated mobile stations (not. just for visitors). 7/12/12 1111
EIR (Equipment Identity Register) The EIR in the GSM system is the logical entity which is responsible for storing in the network the International Mobile Equipment Identities (IMEIs), used in the GSM system. The equipment is classified as "white listed", "grey listed", "black listed" or it may be unknown.
GMSC (Gateway MSC) GMSC is the switching entity that controls mobile terminating calls. On call establishment towards a GSM subscriber, a GMSC contacts the HLR of that subscriber, to obtain the address. of the MSC where that subscriber is currently registered. 7/12/12 1212
7/12/12
1313
7/12/12
1414
CM (Connection Management) - Call control, short message service and supplementary service
RR (Radio Resource Management) - Setup, maintenance and release of radio channels - Control of radio transmission quality
LAPDm (Link Access Protocol D-channel modified) - Modified version of ISDN LAPD protocol
BTSM (Base Transceiver Station Management) - Radio resources control messages between BSC and BTS - BSSAP (Base Station System Application Part)
7/12/12
1515
PSTN
SS 7
AuC
BSS Base Station System BTS Base Transceiver Station BSC Base Station Controller
NSS Network Sub-System MSC Mobile-service Switching Controller VLR Visitor Location Register HLR Home Location Register
Abis-interface The Abis-interface is the interface between the BTS and the BSC The transmission rate is 2.048 Mbps, which is partitioned into 32 channels of 64 Kbps each
A-interface The BSS-MSC interface is used to carry information concerning: BSS management, Call handling and Mobility management
C-interface Interface between HLR and MSC The Gateway MSC must interrogate the HLR of the 7/12/12 . required subscriber to obtain routing information for a call
1717
B-interface
Interface between the MSC and its associated VLR. When MSC needs data related to a given mobile station currently located in its area, it interrogates the VLR This interface is internal to the MSC/VLR; signaling on it is not standardized D-interface Interface between HLR and VLR. This interface is used to exchange the data related to the location of the mobile station and to the management of the subscriber
G-interface When a mobile subscriber moves from a VLR area to another Location Registration is done. This procedure may result in retrieval of the IMSI and authentication parameters 7/12/12 . from the old VLR.
1818
IMSI is embedded on the SIM card and is used to identify a subscriber. The IMSI is also contained in the subscription data in the HLR.
MCC (Mobile Country Code) It identifies the country for mobile networks. The MCC is not used for call establishment.
MNC (Mobile Network Code ) It identifies the mobile network within a country . MCC and MNC together identify a PLMN for MNC usage. The MNC may be two or three digits in length.
MSIN (mobile subscriber identification number ) It is the subscriber identifier within a PLMN.
7/12/12
1919
The MSISDN is not stored on the subscribers SIM card and is normally not available in the MS.
The MSISDN is provisioned in the HLR, as part of the subscribers profile, and is sent to MSC during registration.
CC (Country Code) It identifies the country or group of countries of the subscriber. NDC (National Destination Code) Each PLMN in a country has one or more NDCs allocated to it; the NDC may be used to route a call to the appropriate network. SN (Subscriber Number) It identifies the subscriber within the number plan of a PLMN.
7/12/12
2020
The IMEI is composed of Type Allocation Code (TAC). Its length is of 8 digits. Serial Number (SNR) is an individual serial number uniquely identifying each equipment within each TAC. Its length is 6 digits. Spare digit: this digit shall be zero.
7/12/12
2121
Radio Interface
7/12/12
2222
(1/6)
7/12/12
2323
(2/6)
For speech 1 superframe = 51 multiframes and 1 multiframe = 26 frames For Signaling 1 superframe = 26 multiframes and 1 multiframe = 51 frames . 2424
7/12/12
(3/6)
The data transmitted during a single time slot is known as a burst. Each burst allows 8.25 bits for guard time. Prevents bursts from overlapping.
Tail Bits - Each burst leaves 3 bits on each end in which no data is transmitted. This is designed to compensate for the time it takes for the power to rise up to its peak during a transmission. The bits at the end compensate for the powering down at the end of the transmission.
Data Bits/Encrypted bits - There are two data payloads of 57 bits each. Stealing Flags - Indicates whether the burst is being used for voice/data
Training Sequence - The training sequence bits are used to overcome multi-path fading and propagation effects through a method called equalization. 7/12/12 . 2525
(4/6)
Physical channels Using FDMA and TDMA techniques, each carrier is divided into 8 timeslots
Logical channels
Logical channels There are two main categories of logical channels in GSM: Control Channels Traffic Channels are used to carry two types of information to and from the user - Encoded Speech and Data 7/12/12 .
2626
(5/6)
MS scans for this signal after switch on and tunes to it Contains BSIC code used by the MS to check the frequency measured by it is coming from a particular BS
BCCH Detailed BTS and cell information Common Control Channels Logical Channel Description PCH RACH AGCH 7/12/12 Used to broadcast paging message for mobile terminated call Only uplink channel and used to initiate a transaction to the paging channel Answer to RACH and assigns an SDCCH . 2727
(6/6)
Used for system signalling,callsetup, assignment of traffic channel Transmits measurement reports and used for radio control Used for handover, It is mapped to a traffic channel and steals 20ms of traffic channel
7/12/12
2828
7/12/12
2929
7/12/12
3030
7/12/12
3131
7/12/12
3232
7/12/12
3333
Location Update
7/12/12
3434
Location Area Cells are grouped into Location Areas updates sent only when LA is changed; paging message sent to all cells in last known LA
Location registration MS has to register with the PLMN to get communication services Registration is required for a change of PLMN MS has to report to current PLMN with its IMSI and receive new TMSI by executing Location Registration process. The TMSI is stored in SIM, so that even after power on or off, there is only normal Location Update. If the MS recognizes by reading the LAI broadcast on BCCH that it is in new LA, it performs Location Update to update the HLR records. Location update procedure could also be performed periodically, independent of the MS movement. The difference in Location Registration and Location Update is that in location update the MS has already been assigned a TMSI. 7/12/12 . 3535
VLR 1
HLR: Home Location Register VLR: Visitor Location Register MSC: Mobile Switching Center LA: Location Area MS: Mobile Station
A location update request message_ack MAP_UPDATE_LOCATION_AREA_ack MAP_UPDATE_LOCATION_AREA A location update request message LA1
M S
LA2
7/12/12
3636
VLR 1
A MAP_UPDATE_LOCATION_AREA MAP_UPDATE_LOCATION_AREA_ack location update request message_ack A location update request message MAP_UPDATE_LOCATION_ack MAP_UPDATE_LOCATION
LA1
M S
LA2
7/12/12
3737
VLR 1
MAP_UPDATE_LOCATION_AREA_ack A location update request message_ack
LA1
M S
LA2 MAP_SEND_IDENTIFICATION_ack MAP_UPDATE_LOCATION_AREA AMAP_UPDATE_LOCATION_ack MAP_SEND_IDENTIFICATION location update request MAP_UPDATE_LOCATION message .
7/12/12
3838
Handover
7/12/12
3939
Handover
(1/2)
There are four different types of handover in the GSM system. Handover involves transferring a call between: Channels (time slots) in the same cell Cells (Base Transceiver Stations) under the control of the same Base Station Controller (BSC) Cells under the control of different BSCs, but belonging to the same Mobile services Switching Center (MSC) Cells under the control of different MSCs Handovers are initiated by the BSS/MSC (as a means of traffic load balancing). During its idle time slots, the mobile scans the Broadcast Control Channel of up to 16 neighboring cells, and forms a list of the six best candidates for possible handover, based on the received signal strength. This information is passed to the BSC and MSC, at least once per second, and is used by the handover algorithm. . 4040
7/12/12
Handover
Connection route
9
(2/2)
8
MSC -A
1
MSC -B
6
MSC -C
8
4 B T S 1 2
B S C
B T S 2 5
B S C
B T S 3
B S C
B T S 3
7/12/12
4141
Security
7/12/12
4242
GSM Authentication
Authentication Mechanism
On receiving a random challenge from the network, the mobile encrypts the challenge using A3 algorithm and the key Ki assigned to the mobile, and sends the response back
The Response so sent is passed through an algorithm A8 by both mobile and network to derive Kc, which is used for encryption
7/12/12
4343
References
3GPP TS 23.002 version 3.6.0 Release 1999 q GSM Networks - Protocols, Terminology and Implementation.pdf
q
7/12/12
4444
Abbreviations
(1/2)
7/12/12
AUC Authentication Center BSC Base Station Controller BSS Base Station Subsystem BTS Base Transceiver System (Antenna System + Radio Base Station) EIR Equipment Identification Register (for IMEI verification) IMEI International Mobile Equipment Identity GMSC Gateway MSC HLR Home Location Register ISDN Integrated Services Digital Network IWF Interworking Function ILR Interworking Location Register (roaming between AMPS and GSM system) IWMSC Interworking MSC MS Mobile Station MSC Mobile Switching Center NSS Network Switching Subsystem OSS Operation and Support System PDN Public Data Network PLMN Public Land Mobile Network PSTN Public Switched Telephone Network SMS Short Message Service SABME Set Asynchronous Balance Mode Extended VLR Visitor Location Register
4545
Abbreviations
AGCH Access Grant Channel BCCH Broadcast Common Control Channel CBCH Cell Broadcast Channel FACCH Fast Associated Control Channel FCCH Frequency Correction Channel PCH Paging Channel RACH Random Access Channel SDCCH Standalone Dedicated Control Channel SACCH Slow Associated Control Channel SCH Synchronization Channel
(2/2)
7/12/12
4646