
Advanced Wireless Concepts
for Hughes Software Systems, Gurgaon
by S. Shankarnarayan
Revision 2
19th April 2001

1. Introduction to GSM

a) GSM system architecture


[Figure 1.1 - GSM system model - signaling view. Nodes shown: MS, BTS, BSC (BSS), MSC, VLR, HLR, EIR, PSTN/ISDN and PLMN. Signaling labels shown: LAPDm/Q.931, LAPD/Q.931, BSSAP, MAP and ISUP/MAP.]

[Figure 1.2 - GSM system model - Interfaces. Labels shown: Radio interface (Um), Abis, BSC, MSC.]

c) GSM PLMN & frequency reuse


1) Cells, Location Area & Service Area

[Figure 1.3 - Cells, Location Area & Service Area. Areas shown: GSM Service Area, PLMN Service Area (one per operator), MSC Service Area (MSC with VLR; HLR), Location Area, Cell.]

2) Frequency spectrum of existing cellular systems

Band               Systems
450 MHz            NMT 450
800 MHz cellular   AMPS, D-AMPS, TACS, PDC & CDMA
900 MHz cellular   NMT, GSM 900
1500 MHz           PDC 1500
1800 MHz DCS       GSM 1800 (DCS), DECT & PHS
1900 MHz PCS       D-AMPS 1900, CDMA 1900

3) Frequency spectrum for GSM & System specifications


Frequency band            Uplink:   890 - 915 MHz
                          Downlink: 935 - 960 MHz
Duplex distance           45 MHz
Carrier separation        200 KHz (1st carrier: 890.2 MHz)
Number of carriers        124
Modulation                GMSK
Transmission rate         270 Kbps
Access method             TDMA
Time-slots                8 per carrier
Speech coding             RPE-LTP-LPC (Regular Pulse Excitation -
                          Long Term Prediction - Linear Predictive Coding)
Diversity                 Channel coding
                          Interleaving
                          Adaptive equalization
                          Frequency hopping
Extended frequency band   Uplink:   880 - 915 MHz
                          Downlink: 925 - 960 MHz

4) Co-channel Interference
[Figure 1.4 - Carrier-to-Interference ratio. C = carrier f1 strength in dB, I = interferer f1 strength in dB; C/I > 9 dB.]

[Figure 1.5 - Carrier-to-Adjacent ratio. C = carrier f1 strength in dB, A = interferer f2 strength in dB; C/A > -9 dB.]


Interference from carriers in other cells on the same frequency
or on an adjacent frequency (carrier + 200 KHz) must be kept in
view when planning frequency reuse.
As per GSM specifications, C/I should be greater than 9 dB and
C/A should be greater than -9 dB.

5) Frequency Reuse & cell clusters


Cell structure

3/9 cell clusters
Each cell may use one or more carriers.
Each cell in a 3-sectored cluster uses a unique set of carriers.
Each cluster in a 3/9-cluster uses a unique set of carriers.
[Figure 1.6 a) - 3-cell cluster & 3/9 frequency reuse]

7/21 cell clusters
[Figure 1.6 b) - 7-cell cluster & 7/21 frequency reuse]

Frequency reuse in adjacent 3/9 cell clusters
Set of frequencies used in one cell is reused after a 2-cell gap.
[Figure 1.7 - 3/9-cluster group & frequency reuse]

Frequency reuse in 7/21 cell clusters
Set of frequencies used in one cell is reused again after a 4-cell gap.
[Figure 1.8 - 7/21-cluster group & frequency reuse]

6) PLMN, frequency allocation & Reuse


[Figure 1.9 - A PLMN Service Area. Labels shown: PLMN service area, location area, MSC/VLR.]
One PLMN may be allocated only a part of the GSM frequency spectrum.

Omni-cell & 3-sectored cell-structure
One BTS site covers three cells with directional antennas, each
covering a 120 degree angle, at the trijunction of a 3-sectored
cell-structure.
[Figure 1.10 - Omni cell & 3-sectored cell structure. Labels shown: BTS site; sectors A1, A2, A3.]

4/12 cell pattern using 12 frequency groups in 4 sites
[Figure 1.11 - 4/12-cell pattern using 3-sectored cells. Sectors are labelled with the frequency groups A1-A3, B1-B3, C1-C3 and D1-D3.]

12 frequency groups in 4 sites for the 4/12 cell pattern

Group   A1   B1   C1   D1   A2   B2   C2   D2   A3   B3   C3   D3
C0      f1   f2   f3   f4   f5   f6   f7   f8   f9   f10  f11  f12
C1      f13  f14  f15  f16  f17  f18  f19  f20  f21  f22  f23  f24
C2      f25  f26  f27  f28  f29  f30  f31  f32  f33  f34  f35  f36

Sector A1 has 3 carriers of frequency f1, f13 & f25.

Figure 1.12 - 36 available frequencies allocated evenly to sectors

3/9 cell pattern using 12 frequency groups in 4 sites
[Figure 1.13 - 3/9-cell pattern with 3 sites & 9 frequency groups. Sectors are labelled A1-A3, B1-B3 and C1-C3.]

Cell sizes

Large   10 - 30 Km
Small   1 - 3 Km
Micro   100 - 300 m
Pico    10 - 30 m (Used in DECT, 3G)

Figure 1.14 - Different cell sizes

Hierarchical cell structure
[Figure 1.15 - Layered cell structure. Cells shown in layers 1, 2 and 3.]

7) Traffic calculations
Traffic per subscriber
A = n T / 3600 Erlang (E)
Where,
n = number of calls per hour,
T = call holding time in seconds
e.g., if n = 2 & T = 90 then,
A = 2 * 90 / 3600 = 0.050 E or 50 mE

Number of 3-sector sites
Given,
Traffic per subscriber:   50 mE
Total subscribers:        50,000
Available frequencies:    36
Cell pattern:             4/12
Grade of Service:         0.02 or 2%

Calculation of 3-sector sites needed
Frequencies per cell:     3 (36 / 12)
Traffic channels (TCH):   22 [(3 * 8) - 2 (Control)]
Traffic per cell:         14.9 E (22 with GOS 2%), as per Erlang table
Subscribers per cell:     298 (14.9 / 0.05)
Number of cells:          168 (50,000 / 298)
3-sector sites:           56 (168 / 3)
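
The "Erlang table" lookup in the calculation above can be reproduced with the Erlang B formula. The following is an added example, not part of the original notes; the function names are hypothetical, and it assumes the table value is read to one decimal place as in the worked figures.

```python
import math


def erlang_b(channels: int, offered_erlangs: float) -> float:
    """Blocking probability when `offered_erlangs` is offered to `channels` TCHs."""
    b = 1.0                                   # B(0, A) = 1
    for n in range(1, channels + 1):
        b = offered_erlangs * b / (n + offered_erlangs * b)
    return b


def capacity(channels: int, gos: float) -> float:
    """Largest offered traffic (E) whose blocking stays within the grade of service."""
    lo, hi = 0.0, float(channels)
    while erlang_b(channels, hi) < gos:       # widen the bracket for a lenient GOS
        hi *= 2
    for _ in range(60):                       # bisection; blocking grows with traffic
        mid = (lo + hi) / 2
        if erlang_b(channels, mid) <= gos:
            lo = mid
        else:
            hi = mid
    return lo


def dimension(subscribers, milli_erlang_per_sub, frequencies, freq_groups, gos,
              slots_per_carrier=8, control_slots=2, sectors_per_site=3):
    """Carry the page's calculation through for any input values."""
    carriers = frequencies // freq_groups
    tch = carriers * slots_per_carrier - control_slots
    # Erlang tables are read to 0.1 E; integer milli-Erlangs avoid float rounding.
    cell_traffic_me = round(capacity(tch, gos) * 10) * 100
    subs_per_cell = cell_traffic_me // milli_erlang_per_sub
    cells = math.ceil(subscribers / subs_per_cell)
    return {
        "carriers_per_cell": carriers,
        "tch_per_cell": tch,
        "cell_traffic_mE": cell_traffic_me,
        "subscribers_per_cell": subs_per_cell,
        "cells": cells,
        "sites": math.ceil(cells / sectors_per_site),
    }


if __name__ == "__main__":
    # The page's inputs: 50,000 subscribers at 50 mE, 36 frequencies, 4/12 pattern, 2% GOS.
    print(dimension(50_000, 50, 36, 12, 0.02))
```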


d) Cellular mobile technologies


1) Access methods
[Figure 1.16 - Illustration of FDMA, TDMA & CDMA access methods. Panels: FDMA (analog), TDMA (digital), CDMA (digital), each showing the occupancy by one voice channel in the time & frequency domains.]
In CDMA, all channels concurrently occupy the whole bandwidth
all the time.

2) First generation 1G technologies based on FDMA

NMT or Nordic Mobile Telephony (1981) proposed by Nordic
PTTs as two standards NMT 450 & NMT 900 with a carrier
spacing of 25 kHz. First system was launched in 1979.
Roaming was later introduced between several countries.

AMPS or Advanced Mobile Phone System (1984) standard
proposed by FCC & EIA using 800-900 MHz band with a
carrier spacing of 30 kHz. The first system was launched
in 1982. Networks based on AMPS still exist in
some countries.

TACS or Total Access Communication System standard
(1985), derived from AMPS & proposed by Dept. of Trade &
Industries, UK. With extended specifications, it is known as
ETACS. Existing in several scattered countries, roaming is
not possible.

3) Second generation 2G technologies based on TDMA & CDMA

IS-54 earlier known as ADC or American Digital Cellular,
also called D-AMPS (1991), proposed by TIA, using
digital TDMA for communication channels and analog 10
Kbps FSK for control channels. This was an upgrade of
AMPS to digital technology with 3 full-rate or 6 half-rate
channels per 30 KHz carrier & initially known as
TDMA/AMPS. There is no noticeable addition in features or
services compared to AMPS.
There are about 75 million users in these networks spread
around in 34 countries.
IS-136 Rev. A is a later improvement over IS-54 using 48.6
Kbps digital modulated control channels. IS-136 provides
for SMS or short messaging capabilities.
IS-136 Rev. B is a recent version providing for HSCSD, etc.


GSM 900 or Global Systems for Mobile Communication
(1991) standard proposed by CEPT/ETSI, based on TDMA
with 8 full-rate or 16 half-rate channels per 200 KHz carrier.
The network architecture separates the radio functions from
switching functions and concentrates them in a Base
Station System, BSS. GSM standard provides for SMS,
circuit-switched data & international roaming.
There are about 200 networks & 100 million subscribers in
110 countries.

DCS 1800 is a further development of GSM operating in
1800 MHz band.

PDC 800 is a Japanese digital cellular standard (1994)
using radio concepts from ADC and adopting the GSM
network architecture. Used only in Japan, there are about
33 million subscribers.
PDC 1500 standard has also been defined.

IS-95 or CDMA, originally proposed by Qualcomm, is an
alternative to the TDMA access standards. This standard
uses a carrier (800 MHz) with 1.25 MHz band & spread
spectrum techniques in forward (down) & reverse (up) links.
IS-95 has also been used in the 1900 MHz band in US.
There are about 13 million subscribers in networks in North
America and South Korea (9 million).
Since CDMA can coexist with TDMA such as IS-136 &
GSM, it is also preferred for WILL applications.


e) Digital radio transmission


1) Access methods FDMA Vs TDMA
[Figure 1.17 - Illustration of FDMA Vs TDMA access methods. FDMA panel: carriers f1, f2, ...; TDMA panel: numbered timeslots.]

2) TDMA & propagation delay
[Figure 1.18 - Different overlapping arrival times. Label shown: arrival of timeslots from mobiles (TDMA).]

Propagation delays & radio burst
It is not possible to transmit one PCM voice sample per timeslot
in digital TDMA over air as in the wire-line point to point digital
transmission.
We need to accumulate a number of PCM voice samples (say,
32, 64 or 128) before sending them all together as a burst from
one mobile. This will allow us to provide sufficient gap
between bursts from two mobiles located at different distances.
The gap will take care of some delay differences. 160 samples
for a period of 20ms are accumulated in GSM before the burst
transmission.
Round trip delay & echo
The burst method of a block of speech introduces long round
trip delays on an established voice connection. This will result
in echo on a connection to a POTS subscriber. GSM network
should take care to provide an echo canceller on such a
connection.
Low bit-rate coding of speech
Since the voice samples are buffered, it opens up the possibility
of digital processing of voice samples to reduce the bit rate for
voice transmission and number of bits per block of speech.
The speech coders defined for GSM use a hybrid approach of
combining the speech quality of waveform coders & low bit-rate
capability of vocoders. The speech is reduced to 13 Kbps in
GSM, known as full rate. There is provision for half rate.
3) Timing advance control
To reduce the gap between adjacent bursts from nearer &
farther mobile stations, GSM uses a technique of timing
advance. The mobiles moving away from the base station are
periodically asked to advance their burst transmission in terms
of a number of bit times. The mobiles moving towards the
base station are asked periodically to reduce the timing
advance (TA).

[Figure 1.19 - Periodic control of timing advance. Command shown: "Advance timing - n bits".]

[Figure 1.20 - Burst transmission with timing advance. Uplink and downlink timeslots; the MS receives, then transmits with timing advance.]


4) Transmission path loss & MS transmit power control
For a given antenna, the received power is inversely
proportional to the square of the distance between the transmit
& receive antennas.
The received power is also inversely proportional to the square
of the frequency.
$L_s \propto d^2 f^2$, or in dB
$L_s\,(\mathrm{dB}) = 32.4 + 20 \log f_{\mathrm{MHz}} + 20 \log d_{\mathrm{Km}}$
Where 32.4 is a constant of proportionality

[Figure 1.21 - Periodic control of transmit power. Command shown: "Increase power - m dB".]

5) Log-normal fading
[Figure 1.22 - Obstacles in the radio path & the shadowing effect]
[Figure 1.23 - Log-normal fading due to shadowing effect on a moving MS. Axes: signal level (dB) against log (distance); curves: path loss, log-normal fading.]
If the logarithm of the signal strength is measured along the path of
a mobile, the curve will take the form of a normal distribution
around a mean value that represents the path loss. The fading
dips are situated about 10 to 20 meters apart.
6) Rayleigh or multi-path fading
This occurs when the transmitted radio signal takes more than
one path to reach the mobile receiver. When the mobile is in
the direct line-of-sight path, it may receive the signal as several
reflections against big buildings.

[Figure 1.24 - Multi-path or Rayleigh fading]
[Figure 1.25 - Rayleigh fading over log-normal fading. Axes: signal level (dB) against log (distance); curves: path loss, log-normal fading, Rayleigh fading.]
This means that the received signal is a sum of many identical
signals differing mainly in phase. Two received signals that are
180° out of phase may cancel each other out. Smaller phase
differences cause steep dips in the received signal.
7) Time dispersion of received signal bits
Time dispersion causes inter-symbol-interference between
consecutive bits received at a mobile.

[Figure 1.26 - Inter-symbol-interference due to time dispersion]

Bit rate in GSM:                                        270 Kbps
Bit cell period:                                        3.7 microseconds
Bit traverse distance in 1 bit period - straight path:  1.1 Km
Interfering reflected bit traverse distance, possibly:  2.2 Km

A moving car 1 Km from a base station may find the preceding
bit arriving via a reflected path at the same time as the arrival of
a new bit.
Depending on the distance and the surroundings, a reflected bit
may interfere with another bit transmitted two bit-times later.
8) Coding of speech to reduce bit rate
To economize on the frequency spectrum & bandwidth
requirements per channel & carrier, GSM employs speech
coding to reduce the bit rate to 13 Kbps per voice channel.
A block of 160 speech samples over a period of 20 ms is
digitally processed using DSP technology to reduce the number
of bits to 260 bits per block. Compare this to 1280 bits
needed as PCM samples.
Speech coding scheme
[Figure 1.27 - Speech coding in GSM. Block of 160 samples over 20 ms (2080 bits) -> RPE-LTP-LPC speech coder -> block of 260 bits.]
9) Coding of speech for error control
Error control codes
Log normal fading, multi-path fading, time dispersion, etc. result
in bit errors in the received bit stream. Bit error ratio or BER of
the received bit stream is a measure of the transmission quality.
By using redundancy & spreading out the information bits, it is
possible to reduce BER and also be able to detect as well as
correct errors. These are known as Error Control codes.
Error control codes can be divided into Block Codes and
Convolution Codes.
Block coding
[Figure 1.28 - Principle of Block coding. INFO -> block coder -> INFO + check bits.]

Figure 1.28 shows the principle of block coding. Redundant
check bits are generated and added by the block coder to the
information bits in a block. The check bits depend on the bit
stream in that block of information bits.
Block codes are used for data blocks where we are interested
in detecting errors and asking for retransmission. This method of
error correction by retransmission is known as ARQ. In the
case of data, we can afford to wait for retransmission since data
transmission is tolerant of delays and delay variations.
Voice & video, known as isochronous services, do not admit
delay variations. In these cases, we have either to ignore
errors or correct them in real time.

Convolution coding

[Figure 1.29 - Principle of convolution coding. Info -> convolution coder -> coded info.]

In convolution coding, the output of the coder depends not only
on the current input block but also on the preceding block(s). If
the output has two bits for each input bit, then the rate of
redundancy is said to be 1 : 2.
Convolution codes are suitable for voice and video, as it is
possible to correct errors in this method.
Channel coding in GSM - Error control
GSM uses a two-step approach of block and convolution
coding of speech blocks.

[Figure 1.30 - Channel coding in GSM. 50 VI (very important) bits -> block coder -> 53 bits; 53 bits + 132 important bits + 4 tail bits -> convolution coder; 78 not so important bits are added to the coder output; result: 456 bits.]

First step:   3 parity bits are added in the block coder to the
              50 very important bits in the information block.
Second step:  53 block coded bits + 132 important bits + 4
              tail bits are convolution coded with a rate of
              1:2. The output of the convolution coder has 378
              bits.
Third step:   The remaining 78 not so important bits are added
              to the output of the convolution coder to get the
              final spread-out block of 456 bits for the
              original speech block.

The two-step approach is used in GSM both for speech & data.
The schemes for speech and data are somewhat different.
We are able to correct errors as far as possible by convolution
coding. The block coding helps to detect errors and determine
if the information block is too damaged to use and if so to
ignore it.
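
The three steps above, carried through in code with a hard-decision Viterbi decoder on the receive side. This is an added example, not part of the original notes: it assumes the generator polynomials that GSM 05.03 gives for full-rate speech and leaves out the standard's bit reordering and parity inversion; the sample block is constructed.

```python
MASKS = (0b11001, 0b11011)   # G0 = 1 + D^3 + D^4, G1 = 1 + D + D^3 + D^4


def parity3(bits):
    """3 check bits: remainder of bits(x) * x^3 divided by x^3 + x + 1."""
    r2 = r1 = r0 = 0
    for b in bits:
        fb = b ^ r2
        r2, r1, r0 = r1, r0 ^ fb, fb
    return [r2, r1, r0]


def step(state, bit):
    """One encoder clock: returns (next_state, (out0, out1))."""
    window = (state << 1) | bit              # bit i of window = input delayed by i
    outs = tuple(bin(window & m).count("1") & 1 for m in MASKS)
    return window & 0b1111, outs


def conv_encode(bits):
    state, out = 0, []
    for b in bits:
        state, outs = step(state, b)
        out.extend(outs)
    return out


def viterbi_decode(coded):
    """Hard-decision maximum-likelihood decoding over the 16-state trellis."""
    inf = float("inf")
    metric = [0] + [inf] * 15                # encoder starts in state 0
    paths = [[] for _ in range(16)]
    for k in range(0, len(coded), 2):
        new_metric, new_paths = [inf] * 16, [None] * 16
        for s in range(16):
            if metric[s] == inf:
                continue
            for b in (0, 1):
                ns, (o0, o1) = step(s, b)
                m = metric[s] + (o0 != coded[k]) + (o1 != coded[k + 1])
                if m < new_metric[ns]:
                    new_metric[ns], new_paths[ns] = m, paths[s] + [b]
        metric, paths = new_metric, new_paths
    return paths[0]                          # the 4 tail bits end the trellis in state 0


def channel_encode(speech):
    """260 speech bits -> 456 bits: (50 + 3 + 132 + 4) at rate 1:2, plus 78."""
    vi, important, rest = speech[:50], speech[50:182], speech[182:]
    protected = vi + parity3(vi) + important + [0, 0, 0, 0]
    return conv_encode(protected) + rest


def channel_decode(block):
    """456 received bits -> (260 speech bits, bad_frame flag)."""
    d = viterbi_decode(block[:378])
    bad_frame = parity3(d[:50]) != d[50:53]
    return d[:50] + d[53:185] + block[378:], bad_frame


# Constructed sample: 260 bits standing in for one speech coder block.
SPEECH = [(i * i + i // 7) % 2 for i in range(260)]


def demo():
    block = channel_encode(SPEECH)
    noisy = block[:]
    for i in (20, 150, 300, 400):            # 3 errors in the coded part, 1 in the 78
        noisy[i] ^= 1
    decoded, bad = channel_decode(noisy)
    wrong = [i for i in range(260) if decoded[i] != SPEECH[i]]
    # A residual error among the 50 very important bits (what is left when the
    # convolution code is overwhelmed), modelled by flipping one bit after the
    # parity was computed.
    vi = SPEECH[:50]
    damaged = vi[:10] + [vi[10] ^ 1] + vi[11:]
    protected = damaged + parity3(vi) + SPEECH[50:182] + [0] * 4
    _, bad_residual = channel_decode(conv_encode(protected) + SPEECH[182:])
    return len(block), wrong, bad, bad_residual


if __name__ == "__main__":
    print(demo())
```

The isolated errors in the convolution coded part are corrected, the error in the uncoded 78 bits passes through unnoticed, and the parity check flags the block whose very important bits remain damaged.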
Channel coding is effective in detecting and correcting single
errors and very short burst errors. What if the burst errors are
too long?
10) Segmentation & interleaving for burst error control
Principle of Interleaving for Burst Error control
[Figure 1.31 a) - Principle of interleaving for burst error control]

Interleaving is a way of separating consecutive bits that would
be affected by burst errors and sending them in a non-consecutive
way by spreading them out over long periods.
In figure 1.31 a), blocks of speech are segmented into four
parts numbered 1 to 4. At the time of sending, segments
numbered 1 from four consecutive blocks are together sent as a
frame. Similarly, frames 2, 3 & 4 are transmitted consecutively.

[Figure 1.31 b) - Principle of interleaving & spreading of burst errors. Label shown: regrouped information block.]

Suppose frame 2 underwent heavy burst errors and had to be
rejected. Figure 1.31 b) shows the regrouped information
where the burst errored parts have been spread out.
Now, with the help of channel coding it may be possible to
reconstruct the original information with error correction.
GSM adopts a two-level interleaving scheme.
First level of interleaving in GSM
In the first level of interleaving, the 456 bits from the channel
coder are interleaved into eight segments of 57 bits each. The
consecutive eight bits from the original information are spread
out into these eight segments. That is to say that each of
these segments holds 57 non-consecutive information bits.
See figure 1.32 where each column is a segment of 57
non-consecutive bits.


  1    2    3    4    5    6    7    8
  9   10   11   12   13   14   15   16
 17   18   19   20   21   22   23   24
 25   26   27   28   29   30   31   32
  .    .    .    .    .    .    .    .
  .    .    .    .    .    .    .    .
441  442  443  444  445  446  447  448
449  450  451  452  453  454  455  456

8 segments of 57 bits each

Figure 1.32 - First level of interleaving & spreading in GSM
Second level of interleaving in GSM
Figure 1.33 a) shows four blocks of channel coded and first level
interleaved speech blocks.
[Figure 1.33 a) - Four channel coded speech blocks with 1st level of interleaving. Speech blocks A, B, C and D, 8 segments each.]
[Figure 1.33 b) - Four channel coded speech blocks with interleaved segments from consecutive blocks. Speech blocks A, B, C and D, 8 segments each.]

[Figure 1.34 - Normal burst over air in GSM containing 2 speech segments. Field lengths shown: 3, 57, 26, 57.]
Figure 1.34 shows a normal radio burst that has space for two
segments of 57 bits of speech.

[Figure 1.35 a) - 2nd level interleaved segments -1. Segment pairs in order: A-S1/Z-S5, A-S2/Z-S6, A-S3/Z-S7, A-S4/Z-S8, B-S1/A-S5, B-S2/A-S6, B-S3/A-S7, B-S4/A-S8, C-S1/B-S5, C-S2/B-S6, C-S3/B-S7, C-S4/B-S8, D-S1/C-S5, D-S2/C-S6, D-S3/C-S7, D-S4/C-S8.]

[Figure 1.35 b) - 2nd level interleaved segments -2. A (S1-S4) with Z (S5-S8), B (S1-S4) with A (S5-S8), C (S1-S4) with B (S5-S8), D (S1-S4) with C (S5-S8).]

[Figure 1.36 - Normal bursts carrying 2nd level bit-interleaved segments. Bursts A-S1/Z-S5 to D-S4/C-S8; the burst B-S1/A-S5 is expanded to show its bits: B1, A5, B17, A21, B33, A37, ... and B9, A13, B25, A29, B41, ...]

Each burst in GSM actually holds two segments from two
consecutive speech blocks. In other words, eight segments of
a speech block are spread over eight consecutive bursts with
interleaving of consecutive bits from the two segments.
See figure 1.36.
Each burst shown is sent in consecutive TDMA frames in the
allocated timeslot or the physical channel.
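
The two interleaving levels, with one burst lost on the air, as an added example that is not part of the original notes. It assumes a plain alternation of the two segments inside a burst (the exact bit positions of a real GSM burst are simplified) and uses constructed blocks named Z, A, B, C, D as in the figures.

```python
BLOCK_BITS, SEGMENTS, SEG_LEN = 456, 8, 57


def interleave(blocks):
    """List of 456-bit blocks -> list of 114-bit burst payloads."""
    bursts = []
    for prev, cur in zip(blocks, blocks[1:]):
        for i in range(4):
            burst = []
            for t in range(SEG_LEN):
                burst.append(cur[i + SEGMENTS * t])        # segment S(i+1) of the new block
                burst.append(prev[4 + i + SEGMENTS * t])   # segment S(i+5) of the previous block
            bursts.append(burst)
    return bursts


def deinterleave(bursts, n_blocks, lost=()):
    """Rebuild the blocks; bits carried by a lost burst stay None (erased)."""
    blocks = [[None] * BLOCK_BITS for _ in range(n_blocks)]
    for b, burst in enumerate(bursts):
        if b in lost:
            continue
        cur, prev, i = b // 4 + 1, b // 4, b % 4
        for t in range(SEG_LEN):
            blocks[cur][i + SEGMENTS * t] = burst[2 * t]
            blocks[prev][4 + i + SEGMENTS * t] = burst[2 * t + 1]
    return blocks


def damage(block):
    """(missing bits, longest run of consecutive missing bits, first missing bit numbers)."""
    missing = [k + 1 for k, bit in enumerate(block) if bit is None]
    run = longest = 0
    for bit in block:
        run = run + 1 if bit is None else 0
        longest = max(longest, run)
    return len(missing), longest, missing[:3]


# Constructed sample: five consecutive channel coded blocks Z, A, B, C, D.
NAMES = "ZABCD"
BLOCKS = [[(n + k * k + k // 5) % 2 for k in range(BLOCK_BITS)] for n in range(5)]


def demo(lost_burst=4):
    """Lose burst 4 (B-S1/A-S5) and report the damage to blocks A, B and C."""
    bursts = interleave(BLOCKS)
    received = deinterleave(bursts, len(BLOCKS), lost={lost_burst})
    return {NAMES[n]: damage(received[n]) for n in (1, 2, 3)}


if __name__ == "__main__":
    for name, (count, longest, first) in demo().items():
        print(name, "missing:", count, "longest run:", longest, "first:", first)
```

Losing a whole burst costs blocks A and B 57 bits each, but never two consecutive bits, which is the error pattern the convolution code handles best.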
Round trip delay
The duration of a TDMA frame is about 5 ms each. As the
speech block is spread over 8 TDMA frames, there is a delay of
40 ms over the radio for the entire block to be sent.
Speech coding itself introduces a delay of 20 ms due to
buffering of 160 samples.
In the base station system, these interleaved segments are
accumulated, transcoded into PCM format and sent forward as
PCM samples over a period of 20 ms thereon.
Thus the various coding & interleaving schemes introduce a
one-way delay of 80 ms or a round trip delay of 160 ms on a
speech connection.
Therefore we need an echo canceller on a connection from a
mobile to a POTS subscriber involving a two-wire to four-wire
converter to avoid talker echo for the mobile user.
11) Modulation of carrier in GSM
GSM uses GMSK (Gaussian Minimum Shift Keying) modulation
scheme. This is a BPSK Phase Shift Keying technique with
two phases wherein the phase shift is controlled to be smooth
rather than abrupt as in the conventional method.
GMSK reduces the carrier bandwidth requirements at the cost
of lesser resistance to noise.

12) Frequency hopping (slow) & Rayleigh fading
The Rayleigh fading pattern mentioned earlier is
frequency-dependent. This means that the fading dips will occur at
different places for different frequencies. If we keep changing
the frequencies during a call and if only one of them has a
fading dip, we lose only a fraction of the information. With
complex signal processing, it may be possible to restore the
information. See figure 1.37 for frequency hopping in GSM.
[Figure 1.37 - Frequency hopping between two carriers. Uplink and downlink timeslots (0 to 7) on carriers C1 and C2.]


Frequency hopping can be over several carriers in cyclic
fashion over consecutive TDMA frames but using the same
timeslot all the time.
13) Antenna (or space) diversity & deep fading
The method involves using two receiver antennas at the base
stations independently receiving the same signal and influenced
by fading differently. The risk of both being affected by deep
fading at the same time is small. By choosing the better of the
two received signals, the degree of fading can be reduced.
The distance between the two antennas should be such that the
correlation between the two received signals is small.
At 900 MHz, we can gain 3 dB with an antenna distance of 5-6
meters.

[Figure 1.38 - Antenna diversity. Horizontal axis: time.]
14) The Viterbi equalizer & time dispersion
The equalizer in GSM is to reduce the effect of time dispersion
causing adjacent inter-symbol-interference. The principle is
based on creating a mathematical model of the air interface
channel and calculating the most probable transmitted data.

[Figure 1.39 - Viterbi equalizer. Blocks shown: received burst (data, T', data), correlator, channel model, difference, probable transmitted bit sequence. Annotation: "Choose ? pattern so that the difference is minimized".]
A pattern known as the training sequence is included in the
middle of the burst in GSM for this purpose. The GSM
specification prescribes an equalizer capable of handling a
reflected signal delayed up to four bit times. This corresponds
to 15 microseconds or a path difference of 4.5 Km between the
direct and reflected signals.
How the Viterbi equalizer works
Channel is assumed to be constant during one burst.
Known training sequence T is compared with T' of the
received burst in a correlator.
A probable transmitted bit sequence is fed through a
channel model and output is compared with the received bit
sequence.
Based on the difference, the Viterbi equalizer selects a more
probable transmitted bit sequence and again feeds it
through the channel model.
The process is repeated until a good enough bit sequence is
found.
A powerful algorithm is used to neglect the least likely bit
patterns.

15) The time advance
The base station periodically sends a value between 0 & 63
telling a moving mobile as to how many bit times (3.7
microseconds) the mobile should advance its burst transmission
relative to synchronization time.
This is one of the parameters limiting the size of the cell.
16) Encryption of speech, signaling or data
As a matter of security over the air interface, GSM employs
encryption of all the important communications between MS &
the MSC on a per call or access basis. The ciphering key is
derived using an algorithm in the MS itself based on a random
number linked to the identity of the MS. The random number is
sent by the MSC during the establishment of the
communication channel between MS & the MSC. We will see
more of this later.

17) Digital transmission summary
Block schematic of a Mobile Station (MS)
Figure 1.40 shows the different signal processing parts involved
in the transmission and reception of speech.
[Figure 1.40 - Block schematic of transmission functions of an MS. Transmit chain: microphone, A/D conversion (8 KHz, 13 bits), speech blocking, speech coding (13 Kbps), channel coding (22.8 Kbps), interleaving, ciphering, burst formatting (33.8 Kbps), modulator, transmitter, antenna. Receive chain: antenna, receiver, demodulator, Viterbi equalizer, deciphering, deinterleaving, Viterbi decoding, speech decoding, D/A conversion, earphone.]

The receiving part
A channel model is created in the equalizer where also an
estimated bit sequence pattern is calculated for each burst.
After all the eight bursts of a 20 ms speech block have been
received, they are reassembled into a 456-bit block.
The sequence is decoded in the Viterbi decoder to detect and
correct errors encountered in transmission. The decoder uses
"soft information" (as to the probability that a bit is zero) from
the equalizer to improve error correction.
Block schematic of the Base station & the network part

[Figure 1.41 - Block schematic of transmission functions in the network. Transmit chain: transcoding (8 KHz, 8 bits, 64 Kbps PCM to 8 KHz, 13 bits, linear), speech blocking, speech coding (13 Kbps), channel coding (22.8 Kbps), interleaving, ciphering, burst formatting (33.8 Kbps), modulator, transmitter. Receive chain: receiver, demodulator, Viterbi equalizer, deciphering, deinterleaving, Viterbi decoding, speech decoding (13 Kbps), transcoding (8 KHz, 13 bits to 8 KHz, 8 bits, 64 Kbps PCM). Label shown: TRAU.]

Transcoder
The network has a transcoder for D/D conversion between
PCM samples & linear-coded 13 bit samples.
18) Transcoder & rate adaptation unit or TRAU
TRAU functionally belongs to BTS but can be remotely located
in the BSC as is the normal practice or even the MSC. But a
remote TRAU is still controlled by the BTS.

[Figure 1.42 - TRAU placed in BSC & Abis interface. Shown: BTS, Abis, TRAU in BSC, A, MSC; 16 Kbps channels carrying 13 Kbps speech + 3 Kbps BTS-TRAU signaling.]

BTS-TRAU signaling
Synchronization of the 20ms blocks
Time alignment, i.e., BTS control of the phasing of incoming 20ms blocks from the TRAU
Speech/data discrimination and the type of adaptation needed for data
Bad frame indication to TRAU by BTS
Indication whether DTX is to be applied on the downlink
Silence Descriptor (SID) indication on the uplink

[Figure 1.43 - TRAU in between 16 Kbps & 64 Kbps channels. Shown: BTS, ET, G.703 on Abis with 4 channels of 16 Kbps in one 64 Kbps channel, TRAU, ET, G.703 on A with 4 channels of 64 Kbps, MSC.]


f) GSM Components
1) GSM system model
[Figure 1.44 - GSM system model. Switching System (SS): AUC, HLR, EIR, GMSC, MSC/VLR, GIWU, SM-SC, SMS Gateway, with GMSC links to/from PSTN/ISDN. Base station system (BSS): BSC, BTS. Operation & Support System (OSS).]

2) System components
The Switching System (SS)

Mobile Services Switching Centre (MSC)


MSC handles call processing, signaling, switching, charging,
authentication of MS identity, etc.
MSC is a regular digital switch with digital trunk interfaces
with CCS 7 signaling and mobile-related software.

Visitor Location Register (VLR)


VLR obtains & stores the subscriber data of all the Mobile
Stations (MS) currently visiting the MSC service area and
keeps track of the current location, i.e., location area (LA),
of all of them.
VLR is normally integrated with MSC and is known as
MSC/VLR.

Gateway MSC (GMSC)


This is a software function for finding the MSC service area
in which a called MS is currently located. This function is
required for all mobile-terminated calls and is resident in
the MSC. The GMSC function interrogates the HLR to obtain
this information, which is required for further routing of the call.

Home Location Register (HLR)


HLR has all the subscriber data of all the subscribers to a
PLMN. The subscriber data for a new visitor to an MSC
service area is supplied to the MSC/VLR for temporary
storage as long as the MS stays in its service area. It also
updates the current location, i.e., MSC service area, of the
subscriber. This information is provided to GMSC, on
interrogation.
HLR is generally integrated with one of the MSC/VLR in the
PLMN. There can be more than one HLR in a PLMN. A
block of MSISDN numbers would be allocated to each HLR.
HLR can also be implemented as a stand-alone node.


Authentication Centre (AUC)


For authenticating an MS identity during registration, call
origination, etc., security data known as triplets are needed
by the MSC. This security data for each MS identity is
generated in the AUC and is supplied to HLR & MSC.
AUC can be implemented on a PC or on a UNIX platform.

Equipment Identity Register (EIR)


EIR is a database for validation of Mobile Equipment (ME)
with lists of type-approved & barred ME numbers.

GSM Interworking Unit (GIWU)


This is required for circuit-switched voice-band data
communication between an MS with digital data & a POTS
line with MODEM or analog data.

SM-SC & SMS Gateway


These two nodes together enable Short Message Service
or SMS (limited to 160 characters) to be offered to mobile
users.

Short Message Service Centre or SM-SC is a store-and-forward centre for short messages.

SMS Gateway finds out the current location (MSC
service area) from the HLR & enables mobile-terminated
messages to be forwarded to the MS.
The node also has the function of SMS-IWMSC required
for relaying short messages to the SM-SC for storage.

The Base Station Sub-system (BSS)


All the radio-related functions & activities have been separated
from the MSC and concentrated in the BSS in the GSM. The
BSS consists of two components.

Base Station Controller (BSC)

This node also consists of a digital switch with digital trunk
terminations and GSM radio-related interfaces & software
functions.
Administration of the radio network, switching of mobile
subscribers during a call, paging a called MS, locating a
mobile subscriber moving from cell to cell during
conversation, handovers, collection of statistics such as
traffic per cell, etc. are some of the functions of BSC.
Transcoder Rate Adapter Unit (TRAU), an important
component of the BSS, is also normally located in the BSC.

Base Transceiver Station (BTS)


It consists of radio transmitter & receiver, mast, antennas
and signal processing specific to radio interface. A number
of BTSs can be located at a site, sharing a common mast.

The Operation and Support Sub-system (OSS)


The individual MSC/VLR & BSC nodes handle the basic &
routine O&M tasks such as traffic measurement,
analysis and fault diagnosis. OSS is a centralised node, which
provides the network operator with user-friendly tools for
planning, operating and maintaining a cellular network
efficiently and with a high quality of service. Some of the
functions of the OSS are:

Radio configuration - e.g., adding cells & carriers
Network supervision & operation - e.g., network modeling
and alarm handling
Switching configuration - e.g., expansion, soft patches and
software updates
Performance management - e.g., generation of statistical
reports

The Mobile Station (MS)

The MS consists of the Mobile Equipment (ME) from a vendor
and a Subscriber Identity Module (SIM) provided and/or
programmed by the network operator.

ME is uniquely identified by an International Mobile
Equipment Identity (IMEI).

An International Mobile Subscriber Identity (IMSI)
uniquely identifies a mobile subscriber or MS to a specific
GSM PLMN. IMSI is embodied into the SIM, which can be
inserted into any ME. The SIM has all the information
related to the mobile subscriber.

IMSI is used between the MS and the MSC at the time of
the initial registration of an MS visiting the MSC service
area.

Thereafter IMSI is not normally used over the radio path
for security reasons. On registration, the MSC allocates
a Temporary Mobile Subscriber Identity (TMSI), which
is also changed from time to time. TMSI is used by MSC
for paging MS. MS uses TMSI during location updating
and mobile-originated calls.

GSM subscribers are also publicly identified by Mobile
Station ISDN number (MSISDN). A caller uses
MSISDN to call a mobile subscriber. MSISDN consists
of:
Country Code (CC) + National Destination Code
(NDC) + Subscriber Number (SN)

The call is routed to the home PLMN of the mobile
subscriber. It is the HLR that translates the MSISDN to
IMSI, knows the MSC/VLR service area where the MS is
currently located & helps in routing the call to the specific
MSC.
Another identity known as Mobile Subscriber Roaming
Number (MSRN) is used internally in the PLMN to route
the incoming call to the specific MSC.


g) GSM Identities
1) Mobile Station ISDN Number (MSISDN) (E.164)
International MSISDN (15 digits) = CC + NDC + SN
National mobile number = NDC + SN

CC    Country Code (1~3 digits)
NDC   National Destination Code (2-3 digits)
      Identifies the GSM PLMN Area Code
SN    Subscriber Number
2) International Mobile Subscriber Identity (IMSI) (E.212)


IMSI (Max 15 digits) = MCC + MNC + MSIN
National MSI = MNC + MSIN

MCC    Mobile Country Code (3 digits)
MNC    Mobile Network Code (2 digits)
MSIN   Mobile Subscriber Identification Number
3) Mobile Station Roaming Number (GSM Rec.)

MSRN = CC + NDC + SN

SN   Subscriber Number, in effect the address of the
     MSC/VLR node within the PLMN

4) Temporary Mobile Station Identity (TMSI) (GSM Rec.)

Max 4 octets long
TMSI is of only local significance.
5) International Mobile Equipment Identity (IMEI) (GSM Rec.)

IMEI = TAC + FAC + SNR + Sp

TAC   Type Approval Code (Central GSM body)    6 digits
FAC   Final Assembly Code (Manufacturer)       2 digits
SNR   Serial Number                            6 digits
      Unique number within a TAC + FAC
Sp    Spare (Future Use)                       1 digit

6) Location Area Identity (LAI) (GSM Rec.)

LAI = MCC + MNC + LAC

MCC   Mobile Country Code (As in IMSI)     3 digits
MNC   Mobile Network Code (As in IMSI)     2 digits
LAC   Location Area Code (PLMN operator)   16 bits

LAI is used for location updating of MS.
All cells in a location area broadcast the LAI.
MS recognizes when it enters a new LA.

7) Cell Global Identity (CGI) (GSM Rec.)

CGI = MCC + MNC + LAC + CI

CI   Cell Identity (PLMN Operator)   16 bits

Each cell broadcasts its CGI. MS listens to this information in
the current & surrounding cells.
8) Base Station Identity Code (BSIC) (GSM Rec.)

BSIC = NCC + BCC

NCC   PLMN Colour Code, 3 bits (xyy): x operator, yy country
      (to distinguish between neighbouring operators)
BCC   Base Station Colour Code, 3 bits
      (to distinguish between neighbouring base stations)

9) Global Title (GT) (E.164)

GT = CC + NDC + SN

GT is an address such as dialed digits, say MSISDN, as per
CCITT/ITU Rec. E.164. The SN can be a node address.

GT is used in the No.7 SS to route a message to a remote node
without a circuit-switched connection. SCCP with routing
function is used at the originating & intermediate nodes. The
GT is contained as a parameter inside the message.
For example, the first two digits in the subscriber number (SN) in
the MSISDN identify an HLR. The GMSC function identifies
an appropriate HLR from the received MSISDN.
10) Mobile Global Title (MGT) (GSM Rec.)

MGT = CC + NDC (E.164) + MSIN (E.212)

MSIN   Mobile Station Identification Number   10 digits

MSIN identifies the MS & also its HLR.
CC/NDC identifies the country & the PLMN & possibly the HLR
where the MS is registered.
IMSI & MGT
When an MS is turned on in (or enters) the MSC/VLR service
area of a PLMN, the MS has to be registered as a new visitor in
the VLR. VLR needs to address the HLR where the
subscription information of the mobile subscriber is registered.
The information obtained from the MS for this purpose is IMSI
consisting of MCC + MNC + MSIN. There are two possibilities.

The HLR is in the same PLMN as the VLR. That is, the MS
is in the home PLMN. Analysis of MCC + MNC identifies
this case. Further analysis of MNC itself or MSIN identifies
the HLR where the subscriber profile of the MS is registered.

Analysis of MCC + MNC indicates another PLMN, possibly
in another country. Then the VLR has to send a message
via the public national/international signaling network to the
HLR of the home PLMN. This has to go as an SCCP
message for which the IMSI must be converted to MGT.

Conversion of IMSI to MGT

IMSI:  MCC + MNC + MSIN
MGT:   CC  + NDC + MSIN

Translation of IMSI to MGT in the VLR

CC is derived directly from the MCC translation.
NDC is derived either directly from the MNC or in
conjunction with the initial digits of the MSIN.
The MSIN from IMSI is directly mapped into the MSIN part
of the MGT.

This translation is done in the application layer of the VLR.
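
The translation described above, written out as an added example (not code from the original slides). The MCC-to-CC pairs are real assignments; the MNC-to-NDC entries, the MSIN-prefix rule and the home PLMN are constructed for illustration, and the 15-digit truncation follows ITU-T E.214 rather than anything stated on this page.

```python
from dataclasses import dataclass

# MCC -> CC: real E.212 / E.164 country assignments.
MCC_TO_CC = {"404": "91", "262": "49", "234": "44"}
# (MCC, MNC) -> NDC: constructed values; each operator defines its own.
MNC_TO_NDC = {("262", "01"): "171", ("234", "15"): "7785"}
# (MCC, MNC, leading MSIN digits) -> NDC: constructed, for networks where the
# MNC alone does not select the NDC.
MNC_MSIN_TO_NDC = {("262", "01", "55"): "160"}
HOME_PLMN = ("404", "10")   # constructed home network of this VLR
MAX_E164_DIGITS = 15


@dataclass(frozen=True)
class Imsi:
    mcc: str
    mnc: str
    msin: str


def parse_imsi(digits: str, mnc_len: int = 2) -> Imsi:
    """Split an IMSI into MCC (3 digits), MNC (2 digits here) and MSIN."""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("IMSI must contain decimal digits only")
    if not 3 + mnc_len < len(digits) <= 15:
        raise ValueError("IMSI length out of range (max 15 digits)")
    return Imsi(digits[:3], digits[3:3 + mnc_len], digits[3 + mnc_len:])


def imsi_to_mgt(imsi: Imsi) -> str:
    """Build the Mobile Global Title CC + NDC + MSIN used as the SCCP address."""
    cc = MCC_TO_CC.get(imsi.mcc)
    if cc is None:
        raise LookupError(f"no CC translation for MCC {imsi.mcc}")
    # Prefer the longest matching MSIN prefix, then fall back to the MNC alone.
    for n in range(len(imsi.msin), 0, -1):
        ndc = MNC_MSIN_TO_NDC.get((imsi.mcc, imsi.mnc, imsi.msin[:n]))
        if ndc is not None:
            break
    else:
        ndc = MNC_TO_NDC.get((imsi.mcc, imsi.mnc))
    if ndc is None:
        raise LookupError(f"no NDC translation for MNC {imsi.mnc}")
    # E.214: a title longer than 15 digits loses its least significant digits.
    return (cc + ndc + imsi.msin)[:MAX_E164_DIGITS]


def address_hlr(imsi_digits: str):
    """Decide how the VLR reaches the HLR for a newly registered IMSI."""
    imsi = parse_imsi(imsi_digits)
    if (imsi.mcc, imsi.mnc) == HOME_PLMN:
        return ("home-plmn", imsi_digits)       # HLR found by local analysis
    return ("sccp-global-title", imsi_to_mgt(imsi))


if __name__ == "__main__":
    # Constructed sample IMSIs: one home subscriber, two visitors.
    for sample in ("404101234567890", "262011234567890", "262015512345678"):
        print(sample, "->", address_hlr(sample))
```

An unknown MCC or MNC raises LookupError instead of producing a partial title, so a visitor whose home network has no translation entry is rejected at the VLR rather than misrouted.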

h) Digital Radio Interface


1) TDMA frame, time slot & logical channels
Downlink and uplink TDMA frames

Figure 1.45 - TDMA frame & timeslots


Timeslot & physical channels
Each timeslot of a TDMA frame - downlink or uplink - is known
as a physical channel.

Logical channel
Using multi-frame mode, different logical channels can be
mapped independently in either direction. These "logical
channels" carrying control information are generally mapped on
to one or two timeslots of one carrier, C0, in a cell. The
remaining "logical channels" are used to carry traffic such as
voice.

Logical channels
  Control channels: BCH, CCCH, DCCH
    BCH: FCCH, SCH, BCCH
  Traffic channels

Figure 1.46 - Control channels, traffic channels & broadcast channels


Broadcast channels (BCH)
The carrier carrying the BCCH channel, normally C0, is also
known as the BCCH-carrier. The BCCH-carrier is used to
broadcast a lot of information required by an MS. A list of
allocated BCCH carriers for the home network operator is
programmed into SIM. An MS is also capable of scanning the
whole GSM frequency band.
When an MS is turned on, it has to camp on to the nearest BTS,
preferably of the home PLMN. When it finds the strongest
carrier, it has to find the BCCH-carrier in the cell. The BCH
bursts are normally transmitted at the maximum power for the
cell so that the farthest new arrival can lock on to it.
Frequency correction channel - FCCH
This channel, carrying a sine wave signal, is broadcast downlink
for an MS to synchronise to the frequency. This is on the same
carrier as that of the BCCH.
Synchronisation channel (SCH)
This carries information regarding the TDMA frame structure
and frame number in this cell, to which an MS has to lock on
when it enters a cell or when it is turned on. The MS also
comes to know that this is a GSM base station. SCH also carries
BSIC information. SCH is a downlink channel.
Broadcast control channel (BCCH)
After locking on to the frequency and frame structure in the cell,
MS needs some more general information broadcast on the
BCCH: the LAI, the maximum output power in the cell, BCCH-carriers
of the neighbouring cells on which the MS will perform
the measurements, etc. BCCH is a downlink channel.
If the MS has just been turned on or has entered a new location
area, it has to carry out a procedure known as location
updating.
The MS is now ready to roam around, camp on a cell, listen to
paging, originate calls, etc.
Common control channels (CCCH)
Control channels: BCH, CCCH, DCCH
  CCCH: PCH, RACH, AGCH

Figure 1.47 - Common control channels


Paging channel - PCH
Mobile subscribers are paged on this downlink channel for
incoming calls or short messages, using their TMSI. Every MS
in a cell will periodically listen to this channel.
Random access channel - RACH
When an MS wants to do location updating, respond to a
paging message or originate a call, it sends a short
burst on the RACH requesting a dedicated signaling
channel. For security reasons, the MS uses a random number
for identity. The actual communication between the MS and
the MSC will take place later on the dedicated channel. If the
request is not granted within a specific time period, the MS
repeats the request. RACH is an uplink channel.
Access grant channel - AGCH
In response to requests from different MSs, the network
allocates a specific dedicated signaling channel (SDCCH)
against each request for further communication. The response
to each request is sent on the downlink AGCH. The MS must
now access the corresponding timeslot on the relevant carrier.
Dedicated control channels (DCCH)

Control channels: BCH, CCCH, DCCH
  DCCH: SDCCH, SACCH, FACCH

Figure 1.48 - Dedicated control channels


Stand alone-dedicated control channel - SDCCH
As per the allocation conveyed over the AGCH, both the MS &
the BTS switch over to the assigned SDCCH for a secure
communication between the MS & the MSC.
The signaling communication can be a short message delivery
(or cell broadcast) in idle mode or call setup procedure for an
incoming or originated call.
Slow associated control channel - SACCH
While an MS is busy on a call over a traffic channel (TCH) or in
communication with MSC on the SDCCH, MS takes periodic
carrier-signal strength measurements on own base station &
neighbouring base stations. These measurement results have
to be conveyed to the BSC on the uplink. Similarly, based on
the analysis of measurements taken by BTS & the MS, the BSC
has to convey information on timing advance & MS transmitter
power control.
SACCH is designed for this purpose. SACCH is interleaved
either with SDCCH or TCH periodically.
Fast associated control channel - FACCH
When an MS is in conversation and the BSC decides, based on the
analysis of signal strength measurements, that a handover to a
neighbouring cell is needed, FACCH is used. FACCH
works on the principle of stealing a segment of speech or TCH.
2) TDMA frames, logical channels, multiframes, superframes
and hyperframe
Logical channels - TDMA frame, timeslot & burst
C0, C1 & C2   Carriers in a cell
C             Control channels on timeslot 0 & 1 of C0
T             Traffic channels on remaining timeslots of C0, C1 & C2

Figure 1.49 - Mapping of control channels on C0 or BCCH carrier

TDMA frame, timeslot & burst
TDMA frame: 4.615 ms
Timeslot: 0.577 ms & 156.25 bits
Normal burst - 148 bits (fields labelled: 3 bits | Data, 57 bits | Training, 26 bits | Data, 57 bits)

Figure 1.50 - Relationship between a TDMA burst & timeslot
TDMA frame & two types of multiframes
(Type A) multiframe of 26 TDMA frames (0 to 25) - 120 ms - used for TCH
(Type B) multiframe of 51 TDMA frames (0 to 50) - 3060/13 ms - used for control channels
TDMA frame - 4.615 ms

Figure 1.51 - Relationship between TDMA frame & multiframe

TDMA frames, multiframes & superframe
Superframe of 26 type B multiframes (0 to 25) - 1326 TDMA frames - 6.12s
Superframe of 51 type A multiframes (0 to 50) - 1326 TDMA frames - 6.12s

Figure 1.52 - Relationship between multiframes & superframe


TDMA frames, multiframes, superframes & hyperframe
Hyperframe of 2048 superframes (0 to 2047) - 2,715,648 TDMA frames
3 hours 28 minutes 53.760 seconds (cycle for frequency hopping & ciphering)
Superframe of 1326 TDMA frames (0 to 1325) - 6.12s

Figure 1.53 - Relationship between superframes & hyperframe


3) Mapping of logical control channels on physical channels
in multiframe structure (FCCH +SCH + BCCH + CCCH)

CCCH & BCH channels are mapped on to timeslot 0 of the first
carrier, C0 or the BCCH-carrier, in a cell. Timeslot 1 of the
BCCH-carrier is used for SDCCH & SACCH. Timeslots 2 to 7
are used for TCH.
The multiframe structures for control channels & traffic
channels are different even if they are on the same carrier.
Downlink, C0, timeslot 0 - Multiframe mapping
Timeslot 0, C0, downlink - from 51 TDMA frames (TDMA frame - 4.615 ms)

F   FCCH          Frequency correction channel
S   SCH           Synchronisation channel
B   BCCH          Broadcast control channel
C   PCH / AGCH    Paging channel / Access grant channel
I   IDLE

Figure 1.54 - Mapping of common control & broadcast channels

Uplink, C0, timeslot 0 - Multiframe mapping


Timeslot 0, C0, uplink (TDMA frame - 4.615 ms)
Each burst on the uplink is a RACH (Random access channel)

Figure 1.55 Continuous mapping of RACH on the uplink

Uplink & downlink, C0, timeslot 1 - Multiframe mapping
Downlink and uplink mappings are each shown over 2 cycles of
51 TDMA frames (a 102 frame cycle, TDMA frames 0 to 101).

D0 ... D7   SDCCH 0 ... SDCCH 7
A0 ... A7   SACCH 0 ... SACCH 7
I           IDLE

SDCCH is used to exchange information between MSC/VLR &
MS during location updating or call setup.

SACCH is used downlink to send timing advance & power
control information. MS sends measurement report on the
uplink. SACCH is associated with SDCCH.

Figure 1.56 - Mapping of SDCCH & SACCH - C0, timeslot 1

4) Mapping of logical traffic channels on physical channels
Timeslots 0 & 1 on C0          logical control channels
Timeslots 2 ~ 7 on C0          logical traffic channels
Timeslots 0 ~ 7 on C1 ~ C3     logical traffic channels

If there are 5 or more carriers, another timeslot on C4 can be used
for signaling. However, there is only one BCCH-carrier per cell.
C0, timeslot 2 (or 3 ~ 7) - Multiframe mapping of TCH
Timeslot 2, C0 - from 26 TDMA frames (TDMA frame - 4.615 ms)

T   TCH     Traffic channel
A   SACCH   Slow associated control channel
I   IDLE

Figure 1.57 - Mapping of traffic channel TCH on timeslot 2


SACCH
During conversation, the MS has to periodically send
measurement results. Likewise, the BSC has to send
timing advance & power control information to the MS.
Therefore an SACCH is interleaved every 26 TDMA frames
on the same physical channel as that of the associated
TCH.
IDLE
The MS uses the idle TDMA frame period to take
measurements.


Downlink and uplink timeslots (0 to 7) of TDMA frames n and n+1

Figure 1.58 Down-link reception & uplink transmission


5) Time to take measurements
Downlink and uplink: TDMA frame 24, TDMA frame 25 and the idle TDMA frame

Figure 1.59 - Time to measure & Idle TDMA frame

Measurements & Reporting


During a call an MS has to continuously take measurements on the
signal strength of own as well as neighbouring cells. The results
must be reported to the BSC on the uplink SACCH. The mobile is
informed through system information on the downlink SACCH as
to which neighbouring BCCH carriers to monitor.


Actions by the MS, say on TS 2


1. MS receives the burst and measures the signal strength
2. MS transmits
3. MS measures the signal strength of at least one of the
surrounding cells
4. MS reads BSIC on SCH for one of the six strongest
surrounding cells
The MS is not synchronized with the adjacent cell and does
not know as to when TS 0 will occur on that cell
It has to monitor for at least 8 timeslot periods to read TS 0

Figure 1.59 TCH multiframe sliding over FCCH/SCH multiframe


i) RACH & network access by mobile


1) Access burst format
Tail | Synch (41 bits) | INFO (36 bits) | Tail | Guard period (60 + 8.25 bits)

Figure 1.60 Short access burst with long guard period

Reasons for access


Location updating
Originating a call
Responding to paging, etc.

Information available to mobile for access


Max transmit power in the cell but not the actual one
Timing advance not known

2) Access burst arrival times & delays

Access bursts AB 1 and AB 2 shown against frame 1 (ts0, ts1) and frame 2 (ts0), each with its own arrival time & delay

Figure 1.61 Different arrival times of bursts & delays on the RACH
3) Channel request & information in the Access Burst
Establishment cause | Random discriminator

Figure 1.62 Contents in the channel request message on the RACH


4) Channel request & initial channel assignment
MS to BTS on the RACH: Channel request
BTS to BSC: Channel required (Frame No., Delay estimate)
To the MS on the AGCH: Immediate assignment (Cause, random No., frame
No., initial timing advance, initial power control &
dedicated channel identity)

Figure 1.63 Channel request & access grant
5) Channel request & retransmission
MS to BTS: Channel request; after a random timer, Channel request again

Figure 1.64 Retransmission of channel request message


j) GSM traffic cases


1) Location updating normal type

Nodes: BSC, MSC, VLR, HLR

1) System information
2) RR connection establishment (2a, 2b, 2c)
3) Service indication
4) Authentication (4a, 4b)
5) Updating (5a, 5b)
6) Acceptance
7) Channel release (7a, 7b)

Figure 1.65 - Location updating, normal type

2) IMSI detach

Nodes: BSC, MSC, VLR

Figure 1.66 - IMSI detach

3) Location updating, IMSI attach


Nodes: BSC, MSC, VLR, HLR; steps 1 to 5

Figure 1.67 - Location updating, IMSI attach type

4) Call from MS
Nodes: BSC, MSC, VLR

1a-c) RR connection establishment
2) Service indication
3) Authentication
4) Ciphering mode setting
5) Call initiation
6) Assignment of a TCH
7) Call confirmation
8) Call accepted

Figure 1.68 - Mobile originated call


Messages between MS and network, by phase:

RR connection establishment       CHAN REQ, IMM ASSIGN
Service indication                SERV REQ
Authentication                    AUTH REQ, AUTH RESP
Cipher mode setting               CIPH MODE CMD, CIPH MODE COM
Call initiation                   SETUP, CALL PROC
Assignment of a traffic channel   ASSIGN CMD, ASSIGN COM
Call confirmation                 ALERT
Call accepted                     CONNECT, CONNECT ACK

Figure 1.69 - Mobile originated call messages

5) Call to MS from PSTN/ISDN
Nodes: GMSC, HLR, MSC/VLR, MSC/VLR 2, MSC/VLR 3, BSC
Labels shown: MSISDN, translation of MSISDN to IMSI, IMSI, MSRN, MSRN (IAM); steps numbered 1 to 9

Figure 1.70 - Mobile terminated call


Messages between MS and network, by phase:

Paging the MS                     PAGING REQ
RR connection establishment       CHAN REQ, IMM ASSIGN
Service indication                PAGING RESP
Authentication                    AUTH REQ, AUTH RESP
Cipher mode setting               CIPH MODE CMD, CIPH MODE COM
Call initiation                   SETUP, CALL CONFIRM
Assignment of a traffic channel   ASSIGN CMD, ASSIGN COM
Call confirmation                 ALERT, CONNECT
Call accepted                     CONNECT ACK

Figure 1.71 - Mobile terminated call messages


j) MS states & modes


1) MS detached or turned off having been registered in
MSC/VLR
When the MS does not respond to paging messages and there
has been no contact between the MS & the network, due to
either MS being powered off or out of reach, the state is known
as "MS detached".
2) MS attached or turned on
When the MS has been turned on or entered the MSC service
area, been registered as a visitor and has been in periodic
contact, the state is known as "MS attached".
While being attached, an MS can be in idle or busy mode.
Idle mode
The MS may be moving around from cell to cell in the same
location area or enter a cell in a new location area. The MS
keeps listening to cell broadcasts and initiates "Location
updating" whenever it enters a new location area. Thus the
MSC/VLR is aware of the location of the MS. In case of an
incoming call, the MSC/VLR can page for the MS in all the cells
of the current location area.
Busy mode
When the MS is involved in an incoming or originating call or
call setup stage, it is said to be busy. While it is busy it can be
moving around from cell to cell. The MS & the BTS keep
taking the signal measurements of the current & surrounding
cells periodically so that the BSC can know when the MS
moves towards a new cell area. This is known as locating.

As the MS nears the border of a new cell, the BSC takes a
decision to switch the call via a traffic channel in the new cell.
The changeover procedure is known as handover.

3) Location updating - periodic registration - idle mode
It is possible that the IMSI detach was not registered in the VLR
due to poor radio link quality and the system may continue to
assume that the MS is still in the same LA.
To avoid ambiguity, MS carries out periodic registration
procedure once every 30 minutes. If there is no response to
the request for a channel, MS will make repeated attempts.
The system information on the BCCH tells all MSs about the
frequency of periodic registration.
4) Implicit detach - idle mode
If the periodic registration does not take place and a timer times
out, the MS is marked as detached in the VLR. This can
happen when the MS has been turned off outside the radio
coverage area.


k) The Mobile Station (MS)


1) The Subscriber Identity Module (SIM)
The MS can be operated only when a valid SIM is present.
However, emergency calls to emergency numbers can be made
without a SIM.
SIM Storage types for subscriber related information

Fixed data: IMSI, subscriber authentication key (KI), access
control class, security algorithms, etc.
Temporary network data: TMSI, LAI, ciphering key (Kc),
forbidden PLMNs, etc.
Service related data: language preference, advice of charge,
etc.

Security features

Authentication algorithm, A3
Subscriber authentication key, KI
Ciphering key generation algorithm, A8
Ciphering key, Kc
Control of access to data stored & performed in the SIM

Subscriber data in the Mobile Equipment (ME)


All subscriber-related information transferred to the ME during
operation must be deleted after the removal of SIM &
deactivation of the MS. Examples of such data are PIN
(Personal Identification Number) and the PUK (Personal Unlock
Key) codes.
PIN management

Changing the PIN code by the subscriber
PIN disabling function
Inhibition of PIN disabling function
Indication of incorrect PIN entry
SIM blocking on three repeated entries of incorrect PIN

Unblocking of SIM & PUK
Unblocking of SIM is possible under the control of PUK.
PUK is an 8-digit numeric only code. Indication is given if an
incorrect PUK is entered. After 10 repeated incorrect entries,
SIM is blocked.
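
The PIN and PUK rules above as a small state machine, added here as an illustration (not code from the original slides). The class and method names are hypothetical, the 4 to 8 digit PIN length is taken from GSM 11.11 rather than from this page, and accepting the PUK only while the PIN is blocked is a simplification.

```python
import hmac


def _same(a: str, b: str) -> bool:
    """Constant-time comparison so timing does not reveal matching digits."""
    return hmac.compare_digest(a.encode(), b.encode())


def _is_digits(value: str, lengths) -> bool:
    return value.isascii() and value.isdigit() and len(value) in lengths


class SimPinState:
    PIN_TRIES = 3                # SIM blocks on three repeated incorrect PINs
    PUK_TRIES = 10               # ten incorrect PUK entries block the SIM
    PIN_LENGTHS = range(4, 9)    # assumption: 4 to 8 digits (GSM 11.11)
    PUK_LENGTHS = (8,)           # PUK is an 8-digit numeric-only code

    def __init__(self, pin: str, puk: str, allow_disable: bool = True):
        if not _is_digits(pin, self.PIN_LENGTHS) or not _is_digits(puk, self.PUK_LENGTHS):
            raise ValueError("PIN or PUK has the wrong format")
        self._pin, self._puk = pin, puk
        self.allow_disable = allow_disable   # False = PIN disabling inhibited
        self.pin_enabled = True
        self.pin_left = self.PIN_TRIES
        self.puk_left = self.PUK_TRIES

    @property
    def state(self) -> str:
        if self.puk_left == 0:
            return "puk-blocked"
        if self.pin_left == 0:
            return "pin-blocked"
        return "ready"

    def verify_pin(self, pin: str) -> bool:
        if self.state != "ready":
            return False             # a blocked card refuses even the right PIN
        if _same(pin, self._pin):
            self.pin_left = self.PIN_TRIES
            return True
        self.pin_left -= 1           # count the failure before reporting it
        return False

    def change_pin(self, old: str, new: str) -> bool:
        if not _is_digits(new, self.PIN_LENGTHS) or not self.verify_pin(old):
            return False
        self._pin = new
        return True

    def disable_pin(self, pin: str) -> bool:
        if not self.allow_disable or not self.verify_pin(pin):
            return False
        self.pin_enabled = False
        return True

    def unblock(self, puk: str, new_pin: str) -> bool:
        if self.state != "pin-blocked" or not _is_digits(new_pin, self.PIN_LENGTHS):
            return False
        if _same(puk, self._puk):
            self._pin = new_pin
            self.pin_left, self.puk_left = self.PIN_TRIES, self.PUK_TRIES
            return True
        self.puk_left -= 1
        return False
```

The counters are decremented before the result is returned and are restored only by a successful entry, so repeated guessing runs into the three-try and ten-try limits regardless of how the attempts are spaced.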

l) Authentication of an MS
1) The authentication key, Ki
This is allocated at the time of subscription and stored in the
SIM as well as the authentication centre that provides the
system with so-called Triplets. The IMSI allocated to the
subscriber is also stored in the SIM & the HLR.
2) The Triplets
Against each registered IMSI, the HLR keeps a stock of triplets.
Whenever it is exhausted, the HLR requests triplets against
an IMSI. See figure 1.72.

HLR to AUC: request for triplets (IMSI)
AUC to HLR: 3 or 5 triplets

Figure 1.72 - Request from HLR & response from AUC.

Generation of Triplets in the AUC (See figure 1.73)

A non-predictable random number, RAND, is generated.
RAND & Ki are used to generate Signed Response (SRES)
and Ciphering Key Kc via algorithms A3 & A8.
RAND, SRES & Kc are delivered to HLR as Triplets.


RAND generator: produces RAND
Database (IMSI - Ki): supplies Ki for the IMSI
A3 (Authentication Algorithm): RAND, Ki give SRES (32 bits)
A8 (Ciphering Algorithm): RAND, Ki give Kc (64 bits)

RAND   Random number
SRES   Signed Response
IMSI   International mobile subscriber identity
Ki     Subscriber authentication key
Kc     Ciphering key

Figure 1.73 - Generation of triplets in the AUC.


Authentication procedure
The MSC/VLR stores up to 10 triplets against each IMSI
registered in its service area. Whenever a new visiting IMSI is
registered or whenever its stock is depleted, the VLR obtains a
fresh batch of triplets for use later on.

MSC/VLR to MS: RAND
MS: calculates SRES & Kc
MS to MSC/VLR: SRES
MSC/VLR: compares received SRES with that in the triplet

Figure 1.74 - Authentication procedure
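
The triplet generation and challenge-response described above, as an added example that is not part of the original slides. A3 and A8 are operator-chosen algorithms, so `a3_a8` here is a labelled stand-in built on HMAC-SHA-256; the class names, the 128-bit Ki and RAND sizes and the test IMSI are assumptions, and the HLR relay between VLR and AUC is left out.

```python
import hashlib
import hmac
import secrets
from collections import deque


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for the operator's A3/A8 pair (HMAC-SHA-256, not COMP128).

    Returns (SRES, Kc): 32 bits and 64 bits, the sizes shown in figure 1.73.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuC:
    """Holds IMSI -> Ki and turns each fresh RAND into a triplet."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi: str) -> bytes:
        self._ki[imsi] = secrets.token_bytes(16)    # assumption: 128-bit Ki
        return self._ki[imsi]                       # the copy written to the SIM

    def triplets(self, imsi: str, count: int = 5):
        ki = self._ki[imsi]
        batch = []
        for _ in range(count):
            rand = secrets.token_bytes(16)          # non-predictable RAND
            sres, kc = a3_a8(ki, rand)
            batch.append((rand, sres, kc))
        return batch


class Sim:
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes):
        return a3_a8(self._ki, rand)                # Ki never leaves the SIM


class Vlr:
    MAX_STOCK = 10   # the MSC/VLR stores up to 10 triplets per IMSI

    def __init__(self, auc: AuC):
        self._auc = auc
        self._stock = {}
        self._pending = {}

    def challenge(self, imsi: str) -> bytes:
        stock = self._stock.setdefault(imsi, deque(maxlen=self.MAX_STOCK))
        if not stock:                               # depleted: fetch a new batch
            stock.extend(self._auc.triplets(imsi, 5))
        rand, sres, kc = stock.popleft()            # each triplet is used once
        self._pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi: str, sres: bytes):
        """Return Kc when SRES matches the outstanding challenge, else None."""
        expected, kc = self._pending.pop(imsi, (None, None))
        if expected is not None and hmac.compare_digest(expected, sres):
            return kc
        return None


def authenticate(vlr: Vlr, sim: Sim) -> bool:
    rand = vlr.challenge(sim.imsi)
    sres, kc_ms = sim.respond(rand)
    kc_net = vlr.verify(sim.imsi, sres)
    return kc_net is not None and kc_net == kc_ms   # both ends now hold Kc


if __name__ == "__main__":
    auc = AuC()
    imsi = "001010000000001"                        # constructed test IMSI
    card = Sim(imsi, auc.provision(imsi))
    print("genuine SIM accepted:", authenticate(Vlr(auc), card))
```

Because every challenge consumes a triplet with a fresh RAND, an SRES captured from an earlier exchange does not satisfy a later one, and a card that knows the IMSI but not Ki cannot produce a matching SRES.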


Encryption & ciphering procedure
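MSC/VLR sends the cipher mode command M together with Kc (M + Kc); M is passed on to the MS.
At each end, A5 takes Kc and the TDMA frame No. and produces 114 bits, which are added (+) to the message.
The MS returns "Cipher mode completed" encrypted as M'; the network checks: decryption of M' successful?

Figure 1.75 Cipher mode setting procedure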

MS:  Kc (64) and FN (22) into A5, giving S1 (114) and S2 (114)
BTS: Kc (64) and FN (22) into A5, giving S1 (114) and S2 (114)
Encrypted 114 bits in each direction

Figure 1.76 Ciphering & deciphering of speech/data/signaling

On successful completion of cipher mode command, all
information over the air interface will be ciphered and all data,
speech & signaling information are protected.

IMEI
IMSI (except at the time of registration as a new visitor)
Calling & called party addresses in the SETUP message
All information during conversation
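
How the 22-bit FN input of figure 1.76 follows from the frame hierarchy of figure 1.53, and why the hyperframe is the cycle for ciphering, as an added example that is not part of the original slides. The T1/T3/T2 packing is the standard GSM layout rather than something shown on this page, `a5_blocks` is a SHAKE-256 stand-in and not A5, and all sample values are constructed.

```python
import hashlib
from fractions import Fraction

FRAMES_PER_SUPERFRAME = 26 * 51                        # 1326 TDMA frames
FRAMES_PER_HYPERFRAME = 2048 * FRAMES_PER_SUPERFRAME   # 2,715,648 TDMA frames
BURST_BITS = 114
MASK_114 = (1 << BURST_BITS) - 1


def hyperframe_seconds() -> Fraction:
    """Hyperframe period; a 26-frame multiframe lasts exactly 120 ms."""
    return Fraction(FRAMES_PER_HYPERFRAME * 120, 26 * 1000)


def fn_to_count(fn: int) -> int:
    """Pack the TDMA frame number into the 22-bit value fed to A5.

    T1 = superframe index (11 bits), T3 = FN mod 51 (6 bits),
    T2 = FN mod 26 (5 bits), laid out as T1 | T3 | T2.
    """
    if not 0 <= fn < FRAMES_PER_HYPERFRAME:
        raise ValueError("FN must lie inside one hyperframe")
    t1, t2, t3 = fn // FRAMES_PER_SUPERFRAME, fn % 26, fn % 51
    return (t1 << 11) | (t3 << 5) | t2


def a5_blocks(kc: bytes, fn: int):
    """Stand-in keystream generator (SHAKE-256, not A5): returns (S1, S2)."""
    if len(kc) != 8:
        raise ValueError("Kc is 64 bits")
    seed = kc + fn_to_count(fn).to_bytes(3, "big")
    # 29 bytes = 232 bits; drop 4 bits to keep exactly 2 x 114 bits.
    stream = int.from_bytes(hashlib.shake_256(seed).digest(29), "big") >> 4
    return stream >> BURST_BITS, stream & MASK_114


def cipher(bits: int, block: int) -> int:
    """Encrypt or decrypt one 114-bit burst payload by modulo-2 addition."""
    if bits < 0 or bits >> BURST_BITS:
        raise ValueError("payload must fit in 114 bits")
    return bits ^ block


def same_block_leak(kc: bytes, fn: int, p1: int, p2: int) -> int:
    """Two payloads ciphered under the same Kc and FN.

    FN repeats after one hyperframe, so an unchanged Kc would produce the
    same block again; the XOR of the two ciphertexts then equals p1 XOR p2.
    Issuing a new Kc through authentication avoids this.
    """
    s1, _ = a5_blocks(kc, fn)
    return cipher(p1, s1) ^ cipher(p2, s1)


if __name__ == "__main__":
    kc = bytes(range(8))                                # constructed Kc
    print("hyperframe:", float(hyperframe_seconds()), "s")
    print("COUNT for FN 4078:", fn_to_count(4078))
    s1, s2 = a5_blocks(kc, 4078)
    burst = (1 << 113) | 0xDEADBEEF                     # constructed payload
    print("round trip ok:", cipher(cipher(burst, s1), s1) == burst)
```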

Equipment identification

The MSC/VLR requests the IMEI from the MS after the
cipher mode is complete.
MS sends IMEI to MSC, which then sends it to EIR.
EIR can check it against 3 possible lists of IMEIs:
White list of all valid IMEIs in all GSM countries
Black list of all IMEIs known as barred
Grey list of faulty or non-approved IMEIs

See figure 1.77

MSC/VLR to MS: IMEI request
MS to MSC/VLR: IMEI
MSC/VLR to EIR: check
EIR to MSC/VLR: access / barred

Figure 1.77 - Equipment identification
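
The equipment check above, using the IMEI layout from the identities section (TAC 6, FAC 2, SNR 6, spare 1), as an added example that is not part of the original slides. Holding the white list per TAC, letting grey-listed equipment through with a tracking result, and refusing unknown or malformed IMEIs are assumptions; all IMEI values are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Imei:
    tac: str     # Type Approval Code, 6 digits
    fac: str     # Final Assembly Code, 2 digits
    snr: str     # Serial Number, 6 digits
    spare: str   # 1 digit, future use


def parse_imei(digits: str) -> Imei:
    if not (digits.isascii() and digits.isdigit() and len(digits) == 15):
        raise ValueError("IMEI must be exactly 15 decimal digits")
    return Imei(digits[:6], digits[6:8], digits[8:14], digits[14])


class Eir:
    def __init__(self, white_tacs, black, grey):
        self.white_tacs = set(white_tacs)   # assumption: white list held per TAC
        self.black = set(black)             # TAC+FAC+SNR of barred equipment
        self.grey = set(grey)               # TAC+FAC+SNR of faulty/non-approved

    def check(self, digits: str) -> str:
        try:
            imei = parse_imei(digits)
        except ValueError:
            return "barred"                 # assumption: malformed is refused
        unit = imei.tac + imei.fac + imei.snr   # spare digit is not compared
        if unit in self.black:              # black list wins over the others
            return "barred"
        if unit in self.grey:
            return "access-tracked"         # assumption: allowed but flagged
        if imei.tac in self.white_tacs:
            return "access"
        return "barred"                     # assumption: unknown type is refused


def identify_equipment(eir: Eir, imei_digits: str, cipher_mode_complete: bool) -> str:
    """Run the check only once ciphering is on, so the IMEI is not sent in clear."""
    if not cipher_mode_complete:
        return "deferred"
    return eir.check(imei_digits)


if __name__ == "__main__":
    # Constructed lists and IMEIs.
    eir = Eir(white_tacs={"000001"},
              black={"00000101000123"},
              grey={"00000101000456"})
    for sample in ("000001010007890", "000001010001230",
                   "000001010004560", "999999010001230"):
        print(sample, "->", identify_equipment(eir, sample, True))
```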
