
A REPORT OF
SUMMER TRAINING
IN
MAHANAGAR TELEPHONE NIGAM LIMITED
AT
KAROL BAGH, NEW DELHI
IN
GSM SERVICES (DOLPHIN MOBILE)

Submitted by:
Pradeep Chauhan
VII semester
Electronics and Comm. Branch
Institute of Engg. & Tech.
Alwar

INDEX
1. Introduction
2. GSM Building blocks
3. Radio frequency allocation
4. TDMA timeslots
5. Cells and cell sizes
6. Mobile Station (MS)
7. Subscriber’s Identity Module (SIM)
8. Base Station Sub-system (BSS)
• Base Transreceiver Station (BTS)
• Base Station Controller (BSC)
• TRAU
9. BTS to BSC connection
10. Handovers
11. Cell selection
12. Network Switching Subsystem (NSS)
• MSC
• HLR etc.
13. Mobile switching centre (MSC)
14. Home Location Register (HLR)
15. Visitor Location register (VLR)
16. Authentication centre
17. Interworking function (IWF)
18. Short Message Service Centre (SMSC)
19. Operations Sub System (OSS)
20. Network Management Centre (NMC)
21. Network interfaces
22. Call routing
23. GSM services
24. Future
25. References

Introduction
In order to overcome the difficulties that analogue systems
imposed, the European Conference of Postal and
Telecommunications Administrations (CEPT) looked at the problems
associated with analogue systems and in 1982 set up the “Groupe
Spécial Mobile” (GSM) committee to specify one common
European mobile telephone system. Later on “Groupe Spécial
Mobile” became known as Global System for Mobile
Communication.

Global System for Mobile Communication (GSM)

In order to solve the problems of the analogue system the following
three decisions were made:

• In 1982 two frequency bands, 890 MHz to 915 MHz and 935 MHz to
960 MHz, were reserved primarily for use by cellular systems.
• In 1985 the decision was made to implement a digital system. The
next step was to choose between narrowband and wideband solutions.
• In 1987, it was concluded that digital technology working in TDMA
mode would provide the optimum solution for the future system.

The narrowband TDMA solution was chosen (less than 10 channels per
carrier frequency is generally regarded as a narrowband TDMA
system), with the following advantages:

• Offers a possibility of channel splitting and advanced speech
coding in the future, resulting in improved spectral efficiency.
• Offers a much greater variety of services than analogue.
• Has ISDN capability.
• Will utilize modern component development, which in turn will
lead to lower system cost.
• Will allow considerable improvements to be made with regard to
the protection of information within the system.

GSM milestones

1982   GSM formed
1986   Field test
1987   TDMA chosen as access method
1988   Memorandum of understanding signed
1989   Validation of GSM system
1990   Preoperation system
1991   Commercial system started
1992   Coverage of large cities
1993   Coverage of main roads
1995   Coverage of rural areas

GSM operational requirements


In order to satisfy the defined objectives a list of operational
requirements was devised which consisted of the following:
• High audio quality and link integrity.
• High spectral efficiency.
• Identical systems in all countries.
• Inter system roaming (requiring standardized air interface).
• High degree of flexibility
• Integration with ISDN

GSM building blocks:


The GSM 1800 network can be split into 4 functional areas:
1. Mobile station (MS) – the mobile phone and Subscriber Identity
Module (SIM).
2. Base Station System (BSS) – the radio base stations and their
controllers.
3. Switching System (SS) – the switch, location register and
network security features.
4. Operations Sub-system (OSS) – the operations and
maintenance of the network elements, including the NMC.

GSM Network Elements


Obviously, to be a useful telecom network, the network has to be
able to talk to other network operators. To do this the network has
interconnections to the public switched telephone network (PSTN)
and to public land mobile networks (PLMN).

Radio frequency allocation


GSM uses a radio link between the mobile subscriber and the base
station. A feature of GSM/DCS which makes it attractive as a mobile
telephone network is the standardization of frequency use across
equipment and handsets, enabling the possibility of roaming
between networks and countries. The following frequencies have
been allocated for each system in the uplink (MS to BS) and
downlink (BS to MS) directions. The frequency and timeslots
used to convey the user's information are known as the physical
channel.

GSM 900  - 872 to 915 MHz uplink, 917 to 960 MHz downlink
GSM 1800 - 1710 to 1782 MHz uplink, 1805 to 1880 MHz downlink

Absolute radio frequency channel number (ARFCN)


Channel spacing
The channel spacing between adjacent Tx or Rx channels is 200 kHz,
which gives 374 available radio channels in the GSM 1800 band
(124 in the GSM 900 or 174 in EGSM). There appears to be 1
channel from each band missing, i.e. 75 MHz / 200 kHz = 375.

The channels do not start exactly on the frequency limit. As
they require a bandwidth of 200 kHz, RF channel 1 starts 200 kHz
above 1710 MHz at 1710.2 MHz. Channel 375 falls naturally at the
upper frequency limit of 1785 MHz, and as it requires 200 kHz
bandwidth any transmission on this channel would produce
radiation beyond the upper limit, which would be unacceptable. So
channel 375 is not used. This gives a 200 kHz guard band at the top
and bottom of the frequency band.
Each radio channel frequency is identified by its absolute radio
frequency channel number (ARFCN).

TDMA timeslots:
Books show how 32 timeslots each of 64 kHz could be used by
sharing the time available for a frame, which produced a
“bandwidth” of 2.048 Mbits/sec.
This bandwidth would be far too wide to transmit over the air
interface of the GSM network, where it is limited to just 200 kHz.
Only eight timeslots are therefore transmitted and the bandwidth of
each individual one is reduced to just 33 kHz instead of the 64 kHz
of the terrestrial system mentioned in books.
Vocoder:
To conserve this bandwidth a more efficient method of turning the
speech waveform into a digital code was needed. GSM therefore
uses a more up to date process called vocoding. This method does
not take samples as in the PCM method but instead uses eight
filters plus an excitation signal to mimic the human voice. It records
such things as the pitch, frequency, tone etc. to produce a realistic
digital representation of a person's voice. The vocoder produces 260
bit blocks of vocoded voice information at a time, which are
transmitted 50 times per second. The resulting total bandwidth of
the signal is just 13 Kbits/sec (260 * 50 = 13000), less than a quarter
of the PCM.
To send this 13 Kbits/sec over the air interface a lot of protection is
required to ensure that it arrives intact. Therefore more bits are
added to protect the information. The training sequence was a
method of combating ISI, adding 11 Kbits/sec to the signal. The
vocoder function itself raises the bit rate from 13 Kbits/sec to
22.8 Kbits/sec after 9.9 Kbits/sec of error protection are added.
The total bits/sec required for a single burst of information
is therefore 13 Kbits/sec + 9.8 Kbits/sec + 11 Kbits/sec = 33.8
Kbits/sec per user.
Having an allocated bandwidth of 200 kHz, it was concluded that 8
timeslots could be sent, giving a total bit rate of 270.833 Kbits/sec,
and through an efficient Gaussian shift modulation this could be
kept within the 200 kHz bandwidth limit measured at the –3 dB
point.
This technique is called TDMA. In GSM the 8 timeslots go together
to make up a TDMA frame, and in 1 second approximately 216
frames are sent over the radio path or air interface.

Timeslot offset
The mobile equipment cannot transmit and receive at the same
time, because it has to share electronic resources such as
oscillator time and antenna. As the mobile equipment has to
transmit and receive at different times, more than 2 out of the eight
timeslots are used: 1 for transmission, 1 for reception and some
timeslots to retune. To overcome this difficulty a three timeslot
offset between reception and transmission paths is used.

[Figure: BTS transmit (TX) and BTS receive (RX) frames, timeslots
0 1 MS1 3 4 MS2 6 7, with the RX frame shifted by a 3 timeslot
offset]

During times when the mobile equipment is not tuned to its transmit
or receive timeslots, it must re-tune to a BCCH carrier and make a
measurement of signal strength. The mobile equipment doesn’t listen
to the BCCH channel at this time, just the frequency, and then
re-tunes back again.
Allowing 2 timeslots to re-tune to the BCCH carrier and another 2 to
re-tune back does not give the mobile equipment much time for
measurements. But measure it does, as the BCCH carrier is always
transmitting something (control, traffic, dummy bursts) on the
maximum power.

BCCH (Broadcast Control Channel Carrier):


In each cell one frequency must be allocated to the BCCH. The
BCCH is allocated to the first timeslot in this frequency's frame and
provides information about the cell and other facilities required for
mobile management, which will be dealt with later. The BCCH
frequency can therefore only be used for seven users or less. The
only channel where adaptive power control is not used is the BCCH
carrier, where all timeslots transmit on maximum power all the
time. This is to allow mobiles to capture an accurate power
measurement of a neighboring cell during the 2 ms they have between
sending a burst up to the network on the uplink and retuning to
the downlink frequency.

[Figure: relative power of timeslots on a non-BCCH carrier and
relative power of timeslots on a BCCH carrier; axes: power against
timeslots]

Cell and cell sizes:


Maximum cell size will be achieved utilizing low frequencies and
high powered transmitters over a flat area. The cell size depends on
many factors but the main three are the required capacity of the
cell, geographical area and money. Optimum siting is rarely
possible for many reasons and is usually a compromise. Items such
as planning constraints, unsuitable locations or having to share
masts with other GSM operators have to be taken into account.

Power versus frequency


The GSM 1800 frequency used by Orange tends to travel a shorter
distance than the GSM 900 band for a given power; however, as
maximum cell sizes are rarely used this makes little difference in
practice. Power of the base station can be set to any allowed level
to compensate for this if necessary.

[Figure: transmitted power against distance for GSM 1800 MHz and
GSM 900 MHz]

The GSM networks are split into many radio cells or just cells.
Each cell is capable of supporting between 1 and 10 radio
frequency channels at the same time. The size or coverage of
the cell will depend upon many things:
• Number of subscribers in the cell – its capacity.
• Power outputs of the transmitters – higher power means
further distance.
• Geographical environment – hilly areas provide natural
obstructions to the radio path.
• Frequency of operations – lower frequencies travel further.
• Available infrastructure cost.
• Timing advance.

Maximum cell size


Maximum cell size will be achieved utilizing low frequencies and
high powered transmitters over a flat area. Rural districts where
there is a smaller population are best suited to large cells.

Minimum cell size
Minimum cell size will depend upon the capacity of the cell. If a
large number of subscribers are located in a small area then the cell
does not need to be large to support the required capacity, and in
fact has to be small in order to achieve the larger population
coverage using the frequency reuse mentioned earlier.

Large cells:
• 35 Km max radius for GSM.
• High coverage.
• Low capacity.
• Lower infrastructure costs.
• Higher power consumption.
• Prone to dead zones.
• Good for remote areas.

Small cells:
• High coverage achieved by using many small cells.
• Up to around 8 Km radius.
• High capacity.
• Higher infrastructure costs.
• Lower power consumption.
• Fewer dead zones.
• Ideal for built up areas.
Whether the cells are large or small depends upon the planning and
capacity requirements of the network. The committees who wrote
the specifications for GSM have effectively set the maximum cell
radius at 35 Km. Practically though this range will be a lot smaller
depending upon the local terrain. For GSM 1800 the cell size is
restricted more by handset power than anything else and the cell
radius is typically up to 8 km.

Macrocells, microcells and picocells:
To provide a network with quality coverage over a wide
geographical area means providing radio coverage using many
adjacent cells, either bordering each other or overlapping in places.
To cover a large town or city many different size cells may be
required, some to cover the dense urban areas and others to cover
the edges of the town. The outcome of this is the concept behind
macrocells, microcells and picocells.
To cover business parks and areas of high population density, small
cells with high traffic capacity are utilized. These are microcells.
When the mobile reaches the boundary of the current cell it will try
to hand over to another cell. If there is no cell to hand over to, the
call will drop and the users will not be happy.
To catch all potential dropped calls from microcells and picocells an
umbrella cell is used; this is called a macrocell.
The typical sizes for a GSM 1800 network are below:
• Rural use – approx 8 to 10 km radius.
• Suburban – up to 8 Km radius.
• Urban – up to 500 m radius.
• Microcell – up to 20 m.
• Picocell – below 200 m.

The mobile station(MS):

The mobile station represents the user end of the mobile telephone
network and is usually the only equipment that the user ever sees
of the “network”. The mobile station (MS) comprises all user
equipment and software needed for communication with a wireless
telephone network. MS refers to the mobile phone, i.e. the handset
held by the users in the mobile network. This is the terminology of
2G systems like GSM. In 3G systems, the MS is now referred to as
User Equipment (UE). In GSM, the Mobile Station consists of four main
components:

Mobile Terminal (MT) – offers common functions that are used by
all the services the Mobile Station offers. It is equivalent to the
network termination of an ISDN access and is also the end-point of
the radio interface.
Terminal Equipment (TE) – is a peripheral device of the Mobile
Station and offers services to the user. It does not contain any
functions specific to GSM.
Terminal Adapter (TA) – hides radio-specific characteristics.
Subscriber Identity Module (SIM) – is a personalization of the
Mobile Station and stores user specific parameters (such as mobile
number, contacts etc).

Some of the functions undertaken by the MS are:
• Voice and data transmission.
• Frequency and time synchronization.
• Monitoring of power and signal quality of the surrounding cells
for both the idle and dedicated mode.
• Provision of location updates.
• Equalization of multipath fades.
• Display of short messages.
• Timing advance.

Block diagram of MS

Component – Purpose

Microphone – Captures your voice for conversion from analogue to
digital mode.

Speaker – Allows monitoring of remote phone.

LCD Display – Shows Call, Phone, Signal & Network Info.

Keypad – Allows access to specific remote phones.

Battery + Meter – While battery housings on cellphones are standard
input designs, some cellphones also have some "battery processing"
intelligence built in. For example, they will check the charge level
to start or stop the charge when the phone is connected to a desktop,
car or quick charger and even automatically discharge the battery for
you when necessary. This is usually linked to the LCD display and to
an audible beep to warn you of the battery charge status.

LED Lights – Status Information, usually Green, White & Red.

Digital Signal Processor – The DSP chipset is a critical component.
It co-ordinates the voice, SMS and data/fax features of a cellphone.
It processes speech, handles voice activity detection, as well as
discontinuous GSM transmission and reception. Another section
amplifies the input signal received from the microphone, while
another converts this microphone voice signal from "analogue" to
"digital". The digital conversion is necessary because the GSM
cellular standard is a completely digital system.

CODEC – This DSP's voice processing is done in tandem with a highly
sophisticated compression technique mediated by the "CODEC"
(compressor/decompressor) portion of the cellphone. T

RF Unit – The CODEC chipset instantly transfers this "compressed"
information to the cellphone’s Radio Frequency (RF) unit. This RF
unit, which is essentially the transmit and receive section of the
cellphone, then sends out the voice or data information via the
cellphone antenna, over the air and on to the nearest cellular base
station - and ultimately to your call destination.
The incoming voice also travels much the same route, although it is
first uncompressed from its incoming digital form into an audible
analogue form which is then piped out as sound through the
cellphone’s speaker. This analogue-to-digital and digital-to-analogue
voice conversion via the CODEC is done at very high speeds, so that
you never really experience any delay between talking and the other
person hearing you (and vice versa).

SIM Card Reader – When you switch on your phone with a "live" SIM
card inside, the subscriber information on the chip inside the SIM
card is read by the SIM card reader and then transmitted digitally to
the network via the RF unit. The same route is followed when you hit
the Call button (and its variants) on the cellphone: the number
you’ve inputted is instantly and digitally transferred to the network
for processing.

External Connectors – At the bottom of most cellphones there is an
external connector system. You can usually plug in a data/fax
adapter, or a battery charger, or a personal hands free device, or a
car-kit with external antenna connections. You’ll also find many with
separate "speaker" and LED lights that are activated when the phone
rings and/or when the battery is low. Many phones also have tiny LED
lights under the keypad that light up when you press a key and/or
when the phone rings.

On-Board Memory – Many cellphones also have a certain amount of
on-board memory chip capacity available for storing outgoing
telephone numbers, your own telephone number, as well as incoming and
outgoing SMS messages. Some allow copying between the (limited)
memory on the SIM card and the phone’s own internal memory.

Antenna System – Cellphone manufacturers are implementing many weird
and wonderful permutations of antenna system designs. While some are
stubby, fixed types, the most predominant designs are those with
thin, pull-out steel rods, all of which usually fit snugly into a
special antenna shaft. These antenna designs, be they the stubby or
pull-out types, all conform to the same circa 900 MHz frequency
transmit and receive range required by the GSM specification.

International mobile equipment identity (IMEI)


Each piece of mobile equipment is uniquely identified by its
international mobile equipment identifier or IMEI number. The IMEI
is more than just a serial number of the mobile; it also shows type
approval, manufacturer and country of production.
When a mobile is attaching to a network the IMEI is checked against
the white, grey or black list of IMEIs that are stored in the
equipment identity register. If the IMEI is in the black list the mobile
is not allowed on the network, e.g. stolen phones.

6 digits             2 digits              6 digits        1 digit
Type approval code   Final Assembly Code   Serial number   Spare

International Mobile Equipment Identity

Subscriber identity module:


A Subscriber Identity Module (SIM) is a removable smart card for
mobile phones. SIM cards securely store the service-subscriber key
used to identify a mobile phone. The SIM card allows users to
change phones by simply removing the SIM card from one mobile
phone and inserting it into another mobile phone.
The use of SIM cards is mandatory in the GSM world. The equivalent
of a SIM in UMTS is called the Universal Integrated Circuit Card
(UICC), whereas the Removable User Identity Module (RUIM) is
more popular in CDMA phones.
SIM cards are available in two standard sizes. The first is the size of
a credit card (85.60 mm × 53.98 mm x 0.76 mm). The newer, more
popular miniature-version has a width of 25 mm, a height of 15
mm, and a thickness of 0.76 mm.

Memory storage size


The typical low cost SIM card (GSM 11.11 only) has little memory, 2-
3 KB as described in GSM 11.11 (telephone directory and so on).
Such data storage is used by the phone directly. The market
segment of low cost SIM is constantly shrinking.
SIMs with additional applications (GSM 11.14) are available in many
storage sizes, the largest being the 1 GiB SIM. Smaller sized SIMs
such as the 32 KB and 16 KB are the most prevalent in areas with
less-developed GSM networks. There are also Large Memory SIMs,
on the order of 128-1024 megabytes. At the end of 2006 the most
common GSM SIM in the US is 64 KB - this stemmed from Nov 2004
when the Cingular and AT&T merger triggered the supply of 64 KB
SIMs over 32 KB to better support both networks (and make them
look like one).

The SIM card contains the following subscriber and network
parameters. This list is only some items stored in the SIM.

• MSISDN – Mobile station international service digital network
number. This is the telephone no. of the mobile subscriber and is
the one dialed by callers to the mobile. The MSISDN contains the
country code, national destination code and subscriber number.
The MSISDN is permanently stored on the SIM.

Country code     National destination code   Subscriber's no.   Service operator
(+) 91 (INDIA)
(+) 91 (INDIA)
(+) 91 (INDIA)
(+) 44 (UK)
(+) 44 (UK)

• IMSI – International mobile subscriber identity number. This
number uniquely identifies the subscriber to the network. It is
usually only transmitted once, that occasion being the time of
attachment onto the network. Once attached, the role of the IMSI
is taken up by the temporary mobile subscriber identity (TMSI).
The length of the IMSI is 15 digits or less and it contains a mobile
country code, mobile network code and mobile station identification
number (MSIN). The IMSI is permanently stored on the SIM.

Mobile country code   Mobile network code   Mobile station identity no.   Operator
(3 digits)            (2 digits)            (10 digits or less)
262                   01                    12345685                      Germany D1
234                   10                    123456789                     UK Cellnet
234                   33                    123456789                     UK Orange

• Ki - Authentication key. The Ki is a 128-bit value used in
authenticating the SIMs on the mobile network. Each SIM holds a
unique Ki assigned to it by the operator during the
personalization process. The Ki is also stored on a database
(known as Home Location Register or HLR) on the carrier’s
network.
The SIM card is designed so that the Ki cannot be obtained using
the smart-card interface. Instead, the SIM card provides a
function, "RUN GSM ALGORITHM", that allows the phone to pass
data to the SIM card to be signed with the Ki. This, by design,
makes usage of the SIM card mandatory unless the Ki can be
extracted from the SIM card, or the carrier is willing to reveal the
Ki. In practice, the GSM "crypto" algorithm for computing SRES_2
from the Ki has a weak point. This allows the extraction of the Ki
from a SIM card and the making of a duplicate SIM card.

Authentication process
1. When the Mobile Equipment starts up, it obtains the IMSI from
the SIM card, and passes this to the mobile operator requesting
access and authentication. The Mobile Equipment may have to
pass a PIN to the SIM card before the SIM card will reveal this
information.
2. The operator network searches its database for the incoming IMSI
and its associated Ki.
3. The operator network then generates a Random Number (RAND)
and signs it with the Ki associated with the IMSI (and stored on
the SIM card), computing another number known as Signed
Response (SRES_1).
4. The operator network then sends the RAND to the Mobile
Equipment, which passes it to the SIM card. The SIM card signs it
with its Ki, producing SRES_2 which it gives to the Mobile
Equipment along with encryption key Kc. The Mobile Equipment
passes SRES_2 on to the operator network.
5. The operator network then compares its computed SRES_1 with
the computed SRES_2 that the Mobile Equipment returned. If the
two numbers match the SIM is authenticated and the Mobile
Equipment is granted access to the operator's network. Kc is used
to encrypt all further communications between the Mobile
Equipment and the network.
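
The challenge-response exchange in steps 1 to 5 above, as an added example that is not part of the original report. HMAC-SHA256 stands in for the operator's A3/A8 algorithms (an assumption, not the COMP128 family), and the class names, IMSI, Ki and PIN are constructed for illustration. It shows Ki staying inside the SIM and the network database while only RAND and SRES are exchanged, and a card holding a different Ki failing step 5.

```python
import hashlib
import hmac
import secrets

# GSM field sizes: 128-bit Ki and RAND, 32-bit SRES, 64-bit Kc.
RAND_LEN, SRES_LEN, KC_LEN = 16, 4, 8

# Constructed sample subscriber (not real values).
DEMO_IMSI = "001010123456789"
DEMO_KI = bytes.fromhex("00112233445566778899aabbccddeeff")
DEMO_PIN = "1234"


def a3_a8(ki, rand):
    """Stand-in for the operator's A3/A8 algorithms.

    Assumption: HMAC-SHA256 keyed with Ki, truncated to the GSM field
    sizes. This is NOT COMP128. Returns (SRES, Kc).
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class Sim:
    """SIM card: stores IMSI and Ki, and has no method that returns Ki."""

    def __init__(self, imsi, ki, pin):
        self._imsi, self._ki, self._pin = imsi, ki, pin
        self._unlocked = False

    def verify_pin(self, pin):
        self._unlocked = hmac.compare_digest(pin.encode(), self._pin.encode())
        return self._unlocked

    def read_imsi(self):
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return self._imsi

    def run_gsm_algorithm(self, rand):
        """Step 4: derive SRES_2 and Kc from RAND inside the card."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        return a3_a8(self._ki, rand)


class OperatorNetwork:
    """Network side: the IMSI -> Ki database plus challenge bookkeeping."""

    def __init__(self, subscribers):
        self._ki_by_imsi = dict(subscribers)
        self._pending = {}  # IMSI -> (SRES_1, Kc) of the open challenge

    def challenge(self, imsi):
        """Steps 2-3: look up Ki, draw a fresh RAND, compute SRES_1."""
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:
            return None  # IMSI not in the database
        rand = secrets.token_bytes(RAND_LEN)
        self._pending[imsi] = a3_a8(ki, rand)
        return rand

    def verify(self, imsi, sres_2):
        """Step 5: compare SRES_1 and SRES_2; Kc on success, else None."""
        # pop(): each challenge can be answered once, so a replayed
        # SRES finds no open challenge.
        expected = self._pending.pop(imsi, None)
        if expected is None:
            return None
        sres_1, kc = expected
        return kc if hmac.compare_digest(sres_1, sres_2) else None


def attach(sim, pin, network):
    """Mobile Equipment role for steps 1-5. Returns the shared Kc or None."""
    if not sim.verify_pin(pin):          # step 1: unlock the SIM
        return None
    rand = network.challenge(sim.read_imsi())
    if rand is None:
        return None
    sres_2, kc_mobile = sim.run_gsm_algorithm(rand)
    kc_network = network.verify(sim.read_imsi(), sres_2)
    if kc_network is None or kc_network != kc_mobile:
        return None
    return kc_network


if __name__ == "__main__":
    net = OperatorNetwork({DEMO_IMSI: DEMO_KI})
    genuine = Sim(DEMO_IMSI, DEMO_KI, DEMO_PIN)
    wrong_ki = Sim(DEMO_IMSI, secrets.token_bytes(16), DEMO_PIN)
    print("genuine SIM  :", attach(genuine, DEMO_PIN, net) is not None)
    print("different Ki :", attach(wrong_ki, DEMO_PIN, net) is not None)
```

Because only RAND and SRES cross the air interface, the scheme is only as strong as the real A3/A8 algorithm's ability to hide Ki, which is the weak point the report mentions.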
• LAI - Location area identity. The SIM stores network state
information which is broadcast to it from the network, such as
the Location Area Identity (LAI). Operator networks are divided
into Location Areas, each having a unique LAI number. When the
Mobile changes its location from one Location Area to another it
stores its new LAI in SIM and sends it to the operator network to
inform network with its new location. If the handset is turned off
and back on again it will take data off the SIM and search for the
LAI it was in. The LAI is used as the pointer to which BTSs need to
transmit a paging message.
• PIN - A personal identification number (PIN) is a secret numeric
password shared between a user and a system that can be used
to authenticate the user to the system. Typically, the user is
required to provide a non-confidential user identifier or token
(such as a banking card) and a confidential PIN to gain access to
the system. Upon receiving the User ID and PIN, the system looks
up the PIN based upon the User ID and compares the looked-up
PIN with the received PIN. The user is granted access only when
the number entered matches with the number stored in the
system. After three failed attempts the SIM locks up and cannot
be used until an 8 digit personal user key (PUK) is entered. Use
of the PIN can be changed via the keypad.
• TMSI- the temporary mobile subscriber identity is used in place
of the IMSI. The IMSI is used in conjunction with the LAI to ensure
that the correct mobile is paged in a location area. The TMSI is
assigned after a mobile is registered in a particular visitor
location register and location area. When the mobile moves to a
new location area, a new TMSI is assigned.
• BCCH carrier frequency- This is the frequency of the broadcast
/ beacon carrier of the cell in which the mobile is currently
located.
• PLMN Access - This is a list of preferred and “forbidden” PLMNs.
When a mobile tries to gain access to any network the PLMN on
top of the preferred PLMN list will be tried first. When a mobile
tries to attach to a network and is prevented access, the PLMN
network code is stored in this “forbidden” list.
• PLMN bar class – during very busy periods of traffic whole
groups of subscribers are effectively barred access to the
network. The PLMN bar class is a set of 15 groups. The first 10
groups are equal in size, and allocation to a group is determined
by the operator and set onto the SIM at production time. Five further
groups are set aside for “very important subscribers” and used
in times of congestion or emergency.

Access class   Description
1 - 10         Normal subscribers
11             PLMN choice
12             Security service
13             Public utilities
14             Emergency services
15             PLMN staff

Base Station Subsystem:
The Base Station Subsystem (BSS) is the section of a traditional
cellular telephone network which is responsible for handling traffic
and signaling between a mobile phone and the Network Switching
Subsystem. The BSS carries out transcoding of speech channels,
allocation of radio channels to mobile phones, paging, quality
management of transmission and reception over the Air interface
and many other tasks related to the radio network.
The BSS is composed of three sub-systems, namely the Base
Transceiver Station (BTS), Base Station Controller (BSC) and
Transcoder and Rate Adaption Unit (TRAU).

[Figure: BASE STATION SUBSYSTEM (BSS), showing the MS, BTS, Base
Station Controller (BSC) and Transcoder and rate adaptation unit
(TRAU)]

Base Transreceiver Station (BTS)

The Base Transceiver Station, or BTS, contains the equipment for
transmitting and receiving of radio signals (transceivers), antennas,
and equipment for encrypting and decrypting communications with
the Base Station Controller (BSC). Typically a BTS for anything other
than a picocell will have several transceivers (TRXs) which allow it
to serve several different frequencies and different sectors of the
cell (in the case of sectorised base stations). A BTS is controlled by
a parent BSC via the Base Station Control Function (BCF). The BCF
is implemented as a discrete unit or even incorporated in a TRX in
compact base stations. The BCF provides an Operations and
Maintenance (O&M) connection to the Network Management
System (NMS), and manages operational states of each TRX, as well
as software handling and alarm collection.
The functions of a BTS vary depending on the cellular technology
used and the cellular telephone provider. There are vendors in
which the BTS is a plain transceiver which receives information
from the MS (Mobile Station) through the Um (Air Interface) and
then converts it to a TDM ("PCM") based interface, the Abis, and
sends it towards the BSC. There are vendors which build their BTSs
so the information is preprocessed, target cell lists are generated
and even intracell handover (HO) can be fully handled. The
advantage in this case is less load on the expensive Abis interface.
The BTSs are equipped with radios that are able to modulate layer 1
of interface Um; for GSM 2G+ the modulation type is GMSK, while
for EDGE-enabled networks it is GMSK and 8-PSK.
Antenna combiners are implemented to use the
same antenna for several TRXs (carriers), the
more TRXs are combined the greater the combiner loss will be. Up
to 8:1 combiners are found in micro and pico cells only.
Frequency hopping is often used to increase overall BTS
performance, this involves the rapid switching of voice traffic
between TRXs in a sector. A hopping sequence is followed by the
TRXs and handsets using the sector. Several hopping sequences are
available, the sequence in use for a particular cell is continually
broadcast by that cell so that it is known to the handsets.
A TRX transmits and receives according to the GSM standards,
which specify eight TDMA timeslots per radio frequency. A TRX may
lose some of this capacity as some information is required to be
broadcast to handsets in the area that the BTS serves. This
information allows the handsets to identify the network and gain
access to it. This signalling makes use of a channel known as the
BCCH (Broadcast Control Channel).
Aerial systems:
Multi channel cells with more than one TRX feed an aerial system
via an aerial combining unit. This combines the output power from
the various TRXs and feeds it to one of the two aerials via a
common co-axial cable. Provision is also made to have connections
to both aerials for spatial diversity reception mentioned earlier.
Sectorisation:
By using directional antennas on a base station, each pointing in
different directions, it is possible to sectorise the base station so
that several different cells are served from the same location.
Typically these directional antennas have a beamwidth of 65 to 85
degrees. This increases the traffic capacity of the base station
(each frequency can carry eight voice channels) whilst not greatly
increasing the interference caused to neighboring cells (in any
given direction, only a small number of frequencies are being
23
24

broadcast). Typically two antennas are used per sector, at spacing


of ten or more wavelengths apart. This allows the operator to
overcome the effects of fading due to physical phenomena such as
multipath reception. Some amplification of the received signal as it
leaves the antenna is often used to preserve the balance between
uplink and downlink signal.
This picture shows a typical sectorised aerial system. Three pairs of
aerials are used, each on one of the three faces of the lattice mast,
giving three cells. They are arranged to give unidirectional signals at
approximately 120 degrees to each other to help in coverage. A
polar diagram of how the signals propagate is shown below.
Also attached to the mast are microwave dishes conveying signals
that have already been received by the BTS to the BSC or other BTS
sites. Lightning conductors are also fitted to the mast.

[Figure: Polar diagram of sectorised mast, with Sectors A, B and C arranged around the mast]


Base Station Controller:
The Base Station Controller (BSC) provides, classically, the
intelligence behind the BTSs. Typically a BSC has 10s or even 100s
of BTSs under its control. The BSC handles allocation of radio
channels, receives measurements from the mobile phones, controls
handovers from BTS to BTS (except in the case of an inter-BSC
handover in which case control is in part the responsibility of the
Anchor MSC). A key function of the BSC is to act as a concentrator
where many different low capacity connections to BTSs (with
relatively low utilization) become reduced to a smaller number of
connections towards the Mobile Switching Center (MSC) (with a high
level of utilization). Overall, this means that networks are often
structured to have many BSCs distributed into regions near their
BTSs which are then connected to large centralized MSC sites.
The BSC is undoubtedly the most robust element in the BSS as it is
not only a BTS controller but, for some vendors, a full switching
center, as well as an SS7 node with connections to the MSC and
SGSN (when using GPRS). It also provides all the required data to
the Operation Support Subsystem (OSS) as well as to the
performance measuring centers.
A BSC is often based on a distributed computing architecture, with
redundancy applied to critical functional units to ensure availability
in the event of fault conditions. Redundancy often extends beyond
the BSC equipment itself and is commonly used in the power
supplies and in the transmission equipment providing the A-ter
interface to PCU.
The databases for all the sites, including information such as carrier
frequencies, frequency hopping lists, power reduction levels,
receiving levels for cell border calculation, are stored in the BSC.
This data is obtained directly from radio planning engineering which
involves modeling of the signal propagation as well as traffic
projections.
At maximum configuration, the Nokia BSC used by Orange can
manage potentially up to 248 BTS containing up to 512 TRX,
although this situation is, where possible, generally avoided as,
from a network planning viewpoint, this is definitely ‘placing all the
eggs in one basket’!
The BSC acts as a switch dynamically creating and ‘tearing down’
the connections between the 2Mbit/s links connecting the BSS to
the core network (NSS) on the other. It manages ‘handovers’
between the BTSs under its control, and between itself and other
BSS, and also acts as the operations and maintenance interface to
the OSS for the same BTS group.

Transcoder and rate adaptation unit (TRAU):

Although functionally part of the BSS, in most networks the
transcoders (TRAU) are always physically located with the mobile
services switching centre (MSC). The transcoding function converts
the voice channel coding between the GSM (Regular Pulse Excited-Long
Term Prediction, also known as RPE-LPC) coder and the CCITT
standard PCM (G.711 A-law or u-law). Since the PCM coding is 64
kbit/s and the GSM coding is 13 kbit/s, this also involves a buffering
function so that PCM 8-bit words can be recoded to construct GSM
20 ms traffic blocks, to compress voice channels from the 64 kbit/s
PCM standard to the 13 kbit/s rate used on the air interface. Some
networks use 32 kbit/s ADPCM on the terrestrial side of the network
instead of 64 kbit/s PCM and the TRAU converts accordingly. When
the traffic is not voice but data such as fax or email, the TRAU
enables its Rate Adaptation Unit function to give compatibility
between the BSS data rates and the MSC capability. The
transcoder packs the 13 kbit/s data into 16 kbit/s by adding 3 kbit/s
of control information, which allows up to four calls to be
accommodated in a single 64 kbit/s PCM data channel. Thus a single
PCM 2 Mbit/s link can be made to carry up to 120 GSM calls at
16 kbit/s instead of the normal 30 channels at 64 kbit/s.
The radio interface does not provide sufficient bandwidth to
transmit speech at 64 kbit/s, so GSM needs to transcode the A-law
PCM voice channel from the PSTN into a suitable form for GSM. The
MSC was designed very close to the design of an ISDN switch; in
particular, only 64 kbit/s circuits are switched. The transcoding could
be carried out between BSC and BTS, but this would mean BSCs
switching at 64 kbit/s and would also require 2 Mbit/s links.
Between the MSC and BSC is the other option, so if the transcoder is
located at the MSC site the number of leased lines used is reduced.
If the transcoder is located remotely from the BSC it is known as a
remote transcoder.

[Figure: transcoder between MSC and BSC. MSC side: 8000 x 8 bit samples = 64 Kbit/sec. BSC side: regular pulse excitation with long term prediction, 50 x 260 bit samples = 13 Kbit/sec]

So what does the transcoder actually do? The quick, not too
technical answer is that the input is 8000 * 8 bit samples
every second of A-law PCM encoded speech and the output is
50 * 260 bit blocks of transcoded speech.
[Figure: Transcoding of 64 Kbits/s into 16 Kbits/s. The 8-bit timeslots of users A, B, C and D on a 2.048 Mbit/sec link are each transcoded to 2 bits (16 Kbits/sec) and share one timeslot on a 2.048 Mbit/sec link]

The transcoder takes the 8 bits from the network-supplied 64
Kbits/s and converts them into 2-bit data for transmission to the BSC.
The data is transcoded in the same manner as in the mobile station,
using one of the methods shown in the diagram on the previous page.
Each 64 kbit timeslot now holds 2 bits of data from each of 4 users
as shown above.
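The sub-multiplexing described above, as an added Python example that is not part of the original report: four 16 kbit/s sub-channels share one 64 kbit/s timeslot, 2 bits each per octet. The bit positions given to users A to D, the function names and the sample frames are assumptions made for illustration.

```python
"""Pack four 16 kbit/s TRAU sub-channels into one 64 kbit/s timeslot."""

SPEECH_BITS = 260                          # 13 kbit/s x 20 ms block
CONTROL_BITS = 60                          # 3 kbit/s x 20 ms of control info
FRAME_BITS = SPEECH_BITS + CONTROL_BITS    # 320 bits = 16 kbit/s x 20 ms
FRAME_BYTES = FRAME_BITS // 8              # 40 bytes per user per 20 ms


def dibits(frame):
    """Split a byte string into 2-bit groups, most significant bits first."""
    return [(byte >> shift) & 0b11 for byte in frame for shift in (6, 4, 2, 0)]


def mux(frames):
    """Interleave four 320-bit frames into the octets of one timeslot.

    Assumed layout: user A in bits 7-6, B in 5-4, C in 3-2, D in 1-0.
    """
    if len(frames) != 4 or any(len(f) != FRAME_BYTES for f in frames):
        raise ValueError("need exactly four 320-bit frames")
    a, b, c, d = (dibits(f) for f in frames)
    return bytes((w << 6) | (x << 4) | (y << 2) | z
                 for w, x, y, z in zip(a, b, c, d))


def demux(timeslot):
    """Recover the four users' frames from the shared timeslot octets."""
    frames = []
    for user in range(4):
        shift = 6 - 2 * user
        pairs = [(octet >> shift) & 0b11 for octet in timeslot]
        frames.append(bytes(
            (pairs[i] << 6) | (pairs[i + 1] << 4) | (pairs[i + 2] << 2) | pairs[i + 3]
            for i in range(0, len(pairs), 4)))
    return frames


def calls_per_link(traffic_timeslots=30, users_per_timeslot=4):
    """Calls carried by one 2 Mbit/s link once each timeslot is shared."""
    return traffic_timeslots * users_per_timeslot


# Constructed sample frames (not real speech data), one per user A to D.
SAMPLE_FRAMES = [bytes([0xFF]) * 40, bytes(40), bytes([0xAA]) * 40, bytes([0x55]) * 40]

if __name__ == "__main__":
    slot = mux(SAMPLE_FRAMES)
    print(len(slot), "octets per 20 ms in the 64 kbit/s timeslot")
    print("round trip ok:", demux(slot) == SAMPLE_FRAMES)
    print("calls per 2 Mbit/s link:", calls_per_link())
```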
BTS to BSC connection:
A BTS may be located with a BSC in the same cabinet with some
manufacturers or located some distance away. There are two main
ways to configure a BSS, either in star configuration or daisy
chained.
BSS linking – ‘Star’: In this each BTS is directly connected to the
BSC. This makes the network faster and more resilient to faults. If a
BTS site goes down, no other BTSs are affected; however, due to the
extra links required between individual BTS’s it is a more expensive
method than daisy

[Figure: Star configuration]

BSS linking – ‘Daisy chained’: It is a method in which all BTSs are
linked together, with the information for the BTS at the end of the
chain having to pass through all previous BTSs. Daisy chaining is
cheaper to configure than star as there are fewer links to pay for. The
disadvantages of using a daisy chain are delays and resilience to
faults. The GSM specifications put a limit on the number of BTSs in
the chain to a maximum of 10 and also limit the distance between
BSC and the last BTS in the chain to 340 Km. These limits are due
to the delay incurred across the distance or links. Also,
if one BTS or link goes down, all BTSs further down the chain
become inoperative until the fault is fixed. The method to overcome
this is to have a closed loop configuration, where an extra
redundant link is provided between BSC and last BTS in the chain.
This method provides an alternative path for traffic if a link goes
down.

[Figure: Daisy chain configuration]

Cell monitoring:
During a call, the BSC may decide that a handover is
required based on received signal level and quality measurements
taken from the uplink. Downlink measurements of the link from the
serving cell, and of the signal strength of the BCCHs of the
neighbor cells, are performed by the mobile. Twice per second, a
measurement report containing all the results is sent uplink to the
BSC, which is responsible for deciding when a handover to another
cell is required.
Thus every mobile continuously monitors its current serving cell
and up to 32 neighbor cells and reports back to the BTS the RF
levels of the top six strongest signals. It has time to do this as,
unlike the BTS, it transmits and receives only one burst per
TDMA frame.
Location area:
Each MSC in the network has an associated visitor location register
(VLR) which contains a copy of some of the subscriber details that
are stored in the HLR. The VLR is perhaps best described as the MSC’s
active database, and as such the copies of subscriber details it
contains exist only while the subscriber is active in the area covered
by its MSC. The records in the VLRs are therefore dynamic
and are created, updated and deleted as subscribers move
from one place to another.
For each subscriber, the VLR also records the location area identity
(LAI). Each VLR therefore controls several LAIs, and as subscribers
move between them their VLR records receive a LAI update. When
any mobile moves between MSCs (VLRs), the subscriber’s home
location register is also updated with the address details of the
new VLR. The LAI enables the network to know the whereabouts of
each active subscriber so that paging messages can be directed
only to the correct location.

Handovers:
There are basically three types of GSM handover:
1. Intra BSC
2. Inter BSC
3. Inter MSC

Intra BSC:
The MS remains under the control of same BSC but changes BTSs.
Inter BSC:
The mobile station changes BSC as well as BTS and also changes
LAI as one BSC controls one LA. The VLR is also updated with the
new LAI and informs the HLR.

[Figure: Inter BSC handover]

Inter MSC:

The mobile not only changes BTSs and BSCs but changes MSCs as
well. As a new BSA is used, a new location area is assigned and stored
in the VLR and the HLR is updated. The VLR records are erased.
[Figure: Inter MSC handover]

Cell selection:
There are four purposes for handovers which are:
1. Maintenance of high signal quality.
2. Recovering co-channel interference from another cell.
3. Traffic balancing among cells.
4. Recovering the failure of a control channel.

Handovers must take place before a noticeable degradation of the
signal quality occurs at the mobile. Before a decision is made the
signal quality must be measured over a period of time to ensure
that the quality degradation is real and not due to multipath fading.
The objectives are then to achieve handover without the knowledge
of the mobile user and to prevent the mobile from being
immediately handed over again.
The two main reasons for handover are to ensure quality at the
mobile (mobile initiated handover) and traffic balancing (handover
initiated by the network).
As stated earlier, when a mobile is in idle mode it monitors around
30 BCCH carriers of surrounding cells. It uses the following
measurements to calculate C1 parameters in order to decide
whether to hand over to an adjacent cell.
The mobile does C1 calculations on all cells it can hear and camps
onto the highest C1 cell. It then again calculates C1 for all top 6
cells given to it by the network.

Parameters for C1 calculations:
a. The averaged downlink signal strength from the selected
cell – DLss.
b. The received level access minimum – RXLEV_ACESS_MIN.
c. The maximum uplink TX power for access –
MS_TXPOWER_MAX_CCH.
d. The nominal power of the mobile in dBs – P.
The RXLEV_ACESS_MIN and the MS_TXPOWER_MAX_CCH are
parameters that are sent by every base station on the BCCH, and
these can be set by the operator to control the cell boundaries.
A cell is only considered when its C1 value is positive, which forces
a mobile to move closer before handover is considered. The C1
calculation also depends upon the mobile power capability and
therefore cell boundaries will differ for different power classes. The
C1 of the neighbor must be higher than that of the serving cell for
at least five seconds before a handover takes place.

C1 formula
C1 = A – Max (B,0) dB

Where:
A =DLss - RXLEV_ACESS_MIN
B = MS_TXPOWER_MAX_CCH - P
Example:
GSM 1800 cell
GSM class 1 mobile power output 1 watt, i.e. P = 30 dB
RXLEV_ACESS_MIN = -100 dB
MS_TXPOWER_MAX_CCH = 30 dB
DLss = -80 dB

A = (-80) – (-100) = 20 dB
B = 30 – 30 = 0 dB
C1 = 20 – 0 = 20 dB, i.e. the cell's C1 is positive and it is a
suitable candidate for handover.

Measurements of the top other live cells then take place, and if the
C1 parameters are above those of the serving cell for at least five
seconds the mobile is handed over.
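The C1 comparison described above, as an added Python example that is not part of the original report. It applies the formula to every cell the mobile can hear and only switches once a neighbour has had a positive C1 above the serving cell's for five seconds; the cell names, the per-second measurement samples and the function names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cell:
    name: str
    rxlev_acess_min: int      # RXLEV_ACESS_MIN broadcast on the BCCH (dB)
    ms_txpower_max_cch: int   # MS_TXPOWER_MAX_CCH broadcast on the BCCH (dB)


def c1(dl_ss, cell, p):
    """C1 = A - max(B, 0) with A = DLss - RXLEV_ACESS_MIN, B = MS_TXPOWER_MAX_CCH - P."""
    a = dl_ss - cell.rxlev_acess_min
    b = cell.ms_txpower_max_cch - p
    return a - max(b, 0)


def select_cell(samples, cells, serving, p, hold_seconds=5):
    """Return (time, neighbour) once a neighbour qualifies, else None.

    samples: list of (t_seconds, {cell_name: averaged DLss}) in time order.
    A neighbour qualifies when its C1 is positive and has stayed above the
    serving cell's C1 for at least hold_seconds without interruption.
    """
    better_since = {}          # neighbour -> time it first became better
    for t, levels in samples:
        serving_c1 = c1(levels[serving], cells[serving], p)
        ready = []
        for name, dl_ss in levels.items():
            if name == serving:
                continue
            value = c1(dl_ss, cells[name], p)
            if value > 0 and value > serving_c1:
                start = better_since.setdefault(name, t)
                if t - start >= hold_seconds:
                    ready.append((value, name))
            else:
                # A short fade resets the timer, so a brief multipath dip
                # or peak does not trigger a change of cell.
                better_since.pop(name, None)
        if ready:
            return t, max(ready)[1]
    return None


# Constructed broadcast parameters: cell C asks for more uplink power.
CELLS = {
    "A": Cell("A", -100, 30),
    "B": Cell("B", -100, 30),
    "C": Cell("C", -100, 33),
}

# Constructed measurements, one sample per second: A fades, B improves,
# with a one-second dip on B at t=3 that restarts the five-second timer.
SAMPLES = [
    (0, {"A": -80, "B": -90, "C": -95}),
    (1, {"A": -82, "B": -81, "C": -95}),
    (2, {"A": -84, "B": -80, "C": -95}),
    (3, {"A": -84, "B": -90, "C": -95}),
    (4, {"A": -85, "B": -82, "C": -95}),
    (5, {"A": -86, "B": -82, "C": -95}),
    (6, {"A": -87, "B": -81, "C": -95}),
    (7, {"A": -88, "B": -80, "C": -95}),
    (8, {"A": -88, "B": -80, "C": -95}),
    (9, {"A": -89, "B": -79, "C": -95}),
]

if __name__ == "__main__":
    print("C1 of the report's worked example:", c1(-80, CELLS["A"], 30))
    print("cell change:", select_cell(SAMPLES, CELLS, "A", 30))
```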

Network switching system:


The switching system (SS) is responsible for performing call
processing and subscriber-related functions. The switching system
includes the following functional units.
• Home location register (HLR)—The HLR is a database used
for storage and management of subscriptions. The HLR is
considered the most important database, as it stores
permanent data about subscribers, including a subscriber's
service profile, location information, and activity status. When
an individual buys a subscription from one of the PCS
operators, he or she is registered in the HLR of that operator.
• Mobile services switching center (MSC)—The MSC
performs the telephony switching functions of the system. It
controls calls to and from other telephone and data systems. It
also performs such functions as toll ticketing, network
interfacing, common channel signaling, and others.
• Visitor location register (VLR)—The VLR is a database that
contains temporary information about subscribers that is
needed by the MSC in order to service visiting subscribers. The
VLR is always integrated with the MSC. When a mobile station
roams into a new MSC area, the VLR connected to that MSC
will request data about the mobile station from the HLR. Later,
if the mobile station makes a call, the VLR will have the
information needed for call setup without having to interrogate
the HLR each time.
• Authentication center (AUC)—A unit called the AUC
provides authentication and encryption parameters that verify
the user's identity and ensure the confidentiality of each call.
The AUC protects network operators from different types of
fraud found in today's cellular world.
• Equipment identity register (EIR)—The EIR is a database
that contains information about the identity of mobile
equipment that prevents calls from stolen, unauthorized, or
defective mobile stations. The AUC and EIR are implemented
as stand-alone nodes or as a combined AUC/EIR node.

Mobile Switching Centre (MSC):

The main function of the mobile switching centre is to manage and
co-ordinate the setting up of calls between GSM mobile and PSTN users. The
Mobile Switching Centre or MSC is a sophisticated telephone
exchange which provides circuit-switched calling, mobility
management, and GSM services to the mobile phones roaming
within the area that it serves. This means voice, data and fax
services, as well as SMS and call divert.
In the GSM mobile phone system, in contrast with earlier analogue
services, fax and data information is sent directly digitally encoded
to the MSC. Only at the MSC is this re-coded into an "analogue"
signal (although actually this will almost certainly mean sound
encoded digitally as PCM signal in a 64-kbit/s timeslot, known as a
DS0 in America).
There are various names for MSCs in different contexts, which
reflects their complex role in the network. All of these terms
could refer to the same MSC doing different things at
different times.
A Gateway MSC is the MSC that determines at which visited MSC the
subscriber who is being called is currently located. It also interfaces
with the Public Switched Telephone Network. All mobile to mobile
calls and PSTN to mobile calls are routed through a GMSC. The term
is only valid in the context of one call since any MSC may provide
both the gateway function and the Visited MSC function; however,
some manufacturers design dedicated high capacity MSCs which do
not have any BSSes connected to them. These MSCs will then be
the Gateway MSC for many of the calls they handle.
The Visited MSC is the MSC where a customer is currently located.
The VLR associated with this MSC will have the subscriber's data in
it.
The Anchor MSC is the MSC from which a handover has been
initiated. The Target MSC is the MSC toward which a Handover
should take place.

Mobile Switching Centre Server (MSC-S)


The Mobile Switching Centre Server or MSC Server is a soft switch
variant of the Mobile Switching Centre, which provides circuit-switched
calling, mobility management, and GSM services to the mobile
phones roaming within the area that it serves. MSC Server
functionality enables a split between the control plane (signaling)
and the user plane (bearer, in a network element called the Media
Gateway), which guarantees more optimal placement of network
elements within the network.
The MSC Server and Media Gateway (MGW) make it possible to
cross-connect circuit switched calls switched by using IP, ATM AAL2
as well as TDM.

The MSC connects to the following elements:
• The HLR for obtaining data about the SIM and MSISDN.
• The Base Station Subsystem which handles the radio
communication with 2G and 2.5G mobile phones.
• The UTRAN which handles the radio communication with 3G
mobile phones.
• The VLR for determining where other mobile subscribers are
located.
• Other MSCs for procedures such as handover.
Tasks of the MSC include:
• Delivering calls to subscribers as they arrive based on
information from the VLR.
• Connecting outgoing calls to other mobile subscribers or the
PSTN.
• Delivering SMSs from subscribers to the SMSC and vice versa.
• Arranging handovers from BSC to BSC.
• Carrying out handovers from this MSC to another.
• Supporting supplementary services such as conference calls or
call hold.
• Collecting billing information.

Home Location Register:

The Home Location Register or HLR is a central database that
contains details of each mobile phone subscriber that is authorized
to use the GSM core network. The HLR is the reference database for
subscriber parameters: various identification numbers and
addresses, as well as authentication parameters, services
subscribed and special routing information, are stored. Current
subscriber status, including a subscriber’s temporary roaming
number and associated visitor location register if the mobile is
roaming, is maintained.
There is one HLR in one Public Land Mobile Network. The HLR is a
single database but can be maintained as separate databases when
the data to be stored is more than the capacity.
The permanent data stored in an HLR includes the following:
• International mobile subscriber identity.
• Mobile subscriber international ISDN number (MSISDN).
• Mobile subscriber category (prepaid or postpaid).
• Roaming restriction (allowed or not).
• Supplementary services (allowed or not)
• Authentication key
The temporary data consists of the following:
• Mobile station roaming number.
• Visitor location register address, which identifies the MSC
area where the mobile subscriber is registered.
• Roaming restriction.
• Messages waiting data.

The HLR data is stored for as long as a subscriber remains with the
mobile phone operator.
At first glance, the HLR seems to be just a database which is merely
accessed by other network elements which do the actual processing
for mobile phone services. In fact the HLR is a system which directly
receives and processes MAP transactions and messages. If the HLR
fails, then the mobile network is effectively disabled as it is the HLR
which manages the Location Updates as mobile phones roam
around.
A subscriber’s network details are only stored once in the network.
Initially there was only one HLR per network but this was found to
be slow at retrieving the details. Each HLR has the ability to store
the details of 300000 subscribers.
HLR is accessed when:
• Phone turned off.
• Phone turned on.
• Authentication.
• Changing MSC.
• Call divert settings altered.

Visitor Location Register (VLR):


Unlike the HLR, each MSC contained within the network will have an
associated visitor location register (VLR). The functions of the VLR
are as follows:
• Works with the home location register and authentication
center regarding the mobile subscriber’s authentication.
• Relays cipher key from the home location register to the BSS
for encryption and decryption.
• Controls allocation of new TMSI numbers.
• Supports paging.
• Tracks state of all mobile subscribers in its area.
The visitor location register contains a temporary copy of some of
the subscriber’s details that are stored in the HLR. The details are
copied from the HLR into a VLR when the MS enters an area
covered by that VLR; when the MS exits that area the details are
removed from the VLR. The details are only stored for as long as
the subscriber is active in the area covered by the VLR. The reason
for having the VLR is to avoid continual and excessive references to
the HLR, which would require many more signaling connections and
be costly.
The most important piece of data stored in the VLR is the current
location area identity (LAI). This pinpoints a mobile subscriber’s
location to a group of cells. The VLR also generates “toll tickets”
that detail the type and duration of a call. The toll tickets are
forwarded to the operations sub system (OSS) and used in the
billing.
The additional data stored by the visitor location register is:
• IMSI number.
• MSISDN number.
• MSRN
• Temporary mobile subscriber identity (TMSI).
• LAI
• Identity of the current MSC.

Temporary mobile subscriber identity (TMSI):


A method to maintain security of the subscriber identity, to prevent
hi-tech call tracking, is to replace the IMSI with a temporary ID called
the TMSI. This IMSI alias prevents the IMSI being transmitted over the
radio link. The first time the subscriber accesses the network the
IMSI is used; after successful authentication a TMSI is allocated. The
TMSI can be up to 4 octets (32 bits) in length and is used in
conjunction with the LAI. It is allocated by the network on a location
area basis, and by using TMSI and LAI the subscriber is uniquely
identified.
The TMSI may be updated when:
• A new call is setup
• The MS enters a different location area
• The MS enters a different VLR area.
Mobile station roaming number (MSRN):
When a MS attaches to a MSC the address of the VLR is sent back to
the HLR. If the HLR knows where the MS is, then there is no need for
all call information to go via the HLR. Instead the MSC allocates a
MSRN on a call by call basis to the MS. Using the MSRN, an
incoming call is routed to the VLR without going to the HLR; only
signaling information needs to go to the HLR.

Mobile station roaming number (15 digits max):
Country code: 1 to 3 digits
National destination code: 2 to 3 digits
Subscriber number: 9 to 10 digits

As Service location register:


The structure of the IMSI and MSISDN is such that not only do they
give details of the country and network, they also point to which HLR
the subscriber belongs to. For example, the IMSI is
constructed from the mobile country code, mobile network code
and MS id number. With this number a subscriber can be identified
as belonging to a particular PLMN in a particular country. It would
help more if there were extra details given in the IMSI, such as
where the HLR supporting the subscriber is located. Well, believe it
or not, it does: the first digits of the IMSIDN actually identify the
HLR where the subscriber’s records are contained.

However, using this system has put a restriction on the available
numbers that can still be used. Once an IMSI or MSISDN number has
been issued it takes a lot of effort to be able to re-use it. If, for
example, a subscriber no longer wishes to be on the network or
upgrades to a bronze, silver or gold number, the original numbers
are no longer required and cannot be used. As each HLR stores a
maximum of 300k subscribers’ records, if there is a high “churn”
there would not be enough database space and numbers.
Purpose of the service location register:
• De-restricts the number range of the HLR.
• Any MSISDN can go onto any HLR.
• Number portability.
• Voice mailboxes can be spread over all VPS elements.
• Can differentiate between different networks.
• Reduce network signaling.
Authentication centre:
The authentication centre (AUC) provides a security function to the
network. Stored in the AUC is information that uniquely identifies a
MS. When a MS tries to access a network, a check is made using
information stored on the SIM card and that stored in the AUC; if the
result of the check is true then the MS is allowed onto the network.
The network can also instigate an authentication check of a MS
when a call is being set up.
The authentication centre is a computer system that resides within
the HLR, performing the management of the authentication and
security parameters. Subscriber information stored on the SIM is
compared with subscriber information in the HLR. If the information
is the same then the subscriber is authenticated and allowed in the
network.
The purpose of security on the network covers the following four
points:
• Prevention of unauthorized access to the network.
• Protection of the subscriber’s phone calls and data from
an eavesdropper.
• Protection of the subscriber’s identity.
• Prevention of establishing the location of the subscriber.
The parameters and algorithms used in the authentication and
encryption processes are detailed below:
KI – The subscriber’s authentication key is the hub of the
authentication process. It is stored at two places only, SIM and AUC.
KI is not readable by the subscriber and it is never transmitted over
the air interface.
RAND – A random number generated by the AUC and sent to the HLR
and mobile equipment for use by the SIM. RAND is 128 bits long,
which gives 3.4 x 10^38 possible numbers to choose from.
SRES – Signed response, a 32 bit number. SRES is the result from
the A3 algorithm and is sent back by the SIM.
KC – Cipher key used in the encryption process. The A8 algorithm
produces KC.
A3 – Authentication algorithm stored in the AUC and SIM.
A8 – Encryption/ciphering key generation algorithm stored in AUC
and SIM.
Triplet – RAND, SRES and KC collectively make up an authentication
triplet. Triplets are generated in the AUC and are forwarded to the
HLR and VLR. It is possible that 5 triplets may be generated and
forwarded to the VLR, thus saving time and resources by reducing
the number of references to the AUC.

[Figure: Authentication process. The authentication centre/HLR and the SIM each apply the A3 and A8 algorithms to RAND and KI; the two SRES values are compared at the VLR across the air interface: if they are equal the MS is allowed, otherwise it is not allowed]
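The challenge-response exchange described above, as an added Python example that is not part of the original report. A3 and A8 are replaced by a labelled stand-in (truncated HMAC-SHA-256, not any operator's real algorithm); the 64-bit KC length, the class names and the test IMSI are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


# Stand-ins for A3 and A8 (assumption: truncated HMAC-SHA-256 keyed with KI).
def a3(ki, rand):
    """SRES: 32-bit signed response."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]


def a8(ki, rand):
    """KC: ciphering key (64 bits assumed here)."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]


class AuC:
    """Holds KI per IMSI and issues (RAND, SRES, KC) triplets."""

    def __init__(self):
        self._ki = {}
        self.fetches = 0                      # how often the AUC was consulted

    def provision(self, imsi):
        ki = secrets.token_bytes(16)
        self._ki[imsi] = ki
        return ki                             # written into the SIM once

    def triplets(self, imsi, count=5):
        self.fetches += 1
        ki = self._ki[imsi]
        batch = []
        for _ in range(count):
            rand = secrets.token_bytes(16)    # 128-bit RAND
            batch.append((rand, a3(ki, rand), a8(ki, rand)))
        return batch


class Sim:
    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki                         # never leaves the SIM

    def respond(self, rand):
        return a3(self._ki, rand), a8(self._ki, rand)


class Vlr:
    """Consumes triplets one per authentication; never sees KI."""

    def __init__(self, auc):
        self._auc = auc
        self._unused = {}                     # imsi -> triplets not yet used
        self._pending = {}                    # imsi -> triplet awaiting SRES

    def challenge(self, imsi):
        queue = self._unused.setdefault(imsi, [])
        if not queue:
            queue.extend(self._auc.triplets(imsi))
        self._pending[imsi] = queue.pop(0)
        return self._pending[imsi][0]         # only RAND crosses the air

    def verify(self, imsi, sres):
        pending = self._pending.pop(imsi, None)   # each triplet is single use
        if pending is None:
            return None
        _rand, expected, kc = pending
        return kc if hmac.compare_digest(sres, expected) else None


def authenticate(vlr, sim):
    """Return (allowed, both sides hold the same KC)."""
    rand = vlr.challenge(sim.imsi)
    sres, kc_sim = sim.respond(rand)          # only SRES is sent back
    kc_net = vlr.verify(sim.imsi, sres)
    return kc_net is not None, kc_net == kc_sim


def demo():
    imsi = "001010123456789"                  # constructed test IMSI
    auc = AuC()
    ki = auc.provision(imsi)
    vlr = Vlr(auc)
    genuine = Sim(imsi, ki)
    clone = Sim(imsi, bytes(b ^ 0xFF for b in ki))   # right IMSI, wrong KI
    genuine_ok, kc_match = authenticate(vlr, genuine)
    clone_ok, _ = authenticate(vlr, clone)
    for _ in range(4):                        # six challenges in total
        authenticate(vlr, genuine)
    return {"genuine_ok": genuine_ok, "kc_match": kc_match,
            "clone_ok": clone_ok, "auc_fetches": auc.fetches}


if __name__ == "__main__":
    print(demo())
```

Six authentications cost two AUC references here because the first batch of five triplets is used up before the sixth challenge.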

Interworking function (IWF):


The GSM network has to interface with the various
forms of public and private networks currently available. It is the job
of the interworking function to provide this interfacing. The IWF
is required to interface to the following:
• Public Service Telephone Network (PSTN)
• Integrated Service Digital Network (ISDN).
• Circuit Switched Public Data Networks (CSPDN).
• Public Switched Public Data Networks (PSPDN).
The interworking function provides the mobile user access to data
rate and protocol conversion facilities so that data can be
transmitted between GSM Data Terminal Equipment (DTE) and
Landline data terminal equipment.

Short message service centre (SMC):


The short message service centers are capable of sending
messages up to 160 characters in length to individual mobiles. The
messages may be readable text messages or configuration and
provisioning messages for the SIM.
Operation
When a user sends a text message (SMS message) to another user,
the message gets stored in the SMSC which delivers it to the
destination user when they are available. This is a store and
forward operation. The SMSC usually has a configurable time limit
for how long it will store the message, and users can usually specify
a shorter time limit if they want.
A message may also come from an application, for example a voice
mail server sending voice mail incoming message alerts. Mobile
operators allow businesses to interact with their SMSC to submit
messages in bulk. From the SMSC's point of view, such applications are
called SME (Short Message Entities). In this case the SMSC is
responsible for locating the SMSC of the destination user and
submitting the message there.

Operations sub-system(OSS):
The operations subsystem (OSS) provides a means for an operator
to closely monitor the network and make changes if necessary. The
OSS can be split into regions with a higher authority monitoring.
The regional OSS functions are performed at Operations and
Maintenance Centre (OMC) and higher level functions by Network
Management Centre (NMC).
The functions of the OSS are based upon the concept of the
telecommunications management network (TMN), where all NMC
and OMC machines are linked with the NSS and BSS. This linkage
follows a layered approach with the NMC at the top and the BSS at
the bottom.
In summary, network management for any network consists of
the following:
• Network management centre for the global technical
management of the network with administrative and
commercial control of functions.
• Operations and management centre is a device based
regionally for the operation of individual network
components within the network.

Network Management Centre (NMC):

The NMC is responsible for the control of the entire network and the
overseeing of all the service-affecting maintenance undertaken 24
hours a day. The NMC resides at the top of the management
hierarchy chain.
The NMC gathers information from the network via the operations
and maintenance centers and filters it using the network
management software, NMS 5000 system (in Orange, London).
The functions of the Network management software are to provide
control of the following areas:
Subscriber management: customer provisioning, the registering
and de-registering of a customer’s SIM onto the network. The
system provides a data entry point for positioning customer’s
details. It also performs the billing functions.
Performance management: responsible for monitoring
the quality of service, failed call attempts, signal quality
measurements and number of location update requests.
Configuration management: The configuration of the network is
held in a database at the OMC. When an equipment provider supplies
an updated software version to the operator, its release on
to the network is overseen and controlled from within the NMC.
The OMC provides a means to control release of software at a
suitable time. Other configuration parameters are the master copy of
the BSC configuration database, which enables software changes to be
made to all network elements; these two can be accessed via the
NMC.
Security management: with millions of rupees of equipment and
services accessible via software, it would be disastrous for a network
operator if illegal entry were made to the system by someone or a
group intent on causing disruption to the network. The
system provides security functions to stop “hackers” by ensuring
passwords are authenticated to access the OMC.
Maintenance, alarm and fault management: monitoring
events, promoting events to alarm conditions and realizing the
effect of the alarm are some examples of what is meant by
maintenance. If the fault is urgent and needs immediate attention,
an engineer can be tasked with visiting the site for further
examination.
Network interfaces:

Figure shows the GSM interfaces; they are briefly explained below.
• Um The air interface is used for exchanges between a MS
and a BSS. LAPDm, a modified version of the ISDN LAPD,
is used for signaling.
• Abis This is a BSS internal interface linking the BSC and a
BTS, and it has not been standardized. The Abis
interface allows control of the radio equipment and radio
frequency allocation in the BTS.
• A The A interface is between the BSS and the MSC. The A
interface manages the allocation of suitable radio
resources to the MSs and mobility management.
• B The B interface between the MSC and the VLR uses the
MAP/B protocol. Most MSCs are associated with a VLR,
making the B interface "internal". Whenever the MSC
needs access to data regarding a MS located in its area,
it interrogates the VLR using the MAP/B protocol over
the B interface.
• C The C interface is between the HLR and a GMSC or a
SMS-G. Each call originating outside of GSM (i.e., a MS
terminating call from the PSTN) has to go through a
Gateway to obtain the routing information required to
complete the call, and the MAP/C protocol over the C
interface is used for this purpose. Also, the MSC may
optionally forward billing information to the HLR after
call clearing.
• D The D interface is between the VLR and HLR, and uses
the MAP/D protocol to exchange the data related to the
location of the MS and to the management of the
subscriber.
• E The E interface interconnects two MSCs. The E interface
exchanges data related to handover between the anchor
and relay MSCs using the MAP/E protocol.
• F The F interface connects the MSC to the EIR, and uses
the MAP/F protocol to verify the status of the IMEI that
the MSC has retrieved from the MS.
• G The G interface interconnects two VLRs of different
MSCs and uses the MAP/G protocol to transfer subscriber
information, during e.g. a location update procedure.
• H The H interface is between the MSC and the SMS-G, and
uses the MAP/H protocol to support the transfer of short
messages.
• I The I interface (not shown in Figure 1) is the interface
between the MSC and the MS. Messages exchanged
over the I interface are relayed transparently through
the BSS.

Standard interfaces:
The standard interfaces utilized within the GSM network are as
follows:
• 2.048Mbit/s trunks – 32 x 64 kbit/s timeslots.
• C7 signaling system.
• X.25 packet switch system.
• Link access protocol data (LAPD) – used on the Abis.

Whatever the interconnect and whatever the required function, all
the applications share a common physical bearer between the two
points as well as being developed in accordance with the open system
interconnect reference model (OSIRM).
OSI layers: there are seven OSI layers which are used starting at
the physical layer at the bottom to the application layer at the top.
The layers in GSM are specified below with the various signaling
protocols named.
X.25 interfaces: X.25 is a standard, well-proven protocol for
sending data at 64 Kbit/s over public data networks. Instead of
passing the data by using analogue signals, X.25 uses digital signals
made up into packets of data. The packets have sequence and
control information added and are sent as frames via 64 Kbit/sec
timeslots on 2.048 Mbit/sec links.
Typical uses of X.25 in the GSM network are for linking the OMC to
various other entities such as MSC, BSC and HLR. By using X.25
data can be passed to/from these entities error free and quickly. An
example of where this is required is in the download of software
from OMC to BSC.
C7 signaling: C7 is a common channel signaling system used for
national and international signaling between switches. Being a
common channel system C7 can be thought of as a separate data
network carrying up to 31 primary signaling channels over 1 x
2.048 Mbit/sec link. This gives the advantage that the traffic and
signaling go via different transmission routes and the signaling
channel is only used as and when signaling is needed.
The features of C7 are below:
• Fast – signaling rate of 64 Kbit/sec.
• Efficient – the link is only utilized as and when required by a
channel. When not being used by one channel the resources
are utilized by another channel.
• Reliable – transfers information in the correct sequences
without loss or duplication. Contains an error detection and
correction mechanism.

Call routing:
It is of two types:
• Outgoing calls (calls originating from MS).
• Incoming calls (calls terminating at MS).

Outgoing calls: Once a mobile phone has successfully attached to
a GSM network as described above, calls may be made from the
phone to any other phone on the global Public Switched Telephone
Network assuming the subscriber has an arrangement with their
"home" phone company to allow the call.

The user dials the telephone number, presses the send or talk key,
and the mobile phone sends a call setup request message to the
mobile phone network via the mobile phone mast (BTS) it is in
contact with.
The element in the mobile phone network that handles the call
request is the Visited Mobile Switching Center (Visited MSC). The
MSC will check against the subscriber's temporary record held in
the Visitor Location Register to see if the outgoing call is allowed. If
so, the MSC then routes the call in the same way that a telephone
exchange does in a fixed network.
If the subscriber is on a Pay As You Go tariff (sometimes known as
Prepaid (for example, in Australia)), then an additional check is
made to see if the subscriber has enough credit to proceed. If not,
the call is rejected. If the call is allowed to continue, then it is
continually monitored and the appropriate amount is decremented
from the subscriber's account. When the credit reaches zero, the
call is cut off by the network. The systems that monitor and provide
the prepaid services are not part of the GSM standard services, but
instead an example of intelligent network services that a mobile
phone operator may decide to implement in addition to the
standard GSM ones.

Incoming calls:

PSTN to Mobile:
,--------------------------------------------------------------------------,
|   Fixed    PSTN/ISDN  Gateway Home Location PSTN/ISDN             Mobile |
|Subscriber  exchange     MSC     Register    exchange   MSC/VLR    Station|
|     |          |         |          |          |          |          |   |
|     |--------->|  MSISDN |          |          |          |          |   |
|     |  MSISDN  |-------->|  MSISDN  |          |          |          |   |
|     |          |         |- - - - ->|          |          |          |   |
|     |          |         |   MSRN   |          |          |          |   |
|     |          |         |<- - - - -|          |          |          |   |
|     |          |         |   MSRN   |          |          |          |   |
|     |          |         |-------------------->|   MSRN   |          |   |
|     |          |         |          |          |--------->|   TMSI   |   |
|     |          |         |          |          |          |--------->|   |
|     |        ,---,     ,---,        |        ,---,      ,---,        |   |
|     |        | S |     | S |        |        | S |      | S |        |   |
|              `---'     `---'                 `---'      `---'            |
|  ,---,                                                                   |
|  | S |  indicates a switching node.                                      |
|  `---'                                                                   |
`--------------------------------------------------------------------------'
FIGURE 4
Introduction:
Call routing to a roaming mobile is easily performed. The most
general case is shown in Figure 4, where a call from a fixed network
(Public Switched Telecommunications Network or Integrated
Services Digital Network) is placed to a mobile subscriber. Using
the Mobile Subscriber's telephone number (MSISDN, the ISDN
numbering plan specified in the ITU-T E.164 recommendation), the
call is routed through the fixed land network to a gateway MSC for
the GSM network (an MSC that interfaces with the fixed land
network, thus requiring an echo canceller). The gateway MSC uses
the MSISDN to query the Home Location Register, which returns the
current roaming number (MSRN). The MSRN is used by the
gateway MSC to route the call to the current MSC (which is usually
coupled with the VLR). The VLR then converts the roaming number
to the mobile's TMSI, and a paging call is broadcast by the cells
under the control of the current BSC to inform the mobile.
How incoming calls are made to a mobile
Step One: Contact the Gateway MSC
When someone places a call to a mobile phone, they dial the
telephone number (also called a MSISDN) associated with the phone
user and the call is routed to the mobile phone operator's Gateway
Mobile Switching Centre. The Gateway MSC, as the name suggests,
acts as the "entrance" from exterior portions of the Public Switched
Telephone Network onto the provider's network.
As noted above, the phone is free to roam anywhere in the
operator's network or on the networks of roaming partners,
including in other countries. So the first job of the Gateway MSC is
to determine the current location of the mobile phone in order to
connect the call. It does this by consulting the Home Location
Register (HLR), which, as described above, knows which Visitor
Location Register (VLR) the phone is associated with, if any.
Step Two: Determine how to route the call
When the HLR receives this query message, it determines whether
the call should be routed to another number (called a divert), or if it
is to be routed directly to the mobile.
If the owner of the phone has previously requested that all
incoming calls be diverted to another number, known as the Call
Forward Unconditional (CFU) Number, then this number is stored in
the Home Location Register. If that is the case, then the CFU
number is returned to the Gateway MSC for immediate routing to
that destination.
If the mobile phone is not currently associated with a Visited
Location Register (because the phone has been turned off or is not
in range) then the Home Location Register returns a number known
as the Call Forward Not Reachable (CFNRc) number to the Gateway
MSC, and the call is forwarded there. Many operators may set this
value automatically to the phone's voice mail number, so that
callers may leave a message. The mobile phone may sometimes
override the default setting.
Finally, if the Home Location Register knows that the phone is in the
jurisdiction of a particular Visited Location Register, then it will
request a temporary number (called an MSRN) from that VLR. This
number is relayed to the Gateway MSC, which uses it to route the
call to another Mobile Switching Center, called the Visiting MSC.
Step Three: Ringing the phone
When the call is received by the Visiting MSC, the MSRN is used to
find the phone's record in the Visited Location Register. This record
identifies the phone's location area. Paging occurs to all mobile
phone masts in that area. When the subscriber's mobile responds,
the exact location of the mobile is returned to the Visited MSC. The
VMSC then forwards the call to the appropriate phone mast, and the
phone rings. If the subscriber answers, a speech path is created
through the Visiting MSC and Gateway MSC back to the network of the
person making the call, and a normal telephone call follows.
It is also possible that the phone call is not answered. If the
subscriber is busy on another call (and call waiting is not being
used) the Visited MSC routes the call to a pre-determined Call
Forward Busy (CFB) number. Similarly, if the subscriber does not
answer the call after a period of time (typically 30 seconds) then
the Visited MSC routes the call to a pre-determined Call Forward No
Reply (CFNRY) number. Once again, the operator may decide to set
this value by default to the voice mail of the mobile so that callers
can leave a message.

1. Calling a GSM subscriber
2. Forwarding call to GMSC
3. Signal setup to HLR
4, 5. Request MSRN from VLR
6. Forward responsible MSC to GMSC
7. Forward call to current MSC
8, 9. Get current status of MS
10, 11. Paging of MS
12, 13. MS answers
14, 15. Security checks
16, 17. Set up connection

Incoming calls
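
The three steps above, condensed into an added Python sketch (it is not part of the original report or of any operator's software). It follows the decision order the text gives: CFU first, then CFNRc when no VLR is associated, otherwise an MSRN from the VLR, with CFB and CFNRY handled at the visited MSC. All class names, function names, phone numbers and the location area label are constructed for illustration.

```python
"""Toy model of incoming-call routing; every name and number is constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass
class VLR:
    msrn_prefix: str
    location_area: Dict[str, str] = field(default_factory=dict)  # MSISDN -> area
    msrn_map: Dict[str, str] = field(default_factory=dict)       # MSRN -> MSISDN
    next_id: int = 1

    def allocate_msrn(self, msisdn: str) -> str:
        """Hand out a temporary roaming number for one call setup."""
        msrn = f"{self.msrn_prefix}{self.next_id:04d}"
        self.next_id += 1
        self.msrn_map[msrn] = msisdn
        return msrn

    def release_msrn(self, msrn: str) -> Tuple[str, str]:
        """Map the MSRN back to the subscriber and free the number."""
        msisdn = self.msrn_map.pop(msrn)
        return msisdn, self.location_area[msisdn]

@dataclass
class Subscriber:
    vlr: Optional[VLR] = None    # None: switched off or out of range
    cfu: Optional[str] = None    # Call Forward Unconditional
    cfnrc: Optional[str] = None  # Call Forward Not Reachable
    cfb: Optional[str] = None    # Call Forward Busy
    cfnry: Optional[str] = None  # Call Forward No Reply

def hlr_routing_info(hlr: Dict[str, Subscriber], msisdn: str) -> Tuple[str, str]:
    """Step Two: the HLR's answer, checked in the order the text gives."""
    sub = hlr[msisdn]
    if sub.cfu:
        return ("divert", sub.cfu)
    if sub.vlr is None:
        return ("divert", sub.cfnrc) if sub.cfnrc else ("fail", "not reachable")
    return ("msrn", sub.vlr.allocate_msrn(msisdn))

def visited_msc(hlr, vlr, msrn, ms_state):
    """Step Three. ms_state ('answers', 'busy', 'no_reply') stands in for
    the outcome of paging, which this model does not simulate."""
    msisdn, area = vlr.release_msrn(msrn)
    sub = hlr[msisdn]
    if ms_state == "busy":
        return ("divert", sub.cfb) if sub.cfb else ("fail", "busy")
    if ms_state == "no_reply":
        return ("divert", sub.cfnry) if sub.cfnry else ("fail", "no reply")
    return ("connected", f"{msisdn} paged in {area}")

def route_incoming_call(hlr, msisdn, ms_state="answers"):
    """Step One onward: what the Gateway MSC does with a dialled MSISDN."""
    if msisdn not in hlr:
        return ("fail", "unknown subscriber")
    kind, value = hlr_routing_info(hlr, msisdn)
    if kind != "msrn":
        return (kind, value)
    # Simplification: in a network the MSRN itself routes to the visited MSC.
    return visited_msc(hlr, hlr[msisdn].vlr, value, ms_state)

def build_demo():
    """Constructed sample data: one attached, one unreachable, one with CFU."""
    vlr = VLR("+99900", {"+10000000001": "LA-17", "+10000000003": "LA-17"})
    hlr = {
        "+10000000001": Subscriber(vlr=vlr, cfb="+10000009999"),
        "+10000000002": Subscriber(cfnrc="+10000009999"),
        "+10000000003": Subscriber(vlr=vlr, cfu="+10000000777"),
    }
    return hlr, vlr

if __name__ == "__main__":
    hlr, _ = build_demo()
    print({n: route_incoming_call(hlr, n) for n in hlr})
```

Note that a subscriber with CFU set never consumes an MSRN, and that each MSRN is released as soon as the visited MSC has resolved it.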

Data transmission:
The Public Switched Telephone Network (PSTN) is essentially a
collection of interconnected systems for taking an audio signal from
one place and delivering it to another. Older analogue phone
networks simply converted sound waves into electrical pulses and
back again. The modern phone system digitally encodes audio
signals so that they can be combined and transmitted long
distances over fiber optic cables and other means, without losing
signal quality in the process. When someone uses a computer with
a traditional modem, they are encoding a (relatively slow) data
stream into a series of audio chirps, which are then relayed by the
PSTN in the same way as regular voice calls. This means that
computer data is being encoded as phone audio, which is then
being re-encoded as phone system data, and then back to phone
quality audio, which is finally converted back to computer data at
the destination.
GSM voice calls are essentially an extension of the PSTN, dealing
only with audio signals. Behind the scenes, we know these audio
channels happen to be transmitted as digital radio signals.
The GSM standard also provides separate facilities for transmitting
digital data directly, without any of the inefficient conversions back
and forth to audio form. This allows a mobile "phone" to act like any
other computer on the Internet, sending and receiving data via the
Internet Protocol or X.25.

The mobile may also be connected to a desktop computer, laptop,
or PDA, for use as a network interface. (Like a modem or ethernet
card, but using a GSM-compatible data protocol instead of a PSTN-
compatible audio channel or an ethernet link to transmit data.)
Newer GSM phones can be controlled by a standardised Hayes AT
command set through a serial cable or a wireless link (using IrDA or
Bluetooth). The AT commands can control anything from ring tones
to data compression algorithms.
In addition to general Internet access, other special services may be
provided by the mobile phone operator, such as SMS.

GSM services:

General Packet Radio Service (GPRS)


A packet-switched connection chops data into distinct chunks,
known as packets, which may arrive at their destination via
different routes, at different times, out of sequence, or (hopefully
only occasionally) not at all. An intermediate protocol, like TCP,
might be used to ensure the original data stream is reassembled at
the destination (by putting packets in order and retransmitting
missing ones, if necessary).
The General Packet Radio Service (GPRS) is a packet-switched data
transmission protocol which was incorporated into the GSM
standard in 1997. It is backwards-compatible with systems that use
pre-1997 versions of the standard. GPRS does this by sending
packets to the local mobile phone mast (BTS) on channels not being
used by circuit-switched voice calls or data connections. Multiple
GPRS users can share a single unused channel because each of
them uses it only for occasional short bursts.
The advantage of packet-switched connections is that bandwidth is
only used when there is actually data to transmit. This type of
connection is thus generally billed by the kilobyte instead of by the
second, and is usually a cheaper alternative for applications that
only need to send and receive data sporadically, like instant
messaging.
GPRS is usually described as a 2.5G technology.
EDGE: Enhanced Data rates for GSM Evolution (EDGE), or Enhanced
GPRS (EGPRS), is a digital mobile phone technology that allows
increased data transmission rates and improved data transmission
reliability. Although technically a 3G network technology, it is
generally classified as the unofficial standard 2.75G, due to its
slower network speed. EDGE has been introduced into GSM
networks around the world since 2003, initially in North America.
It can be used for any packet switched application such as an
Internet connection. High-speed data applications such as video
services and other multimedia benefit from EGPRS' increased data
capacity. EDGE Circuit Switched is a possible future development.
EDGE Evolution continues in Release 7 of the 3GPP standard
providing doubled performance e.g. to complement High-Speed
Packet Access (HSPA).
In addition to Gaussian minimum-shift keying (GMSK), EDGE uses 8
phase shift keying (8PSK) for the upper five of its nine modulation
and coding schemes. EDGE produces a 3-bit word for every change
in carrier phase. This effectively triples the gross data rate offered
by GSM. EDGE, like GPRS, uses a rate adaptation algorithm that
adapts the modulation and coding scheme (MCS) according to the
quality of the radio channel, and thus the bit rate and robustness of
data transmission. It introduces a new technology not found in
GPRS, Incremental Redundancy, which, instead of retransmitting
disturbed packets, sends more redundancy information to be
combined in the receiver. This increases the probability of correct
decoding.
EDGE can carry data speeds up to 236.8 kbit/s for 4 timeslots
(theoretical maximum is 473.6 kbit/s for 8 timeslots) in packet
mode and will therefore meet the International Telecommunications
Union's requirement for a 3G network, and has been accepted by
the ITU as part of the IMT-2000 family of 3G standards. It also
enhances the circuit data mode called HSCSD, increasing the data
rate of this service.
Bluetooth: Bluetooth is an industrial specification for wireless
personal area networks (PANs). Bluetooth provides a way to
connect and exchange information between devices such as mobile
phones, laptops, PCs, printers, digital cameras, and video game
consoles over a secure, globally unlicensed short-range radio
frequency. The Bluetooth specifications are developed and licensed
by the Bluetooth Special Interest Group.

Bluetooth is a radio standard and communications protocol
primarily designed for low power consumption, with a short range
(power-class-dependent: 1 metre, 10 metres, 100 m) based on
low-cost transceiver microchips in each device.
Bluetooth lets these devices communicate with each other when
they are in range. The devices use a radio communications system,
so they do not have to be in line of sight of each other, and can
even be in other rooms, as long as the received transmission is
powerful enough.

Class      Maximum Permitted Power (mW/dBm)   Range (approximate)
Class 1    100 mW (20 dBm)                    ~100 meters
Class 2    2.5 mW (4 dBm)                     ~10 meters
Class 3    1 mW (0 dBm)                       ~1 meter

Supplementary Services:
GSM supports a comprehensive set of supplementary services that
complement and support the telephony and data services described
above. They are all defined in GSM standards. A partial listing of
supplementary services follows.
Call forwarding: This service gives the subscriber the ability to
forward incoming calls to another number if the called mobile unit is
not reachable, if it is busy, if there is no reply, or if call forwarding is
allowed unconditionally.
Barring of Outgoing Calls: This service makes it possible for a
mobile subscriber to prevent all outgoing calls.
Barring of Incoming Calls: This function allows the subscriber to
prevent incoming calls. The following two conditions for incoming
call barring exist: barring of all incoming calls and barring of
incoming calls when roaming outside the home PLMN.

Advice of Charge (AoC): The AoC service provides the mobile
subscriber with an estimate of the call charges. There are two types
of AoC information: one that provides the subscriber with an
estimate of the bill and one that can be used for immediate
charging purposes. AoC for data calls is provided on the basis of
time measurements.
Call Hold: This service enables the subscriber to interrupt an
ongoing call and then subsequently reestablish the call. The call
hold service is only applicable to normal telephony.
Call Waiting: This service enables the mobile subscriber to be
notified of an incoming call during a conversation. The subscriber
can answer, reject, or ignore the incoming call. Call waiting is
applicable to all GSM telecommunications services using a circuit-
switched connection.
Multiparty service: The multiparty service enables a mobile
subscriber to establish a multiparty conversation - that is, a
simultaneous conversation between three and six subscribers. This
service is only applicable to normal telephony.
Calling Line Identification presentation/restriction: These
services supply the called party with the integrated services digital
network (ISDN) number of the calling party. The restriction service
enables the calling party to restrict the presentation. The restriction
overrides the presentation.
Closed User Groups (CUGs): CUGs are generally comparable to a
PBX. They are a group of subscribers who are capable of only
calling themselves and certain numbers.
Explicit Call Transfer (ECT): This service allows a user who has
two calls to connect these two calls together and release its
connections to both other parties.

Future:

4G technology:
The name 4G can be used simply because, unlike other technologies,
cellular technologies today are classified based upon transmission
rates. As we discussed earlier, the difference between 1G and 2G was
that 1G used analog systems, while 2G used digital technology. The
technology used for 2G, 3G and 4G is essentially the same (digital).

The rate of transmitting data in 2G is 10 kilobits per second to a
max of 100 kilobits per second; for third generation mobile (3G),
data rates are 384 kbps (download) maximum. In 4G technology,
the rate of download is 20 megabits per second.

As the technology is progressing, so are the capabilities. Today
phones can be used like laptops, and large files and emails can be
downloaded to the phone itself. People can play online games,
listen to radio and songs, have conferences with people at distant
places and receive streaming videos (live shows).

Apart from the higher speeds for downloading data and
images, 4G will have additional features such as
• The technology not restricted to cell phones alone
• Technology used with computers, televisions and
electronic gadgets
• Implemented across Wi-Fi and WIMAX.
• In short experts say 4G would be MAGIC.
• MAGIC —Mobile Multimedia Communications;
anywhere, anytime with anyone; global mobility
support; integrated wireless solution; and
customized personal service.
• Extensive usage of WIMAX technology
WiMAX
WiMAX (World Interoperability for Microwave Access,
Inc.) is being touted as the prime 4G technology. It will
allow cell phone users to download data at broadband
speeds and use their cell phones just like an efficient and
fast computer.
The main advantages of WIMAX are
• The high speed of broadband service
• Wireless rather than wired access, so it would be a
lot less expensive than cable or DSL and much
easier to extend to suburban and rural areas
switching
• Broad coverage like the cell phone network instead
of small WiFi hotspots

Thus the chief technologies used in 3G and 4G would be
Wi-Fi and WIMAX. 4G is poised to take the world of
mobile communications by storm.

References:
• www.wikipedia.com
• www.google.com

• Orange GSM mobile manual book (London, UK).
