
GSM: History

Developed by Groupe Spécial Mobile (founded 1982), which was an initiative of CEPT (Conference of European Post and Telecommunication).
Aim: to replace the incompatible analog systems.
Presently the responsibility for GSM standardization resides with the Special Mobile Group under ETSI (European Telecommunication Standards Institute).
The full set of phase-I specifications became available in 1990.
Under ETSI, GSM is named Global System for Mobile communication.

Today many providers all over the world use GSM (more than 135 countries in Asia, Africa, Europe, Australia, America).
More than 1300 million subscribers in the world and 45 million subscribers in India.

Background and Fundamentals


What?
GSM: Global System for Mobile Communications
Formerly: Group Special Mobile

When?
1982: GSM created to set standard
1988: Industrial development started
1991: First systems deployed

Why?
Integrated European system with international roaming
Increase available cellular radio capacity
Take advantage of digital price/performance
Accommodate new technology and services

Evolution of Cellular Networks

[Figure: generations 1G, 2G, 2.5G, 3G, 4G; analog, digital; circuit-switching, packet-switching]

3G AND 4G
3G: WCDMA, UMTS, EVDO, HSPA
3.9G: LTE, WIMAX, UMB as 4G

GSM Development Evolution


[Figure: GSM development evolution from 2G through 2.5G to 3G: GSM 9.6 kbps, HSCSD 57.6 kbps, GPRS 115 kbps, EDGE 384 kbps, IMT-2000 2 Mbps]

Evolution from GSM to 3G: The GSM Growth Phases

[Figure: growth phases GSM (2G), HSCSD, GPRS (2.5G), EDGE, 3G]

Acronyms
GSM - GLOBAL SYSTEM FOR MOBILE communications
HSCSD - HIGH SPEED CIRCUIT SWITCHED DATA
GPRS - GENERAL PACKET RADIO SERVICE
EDGE - ENHANCED DATA rates for GSM EVOLUTION (also called Enhanced GPRS (EGPRS))
UMTS - UNIVERSAL MOBILE TELECOMMUNICATION SYSTEM
HSPSD - HIGH SPEED PACKET SWITCHED DATA
IMT - INTERNATIONAL MOBILE TELECOMMUNICATION

GSM Reference Model


[Figure: GSM reference model showing MS, BTS, BSC, MSC, VLR, HLR, AuC, EIR, OMC, PSTN and ISDN with the Um, Abis, A, B, C, D, E, F and G interfaces]

System Architecture Overview


[Figure: system architecture showing MS with SIM, BTS, BSC, MSC/VLR, AuC, HLR, EIR, OMC, BS, VAS, PABX, PSTN and other MSCs, with the Um, Abis and A interfaces]

BS: Billing System
OMC: Operation and Maintenance Centre
PSTN: Public Switched Telephone Network

Base Station Sub-system (BSS)
MS: Mobile Station
BTS: Base Transceiver Station
BSC: Base Station Controller
SIM: Subscriber Identity Module

Network Sub-system (NSS)
MSC: Mobile Switching Centre
HLR: Home Location Register
VLR: Visitor Location Register
AuC: Authentication Centre
EIR: Equipment Identity Register

Value Added Services (VAS)
SCP: Service Control Point
SMSC: Short Message Service Centre
VMS: Voice Mail System

Network Architecture
1 MSC = 16 BSC, 1 BSC = 1024 TRU

[Figure: network architecture showing BTSs connected over the air interface and the A-bis interface to BSCs, BSCs connected over the A interface to MSC/VLR, with HLR, OSS, PSTN, ISDN and data networks]

BSC: BASE STATION CONTROLLER, BTS: BASE TRANSCEIVER STATION, OSS: OPERATION AND SUPPORT SUBSYSTEM

R.T.T.C. HYDERABAD


System Architecture Overview


Functional architecture is broadly divided into 4 parts:
Mobile Station (MS)
Base Station Subsystem (BSS)
Network Switching Subsystem (NSS)
Operation and Support Subsystem (OSS)

GSM SYSTEM ARCHITECTURE

Mobile Station (MS)
- Mobile Equipment (ME)
- Subscriber Identity Module (SIM)
Base Station Subsystem (BSS)
- Base Transceiver Station (BTS)
- Base Station Controller (BSC)
Network Switching Subsystem (NSS)
- Mobile Switching Center (MSC)
- Home Location Register (HLR)
- Visitor Location Register (VLR)
- Authentication Center (AUC)
- Equipment Identity Register (EIR)

Different Interfaces in GSM


Terrestrial Interface

The terrestrial interfaces comprise all the connections between the GSM system entities, apart from the Um or air interface.

The terrestrial interfaces transport the traffic across the system and allow the passage of the thousands of data messages that make the system function.
The standard interfaces used are:
2 Mb/s
Signaling System (C7 or SS7)
Packet Switched Data
Abis using the LAPD protocol (Link Access Procedure D)

Interface Names
Each interface specified in GSM has a name associated with it.

NAME    INTERFACE
Um      MS - BTS
Abis    BTS - BSC
Ater    BSC - TRC
A       MSC - BSC
B       MSC - VLR
C       MSC - HLR
D       VLR - HLR
E       MSC - MSC
F       MSC - EIR
G       VLR - VLR
H       HLR - AUC

Mobile Station (MS)
Mobiles are classified into five classes according to their power rating.

CLASS   POWER OUTPUT
1       20 W
2       8 W
3       5 W
4       2 W
5       0.8 W

[Figure: mobile station with SIM]

BASE STATION SYSTEM (BSS)

[Figure: BSS made up of several BSCs connected to the MSC/VLR, each BSC serving n BTS]

FUNCTIONS OF BTS (Base Transceiver Station)
Radio resources
Signal processing
Signaling link management
Synchronization
Local maintenance handling
Functional supervision and testing
Encryption and decryption

A Cell
A cell is the geographic zone covered by one radio transmitter and receiver.

[Figure: cells numbered 1 to 7, each assigned a frequency]

Cell Types

Omni-directional Cell
120 Degree Cell

[Figure: omni-directional cell (1) and 120 degree cell (3)]

CLUSTER
The cells are grouped into clusters.
The number of cells in a cluster must be determined so that the cluster can be repeated continuously within the covering area of an operator.
Typical clusters contain 4, 7, 12 or 21 cells.
The smaller the number of cells per cluster, the bigger the number of channels per cell.

[Figure: clusters of cells arranged like a honeycomb]

FUNCTIONS OF BSC
Radio resource management
Internal BSC O&M
Handling of MS connections

MSC-BSS Configurations

[Figure: MSC connected to the BSS, in which a BSC connects to several BTSs over A-bis]

Switching System (SS)


[Figure: switching system showing the MSC with VLR, HLR, AUC, EIR, other MSC, PSTN and BSS, the SS7 signalling and traffic paths, and the A, C, D, E and F interfaces]

MSC Functions
Switching and call routing
Charging
Service provisioning
Communication with HLR
Communication with VLR
Communication with other MSCs
Control of connected BSCs
Gateway to SMS between SMS centers and MS

Home Location Register(HLR)


Permanent data in HLR
Data stored is changed only by commands.
IMSI, MS-ISDN number
Category of MS (whether pay phone or not)
Roaming restriction (allowed or not)
Supplementary services like call forwarding

Temporary data in HLR
The data changes from call to call and is dynamic.
MSRN
RAND/SRES and Kc (authentication triplets)
VLR address, MSC address
Messages waiting data used for SMS

VISITOR LOCATION REGISTER (VLR)


It contains data of all mobiles roaming in its area.
One VLR may be in charge of one or more LA.
VLR is updated by HLR on entry of an MS into its area.
VLR assigns a TMSI, which keeps on changing.
IMSI & TMSI, MSISDN, MSRN, Location Area
Supplementary service parameters, Authentication Key

EQUIPMENT IDENTITY REGISTER ( EIR )


This database stores the IMEI for all registered mobile equipment; the IMEI is unique to every ME.
Only one EIR per PLMN.
White list: IMEI assigned to valid ME.
Black list: IMEI reported stolen.
Gray list: IMEI having problems like faulty software, wrong make of equipment etc.

Authentication Center (AUC)

To authenticate the subscribers attempting to use a network.
The AUC is connected to the HLR, which it provides with authentication parameters and ciphering keys used to ensure network security.

The information provided is called a TRIPLET and consists of:

1. RAND (non-predictable random number)
2. SRES (Signed response)
3. Kc (ciphering key)

GSM uses the concept of cells.
One cell covers a small part of the network.
The network has many cells.
A frequency used in one cell can be used in other cells.
This is known as frequency re-use.

RF Planning and Design: Frequency Planning

[Figure: frequency reuse cell pattern with clusters of cells using frequencies F = 1 to 10 and co-channel (re-use) cells repeating the same frequencies]

Interference
Interference in GSM systems is classified into three major categories:

Co-Channel Interference
Adjacent Channel Interference
External Interference

Co-Channel Interference

C/Ic = 9 dB (threshold)
Interference on a channel caused by another cell/mobile using the same frequency.
C/Ic is the measure of co-channel interference.
GSM specifies a C/Ic threshold of 9 dB for a service quality of 0.4% BER.
The 9 dB also includes a 2 dB implementation margin.
The 9 dB is decided considering the implementation of Synthesised Frequency Hopping (SFH).
Without SFH, the preferred threshold is 12 dB.

[Figure: carrier C and co-channel interferer Ic on the same ARFCN "N", above the noise]

Causes

Distant cells due to tight frequency re-use patterns.
Distant cells due to errors in frequency planning.
Multipath from distant cells (strong reflector, water).
C/Ic will degrade the Ec/No, so if the noise floor itself is high, then even a high value of C/Ic can deteriorate quality.

Adjacent Channel Interference

Interference caused when wanted and unwanted GSM RF channels coexist.

GSM receivers are designed for an Adjacent Channel Suppression (ACS) of minimum 18 dB at an offset of 200 kHz, 50 dB at 400 kHz and 58 dB at 600 kHz.

ACS = 18 dB and C/Ic = 9 dB.
This means that if Ia is 9 dB above C, then with 18 dB ACS it equals the C/Ic threshold.

C/Ia1 = -9 dB
C/Ia2 = -41 dB
C/Ia3 = -49 dB

[Figure: carrier C and adjacent channel interferers Ia on channels N-3 to N+3, with the 9 dB, 41 dB and 49 dB levels]

Causes
Adjacent ARFCNs in the same cell.
Adjacent ARFCNs in adjacent cells.
Distant cells due to tight frequency re-use patterns.
Distant cells due to errors in frequency planning.
Multipath from distant cells (strong reflector, water).
Improper receiver filters (low ACS).
C/Ia will degrade the Ec/No, so if the noise floor itself is high, then even a low value of C/Ia can deteriorate quality.

External Interference

Interference coming on a GSM signal from an undesired source, i.e. neither a co/adjacent channel cell nor an MS.

Sources

Malfunctioning or maladjusted transmitters
Base station malfunction, rogue mobile
Paging, broadcast, etc.
Intermodulation products
Strong signals in adjacent channels
Harmonics from other bands

GSM Specifications-1
RF spectrum (the standards now in use in INDIA)

GSM 900
Mobile to BTS (uplink): 890-915 MHz
BTS to Mobile (downlink): 935-960 MHz
Bandwidth: 2 * 25 MHz

GSM 1800
Mobile to BTS (uplink): 1710-1785 MHz
BTS to Mobile (downlink): 1805-1880 MHz
Bandwidth: 2 * 75 MHz

Air Interface Frequency Allocation

Radio channel
DOWNLINK: 935-960 MHz, 1805-1880 MHz
UPLINK: 890-915 MHz, 1710-1785 MHz

[Figure: air interface between cell site and mobile; uplink carriers at 890.0, 890.2, 890.4 ... 914.8, 915.0 MHz and downlink carriers at 935.0, 935.2, 935.4 ... 959.8, 960.0 MHz]

FREE SPACE PATH LOSS


FSPL = (4 * Pi * d * f / c)^2
As f increases, FSPL increases.

TIME SLOTS
Time Division Multiple Access (TDMA)
Each carrier frequency is subdivided in the time domain into 8 time slots.
Each mobile transmits data on a frequency, in its particular time slot.
Burst period = 0.577 ms.
8 time slots are called a TDMA frame. Period is 0.577 * 8 = 4.616 ms.

[Figure: TDMA frame of 4.616 ms with time slots 0 to 7 of 0.577 ms each]

COMPARISON
                             GSM 900                  GSM-1800 or DCS-1800
Uplink                       890 - 915 MHz            1710 - 1785 MHz
Downlink                     935 - 960 MHz            1805 - 1880 MHz
Duplex distance              45 MHz                   95 MHz
Carrier separation           200 kHz                  200 kHz
Number of channels           25 MHz / 200 kHz = 124   75 MHz / 200 kHz = 374
Channels defined in switch   1, 2, ... 123, 124       512, 513, ... 884, 885
Modulation                   GMSK                     GMSK
Access method                FDMA+TDMA+FR             FDMA+TDMA+FR
Speech coding                LPC-RPE-LTP              LPC-RPE-LTP
Transmission rate            270 kbps                 270 kbps

ARFCN

freq reuse

ACRONYMS
LPC - LINEAR PREDICTIVE CODING
RPE - REGULAR PULSE EXCITATION
LTP - LONG TERM PREDICTION
GMSK - GAUSSIAN MINIMUM SHIFT KEYING
ARFCN - ABSOLUTE RADIO FREQUENCY CHANNEL
DCS - DIGITAL CELLULAR SYSTEM
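The channel numbering in the comparison table and the co-channel and adjacent channel thresholds given earlier can be combined into a planning check. This is an added example, not part of the original slides; the function names and sample measurements are constructed, and the ARFCN-to-frequency rule (first carrier 200 kHz above the band edge) comes from the GSM channel numbering rather than from this page.

```python
# Added example: map ARFCNs to carrier frequencies and flag interferers that
# break the C/I limits quoted in the interference slides.

CARRIER_SPACING_KHZ = 200
C_OVER_IC_THRESHOLD_DB = 9        # co-channel threshold from the page
ACS_DB = {1: 18, 2: 50, 3: 58}    # suppression at 200/400/600 kHz offset

# Channel ranges and duplex distances from the COMPARISON table.
BANDS = {
    "GSM 900": {"first": 1, "last": 124, "edge_khz": 890_000,
                "numbering_offset": 0, "duplex_khz": 45_000},
    "DCS 1800": {"first": 512, "last": 885, "edge_khz": 1_710_000,
                 "numbering_offset": 511, "duplex_khz": 95_000},
}


def band_of(arfcn):
    """Return the band name an ARFCN belongs to, or raise ValueError."""
    for name, band in BANDS.items():
        if band["first"] <= arfcn <= band["last"]:
            return name
    raise ValueError(f"ARFCN {arfcn} is not in GSM 900 or DCS 1800")


def carrier_mhz(arfcn):
    """Return (uplink_mhz, downlink_mhz) for an ARFCN."""
    band = BANDS[band_of(arfcn)]
    index = arfcn - band["numbering_offset"]        # 1 for the first carrier
    uplink_khz = band["edge_khz"] + CARRIER_SPACING_KHZ * index
    return uplink_khz / 1000, (uplink_khz + band["duplex_khz"]) / 1000


def required_c_over_i(channel_offset):
    """Minimum C/I in dB for an interferer `channel_offset` carriers away.

    Offset 0 is co-channel (9 dB). For adjacent channels the receiver's ACS
    is subtracted, giving the page's -9, -41 and -49 dB. Larger offsets have
    no figure on the page, so None is returned.
    """
    if channel_offset == 0:
        return C_OVER_IC_THRESHOLD_DB
    acs = ACS_DB.get(channel_offset)
    return None if acs is None else C_OVER_IC_THRESHOLD_DB - acs


def check_interferers(serving_arfcn, carrier_dbm, interferers):
    """Return (arfcn, offset, c_over_i, required) for each violating interferer.

    `interferers` is a list of (arfcn, level_dbm) measurements.
    """
    serving_band = band_of(serving_arfcn)
    violations = []
    for arfcn, level_dbm in interferers:
        if band_of(arfcn) != serving_band:
            continue                                # other band: not co/adjacent
        offset = abs(arfcn - serving_arfcn)
        required = required_c_over_i(offset)
        if required is None:
            continue
        c_over_i = carrier_dbm - level_dbm
        if c_over_i < required:
            violations.append((arfcn, offset, c_over_i, required))
    return violations


# Constructed measurements: serving carrier on ARFCN 50 received at -80 dBm.
SAMPLE = [(50, -92), (50, -85), (51, -70), (51, -72),
          (52, -45), (53, -30), (600, -20)]

if __name__ == "__main__":
    print(carrier_mhz(50))
    for row in check_interferers(50, -80, SAMPLE):
        print(row)
```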

GSM Operation
[Figure: voice transform process. Transmit side: speech, speech coding (13 kbps), channel coding (22.8 kbps), interleaving (22.8 kbps), burst formatting (33.6 kbps), ciphering (33.6 kbps), modulation, radio interface (270.83 kbps). Receive side: demodulation, de-ciphering, burst formatting, de-interleaving, channel decoding, speech decoding, speech.]

Acronyms
SIM - SUBSCRIBER IDENTITY MODULE (USED IN GSM)
R-UIM - REMOVABLE USER IDENTITY MODULE (USED IN CDMA)

ICCID
INTEGRATED CIRCUIT CARD ID
The SIM is internationally identified by using this code.

SIM
Microprocessor, memory (ROM, RAM, EEPROM)
Fixed data stored for the subscription: IMSI, TMSI, service table
Authentication key (Ki), language preference
Security algorithms: Kc, A3, A5, A8
PIN number (Personal Identification Number) and error counter
PUK number (Personal Unlock Key) and error counter
BCCH information
Forbidden PLMN

IMSI
International Mobile Subscriber Identity
Uniquely identifies a subscriber in a GSM/PLMN.
Stored in the SIM, HLR and VLR.
IMSI = MCC + MNC + MSIN
MCC = Mobile Country Code
MNC = Mobile Network Code
MSIN = Mobile Subscriber Identification Number

PIN MANAGEMENT

The PIN number consists of 4 to 8 digits and is loaded by the service activator at subscription time. Afterwards the PIN number can be changed as many times as the user wishes, including the length of the PIN number. The user can disable the PIN function, but this can be inhibited at subscription time by an authorized person. If an incorrect PIN is entered, an indication is given to the user. After 3 consecutive incorrect entries the SIM is blocked, even if the SIM is removed or the mobile is switched off and on. If the SIM card is blocked the user cannot access the network. The unblocking of the SIM card can only be done by keying in the PUK (Personal Unlock Key). The PUK is 8 digits and is given to the user at subscription time. If an incorrect PUK is entered more than 10 times then the PUK will not work anymore and the SIM card will continue to be blocked until taken to the mobile vendor service center.

IMEI
International Mobile station Equipment Identity
Uniquely identifies a mobile station (MS).
IMEI = TAC + FAC + SNR
TAC = Type Approval Code (6 digits)
FAC = Final Assembly Code (manufacturer) (2 digits)
SNR = Serial Number (7 digits)
Total 15 digits
To display it, key *#06# on the MS.
Checked against the WHITE, GREY and BLACK lists at the EIR.

The First Database

The Subscriber Identity Module (SIM)


A small memory device mounted on a card that contains user-specific identification.
The SIM + mobile equipment = mobile station (MS), a device able to access services in a GSM network via the air interface.

[Figure: mobile equipment + subscriber identity module = mobile station, connected over the air interface to the GSM network]

TMSI
Temporary Mobile Subscriber Identity
Temporary number used instead of the IMSI to identify an MS.
Raises the subscriber's confidentiality; it is known within the serving MSC/VLR area and changed at certain events or time intervals.
Max length 4 octets (bytes).
Assigned only after successful authentication.
But the size must be 1/2 of the size of IMSI.

MSISDN
Mobile Station ISDN Number
MSISDN = CC + NDC + SN
CC = Country Code
NDC = National Destination Code
SN = Subscriber Number
Actual phone number
ISDN - International subscriber dialing number

MSRN
Mobile Station Roaming Number
MSRN = CC + NDC + SN
In order to provide a temporary number to be used for routing, the HLR requests the current MSC/VLR to allocate and return an MSRN.

USE OF MSRN

Relation between areas in GSM

[Figure: relation between areas: cell, location area, MSC service area, PLMN service area, GSM service area]

Wireless Coverage Area Structure

LAC
LOCATION AREA CODE
VLR assigns locally for one local area

Hierarchy of Areas

Cell
Location Area (locating & paging area)
MSC Service Area (area controlled by one MSC)
PLMN (one or more per country)
GSM Service Area (all member countries)

[Figure: Location Area Identity (LAI) = MCC (Mobile Country Code) + MNC (Mobile Network Code) + LAC (Location Area Code); field sizes shown: 3 digits, 3 digits, 2 octets (max)]

LAI
Location Area Identity
Used for location updating of the MS.
LAI = MCC + MNC + LAC
It is a global identity.
Max length 16 bits, so 65,535 different locations within a GSM/PLMN area.

CGI
Cell Global Identity
Cell identification within the GSM network.
CGI = MCC + MNC + LAC + CI
CI = Cell identifier (16 bits, so 65535 sectors)

BSIC
Base Station Identity Code
BSIC allows a mobile station to distinguish between different neighboring base stations.
BSIC = NCC + BCC
NCC = Network Color Code (3 bits), identifies the GSM PLMN
BCC = Base Station Color Code (3 bits), distinguishes between BTSs using the same BCCH frequencies

Physical and Logical Channel


The physical channel is the medium over which the information is carried: 200 kHz and 0.577 ms.
The logical channel consists of the information carried over the physical channels.

[Figure: consecutive TDMA frames with timeslots 0 to 7]

The information carried in one time slot is called a burst.

Two types of Logical Channel


Traffic Channel (TCH): transmits traffic information, including data and speech.

Control Channel (CCH) : Or Signaling Channel, transmits all kinds of control information.

Traffic Channel (TCH)


[Figure: TCH traffic channels split into speech (TCH/FS, TCH/HS) and data (TCH/9.6, TCH/4.8, TCH/2.4)]

TCH: Traffic Channel
TCH/FS: Full rate Speech Channel
TCH/HS: Half rate Speech Channel
TCH/9.6: Data Channel 9.6 kb/s
TCH/4.8: Data Channel 4.8 kb/s
TCH/2.4: Data Channel 2.4 kb/s

Control Channel (CCH)


[Figure: CCH (control channels) tree with BCH, CCCH, DCCH, ACCH, BCCH, FCCH, SCH (synch. channel), RACH, CBCH, PCH/AGCH, SDCCH, SACCH and FACCH]

BCCH: Broadcast Control Channel
CCCH: Common Control Channel
DCCH: Dedicated Control Channel
ACCH: Associated Control Channel

Hyperframe and Superframe Structure


1 Hyperframe = 2048 superframes = 2,715,648 TDMA frames (3 h 28 min 53 s 760 ms)
1 Superframe = 1326 TDMA frames (6.12 s) = 51 (26-frame) or 26 (51-frame) multiframes
Traffic 26-frame multiframe = 120 ms
Control 51-frame multiframe = 235.38 ms
TDMA frame = 8 timeslots (0 to 7) = 4.615 ms

GSM Frame Structure



GSM BURSTS (0.577 ms)
Normal Burst
Dummy Burst
Frequency Control Burst (F-Burst)
Sync Burst (S-Burst)
Access Burst

GSM 900/DCS 1800

Logical Channels
[Figure: logical channel tree. TCH (traffic): speech at full rate 22.8 kbps or half rate 11.4 kbps; data at 2.4, 4.8 or 9.6 kbps. CCH (control): BCH with FCCH (frequency correction) and SCH (synchronization); CCCH with PCH (paging), RACH (random access) and AGCH (access grant); dedicated with SDCCH (stand alone), SACCH (slow associated) and FACCH (fast associated)]

LOGICAL CHANNELS
TCH
CBCH
3 Broadcast Channels: 1) FCCH 2) SCH 3) BCCH
3 Common Control Channels: 1) PCH 2) RACH 3) AGCH
3 Dedicated Control Channels: 1) SDCCH 2) SACCH 3) FACCH

TCH = TRAFFIC CHANNEL

Full rate => Used for speech at 13 kbit/s or sending data at 9.6 kbit/s
Half rate => Used for speech at 6.5 kbit/s or sending data at 4.8 kbit/s
Enhanced Full rate => Used for speech at 13 kbit/s or sending data at 9.6 kbit/s but with almost land line quality

BROADCAST CHANNELS
FCCH = FREQUENCY CORRECTION CHANNEL
=> To tell the mobile that this is the BCCH carrier
=> To enable the mobile to synchronize to the frequency
(Downlink only)

SCH = SYNCHRONISATION CHANNEL
=> Used for sending the BSIC (Base Station Identity Code)
=> Gives the TDMA frame number to the mobile
(Downlink only)

BCCH = BROADCAST CONTROL CHANNEL
=> Used for sending information to the mobile like CGI (Cell Global Identity), LAI (Location Area Identity), BCCH carriers of the neighboring cells, maximum output power allowed in the cell and other broadcast messages like barred cell.
(Downlink only)

COMMON CONTROL CHANNELS


PCH = PAGING CHANNEL
=> Used for paging the mobile. The reason could be an incoming call or an incoming Short Message.
(Downlink only)

RACH = RANDOM ACCESS CHANNEL
=> Used for responding to the paging (terminating), for location updating or to make call access (originating) by asking for a signaling channel.
(Uplink only)

AGCH = ACCESS GRANT CHANNEL
=> Used to allocate an SDCCH to the mobile.
(Downlink only)

DEDICATED CONTROL CHANNELS


SDCCH = STAND ALONE DEDICATED CONTROL CHANNEL
=> Used for allocating a voice channel (TCH) to the mobile (call setup) and for location updating.
=> Sends Short Text messages to an idle mobile.
(Uplink & Downlink)

SACCH = SLOW ASSOCIATED CONTROL CHANNEL
=> Used for sending information to the mobile like CGI (Cell Global Identity), LAI (Location Area Identity), BCCH of all the neighbors and TA (Timing Advance).
=> Sends Short Text messages to a busy mobile.
(Downlink)
=> Used for sending signal strength and bit error rate measurements of the serving cell and signal strength of the BCCHs of the neighboring cells.
(Uplink)

FACCH = FAST ASSOCIATED CONTROL CHANNEL
=> Used for handover.
(Uplink & Downlink)

How to use these channels?


Power-off
Search for frequency correction burst (FCCH)
Search for synchronous burst (SCH)
Extract system information (BCCH)
Idle mode: monitor paging message (PCH)
Send access burst (RACH)
Allocate signaling channel (AGCH)
Dedicated mode: set up the call (SDCCH)
Allocate voice channel (SDCCH)
Conversation (TCH)
Release the call (FACCH)
Idle mode

CBCH = CELL BROADCAST CHANNEL


=> Used for sending short messages to all the mobiles within a geographic area. A typical example is traffic congestion on a major road or a major accident in an area. Up to 93 characters can be sent.
=> If the mobile is in idle mode then the short message will be sent through the CBCH. If the mobile is busy, it will not be sent.

NOT TO BE CONFUSED WITH SMS (SHORT MESSAGE SERVICE)

=> SMS messages are short TEXT messages up to 160 characters in length that you can send or receive. The messages are not sent straight to the other mobile but are sent to a message centre operated by the network provider.
=> If the mobile was switched off or is outside the coverage area, the message is stored in the Message Service Center. The message will be offered to the subscriber when the mobile is switched on again or has re-entered the coverage area.
=> If the mobile is in idle mode the short message will be sent through the SDCCH. If the mobile is busy the short message will be sent through the SACCH.

Call Routing
Call originating from MS
Call termination to MS

Outgoing Call

1. MS sends dialled number to BSS
2. BSS sends dialled number to MSC
3, 4. MSC checks with the VLR whether the MS is allowed the requested service. If so, MSC asks BSS to allocate resources for the call.
5. MSC routes the call to GMSC
6. GMSC routes the call to the local exchange of the called user
7, 8, 9, 10. Answer back (ring back) tone is routed from the called user to the MS via GMSC, MSC, BSS

Incoming Call

1. Calling a GSM subscriber
2. Forwarding call to GMSC
3. Signal setup to HLR
4, 5. Request MSRN from VLR
6. Forward responsible MSC to GMSC
7. Forward call to current MSC
8, 9. Get current status of MS
10, 11. Paging of MS
12, 13. MS answers
14, 15. Security checks
16, 17. Set up connection

Handover Types
Intra-Cell Handover

[Figure: BSC and BTS; call is handed from timeslot 3 to timeslot 5]

Handover takes place in the same cell from one timeslot to another timeslot of the same carrier or of a different carrier (but in the same cell). Intra-cell handover is triggered only if the cause is interference. Intra-cell handover can be enabled or disabled in a cell.

Intra-BSC Handover

[Figure: BSC1 and BTS1 with timeslots 0 to 7; call is handed from timeslot 3 of cell1 to timeslot 1 of cell2. Both the cells are controlled by the same BSC.]

Handover takes place between different cells which are controlled by the same BSC.

Inter-BSC Handover

[Figure: MSC, BSC1 with BTS1, BSC2 with BTS2; call is handed from timeslot of cell1 to timeslot 1 of cell2. The cells are controlled by different BSCs.]

Handover takes place between different cells which are controlled by different BSCs.

Inter-MSC Handover

[Figure: MSC1 with BSS1 and BTS1, MSC2 with BSS2 and BTS2; call is handed from timeslot 3 of cell1 to timeslot 1 of cell2. The cells are controlled by different BSCs, each BSC being controlled by a different MSC.]

Handover takes place between different cells which are controlled by different BSCs, each BSC being controlled by a different MSC.

Handovers

Between 1 and 2: Inter BTS / Intra BSC
Between 1 and 3: Inter BSC / Intra MSC
Between 1 and 4: Inter MSC

[Figure sequence: Handover (1) to Handover (7). Each frame shows HLR, PSTN, MSC/VLR 1, MSC/VLR 2, BSC1 to BSC3 and BTS1 to BTS4 with mobiles A and B; the frames are labelled "Measurement Report" and "I am OK".]

Security in GSM
On the air interface, GSM uses encryption and the TMSI instead of the IMSI.
The SIM is provided with a 4-8 digit PIN to validate the ownership of the SIM.
3 algorithms are specified:
- A3 algorithm for authentication
- A5 algorithm for encryption
- A8 algorithm for key generation

Technical Terms Used w.r.t. MM(Mobility Management)

A3-Authentication Algorithm
Authentication is used to check the validity (or authorization) of a mobile subscriber to access the PLMN and protects the latter against unauthorized use.
At the time of service provisioning the following are programmed into the SIM by the GSM operator:
- IMSI
- Ki (Individual Subscriber Authentication Key)
- A3 (Authentication Algorithm)
- A8 (Cipher Key Algorithm)
- A5 (Encryption Algorithm)
The IMSI and Ki are specific to each MS.
A3 and A8 can be different for different network operators.
A5 is unique.

A3-Authentication Algorithm
The AC generates the Kis associated with IMSIs and provides for each IMSI a set of triplets consisting of:
- RAND (Random Number)
- SRES (Signed Response)
- Kc (Ciphering Key)

[Figure: at the MS and at the network, A3 takes Ki and RAND (128 bits) and produces SRES; the two SRES values are checked for equality]

A5-Ciphering Algorithm
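Ciphering is used to encrypt data on the radio interface.
Kc (64 bits): Kc generation is done at the time of authentication.

[Figure: A8 takes RAND and Ki and produces Kc; A5 takes Kc and the frame number and produces the ciphering stream, which is XORed with the information bits (114 bits) to give the ciphered bits]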

Authentication in GSM

Key generation and Encryption

GSM Generic Authentication Process

[Figure: RAND is sent over the radio path; both sides run A3 on Ki and RAND for the given IMSI; the response SRES is compared with the network's SRES, giving yes/no]

GSM Encryption Process

[Figure: plain text and KEY enter the encryption process, producing cipher-text]

AUTHENTICATION & ENCRYPTION

[Figure: AUC database holding IMSI1/Ki1, IMSI2/Ki2, IMSI3/Ki3; a generated random number RAND and Ki feed the algorithm for ciphering A8, giving Kc (64 bits), and the algorithm for authentication A3, giving SRES (32 bits); Kc, SRES and RAND go to the HLR]
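The triplet exchange and burst ciphering described in the slides above, as an added example that is not part of the original material. HMAC-SHA-256 and SHA-256 stand in for the operator-specific A3/A8 and for A5 (assumptions, not the real GSM algorithms), and the class names, function names and test IMSI are constructed.

```python
import hashlib
import hmac
import secrets

HYPERFRAME = 2_715_648  # TDMA frames per hyperframe (figure from the page)


def a3_a8(ki, rand):
    """Stand-in for A3/A8 (assumption: HMAC-SHA-256, not a GSM algorithm).

    Takes Ki and the 128-bit RAND, returns SRES (32 bits) and Kc (64 bits).
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def a5_stream(kc, frame_no):
    """Stand-in for A5: a 114-bit ciphering stream from Kc and frame number."""
    if not 0 <= frame_no < HYPERFRAME:
        raise ValueError("frame number outside the hyperframe")
    block = hashlib.sha256(kc + frame_no.to_bytes(3, "big")).digest()
    return int.from_bytes(block, "big") >> (256 - 114)


def cipher_burst(kc, frame_no, bits):
    """XOR 114 information bits with the stream; the same call deciphers."""
    if bits < 0 or bits >> 114:
        raise ValueError("a burst carries 114 information bits")
    return bits ^ a5_stream(kc, frame_no)


class AuC:
    """Holds Ki per IMSI and hands out triplets; Ki never leaves it."""

    def __init__(self):
        self._ki = {}

    def provision(self, imsi):
        self._ki[imsi] = secrets.token_bytes(16)
        return self._ki[imsi]           # written to the SIM at provisioning

    def triplet(self, imsi):
        rand = secrets.token_bytes(16)  # non-predictable 128-bit RAND
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc


class Sim:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand):
        return a3_a8(self._ki, rand)    # (SRES sent back, Kc kept for A5)


class Vlr:
    """Network side: sees only triplets, compares SRES, releases Kc."""

    def __init__(self, auc):
        self._auc, self._pending = auc, {}

    def challenge(self, imsi):
        rand, sres, kc = self._auc.triplet(imsi)
        self._pending[imsi] = (sres, kc)
        return rand

    def verify(self, imsi, sres):
        expected = self._pending.pop(imsi, None)    # a triplet is used once
        if expected is None or not hmac.compare_digest(expected[0], sres):
            return None
        return expected[1]


def demo():
    auc = AuC()
    imsi = "001010000000001"                        # constructed test IMSI
    sim = Sim(imsi, auc.provision(imsi))
    clone = Sim(imsi, secrets.token_bytes(16))      # right IMSI, wrong Ki
    vlr = Vlr(auc)

    rand = vlr.challenge(imsi)
    sres, kc_ms = sim.respond(rand)
    kc_net = vlr.verify(imsi, sres)

    vlr.challenge(imsi)                             # fresh RAND issued
    replayed = vlr.verify(imsi, sres)               # old SRES sent again

    forged = vlr.verify(imsi, clone.respond(vlr.challenge(imsi))[0])

    burst = int.from_bytes(b"constructed!!", "big")  # 104 bits of sample data
    c1 = cipher_burst(kc_ms, 1000, burst)
    c2 = cipher_burst(kc_ms, 1001, burst)
    return {
        "genuine_accepted": kc_net is not None and kc_net == kc_ms,
        "replay_rejected": replayed is None,
        "wrong_ki_rejected": forged is None,
        "network_deciphers": cipher_burst(kc_net, 1000, c1) == burst,
        "stream_changes_per_frame": c1 != c2,
    }


if __name__ == "__main__":
    print(demo())
```

Only RAND and SRES cross the radio path; Ki stays in the SIM and the AuC, and Kc is derived independently on both sides.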

Transmission: data transmission function, providing methods of carrying subscriber data and transmitting signaling between different entities in the various segments along the communication path.

RR: radio resources management. Setting up and releasing stable connections between mobile stations and the MSC at the call setup stage, which is mainly performed by the MS and BSC. Examples: channel assignment, handover, system information, measurement report.

MM: mobility and safety management. Mobile station processing of a changing environment, choosing between cells possibly belonging to different networks, so that the calling subscriber is able to set up a valid process; infrastructure is required to manage subscriber location data (location updating) and authentication.

CM: communication management, i.e., under subscriber requests, setting up connections between subscribers, maintaining and releasing calls (which can be divided into CC - call control, SSM - supplementary service management, and SMS - short message service).

OAM: Operation, Administration and Maintenance platform, providing operation methods for operators. The service is supplied by the transmission layer directly.

1 TDMA frame: 200 kHz carrier, 4.615 ms, 8 timeslots (TS 0 to TS 7) of 0.577 ms each.

Logical channels per timeslot:
TS 0: FCCH, SCH, BCCH, PCH, RACH, AGCH
TS 1: SDCCH, SACCH, CBCH
TS 2 to TS 7: TCH, SACCH, FACCH

[Figure: downlink (BTS transmit) and uplink (mobile transmit) frame sequences on one 200 kHz carrier, showing the channel carried in each timeslot of successive 4.615 ms frames. Legend: F = FCCH, S = SCH, B = BCCH, C = PCH or AGCH, D = SDCCH, A = SACCH, T = TCH, R = RACH]

TCH UP-DOWNLINK OFFSET

[Figure: uplink and downlink frames with timeslots 0 to 7, offset from each other by 3 timeslots: 3 * 0.577 ms = 1.73 ms]

This means that the mobile does not transmit and receive at the same time.
Also note that:
in TS 0: all the logical channels repeat after 51 frames
in TS 1: all the logical channels repeat after 102 frames
in TS 2 to 7: all the logical channels repeat after 26 frames

MOBILE STATION ISDN NUMBER (MSISDN)
=> Is the mobile number used in a GSM PLMN (Public Land Mobile Network).
MSISDN = Country Code + National Destination Code + Subscriber number
e.g. 63 + 0918 + 8889999
Maximum length is 15 digits.

INTERNATIONAL MOBILE SUBSCRIBER IDENTITY (IMSI)
=> Is the subscriber number used over the radio path for all signaling in the GSM PLMN. This number is stored in the SIM (Subscriber Identity Module), HLR (Home Location Register) and VLR (Visitor Location Register).
IMSI = MCC + MNC + MSIN
= Mobile Country Code [3 digit] + Mobile Network Code [2 digit] + Mobile Identification Number [11 digit]
e.g. 502 + 19 + 2345451

TEMPORARY MOBILE SUBSCRIBER IDENTITY (TMSI)
=> Is used for the subscriber's confidentiality. Since the TMSI has only local significance (within the MSC/VLR) the structure of the TMSI can be chosen by the vendor. But the size must be 1/2 of the size of IMSI. Each time a mobile requests location updating or call setup, the MSC/VLR allocates to the IMSI a new TMSI, so the TMSI is used on the signaling path, protecting the IMSI identity. Plus, since the TMSI is half the size of the IMSI, we can page twice the amount compared to IMSI.

LOCATION AREA IDENTITY (LAI)
=> Is used to uniquely identify each location area in the GSM PLMN. When the system receives an incoming call it knows in which location area it should page the mobile and does not page the entire network.
LAI = MCC + MNC + LAC
= Mobile Country Code [3 digit] + Mobile Network Code [2 digit] + Location Area Code [1 to 65 536]
e.g. 502 + 20 + 60001

CELL GLOBAL IDENTITY (CGI)
=> Is used for cell identification within the GSM network.
CGI = MCC + MNC + LAC + CI
= Mobile Country Code [3 digit] + Mobile Network Code [2 digit] + Location Area Code [1 to 65 536] + Cell Identity [1 to 65 536]
e.g. 502 + 20 + 60001 + 50001

BASE STATION IDENTITY CODE (BSIC)
=> Is used to distinguish a co-channel frequency used in a neighboring cell.
BSIC = NCC + BCC
= Network Color Code [1 to 7] + Base Station Color Code [1 to 7]

SUBSCRIBER IDENTITY MODULE (SIM)


The SIM is used to provide storage of subscriber-related information as follows:
IMSI, temporary network data like TMSI, LAI, location update status.
Subscriber Authentication Key (Ki) and Ciphering Key (Kc), which are used for security purposes.
BCCH information: list of carrier frequencies to be used for cell selection.
Forbidden PLMN.
Language preference.
PIN number (Personal Identification Number) and PIN error counter.
PUK number (Personal Unlock Key) and PUK error counter.

PIN management
The PIN number consists of 4 to 8 digits and is loaded by the service activator at subscription time. Afterwards the PIN number can be changed as many times as the user wishes, including the length of the PIN number. The user can disable the PIN function, but this can be inhibited at subscription time by an authorized person. If an incorrect PIN is entered, an indication is given to the user. After 3 consecutive incorrect entries the SIM is blocked, even if the SIM is removed or the mobile is switched off and on. If the SIM card is blocked the user cannot access the network. The unblocking of the SIM card can only be done by keying in the PUK (Personal Unlock Key). The PUK is 8 digits and is given to the user at subscription time. If an incorrect PUK is entered more than 10 times then the PUK will not work anymore and the SIM card will continue to be blocked until taken to the mobile vendor service center.

Two physical types of SIM are specified:
ID-1 SIM: looks like a credit card.
Plug-in SIM: looks like a small chip and is installed semi-permanently in the mobile equipment.
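The PIN and PUK error counters described here and in the earlier PIN MANAGEMENT slide, modelled as a small state machine. This is an added example, not part of the original slides; the class and method names are hypothetical, and it assumes the tenth consecutive wrong PUK is the last attempt allowed.

```python
import hmac
import re

PIN_TRIES = 3    # page: blocked after 3 consecutive incorrect PIN entries
PUK_TRIES = 10   # assumption: the 10th consecutive wrong PUK is the last one

PIN_FORMAT = re.compile(r"[0-9]{4,8}")
PUK_FORMAT = re.compile(r"[0-9]{8}")


def _same(entered, stored):
    """Constant-time comparison so timing does not leak matching digits."""
    return hmac.compare_digest(entered.encode(), stored.encode())


class SimCard:
    def __init__(self, pin, puk, allow_pin_disable=True):
        if not PIN_FORMAT.fullmatch(pin):
            raise ValueError("PIN must be 4 to 8 digits")
        if not PUK_FORMAT.fullmatch(puk):
            raise ValueError("PUK must be 8 digits")
        self._pin, self._puk = pin, puk
        self.allow_pin_disable = allow_pin_disable  # set at subscription time
        self.pin_enabled = True
        self.pin_left = PIN_TRIES     # error counters live on the card,
        self.puk_left = PUK_TRIES     # so they survive power-off and removal
        self._verified = False        # volatile: lost at power-off

    @property
    def state(self):
        if self.puk_left == 0:
            return "PERMANENTLY_BLOCKED"   # needs the service center
        if self.pin_left == 0:
            return "PIN_BLOCKED"           # only the PUK helps now
        if self.pin_enabled and not self._verified:
            return "PIN_REQUIRED"
        return "READY"

    def power_cycle(self):
        """Switching off and on clears the session, never the counters."""
        self._verified = False

    def verify_pin(self, pin):
        if self.state in ("PIN_BLOCKED", "PERMANENTLY_BLOCKED"):
            return False
        if _same(pin, self._pin):
            self.pin_left = PIN_TRIES      # only a correct PIN resets it
            self._verified = True
            return True
        self.pin_left -= 1
        self._verified = False
        return False

    def unblock(self, puk, new_pin):
        if self.state != "PIN_BLOCKED" or not PIN_FORMAT.fullmatch(new_pin):
            return False
        if _same(puk, self._puk):
            self._pin = new_pin
            self.pin_left, self.puk_left = PIN_TRIES, PUK_TRIES
            self._verified = True
            return True
        self.puk_left -= 1
        return False

    def change_pin(self, old_pin, new_pin):
        """The new PIN may have a different length, as the page notes."""
        if not PIN_FORMAT.fullmatch(new_pin) or not self.verify_pin(old_pin):
            return False
        self._pin = new_pin
        return True

    def disable_pin(self, pin):
        if not self.allow_pin_disable or not self.verify_pin(pin):
            return False
        self.pin_enabled = False
        return True


def lockout_demo():
    """Three wrong PINs across a power cycle, then recovery with the PUK."""
    card = SimCard("1234", "12345678")     # constructed sample values
    states = [card.state]
    for guess in ("0000", "1111"):
        card.verify_pin(guess)
    card.power_cycle()                     # does not give the guesses back
    card.verify_pin("2222")
    states.append(card.state)
    card.unblock("12345678", "87654")
    states.append(card.state)
    return states


if __name__ == "__main__":
    print(lockout_demo())
```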

When the mobile is in idle mode it must always be camped on a BCCH carrier. Why ???
There are 3 reasons:
1) For the PLMN to know in which location area the mobile is, so that it can page the mobile when an incoming call or Short Text Message is received.
2) The mobile can initiate a call by accessing the network on the Random Access Channel (RACH) of the cell on which it is camped.
3) To receive system information from the PLMN, like traffic congestion and major accidents.

AN IDLE MOBILE DOES 4 TASKS:
- PLMN SELECTION
- CELL SELECTION
- CELL RESELECTION
- LOCATION UPDATING

PLMN SELECTION
When the mobile is switched on it will select the registered PLMN in the mobile if one exists. If there is no registered PLMN, or the registered PLMN is not available (no coverage), then the mobile will try to select another PLMN either automatically or manually, depending on its mode.

AUTOMATIC MODE
The automatic mode uses a list of PLMNs in order of priority. The priority will be:
1) The last network on which you were registered.
2) Home PLMN.
3) Each PLMN stored in the SIM card, in priority order.
4) Other PLMNs with signal level above -85 dBm, in random order.
5) All other PLMNs, in decreasing signal strength.

MANUAL MODE
In the manual mode the mobile will try to connect to the Home PLMN first. If it is unsuccessful then it will provide a list of available PLMNs and ask the user to choose one. If the second chosen PLMN is not successful then the mobile will indicate to the user to select another PLMN. Until the user selects another network, the message "No access" will be displayed. If there is no GSM or DCS coverage at all then the message "No Network" will be displayed.

CELL SELECTION
Once the mobile is switched on and the registered home PLMN has been selected (e.g. SMART), it will next search for a BCCH frequency list stored in its memory or in its SIM card. The list can have up to 32 BCCH frequencies for the mobile to scan. This reduces the time of cell selection compared to scanning the whole frequency band. If this feature is turned off at the switch then the mobile has to scan the entire frequency band for the strongest BCCH carrier.

The BCCH frequency list is called the BA (BCCH Allocation) list and there are 2 types, Active and Idle. Idle is a list of BCCH used for scanning when the mobile is in idle mode and Active is a list of BCCH used during mobile busy mode.

Why 2 lists ???
When the mobile is in idle mode it may want to scan a longer list of BCCH and tune to the strongest, whereas in active mode the list of BCCH should be shorter (corresponding to the defined neighbors) so that the mobile scans the short list and gets more accurate signal strength measurements to achieve better handover performance. It also reduces the time spent by the mobile decoding the BSIC.
Recommendation : ACTIVE MODE LIST SHOULD NOT BE MORE THAN 15 BCCH FREQUENCIES.

If there is no BA list stored in the mobile or SIM card then the mobile will scan all the 124 GSM channels and 374 DCS channels and arrange the frequencies in DESCENDING order of signal strength. It will take the mobile 3 to 5 seconds to scan the whole band, after which it will tune to the strongest frequency. The mobile will check whether this is a BCCH carrier by looking for the frequency correction burst sent on the FCCH (Frequency Correction Channel). If it is a BCCH carrier then the mobile tunes to this carrier to read the SCH (Synchronization Channel) for the BSIC parameter.
Next it will read the BCCH for system information like CGI (Cell Global Identity), LAI (Location Area Identity), BCCH carriers of the neighboring cells (BA list), maximum output power allowed in the cell and other broadcast messages like barred cell.

Next the mobile will check whether the selected cell belongs to a forbidden PLMN stored in its SIM card. It will look at the 2 digit Mobile Network Code transmitted by the BCCH in the LAI (Location Area Identity). If those 2 digits were registered as forbidden in the SIM card then the mobile will not select this cell. The mobile will then tune to the second strongest BCCH carrier and repeat the same process until it finds the right cell. Once it finds the right cell it will start using the BA (BCCH allocation) list transmitted by the BCCH carrier for cell reselection, which will be discussed later.

Let's say the chosen PLMN is correct, the mobile is able to read the FCCH, SCH and BCCH, and the chosen cell is accessible (no cell barring). DOES THIS MEAN THAT THE MOBILE NOW CAN CAMP ON THIS SITE ???

NO !!!!!!!!!!!

THERE IS ONE LAST CRITERION, CALLED THE C1 CELL SELECTION CRITERION, WHICH MUST BE CALCULATED BY THE MOBILE. IF THE C1 VALUE IS GREATER THAN 0 THEN THE MOBILE CAN CAMP ON THIS CELL, OR ELSE THE NEXT CELL WITH C1 > 0 WILL BE SELECTED.

C1-CELL SELECTION CRITERION


C1 = A - Max (B, 0), and C1 > 0 for the mobile to camp on this BTS
where:
A = RxLev - RxLevAccMin
B = MsTxPwrMaxCCH - P

RxLev = Signal strength received by the mobile
RxLevAccMin = Minimum signal level to be received by the mobile from the BTS (BCCH) before it can access the BTS
MsTxPwrMaxCCH = Maximum transmit power allowed to access the BTS (using RACH)
P = Mobile class power

C1 = (RxLev - RxLevAccMin) - Max (MsTxPwrMaxCCH - P, 0)
Ex : C1 = ( -80 - (-100) ) - Max (33 - 33, 0)
        = -80 + 100 - Max (0, 0)
        = 20
=> C1 > 0, so the mobile will camp on this site

ShortCut : If RxLevel > RxLevAccMin then Mobile can camp on this site

ACCMIN (Ericsson) / RxLevAccessMin (Nokia) / SSACC (TACS) (Uplink)
Minimum signal level that must be received by the mobile from the BTS (BCCH) before it can access the BTS
= -102 (GSM900)
= -100 (DCS1800)

General rule : The signal received by the mobile should be 2 dB higher than the mobile sensitivity

What is the accurate way of setting the RxLevAccessMin parameter ?


RxLevAccessMin = Mobile Sensitivity + Body loss + Multipath loss + Interference Margin

Mobile Sensitivity = -104 for GSM900 and -102 for DCS1800
Body loss = 3 dB recommended by ETSI and 5 dB recommended by Ericsson for GSM 900
          = 3 dB recommended by ETSI and 3 dB recommended by Ericsson for DCS 1800
Multipath loss = Signal loss from the base station due to reflection by buildings, etc. before reaching the mobile. Normally the multipath loss is around 3 dB but it can be overcome by antenna diversity, which has a gain of around 3 dB too. (Space diversity = 3 dB, 90 degrees polarized diversity = 3 dB, 45 degrees slant polarized diversity = 4.5 dB)
Interference Margin = Margin allocated to overcome C/I and C/N; the recommended value is 2 dB

RxLevAccessMin = Mobile Sensitivity + Body loss + Multipath loss + Interference Margin
RxLevAccessMin = -104 + 3 + 0 + 2 (for GSM 900 with ETSI standard) = -99 dBm
RxLevAccessMin = -104 + 5 + 0 + 2 (for GSM 900 with Ericsson standard) = -97 dBm
RxLevAccessMin = -104 + 3 + 0 + 2 (for DCS 1800) = -99 dBm

Mobile power classes

Class     TACS                 GSM 900              DCS 1800
Class 1   10 Watt (40dBm)      20 Watt (43dBm)      1 Watt (30dBm)
Class 2   4 Watt (36dBm)       8 Watt (39dBm)       0.25 Watt (24dBm)
Class 3   1 Watt (30dBm)       5 Watt (37dBm)       4 Watt (36dBm)
Class 4   0.6 Watt (28dBm)     2 Watt (33dBm)       *
Class 5   *                    0.8 Watt (29dBm)     *

            Mobile Sensitivity    BTS Sensitivity
TACS        -113 dBm              -116 dBm
GSM 900     -104 dBm              -107 dBm
DCS 1800    -102 dBm              -106 dBm

CCHPWR (Ericsson) / MsTxPwrMaxCCH (Nokia) / PLC (TACS)
Maximum transmit power allowed to access the BTS (using RACH) - Mobile is Idle
= 33 dBm (GSM900)
= 30 dBm (DCS1800)
= 0 (28 dBm) (TACS)

MsTxPwr (Ericsson) / MsTxPwrMax (Nokia) / PLVM (TACS)
Maximum transmit power allowed to use in a BTS during busy status (using TCH) - Mobile is Busy
= 33 dBm (GSM900)
= 30 dBm (DCS1800)
= 0 (28 dBm) (TACS)

MsTxPwrMin (Nokia)
Minimum transmit power allowed to use in a BTS during busy status (using TCH) - Mobile is Busy
= 13 dBm (GSM900)
= 13 dBm (DCS1800)

1) Switch on the mobile. For 2 to 3 seconds the mobile will scan all the 124 channels in GSM900 and 374 channels in DCS1800. The mobile will compare the signal strength of the channels and tune to the strongest.
2) The mobile will check: is it a BCCH carrier?
   No: tune to the second strongest channel and check again.
   Yes: the mobile will synchronize to this carrier and read the BCCH info like LAI, CGI.
3) Does the BCCH belong to the wanted PLMN, e.g. Smart, Globe, Islacom?
   No: tune to the second strongest channel and check again.
   Yes: continue.
4) Is the cell barred from accessing?
   Yes: tune to the second strongest channel and check again.
   No: continue.
5) Is C1 > 0?
   No: tune to the second strongest channel and check again.
   Yes: camp on this site !!!
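The cell selection flow and the C1 criterion above, as an added Python sketch (not part of the original slides). The Carrier fields, function names and scan values are hypothetical and constructed; the chosen cell reproduces the slides' C1 = 20 example, and ARFCN 47 shows a case where RxLev exceeds RxLevAccMin but C1 is still not above 0 because MsTxPwrMaxCCH is higher than the mobile class power.

```python
from dataclasses import dataclass


@dataclass
class Carrier:                       # one scanned frequency (hypothetical model)
    arfcn: int
    rxlev: float                     # dBm measured by the mobile
    is_bcch: bool = True             # FCCH burst found on this carrier
    mnc: str = "20"                  # Mobile Network Code read from the LAI
    barred: bool = False
    rxlev_acc_min: float = -100      # dBm, broadcast on the BCCH
    ms_txpwr_max_cch: float = 33     # dBm, broadcast on the BCCH


def c1(rxlev, rxlev_acc_min, ms_txpwr_max_cch, p):
    """C1 = (RxLev - RxLevAccMin) - Max(MsTxPwrMaxCCH - P, 0)."""
    return (rxlev - rxlev_acc_min) - max(ms_txpwr_max_cch - p, 0)


def select_cell(carriers, wanted_mnc, forbidden_mncs, p):
    """Walk carriers from strongest to weakest; return (cell, decision log)."""
    log = []
    for c in sorted(carriers, key=lambda c: c.rxlev, reverse=True):
        if not c.is_bcch:
            log.append((c.arfcn, "not a BCCH carrier"))
        elif c.mnc in forbidden_mncs or c.mnc != wanted_mnc:
            log.append((c.arfcn, "wrong or forbidden PLMN"))
        elif c.barred:
            log.append((c.arfcn, "cell barred"))
        else:
            value = c1(c.rxlev, c.rxlev_acc_min, c.ms_txpwr_max_cch, p)
            if value > 0:
                log.append((c.arfcn, f"camp, C1={value:g}"))
                return c, log
            log.append((c.arfcn, f"C1={value:g} not > 0"))
    return None, log                 # nothing suitable: no service


# Constructed scan results for a class 4 GSM 900 mobile (P = 33 dBm).
SCAN = [
    Carrier(10, -60, is_bcch=False),                            # traffic carrier
    Carrier(22, -70, mnc="99"),                                 # forbidden PLMN
    Carrier(35, -75, barred=True),
    Carrier(47, -78, rxlev_acc_min=-80, ms_txpwr_max_cch=39),   # C1 = 2 - 6
    Carrier(58, -80),                                           # C1 = 20 - 0
]

if __name__ == "__main__":
    cell, log = select_cell(SCAN, "20", {"99"}, p=33)
    for arfcn, decision in log:
        print(arfcn, decision)
```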

CELL RESELECTION
1) Perform Cell reselection measurement first
After the cell has been successfully selected, the mobile will start reselection tasks. It will continuously make measurements on its neighboring cells (as indicated by the BA list) to initiate cell reselection if necessary. At least 5 measurement samples per neighboring cell are needed. A running average of the received signal level will be maintained for each carrier in the BA list.
All system information messages sent on the current BCCH of the serving cell must be read by the mobile every 30 seconds to monitor changes in cell parameters (ex: MsTxPwrMax). The mobile also has to read the 6 strongest BCCH every 5 minutes to receive their cell parameters (ex: MsTxPwrMax). The 6 strongest can be seen from the BA list, which has the updated measurements of the 32 BCCH carriers. The neighboring list for the best 6 neighbors is updated every 60 seconds, which means the mobile has 10 seconds to measure each neighbor. The mobile also has to read the BSIC of the 6 strongest BCCH every 30 seconds to confirm that it is still monitoring the same cells. If a new BSIC is detected, then the BCCH of this BSIC will be read to receive the cell parameters.

                 BCCH               BSIC
Serving cell     Every 30 secs
Six neighbors    Every 5 minutes    Every 30 secs

2) Cell reselection Criteria :
The mobile will reselect and camp on another cell if any of the following criteria is satisfied:
a) The serving cell is barred.
b) The C1 value in the current cell is below 0 for 5 seconds, which indicates that the path loss is high and the mobile needs to change cell.
c) The mobile has unsuccessfully tried to access the network as defined by the MAXRET (Ericsson) parameter or MaxNumberRetransmissions (Nokia). MAXRET is the maximum number of retransmissions a mobile can make when it is accessing the system. It is defined per cell.

Assuming that one of the criteria above was satisfied, the mobile will select a cell with a better C1. However, if the cell belongs to a different location area then the C1 for that cell has to exceed a reselection hysteresis parameter called CRH (Ericsson) or CellReselectHysteresis (Nokia) for the reselection to happen !!
If the mobile is moving in a border area between location areas, it might repeatedly change between location areas. Each change requires location updating, which causes heavy signaling load and risks paging messages being lost. To prevent this, a cell reselect hysteresis parameter CRH is used. The cell in a different location area will only be selected if the C1 of that cell is higher than the C1 of the current serving cell by the value of the reselect hysteresis.

Since the value of CRH may be different for each cell, the CRH used for comparison will be the one broadcast by the serving cell. If the value is set very low then the mobile will ping-pong between location areas, which will increase signaling load. If the value is set very high the mobile may camp in the wrong cell too long.

Recommendation : Set the value to 6

[Figure: serving cell in LA 1 with C1 = 1 and CRH = 4; target cell in LA 2 with C1 = 6]
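The CRH comparison and the ping-pong effect described above, as an added Python sketch (not part of the original slides). Function names and the border measurements are hypothetical and constructed; the sketch isolates the C1 comparison only and assumes both cells broadcast the same CRH.

```python
def beats_serving(serving_c1, target_c1, same_la, crh):
    """Inside one location area the target wins on C1 alone; across a
    location area border it must exceed the serving C1 by CRH, using the
    CRH value broadcast by the serving cell."""
    margin = 0 if same_la else crh
    return target_c1 > serving_c1 + margin


def count_location_updates(samples, crh):
    """samples holds one (C1 of the LA 1 cell, C1 of the LA 2 cell) pair per
    measurement round for a mobile on the border, starting camped in LA 1.
    Every cross-LA reselection costs one location update."""
    serving, updates = 0, 0
    for c1_pair in samples:
        target = 1 - serving
        if beats_serving(c1_pair[serving], c1_pair[target], False, crh):
            serving, updates = target, updates + 1
    return updates


# Constructed C1 readings that hover around equality at an LA border.
BORDER_WALK = [(5, 6), (6, 5), (4, 6), (7, 5), (5, 7), (6, 4)]

if __name__ == "__main__":
    # Values from the figure: serving C1 = 1, CRH = 4, target C1 = 6.
    print("figure case reselects:", beats_serving(1, 6, False, 4))
    for crh in (0, 6):
        print("CRH", crh, "->", count_location_updates(BORDER_WALK, crh),
              "location updates")
```

With the figure's values the target wins because 6 > 1 + 4; with the recommended CRH of 6 the same target would not be selected.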

BASIC COMPARISON
MOBILE IDLE
When the mobile is idle, it listens for the best cell to camp on. The mobile chooses the cell by itself without the help of the BSC. This is done by comparing the signal strength of each BCCH frequency; once it has found the strongest it will camp on it, provided C1 > 0 (Cell Selection Criterion). If, after camping on this cell, it finds that a neighboring cell is much better then it will change to that neighboring cell. If the new cell is in the same location area the mobile does not have to inform the BSC about its new cell, but if the new cell is from a different location area then the mobile will perform a location update to inform the BSC.

MOBILE BUSY
A mobile is considered busy when there is a call going on (speech, data or fax) or it is in the middle of a call setup. At this stage the mobile cannot decide by itself whether it is necessary for the mobile to handover to a better cell. Only BSC can determine if a mobile has to change to another cell other than the serving cell. BSC makes the decision based on measurement reports sent by both Mobile and BTS. This decision making is called locating. In a busy state, mobiles can receive Short Text Message (SMS) but cannot receive Cell Broadcast Messages.
