Global System for Mobile Communication (GSM)

Li-Hsing Yen National University of Kaohsiung

GSM System Architecture

Um MSC MS (ME/SIM) MSC E PSTN, ISDN, PSPDN, CSPDN

A-bis A C A-bis BSC BTS Um EIR B F

HLR

BSS

VLR G

MS (ME/SIM)

AuC

VLR

NSS

Nomenclature
MS (Mobile Station) = MT (Mobile Terminal ) + TE (Terminal Equipment) BSS (Base Station Subsystem) = BTS (Base Transceiver Station) + BSC (Base Station Controller) NSS (Network Switching Subsystem) MSC (Mobile Switching Center): telephony switching function and authentication of user

HLR and VLR

HLR (Home Location Register)
a database to store and management permanent data of subscribers

VLR (Visitor Location Register)

a database to store temporary information about subscribers needed by MSC in order to service visiting subscribers

AuC and EIR

Authentication Center (AuC)
used in the security data management for the authentication of subscribers.

Equipment Identity Register (EIR)

used to maintain a list of legitimate, fraudulent, or faulty MSs. optional in GSM network, and is not used generally.

GSM Interfaces
Um
Radio interface between MS and BTS each physical channel supports a number of logical channels

Abis
between BTS and BSC (vender specific) primary functions: traffic channel transmission, terrestrial channel management, and radio channel management

Frequency Division Duplex

n: Absolute Radio Frequency Channel Number (ARFCN). 1 n 124

Uplink
Ful(n)=890+ 0.2*n MHz

890.0 MHz 890.2 MHz 890.4 MHz

Guard band 200kHz

914.8 MHz

Downlink
Fdl(n)=Ful(n)+45 MHz

935.0 MHz 935.2 MHz 935.4 MHz

959.8 MHz . . . 7 0 1 2 3 4 5 6 7 0

Time Division Duplex

MS and BTS do not transmit simultaneously (MS transmits 3 time slots after the BTS)
Downlink 5 6 7 0 1 2 3 4 5 6 7 0 1 2

.... ....

0 57 7

Guard band

. ms

burst (contents of time slot)

time slot

Uplink

2 3 4 5 6 7 0 1 2 3 4 5 6 7

Timing advance: MS transmits its data a little earlier as demanded by the three time slots delay rule .

Timing Advance
Propagation delay

Base station

send

recv

Mobile station

recv

send send Original timing

Timing advance ~ Propagation delay * 2

GSM Frame Structure

1 hyperframe = 2048 superframes (~3.5hr) For speech
1 superframe = 51 multiframes = 6.12s 1 multiframe = 26 frames = 120ms

For Signaling
1 superframe = 26 multiframes 1 multiframe = 51 frames

1 frame = 8 time slots = 4.615 ms 1 time slot = 156.25 bit duration = 0.577ms

GSM Frame Hierarchy

Hyper frame Super frame Multiframe Frame 0 1 0 1

48 49 50 23 24 25 120ms 4.615ms
28 bits Encrypted bits 57 bits Encrypted bits 57 bits Training sequence

3.48hr 2047 6.12s

0 1

0 1 2 3 4 5 6 7

0.57692ms
8.25 guard bits

Time Slot

3 tail bits

3 tail bits Stealing bit

Normal Burst Format

Trail bits
always (0,0,0); provide start and stop bit pattern

encrypted bits
data is encrypted

stealing bits
indicate whether the burst was stolen for urgent control signaling (FACCH signaling)

Guard bits
avoid overlapping with other bursts due to different path delay

Training Sequence
A known bit pattern that differs for different adjacent cells to adapt the parameters of the receiver to the current path propagation characteristics to select the strongest signal in case of multipath propagation for multipath equalization
extract the desired signal from unwanted reflections

GSM Protocol Stack

MS

CM MM RR
LAPDm Layer 1

Base Transceiver Station (BTS)

RR

Base Station Controller (BSC)

DTAP

MSC

CM MM
BSSMAP/DTAP

BSSMAP

RR LAPDm Layer 1

BTSM BTSM

LAPD Layer 1

LAPD Layer 1

SCCP MTP

SCCP MTP

Um (air interface)

Abis

Layer 1 - Physical Layer

Modulation Equalization Channel coding
block code convolutional code

Interleaving
to distribute burst error

GSM Physical Layer (MS Side)

signaling voice
speech coding

voice
speech decoding

signaling

channel coding

channel decoding

interleaving
burst formatting

de-interleaving
burst de-formatting

ciphering modulation R/F R/F

deciphering demodulation

GSM Speech Transmission

20 ms speech encoding (RPE-LTP)
260 bits

channel encoding
456 bits
0 64 57 114 171 228 285 342 399 121 178 235 292 349 406 7

interleaving burst 57 57 57 57 57 57 57 57 formatting

57 rows

392 449 50

107 164 221 278 335

57 57 57 57 57 57 57 57

57 57 57 57 57 57 57 57

burst

frame

GSM Speech Channel Coding

260 bits Class 1a 50 bits Parity bits protecting 1a 91 bits Class 1b 132 bits Class 2 78 bits Tail Bits 4

reordering
3 91 bits

Convolutional Coding
378 bits 456 bits 78 bits

Tailing Bits and Reordering

d(0) d(1) d(2) d(3) d(0) d(2) d(4) u(0) u(1) u(2)

: reorder d(178)
d(180) p(0) p(1) p(2) d(181) d(179) d(177)

:
u(89) u(90) u(91) u(92) u(93) u(94) u(95) u(96) : u(183) u(184)

Tailing Bits
u(185) u(186) u(187) u(188) 0 0 0 0

d(179) d(180) d(181) p(0) p(1) p(2)

The first 50 bits are protected by 3 parity bits p(0), p(1), p(2) generator polynomial g(D)=D3+D+1 the remainder of d(0)D52+d(1)D51++d(49)D3+p(0)D2+p( 1)D+p(2) divided by g(D) should be 1+D+D2

:
d(3) d(1)

Parity Bits

10

Convolutional Encoder for GSM Speech (Rate=1/2, K=5)

U0 U188

ak

ak-1

ak-2

ak-3

ak-4

Interleaving
0 455
0 64 128 192 256 320 384 448 56 120 184 248 312 : : 392 57 121 185 249 313 377 441 49 113 177 241 305 369 : : 449 114 178 242 306 370 434 42 106 170 234 298 362 426 : : 50 171 235 299 363 427 35 99 163 227 291 355 419 27 : : 107 228 292 356 420 28 92 156 220 284 348 412 20 84 : : 164 285 349 413 21 85 149 213 277 341 405 13 77 141 : : 221 342 406 14 78 142 206 270 334 398 6 70 134 198 : : 278 399 7 71 135 199 263 327 391 455 63 127 191 255 : : 335

11

GSM Normal Burst Formatting

A
57 57 57 57 57 57 57 57

B
57 57 57 57 57 57 57 57

C
57 57 57 57 57 57 57 57

burst
28 bits
BABA BAB ABAB ABA

frame

57 bits 3 tail bits

57 bits

8.25 guard bits

Training sequence

3 tail bits Stealing flag

Physical Vs. Logical Channels

Physical channels are all the available time slots of a BTS
a BTS with 6 carriers has 48 physical channels

Logical channels are piggybacked on the physical channels

logical channels are laid over the grid of physical channels each logical channel performs a specific task

12

GSM Logical Channels (I)

Speech traffic channels (TCH)
Full-rate TCH (TCH/F) Half-rate TCH (TCH/H)

Broadcast channels (BCH)

Frequency correction channel (FCCH) Synchronization channel (SCH) Broadcast control channel (BCCH)

Cell broadcast channel (CBCH)

GSM Logical Channels (II)

Common control channels (CCCH)
Paging channel (PCH) Access grant channel (AGCH) Random access channel (RACH)

Dedicated control channel (DCCH)

Slow associated control channel (SACCH) Stand-alone dedicated control channel (SDCCH) Fast associated control channel (FACCH)

13

Broadcast Channels (BCH)

Frequency correction channel (FCCH)
the lighthouse of a BTS

Synchronization channel (SCH)

PLMN/base identifier of a BTS plus synchronization information (frame number)

Broadcast control channel (BCCH)

to transmit system information 1-4, 7-8 (differs in GSM 900, GSM 1800, and PCS 1900)

CBCH and CCCH

CBCH (Cell Broadcast Channel)
transmits cell broadcast messages

PCH (Paging Channel)

carries PAG_REQ message

AGCH (Access Grant Channel)

SDCCH channel assignment

RACH (Random Access Channel)

communication request from MS to BTS

14

Mapping of Logical Channels

Each BTS has a particular frequency carrier called BCCH-TRX to transmit BCCH info The following channel structure can be found on time slot 0 of carrier BCCH-TRX
FCCH SCH BCCH information 1-4 Four SDCCH subchannels (optional) CBCH (optional)

Example Mapping of Logical Channels on Time Slot 0 (Downlink)

FN= 0 - 5 FN= 6 - 9 FN= 10 - 11 FN= 12 - 15 FN= 16 - 19 FN= 20 - 21 FCCH + SCH + BCCH 1 - 4 Block 0 reserved for CCCH FCCH/SCH Block 1 reserved for CCCH Block 2 reserved for CCCH FCCH/SCH Block 4 FN= 26 - 29 CCCH/SDCCH FCCH/SCH FN= 30 - 31 Block 5 CCCH/SDCCH FN= 32 - 35 Block 6 FN= 36 - 39 CCCH/SDCCH FCCH/SCH FN= 40 - 41 Block 7 FN= 42 - 45 CCCH/SACCH FN= 46 - 49 Block 7 CCCH/SACCH FN= 50 not used

Block 3 FN= 22 - 25 CCCH/SDCCH

15

Example Mapping of Logical Channels on Time Slot 2 (Downlink)

FN= 0 - 11 TCH

FN= 12

SACCH

FN= 13 - 24

TCH

FN= 25

not used

GSM Layer 2: LAPDm

Functions
organization of Layer 3 information into frames peer-to-peer transmission of signaling data in defined frame formats recognition of frame formats establishment, maintenance, and termination of one or more (parallel) data links on signaling channels

16

Layer 3 Protocol Architecture: Mobile Station Side

MNREG-SAP MNCC-SAP MNSS-SAP MNSMS-SAP

CM CC SS SMS

TI

TI

TI

MM

MM CC

SS PD

SMS

PD

RR

SAPI=0
RACH BCCH

SAPI=3
SDCCH SACCH SDCCH SACCH FACCH

Layer 3 - RR Sublayer
The RR sublayer handles all the procedures necessary to establish, maintain, and release dedicated radio connections channel allocation handover A timing advance power power control level frequency hopping
B

AGCH+PCH

time

17

Three Cases of Hand-over

MSC MSC

BSC

BSC

BSC

BTS MS

BTS MS MS

BTS

BTS 1. different BTS, same BSC

MS MS MS

2. different BSC, same MSC

3. different MSC, same PLMN (old MSC=anchor MSC new MSC=relay MSC)

Layer 3 - MM Sublayer
The MM sublayer copes with all the effects of handling a mobile user that are not directly related to radio functions
location area location registration & call delivery location update & paging

18

Authentication & Encryption/Decryption in GSM

Mobile Station
SIM Ki

Home System
RAND

Ki

A8

A3
accept
Y

A3
SRES SRES

A8
Kc

SRES

=?
N

reject

authentication

Kc

frame number

Kc

encryption

A5
S1
plain text

Visited System
S2
ciphered data

A5
S1 S2
plain text

MS
HLR

BTS BSC MSC VLR HLR

channel request channel activation command channel activation acknowledge cancellation 5 ack 3 location update channel assignment location update request authentication request new VLR 1 4 ack new TMSI authentication response comparison of authentication parameters assignment of TMSI acknowledgement of TMSI entry of the new area and identity into the VLR & HLR channel release

subscriber information old VLR 2 IMSI, auth. para. old TMSI, old VLR ID

MS

19

Layer 3 - CM Sublayer
The CM sublayer manages all the functions necessary for circuit-switched call control call establishment procedures for mobileoriginated calls and mobile-terminated calls in-call modification call reestablishment Dual Tone Multi Frequency (DTMF) control procedure for DTMF transmission

Contents of CM
Call Control (CC) Short Message Service (SMS) Supplementary Service (SS)

20

Paging Procedure
MS
Paging Request Message on PCH Channel Request on RACH Assign SDCCH on AGCH SABM (Paging Response)

BSS

Call Setup Procedure: Mobile Terminated Call

+886935...
dial MSISDN 1 1 GMSC (INTX) 3 request roaming number 1 HLR 2 allocate MSRN 2 1 VLR

MSC other switches

3 3

other switches

routing

MS INTerrogating eXchange (INTX) Mobile Station ISDN Number (MSISDN) (Country Code, see E.164) Mobile Station Roaming Number (MSRN) (Mobile Country Code, see E.212)

21

Dual Tone Multiple Frequency (DTMF) in PSTN

Switch DTMF

Dialing Switch PBX

Connected

DTMF in GSM
MSC SETUP

Dialing MSC START_DTMF STOP_DTMF

Connected

PBX

22