1

Global System for Mobile

Communication (GSM)
Li-Hsing Yen
National University of Kaohsiung
GSM System Architecture
BSC
HLR VLR
EIR
BTS
VLR
MSC
MS
(ME/SIM)
MS
(ME/SIM)
A-bis
A-bis
Um
Um
C B
G
D
F
MSC
PSTN, ISDN, PSPDN,
CSPDN
E
A
NSS
BSS
AuC
2
Nomenclature
MS (Mobile Station) =
MT (Mobile Terminal ) +
TE (Terminal Equipment)
BSS (Base Station Subsystem) =
BTS (Base Transceiver Station) +
BSC (Base Station Controller)
NSS (Network Switching Subsystem)
MSC (Mobile Switching Center): telephony
switching function and authentication of user
HLR and VLR
HLR (Home Location Register)
a database to store and management
permanent data of subscribers
VLR (Visitor Location Register)
a database to store temporary information
about subscribers
needed by MSC in order to service visiting
subscribers
3
AuC and EIR
Authentication Center (AuC)
used in the security data management for
the authentication of subscribers.
Equipment Identity Register (EIR)
used to maintain a list of legitimate,
fraudulent, or faulty MSs.
optional in GSM network, and is not used
generally.
GSM Interfaces
U
m
Radio interface between MS and BTS
each physical channel supports a number of
logical channels
A
bis
between BTS and BSC (vender specific)
primary functions: traffic channel transmission,
terrestrial channel management, and radio
channel management
4
time slot
0 1 2 3 4 5 6 7 0
200kHz
. . . 7
890.0 MHz
914.8 MHz
890.2 MHz
890.4 MHz
burst
Guard band Uplink
Downlink
0
.
57
7
m
s
n: Absolute Radio Frequency Channel Number (ARFCN). 1 n 124
935.0 MHz
959.8 MHz
935.2 MHz
935.4 MHz
Guard band
.
.
.
.
.
.
.
.
(contents of time slot)
F
ul
(n)=890+ 0.2*n
MHz
F
dl
(n)=F
ul
(n)+45
MHz
Frequency Division Duplex
Uplink
Downlink
Time Division Duplex
7 0 1 2 3 4 5 6 7 0 1 5 6
7 0 1 2 3 4 5 6 2 3 4 5 6 7
2
MS and BTS do not transmit simultaneously
(MS transmits 3 time slots after the BTS)
Timing advance: MS transmits its data a little earlier as
demanded by the three time slots delay rule.
5
Timing Advance
Base station
Mobile station
send
recv
Propagation delay
send
recv
send
Original timing
Timing advance
~ Propagation delay * 2
GSM Frame Structure
1 hyperframe = 2048 superframes (~3.5hr)
For speech
1 superframe = 51 multiframes = 6.12s
1 multiframe = 26 frames = 120ms
For Signaling
1 superframe = 26 multiframes
1 multiframe = 51 frames
1 frame = 8 time slots = 4.615 ms
1 time slot = 156.25 bit duration = 0.577ms
6
Encrypted bits Encrypted bits
3 tail bits
3 tail bits
57 bits 57 bits
Training sequence Stealing bit
8.25
guard bits
28 bits
0 1 2047

0 1 48 49 50

0 1

23 24 25
0 1 2 3 4 5 6 7
Hyper
frame
Super
frame
Multi-
frame
Frame
Time
Slot
6.12s
120ms
4.615ms
0.57692ms
3.48hr
GSM Frame Hierarchy
Normal Burst Format
Trail bits
always (0,0,0); provide start and stop bit pattern
encrypted bits
data is encrypted
stealing bits
indicate whether the burst was stolen for urgent
control signaling (FACCH signaling)
Guard bits
avoid overlapping with other bursts due to different
path delay
7
Training Sequence
A known bit pattern that differs for different
adjacent cells
to adapt the parameters of the receiver to the
current path propagation characteristics
to select the strongest signal in case of
multipath propagation
for multipath equalization
extract the desired signal from unwanted
reflections
GSM Protocol Stack
Layer 1
LAPDm
RR
MM
CM
MS
Layer 1
LAPDm
RR
Layer 1
LAPD
BTSM
Layer 1
LAPD
RR
MTP
SCCP
BSSMAP
MM
CM
Base
Transceiver
Station
(BTS)
Base
Station
Controller
(BSC)
MSC
BTSM
DTAP
Um
(air interface)
Abis A
MTP
SCCP
BSSMAP/DTAP
8
Layer 1 - Physical Layer
Modulation
Equalization
Channel coding
block code
convolutional code
Interleaving
to distribute burst error
GSM Physical Layer (MS Side)
voice
voice
signaling
speech
coding
channel coding
interleaving
burst formatting
ciphering
modulation
speech
decoding
channel decoding
de-interleaving
burst de-formatting
deciphering
demodulation
signaling
R/F R/F
9
20 ms
260 bits
speech encoding (RPE-LTP)
456 bits
channel encoding
0 57 114 171 228 285 342 399
64 121 178 235 292 349 406 7
: : : : : : : :
392 449 50 107 164 221 278 335
57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57
57 rows
frame
burst
GSM Speech Transmission
interleaving
burst
formatting
GSM Speech Channel Coding
Class 1a
50 bits
Class 1b
132 bits
Class 2
78 bits
378 bits 78 bits
4 3
Convolutional Coding
Parity bits
protecting 1a
91 bits 91 bits
260 bits
456 bits
reordering
Tail
Bits
10
Tailing Bits and Reordering
d(0)
d(1)
d(2)
d(3)

d(179)
d(180)
d(181)
p(0)
p(1)
p(2)
d(0)
d(2)
d(4)
d(180)
d(178)
:
d(181)
d(179)
d(177)
d(1)
d(3)
:
u(0)
u(1)
u(2)
u(90)
u(89)
: :
p(1)
p(2)
p(0)
u(91)
u(92)
u(95)
u(94)
u(93)
u(96)
u(183)
:
u(184)
u(185)
u(186)
u(187)
u(188)
0
0
0
0
Tailing Bits
reorder
Parity Bits
The first 50 bits are protected by 3
parity bits p(0), p(1), p(2)
generator polynomial g(D)=D
3
+D+1
the remainder of
d(0)D
52
+d(1)D
51
++d(49)D
3
+p(0)D
2
+p(
1)D+p(2) divided by g(D) should be
1+D+D
2
11
Convolutional Encoder for
GSM Speech (Rate=1/2, K=5)
a
k
a
k-4
a
k-1
a
k-2
a
k-3
U
0
U
188
Interleaving
0
455
0
64
128
192
256
320
384
448
56
120
184
248
312
:
:
392
57
121
185
249
313
377
441
49
113
177
241
305
369
:
:
449
114
178
242
306
370
434
42
106
170
234
298
362
426
:
:
50
171
235
299
363
427
35
99
163
227
291
355
419
27
:
:
107
228
292
356
420
28
92
156
220
284
348
412
20
84
:
:
164
285
349
413
21
85
149
213
277
341
405
13
77
141
:
:
221
342
406
14
78
142
206
270
334
398
6
70
134
198
:
:
278
399
7
71
135
199
263
327
391
455
63
127
191
255
:
:
335
12
GSM Normal Burst Formatting
57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57
frame
B A B A
burst
A B C
A B A B
3 tail bits
B A B A B A
3 tail bits
57 bits 57 bits
Training sequence Stealing flag
8.25
guard
bits
28 bits
Physical Vs. Logical Channels
Physical channels are all the available time
slots of a BTS
a BTS with 6 carriers has 48 physical channels
Logical channels are piggybacked on the
physical channels
logical channels are laid over the grid of physical
channels
each logical channel performs a specific task
13
GSM Logical Channels (I)
Speech traffic channels (TCH)
Full-rate TCH (TCH/F)
Half-rate TCH (TCH/H)
Broadcast channels (BCH)
Frequency correction channel (FCCH)
Synchronization channel (SCH)
Broadcast control channel (BCCH)
Cell broadcast channel (CBCH)
GSM Logical Channels (II)
Common control channels (CCCH)
Paging channel (PCH)
Access grant channel (AGCH)
Random access channel (RACH)
Dedicated control channel (DCCH)
Slow associated control channel (SACCH)
Stand-alone dedicated control channel (SDCCH)
Fast associated control channel (FACCH)
14
Broadcast Channels (BCH)
Frequency correction channel (FCCH)
the lighthouse of a BTS
Synchronization channel (SCH)
PLMN/base identifier of a BTS plus
synchronization information (frame number)
Broadcast control channel (BCCH)
to transmit system information 1-4, 7-8 (differs in
GSM 900, GSM 1800, and PCS 1900)
CBCH and CCCH
CBCH (Cell Broadcast Channel)
transmits cell broadcast messages
PCH (Paging Channel)
carries PAG_REQ message
AGCH (Access Grant Channel)
SDCCH channel assignment
RACH (Random Access Channel)
communication request from MS to BTS
15
Mapping of Logical Channels
Each BTS has a particular frequency carrier
called BCCH-TRX to transmit BCCH info
The following channel structure can be found
on time slot 0 of carrier BCCH-TRX
FCCH
SCH
BCCH information 1-4
Four SDCCH subchannels (optional)
CBCH (optional)
Example Mapping of Logical
Channels on Time Slot 0 (Downlink)
FCCH + SCH
+
BCCH 1 - 4
Block 0
reserved for
CCCH
FCCH/SCH
Block 1
reserved for
CCCH
Block 2
reserved for
CCCH
FCCH/SCH
Block 3
CCCH/SDCCH
Block 4
CCCH/SDCCH
Block 5
CCCH/SDCCH
FCCH/SCH
FCCH/SCH
Block 6
CCCH/SDCCH
Block 7
CCCH/SACCH
Block 7
CCCH/SACCH
not used
FN= 0 - 5
FN= 6 - 9
FN= 10 - 11
FN= 12 - 15
FN= 16 - 19
FN= 20 - 21
FN= 22 - 25
FN= 26 - 29
FN= 30 - 31
FN= 32 - 35
FN= 36 - 39
FN= 40 - 41
FN= 42 - 45
FN= 46 - 49
FN= 50
16
Example Mapping of Logical
Channels on Time Slot 2 (Downlink)
TCH
SACCH
FN= 0 - 11
FN= 12
FN= 13 - 24
FN= 25
TCH
not used
GSM Layer 2: LAPDm
Functions
organization of Layer 3 information into
frames
peer-to-peer transmission of signaling data
in defined frame formats
recognition of frame formats
establishment, maintenance, and
termination of one or more (parallel) data
links on signaling channels
17
R
A
C
H
B
C
C
H
A
G
C
H
+
P
C
H
S
D
C
C
H
S
A
C
C
H
F
A
C
C
H
S
D
C
C
H
S
A
C
C
H
SAPI=0 SAPI=3
RR
MM
MM CC SS SMS
PD
PD
TI TI TI
SMS SS
MNSMS-SAP MNSS-SAP MNCC-SAP MNREG-SAP
CM
CC
Layer 3 Protocol Architecture:
Mobile Station Side
Layer 3 - RR Sublayer
The RR sublayer handles all the procedures
necessary to establish, maintain, and release
dedicated radio connections
channel allocation
handover
timing advance
power control
frequency hopping
A
B
A B
time
power
level
18
Three Cases of Hand-over
MSC
BSC BSC
BTS BTS BTS
MSC
BSC
BTS
MS MS
MS MS
MS MS
1. different BTS, same BSC
2. different BSC, same MSC
3. different MSC, same PLMN
(old MSC=anchor MSC
new MSC=relay MSC)
Layer 3 - MM Sublayer
The MM sublayer copes with all the
effects of handling a mobile user that
are not directly related to radio functions
location area
location registration & call delivery
location update & paging
19
Ki Ki
RAND
A3 A3 A8 A8
SRES
SRES
Home System
Visited
System
=?
Y
N
reject
accept
Mobile Station
authentication
encryption
Kc
Kc
Kc frame number
A5
plain text ciphered data
SRES
S1 S2
A5
S1 S2
plain text
Authentication & Encryption/Decryption in GSM
SIM
MS BTS BSC MSC VLR HLR
channel request
channel activation command
location update request
authentication request
authentication response
assignment of TMSI
channel activation acknowledge
channel assignment
comparison of authentication parameters
channel release
acknowledgement of TMSI
entry of the new area and
identity into the VLR & HLR
old
VLR
HLR
new
VLR
MS
1 4
3 5
2
old TMSI,
old VLR ID
new TMSI
location update cancellation
IMSI,
auth. para.
ack
subscriber
information
ack
20
Layer 3 - CM Sublayer
The CM sublayer manages all the functions
necessary for circuit-switched call control
call establishment procedures for mobile-
originated calls and mobile-terminated calls
in-call modification
call reestablishment
Dual Tone Multi Frequency (DTMF) control
procedure for DTMF transmission
Contents of CM
Call Control (CC)
Short Message Service (SMS)
Supplementary Service (SS)
21
Paging Procedure
MS BSS
Paging Request Message on PCH
Channel Request on RACH
Assign SDCCH on AGCH
SABM (Paging Response)
Call Setup Procedure: Mobile
Terminated Call
MSC
MS
VLR HLR
GMSC
(INTX)
other
switches
other
switches
1 1
1 1
2 2
3
3
3
request roaming number
dial MSISDN
allocate MSRN
routing
INTerrogating eXchange (INTX)
Mobile Station ISDN Number (MSISDN) (Country Code, see E.164)
Mobile Station Roaming Number (MSRN) (Mobile Country Code, see E.212)
+886935...
22
Dual Tone Multiple Frequency
(DTMF) in PSTN
DTMF
Switch
Dialing
PBX
Switch
Connected
DTMF in GSM
SETUP
MSC
START_DTMF
STOP_DTMF
MSC PBX
Dialing
Connected