Global System for Mobile

Communication (GSM)
Li-Hsing Yen
Assistant Prof.
Dept. of CSIE, Chung Hua Univ.

GSM System Architecture

Um

MSC
MS
(ME/SIM)

MSC

PSTN, ISDN, PSPDN,

CSPDN

A-bis
A

F
B

C
A-bis
BSC
BTS

HLR

BSS

VLR

EIR

Um

MS
(ME/SIM)

AuC

VLR

NSS

Nomenclature
MS (Mobile Station) =
MT (Mobile Terminal ) +
TE (Terminal Equipment)
BSS (Base Station Subsystem) =
BTS (Base Transceiver Station) +
BSC (Base Station Controller)
NSS (Network Switching Subsystem)
MSC (Mobile Switching Center): telephony
switching function and authentication of user

HLR and VLR

HLR (Home Location Register)
a database to store and management
permanent data of subscribers

VLR (Visitor Location Register)

a database to store temporary information
about subscribers
needed by MSC in order to service visiting
subscribers

AuC and EIR

Authentication Center (AuC)
used in the security data management for
the authentication of subscribers.

Equipment Identity Register (EIR)

used to maintain a list of legitimate,
fraudulent, or faulty MSs.
optional in GSM network, and is not used
generally.

GSM Interfaces
Um
Radio interface between MS and BTS
each physical channel supports a number of
logical channels

Abis
between BTS and BSC (vender specific)
primary functions: traffic channel transmission,
terrestrial channel management, and radio
channel management

Frequency Division Duplex

n: Absolute Radio Frequency Channel Number (ARFCN). 1 n 124

Uplink

Guard band

890.0 MHz

200kHz

890.2 MHz
890.4 MHz

....

914.8 MHz

ms

F ul(n)=890+ 0.2*n
MHz

0
57
7

burst (contents of time slot)

Guard band

935.0 MHz

Downlink

935.2 MHz

F dl(n)=F ul(n)+45
MHz

935.4 MHz

....
959.8 MHz
.

time slot

Time Division Duplex

MS and BTS do not transmit simultaneously
(MS transmits 3 time slots after the BTS)
Downlink

5 6 7 0 1 2 3 4 5 6 7 0 1 2

Uplink

2 3 4 5 6 7 0 1 2 3 4 5 6 7

Timing advance: MS transmits its data a little earlier as

demanded by the three time slots delay rule.

Timing Advance
Propagation delay

Base station

send

Mobile station

recv

recv

send
send

Original timing

Timing advance
~ Propagation delay * 2

GSM Frame Structure

1 hyperframe = 2048 superframes (~3.5hr)
For speech
1 superframe = 51 multiframes = 6.12s
1 multiframe = 26 frames = 120ms

For Signaling
1 superframe = 26 multiframes
1 multiframe = 51 frames

1 frame = 8 time slots = 4.615 ms

1 time slot = 156.25 bit duration = 0.577ms

GSM Frame Hierarchy

3.48hr
Hyper
frame

0 1

Super
frame

0 1

Multiframe

0 1

Frame

0 1 2 3 4 5 6 7

Time
Slot

2047

48 49 50

23 24 25 120ms
4.615ms
0.57692ms

28 bits
Encrypted bits

Encrypted bits
57 bits

6.12s

57 bits

3 tail bits
Training sequence

8.25
guard bits

3 tail bits
Stealing bit

Normal Burst Format

Trail bits
always (0,0,0); provide start and stop bit pattern

encrypted bits
data is encrypted

stealing bits
indicate whether the burst was stolen for urgent
control signaling (FACCH signaling)

Guard bits
avoid overlapping with other bursts due to different
path delay

Training Sequence
A known bit pattern that differs for different
adjacent cells
to adapt the parameters of the receiver to the
current path propagation characteristics
to select the strongest signal in case of
multipath propagation
for multipath equalization
extract the desired signal from unwanted
reflections

GSM Protocol Stack

MS

CM
MM

Base
Transceiver
Station
(BTS)

MSC

Base
Station
Controller
(BSC)
RR

RR

CM
MM
DTAP

BSSMAP/DTAP

BSSMAP

LAPDm

RR
LAPDm

LAPD

LAPD

Layer 1

Layer 1

Layer 1

Layer 1

Um
(air interface)

BTSM BTSM

Abis

SCCP

SCCP

MTP

MTP

Layer 1 - Physical Layer

Modulation
Equalization
Channel coding
block code
convolutional code

Interleaving
to distribute burst error

GSM Physical Layer (MS Side)

signaling

voice

voice

signaling

speech
decoding

speech
coding

channel decoding

channel coding

interleaving

de-interleaving

burst formatting

burst de-formatting

ciphering

deciphering

modulation

R/F

R/F

demodulation

GSM Speech Transmission

20 ms
speech encoding (RPE-LTP)
260 bits

channel encoding
456 bits
0
64

interleaving

57 114 171 228 285 342 399

121 178 235 292 349 406 7

392 449 50

burst
57 57 57 57 57 57 57 57
formatting

57 rows

107 164 221 278 335

57 57 57 57 57 57 57 57

57 57 57 57 57 57 57 57

frame

burst

GSM Speech Channel Coding

260 bits
Class 1a
50 bits
Parity bits
protecting 1a

Class 1b
132 bits

Class 2
78 bits
Tail
Bits

reordering
91 bits

91 bits

Convolutional Coding
378 bits

78 bits

456 bits

Tailing Bits and Reordering

:
reorder d(178)

d(0)
d(2)
d(4)

d(0)
d(1)
d(2)
d(3)

d(180)

d(179)
d(180)
d(181)
p(0)
p(1)
p(2)

p(0)
p(1)
p(2)
d(181)
d(179)
d(177)

:
d(3)
d(1)

u(0)
u(1)
u(2)

:
u(89)
u(90)
u(91)
u(92)
u(93)
u(94)
u(95)
u(96)

Tailing Bits
u(185)
u(186)
u(187)
u(188)

0
0
0
0

:
u(183)
u(184)

Parity Bits
The first 50 bits are protected by 3
parity bits p(0), p(2), p(3)
generator polynomial g(D)=D3+D+1
the remainder of
d(0)D52+d(1)D51+ +d(49)D3+p(0)D2+p(
1)D+p(2) divided by g(D) should be
1+D+D2

10

Convolutional Encoder for

GSM Speech (Rate=1/2, K=5)

U0 U188

ak

ak-1

ak-2

ak-3

ak-4

Interleaving
455

0
64
128
192
256
320
384
448
56
120
184
248
312
:
:
392

57
121
185
249
313
377
441
49
113
177
241
305
369
:
:
449

114
178
242
306
370
434
42
106
170
234
298
362
426
:
:
50

171
235
299
363
427
35
99
163
227
291
355
419
27
:
:
107

228
292
356
420
28
92
156
220
284
348
412
20
84
:
:
164

285
349
413
21
85
149
213
277
341
405
13
77
141
:
:
221

342
406
14
78
142
206
270
334
398
6
70
134
198
:
:
278

399
7
71
135
199
263
327
391
455
63
127
191
255
:
:
335

11

GSM Normal Burst Formatting

A

57 57 57 57 57 57 57 57

57 57 57 57 57 57 57 57

57 57 57 57 57 57 57 57

burst

frame

28 bits
BABA

BAB

ABAB

57 bits

ABA

57 bits

3 tail bits

Training sequence

8.25
guard
bits

3 tail bits
Stealing flag

Physical Vs. Logical Channels

Physical channels are all the available time
slots of a BTS
a BTS with 6 carriers has 48 physical channels

Logical channels are piggybacked on the

physical channels
logical channels are laid over the grid of physical
channels
each logical channel performs a specific task

12

GSM Logical Channels (I)

Speech traffic channels (TCH)
Full-rate TCH (TCH/F)
Half-rate TCH (TCH/H)

Broadcast channels (BCH)

Frequency correction channel (FCCH)
Synchronization channel (SCH)
Broadcast control channel (BCCH)

Cell broadcast channel (CBCH)

GSM Logical Channels (II)

Common control channels (CCCH)
Paging channel (PCH)
Access grant channel (AGCH)
Random access channel (RACH)

Dedicated control channel (DCCH)

Slow associated control channel (SACCH)
Stand-alone dedicated control channel (SDCCH)
Fast associated control channel (FACCH)

13

Broadcast Channels (BCH)

Frequency correction channel (FCCH)
the lighthouse of a BTS

Synchronization channel (SCH)

PLMN/base identifier of a BTS plus
synchronization information (frame number)

Broadcast control channel (BCCH)

to transmit system information 1-4, 7-8 (differs in
GSM 900, GSM 1800, and PCS 1900)

CBCH and CCCH

CBCH (Cell Broadcast Channel)
transmits cell broadcast messages

PCH (Paging Channel)

carries PAG_REQ message

AGCH (Access Grant Channel)

SDCCH channel assignment

RACH (Random Access Channel)

communication request from MS to BTS

14

Mapping of Logical Channels

Each BTS has a particular frequency carrier
called BCCH-TRX to transmit BCCH info
The following channel structure can be found
on time slot 0 of carrier BCCH-TRX

FCCH
SCH
BCCH information 1-4
Four SDCCH subchannels (optional)
CBCH (optional)

Example Mapping of Logical

Channels on Time Slot 0 (Downlink)
FN= 0 - 5
FN= 6 - 9
FN= 10 - 11
FN= 12 - 15
FN= 16 - 19
FN= 20 - 21

FCCH + SCH
+
BCCH 1 - 4
Block 0
reserved for
CCCH
FCCH/SCH
Block 1
reserved for
CCCH
Block 2
reserved for
CCCH
FCCH/SCH

Block 3
FN= 22 - 25 CCCH/SDCCH

Block 4
FN= 26 - 29
CCCH/SDCCH
FCCH/SCH FN= 30 - 31
Block 5
CCCH/SDCCH FN= 32 - 35
Block 6
FN= 36 - 39
CCCH/SDCCH
FCCH/SCH FN= 40 - 41
Block 7
FN= 42 - 45
CCCH/SACCH
FN= 46 - 49
Block 7
CCCH/SACCH
FN= 50
not used

15

Example Mapping of Logical

Channels on Time Slot 2 (Downlink)
FN= 0 - 11

FN= 12

FN= 13 - 24

FN= 25

TCH

SACCH

TCH

not used

GSM Layer 2: LAPDm

Functions
organization of Layer 3 information into
frames
peer-to-peer transmission of signaling data
in defined frame formats
recognition of frame formats
establishment, maintenance, and
termination of one or more (parallel) data
links on signaling channels

16

Layer 3 Protocol Architecture:

Mobile Station Side
MNREG-SAP

MNCC-SAP

MNSS-SAP MNSMS-SAP

CM
CC

SS

SMS

TI

MM CC

MM

TI

SS
PD

TI

SMS

PD

RR

SAPI=3
SACCH

SDCCH

FACCH

SACCH

SDCCH

BCCH

RACH

AGCH+PCH

SAPI=0

Layer 3 - RR Sublayer
The RR sublayer handles all the procedures
necessary to establish, maintain, and release
dedicated radio connections
channel allocation
handover
A
timing advance
power
power control
level
frequency hopping
B

time

17

Three Cases of Hand-over

MSC

BSC

MSC

BSC

BTS

BTS

MS

MS
MS

BSC

BTS

BTS
1. different BTS, same BSC

2. different BSC, same MSC

MS
MS

MS

3. different MSC, same PLMN

(old MSC=anchor MSC
new MSC=relay MSC)

Layer 3 - MM Sublayer
The MM sublayer copes with all the
effects of handling a mobile user that
are not directly related to radio functions
location area
location registration & call delivery
location update & paging

18

Authentication & Encryption/Decryption in GSM

Mobile Station

Home System
RAND

SIM

Ki

A8

Ki

A3
accept

A3

A8

SRES

Kc

SRES

=?

SRES

authentication

reject

frame number

Kc

Visited
System

A5
S1

S2

plain text

Kc

encryption

A5
S1

S2

ciphered data

plain text

MS

BTS BSC MSC VLR HLR

channel request
channel activation command

HLR

channel activation acknowledge

cancellation 5 ack

location update

location update request

subscriber
information
old
VLR

2
IMSI,
auth. para.

old TMSI,
old VLR ID

channel assignment
authentication request

new
VLR
4 ack

new TMSI

authentication response
comparison of authentication parameters
assignment of TMSI
acknowledgement of TMSI
entry of the new area and
identity into the VLR & HLR

MS
channel release

19

Layer 3 - CM Sublayer
The CM sublayer manages all the functions
necessary for circuit-switched call control
call establishment procedures for mobileoriginated calls and mobile-terminated calls
in-call modification
call reestablishment
Dual Tone Multi Frequency (DTMF) control
procedure for DTMF transmission

Contents of CM
Call Control (CC)
Short Message Service (SMS)
Supplementary Service (SS)

20

Paging Procedure
MS

BSS
Paging Request Message on PCH
Channel Request on RACH
Assign SDCCH on AGCH
SABM (Paging Response)

Call Setup Procedure: Mobile

Terminated Call
+886935...
dial MSISDN
1
1

request roaming number

GMSC
(INTX)

1
HLR

VLR

allocate MSRN

MSC

other
switches

routing

other
switches

MS
INTerrogating eXchange (INTX)
Mobile Station ISDN Number (MSISDN) (Country Code, see E.164)
Mobile Station Roaming Number (MSRN) (Mobile Country Code, see E.212)

21

Dual Tone Multiple Frequency

(DTMF) in PSTN
Switch
DTMF

Dialing
Switch

PBX

Connected

DTMF in GSM
MSC
SETUP

Dialing
MSC

PBX

START_DTMF
STOP_DTMF
Connected

22