
CHAPTER-1

INTRODUCTION TO GSM

GSM:-
Global System for Mobile Communication (GSM) is a set of European
Telecommunication Standards Institute (ETSI) standards specifying the
infrastructure for a digital cellular service. This standard is used in
approx. 85 countries in the world, including such locations as Europe, Japan
and Australia.

1.1 History of GSM:-


The Europeans realized GSM early on, and in 1982 the Conference of
European Posts and Telegraphs (CEPT) formed a study group called the
Group Special Mobile to study and develop a pan-European public land
mobile system.

In 1989, GSM responsibility was transferred to the European
Telecommunication Standards Institute (ETSI), and phase I of the GSM
specifications was published in 1990. Commercial service was started in
mid-1991, and by 1993 there were 36 GSM networks in 22 countries.
Although standardized in Europe, GSM is not only a European standard.
Over 200 GSM networks (including DCS1800 and PCS1900) are
operational in 110 countries around the world. In the beginning of 1994,
there were 1.3 million subscribers worldwide, which had grown to more than
55 million by October 1997. With North America making a delayed entry
into the GSM field with a derivative of GSM called PCS1900, GSM systems
exist on every continent, and the acronym GSM now aptly stands for Global
System for Mobile communications.

1.2 Components of a GSM network:-

1.2.1 Subscriber Equipment:-


Mobile Station (MS) - The mobile telephone.

1.2.2 The Network & Switching Subsystem (NSS):-
Home Location Register (HLR) - A database which stores data about GSM
subscribers, including the Individual Subscriber Authentication Key (Ki) for
each Subscriber Identity Module (SIM).

Mobile Services Switching Center (MSC) - The network element which
performs the telephony switching functions of the GSM network. The MSC
is responsible for toll ticketing, network interfacing, and common channel
signaling.

Visitor Location Register (VLR) - A database which stores temporary
information about roaming GSM subscribers.

Authentication Center (AUC) - A database which contains the International
Mobile Subscriber Identity (IMSI), the Subscriber Authentication key (Ki),
and the defined algorithms for encryption.

Equipment Identity Register (EIR) - A database which contains information
about the identity of mobile equipment in order to prevent calls from stolen,
unauthorized, or defective mobile stations.

1.2.3 The Base Station Subsystem (BSS):-


Base Station Controller (BSC) - The network element which provides all the
control functions and physical links between the MSC and BTS. The BSC
provides functions such as handover, cell configuration data, and control of
radio frequency (RF) power levels in Base Transceiver Stations.

Base Transceiver Station (BTS) - The network element which handles the
radio interface to the mobile station. The BTS is the radio equipment
(transceivers and antennas) needed to service each cell in the network.

1.2.4 The Operation and Support Subsystem (OSS):-


Message Center - A network element which provides Short Message Service
(SMS), voice mail, fax mail, email, and paging.

Mobile Service Node (MSN) - A network element which provides mobile
intelligent network (IN) services.

Gateway Mobile Services Switching Center (GMSC) - A network element
used to interconnect two GSM networks.

GSM Interworking Unit (GIWU) - The network element which interfaces to
various data networks.

1.2.5 International Mobile Subscriber Identity (IMSI) Number:-

The IMSI is a unique non-dialable number allocated to each mobile
subscriber in the GSM system that identifies the subscriber and his or her
subscription within the GSM network. The IMSI resides in the Subscriber
Identity Module (SIM), which is transportable across Mobile Station
Equipment (MSE). The IMSI is made up of three parts: (1) the Mobile
Country Code (MCC) consisting of three digits, (2) the Mobile Network Code
(MNC) consisting of two digits, and (3) the Mobile Subscriber Identity
Number (MSIN) with up to 10 digits.

1.2.6 Mobile Subscriber ISDN (MSISDN) Number:-


The MSISDN is the dialable number that callers use to reach a mobile
subscriber. Some phones can support multiple MSISDNs - for example, a
U.S.-based MSISDN and a Canadian-based MSISDN. Callers dialing either
number will reach the subscriber.

1.2.7 Mobile Station Equipment (MSE) Subscription Services:-


GSM carriers typically order Mobile Station Equipment (MSE) (or GSM
phones) from their suppliers (Nokia, Motorola, Sony, etc.) in large quantities
(e.g. 1000 Units). After receiving an order, the equipment supplier will
program the ordered MSE SIMs with a range of IMSI numbers.

Example: ABC Communications Inc. orders 1000 MSE Units with the
following range of IMSIs.

             MCC   MNC   MSIN
Unit #1      310   68    4451000
Unit #1000   310   68    4451999

Once the range of IMSI numbers has been determined, the HLR can be
populated with the new IMSI records that will be configured and activated at
a future date by authorized sales or service subscription representatives. The
fact that the HLR can be populated with ranges or blocks of IMSI numbers
creates efficiencies in the storage and retrieval of routing information.

The wireless carrier distributes the Mobile Station Equipment to Sales
Outlets that sell GSM subscription services. When a new subscriber orders a
GSM phone at one of the outlets, the service representative will create a
Service Order (SO) to enter the new subscriber's service subscription
information, including the MSISDN number. The key to the Service Order is
the IMSI that is programmed in the SIM. The SO is sent to the HLR, where
the IMSI record is created. It can either be set to an active state immediately,
allowing the new subscriber to send and receive telephone calls or it can be
activated at a future date.
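
The IMSI layout from 1.2.5 and the block provisioning and Service Order flow from 1.2.7, as an added Python example that is not part of the original report. ToyHlr, its method names and the sample MSISDN are constructed for illustration; the field widths and the IMSI range are the ones given in the text.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MCC_LEN, MNC_LEN, MSIN_MAX = 3, 2, 10  # field widths as stated in the text


@dataclass(frozen=True)
class Imsi:
    mcc: str
    mnc: str
    msin: str

    def __str__(self) -> str:
        return self.mcc + self.mnc + self.msin


def parse_imsi(digits: str) -> Imsi:
    """Split an IMSI string into MCC / MNC / MSIN, rejecting malformed input."""
    if not (digits.isascii() and digits.isdigit()):
        raise ValueError("IMSI must contain decimal digits only")
    msin = digits[MCC_LEN + MNC_LEN:]
    if not 1 <= len(msin) <= MSIN_MAX:
        raise ValueError("MSIN must be 1 to 10 digits")
    return Imsi(digits[:MCC_LEN], digits[MCC_LEN:MCC_LEN + MNC_LEN], msin)


@dataclass
class SubscriberRecord:
    imsi: Imsi
    msisdn: str
    active: bool


class ToyHlr:
    """Hypothetical HLR model: IMSI blocks are stored as ranges, records per order."""

    def __init__(self) -> None:
        # Each block is (MCC+MNC prefix, first MSIN, last MSIN, MSIN width).
        self.blocks: List[Tuple[str, int, int, int]] = []
        self.by_imsi: Dict[str, SubscriberRecord] = {}
        self.imsi_by_msisdn: Dict[str, str] = {}

    def provision_block(self, mcc: str, mnc: str, first: str, last: str) -> int:
        """Register a supplier's IMSI range; returns the number of IMSIs covered."""
        if len(mcc) != MCC_LEN or len(mnc) != MNC_LEN:
            raise ValueError("MCC is three digits and MNC is two digits")
        if len(first) != len(last) or int(first) > int(last):
            raise ValueError("range bounds must have equal width and be ordered")
        parse_imsi(mcc + mnc + first)  # validates digits and MSIN length
        parse_imsi(mcc + mnc + last)
        self.blocks.append((mcc + mnc, int(first), int(last), len(first)))
        return int(last) - int(first) + 1

    def is_provisioned(self, imsi: Imsi) -> bool:
        return any(
            imsi.mcc + imsi.mnc == prefix
            and len(imsi.msin) == width
            and lo <= int(imsi.msin) <= hi
            for prefix, lo, hi, width in self.blocks
        )

    def apply_service_order(self, imsi_digits: str, msisdn: str,
                            activate_now: bool = True) -> SubscriberRecord:
        """Create the IMSI record for a Service Order; the IMSI is the key."""
        imsi = parse_imsi(imsi_digits)
        if not self.is_provisioned(imsi):
            raise LookupError("IMSI is outside every provisioned block")
        if str(imsi) in self.by_imsi:
            raise ValueError("IMSI already has a subscription record")
        if msisdn in self.imsi_by_msisdn:
            raise ValueError("MSISDN already assigned to another IMSI")
        record = SubscriberRecord(imsi, msisdn, activate_now)
        self.by_imsi[str(imsi)] = record
        self.imsi_by_msisdn[msisdn] = str(imsi)
        return record

    def activate(self, imsi_digits: str) -> None:
        """Switch a record created for future activation to the active state."""
        self.by_imsi[str(parse_imsi(imsi_digits))].active = True

    def lookup_msisdn(self, msisdn: str) -> Optional[SubscriberRecord]:
        imsi = self.imsi_by_msisdn.get(msisdn)
        return self.by_imsi[imsi] if imsi is not None else None


if __name__ == "__main__":
    hlr = ToyHlr()
    print(hlr.provision_block("310", "68", "4451000", "4451999"), "IMSIs provisioned")
    # Constructed MSISDN; the order is entered now and activated later.
    print(hlr.apply_service_order("310684451000", "15555550100", activate_now=False))
    hlr.activate("310684451000")
    print(hlr.lookup_msisdn("15555550100"))
```

A Service Order carrying an IMSI outside the provisioned range is rejected before any record exists, which is the check that keeps unissued SIM identities out of the subscriber database.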

1.3 Architecture of the GSM network:-


A GSM network is composed of several functional entities, whose functions
and interfaces are specified. Figure 1 shows the layout of a generic GSM
network. The GSM network can be divided into three broad parts. The
Mobile Station is carried by the subscriber. The Base Station Subsystem
controls the radio link with the Mobile Station. The Network Subsystem, the
main part of which is the Mobile services Switching Center (MSC),
performs the switching of calls between the mobile users, and between
mobile and fixed network users. The MSC also handles the mobility
management operations. The Mobile Station and the Base Station Subsystem
communicate across the Um interface, also known as the air interface or
radio link. The Base Station Subsystem communicates with the Mobile
services Switching Center across the A interface.

Figure 1. General architecture of a GSM network

1.3.1 Mobile Station:-


The mobile station (MS) consists of the mobile equipment (the terminal) and
a smart card called the Subscriber Identity Module (SIM). The SIM provides
personal mobility, so that the user can have access to subscribed services
irrespective of a specific terminal. By inserting the SIM card into another
GSM terminal, the user is able to receive calls at that terminal, make calls
from that terminal, and receive other subscribed services.

The mobile equipment is uniquely identified by the International Mobile
Equipment Identity (IMEI). The SIM card contains the International Mobile
Subscriber Identity (IMSI) used to identify the subscriber to the system, a
secret key for authentication, and other information. The IMEI and the IMSI
are independent, thereby allowing personal mobility. The SIM card may be
protected against unauthorized use by a password or personal identity
number.

1.3.2 Base Station Subsystem:-


The Base Station Subsystem is composed of two parts, the Base Transceiver
Station (BTS) and the Base Station Controller (BSC). These communicate
across the standardized Abis interface, allowing (as in the rest of the system)
operation between components made by different suppliers.

The Base Transceiver Station houses the radio transceivers that define a cell
and handles the radio-link protocols with the Mobile Station. In a large
urban area, there will potentially be a large number of BTSs deployed, thus
the requirements for a BTS are ruggedness, reliability, portability, and
minimum cost.

The Base Station Controller manages the radio resources for one or more
BTS. It handles radio-channel setup, frequency hopping, and handovers, as
described below. The BSC is the connection between the mobile station and
the Mobile service Switching Center (MSC).

1.3.3 Network Subsystem:-


The central component of the Network Subsystem is the Mobile services
Switching Center (MSC). It acts like a normal switching node of the PSTN
or ISDN, and additionally provides all the functionality needed to handle a
mobile subscriber, such as registration, authentication, location updating,
handovers, and call routing to a roaming subscriber. These services are
provided in conjunction with several functional entities, which together form
the Network Subsystem.

The MSC provides the connection to the fixed networks (such as the PSTN
or ISDN). Signaling between functional entities in the Network Subsystem
uses Signaling System Number 7 (SS7), used for trunk signaling in ISDN
and widely used in current public networks.

The Home Location Register (HLR) and Visitor Location Register (VLR),
together with the MSC, provide the call-routing and roaming capabilities of
GSM. The HLR contains all the administrative information of each
subscriber registered in the corresponding GSM network, along with the
current location of the mobile.

The location of the mobile is typically in the form of the signaling address
of the VLR associated with the mobile station. The actual routing procedure
will be described later. There is logically one HLR per GSM network,
although it may be implemented as a distributed database.

The Visitor Location Register (VLR) contains selected administrative
information from the HLR, necessary for call control and provision of the
subscribed services, for each mobile currently located in the geographical
area controlled by the VLR.

Although each functional entity can be implemented as an independent unit,
all manufacturers of switching equipment to date implement the VLR
together with the MSC, so that the geographical area controlled by the MSC
corresponds to that controlled by the VLR, thus simplifying the signaling
required. Note that the MSC contains no information about particular mobile
stations --- this information is stored in the location registers.

The other two registers are used for authentication and security purposes.
The Equipment Identity Register (EIR) is a database that contains a list of all
valid mobile equipment on the network, where each mobile station is
identified by its International Mobile Equipment Identity (IMEI).

An IMEI is marked as invalid if it has been reported stolen or is not type
approved. The Authentication Center (AuC) is a protected database that
stores a copy of the secret key stored in each subscriber's SIM card, which is
used for authentication and encryption over the radio channel.

1.4 Encryption utilization in GSM:-


GSM networks utilize encryption for three purposes:

• Authentication
• Encryption
• Key generation

1.4.1 Algorithm utilized for encryption in GSM networks:-


The stream cipher is initialized with the Session Key (Kc) and the number of
each frame. The same Kc is used throughout the call, but the 22-bit frame
number changes during the call, thus generating a unique keystream for
every frame.

The same Session Key (Kc) is used as long as the Mobile Services
Switching Center (MSC) does not authenticate the Mobile Station again. In
practice, the same Session Key (Kc) may be in use for days.

Authentication is an optional procedure in the beginning of a call, but it is
usually not performed.

The A5 algorithm is implemented in the Mobile Station (MS).

1.4.2 Algorithm utilized for key generation in GSM networks:-


The key generation algorithm used in the GSM system is known as the A8
algorithm.

Most GSM network operators utilize a version of the COMP128
algorithm as the implementation of the A8 algorithm.

A8's task is to generate the 64-bit Session Key (Kc), from the 128-bit
random challenge (RAND) received from the Mobile Services Switching
Center (MSC) and from the 128-bit Individual Subscriber Authentication
Key (Ki) from the Mobile Station's Subscriber Identity Module (SIM) or the
Home Location Register (HLR).

One Session Key (Kc) is used until the MSC decides to authenticate the MS
again. This might take days.

A8 actually generates 128 bits of output. The last 54 bits of those 128 bits
form the Session Key (Kc). Ten zero-bits are appended to this key before it
is given as input to the A5 algorithm.

The A8 algorithm is implemented in the Subscriber Identity Module (SIM).

1.4.3 Ki, Kc, RAND, and SRES:-


Ki is the 128-bit Individual Subscriber Authentication Key utilized as a
secret key shared between the Mobile Station and the Home Location
Register of the subscriber's home network.

RAND is the 128-bit random challenge generated by the Home Location
Register.

SRES is the 32-bit Signed Response generated by the Mobile Station and the
Mobile Services Switching Center.

Kc is the 64-bit ciphering key used as a Session Key for encryption of the
over-the-air channel. Kc is generated by the Mobile Station from the random
challenge presented by the GSM network and the Ki from the SIM utilizing
the A8 algorithm.

1.5 Radio link aspects:-


The International Telecommunication Union (ITU), which manages the
international allocation of radio spectrum (among many other functions),
allocated the bands 890-915 MHz for the uplink (mobile station to base
station) and 935-960 MHz for the downlink (base station to mobile station)
for mobile networks in Europe. Since this range was already being used in
the early 1980s by the analog systems of the day, the CEPT had the foresight
to reserve the top 10 MHz of each band for the GSM network that was still
being developed. Eventually, GSM will be allocated the entire 2x25 MHz
bandwidth.

1.5.1 Multiple access and channel structure:-


Since radio spectrum is a limited resource shared by all users, a method must
be devised to divide up the bandwidth among as many users as possible. The
method chosen by GSM is a combination of Time- and Frequency-Division
Multiple Access (TDMA/FDMA). The FDMA part involves the division by
frequency of the (maximum) 25 MHz bandwidth into 124 carrier frequencies
spaced 200 kHz apart. One or more carrier frequencies are assigned to each
base station. Each of these carrier frequencies is then divided in time, using a
TDMA scheme. The fundamental unit of time in this TDMA scheme is
called a burst period and it lasts 15/26 ms (or approx. 0.577 ms). Eight burst
periods are grouped into a TDMA frame (120/26 ms, or approx. 4.615 ms),
which forms the basic unit for the definition of logical channels. One
physical channel is one burst period per TDMA frame.

Channels are defined by the number and position of their corresponding
burst periods. All these definitions are cyclic, and the entire pattern repeats
approximately every 3 hours. Channels can be divided into dedicated
channels, which are allocated to a mobile station, and common channels,
which are used by mobile stations in idle mode.

1.5.2 Traffic channels:-
A traffic channel (TCH) is used to carry speech and data traffic. Traffic
channels are defined using a 26-frame multiframe, or group of 26 TDMA
frames. The length of a 26-frame multiframe is 120 ms, which is how the
length of a burst period is defined (120 ms divided by 26 frames divided by
8 burst periods per frame). Out of the 26 frames, 24 are used for traffic, 1 is
used for the Slow Associated Control Channel (SACCH) and 1 is currently
unused (see Figure 2). TCHs for the uplink and downlink are separated in
time by 3 burst periods, so that the mobile station does not have to transmit
and receive simultaneously, thus simplifying the electronics.

In addition to these full-rate TCHs, there are also half-rate TCHs defined,
although they are not yet implemented. Half-rate TCHs will effectively
double the capacity of a system once half-rate speech coders are specified
(i.e., speech coding at around 7 kbps, instead of 13 kbps). Eighth-rate TCHs
are also specified, and are used for signaling. In the recommendations, they
are called Stand-alone Dedicated Control Channels (SDCCH).

Figure 2. Organization of bursts, TDMA frames, and multiframes for speech
and data

1.5.3 Control channels:-


Common channels can be accessed both by idle mode and dedicated mode
mobiles. The common channels are used by idle mode mobiles to exchange
the signalling information required to change to dedicated mode. Mobiles
already in dedicated mode monitor the surrounding base stations for
handover and other information. The common channels are defined within a
51-frame multiframe, so that dedicated mobiles using the 26-frame
multiframe TCH structure can still monitor control channels. The common
channels include:

Broadcast Control Channel (BCCH) - Continually broadcasts, on the downlink,
information including base station identity, frequency allocations, and
frequency-hopping sequences.

Frequency Correction Channel (FCCH) and Synchronization Channel (SCH) -
Used to synchronize the mobile to the time slot structure of a cell by
defining the boundaries of burst periods, and the time slot numbering.
Every cell in a GSM network broadcasts exactly one FCCH and one SCH,
which are by definition on time slot number 0 (within a TDMA frame).

Random Access Channel (RACH) - Slotted Aloha channel used by the mobile to
request access to the network.

Paging Channel (PCH) - Used to alert the mobile station of an incoming call.

Access Grant Channel (AGCH) - Used to allocate an SDCCH to a mobile for
signaling (in order to obtain a dedicated channel), following a request on
the RACH.

1.5.4 Burst structure:-


There are four different types of bursts used for transmission in GSM. The
normal burst is used to carry data and most signaling. It has a total length of
156.25 bits, made up of two 57-bit information blocks, a 26-bit training
sequence used for equalization, 1 stealing bit for each information block
(used for FACCH), 3 tail bits at each end, and an 8.25 bit guard sequence, as
shown in Figure 2. The 156.25 bits are transmitted in 0.577 ms, giving a
gross bit rate of 270.833 kbps.

The F burst, used on the FCCH, and the S burst, used on the SCH, have the
same length as a normal burst, but a different internal structure, which
differentiates them from normal bursts (thus allowing synchronization). The
access burst is shorter than the normal burst, and is used only on the RACH.

1.5.5 Speech coding:-
GSM is a digital system, so speech, which is inherently analog, has to be
digitized. The method employed by ISDN, and by current telephone systems
for multiplexing voice lines over high speed trunks and optical fiber lines, is
Pulse Coded Modulation (PCM). The output stream from PCM is 64 kbps,
too high a rate to be feasible over a radio link. The 64 kbps signal, although
simple to implement, contains much redundancy. The GSM group studied
several speech coding algorithms on the basis of subjective speech quality
and complexity (which is related to cost, processing delay, and power
consumption once implemented) before arriving at the choice of a Regular
Pulse Excited -- Linear Predictive Coder (RPE--LPC) with a Long Term
Predictor loop. Basically, information from previous samples, which does
not change very quickly, is used to predict the current sample.

1.6 Interfaces used:-


Interfaces used in connection between components and their functions are
illustrated as follows:

CHAPTER-2

CORE ARCHITECTURE OF NETWORK AND SWITCHING SUBSYSTEM

Network switching subsystem (NSS) is the component of a GSM system
that carries out switching functions and manages the communications
between mobile phones and the Public Switched Telephone Network
(PSTN). It is owned and deployed by mobile phone operators and allows
mobile phones to communicate with each other and telephones in the wider
telecommunications network. The architecture closely resembles a telephone
exchange, but there are additional functions which are needed because the
phones are not fixed in one location. Each of these functions handles different
aspects of mobility management and is described in more detail below. The
Network Switching Subsystem, also referred to as the GSM core network,
usually refers to the circuit-switched core network, used for traditional GSM
services such as voice calls, SMS, and circuit switched data calls. There is
also an overlay architecture on the GSM core network that provides
packet-switched data services, known as the GPRS core network. This allows
mobile phones to have access to services such as WAP, MMS, and Internet
access. All mobile phones manufactured today have both circuit and packet
based services, so most operators have a GPRS network in addition to the
standard GSM core network.

Mobile switching center (MSC):-

Description:-
The mobile switching center (MSC) is the primary service delivery node for
GSM, responsible for handling voice calls and SMS as well as other services
(such as conference calls, FAX and circuit switched data). The MSC sets up
and releases the end-to-end connection, handles mobility and hand-over
requirements during the call and takes care of charging and real time pre-
paid account monitoring.

In the GSM mobile phone system, in contrast with earlier analogue services,
fax and data information is sent directly digitally encoded to the MSC. Only
at the MSC is this re-coded into an "analogue" signal (although actually this
will almost certainly mean sound encoded digitally as PCM signal in a 64-
kbit/s timeslot, known as a DS0 in America).

There are various different names for MSCs in different contexts, which
reflects their complex role in the network. All of these terms, though, could
refer to the same MSC doing different things at different times.

The gateway MSC (G-MSC) is the MSC that determines which visited MSC the
subscriber who is being called is currently located at. It also interfaces
with the PSTN. All mobile to mobile calls and PSTN to mobile calls are routed
through a G-MSC. The term is only valid in the context of one call, since any
MSC may provide both the gateway function and the Visited MSC function.
However, some manufacturers design dedicated high capacity MSCs which
do not have any BSSs connected to them. These MSCs will then be the
Gateway MSC for many of the calls they handle.

The visited MSC (V-MSC) is the MSC where a customer is currently
located. The VLR associated with this MSC will have the subscriber's data
in it. The anchor MSC is the MSC from which a handover has been initiated.
The target MSC is the MSC toward which a handover should take place. A
mobile switching centre server is a part of the redesigned MSC concept
starting from 3GPP.

Mobile switching centre server (MSCS):-
The mobile switching centre server is a soft-switch variant of the mobile
switching centre, which provides circuit-switched calling, mobility
management, and GSM services to the mobile phones roaming within the
area that it serves. MSS functionality enables a split between the control
plane (signalling) and the user plane (the bearer, carried in a network
element called the media gateway/MG), which guarantees more optimal
placement of network elements within the network. Together, the MSS and the
media gateway (MGW) make it possible to cross-connect circuit switched calls
using IP, ATM AAL2 as well as TDM. More information is available in
3GPP TS 23.205.

Other GSM core network elements connected to the MSC:-


The MSC connects to the following elements:

The home location register (HLR) for obtaining data about the SIM and
mobile services ISDN number (MSISDN; i.e., the telephone number).

The base station subsystem which handles the radio communication with 2G and
2.5G mobile phones.

The UMTS terrestrial radio access network (UTRAN) which handles the radio
communication with 3G mobile phones.

The visitor location register (VLR) for determining where other mobile
subscribers are located.

Other MSCs for procedures such as handover.

Implemented procedures:-
Tasks of the MSC include:

Delivering calls to subscribers as they arrive based on information from the
VLR.

Connecting outgoing calls to other mobile subscribers or the PSTN.

Delivering SMSs from subscribers to the short message service centre
(SMSC) and vice versa.

Arranging handovers from BSC to BSC.

Carrying out handovers from this MSC to another.

Supporting supplementary services such as conference calls or call hold.

Generating billing information.

Home location register (HLR):-


The home location register (HLR) is a central database that contains details
of each mobile phone subscriber that is authorized to use the GSM core
network. There can be several logical, and physical, HLRs per public land
mobile network (PLMN), though one international mobile subscriber
identity (IMSI)/MSISDN pair can be associated with only one logical HLR
(which can span several physical nodes) at a time.

The HLR stores details of every SIM card issued by the mobile phone
operator. Each SIM has a unique identifier called an IMSI which is the
primary key to each HLR record.

The next important items of data associated with the SIM are the MSISDNs,
which are the telephone numbers used by mobile phones to make and
receive calls. The primary MSISDN is the number used for making and
receiving voice calls and SMS, but it is possible for a SIM to have other
secondary MSISDNs associated with it for fax and data calls. Each MSISDN
is also a primary key to the HLR record. The HLR data is stored for as long
as a subscriber remains with the mobile phone operator.

Examples of other data stored in the HLR against an IMSI record are:

GSM services that the subscriber has requested or been given.

GPRS settings to allow the subscriber to access packet services.

Current location of subscriber (VLR and serving GPRS support node/SGSN).

Call divert settings applicable for each associated MSISDN.

The HLR is a system which directly receives and processes MAP
transactions and messages from elements in the GSM network, for example,
the location update messages received as mobile phones roam around.

Other GSM core network elements connected to the HLR:-


The HLR connects to the following elements:

The G-MSC for handling incoming calls

The VLR for handling requests from mobile phones to attach to the network

The SMSC for handling incoming SMS

The voice mail system for delivering notifications to the mobile phone that a
message is waiting

The AUC for authentication and ciphering and exchange of data (triplets)

Procedures implemented:-
The main function of the HLR is to manage the fact that SIMs and phones
move around a lot. The following procedures are implemented to deal with
this:

Manage the mobility of subscribers by means of updating their position in
administrative areas called 'location areas', which are identified with a LAC.
When a user moves from one LA to another, the HLR follows the move with a
location area update procedure.

Send the subscriber data to a VLR or SGSN when a subscriber first roams
there.

Broker between the G-MSC or SMSC and the subscriber's current VLR in
order to allow incoming calls or text messages to be delivered.

Remove subscriber data from the previous VLR when a subscriber has
roamed away from it.

Authentication centre (AUC):-

Description:-
The authentication centre (AUC) is a function to authenticate each SIM card
that attempts to connect to the GSM core network (typically when the phone
is powered on). Once the authentication is successful, the HLR is allowed to
manage the SIM and services described above. An encryption key is also
generated that is subsequently used to encrypt all wireless communications
(voice, SMS, etc.) between the mobile phone and the GSM core network.

If the authentication fails, then no services are possible from that particular
combination of SIM card and mobile phone operator attempted. There is an
additional form of identification check performed on the serial number of the
mobile phone described in the EIR section below, but this is not relevant to
the AUC processing. Proper implementation of security in and around the
AUC is a key part of an operator's strategy to avoid SIM cloning.

The AUC does not engage directly in the authentication process, but instead
generates data known as triplets for the MSC to use during the procedure.
The security of the process depends upon a shared secret between the AUC
and the SIM called the Ki. The Ki is securely burned into the SIM during
manufacture and is also securely replicated onto the AUC. This Ki is never
transmitted between the AUC and SIM, but is combined with the IMSI to
produce a challenge/response for identification purposes and an encryption
key called Kc for use in over the air communications.
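
The triplet exchange described above, together with the Kc derivation from section 1.4 (128 output bits, last 54 kept, ten zero-bits appended), as an added Python example that is not part of the original report. HMAC-SHA-256 is a stand-in for the operator's authentication and A8 algorithms and is not COMP128; the class names, function names and sample keys are constructed, and in this example the IMSI only selects which stored Ki the AUC uses.

```python
import hashlib
import hmac
import secrets
from typing import Dict, NamedTuple, Optional, Tuple


class Triplet(NamedTuple):
    rand: bytes  # 128-bit random challenge
    sres: bytes  # 32-bit signed response
    kc: bytes    # 64-bit session key


def prf_stand_in(ki: bytes, rand: bytes, label: bytes) -> bytes:
    """Stand-in keyed function producing 128 bits. NOT COMP128."""
    return hmac.new(ki, label + rand, hashlib.sha256).digest()[:16]


def signed_response(ki: bytes, rand: bytes) -> bytes:
    """Authentication output (A3 in the GSM specifications): the 32-bit SRES."""
    return prf_stand_in(ki, rand, b"auth")[:4]


def session_key(ki: bytes, rand: bytes) -> bytes:
    """A8 as the text describes it: keep the last 54 of 128 bits, append ten zeros."""
    out = int.from_bytes(prf_stand_in(ki, rand, b"keygen"), "big")
    last_54 = out & ((1 << 54) - 1)
    # Shifting left by 10 appends the ten zero bits, so only 54 bits of Kc vary.
    return (last_54 << 10).to_bytes(8, "big")


class AuthCentre:
    """AUC side: holds Ki per IMSI and hands out triplets; Ki itself never leaves."""

    def __init__(self) -> None:
        self.ki_by_imsi: Dict[str, bytes] = {}

    def enroll(self, imsi: str, ki: bytes) -> None:
        if len(ki) != 16:
            raise ValueError("Ki must be 128 bits")
        self.ki_by_imsi[imsi] = ki

    def generate_triplet(self, imsi: str, rand: Optional[bytes] = None) -> Triplet:
        ki = self.ki_by_imsi[imsi]
        rand = secrets.token_bytes(16) if rand is None else rand
        if len(rand) != 16:
            raise ValueError("RAND must be 128 bits")
        return Triplet(rand, signed_response(ki, rand), session_key(ki, rand))


class Sim:
    """SIM side: computes SRES and Kc from the received RAND and its own Ki."""

    def __init__(self, ki: bytes) -> None:
        self.ki = ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        return signed_response(self.ki, rand), session_key(self.ki, rand)


def msc_authenticate(triplet: Triplet, sim: Sim) -> Optional[bytes]:
    """MSC side: send RAND, compare SRES in constant time, return Kc on success."""
    sres, _kc_held_by_sim = sim.respond(triplet.rand)
    if hmac.compare_digest(sres, triplet.sres):
        return triplet.kc
    return None


if __name__ == "__main__":
    ki = bytes(range(16))                  # constructed sample key
    auc = AuthCentre()
    auc.enroll("310684451000", ki)         # IMSI taken from the example range in 1.2.7
    triplet = auc.generate_triplet("310684451000")
    print("genuine SIM :", msc_authenticate(triplet, Sim(ki)))
    print("wrong Ki    :", msc_authenticate(triplet, Sim(bytes(16))))
    print("low 10 bits :", int.from_bytes(triplet.kc, "big") & 0x3FF)
```

Only RAND, SRES and Kc cross between the entities, and the ten fixed zero bits mean the ciphering key has 54 bits of variability rather than 64.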

Visitor location register (VLR):-

Description:-
The visitor location register is a temporary database of the subscribers who
have roamed into the particular area which it serves. Each base station in the
network is served by exactly one VLR, hence a subscriber cannot be present
in more than one VLR at a time.

The data stored in the VLR has either been received from the HLR, or
collected from the MS. In practice, for performance reasons, most vendors
integrate the VLR directly to the V-MSC and, where this is not done, the
VLR is very tightly linked with the MSC via a proprietary interface.

Data available in VLR includes:

IMSI (the subscriber's identity number).

Authentication data.

MSISDN (the subscriber's phone number).

GSM services that the subscriber is allowed to access.

Access point (GPRS) subscribed.

The HLR address of the subscriber.

Other GSM core network elements connected to the VLR:-
The VLR connects to the following elements:

The V-MSC to pass needed data for its procedures; e.g., authentication or
call setup.

The HLR to request data for mobile phones attached to its serving area.

Other VLRs to transfer temporary data concerning the mobile when they
roam into new VLR areas. For example, the temporary mobile subscriber
identity (TMSI).

Procedures implemented:-
The primary functions of the VLR are:

To inform the HLR that a subscriber has arrived in the particular area
covered by the VLR.

To track where the subscriber is within the VLR area (location area) when
no call is ongoing.

To allow or disallow which services the subscriber may use.

To allocate roaming numbers during the processing of incoming calls.

To purge the subscriber record if a subscriber becomes inactive whilst in the
area of a VLR. The VLR deletes the subscriber's data after a fixed time
period of inactivity and informs the HLR (e.g., when the phone has been
switched off and left off or when the subscriber has moved to an area with
no coverage for a long time).

To delete the subscriber record when a subscriber explicitly moves to
another, as instructed by the HLR.

Equipment Identity Register (EIR):-


The equipment identity register is often integrated to the HLR. The EIR
keeps a list of mobile phones (identified by their IMEI) which are to be
banned from the network or monitored. This is designed to allow tracking of
stolen mobile phones. In theory all data about all stolen mobile phones
should be distributed to all EIRs in the world through a Central EIR. It is
clear, however, that there are some countries where this is not in operation.
The EIR data does not have to change in real time, which means that this
function can be less distributed than the function of the HLR. The EIR is a
database that contains information about the identity of the mobile
equipment that prevents calls from stolen, unauthorized or defective mobile
stations. Some EIR also have the capability to log Handset attempts and
store it in a log file.

Other support functions:-


Connected more or less directly to the GSM core network are many other
functions.

Billing centre (BC):-


The billing centre is responsible for processing the toll tickets generated by
the VLRs and HLRs and generating a bill for each subscriber. It is also
responsible for generating the billing data of roaming subscribers.

Short message service centre (SMSC):-


The short message service centre supports the sending and reception of text
messages.

Multimedia messaging service centre (MMSC):-


The multimedia messaging service centre supports the sending of
multimedia messages (e.g., images, audio, video and their combinations) to
(or from) MMS-enabled Handsets.

Voicemail system (VMS):-


The voicemail system records and stores voicemails.

2.1 Signaling used :-


The basic signaling implemented is Digital Signaling. There are two types of
Digital Signaling. They are:

CAS-Channel Associated Signal.

CCS-Common Channel Signal.

In GSM, CCS 7 signaling is adopted.

Common Channel Signaling 7


Common Channel Signaling 7 (CCS7 or C7), also known as Signaling
System #7 (SS7), is a telecommunications protocol suite defined by the ITU-T
which is used by the telephone companies for interoffice signaling. SS7
uses out-of-band or common-channel signaling (CCS) techniques. SS7/C7
uses a separate packet-switched network for the signaling purpose. SS7 is
known as C7 outside North America.

The primary function of SS7 / C7 is to provide call control, remote network
management, and maintenance capabilities for the inter-office telephone
network. SS7 performs these functions by exchanging control messages
between SS7 / C7 telephone exchanges (signaling points or SPs) and SS7 /
C7 signaling transfer points (STPs). Basically, the SS7 / C7 control network
tells the switching office which paths to establish over the circuit-switched
network. The STPs route SS7 control packets across the signaling network.
A switching office may or may not be an STP.

The SS7 network and protocol are used for providing intelligent network
services such as:

• basic call setup, management, and tear down


• wireless services such as personal communications services (PCS),
wireless roaming, and mobile subscriber authentication

The current SS7 / C7 network, one of the largest data networks in the world,
connects together local telcos, cellular, and long-distance networks
nationwide and worldwide.

Protocol Structure - SS7/C7: Signaling System # 7 for Telephony Signaling

The SS7/C7 protocol suite covers all 7 layers of the OSI model, as shown in
the following diagram:

Application Service Part (ASP) - ASP provides the functions of Layers 4
through 6 of the OSI model.

Bearer Independent Call Control protocol (BICC) - BICC is a call control
protocol based on ISUP used between serving nodes to support the ISDN
services independent of the bearer technology and signalling message
transport technology used.

B-ISDN User Part (BISUP) - BISUP is an ATM protocol intended to support
services such as high-definition television (HDTV), multilingual TV, voice
and image storage and retrieval, video conferencing, high-speed LANs and
multimedia.

Data User Part (DUP) - DUP defines the necessary call control, and facility
registration and cancellation related elements for international common
channel signalling by use of SS7 for circuit-switched data transmission
services.

ISDN User Part (ISUP) - ISUP supports basic telephone call
connect/disconnect between end offices. ISUP was derived from TUP, but
supports ISDN and intelligent networking functions. ISUP also links the
cellular and PCS network to the PSTN.

Mobile Application Part (MAP) - MAP is used to share cellular subscriber
information among different networks.

Message Transfer Part (MTP) - MTP spans the physical, data link and network
layers. It defines what interface is to be used, provides the network with
sequenced delivery of all SS7 message packets, and provides routing,
message discrimination and message distribution functions.

Signalling Connection Control Part (SCCP) - SCCP provides end-to-end
routing. SCCP is required for routing TCAP messages to their proper
database.

Transaction Capabilities Application Part (TCAP) - TCAP facilitates
connection to an external database.

Telephone User Part (TUP) - TUP is an analog protocol that performs basic
telephone call connect and disconnect.

2.2 Advantages of CCS#7/SS7:-


The same signaling link is used, so a number of separate signaling links
are removed. It can serve a larger number of customers, since only 4 bits
are needed for signaling, which are carried at a 2 Mbps rate.

In terms of the OSI layers, the application, presentation and session layers
are needed, and their functions are provided here under different
categories. Transport of information is provided by the SCCP (Signalling
Connection Control Part). Network, data link and physical layer functions
are implemented under the name of MTP (Message Transfer Part), which is
classified as MTP1, MTP2 and MTP3. Application-oriented functions are
provided under the name of the User layer.

Here the point code includes the OPC (Origin of the Point Code) and the DPC
(Destination of Point Code). For security purposes, the TMSI (Temporary
Mobile Subscriber Identity), which is assigned by the VLR, is used over the
air instead of the IMSI. After getting the TMSI, LAI and cell ID, the MSC
will check for the VLR. When the LAI is mismatched, the BTS will send the
new LAI to the MS. The LAI is also transferred at the home HLR and VLR.
The data rate on the air interface is 5.6 kbps at half rate and 13 kbps at
full rate. The TCU is used for converting 13 kbps (BSC) to 64 kbps (MSC).

2.3 Functions of MSC:-


Provisioning, Service provisioning, Call processing, Switching, Charging,
Paging, Handovers, Management of logical radio link, Management between
various entities, communication with HLR, VLR and with other MSC,
control of connected BSC.

In the call processor, one block is allocated as a memory block for storing
CDR (call detailed record) data, such as the time duration, that is
generated after completion of a call. Another piece of equipment, called the
data storage unit, is a hard disk. After the CDR block is filled, the MSC
pushes it to the data storage unit. The billing application is categorized
according to the user. The signaling or signal processing unit is used for
processing signaling messages.

2.4 Functions of HLR:-


Storage of subscriber data, which includes the IMSI and MSISDN. Subscriber
parameters, which include prepaid, postpaid, roaming, STD, ISD, validity,
payment etc. Service parameters, which include basic (voice data, SMS),
supplementary (CLIP, call forward, waiting and barring) and value added
(PRPT). Location registration, which also includes VLR data that gives the
current location.

2.5 Functions of VLR:-


It includes HLR data. It also includes the HLR register number. It provides
location updating. It provides the TMSI for security purposes. It includes
the status of the mobile station. It organizes subscriber data of the home
PLMN and also visitor's data.

2.6 Functions of AuC:-


It generates authentication vectors and triplets, which are computed by
using the Ki parameter that is available in the SIM card and in the HLR or
AuC. In the HLR the IMSI is used, and in the VLR the TMSI and IMSI are used.
Then the channel and time slot will be allotted. Ki includes 8 octets
individually having 4 hexadecimal numbers.

CHAPTER-3

NORTEL SWITCH AND ITS FUNCTIONS


We are going to study about the MSC – GSM Digital Switch

Different vendors like NORTEL Networks, MOTOROLA, SIEMENS, HUAWEI etc. are
manufacturing the GSM MSC switches.

The NORTEL Networks switch is taken for our study.

3.1 DMS-Digital Multiplexing Switch:-

It has the following features. When a mobile user makes a call, it has to
reach the MSC for switching. The MSC does the call processing, call routing
and switching of the calls originated from the mobile user or calls
terminating to the mobile users.

3.1.1 Architecture:
The architecture of the DMS uses modular concepts in both hardware and
software. Each hardware module has its own microprocessor. By distributing
microprocessor controlled modules throughout the DMS, the master Central
Processing Unit (CPU) is relieved of many time-consuming functions and
thus can perform higher level functions.

3.2 DMS Features:-


The DMS (Digital Multiplexing Switch) has the following features. To
complete these calls, MSCs are connected to each other. A call may go
through several offices before reaching its destination. COs are connected
via trunks. Some DMS-type switches are purchased by long-distance carriers
and are regulated by the Federal Communication Commission (FCC) in the
North American market.

It is a software-controlled, large scale switching system. The new generation
of is a multiprocessor environment, with shared memory, allowing for
parallel processing, scalable capacity and increased reliability. The HLR
delivered on the extended Core Architecture (XA_Core) multiprocessor
platform allows a greater number of active subscribers. XA_core replaces the
existing BRISC processor and memory and the System Load Module (SLM) in both
the Supernode and Supernode SE (SNSE) modules.

3.3 Main functional blocks Nortel Switch:-


The major functional blocks of the Nortel switch are described below. The
DMS Bus connects all the nodes/components of the switch and performs
intercommunication between them. It acts as an interface to all elements:

• Call processor
• Switching processor
• Data manager
• Integrated services module
• Signaling unit
• Trunk terminating unit

The three functional layers of the DMS-MSC hardware architecture that
make up the functional hardware entities are:

Service Processing Hardware:

• Call Processor (XA_core) & Data Manager (SDM)

Messaging and Connectivity Hardware:

• Switching Network - Enhanced NETwork (ENET)
• Connectivity Bus - DMS-Bus (also called Message Switch or MS)

Physical access hardware:

• Peripheral modules (PMs)
• Link peripheral processors (LPPs)
• Input/output modules (IOMs)

3.3.1 XA-Core :-
It is the computing engine for the entire DMS-MSC and is a part of the
service processing hardware layer of the DMS-MSC. It controls all events
on switch, including call processing, call accounting and switching
performance. It contains a dedicated processor system known as Supporting
Operating System (SOS).

3.3.2 XA-Core functions:-


Call feature processing, call supervision (monitoring and control functions
associated with a call), translation of call address digits (telephone
numbers), selection of outgoing trunks, ENET connection control, a subset of
the ISDN user part (the user part is a portion of the ISDN protocol),
operation, administration and maintenance of DMS components, loading of
switch software and monitoring of processor sanity, loading of peripheral
software.

ENET: Enhanced Network


It is a non-blocking single stage Time Switch.
Each cross point card has 2000 input channels and 2000 output channels.
That is, 2000 calls can be switched simultaneously by providing one cross
point card.

Since all elements are expandable and modular in nature, the number of cross
point cards can be increased according to the needs of the switch.

ISM (Integrated Service Module):


Various announcements, tones and call conferencing are controlled by this
unit. The ISM includes the EDRAM (Enhanced Digital Recording Announcement
Machine).

AXU - Alarm Cross connect Unit - Alarm extension and display is also
provided for the security of the components of the Nortel networks.

SPDC (Power Distribution cabinet)

The SPDC (Power Distribution cabinet) provides the power supply for all the
cabinets. The input voltage for all the cabinets is -48 V DC. A power plant
is installed which converts the commercial AC supply and derives the -48 V
DC supply for the working of the MSC and other relevant units.

A battery backup facility is also available to cover AC power supply
failures. In all the cabinets, DC-to-DC power converters are equipped for
delivering different DC outputs like +5 volt, -5 volt, -9 volt etc. for the
functioning of the cards available in the shelves.

Different communication links connect the elements to MS BUS.

OC-3 link: data rate 155.52Mbps.

DS-512 link: data rate 49.152Mbps.

DS-30 link: data rate 2.56Mbps.

For example, the connectivity from the XA-Core to the MS Bus is an OC-3 link.

3.4 Hardware Equipment of Nortel Networks:-


The hardware equipment includes the following items:

Cards: A card is a printed circuit board carrying electronic components.
Cards are also known as circuit packs and are equipped in shelves.

Shelves: A shelf contains a number of slots for the provision of cards. Each
shelf does a specific function and houses the relevant cards. For example,
the ENET shelf holds all the switching cross point cards and their control
processors.

Cabinets: Also known as bays or frames, these are enclosed metal framework
structures that hold up to four shelves.

DMS-MSC: It consists of a combination of cabinets.

The external distribution cables, their associated protective devices, and the
internal cable to the central office line unit terminals are wired and laced
neatly.

3.5 OMC-S Design Features:-

OMCS : Operation Maintenance Controlled Switch:- A server-client
configuration technique is adopted for performing the OMCS function. Network
service platform is the application to be loaded on the server and client
systems for connecting the server with the client. CEM (Core Element
Manager) is the application used for managing all the core elements of the
DMS.

By using the network service platform and CEM, the existing design
features can be displayed. The hardware details, the cards present, the
shelves connected, dummy cards, the connections between cards and the
current status of the cards can be viewed by using this design concept.

The opening of the platform is shown as follows: Since the main design is
concerned with the Chennai location, the Chennai lab is assigned the name
CHNLAB.

By opening the entire group, the details are furnished with an indication of
the main MSC of that connection. The connections to this MSC can be studied
through the Core Element Manager of the chosen MSC.

This can be illustrated as follows:

Here the total no. of alarms over the DMS MSC is displayed and also its
nature is indicated by different colours. The next step of the design is to
show the connected elements of the Chennai MSC. This will illustrate the
elements as NET, COMPCORE, CCS, TRKGRP, MS. The details will be
further included while discussing the interior parts of the elements.

This display is shown below:

The arrow mark in the design shows the details of the sub-components that
are connected to the MSC.

Here COMPCORE is considered, showing the components that are attached to
it. The colour indication identifies the status of the element.

The arrow mark indicates the further components attached to it.

Further, XAC-0 (XA-Core) shows the further components that are attached to
it. These components indicate the service they provide to the core
components.

Here the XA-Core consists of many shelves that include the cards specified
for particular applications. It also includes both the rear and front parts,
where different functions are carried out. This basically includes both the
SM (Shared Memory) and the PE (Processor Element), which control the basic
data needed for control purposes.

The basic design is illustrated as follows:

The next item considered is CCS (Common Channel Signal). This item is
configured for signaling purposes. This configuration is done at the call
processor. It is used for configuring signaling from the MSC to various
routes. These signaling links carry information pertaining to connected
nodes, that is, other MSCs, BSCs, PSTN exchanges, etc.

The link set includes the circuits that are configured for the basic
functions. The basic components involved in both the link set and the
route set are TESTBSCTL, TESTCDOT and LIGHTGSMTL.

Their functions are as follows: TESTBSCTL is used for moving the control to
the BSC, TESTCDOT is used for moving the control to the PSTN exchange, and
LIGHTGSMTL is used for moving the control to another MSC.

The other component included here is NET, which has the basic structure of
shelves with front and rear parts. It mainly provides the network and the
routing of the different paths or components that are connected to it.

The major parts included in it are the link and the clock circuit. The link
is controlled over the circuits that are assigned for the specific purpose.
It basically includes the circuits that enable different functions.

The clock provides a function similar to that of the synchronizing clock
present in microprocessors. Since the basic data controller is a
microprocessor, it includes a clock for its functions.

The Trunk: The trunk components included in this design configure the
functions as two way trunk, BCC trunk, MSC trunk, trunk sum.

The trunk is the unit where all the components are terminated. It provides
the route for all the connections.

The basic trunk design includes the following components:

The further design processing of the 2W_TRK includes LIGHTGSMTL, TESTCODT
and the other components that are connected with the 2W_TRK. Each basic
unit connected to this 2W_TRK performs its own task. LIGHTGSMTL helps in
the connection to the other MSC. TESTCODT helps in the connection to the
PSTN Exchange. Since it is the terminating point for all the components,
the number of connections to the trunking unit exceeds that of the other
components.

The connections with the different units are as follows:

The trunk unit indicates the different users that are connected to it. It is
connected with TESTCODT. In this design, 31 users are connected with the
trunk unit simultaneously.

CHAPTER-4

DATA INPUTS NEEDED FOR STUDY PURPOSE AND OBSERVATION

Mobile Subscriber Roaming:-


When a mobile subscriber roams into a new location area (new VLR), the
VLR automatically determines that it must update the HLR with the new
location information, which it does using an SS7 Location Update Request
Message. The Location Update Message is routed to the HLR through the
SS7 network, based on the global title translation of the IMSI that is stored
within the SCCP Called Party Address portion of the message. The HLR
responds with a message that informs the VLR whether the subscriber
should be provided service in the new location.

Mobile Subscriber ISDN Number (MSISDN) Call Routing:-


When a user dials a GSM mobile subscriber's MSISDN, the PSTN routes the
call to the Home MSC based on the dialed telephone number. The MSC
must then query the HLR based on the MSISDN, to attain routing
information required to route the call to the subscribers' current location.

The MSC stores global title translation tables that are used to determine the
HLR associated with the MSISDN. When only one HLR exists, the
translation tables are trivial. When more than one HLR is used however, the
translations become extremely challenging, with one translation record per
subscriber (see the example below). Having determined the appropriate HLR
address, the MSC sends a Routing Information Request to it.

When the HLR receives the Routing Information Request, it maps the
MSISDN to the IMSI, and ascertains the subscribers' profile including the
current VLR at which the subscriber is registered. The HLR then queries the
VLR for a Mobile Station Roaming Number (MSRN). The MSRN is
essentially an ISDN telephone number at which the mobile subscriber can
currently be reached. The MSRN is a temporary number that is valid only
for the duration of a single call.

The HLR generates a response message, which includes the MSRN, and
sends it back across the SS7 network to the MSC. Finally, the MSC attempts
to complete the call using the MSRN provided.

Adding a Second HLR to the GSM Network:-


As a GSM wireless carrier's subscriber base grows, it will eventually
become necessary to add a second HLR to their network. This requirement
might be prompted by a service subscription record storage capacity issue,
or perhaps an SS7 message processing performance issue. It might possibly
be prompted by a need to increase the overall network reliability.

The new HLR can be populated with service subscription records as new
subscribers are brought into service or existing service subscription records
can be ported from the old HLR to the new HLR to more evenly distribute
the SS7 traffic load.

Typically, when new subscribers are brought into service, the second HLR
will be populated with blocks of IMSI numbers that are allocated when new
MSE equipment is ordered. As the following example shows, this grouping
of IMSI numbers within a single HLR simplifies the routing translations that
are required within the SS7 network for VLR to HLR Location Update
Request transactions. Global Title Translation (GTT) tables will contain
single translation records that translate an entire range of IMSIs numbers
into an HLR address. Even if some individual records are moved between
the HLRs, as shown in the example, the treatment of IMSIs as blocks results
in a significant simplification of the Global Translation tables.

Much more complicated SS7 message routing Global Title Translations are
required for Routing Information Request transactions between the MSCs
distributed over the entire wireless carrier serving area and the two or more
HLRs. MSC Routing Information Requests are routed to the appropriate
HLR based on the dialed MSISDN and not the IMSI. Unlike the IMSI
numbers, the MSISDN numbers cannot easily be arranged in groups to
reside within a single HLR and therefore, the MSC must contain an
MSISDN to HLR address association record for every mobile subscriber
homed on each of the MSCs. As the example illustrates, the MSC routing
tables quickly grow much more extensive than the STP tables. The network
administration becomes increasingly complex and prone to error.
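
The two kinds of translation table described above, as an added Python example that is not part of the original report: IMSI blocks with per-subscriber exceptions at the STP, one MSISDN record per subscriber at the MSC, and an audit that flags MSISDN records disagreeing with the IMSI translation. The IMSI blocks, MSISDNs and HLR names are constructed sample values.

```python
from bisect import bisect_right


class ImsiGtt:
    """IMSI -> HLR translation: whole blocks plus per-subscriber exceptions."""

    def __init__(self, blocks, exceptions=None):
        # blocks: (first_imsi, last_imsi, hlr). IMSIs are 15-digit strings,
        # so plain string comparison orders them numerically.
        self.blocks = sorted(blocks)
        for (_, prev_last, _), (next_first, _, _) in zip(self.blocks, self.blocks[1:]):
            if next_first <= prev_last:
                raise ValueError("overlapping IMSI blocks")
        self.starts = [first for first, _, _ in self.blocks]
        # Records moved individually between HLRs override their block.
        self.exceptions = dict(exceptions or {})

    def lookup(self, imsi):
        """Return the HLR for an IMSI, or None if no record covers it."""
        if imsi in self.exceptions:
            return self.exceptions[imsi]
        i = bisect_right(self.starts, imsi) - 1
        if i >= 0 and imsi <= self.blocks[i][1]:
            return self.blocks[i][2]
        return None

    def record_count(self):
        return len(self.blocks) + len(self.exceptions)


def audit_msisdn_table(subscribers, imsi_gtt, msisdn_table):
    """Compare the per-subscriber MSISDN table with the IMSI translation.

    Returns (msisdn, problem, expected_hlr) tuples, where problem is
    "missing" (no MSISDN record) or "stale" (record names the wrong HLR).
    """
    findings = []
    for imsi, msisdn in subscribers:
        expected = imsi_gtt.lookup(imsi)
        actual = msisdn_table.get(msisdn)
        if actual is None:
            findings.append((msisdn, "missing", expected))
        elif actual != expected:
            findings.append((msisdn, "stale", expected))
    return findings


# Constructed sample data: two IMSI blocks, one subscriber ported to HLR-2.
IMSI_GTT = ImsiGtt(
    blocks=[
        ("001010000000000", "001010000499999", "HLR-1"),
        ("001010000500000", "001010000999999", "HLR-2"),
    ],
    exceptions={"001010000000002": "HLR-2"},
)
SUBSCRIBERS = [
    ("001010000000001", "919442000001"),
    ("001010000000002", "919442000002"),  # ported from HLR-1 to HLR-2
    ("001010000500001", "919442000003"),
    ("001010000500002", "919442000004"),
]
MSISDN_TABLE = {
    "919442000001": "HLR-1",
    "919442000002": "HLR-1",  # not updated when the record was ported
    "919442000003": "HLR-2",
    # 919442000004 was never provisioned
}

if __name__ == "__main__":
    print("IMSI records:", IMSI_GTT.record_count())
    print("MSISDN records:", len(MSISDN_TABLE))
    for finding in audit_msisdn_table(SUBSCRIBERS, IMSI_GTT, MSISDN_TABLE):
        print(finding)
```

The IMSI side needs three records however many subscribers fall inside the two blocks, while the MSISDN side needs one record per subscriber and is where the audit finds the errors.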

4.1 HLR data:-
It provides data for subscriber creation by adding entries in the data tables.
There are four tables to be accessed and subscriber entries to be added.

• GHLRAUTH
• GHLRBSVC
• GHLRSSOP
• GHLRDATA

The data will be entered in the table by giving the command “ADD”

GHLRAUTH:-
In this table the GSM HLR gets authenticated. The IMSI and Ki values are
entered in this table. In this table the IMSI number gets its format from
the ICCID (Integrated Circuit Card Identity) number. The ICCID is the number
that is available on the back side of the SIM card.

It is the one which provides the MCC, MNC and MSIN, where MCC (Mobile
Country Code) represents the country of the MSC, MNC (Mobile Network Code)
represents the network operator of the MSC, and MSIN (Mobile Subscriber
Identity Number) is the unique subscriber number. It is derived from the
ICCID by using the following format.

The format available is: 12-11-10-0-14-15-16-17-18-19. In this order the
IMSI number will be derived.

Integrated Circuit Card Identifier: SIM Module:

Used for deriving the unique mobile subscriber's ID through IMSI and ISDN
numbers

ICCID format – 20 digits

• 1-2 = Industrial code of the telecom (89)
• 3-4 = Country code (91)
• 5-6 = Mobile network code (74/XX)
• 7th = Last digit of the year (2011=1)
• 8-9 = Month (mm)
• 10th = For future use
• 11th = Zonal code
• 12th = HLR code
• 13th = Prepaid/Postpaid
• 14-19 = Running counter (Random)
• 20 = Check digit generated by Luhn formula
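
An added Python example, not part of the original report: it splits a 20-digit ICCID into the fields listed above, verifies the Luhn check digit before the value is used for table entry, and derives the 10-digit MSIN in the order 12-11-10-0-14-15-16-17-18-19. It assumes those numbers are 1-based ICCID digit positions and that the "0" is a literal zero; the sample ICCID is constructed.

```python
# Field layout from the list above: (name, first digit, last digit), 1-based.
ICCID_FIELDS = [
    ("industry_code", 1, 2),
    ("country_code", 3, 4),
    ("network_code", 5, 6),
    ("year_digit", 7, 7),
    ("month", 8, 9),
    ("future_use", 10, 10),
    ("zonal_code", 11, 11),
    ("hlr_code", 12, 12),
    ("prepaid_postpaid", 13, 13),
    ("running_counter", 14, 19),
    ("check_digit", 20, 20),
]

# Derivation order "12-11-10-0-14-15-16-17-18-19" from the text.
# Assumption: numbers are 1-based ICCID positions, None marks the literal 0.
MSIN_ORDER = [12, 11, 10, None, 14, 15, 16, 17, 18, 19]

# Constructed sample: 19 digits following the layout plus its Luhn digit.
SAMPLE_ICCID = "89917410605314200071"


def luhn_check_digit(body: str) -> int:
    """Return the Luhn check digit for the digits that precede it."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:      # rightmost body digit and every second one
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def parse_iccid(iccid: str) -> dict:
    """Validate a 20-digit ICCID and return its fields as strings."""
    if len(iccid) != 20 or not (iccid.isascii() and iccid.isdigit()):
        raise ValueError("ICCID must be exactly 20 decimal digits")
    if luhn_check_digit(iccid[:-1]) != int(iccid[-1]):
        raise ValueError("Luhn check digit mismatch: ICCID mistyped or corrupted")
    return {name: iccid[first - 1:last] for name, first, last in ICCID_FIELDS}


def derive_msin(iccid: str) -> str:
    """Build the MSIN from ICCID digits in the order given in the text."""
    parse_iccid(iccid)  # reject malformed input before deriving anything
    return "".join("0" if pos is None else iccid[pos - 1] for pos in MSIN_ORDER)


if __name__ == "__main__":
    for name, value in parse_iccid(SAMPLE_ICCID).items():
        print(f"{name:17} {value}")
    print("MSIN", derive_msin(SAMPLE_ICCID))
```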

After getting the number, the corresponding Ki value and the CS value are
entered.

By using the ‘format pack’ command the details will get aligned.

By using the ‘lis all’ command all the details are listed.

Here enter the MCC, MNC and MSIN number that is to be generated, along with
the Ki and CS values. Also include the value of MKVER (MK Version) as 1,
ALSEL (Algorithm Selector) as 8 and ALGPARM_SEL as NIL.

GHLRBSVC:-
This table provides basic service to the network and provides identity for a
newly entered mobile subscriber. Mainly it provides some basic telephony
services.

Here also the “format pack” and “lis all” commands are used for viewing the
details.

By using the add command, enter the MCC, MNC, MSIN, BSVC-TPHNY (telephony)
and the SIM number that we have generated as CC-91, NDC-94, SN-42000007,
and BCI-SEL as nil. This will provide the telephony service for the SIM
card number that has been generated. It is illustrated as follows:

GHLRSSOP:-
This table provides some supplementary services like caller ID, call waiting,
call forwarding, call diverting, Calling Line Identification Presentation
(CLIP) etc.

By using the format pack and lis all commands, view all the contents of the
table. Similarly, by using the add command, enter the IMSI number and confirm
SSPROV as CLIP and override as Not Permitted (NP). This is confirmed by
answering yes to the commands.

GHLRDATA:-
It provides data for the activation of the number; the activated status is
set in this table only. It is the table by which the mobile gets activated
for further commitments.

By using pos (the positioning command), take the control to the current
location in our field value. Then by using cha (the changing command),
change the values that need changing; otherwise just press enter, which
will not change the value.

4.2 HLRADMIN:-

It is a tool used to view the details from the HLR regarding the current SIM
number that has been uploaded. It provides the details about the MSISDN,
VLR, Location Update, MSC number, services provided to them etc.

Entering ‘qmsisdn’ followed by the MSISDN number will provide the details
about the number.

4.3 CCS-7 Signaling:-

It provides basic signaling features for the subscribers. It allows a common
channel for the subscribers, thereby reducing the number of channels that
are associated. The links that are served by this channel are illustrated in
table format, where further details like networking and hardware details
are also provided.

CHAPTER-5

CALL PROCESSING

5.1 Mobility management:-


The Mobility Management layer (MM) is built on top of the RR layer, and
handles the functions that arise from the mobility of the subscriber, as well
as the authentication and security aspects. Location management is
concerned with the procedures that enable the system to know the current
location of a powered-on mobile station so that incoming call routing can be
completed.

5.2 Location updating:-


A powered-on mobile is informed of an incoming call by a paging message
sent over the PAGCH channel of a cell. One extreme would be to page every
cell in the network for each call, which is obviously a waste of radio
bandwidth. The other extreme would be for the mobile to notify the system,
via location updating messages, of its current location at the individual cell
level. This would require paging messages to be sent to exactly one cell, but
would be very wasteful due to the large number of location updating
messages. A compromise solution used in GSM is to group cells into
location areas. Updating messages are required when moving between
location areas, and mobile stations are paged in the cells of their current
location area.

The location updating procedures, and subsequent call routing, use the MSC
and two location registers: the Home Location Register (HLR) and the
Visitor Location Register (VLR). When a mobile station is switched on in a
new location area, or it moves to a new location area or different operator's
PLMN, it must register with the network to indicate its current location. In
the normal case, a location update message is sent to the new MSC/VLR,
which records the location area information, and then sends the location
information to the subscriber's HLR. The information sent to the HLR is
normally the SS7 address of the new VLR, although it may be a routing
number. The reason a routing number is not normally assigned, even though
it would reduce signaling, is that there is only a limited number of routing
numbers available in the new MSC/VLR and they are allocated on demand
for incoming calls. If the subscriber is entitled to service, the HLR sends a
subset of the subscriber information, needed for call control, to the new
MSC/VLR, and sends a message to the old MSC/VLR to cancel the old
registration.

For reliability reasons, GSM also has a periodic location updating procedure.
If an HLR or MSC/VLR fails, to have each mobile register simultaneously
to bring the database up to date would cause overloading. Therefore, the
database is updated as location updating events occur. The enabling of
periodic updating, and the time period between periodic updates, is
controlled by the operator, and is a trade-off between signaling traffic and
speed of recovery. If a mobile does not register after the updating time
period, it is deregistered.

A procedure related to location updating is the IMSI attach and detach. A
detach lets the network know that the mobile station is unreachable, and
avoids having to needlessly allocate channels and send paging messages. An
attach is similar to a location update, and informs the system that the mobile
is reachable again. The activation of IMSI attach/detach is up to the operator
on an individual cell basis.

5.3 Authentication and security:-


Since the radio medium can be accessed by anyone, authentication of users
to prove that they are who they claim to be, is a very important element of a
mobile network. Authentication involves two functional entities, the SIM
card in the mobile, and the Authentication Center (AuC). Each subscriber is
given a secret key, one copy of which is stored in the SIM card and the other
in the AuC. During authentication, the AuC generates a random number that
it sends to the mobile. Both the mobile and the AuC then use the random
number, in conjunction with the subscriber's secret key and a ciphering
algorithm called A3, to generate a signed response (SRES) that is sent back
to the AuC. If the number sent by the mobile is the same as the one
calculated by the AuC, the subscriber is authenticated.

The same initial random number and subscriber key are also used to
compute the ciphering key using an algorithm called A8. This ciphering key,
together with the TDMA frame number, use the A5 algorithm to create a
114 bit sequence that is XORed with the 114 bits of a burst (the two 57 bit
blocks). Enciphering is an option for the fairly paranoid, since the signal is
already coded, interleaved, and transmitted in a TDMA manner, thus
providing protection from all but the most persistent and dedicated
eavesdroppers.
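
The challenge-response and ciphering steps described above, together with the triplets generated by the AuC (section 2.6), as an added Python example that is not part of the original report. A3, A8 and A5 are replaced here by labelled stand-ins built on HMAC-SHA-256 and SHA-256, chosen only so the example runs; the field sizes (128-bit RAND and Ki, 32-bit SRES, 64-bit Kc, 114-bit keystream) follow GSM, and the IMSI and key values used with it are constructed.

```python
import hashlib
import hmac
import secrets


def a3_a8_standin(ki, rand):
    """Return (SRES, Kc) for a key and challenge.

    Stand-in for the operator's A3/A8 algorithms, NOT the real ones.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]  # 32-bit SRES, 64-bit Kc


class AuC:
    """Network side: holds Ki per IMSI and issues (RAND, SRES, Kc) triplets."""

    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi, ki):
        self._ki_by_imsi[imsi] = ki

    def triplet(self, imsi):
        rand = secrets.token_bytes(16)  # fresh 128-bit challenge per attempt
        sres, kc = a3_a8_standin(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


class Sim:
    """Subscriber side: Ki stays on the card, only results leave it."""

    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand):
        return a3_a8_standin(self._ki, rand)


def authenticate(auc, sim):
    """Run one challenge-response. Return (network_kc, sim_kc) or None."""
    rand, expected_sres, network_kc = auc.triplet(sim.imsi)
    # Only RAND (downlink) and SRES (uplink) cross the air interface.
    sres, sim_kc = sim.respond(rand)
    if not hmac.compare_digest(sres, expected_sres):
        return None  # wrong Ki: subscriber is not authenticated
    return network_kc, sim_kc


def a5_standin_keystream(kc, frame_number):
    """114-bit keystream from Kc and the TDMA frame number (A5 stand-in)."""
    block = hashlib.sha256(kc + frame_number.to_bytes(4, "big")).digest()
    return int.from_bytes(block, "big") >> (256 - 114)


def cipher_burst(burst, kc, frame_number):
    """XOR a 114-bit burst with the keystream; the same call deciphers."""
    if burst < 0 or burst >> 114:
        raise ValueError("burst must fit in 114 bits")
    return burst ^ a5_standin_keystream(kc, frame_number)


if __name__ == "__main__":
    ki = secrets.token_bytes(16)               # constructed subscriber key
    auc = AuC()
    auc.provision("001010000000001", ki)       # constructed test IMSI
    print("genuine SIM:", authenticate(auc, Sim("001010000000001", ki)) is not None)
    print("wrong Ki:   ", authenticate(auc, Sim("001010000000001", bytes(16))) is not None)
```

Because the keystream depends on the frame number, the same Kc produces a different 114-bit sequence for every burst.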

Another level of security is performed on the mobile equipment itself, as
opposed to the mobile subscriber. As mentioned earlier, each GSM terminal
is identified by a unique International Mobile Equipment Identity (IMEI)
number. A list of IMEIs in the network is stored in the Equipment Identity
Register (EIR). The status returned in response to an IMEI query to the EIR
is one of the following:

White-listed - The terminal is allowed to connect to the network.

Grey-listed - The terminal is under observation from the network for
possible problems.

Black-listed - The terminal has either been reported stolen, or is not type
approved (the correct type of terminal for a GSM network). The terminal is
not allowed to connect to the network.

5.4 Call routing:-


Unlike routing in the fixed network, where a terminal is semi-permanently
wired to a central office, a GSM user can roam nationally and even
internationally. The directory number dialed to reach a mobile subscriber is
called the Mobile Subscriber ISDN (MSISDN), which is defined by the
E.164 numbering plan. This number includes a country code and a National
Destination Code which identifies the subscriber's operator. The first few
digits of the remaining subscriber number may identify the subscriber's HLR
within the home PLMN.

An incoming mobile terminating call is directed to the Gateway MSC
(GMSC) function. The GMSC is basically a switch which is able to
interrogate the subscriber's HLR to obtain routing information, and thus
contains a table linking MSISDNs to their corresponding HLR. A
simplification is to have a GMSC handle one specific PLMN. It should be
noted that the GMSC function is distinct from the MSC function, but is
usually implemented in an MSC.

The routing information that is returned to the GMSC is the Mobile Station
Roaming Number (MSRN), which is also defined by the E.164 numbering
plan. MSRNs are related to the geographical numbering plan, and not
assigned to subscribers, nor are they visible to subscribers.

The most general routing procedure begins with the GMSC querying the
called subscriber's HLR for an MSRN. The HLR typically stores only the
SS7 address of the subscriber's current VLR, and does not have the MSRN
(see the location updating section). The HLR must therefore query the
subscriber's current VLR, which will temporarily allocate an MSRN from its
pool for the call. This MSRN is returned to the HLR and back to the GMSC,
which can then route the call to the new MSC. At the new MSC, the IMSI
corresponding to the MSRN is looked up, and the mobile is paged in its
current location area (see Figure 4).

Authentication, Ciphering and Equipment Validation Phases:-

The Authentication and Ciphering phases that might be performed here to
set up a mobile-to-land call are the same as seen before in the location
update scenarios. The Equipment Validation phase is done in the same way as
in the mobile-to-land scenario. The call with the mobile is set up; a voice
path is created between the MS and the MSC by allocating a radio traffic
channel and a voice trunk.
• After the MSC receives a setup a voice path is created between the
MS is informed that a call will be setup via a setup message
• The MS, upon receiving a setup message, performs compatibility
checking before responding to the setup message. It is possible that
the MS might be incompatible for certain types of call setup. Assuming
that the MS passes compatibility checking, it acknowledges the call
setup with a setup confirm message
• In this scenario it is assumed that the mobile subscriber answers the
phone. The MS in response to this action stops alerting and sends a
connect message to the MSC
• The MSC removes audible to the PSTN and connects the PSTN trunk
to the BSS trunk(terrestrial channel) and sends a connect message via
the GMSC to the PSTN. The caller and called party now have a
complete talk path. This event typically denotes the beginning of the
call for billing purposes
• The MSC sends the MS a connect acknowledgment message

5.5 Steps involved in call processing:-

5.5.1 Steps in release phase network initiated:-

• The release triggered by the land user is done in a similar way as the
release triggered by the mobile user
• The MSC receives a Release message from the network to terminate
the end-to-end connection
• This causes the sending of a disconnect message toward the MS
• The MS answers with a release message. The MSC releases the
connection to the PSTN.
The mobile-to-mobile call is established using the same phases as seen
earlier
• The originating mobile part, where the phases are the same as those of
a mobile-to-land call except that the call setup phase is partially
performed, which means that only the call setup with the mobile is done
• The terminating mobile part consists of the same phases as the
land-to-mobile call scenario, except again that the call setup phase
performs only the call setup with the mobile

5.5.2 Originating Mobile

The phases of Originating Mobile: Request for service,
Authentication (optional), Ciphering (optional), Equipment
validation (optional), call setup, release.

5.5.3 Terminating Mobile

The phases of Terminating Mobile: Routing analysis, Paging,
Authentication (optional), Ciphering (optional), Equipment
validation (optional), call setup, release.

5.5.4 Call release:-


The speech path is released. The user enters the digits of the telephone with
STD code in case of land line or without STD code in case of mobile and
presses the "send" key after all digits have been entered.
• MS transmits a channel request message over the Random Access
Channel (RACH)
• Once the BSS receives the Channel Request message, it allocates a
Stand-alone Dedicated Control Channel (SDCCH) and forwards this
channel assignment information to the MS over the Access Grant
Channel (AGCH). It is over the SDCCH that the MS will communicate
with the BSS and MSC until a traffic channel is assigned.
• The MS transmits a service request message to the BSS over the
SDCCH.
• Included in this message is the MS TMSI and Location Area
Identification (LAI). The BSS forwards the service request message to
the MSC/VLR.

5.5.5 Equipment Validation:-
The Mobile Equipment (ME) validation process is the means by which a
specific piece of ME can be identified to prevent the use of stolen,
unauthorized or malfunctioning equipment in the network. Each piece of
equipment is uniquely identified by an International Mobile Equipment
Identity (IMEI) code. The IMEI, which is incorporated into the ME by the
manufacturer, has three components:

• Type Approval Code (TAC)
• Final Assembly Code (FAC)
• Serial Number (SNR)

The IMEI code is secure and physically protected against
unauthorized change.
• The Equipment Identity Register (EIR) is responsible for storing the
IMEI codes that identify the mobile equipment deployed in the GSM
system.

5.5.6 Steps in Equipment Validation:-


At this point in time, the MS has been authenticated and the radio
channel is being encrypted. The MSC will interrogate the MS for its
equipment number and check the equipment against information in
the Equipment Identity Register (EIR).

• The MSC transmits a request to the MS requesting it to respond with
its IMEI
• The MS, upon receiving this request, reads its equipment serial
number and returns this value to the MSC
• The MSC then requests the EIR to check the IMEI for validity. The
EIR will first check to see if the IMEI value is within a valid range. If
so, it then checks to see if the IMEI is on a suspect or known list of
invalid equipment
• The EIR returns to the MSC the results of the IMEI validation. If the
results are negative, the MSC might abort the call or possibly let the
call continue but inform the network service provider of the event. In
this scenario we will assume that the IMEI is valid
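
The equipment validation steps above, as an added example that is not part of the original report or any operator's code. It assumes the 15-digit IMEI layout of a 6-digit TAC, 2-digit FAC, 6-digit SNR and a Luhn check digit (field widths from the GSM numbering specification, not this page); the `EIR` class, the TAC set standing in for the "valid range" check, and the reporting policy for grey-listed terminals are hypothetical.

```python
from dataclasses import dataclass, field


def luhn_check_digit(payload):
    """Luhn check digit over the 14 digits TAC + FAC + SNR."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch) * 2 if i % 2 == 0 else int(ch)  # double every second digit
        total += d - 9 if d > 9 else d
    return (10 - total % 10) % 10


def parse_imei(imei):
    """Split a 15-digit IMEI into the three components named in the text."""
    if len(imei) != 15 or not (imei.isascii() and imei.isdigit()):
        raise ValueError("IMEI must be 15 decimal digits")
    if luhn_check_digit(imei[:14]) != int(imei[14]):
        raise ValueError("check digit mismatch")
    return {"tac": imei[:6], "fac": imei[6:8], "snr": imei[8:14]}


@dataclass
class EIR:
    """Hypothetical in-memory EIR; real registers are operator databases."""
    approved_tacs: set                       # models the "valid range" check
    grey: set = field(default_factory=set)   # IMEIs under observation
    black: set = field(default_factory=set)  # IMEIs reported stolen

    def check(self, imei):
        try:
            tac = parse_imei(imei)["tac"]
        except ValueError:
            return "black"                   # malformed: treated as invalid
        if tac not in self.approved_tacs or imei in self.black:
            return "black"                   # not type approved, or stolen
        return "grey" if imei in self.grey else "white"


def msc_decision(status, abort_on_failure=True):
    """MSC policy from the steps above: abort, or continue and report."""
    if status == "white":
        return "continue"
    if status == "grey" or not abort_on_failure:
        return "continue-and-report"
    return "abort"


if __name__ == "__main__":
    sample = "490154203237518"               # sample IMEI, not from the page
    eir = EIR(approved_tacs={"490154"})
    print(parse_imei(sample), eir.check(sample), msc_decision(eir.check(sample)))
```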

5.5.7 Steps in call setup phase:-

The call is set up with the MS. A voice path is created between the MS and
the MSC by allocating a radio traffic channel and a voice trunk.
• The MS transmits a call setup request message to the MSC/VLR after
it has ciphered the radio channel. Included in this request message are
the dialed digits. The MSC, upon receiving the call setup request
message, will request the VLR to supply subscriber parameters
necessary for handling the call. The VLR will check for call barring
conditions, such as the MS being barred from making specific
outgoing calls (e.g. international calls) or possibly if some
supplementary services are active which prevent the call from being
granted. If the VLR determines that the call cannot be processed, the
VLR will provide the reason to the MSC. In this scenario, we will
assume that this procedure is successful. The VLR returns a message
to the MSC containing the service parameters for the particular
subscriber.
• The MSC informs the MS that the call is proceeding.

5.5.8 Voice Path Establishment:-

The next four steps involve establishing a voice path between the MSC and
the MS
• The MSC allocates a trunk to the BSS currently serving the MS. The
MSC sends a message to the BSS supplying it with the trunk number
allocated (TN), and requests the BSS to allocate a radio traffic
channel (TCH) for the MS
• The BSS allocates a radio traffic channel and transmits this
assignment to the MS over the SDCCH
• The MS tunes to the assigned radio traffic channel and transmits an
acknowledgement to the BSS.
• The BSS connects the radio traffic channel to the assigned trunk of the
MSC. Since a small portion of a radio traffic channel is available for
out-of-band signaling, the SDCCH is no longer used for signaling
between the BSS and MS. The BSS de-allocates the SDCCH. The
BSS then transmits a trunk and radio assignment complete message to
the MSC

5.5.9 Optional Phases:-


The authentication, ciphering, equipment validation and handover phases are
optional. The service provider may decide that some of these phases might
not take place in a land-to-mobile call.

The following is a scenario of a mobile-terminating call. It is assumed
that the MS is already registered with the system and has been allocated a
Temporary Mobile Identity Number (TMSI). It is also assumed that a land
subscriber dials the directory number of the mobile subscriber and the call
enters the GSM network via a Gateway MSC (GMSC).
• The PSTN routes the call to the GMSC of this directory number,
based on the Mobile Subscriber ISDN Number (MSISDN)
• The GMSC not knowing whether this MS is roaming in its own
service area or not sends a message with the MSISDN in it to the HLR
• The HLR requests the MSC/VLR to provide routing information
about this
• The MSC/VLR returns to the GMSC via the HLR a directory number
where the MS can be reached which is referred to as the MS Roaming
Number(MSRN)
• The call is routed from the GMSC to the visited MSC

5.6 Call capturing:-

The call has been initialized between the two mobile stations, into which
the newly activated SIM cards generated by us have been inserted.
Here the call has been initiated by 9442000007. First the request for the call
has been given to the MSC. From the MSC, the Base Station will receive an
acknowledgement. Then the call setup will be made, and then the paging
will be done by the MSC and the response will be received from the BS.
Then the ID request will be provided and then the call setup is made, from
which the connection is made and the alert will be given to the opponent.
After the conversation is over the call will get released, and when the
opponent also gets cancelled the set up clear of the call set up will be
provided.

5.7 CALL DETAIL RECORD View:-

The calling details, called duration, date and time of the call, number of calls
made, the MSC number and also further details will be recorded in a file known
as CDR (Customer Detailed Record). It is the one in which the details will be
furnished and can be retrieved later. It is highly used in cases where the
details are needed for authentication purposes, or for verifying whether an
entry belongs to the white, grey or black list.

The details for the calls generated by the number created by us will be
stored in the CDR file as follows:
The CDR file will be stored in the root file, which can be entered by logging
in and entering the password. This will provide the contents of the root file.
It contains a list having many options, which include set, listfile, query
etc…

The further details can be obtained as from the table is tools and from there
cdr view can be analyzed by giving the corresponding file name from where
the further details can be obtained. From which the date, time and further
details can be obtained.

Here the ICCID number is 899174503421200083, and the MSISDN number
is 1240000083. The SIM card number considered here is 919442000008. For
the other party, the ICCID number is 899174503421200084
and the IMSI number is 1240000084. The MSISDN number considered here
is 91942000007.

The details of the called number and the details have been furnished as
above for the given numbers.

CONCLUSION

We have studied the Network & Switching Subsystem in GSM. Now
we know call connecting, call routing and location updating, and what the
procedures are to create a subscriber and give other facilities like call
forwarding, call waiting and conference call.

Call recorder billing section how the location identity. We tested this
practically in BSNL RGMTTC.
