04 Tm2106euo1 - Eg0001 CDMA System Performance

CDMA System Performance Siemens
CDMA System Performance
Contents
1 Digital Transmission 3
1.1 PCM30: Transmission in GSM fixed network part 6
2 PCM30 9
3 Power Control in CDMA 15
3.1 Effect of No Power Control 16
3.2 The NEAR – FAR Problem 18
3.3 Classification of Power Control Techniques 20
3.4 Power Control Techniques for DS-CDMA 22
3.4.1 REVERSE LINK OPEN-LOOP POWER CONTROL 24
3.4.2 FORWARD LINK POWER CONTROL 26
3.4.3 REVERSE LINK POWER CONTROL 27
3.4.4 REVERSE LINK CLOSED-LOOP POWER CONTROL 28
3.5 RAKE Receiver 31
3.5.1 RAKE Receiver Structure 34
4 HANDOFF 37
4.1 SOFT HANDOVER 38
4.1.1 THE IMPORTANCE OF SOFT HANDOFF 38
4.2 Softer Handover 40
4.3 Implementation of SOFT HANDOVER 42
5 MULTIUSER DETECTION 45
6 CDMA Security Codes 48
7 Security in CDMA 55
7.1 Authentication 58
7.2 Voice Privacy 60
8 Security in GSM 67
8.1 Encryption for secrecy in GSM 68
8.2 TMSI allocation 70
8.3 IMEI Check 72
TM2106EU01EG_0001
1
Siemens
TM2106EU01EG_0001
2
Digital Transmission
TM2106EU01EG_0001
3
Siemens
As mentioned befor, that voice speech undergoes several processes through the network
like: -
• Analog to Digital conversion (A/D).
• Speech Compression.
The reason for voice digitizing is to enable it to be transmitted through distances without
distortion or degradiation by using PCM or Pulse Code Modulation, and the amount of
information can be reduced by using Speech Compression by using CELP or Code Excited
Linear Predictive.
TM2106EU01EG_0001
4
Fig.1
Fig.2
TM2106EU01EG_0001
5
Siemens
1.1 PCM30: Transmission in GSM fixed network part

Information (conversations, data, signaling) is exclusively transmitted digitally via
PCM30 lines in the GSM-PLMNs fixed network part.
Pulse Code Modulation – PCM Sampling values of a speech information are transmitted
using binary code words (digitally) in PCM.
Due to the digital structure of the message, the PCM signals are less susceptible to
interference than analogue signals. Regenerators reconstruct the original digital signal at
the receiving end. Analogue signals, on the other hand, can only be amplified (including
noise peaks).
Amongst other things, during Pulse Code Modulation (PCM) an analogue oscillation is
converted into a digital signal. A PCM signal can be transmitted alone or be embedded in a
TDMA frame with other PCM signals (multiplexing). The conversion of an analogue
telephone signal into a digital signal is carried out in
Three steps:
1. Band limitation: A bandpass filter restricts the incoming signal to the audible frequencies,
i.e. to 300 to 3400 Hz.
2. Sampling: Sampling values are taken at fixed intervals from the limited telephone signal.
The sampling frequency must be greater than twice the highest frequency within the
analogue signal (Shannon Theorem). Internationally specified: 8000 Hz.
3. 8-bit coding: Every amplitude value of the sampled (Pulse Amplitude Modulated -
PAM) signal is transformed into an 8-bit word. The 8-bit word enables the analogue signal
to be represented in 256 quantization intervals.
Since the transmission of an 8-bit word requires only a portion of the sampling interval (125
micro seconds) of the analogue signal, the 8-bit information is temporally multiplexed
(TDMA-procedure). 8 bits are transmitted in each time slot.
Using PCM30 transmission systems, a total of 30 digital user values can be transmitted in
the time frame of the sampling period of an analogue value, i.e. in 125 microseconds.
TM2106EU01EG_0001
6
Fig.3
TM2106EU01EG_0001
7
Siemens
TM2106EU01EG_0001
8
2 PCM30
TM2106EU01EG_0001
9
Siemens
PCM30 transmission systems use digital transmission lines or radio relay. A PCM30 frame
consists of 32 time multiplexed time slots.
The 32 time slots can contain pulse code modulated message information (speech, data) or
signaling information in the form of 8-bit words.
The total bit rate of a PCM30 line is 2048 kbit/s
• Time slot 0: alternately frame identification word and service word (alarms).
• Time slots 1-15 and 17-31: calls or data.
• Time slot 16: signaling channel.
The pulse frames are transmitted in a direct sequence.
TM2106EU01EG_0001
10
Fig.4
TM2106EU01EG_0001
11
Siemens
• Code Excited Linear Predictive (CELP)

The key to reduce the bit rate is to send information about the speech instead of the
speech itself.
CELP samples the frequency componenets of the speech by using an algorithm, which
describes the speech in terms of different parameters.
These parameters are represented as the Linear Prediction of the speech.
This representation of parameters requires fewer bits to be represented and therefore the
speech is considered as compressed.
At the receiving end, these parameters are used to control a speech synthesizer, which
uses the inverse algorith to return the speech back.
The CELP conversion in CDMA is performed using Vocoding and Transcoding.
Vocoding converts the analog speech to compressed digital voice data (CELP).
Transcoding transforms the PCM formatted data into compressed formatted data (CELP).
TM2106EU01EG_0001
12
Fig.5
TM2106EU01EG_0001
13
Siemens
TM2106EU01EG_0001
14
3 POWER CONTROL in CDMA
TM2106EU01EG_0001
15
Siemens
In recent years the cellular communications market has exploded. The main goal of cellular
communications systems is to enable communication services irrespective of time and
location.
Due to the dramatic increase in number of users and In order to meet the growing demands
of subscribers for different kinds of services, such as conferencing, multimedia, data base
access, Internet, etc., it is necessary to have higher data rates up to 2Mb/s and more
stringent Quality of Service (QoS) requirements.
Since it is necessary to have higher data rates and more stringent QoS requirements, new
transmission technologies and improved radio resource management, especially power
control, and handoff, are required for cellular communication systems.
Power control is one of the most important system requirement, and it is analyzed for
cellular networks based on FDMA and TDMA, and for DS-CDMA cellular networks, In most
modern systems, both base stations and mobiles have the capability of real-time (dynamic)
adjustment of their transmit powers.
3.1 Effect of NO Power Control:

In case of no power control, if a mobile station signal is received at the base station with a
too low level of received power [MS is far from the cell site, or in an unusual high
attenuation channel], High level of interference is experienced by this mobile and its
performance (BER) will be degraded.
On the other hand, if the received power level is too high, the performance of this mobile is
acceptable, but increases interference to all other mobile stations that using the same
channel.
The necessity for power control in FDMA/TDMA-based cellular networks stems from the
requirement for co-channel interference management. This type of interference is caused
by frequency reuse due to limited available frequency spectrum. By a proper power
adjustment, the harmful effects of co-channel interference can be reduced. This allows a
more "dense" reuse of resources and thus higher capacity.
Fast power control is essential in CDMA systems. Since many subscribers transmit in the
same frequency band and as the same frequency can be used in principle in each cell
(re-use = 1), each user can cause interference for the others.
The power control is used to limit interferences. The capacity of the CDMA systems is
mainly limited by the level of the (inter-and intra-cell) interferences.
As a result, an optimized power control greatly optimizes the system capacity.
The power control is also used to solve the called “NEAR-FAR” problem.
TM2106EU01EG_0001
16
Fig.6
TM2106EU01EG_0001
17
Siemens
3.2 The NEAR – FAR Problem
For different UE with identical transmission power, the power received at the BTS of UE
located near the BTS is more powerful than the power of the more remote UE. This mean
that only the information of the UE near to the BTS can be interpreted . This must be
prevented as much as possible. In ideal cases , the power received at the BTS is identical
for all UE served by the BTS (assuming the transfer rates are identical) . This ideal situation
also represents the maximum capacity of the cell .
Genuine fast power control is necessary because of the mobility of the UE. This mobility
causes rapid variation in the attenuation of the power of the UE. Let us consider the shown
example:
If the mobiles are permitted to transmit the same power from two different distances, the
ratio of the received signals at the base station will be as in equation (1).
Equation (1) implies that if d1 ≠ d2 the received signal will be different for different mobiles
depending on the propagation environment and the respective distances. For example, if
d2 = 4d1 and γ = 4 (typical dense urban environment), P (UE1) from mobile1 will be 256
times (24dB) stronger than P (UE2) from mobile2, and the base station receiver will be
unable to recover P (UE1). Therefore, the transmitting power of each mobile has to be
controlled so that its received power at the cell site is constant to a predetermined level,
irrespective of the distance. Therefore, the objective of the mobile power control is to
produce a nominal received power from all mobiles in a given cell or a sector.
Because of that, well-defined power control is essential for proper functioning of the DS-
CDMA system. In the absence of power control the capacity of the DS-CDMA mobile
system is very low, even lower than that of mobile systems based on FDMA.
One of the reasons for the use of power control both in FDMA/TDMA and in DS-CDMA
networks is to prolong battery life by using a minimum of transmitter power to achieve the
required transmission quality.
According to the above-mentioned facts, for proper operation of a modern high-capacity

cellular radio system, power control is an essential feature.
TM2106EU01EG_0001
18
Fig.7
P (UE1)/ P (UE2) = (d2 /d1) γ (1)

Where
P(UE1) = received signal power from mobile 1.
P(UE2) = received signal power from mobile 2.
d1 & d2 = distances between mobil1 and mobile2 and the BTS respectively
γ = path-loss slope (propagation environment).
TM2106EU01EG_0001
19
Siemens
3.3 Classification of Power Control Techniques
According to what is measured to determine power control command, power control

techniques can be classified into three categories:
• Strength-based.
• SIR-based.
• BER-based.
• Strength-based.
In strength-based schemes the strength of a signal arriving at the base station from a
mobile is measured to determine whether it is higher or lower than the desired strength.
The command to lower or rais the transmit power is made accordingly.
• SIR-based.
In SIR-based schemes the measured quantity is the SIR where interference consists of
channel noise and multi-user interference. Strength-based power control is easier to
implement but SIR-based power control reflects better system performance such as QoS
and capacity. A serious problem associated with SIR-based power control is the potential to
get positive feedback to endanger the stability of the system. Positive feedback arises in a
situation when one mobile under instructions from the base station has to raise its transmit
power in order to deliver a desirable SIR to the base station, but the increase in its power
also results in an increase in interference to other mobiles so that these other mobiles are
then forced to also increase their power, etc. In the case of N mobiles in the system, this
becomes a typical non-cooperative N-person game problem.
• BER-based.
In BER-based power control, BER is defined as an average number of erroneous bits
compared to the original sequence of bits. If the signal and interference powers are
constant, the BER will be a function of the SIR, and in this case the QoS is equivalent.
However, in reality the SIR is time-variant and thus the average SIR will not correspond to
the average BER. In this case the BER is a better quality measure. Since the channel
coding is implemented in every practical system, power control can be based on the
average number of erroneous frames as well.
According to update strategies, power control algorithms can be classified as follows: -
• Those where the transmit power step size is fixed (fixed step size algorithm)
• Those where the transmit power step size is made adaptive to the channel variation.
TM2106EU01EG_0001
20
Fig.8
TM2106EU01EG_0001
21
Siemens
A specific example of the adaptive step size approach is the inverse update algorithm,
which increases or decreases the mobile users' transmit power by the actual difference
between the received signal power and the desired received signal power.
Power control command in fixed step size algorithms is a simple 1-bit command. It has
been shown that the inverse algorithm is superior to the fixed step size algorithm. However,
the fixed step size algorithm is easier to implement because the inverse algorithm needs
additional bandwidth on the return channel to carry the power control step size instead of
the1-bit control command as in fixed step size algorithm. A compromise would be to use an
adaptive delta-modulation algorithm.
TM2106EU01EG_0001
22
3.4 Power Control Techniques for DS-CDMA
One of the possible classifications is:

• Power control for reverse link (from mobiles to base stations).
• Power control for forward link (from base stations to mobiles).
Power control for DS-CDMA reverse link is the single most important system requirement
because of the Near/ Far effect. In this case, it is necessary to have a dynamic range for
control on the order of 80dB . For the forward link, no power control is required in a single
cell system, since all signals are transmitted together and hence vary together. However in
multiple cell systems, interference from neighboring cell sites fades independently from the
given cell site and thereby degrades performance. Thus it is necessary to apply power
control in this case also, to reduce intercell interference.
Also, power control techniques can be classified as follows:

• Closed-loop power control.
• Open-loop power control.
A combined technique consisting of closed-loop and open-loop power control
Closed-loop power control is feasible in a terrestrial cellular environment. However, in
mobile communications systems using multiple low earth orbital satellites, the fades occur
too rapidly for the closed-loop power control to track, due to the large round trip propagation
delay. In this case, the solution is open-loop power control.
In open-loop power control, the mobile user estimates the channel state on the forward link,
and this estimate is used as a measure of the channel state on the reverse link. These
techniques can compensate for path loss and large-scale variations such as shadowing,
but it is not possible to compensate multipath fading because reverse and forward links are
not correlated. It has been shown that capacity degrades by 5 percent for a 1dB open-loop
power control error, by 25 percent for a 2dB power control error, and by 44 percent for a
3dB power control error.
Power controls for DS-CDMA according to the IS-95 standard consists of reverse link open-
loop power control, reverse link closed-loop power control, and forward link power control.
TM2106EU01EG_0001
23
Siemens
3.4.1 Reverse link open-loop power control
Reverse link (mobile to base station) open loop power control is accomplished by adjusting
the mobile transmit power so that the received signal at the base station is constant
irrespective of the mobile distance; where each mobile computes the relative path loss and
compensates the loss by adjusting its transmitting power. The total received power at the
cell site is the sum of all powers, which determines the system capacity. As shown we can
say that the reverse link open loop power control is primarily a function of the mobile
stations. The base stations take an active role in the reverse link closed-loop power control
and the forward link power control.
TM2106EU01EG_0001
24
Fig. 9
TM2106EU01EG_0001
25
Siemens
3.4.2 Forward link power control:
Forward link (base station to mobile) power control is a one step process .The base station
controls its transmitting power so that a given mobile receives extra power to overcome
fading, interference, BER, etc. In this mechanism, the cell site reduces its transmitting
power while the mobile computes the frame error rate (FER). Once the mobile detects 1%
FER, it sends a request to stop the power reduction .The adjustment process occurs once
every 15 to 20 ms.
TM2106EU01EG_0001
26
3.4.3 Reverse Link Power Control
Power control for the reverse link is a combined technique consisting of closed-loop and
open-loop power controls. Also, it is a fixed step size algorithm and strength-based
distributed algorithm. The goal of open-loop power control is the estimation of a path loss
and a loss due to shadowing between the base and the mobile station. According to this
process, the mobiles transmit the initial power control signal.
However, multipath fading in a reverse and a forward DS-CDMA link is an independent
process since the frequency separation of these links is 45MHz and it greatly exceeds the
coherent bandwidth of the channel. Thus, closed-loop power control is used. Every cell site
demodulator measures the received signal-to-noise ratio (SNR) from each mobile station.
The measured SNR is compared to the desired SNR for that mobile station and a power
adjustment command is sent to the mobile station. This power adjustment command is
combined with the mobile station open-loop estimate to obtain the final value of the mobile
station transmit power. This command has the fixed step size of 0.5dB and it is transmitted
at a rate of once every 1.25ms. The base station measures the signal quality (BER) and
based on that determines the desired SNR for specific mobile station. In previously
described power control technique, the subscribers are power controlled by the base
station of their own cell. However, the interference level from subscribers in other cells
varies not only according to the attenuation in the path to the subscriber's cell site, but also
inversely to the attenuation from the interfering user to his own cell site, which through
power control by that cell site may increase or decrease the interference to the desired cell
site. It has been shown that the maximal number of subscribers in the cell is the highest
when there are no subscribers in the neighboring cells. As the number of subscribers in the
neighboring cells increases the maximal number of subscribers in the cell decreases. For
example, when there is a maximal number of users in the neighboring cells the reverse link
can support 108 users/cell, with 10–3 bit error rates better than 99 percent of the time. This
number becomes 132 users/cell if the neighboring cells are kept to half of this loading.
TM2106EU01EG_0001
27
Siemens
3.4.4 Reverse link closed-loop power control:
Reverse link closed-loop power control is accomplished by mans of power up or power

down command originating from the cell site. A single power control bit (1for power down
by 0.5 dB and 0 for power up by 0.5 dB) is inserted into the forward encoded data stream ,
every 1.25 ms. Upon receiving this command from the base station , the mobile responds
by adjusting the power by an amount (±0.5dB).
In order to lower processing delay and to save bandwidth in the forward link, command bits
for power control from the base to the mobile station are not coded and they are
susceptible to errors. It has been shown that every 1dB power control error standard
deviation increase roughly translates into a loss in capacity of 10 users.
The rate of power control adjustment command transmission must be high enough to
permit tracking of Raleigh fading in the reverse link. It is important that the latency in
determining the power control signal and the transmission process be kept small so that the
channel conditions will not change significantly before the control bit can be received and
acted upon. It has been shown that in a multi-cell system under flat fading conditions,
increasing the update rate from 800Hz to 2KHz, results in a capacity improvement on the
order of 50 percent. In the case of multipath fading, the capacity improvement is only 10
percent, and it can be concluded that increasing the update rate results in diminishing
capacity improvements, as the channel becomes more and more frequency-selective.
TM2106EU01EG_0001
28
Fig.10
TM2106EU01EG_0001
29
Siemens
TM2106EU01EG_0001
30
3.5 RAKE Receiver
TM2106EU01EG_0001
31
Siemens
A spread-spectrum signal waveform is well matched to the multipath channel. In a

multipath channel, the original transmitted signal reflects from obstacles such as buildings,
and mountains, and the receiver receives several copies of the signal with different delays.
If the signals arrive more than one chip apart from each other, the receiver can resolve
them. Actually, from each multipath signal’s point of view, other multipath signals can be
regarded as interference and they are suppressed by the processing gain. However, a
further benefit is obtained if the resolved multipath signals are combined using RAKE
receiver. Thus, the signal waveform of CDMA signals facilitates utilization of multipath
diversity. Expressing the same phenomenon in the frequency domain means that the
bandwidth of the transmitted signal is larger than the coherence bandwidth of the channel
and the channel is frequency selective (i.e., only part of the signal is affected by the fading).
TM2106EU01EG_0001
32
Fig.11
TM2106EU01EG_0001
33
Siemens
3.5.1 RAKE Receiver Structure

RAKE receiver consists of correlators, each receiving a multipath signal. After despreading
by correlators, the signals are combined using, for example, maximal ratio combining.
Since the received multipath signals are fading independently, diversity order and thus
performance are improved. Fig. Illustrates the principle of RAKE receiver. After spreading
and modulation the signal is transmitted and it passes through a multipath channel, which
can be modeled by a tapped delay line (i.e., the reflected signals are delayed and
attenuated in the channel). In Fig. We have three multipath components with different
delays (t1, t2, and t3) and attenuation factors (a1, a2, and a3), each corresponding to a
different propagation path. The RAKE receiver has a receiver finger for each multipath
component. In each finger, the received signal is correlated by a spreading code, which is
time-aligned with the delay of the multipath signal. After despreading, the signals are
weighted and combined. In Fig., maximal ratio combining is used, that is, each signal is
weighted by the path gain (attenuation factor). Due to the mobile movement the scattering
environment will change, and thus, the delays and attenuation factors will change as well.
Therefore, it is necessary to measure the tapped delay line profile and to reallocate RAKE
fingers whenever there is need. Small-scale changes, less than one chip, are taken care of
by a code-tracking loop, which tracks the time delay of each multipath signal.
TM2106EU01EG_0001
34
Fig.12
TM2106EU01EG_0001
35
Siemens
TM2106EU01EG_0001
36
4 HANDOFF
TM2106EU01EG_0001
37
Siemens
The act of transferring support of a mobile from one base station to another is termed
handoff. Handoff occurs when a call has to be handed off from one cell to another as the
user moves between cells. In a traditional "hard" handoff, the connection to the current cell
is broken, and then the connection to the new cell is made. This is known as a "break-
before-make" handoff.
In a CDMA system the same frequency band is shared between all the cells. Thus there is
well-defined efficient bandwidth utilization. Though there is frequency reuse , the orthogonal
nature of the waveforms serves to distinguish between the signals that occupy the same
frequency band.
4.1 SOFT HANDOVER

In soft handover a mobile station is connected to more than one base station
simultaneously. Soft handover is used in CDMA to reduce the interference into other cells
and to improve performance through macro diversity.
4.1.1 The Importance Of Soft Handoff
In power controlled CDMA systems soft handoff is preferred over hard handoff strategies.
This is more pronounced when the IS-95 standard is considered wherein the transmitter
[the base station] power is adjusted dynamically during the operation. Here the power
control and soft handoff are used as means of interference-reduction, which is the primary
concern of such an advanced communication system. The previous and the new wideband
channels occupy the same frequency band in order to make an efficient use of bandwidth,
which makes the use of soft handoff very important. The primary aim is to maintain a
continuous link with the strongest signal base station otherwise a positive power control
feedback would result in system problems. Soft handoff ensures a continuous link to the
base station from which the strongest signal is issued. Soft handoff requires less power,
which reduces interference and increases capacity.
TM2106EU01EG_0001
38
Fig.13
TM2106EU01EG_0001
39
Siemens
4.2 Softer Handover

Is a soft handover between two sectors of a cell. As known that, in a cellular system there
is spatial separation between cells using the same frequencies). This is called the
frequency reuse concept.
Because of the processing gain, such spatial separation is not needed in CDMA, and
frequency reuse factor of one can be used. Usually, a mobile station performs a handover
when the signal strength of a neighboring cell exceeds the signal strength of the current cell
with a given threshold. Since in a CDMA system the neighboring cell frequencies are the
same as in the given cell, this type of approach would cause excessive interference into the
neighboring cells and thus a capacity degradation. In order to avoid this interference, an
instantaneous handover from the current cell to the new cell would be required when the
signal strength of the new cell exceeds the signal strength of the current cell. This is not,
however, feasible in practice. The handover mechanism should always allow the mobile
station to connect into a cell, which it receives with the highest power (i.e., with the lowest
pathloss).
TM2106EU01EG_0001
40
Fig.14
TM2106EU01EG_0001
41
Siemens
4.3 Implementation of SOFT HANDOVER

Fortunately, the signal structure of CDMA is well suited for the implementation of soft
handover. This is because in the uplink, two or more base stations can receive the same
signal because of the reuse factor of one; and in the downlink the mobile station can
coherently combine the signals from different base stations since it sees them as just
additional multipath components. This provides an additional benefit called macro diversity
(i.e., the diversity gain provided by the reception of one or more additional signals).
A separate channel called pilot is usually used for the signal strength measurements for
handover purposes.
In the downlink, however, soft handover creates more interference to the system since the
new base station now transmits an additional signal for the mobile station. It is possible that
the mobile station cannot catch all the energy that the base station transmits due to a
limited number of RAKE fingers. Thus, the gain of soft handover in the downlink depends
on the gain of macro diversity and the loss of performance due to increased interference.
In the uplink the mobile station signal is received by the two base stations, which, after
demodulation and combining, pass the signal forward to the combining point, typically to
the base station controller (BSC). In the downlink the same information is transmitted via
both base stations, and the mobile station receives the information from two base stations
as separate multipath signals and can therefore combine them.
TM2106EU01EG_0001
42
Fig.15
TM2106EU01EG_0001
43
Siemens
TM2106EU01EG_0001
44
5 MULTIUSER DETECTION
TM2106EU01EG_0001
45
Siemens
The current CDMA receivers are based on the RAKE receiver principle, which considers
other users’ signals as interference. However, in an optimum receiver all signals would be
detected jointly or interference from other signals would be removed by subtracting them
from the desired signal. This is possible because the correlation properties between signals
are known (i.e., the interference is deterministic not random).
The capacity of a direct sequence CDMA system using RAKE receiver is interference
limited. In practice this means that when a new user, or interferer, enters the network, other
users’ service quality will go below the acceptable level. The more the network can resist
interference the more users can be served. Multiple access interference that disturbs a
base or mobile station is a sum of both intra- and inter-cell interference. Multiuser detection
(MUD), also called joint detection and interference cancellation (IC), provides a means of
reducing the effect of multiple access interference, and hence increases the system
capacity. In the first place MUD is considered to cancel only the intra-cell interference,
meaning that in a practical system the capacity will be limited by the efficiency of the
algorithm and the inter-cell interference. In addition to capacity improvement, MUD
alleviates the near/far problem typical to DS-CDMA systems. A mobile station close to a
base station may block the whole cell traffic by using too high a transmission power. If this
user is detected first and subtracted from the input signal, the other users do not see the
interference. Since optimal multiuser detection is very complex and in practice impossible
to implement for any reasonable number of users, a number of suboptimum multiuser and
interference cancellation receivers have been developed. The suboptimum receivers can
be divided into two main categories: linear detectors and interference cancellation. Linear
detectors apply a linear transform into the outputs of the matched filters that are trying to
remove the multiple access interference using too high a transmission power. If this user is
detected first and subtracted from the input signal, the other users do not see the
interference. Since optimal multiuser detection is very complex and in practice impossible
to implement for any reasonable number of users, a number of suboptimum multiuser and
interference cancellation receivers have been developed. The suboptimum receivers can
be divided into two main categories: linear detectors and interference cancellation. Linear
detectors apply a linear transform into the outputs of the matched filters that are trying to
remove the multiple access interference (i.e., the interference due to correlations between
user codes). Examples of linear detectors are decorrelator and linear minimum mean
square error (LMMSE) detectors. In interference cancellation multiple access interference is
first estimated and then subtracted from the received signal. Parallel interference
cancellation (PIC) and successive (serial) interference cancellation (SIC) are examples of
interference cancellation.
TM2106EU01EG_0001
46
Fig.16
TM2106EU01EG_0001
47
Siemens
TM2106EU01EG_0001
48
6 CDMA Security Codes
TM2106EU01EG_0001
49
Siemens
• A Key
A 64-bit cryptographic key variable stored in the semi-permanent memory of the mobile
station and also known to the Authentication Center (AC or HLR/AC) of the wireless
system. It is entered when the mobile station is first put into service with a particular
subscriber, and usually will remain unchanged unless the operator determines that its value
has been compromised. The A-key is used in the SSD generation procedure.
• SSD
SSD is a 128-bit pattern stored in the mobile station (in semi-permanent memory) and
readily available to the base station,
SSD is partitioned into two distinct subsets. Each subset is used to support a different
process.
SSD_A is used to support the authentication procedures; and
SSD_B is used to support CDMA voice privacy, and message confidentiality for CDMA
• SSD_A:
The SSD_A is a 64-bit binary quantity in the semi-permanent memory of the mobile station
and also known to the Authentication Center. It may be shared with the serving MSC.
• SSD_B
The SSD_B is used in the computation of the authentication response. A 64-bit binary
quantity in the semi permanent memory of the mobile station and also known to the
authentication Center. It may be shared with the serving MSC. It is used in the computation
of the CMEA key, VPM (Voice Privacy Mask) and Data Key (for data services).
• Random Challenge Memory (RAND)
A 32-bit value held in the mobile station. When operating in the analog mode, it is the
concatenation of the last RAND1_A and RAND1_B values received in Random Challenge
A and Random Challenge B Global Action Messages appended to the overhead message
train of the Forward Analog Control Channel. Both RAND1_A and RAND1_B must be
received on the same control channel and in the same Overhead Message Train in order
for a valid RAND to exist. When operating in the CDMA Mode, it is equal to the RAND
value received in the last Access Parameters Message of the CDMA Paging Channel.
RANDs is used in conjunction with SSD_A and other parameters, as appropriate, to
authenticate mobile station originations, terminations and registrations.
TM2106EU01EG_0001
50
Fig.17
Fig.18
TM2106EU01EG_0001
51
Siemens
• ESN:
The Electronic Serial Number ESN is a 32-bit binary number that uniquely identifies the
mobile station to any cellular system. It must be factory-set and not readily alterable in the
field. Modification of the ESN will require a special facility not normally available to
subscribers. The circuitry that provides the ESN must be isolated from fraudulent contact
and tampering. Electronic storage devices mounted in sockets or connected with a cable
are deemed not to comply with this requirement. Attempts to change the ESN circuitry must
render the mobile station inoperative. At the time of issuance of initial type acceptance, the
manufacturer shall be assigned a Manufacturer’s (MFR) Code within the eight most-
significant bits (bit 31 through bit 24) of the 32-bit serial number. Bits 23 through 18 shall be
reserved (initially all zero), and bits17 through 0 shall be uniquely assigned by each
manufacturer. When a manufacturer has used substantially all possible combinations of
serial numbers within bits 17 through 0, the manufacturer may submit notification to the
FCC. The FCC will allocate the next sequential binary number within the reserve block (bits
23 through 18).
• IMSI
Mobile stations are identified by the International Mobile Station Identity (IMSI). The IMSI
consists of up to 15 numerical characters (0-9). The first three digits of the IMSI are the
mobile country code (MCC), and the remaining digits are the national mobile station identity
(NMSI). The NMSI consists of the mobile network code (MNC) and the mobile station
identification number (MSIN).
An IMSI that is 15 digits in length is called a class 0 IMSI (the NMSI is 12 digits in length);
an IMSI that is less than 15 digits in length is called a class 1 IMSI (the NMSI is less than
12 digits in length). The IMSI_S is a 10-digit (34-bit) number derived from the IMSI. When
the IMSI has ten or more digits, IMSI_S is equal to the last ten digits. When the IMSI has
fewer than ten digits, the least significant digits of IMSI_S are equal to the IMSI and zeros
are added to the most significant side to obtain a total of ten digits. The 10-digit IMSI_S
consists of 3- and 7-digit parts, called IMSI_S2 and IMSI_S1, respectively; IMSI_S is
mapped into a 34-bit number.
• ORYX:
ORYX is the algorithm used to encrypt data sent over digital cellular phones. It is a stream
cipher based on three 32-bit LFSRs. It is distinct from CMEA, which is a block cipher used
to encrypt the cellular data control channel.
• CAVE:
CAVE expands to Cellular Authentication Voice and Encryption Algorithm.
• CMEA:
CMEA is the encryption algorithm developed by the Telecommunications Industry
Association to encrypt digital cellular phone data. It uses a 64-bit key and features a
variable block length. CMEA is used to encrypt the control channel of cellular phones. It is
distinct from ORYX, an also insecure stream cipher that is used to encrypt data transmitted
over digital cellular phones.
TM2106EU01EG_0001
52
Fig.19
Fig.20
Fig.21
Fig.22
TM2106EU01EG_0001
53
Siemens
TM2106EU01EG_0001
54
7 Security in CDMA
TM2106EU01EG_0001
55
Siemens
Since the birth of the cellular industry, security has been a major concern for both service
providers and subscribers. Service providers are primarily concerned with security to
prevent fraudulent operations such as cloning or subscription fraud, while subscribers are
mainly concerned with privacy issues.
The security protocols with CDMA networks are among the best in the industry.
By design, CDMA technology makes eavesdropping very difficult, whether intentional or
accidental.
Unique to CDMA systems, is the 42-bit PN (Pseudo-Random Noise) Sequence called
“Long Code” to scramble voice and data.
CDMA network security protocols rely on a 64-bit authentication key (A-Key) and the
Electronic Serial Number (ESN) of the mobile. A random binary number called RANDSSD,
which is generated in the HLR/AC, also plays a role in the authentication procedures.
The A-Key is programmed into the mobile and is stored in the Authentication Center (AC) of
the network. In addition to authentication, the A-Key is used to generate the sub-keys for
voice privacy and message encryption.
CDMA uses the standardized CAVE (Cellular Authentication and Voice Encryption)
algorithm to generate a 128-bit sub-key called the “Shared Secret Data” (SSD). The A-Key,
the ESN and the network-supplied RANDSSD are the inputs to the CAVE that generates
SSD. The SSD has two parts: SSD_A (64 bit), for creating authentication signatures and
SSD_B (64 bit), for generating keys to encrypt voice and signaling messages. The SSD can
be shared with roaming service providers to allow local authentication. A fresh SSD can be
generated when a mobile returns to the home network or roams to a different system.
TM2106EU01EG_0001
56
TM2106EU01EG_0001
57
Siemens
7.1 Authentication
Authentication is the process by which information is exchanged between a MS and the BS
for the purpose of confirming the identity of the MS. A successful outcome of the
authentication process will occur only when it can be demonstrated that the MS and BS
process identical sets of shared secret data (SSD). For example, in a CDMA authentication
protocol, a MS and BS each have matching sealed authenticators (i.e. identical SSD),
actually a short message digest of symbols produced and distributed by the authentication
algorithm.
The shared secret data (SSD) is a 128-bit pattern stored in the MS and readily available to
the BS. The SSD is partitioned into two distinct subsets used to support a different process,
that is SSD-A and SSD-B. The 64-bit SSD-A is used to support the authentication and the
64-bit SSD-B is used for CDMA voice privacy and data confidentiality.
SSD is updated using SSD-generation procedure initialized with the mobile station specific
information (ESN), random data (RANDSSD) and the mobile's
A-Key. The 64-bit A-key is stored in the mobile station and to its associated Home Location
Register / authentication Center (HLR/AC).
• When shall Authentication be performed?
Authentication is performed when the mobile is performing any of the following procedures.
1. Registration: When the mobile does autonomous registration.
2. Origination: When the mobile station originates a call.
3. Terminations: When the mobile station responds with a page message.
4. Mobile Station Data: When it sends a Data Burst Message. E.g. SMS
5. Base Station Challenge: During SSD Update.
TM2106EU01EG_0001
58
Fig.23
TM2106EU01EG_0001
59
Siemens
7.2 Voice privacy

Most of the voice privacy mask is ignored, but the last 42 bits are used as an offset for the
output of a linear feedback shift register. Cryptographically this is also not very strong, but
this output is used as a spreading code for the spread spectrum transmission. This means
that, without knowing the code in advance, it is difficult to even sort out the signal from the
background noise.
• Signaling data privacy
Data such as numbers dialed, short messages (paging), and DTMF tones are put into data
packets and are encrypted using CMEA (Cellular Message Encryption Algorithm). This is a
variable length block cipher, which works by a table walk using a key-derived somewhat
random table, a self-inverse “folding” and the inverse of the first step. This makes the
algorithm itself self-inverse, which isn’t such a hot idea in retrospect.
TM2106EU01EG_0001
60
Fig.24
Fig.25
Fig.26
TM2106EU01EG_0001
61
Siemens
Signaling Message Encryption

In an effort to enhance the authentication process and to protect sensitive subscriber
information (such as PINS), a method is available to encrypt certain fields of selected traffic
channel signaling messages.
Signaling message encryption is controlled for each call individually. The initial encryption
mode for the call is established by the value of the signaling encryption field in the
encryption message at the channel assignment. Every reverse traffic channel message
contains an encryption field, which identifies the message encryption mode active at the
time the message was created.
The mobile uses the SSD_B and the CAVE algorithm to generate a Private Long Code
Mask (derived from an intermediate value called Voice Privacy Mask, which was used in
legacy TDMA systems), a Cellular Message Encryption Algorithm (CMEA) key (64 bits),
and a Data Key (32 bits). The Private Long Code Mask is utilized in both the mobile and the
network to change the characteristics of a Long code. This modified Long code is used for
voice scrambling, which adds an extra level of privacy over the CDMA air interface. The
Private Long Code Mask doesn’t encrypt information, it simply replaces the well-known
value used in the encoding of a CDMA signal with a private value known only to both the
mobile and the network. It is therefore extremely difficult to eavesdrop on conversations
without knowing the Private Long Code Mask.
Additionally, the mobile and the network use the CMEA key with the Enhanced CMEA
(ECMEA) algorithm to encrypt signaling messages sent over the air and to decrypt the
information received. A separate data key , and an encryption algorithm called ORYX, are
used by the mobile and the network to encrypt and decrypt data traffic on the CDMA
channels.
• Anonymity
CDMA systems support the assignment of a Temporary Mobile Station Identifier (TMSI) to
a mobile to represent communications to and from a certain mobile in over the air
transmissions.
This feature makes it more difficult to correlate a mobile user’s transmission to a mobile
user.
TM2106EU01EG_0001
62
Fig.27
TM2106EU01EG_0001
63
Siemens
SSD update procedure

Authentication refers to the process by which the base station confirms the identity of the
mobile station. The successful authentication can be achieved only when the base station
possesses identical sets of shared secret data (SSD) with the mobile station.
The base station sends an SSD update message order on either the paging channel or the
forward traffic channel.
Upon receipt of the SSD update message, the mobile station sets the input parameters
(RANDSSD, ESN, A-Key) to the SSD-generation algorithm.
The mobile station then executes the SSD-generation procedure
SSD-A NEW and SSD-B NEW are generated as the outputs of the SSD-generation
procedure
The mobile station then elects a 32-bit random number (RANDBS), and sends it to the base
station in a base station challenge order on the access channel or reverse channel
Both the mobile station and the base station then set the input parameters (RANDBS, ESN,
MIN 1, SSD-A-NEW) of the Auth-Signature procedure (including DM algorithm) and
execute the Auth-Signature procedure
AUTHBS is set to the 18-bit result AUTH-SIGNATURE.
The base station sends its computed value of AUTHBS to the mobile station in a base
station challenge confirmation order on the paging channel or the forward traffic channel.
Upon receipt of the base station challenge confirmation order, the mobile station compares
the received value of AUTHBS to its internally generated value.
If the comparison is successful, the mobile station executes the SSD-Update procedure to
set SSD-A and SSD-B to SSD-A-New and SSD-B-NEW, respectively. The mobile station
then sends an SSD update confirmation order to the base station, indicating successful
completion of the SSD update. The base station sets SSD-A and SSD-B to the values
computed by the HLR/AC
If the comparison has failed, the mobile station discards SSD-A-NEW and SSD-B-New. The
mobile station then sends an SSD update reject order to the base station, indicating
unsuccessful completion of the SSD update
SSD updates are carried out only in the mobile station and its associated HLR/AC , not in
the serving system. The serving system obtains a copy of the SSD computed by the
HLR/AC via the intersystem communication with the mobile station's HLR/AL.
TM2106EU01EG_0001
64
Fig.28
TM2106EU01EG_0001
65
Siemens
TM2106EU01EG_0001
66
8 Security in GSM
TM2106EU01EG_0001
67
Siemens
In GSM, the picture is quite different, although conceptually similar. The challenge is
unique, and is generated within the home system (the system where the phone is
registered). The algorithm and the master key are both stored on a smart card called a SIM
(Subscriber Identity Module). This allows for the possibility that the algorithm may actually
vary with different service providers, and indeed this is the case for about 40% of phones.
The interface to which the algorithm adheres is called A3, and it accepts a 64 bit challenge
and produces a 64 bit response, based on the secret key in the SIM. At the same time, an
algorithm whose interface is called A8 calculates the corresponding session key for privacy
during the call. The “standard” algorithm performing these functions together is called
COMP128. This algorithm is held tightly secret by the GSM MoU (Memorandum of
Understanding Group); only the interface to it is public. Because the algorithm might not
even be known at a visited system, the home system has to perform all of the verification
and key generation functions. As an optimization for network traffic, a number of triplets are
forwarded upon the first access.
These consist of:
1. A challenge to be sent to the mobile station
2. The expected response
3. The session key to be used after authentication succeeds.
Relying on the secrecy of the algorithm is rarely a good move, and indeed COMP128 was
disclosed in 1998. Furthermore, the algorithm is weak, allowing disclosure of the A-Key with
a few million interactions with the SIM card.
8.1 Encryption for secrecy in GSM

In GSM the situation for secrecy of voice, signaling data and user data is simple. Once the
session has been authenticated, encryption is turned on and everything is protected by the
same algorithm, a stream cipher notionally known as A5. Actually, there are three different
algorithms, which are negotiated between the phone and the network. A5/1 is based on
three shift registers with complicated stepping control; the exact algorithm was reverse
engineered early in 1999.
A5/2 is a weakened version of A5/1, in which the stepping is controlled by a fourth
independent shift register. There is also the option of “no encryption”, colloquially called
A5/0. The first two of these algorithms are also tightly controlled by the GSM MoU. Unlike
the A3/A8 algorithm(s), though, these ones are built into the phone itself, because the SIM
doesn’t have enough CPU power to calculate the outputs in real time.
TM2106EU01EG_0001
68
Fig.29
TM2106EU01EG_0001
69
Siemens
8.2 TMSI allocation

Since the network is aware of the identity of the mobile subscriber with whom it is in contact. Thus, during
the initial phase of communication setup, when the identity of the mobile subscriber is still unknown, the
transmitted signaling information cannot be ciphered. During this phase a third party may identify a subscriber
and the desired service.
In order to protect the identity of the subscriber in this phase, a temporary identification of the subscriber is
distributed: the Temporary Mobile Subscriber Identity TMSI.
The TMSI is used instead of the real user identity, the International Mobile Subscriber
Identity IMSI. This TMSI is allocated by the VLR, which is associated to the VMSC.
The MS usually identifies itself with the TMSI in the initial access phase to the VLR.
The VLR uses this TMSI to re-identify the IMSI. This is only possible if the TMSI has been allocated by the
same VLR. If not, the VLR has to request the VLR, which has allocated the TMSI to the MS, to deliver the
IMSI. Therefore, the TMSI is in most cases transmitted together with the old LAI, which identifies uniquely a
VLR. The request VLR - VLR is only possible, if both VLR belong to the same PLMN.
Therefore, the IMSI has to be transmitted via Um at the first registration in a new PLMN and obviously at the
very first usage of the SIM card (i.e. in the case of Location Registrations).
A new TMSI (TMSI re-allocation) can optionally be allocated to the MS after every authentication & cipher
start (and the optional IMEI check).
TM2106EU01EG_0001
70
Fig.30
TM2106EU01EG_0001
71
Siemens
8.3 IMEI Check

In contrast to the other security mechanism authentication, ciphering and TMSI allocation, the check of the
International Mobile Equipment Identity IMEI is optional. It depends on the operator’s decision whether an EIR
is implemented and IMEI checks are done.
IMEI check serves to identify stolen, expired or faulty mobile equipment. An IMEI clearly identifies a particular
mobile device and contains information about the place of manufacture, type approval code and the serial
number of the equipment.
The IMEI consists of: Type Approval Code TAC, Final Assembly Code FAC, and Serial
Number SNR and a Software Version Number SVN.
If an IMEI check in the PLMN is intended, the Mobile Station MS will be requested to submit the IMEI during
call setup after authentication and cipher command. The MS sends back its IMEI. The IMEI is routed to the
EIR of the PLMN.
A check occurs here to find out whether the IMEI is registered on the black or gray list, i.e. whether the MS is
blocked from further use of the PLMN, or whether it has to be observed.
TM2106EU01EG_0001
72
Fig.31
TM2106EU01EG_0001
73
Siemens
CALL PROCESSING
In getting to a traffic channel, a mobile station goes through several states:
• System initialization
• System idle state
• System access
• Traffic channel state.
In system initialization state the mobile acquires a pilot channel by searching all the PN Offsets possibilities
and selecting the strongest pilot signal. Once the pilot is acquired, the sync channel is acquired using the W32
Walsh function and the detected pilot channel.
Then the mobile obtains the system configuration and timing information.
Next the mobile enters the system idle state where it monitors the paging channel.
If a call is being placed or received, the mobile enters the system access state where the necessary
parameters are exchanged.
The mobile transmits its response on the access channel and the base station transmits its response on the
paging channel.
When the access attempt is successful the mobile enters the traffic state.
TM2106EU01EG_0001
74
Fig.32
TM2106EU01EG_0001
75
Siemens
Mobile Station Initialization State
The Mobile Station Initialization State consists of the following substates:
• System Determination Substate:

In this substate, the mobile station selects which system to use.
• Pilot Channel Acquisition Substate:

In this substate, the mobile station acquires the Pilot Channel of a CDMA system.
• Sync Channel Acquisition Substate:

In this substate, the mobile station obtains system configuration and timing information for a CDMA system.
• Timing Change Substate:

In this substate, the mobile station synchronizes its timing to that of a CDMA system. While in the Mobile
Station Initialization State, the mobile station shall update all active registration timers
TM2106EU01EG_0001
76
Fig.33
TM2106EU01EG_0001
77
Siemens
Mobile Termination Call

1. To receive a call, the BTS uses the paging channel to send a “page” message to the
MS, which notifies it that, it has a call.
2. The MS responds by sending a page response message to the BTS via the access
channel.
3. The BTS sets up forward and reverse traffic channel to be used during the call.
4. The BTS also, begins time synchronization with the MS, by sending “Null Data” over
the forward traffic channel, then sending a channel assignment message over the
paging channel.
5. After receiving the “channel assignment” message, the MS sets up the traffic
channel and receive the “Null Data “ sequence to identify the start of a connection.
6. After being in synchronization, the BTS sends a “Base Station Acknowledge”
message via the forward traffic channel, and the MS responds by sending “Null
Data” over the reverse traffic channel.
7. Then the BTS transmits “alerting” message over the forward traffic channel to alert
the user.
8. When answering, the MS sends a “Connect” message and the call is established
now until one of the users ends it by hanging up.
9. The BTS detects that and sends a “Release “ message over the forward traffic
channel.
10. The MS also responds by sending a “Release “ message over the reverse traffic
channel, after that the two traffic channels are seted free.
TM2106EU01EG_0001
78
Fig.34
Fig.35
TM2106EU01EG_0001
79
Siemens
Mobile Originating Call

1. After dialing the called number, the MS sends “origination” message on the Access
channel.
2. The BTS responds by setting up traffic channel, and transmitting “Null data” over the
forward traffic channel.
3. After that the BTS sends a “channel Assignment” message to the MS over a Paging
channel telling the MS which traffic channels to use during the call.
4. The MS sets up the traffic channel and begins sending preamble information.
5. The BTS sends a “Base Station Acknowledgment” message to the MS through the
forward traffic channel,
6. The MS starts transmitting “Null data” over the reverse traffic channel.
7. Now, the forward and the reverse channels between the MS and the BTS are
established and the caller will hear a ring back tone –“if the called subscriber is idle”-
.
8. The conversation continues until one of the users hangs up, assuming that the MS
user ends the call, the MS sends a “release” message over the reverse traffic
channel.
9. The BTS then sends a “release” message via the forward traffic channel, which frees
up both the forward and reverse traffic channels.
TM2106EU01EG_0001
80
Fig.36
Fig.37
TM2106EU01EG_0001
81
Siemens
PROTOCOL LAYERING
The following Figure shows a simplified logical view of the CDMA protocol structure for the Paging Channel,
Access Channel, Forward Traffic Channel and Reverse Traffic Channel. This protocol is divided into
conceptual layers. Layer 1 is the physical layer of the digital radio channel, including those functions
associated with the transmission of bits, such as modulation, coding, framing, and canalization via radio
waves.
Between Layer 1 and Layer 2 is a Multiplex Sublayer containing the multiplexing functions that allow sharing
of the digital radio channel for user data and signaling processes. For user data, protocol layering above the
Multiplex Sublayer is service option dependent and, where used, will be described in standards for the service
options.
For the signaling protocol described in this standard, two higher layers are defined.
Signaling protocol Layer 2 is the protocol associated with the reliable delivery of signaling
Layer 3 messages between the base station and the mobile station, such as message retransmission and
duplicate detection. Signaling Layer 3 is the protocol associated with call processing, radio channel control,
and mobile station control, including call setup, handoff, power control, and mobile station lockout.
TM2106EU01EG_0001
82
Fig.38
TM2106EU01EG_0001
83
Siemens
TM2106EU01EG_0001
84

04 Tm2106euo1 - Eg0001 CDMA System Performance

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

04 Tm2106euo1 - Eg0001 CDMA System Performance

Uploaded by

Copyright:

Available Formats

CDMA System Performance Siemens

CDMA System Performance

1.1 PCM30: Transmission in GSM fixed network part

• Code Excited Linear Predictive (CELP)

3 POWER CONTROL in CDMA

3.1 Effect of NO Power Control:

3.2 The NEAR – FAR Problem

According to the above-mentioned facts, for proper operation of a modern high-capacity

P (UE1)/ P (UE2) = (d2 /d1) γ (1)

3.3 Classification of Power Control Techniques

According to what is measured to determine power control command, power control

3.4 Power Control Techniques for DS-CDMA

One of the possible classifications is:

Also, power control techniques can be classified as follows:

3.4.1 Reverse link open-loop power control

3.4.2 Forward link power control:

3.4.3 Reverse Link Power Control

3.4.4 Reverse link closed-loop power control:

Reverse link closed-loop power control is accomplished by mans of power up or power

3.5 RAKE Receiver

A spread-spectrum signal waveform is well matched to the multipath channel. In a

3.5.1 RAKE Receiver Structure

4.1 SOFT HANDOVER

4.1.1 The Importance Of Soft Handoff

4.2 Softer Handover

4.3 Implementation of SOFT HANDOVER

6 CDMA Security Codes

7.2 Voice privacy

Signaling Message Encryption

SSD update procedure

8.1 Encryption for secrecy in GSM

8.2 TMSI allocation

8.3 IMEI Check

Mobile Station Initialization State

The Mobile Station Initialization State consists of the following substates:

• System Determination Substate:

• Pilot Channel Acquisition Substate:

• Sync Channel Acquisition Substate:

• Timing Change Substate:

Mobile Termination Call

Mobile Originating Call

You might also like