Global System for Mobile

Communication (GSM)
Li-Hsing Yen
National University of Kaohsiung

GSM System Architecture

Um

MSC
MS
(ME/SIM) MSC E PSTN, ISDN, PSPDN,
CSPDN

A-bis
A F

C B
A-bis

BSC EIR
HLR VLR
D
BTS BSS
G
Um

NSS
AuC VLR
MS
(ME/SIM)

1
 Nomenclature
MS (Mobile Station) =
MT (Mobile Terminal ) +
TE (Terminal Equipment)
BSS (Base Station Subsystem) =
BTS (Base Transceiver Station) +
BSC (Base Station Controller)
NSS (Network Switching Subsystem)
MSC (Mobile Switching Center): telephony
switching function and authentication of user

HLR and VLR

HLR (Home Location Register)
a database to store and management
permanent data of subscribers
VLR (Visitor Location Register)
a database to store temporary information
about subscribers
needed by MSC in order to service visiting
subscribers

2
 AuC and EIR
Authentication Center (AuC)
used in the security data management for
the authentication of subscribers.
Equipment Identity Register (EIR)
used to maintain a list of legitimate,
fraudulent, or faulty MSs.
optional in GSM network, and is not used
generally.

GSM Interfaces
Um
Radio interface between MS and BTS
each physical channel supports a number of
logical channels
Abis
between BTS and BSC (vender specific)
primary functions: traffic channel transmission,
terrestrial channel management, and radio
channel management

3
 Frequency Division Duplex
n: Absolute Radio Frequency Channel Number (ARFCN). 1 n 124
Uplink 890.0 MHz Guard band
890.2 MHz 200kHz
Ful(n)=890+ 0.2*n 890.4 MHz
MHz
....

.
57
914.8 MHz
7

ms
burst (contents of time slot)
Downlink 935.0 MHz Guard band
935.2 MHz

Fdl(n)=Ful(n)+45 935.4 MHz

MHz
....

959.8 MHz
. . . 7 0 1 2 3 4 5 6 7 0 time slot

Time Division Duplex

MS and BTS do not transmit simultaneously
(MS transmits 3 time slots after the BTS)

Downlink 5 6 7 0 1 2 3 4 5 6 7 0 1 2

Uplink 2 3 4 5 6 7 0 1 2 3 4 5 6 7

Timing advance: MS transmits its data a little earlier as

demanded by the three time slots delay rule .

4
 Timing Advance
Propagation delay

Base station send recv

Mobile station recv send

send Original timing

Timing advance
~ Propagation delay * 2

GSM Frame Structure

1 hyperframe = 2048 superframes (~3.5hr)
For speech
1 superframe = 51 multiframes = 6.12s
1 multiframe = 26 frames = 120ms
For Signaling
1 superframe = 26 multiframes
1 multiframe = 51 frames
1 frame = 8 time slots = 4.615 ms
1 time slot = 156.25 bit duration = 0.577ms

5
 GSM Frame Hierarchy
3.48hr
Hyper
0 1 2047
frame

Super 0 1 48 49 50 6.12s
frame

Multi-
0 1 23 24 25 120ms
frame

Frame 0 1 2 3 4 5 6 7 4.615ms

28 bits
0.57692ms
Time 8.25
Encrypted bits Encrypted bits
Slot guard bits
57 bits 57 bits
3 tail bits 3 tail bits
Training sequence Stealing bit

Normal Burst Format

Trail bits
always (0,0,0); provide start and stop bit pattern
encrypted bits
data is encrypted
stealing bits
indicate whether the burst was stolen for urgent
control signaling (FACCH signaling)
Guard bits
avoid overlapping with other bursts due to different
path delay

6
 Training Sequence
A known bit pattern that differs for different
adjacent cells
to adapt the parameters of the receiver to the
current path propagation characteristics
to select the strongest signal in case of
multipath propagation
for multipath equalization
extract the desired signal from unwanted
reflections

GSM Protocol Stack

MS Base Base MSC
Transceiver Station
CM Station Controller CM
MM (BTS) (BSC) MM
DTAP
RR BSSMAP/DTAP
RR BSSMAP
RR BTSM BTSM
SCCP SCCP
LAPDm LAPDm LAPD LAPD
Layer 1 Layer 1 Layer 1 Layer 1 MTP MTP

Um Abis A
(air interface)

7
 Layer 1 - Physical Layer
Modulation
Equalization
Channel coding
block code
convolutional code
Interleaving
to distribute burst error

GSM Physical Layer (MS Side)

signaling voice signaling
voice
speech speech
coding decoding

channel coding channel decoding

interleaving de-interleaving

burst formatting burst de-formatting

ciphering deciphering

modulation R/F R/F demodulation

8
 GSM Speech Transmission
20 ms

speech encoding (RPE-LTP)

260 bits

channel encoding
456 bits

0 57 114 171 228 285 342 399

64 121 178 235 292 349 406 7

interleaving : :
392 449 50
: : : : :
107 164 221 278 335
: 57 rows

burst 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57
formatting

frame
burst

GSM Speech Channel Coding

260 bits
Class 1a Class 1b Class 2
50 bits 132 bits 78 bits
Parity bits reordering Tail
protecting 1a Bits
91 bits 3 91 bits 4

Convolutional Coding
378 bits 78 bits

456 bits

9
 Tailing Bits and Reordering
d(0) u(0)
d(0) d(2) u(1)
d(1) d(4) u(2)
d(2)
:
reorder d(178) : :
d(3) u(89)
Tailing Bits
d(180) u(90)

p(0) u(91) u(185) 0

p(1) u(92) u(186) 0
d(179) p(2) u(93) u(187) 0
d(180) u(94) u(188) 0
d(181)
d(181) u(95)
d(179)
u(96)
p(0) d(177)
:
p(1) :
d(3) u(183)
p(2)
d(1) u(184)

Parity Bits
The first 50 bits are protected by 3
parity bits p(0), p(1), p(2)
generator polynomial g(D)=D3+D+1
the remainder of
d(0)D52+d(1)D51++d(49)D3+p(0)D2+p(
1)D+p(2) divided by g(D) should be
1+D+D2

10
 Convolutional Encoder for
GSM Speech (Rate=1/2, K=5)

U0 U188
ak ak-1 ak-2 ak-3 ak-4

Interleaving
0 455

0 57 114 171 228 285 342 399

64 121 178 235 292 349 406 7
128 185 242 299 356 413 14 71
192 249 306 363 420 21 78 135
256 313 370 427 28 85 142 199
320 377 434 35 92 149 206 263
384 441 42 99 156 213 270 327
448 49 106 163 220 277 334 391
56 113 170 227 284 341 398 455
120 177 234 291 348 405 6 63
184 241 298 355 412 13 70 127
248 305 362 419 20 77 134 191
312 369 426 27 84 141 198 255
: : : : : : : :
: : : : : : : :
392 449 50 107 164 221 278 335

11
 GSM Normal Burst Formatting
A B C
57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57

burst frame

28 bits
8.25
BABA BAB ABAB ABA guard
bits
57 bits 57 bits
3 tail bits 3 tail bits
Training sequence Stealing flag

Physical Vs. Logical Channels

Physical channels are all the available time
slots of a BTS
a BTS with 6 carriers has 48 physical channels
Logical channels are piggybacked on the
physical channels
logical channels are laid over the grid of physical
channels
each logical channel performs a specific task

12
 GSM Logical Channels (I)
Speech traffic channels (TCH)
Full-rate TCH (TCH/F)
Half-rate TCH (TCH/H)
Broadcast channels (BCH)
Frequency correction channel (FCCH)
Synchronization channel (SCH)
Broadcast control channel (BCCH)
Cell broadcast channel (CBCH)

GSM Logical Channels (II)

Common control channels (CCCH)
Paging channel (PCH)
Access grant channel (AGCH)
Random access channel (RACH)
Dedicated control channel (DCCH)
Slow associated control channel (SACCH)
Stand-alone dedicated control channel (SDCCH)
Fast associated control channel (FACCH)

13
 Broadcast Channels (BCH)
Frequency correction channel (FCCH)
the
lighthouseof a BTS
Synchronization channel (SCH)
PLMN/base identifier of a BTS plus
synchronization information (frame number)
Broadcast control channel (BCCH)
to transmit system information 1-4, 7-8 (differs in
GSM 900, GSM 1800, and PCS 1900)

CBCH and CCCH

CBCH (Cell Broadcast Channel)
transmits cell broadcast messages
PCH (Paging Channel)
carries PAG_REQ message
AGCH (Access Grant Channel)
SDCCH channel assignment
RACH (Random Access Channel)
communication request from MS to BTS

14
 Mapping of Logical Channels
Each BTS has a particular frequency carrier
called BCCH-TRX to transmit BCCH info
The following channel structure can be found
on time slot 0 of carrier BCCH-TRX
FCCH
SCH
BCCH information 1-4
Four SDCCH subchannels (optional)
CBCH (optional)

Example Mapping of Logical

Channels on Time Slot 0 (Downlink)
FCCH + SCH Block 4
FN= 0 - 5 + FN= 26 - 29
CCCH/SDCCH
BCCH 1 - 4
Block 0 FCCH/SCH FN= 30 - 31
FN= 6 - 9 reserved for
CCCH Block 5
FCCH/SCH CCCH/SDCCH FN= 32 - 35
FN= 10 - 11
Block 1 Block 6
reserved for FN= 36 - 39
FN= 12 - 15 CCCH/SDCCH
CCCH
Block 2 FCCH/SCH FN= 40 - 41
FN= 16 - 19 reserved for
CCCH Block 7 FN= 42 - 45
FN= 20 - 21 FCCH/SCH CCCH/SACCH
Block 3 Block 7 FN= 46 - 49
FN= 22 - 25 CCCH/SDCCH CCCH/SACCH
not used FN= 50

15
 Example Mapping of Logical
Channels on Time Slot 2 (Downlink)

FN= 0 - 11 TCH

FN= 12 SACCH

FN= 13 - 24 TCH

FN= 25 not used

GSM Layer 2: LAPDm

Functions
organization of Layer 3 information into
frames
peer-to-peer transmission of signaling data
in defined frame formats
recognition of frame formats
establishment, maintenance, and
termination of one or more (parallel) data
links on signaling channels

16
 Layer 3 Protocol Architecture:
Mobile Station Side
MNREG-SAP MNCC-SAP MNSS-SAP MNSMS-SAP

CM
CC SS SMS

TI TI TI
MM CC SS SMS
MM PD

PD

RR

SAPI=0 SAPI=3
AGCH+PCH

SDCCH

SACCH
SDCCH

SACCH

FACCH
RACH

BCCH

Layer 3 - RR Sublayer
The RR sublayer handles all the procedures
necessary to establish, maintain, and release
dedicated radio connections
channel allocation
B
handover
A
timing advance
power control power
level
frequency hopping
time
A B

17
 Three Cases of Hand-over
MSC MSC

BSC BSC BSC

BTS BTS BTS BTS

MS MS 1. different BTS, same BSC

MS MS 2. different BSC, same MSC

3. different MSC, same PLMN

MS MS
(old MSC=anchor MSC
new MSC=relay MSC)

Layer 3 - MM Sublayer
The MM sublayer copes with all the
effects of handling a mobile user that
are not directly related to radio functions
location area
location registration & call delivery
location update & paging

18
 Authentication & Encryption/Decryption in GSM
Mobile Station Home System
RAND
SIM Ki Ki

A8 A3 A3 A8

accept SRES Kc
Y

SRES =? SRES
N
reject authentication

frame number Kc encryption

Kc
Visited
A5 System A5
S1 S2 S1 S2

plain text ciphered data plain text

MS BTS BSC MSC VLR HLR

channel request
HLR channel activation command
channel activation acknowledge

cancellation 5 ack 3 location update channel assignment

subscriber location update request

information authentication request
old 2 new authentication response
VLR IMSI, VLR comparison of authentication parameters
auth. para.
assignment of TMSI
1 4 ack
old TMSI, acknowledgement of TMSI
old VLR ID new TMSI
entry of the new area and
MS identity into the VLR & HLR

channel release

19
 Layer 3 - CM Sublayer
The CM sublayer manages all the functions
necessary for circuit-switched call control
call establishment procedures for mobile-
originated calls and mobile-terminated calls
in-call modification
call reestablishment
Dual Tone Multi Frequency (DTMF) control
procedure for DTMF transmission

Contents of CM
Call Control (CC)
Short Message Service (SMS)
Supplementary Service (SS)

20
 Paging Procedure

MS BSS
Paging Request Message on PCH

Channel Request on RACH

Assign SDCCH on AGCH

SABM (Paging Response)

Call Setup Procedure: Mobile

Terminated Call
+886935... request roaming number

GMSC 1 1
HLR VLR
dial MSISDN (INTX) 2 2
1 1 allocate MSRN
3 MSC
other routing other
3
switches switches 3

MS
INTerrogating eXchange (INTX)
Mobile Station ISDN Number (MSISDN) (Country Code, see E.164)
Mobile Station Roaming Number (MSRN) (Mobile Country Code, see E.212)

21
 Dual Tone Multiple Frequency
(DTMF) in PSTN
Switch
DTMF

Dialing

Switch PBX

Connected

DTMF in GSM
MSC

SETUP

Dialing

MSC PBX

START_DTMF

STOP_DTMF

Connected

22