GSM Base Transceiver Station

Presentation by:
Naveen Jakhar
ITS – 2014 Batch

1
Topics covered in this presentation:
 What is a Base Transceiver Station ?
 Components of any BTS
 BTS transceiver, BTS O&M module, clock module
 BTS Transmitter and Receiver Characteristics
 BTS configurations
 BTS functions and Protocols on Um and Abis Interface
 BTS security aspects
 Conclusion

2
Introduction to Base Transceiver Station:
 BTS stands for Base Transceiver Station
 A BTS is an equipment that facilitates wireless communication
between user equipment (UE) and a network
 UEs are devices like mobile phones, WLL (Wireless in Local
Loop) phones, computers with wireless Internet connectivity
 The network can be that of any of the wireless communication
technologies like GSM, CDMA, wireless local loop, Wi-Fi (wireless
fidelity), WiMAX (Worldwide Interoperability for Microwave
Access) or other wide area network(WAN) technology

3
Introduction to Base Transceiver Station:
 BTS is also referred to as the radio base station (RBS), node
B(in 3G Networks) or, simply, the base station (BS)
 The term BTS is applicable to
any of the wireless communication
standards, it is generally associated
with mobile communication technologies
like GSM and CDMA

4
Base Transceiver Station(BTS) components:
 BTS provides the wireless connectivity to Mobile Station on one side
via Air Interface (also called 𝑈𝑚 𝐼𝑛𝑡𝑒𝑟𝑓𝑎𝑐𝑒)
 BTS is connected to BSC via Abis Interface
 Any BTS is having these components:
 Transceiver (TRX) Power amplifier (PA)
 Combiner Multiplexer
 Antenna Baseband receiver unit (BBxx)
 Control function Alarm extension system
 Clock Module Operation and Maintenance module

5
Base Station Transceiver:
 BTS Transceiver is responsible for transmission and reception of
signals
 GSM recommendations allow one BTS to host up to 16 TRX
 In field, majority of BTS have one to 4 TRX at max
 TRX is having two parts: one, a low frequency part for digital signal
processing and other, high frequency part for GMSK modulation and
demodulation
 Both parts are connected via a separate or an integrated frequency
hopping unit

6
Base Transceiver Diagram:

7
Base station components:
 Combiner combines feeds from several TRXs so that they could be
sent out through a single antenna thus reducing the number of
antennas that need be installed
 Power Amplifier Class C, aids in signal amplification from TRX for
transmission through the antenna
 Duplexer is used for separating sending and receiving signals to or
from the antenna
 Antenna is an external part of the BTS and it is used to transmit the
signals to other entity

8
Base station components:
 Alarm Extension system collects working status alarms of various
units in the BTS and extends them to operations and maintenance
(O&M) monitoring stations

Control functions controls and manages the various units of BTS,

including any software. On-the-spot configurations, status changes,
software upgrades, etc. are done through the control function
module

9
BTS Operations and Maintenance module:
 It consists of at least one central unit, which administers all other
parts of BTS
 O&M module is connected to BSC by means of a special O&M
channel
 O&M module allows a remote access from BSC for any software
update
A BTS is controlled by a parent BSC via the base station control
function(BCF), implemented in O&M module
 O&M module also provides a Human Machine Interface, which
allows for local control of BTS

10
BTS Clock module:
 Clock generation and distribution module is present inside O&M
module
 Reference clock is derived from PCM signals on Abis Interface
 BTS internal clock generation is mandatory – when a BTS is to be
tested in standalone environment & when PCM clock is not available
due to link failure
 GSM requires that all TRX of a BTS use same clock. The accuracy of
the signal has to have a precision of at least 0.05 ppm
1 MHz clock, precision should be .05 Hz

11
BTS Input and Output filters:
 Input and output filters are used to limit the bandwidth of received
and transmitted signal
 The input filter typically is a non-adjustable wideband filter that
allows GSM 900MHz, DCS 1800 MHz, PCS 1900 MHz frequencies to
pass in the uplink direction
 The output filter is an adjustable wideband filter used in downlink
direction which limits the signal to 200 KHz bandwidth

12
BTS Transmitter Characteristics:
 Output Power
 Output RF Spectrum
 Spurious emissions
 Radiofrequency tolerance
 Output level dynamic operation
 Modulation accuracy
 Intermodulation attenuation

13
BTS Transmitter Specifications:
For a normal BTS, the maximum output power measured at the input
of the BSS Tx combiner, shall be, according to its class, as defined in
the following table

14
Micro and pico -BTS Transmitter Specifications:
 For a micro-BTS or a pico-BTS, the maximum output power per
carrier measured at the antenna connector after all stages of
combining shall be, according to its class, defined in the following
table.

15
BTS Transmitter Specifications:
 The tolerance of the actual maximum output power of the BTS for
each supported modulation shall be ±2 dB under normal conditions
and ±2.5 dB under extreme conditions
 Power can be increased in steps, each step size is of 2 dB with
accuracy of ±1 dB
 dBc (decibels relative to the carrier) is the power ratio of a signal to a
carrier signal, expressed in decibels
The Residual output power, if a timeslot is not activated, shall be
maintained at, or below, a level of -30 dBc on the frequency channel

16
BTS Receiver Characteristics:
 Blocking Characteristics

 AM Suppression Characteristics

 Intermodulation Characteristics

 Spurious emissions

17
BTS Receiver Blocking Characteristics:
 The blocking characteristics of the receiver are specified separately
for in-band and out-of-band performance

18
BTS configurations:
 BTS Configurations depend on load, subscriber behaviour and area
to be covered
 Three different configurations of BTS:
 Standard omnidirectional configuration
 Umbrella shape configuration
 Sectorized or Cell configuration

19
BTS Standard Omnidirectional Configuration:
 Omnidirectional antennas are used

 No fine load balancing with respect to the load and clutter

 Inefficient resource utilization

 Low antenna gain

20
BTS Umbrella Cell Configuration:
 Umbrella cell configuration consists of one BTS with high
transmission power and an antenna installed high above the ground
that serves as an umbrella for a number of BTSs with low
transmission power
and small diameters
 Use of Umbrella cell
Configuration ?

21
BTS Umbrella Cell Configuration:
 Umbrella cell configuration – high rise antenna may be a solution to
provide coverage for fast moving cars (how can they be detected –
using timing advance parameter – updated after every 480 ms by
MEAS_RES message)and antennas with lesser height can provide
coverage to dense areas within a city
 Umbrella configuration not specified by GSM, so additional design
updates required in BTS and BSC
 Drawback: Interference and non-reuse of frequency

22
BTS Sectorized(Collocated) Configuration:
 Several BTSs are collocated at one site but their antennas cover only
an area of 120 or 180 degrees
 Fairly easy to fine-synchronize the cells with each other and thus
allows for synchronised handover between the two cells
 Re-use of frequencies
 Sectorization eases the demand for frequencies especially in urban
areas

23
BTS Sectorized(Collocated) Configuration:

24
BTS functions:
 BTS is an important component of BSS
 Channel encoding and decoding
 Burst formatting and Interleaving
 Encryption and decryption (ciphering)
 setup of LAPD connection on BSC side and LAPDm on Um interface
 GMSK modulation and demodulation
 Creation and transmission of BCCH
 Measurements of signal strength and forward the results to BSC

25
BTS Interface Protocols and signal transfer :
 𝑼𝒎 interface :
This interface uses LAPDm protocol for signalling, to conduct call
control,measurement reporting reporting, handover, power
control, authentication, authorization, location update and so on. Traffic and
signaling are sent in bursts of 0.577 ms at intervals of 4.615 ms, to form data
blocks each 20 ms
LAPDm does not have CRC for Error detection
 Abis Interface :
Uses TDM sub channels for traffic (TCH), LAPD protocol for BTS supervision and
telecom signalling, and carries synchronization from the BSC to the BTS and MS

26
BTS Interface Protocols:

27
BTS Interface Protocols and signal transfer :
 GSM Layer 1:
 FDMA/TDMA is the air interface(radio), also called Um interface

 At Mobile Station, FDMA/TDMA is used which is also followed at

BTS, BTS takes this format from MS and convert it to 64kbps digital
format for the digital link and interfaces with BSC

28
BTS Interface Protocols and signal transfer :
 GSM Layer 2:
 Layer 2 is the data link layer, which does following three main
functions.
 Establish and maintain the link
 Flow control
 Error detection
 Work on layer 3 frames
.

29
BTS Interface Protocols and signal transfer :
 GSM Layer 2:
At Layer-2 LAPD and LAPDm is used. LAPD is the ISDN(Integrated Services
Digital Network) protocol for D Channel

LAPDm is the modified version of LAPD for mobile station

LAPDm does not have CRC for Error detection

LAPD at BTS converts potentially unreliable physical link of MS into reliable

link

30
Security aspects at BTS:
 All BTS are comprised of software and radio equipment and most of
the vendors use a similar transceiver code base – means all can be
attacked using this flaw
 A malicious hacker can take control of BTS from any remote place –
results in compromised BTS functionalities
 The attacker could impersonate a parallel BTS communicating with it
and could send GSM data bursts to the transceiver itself, thus
conducting attacks such as IMSI detaching, encryption downgrading,
and denial of service against mobile subscribers

31
Conclusion and way forward:
 BTS is an important device for Mobile communication and any
security breach at BTS would expose the entire mobile network to
many vulnerabilities
 Vendors are coming up with these improvements in BTS design:
 change firewall rules to block traffic coming from external networks
to specific ports
 Enhanced authentication process
 perform additional code audits before releasing alpha version of any
software patch

32
References:
Book GSM networks : Protocols, Terminology and Implementation by
Gunnair Heine
3GPP TS 05.05 version 8.20.0 Release 1999, ETSI TS 100 910 V8.20.0
(2005-11)
 http://www.securityweek.com/critical-vulnerabilities-affect-open-
source-base-transceiver-stations
http://www.rfwireless-world.com/
http://whytelecom.com/
https://en.wikipedia.org/wiki/Base_transceiver_station

33
 Thank You
Communication – The Human Connection – is the key to Personal and Career Success

34