
GSM Systems Training (SYSTRA)
Objectives
O At the end of the module, participants will be able to:
- Identify GSM sub-systems
- Describe GSM Authentication and Mobility Management processes
- Define common GSM terminology
- Explain basic call flow scenarios

Course Outline
O GSM Background
- Evolution
- History
O Traffic and Mobility Management
- Location update
- Authentication / Security issues
- Call flow scenarios
- Charging
- Services
O Basic Signalling
O RF and Transmission
O Q & A

Introduction to GSM
The Evolution of the Mobile Phone
1G
1G is short for first-generation wireless telephone technology (cellphones). These are the analog cellphone standards that were introduced in the 1980s.
2G
2G is short for second-generation wireless telephone technology. It uses digital signaling to connect the radio towers to the rest of the telephone system.
2.5G
2.5G services enable high-speed data transfer over upgraded existing 2G networks.
3G
3G provides the ability to transfer both voice data and non-voice data simultaneously.
THE GSM NETWORK
[Figure: GSM network architecture in three parts. Base Station Subsystem (BSS): Base Transceiver Station (BTS), Base Station Controller (BSC), Transcoder (TCSM). Network Subsystem (NSS): Mobile Switching Center (MSC), Visitor Location Register (VLR), HLR, Authentication Center (AC), Equipment Identity Register (EIR), with links to other networks. Network Management Subsystem (NMS). The Mobile Station connects over the Air I/F; the other labelled interfaces are Abis I/F, Ater I/F and A I/F.]
NSS Functions
[Figure: MS, BSS, NSS and NMS blocks with the Air, A and O&M interfaces; the NSS contains two MSC/VLR pairs and the HLR.]
- Call Control (End-to-End supervision, connect-supervise-terminate)
- Charging
- Mobility Management
- Signalling with other networks and the BSS
- Subscriber Data Handling (Refers to subscriber data available in the network, e.g. IMSI, Authentication Keys, temporary data in the VLRs)
BSS Functions
[Figure: BSS elements: three BTSs, two BSCs and two TCs.]
- Radio Path Control (Frequencies to be used)
- BTS and TC Control (O&M functions)
- Synchronization (Master & Slave hierarchy, Primary Reference Clock (PRC))
- Air and A Interface Signalling
- Connection Establishment between MS and NSS
- Mobility Management and Speech Transcoding
- Collection of Statistical Data
NMS/OSS Functions
- Fault Management
- Configuration Management
- Performance Management
Traffic & Mobility Management
Where is the subscriber?
Who is the subscriber?
What does the subscriber want?
How does the mobile operator provide service to the subscriber?
Databases in GSM Network
[Figure: the databases in the GSM network: VLR, HLR and MS.]
GSM Databases
Subscriber Identity Module (SIM)
- Subscriber Identity Data (MSISDN, IMSI)
- Network Authentication Data (Ki, Algorithm)
- Local Authentication Data (PIN1,2, PUK1,2)
- Register Data
Home Location Register (HLR)
- Permanent Data (MIN-IMSI, Services)
- Regular update of subscriber's current VLR (VLR ADDRESS)
Visitor Location Register (VLR)
- Temporary Data (MIN-IMSI services, LAC etc)
- Kept as long as subscriber is within its coverage area
- Updated from HLR
- Always associated with an MSC
GSM Addresses and Identifiers

IMEI = TAC(6) + FAC(2) + SNR(6) + SP(1)
+ TAC = Type Approval Code, identifies the mobile equipment
+ FAC = Final Assembly Code, identifies which assembly series the mobile belongs to
+ SNR = Serial Number, identifies the mobile uniquely within one assembly series
+ SP = Spare, for future use

IMSI = MCC + MNC + MSIN
+ MCC = Mobile Country Code, 3 decimal places
+ MNC = Mobile Network Code, 2 decimal places
+ MSIN = Mobile Subscriber Identification Number, maximum 10 decimal places
+ IMSI maximum length = 15 digits

MSISDN = CC + NDC + SN
+ CC = Country Code, up to 3 decimal places
+ NDC = National Destination Code, typically 2-3 decimal places
+ SN = Subscriber Number, maximum 10 decimal places
+ MSISDN maximum length = 15 decimal places / digits

MSRN = CC + NDC + SN
+ CC = Country Code, up to 3 decimal places
+ NDC = Network Code, typically 2-3 decimal places
+ SN = Subscriber Number, typically 10 decimal places

LAI = CC + MNC + LAC
+ CC = Country Code, up to 3 decimal places
+ MNC = Mobile Network Code, 2 decimal places
+ LAC = Location Area Code, maximum 5 decimal places
+ LAC (hex) < FFFF (hex) / 65535 (dec)
Location Update: First Time LU
[Figure: first-time location update. Elements: MS in LAI1, BTS1, BSC1, MSC/VLR 1, MSC/VLR 2, HLR. Message labels: Loc Up, IMSI Request, IMSI, Authen, Loc Up + TMSI.]
HLR DB
MSISDN           IMSI                VLR Address   Sub. Data
63+919+220xxxx   515+03+1234567890   vlr2          services

Generic Location Update
The Mobile Station continues to monitor the broadcast information.
If the Location Area Identity (LAI) being broadcast by the network is other than the one stored in the SIM, the mobile station starts the location update procedure.

Location Area
[Figure labels: VLR, VLR, HLR, MSC (OLD), MSC (NEW); LA 1, LA 2, LA 3, LA 4, MSC/VLR Area, PLMN Area.]
Paging is done in all cells of the LA where the subscriber is currently located.
It can cross BSC boundaries. LA design is arbitrary.
The idea is to have a small paging area that could accommodate the most number of subscribers.
Other Types of Location Update
Note: Location update is always initiated by the Mobile station
Power On
- Also known as IMSI Attach and location registration
- Done every time the mobile is switched on
Periodic Location Update
- Performed after a preset timer expires, since the last transaction with the network
- Timer value is dependent on the network operator (defined in the BSC)
Call Setup: PSTN to Mobile
[Figure labels: Mobile, Network, MSISDN +639192205071.]
Dialed number is Mobile Subscriber International ISDN Number (MSISDN)
MSISDN = CC + NDC + SN
Country Code = 63 (Philippines)
National Destination Code = 919 (Smart)
Subscriber Number = 2205071

HLR Inquiry
[Figure labels: PSTN, MSISDN, MSC, VLR, HLR.]
HLR
MSISDN          IMSI              VLR ADDRESS   SERVICES
+639192205071   515030012205071   VLR15         . . . . . .

PSTN routes the call to GSM network
GMSC analyses the received MSISDN
GMSC requests the HLR for routing information to know where to route the call (HLR Inquiry)
HLR looks up its database for the corresponding International Mobile Subscriber Identity (IMSI)
IMSI = MCC + MNC + MSIN
Mobile Country Code = 515
Mobile Network Code = 03
Mobile Subscriber Identification Number = 1234567

[Figure labels: VLR15, MSC, Request for routing info; PSTN, MSISDN, HLR, MSC, VLR.]
HLR takes the address of the subscriber from its database and sends a routing info request to the target MSC/VLR
Target MSC/VLR allocates a Mobile Subscriber Roaming Number (MSRN)
MSRN = CC + NDC + SN

[Figure labels: VLR15, MSC, MSRN to HLR; PSTN, HLR, MSC, VLR, MSRN.]
Target MSC forwards the MSRN to HLR
HLR forwards the MSRN to the originating MSC
Originating MSC analyses the MSRN and routes it to the target MSC

PSTN-originated call
[Figure labels: PSTN, +639192205071, HLR ENQ, MSRN Request, MSRN, HLR, two MSC/VLR pairs, BSC, "Hello Billy!".]
Handover
Handover: Changing the traffic channel that the MS is using
Handover: Occurs while the subscriber is making a call
In GSM, the MS helps the network in doing handover by sending signal measurement reports to its BSC
Uses the hard handover principle (release and connect)

Handover Reasons
Handover due to traffic reasons
- When the capacity of cells nears maximum, an MS in the periphery of the cell may be handed over to a neighboring cell with lower traffic load.
- MSC starts the procedure
Handover due to signal quality and strength
- When the quality or the strength of the radio signal falls below certain parameters specified in the BSC
- The BSC controlling the current cell makes the decision
- There are four types of this handover
Intra Cell Intra BSC Handover
[Figure labels: BTS, BSC, TC, NSS, Air and A interfaces, Old Channel, New Channel.]
Inter Cell Intra BSC Handover
[Figure labels: two BTSs, BSC, TC, NSS, Air and A interfaces, Old Cell, New Cell.]
Inter Cell Inter BSC Handover
[Figure labels: two BTSs, each with BSC and TC, MSC/VLR, NSS, Air and A interfaces, Old Cell, New Cell.]
Inter MSC Handover
[Figure labels: BTS, BSC, TC, two MSC/VLR pairs, Old Cell, New Cell.]

Inter-MSC Handover
HON = CC + NDC + SN
The source MSC is known as the Anchor MSC
Call is routed from source MSC to target MSC with the use of the Handover Number, HON.
Handover number has a similar structure to MSRN.
Security
Authentication
- Verification of the subscriber
Ciphering
- Encryption of the user speech in the Air Interface
IMEI Checking
- Verification of the Mobile Equipment by checking the validity of the International Mobile Equipment Identity (IMEI)
User Confidentiality
- Avoidance of the broadcast of the user's IMSI in the air interface
Authentication
+ Each subscriber has authentication keys, Ki, stored in the Authentication Center and the SIM card.
+ The network checks that the SIM holds the same Ki without Ki ever being broadcast in the air interface
+ Authentication is always performed by the VLR before call establishment and location update.
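Location of Security Algorithms
[Figure: where the security algorithms reside. A3 and A8 appear at the AC (NSS side) and at the SIM; A5 appears at the BTS (BSS side) and at the ME. Other labels: MSC, VLR, BSC, TC, Air and A interfaces.]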
IMEI Checking
+ The validity of a mobile phone may be checked to ensure its proper operation as well as protection against stolen phones.
+ The Equipment Identity Register, which is implemented as part of the HLR, contains 3 lists of IMEIs
- White List
- Gray List
- Black List
User Confidentiality
+ IMSI is a confidential identity of the subscriber.
+ After a successful first time location update, a mobile subscriber is allocated a Temporary Mobile Subscriber Identity (TMSI)
+ The next time a transaction between the GSM network and the MS is initiated, the subscriber is identified by the use of TMSI.
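The identity handling on the User Confidentiality slide, as an added example that is not part of the original slides: a simplified VLR that takes the IMSI only on a first-time location update, identifies the subscriber by TMSI afterwards, and counts how often the IMSI crosses the air interface. The class names, the random 4-byte TMSI reallocated on every update, and a visited VLR that falls back to an IMSI Request instead of asking the previous VLR are assumptions of this model; the IMSI is the sample value from the slides' HLR table.

```python
import secrets


class TmsiVlr:
    """Simplified VLR identity table (hypothetical model, not a network element)."""

    def __init__(self):
        self._imsi_by_tmsi = {}
        self.imsi_exposures = 0          # times an IMSI was sent in clear over the air

    def location_update(self, kind, value):
        """Handle a location update carrying ('IMSI', digits) or ('TMSI', bytes).

        Returns a freshly allocated TMSI, or None when the TMSI is unknown and
        the VLR has to fall back to an IMSI Request.
        """
        if kind == "IMSI":
            self.imsi_exposures += 1
            imsi = value
        else:
            imsi = self._imsi_by_tmsi.pop(value, None)   # the old TMSI is retired
            if imsi is None:
                return None
        tmsi = secrets.token_bytes(4)                    # random, carries no IMSI digits
        self._imsi_by_tmsi[tmsi] = imsi
        return tmsi


class MobileStation:
    """MS + SIM: stores the TMSI it was given and prefers it over the IMSI."""

    def __init__(self, imsi):
        self.imsi = imsi
        self.tmsi = None

    def location_update(self, vlr):
        new_tmsi = None
        if self.tmsi is not None:
            new_tmsi = vlr.location_update("TMSI", self.tmsi)
        if new_tmsi is None:                             # first time, or IMSI Request
            new_tmsi = vlr.location_update("IMSI", self.imsi)
        self.tmsi = new_tmsi
        return new_tmsi


def demo():
    """Three updates in one VLR, then a move to a VLR that has never seen the TMSI."""
    ms = MobileStation("515030012205071")                # IMSI from the slides' HLR table
    home, visited = TmsiVlr(), TmsiVlr()
    tmsis = [ms.location_update(home) for _ in range(3)]
    ms.location_update(visited)                          # unknown TMSI -> IMSI Request
    return tmsis, home.imsi_exposures, visited.imsi_exposures
```

Every increment of `imsi_exposures` is a point where the permanent identity is visible on the air interface, which is the quantity the TMSI mechanism is meant to keep small.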
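GSM Security Management
[Figure: security procedures across AC, VLR, BTS, Air Interface, ME and SIM.
Authentication: A3 at the AC and A3 at the SIM each take RAND and Ki and produce SRES; the two SRES values are compared.
Ciphering: A8 at the AC and A8 at the SIM each produce Kc; A5 at the BTS and A5 at the ME take Kc and the TDMA frame number (TDMA FN), so traffic crosses the air interface as encrypted data.
IMEI Checking: the network requests the IMEI, the ME provides it, and it is checked at the EIR.]

Authentication Triplets
[Figure: in the AC, a Random Number Generator supplies RAND; A3 and A8 take RAND and Ki and produce SRES and Kc. The authentication triplets (RAND, SRES, Kc) are passed to the VLR.]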
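The challenge-response flow from the Authentication and Authentication Triplets slides, as an added example that is not part of the original slides: the AC builds a triplet from Ki and a fresh RAND, the VLR compares the SIM's SRES with the triplet's, and a SIM with the wrong Ki is rejected. The real A3/A8 algorithms are chosen by the operator; HMAC-SHA256 is a stand-in here, and the class names, the Ki values and the field sizes (128-bit RAND, 32-bit SRES, 64-bit Kc, which the slides do not state) are assumptions of this example.

```python
import hashlib
import hmac
import secrets


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for A3 and A8 (assumption: HMAC-SHA256, not a GSM algorithm).

    Returns (SRES, Kc): a 32-bit signed response and a 64-bit cipher key.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AuthCenter:
    """AC: stores Ki per IMSI and hands out triplets, never Ki itself."""
    def __init__(self, ki_by_imsi):
        self._ki_by_imsi = dict(ki_by_imsi)

    def triplet(self, imsi):
        rand = secrets.token_bytes(16)               # fresh 128-bit RAND
        sres, kc = a3_a8(self._ki_by_imsi[imsi], rand)
        return rand, sres, kc


class Sim:
    """SIM: holds its own copy of Ki and answers a RAND challenge."""
    def __init__(self, imsi, ki):
        self.imsi = imsi
        self._ki = ki

    def respond(self, rand):
        return a3_a8(self._ki, rand)                 # SRES goes back, Kc stays local


class Vlr:
    """VLR: compares SRES values from a triplet; it never handles Ki."""
    def __init__(self, ac):
        self._ac = ac

    def authenticate(self, sim):
        rand, expected_sres, kc = self._ac.triplet(sim.imsi)
        sres, _kc_in_mobile = sim.respond(rand)      # only RAND and SRES cross the air
        if hmac.compare_digest(sres, expected_sres):
            return kc                                # key handed to A5 for ciphering
        return None                                  # wrong Ki: reject, no cipher key


# Constructed sample data: IMSI from the slides' HLR table, Ki values made up here.
IMSI = "515030012205071"
KI = bytes.fromhex("00112233445566778899aabbccddeeff")
VLR = Vlr(AuthCenter({IMSI: KI}))
GENUINE_SIM = Sim(IMSI, KI)
WRONG_KI_SIM = Sim(IMSI, bytes(16))                  # same IMSI, different Ki
```

`VLR.authenticate(GENUINE_SIM)` returns the 8-byte Kc, while `VLR.authenticate(WRONG_KI_SIM)` returns `None` even though both SIMs present the same IMSI.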
SMS: MO and MT
[Figure labels: SMS-MO and SMS-MT; Short Message Service Center (SMSC), MSC, VLR, NSS, A interface, BSS, Air interface.]
SMS: Cell Broadcast
[Figure labels: SMS-Cell Broadcast; BSC, four BTSs, NSS, BSS, NMS, Air and A interfaces.]
Signalling
Signalling in GSM Network
[Figure labels: BTS, BSC, MSC, PSTN / HLRs / other MSCs; signalling protocols LAPDm, LAPD, SS#7, SS#7.]
RF ACCESS and Transmission

GSM Frequency Allocation
Band       Uplink            Downlink
GSM 900    890 - 915 MHz     935 - 960 MHz     (124 channels)
GSM 1800   1710 - 1785 MHz   1805 - 1880 MHz   (374 channels)
GSM 1900   1850 - 1910 MHz   1930 - 1990 MHz
[Figure labels: BTS, MS; DCS (Digital Communication System); PCS (Personal Communication System).]

Carrier Frequency Range
                     GSM 900                  DCS 1800
Downlink             935-960 MHz              1805-1880 MHz
Uplink               890-915 MHz              1710-1785 MHz
Duplex Distance      45 MHz                   95 MHz
Carrier Separation   200 kHz                  200 kHz
No. of Channels      25 MHz/200 kHz = 124     75 MHz/200 kHz = 374

Carrier Pairs (uplink/downlink), MHz
GSM 900              DCS 1800
890.0 / 935.0        1710.0 / 1805.0
890.2 / 935.2        1710.2 / 1805.2
890.4 / 935.4        1710.4 / 1805.4
...                  ...
914.8 / 959.8        1784.8 / 1879.8
915.0 / 960.0        1785.0 / 1880.0

Remarks
GSM 900: Wide coverage; better indoor penetration
DCS 1800: Higher capacity in terms of available channels; less prone to co-channel interference
[Figure: multiple-access schemes: FDMA (Frequency Division, carriers f1, f2, f3), CDMA (Code Division), TDMA (Time Division).]
BTS Configuration
Omni directional BTS: f1, f2, f3
3 sectorized BTS: f5, f6 / f1, f2 / f3, f4
2 sectorized BTS: f1 / f2
Nokia Implementation
THE GSM NETWORK
[Figure: the GSM network architecture diagram shown earlier, repeated.]
THE GSM NETWORK (NOKIA Implementation)
[Figure: the same architecture in the Nokia implementation. Elements: Mobile Station, Base Transceiver Station (BTS), Base Station Controller (BSC), Transcoder (TCSM), Mobile Switching Center (MSC), VLR, Home Location Register (HLR), AC, EIR, Short Message Service Center (SMSC), Network Management Subsystem (NMS), links to other networks; interfaces Air I/F, Abis I/F, Ater I/F and A I/F; some elements are marked "Co-located".]
Next Steps
Evolution of GSM to the 3rd Generation Mobile System
[Figure labels: HSCSD, GPRS, EDGE, UMTS, 3rd Generation.]
HSCSD: High Speed Circuit Switched Data
[Figure labels: TDMA Timeslot, TDMA Frame, BTS, multiple bursts from each mobile station, 28.8 Kbits/s, 57.6 Kbits/s.]
GPRS
+ Transmission of data in packet form
+ Achieve higher cost efficiency in data transmission compared to traditional circuit mode
+ Dynamic data transmission speed
+ Mobile can stay connected to the network all day
+ Charging per data
GPRS Network
[Figure: GPRS network architecture. Elements: BTS, BSC, PCU, MSC, SGSN (Serving GPRS Support Node), GGSN (Gateway GPRS Support Node), BG (Border Gateway), CG (Charging Gateway), HLR (Home Location Register), SMSC (Short Message Service Centre), DNS (Domain Name Systems), Legal Intercept, Firewall, Billing System, Integrated Network Management. Networks: GPRS Backbone IP Network, Internet, InterPLMN Network, corporate intranet (router, server, local area network), PSTN network, SS7 network.]
EDGE
+ Uses an advanced modulation technique (GMSK to 8PSK)
+ Reduces the overhead that is used for error protection
+ Still uses the 200 kHz GSM channel and the current frequency band
+ Increases data transmission speed /TSL (14.4 Kbps -> up to 70 Kbps)
+ Enables mobile users to retrieve data and handle multimedia services
+ Requires minor changes in the network hardware and software
WAP: Wireless Application Protocol
- To bring internet content (down-sized version) to the MSs
- WAP is a global standard for all digital systems, e.g. GSM, CDMA, and 3G systems
- WML (Wireless Markup Language) is the tag-based display language used for WAP applications; it is a down-sized variation of HTML providing navigation support, data input and hyperlinks
- Still uses the data connection at 9.6 Kbps
Main objectives of IMT-2000
- Full coverage and mobility for 144Kbits/s, preferably 384Kbits/s
- Limited coverage and mobility for 2Mbits/s
- Efficient use of radio spectrum compared with existing systems
- Flexible architecture to allow introduction of new services

3G Mobile Systems
[Figure: data rate against mobility, from Wide Area/High Mobility to Short Distance/Low Mobility, with rates 10Kbps, 144Kbps, 384Kbps and 2Mbps. Systems shown: 2nd Generation System, Evolved 2nd Generation Systems (GSM-HSCSD, GPRS), GSM-EDGE, IMT-2000.]
3G Network Architecture
[Figure: 3G network architecture. Mobiles: GSM Mobile, GSM/UMTS Mobile, UMTS Mobile. Radio access: GSM Base Station, BSC, UMTS Base Station, Radio Network Controller. Core: NSS with MSC and HLR, 3G-IWU, Packet Subsystem with SGSN and GGSN, IN Service Control Point.]
Q & A
End
Thank You
