CHAPTER 1 - INTRODUCTION

GSM is an acronym that stands for Global System for Mobile Communications. The original French acronym stands for Groupe Spécial Mobile. It was originally developed in 1984 as a standard for a mobile telephone system that could be used across Europe. GSM is now an international standard for mobile service. It offers high mobility: subscribers can easily roam worldwide and access any GSM network.

GSM is a digital cellular network. At the time the standard was developed it offered much higher capacity than the then-current analog systems. It also allowed for a more efficient allocation of the radio spectrum, which in turn allows for a larger number of subscribers. GSM offers a number of services including voice communications, Short Message Service (SMS), fax, voice mail, and other supplemental services such as call forwarding and caller ID.

Currently there are several bands in use in GSM. 450 MHz, 850 MHz, 900 MHz, 1800 MHz, and 1900 MHz are the most common ones. Some bands also have Extended GSM (EGSM) bands added to them, increasing the amount of spectrum available for each band.

GSM makes use of Frequency Division Multiple Access (FDMA) and Time Division Multiple Access (TDMA).

*TDMA will be discussed later.

UPLINKS/DOWNLINKS & REVERSE/FORWARD

GSM allows for duplex operation. Each band has a frequency range for the uplink (cell phone to tower) and a separate range for the downlink (tower to the cell phone). The uplink is also known as the Reverse and the downlink is also known as the Forward. In this tutorial, I will use the terms uplink and downlink.

[Figure: Uplink and Downlink]

FREQUENCY DIVISION MULTIPLE ACCESS (FDMA)

GSM divides the allocated spectrum for each band up into individual carrier frequencies. Carrier separation is 200 kHz. This is the FDMA aspect of GSM.

ABSOLUTE RADIO FREQUENCY CHANNEL NUMBER (ARFCN)

The ARFCN is a number that describes a pair of frequencies, one uplink and one downlink.
The uplink and downlink frequencies each have a bandwidth of 200 kHz. The uplink and downlink have a specific offset that varies for each band. The offset is the frequency separation of the uplink from the downlink. Every time the ARFCN increases by one, the uplink increases by 200 kHz and the downlink also increases by 200 kHz.

An ARFCN has an allowed bandwidth of 200 kHz, which corresponds exactly to the carrier separation. The frequency of the ARFCN refers to its center frequency. If an ARFCN has a frequency of 914.80 MHz, then it occupies the frequency space from 914.7 MHz to 914.9 MHz (200 kHz total). Remember that this is the allocated bandwidth. Because of the nature of the modulation method (GMSK) and the data rate used in GSM, the actual physical bandwidth will be about 135.4 kHz. The unused bandwidth in each ARFCN acts as a buffer between neighboring ARFCNs to avoid interference.

*Note: Although GSM operates in duplex (separate frequencies for transmit and receive), the mobile station does not transmit and receive at the same time. A switch is used to toggle the antenna between the transmitter and receiver.

The following table summarizes the frequency ranges, offsets, and ARFCNs for several popular bands.

[Table: GSM Bands]

The following diagram illustrates an ARFCN with paired uplink and downlink frequencies for ARFCN 1 in the GSM 900 band.

[Figure: GSM900 ARFCN 1]

CALCULATING UPLINK/DOWNLINK FREQUENCIES

The following is a way to calculate the uplink and downlink frequencies for some of the bands, given the band, the ARFCN, and the offset.

GSM 900
Up = 890.0 + (ARFCN * 0.2)
Down = Up + 45.0

Example
Given ARFCN 72, and knowing that the offset is 45 MHz for the GSM900 band:
Up = 890.0 + (72 * 0.2)
Up = 890.0 + 14.4
Up = 904.40 MHz
Down = Up + Offset
Down = 904.40 + 45.0
Down = 949.40 MHz

The uplink/downlink pair for GSM900 ARFCN 72 is 904.40/949.40 (MHz).

Note that channel 0 (890.0 MHz) is used as a guard band in GSM-900 and is not usable for traffic.
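The ARFCN arithmetic above, carried through for all four bands whose formulas this tutorial gives (GSM900, EGSM900, DCS1800, PCS1900), as an added example that is not part of the original tutorial. The ARFCN ranges for DCS1800 (512-885) and PCS1900 (512-810) are assumed from the standard; the tutorial itself states only the formulas.

```python
# Added example (not from the tutorial): ARFCN -> uplink/downlink frequency
# calculator for the four bands whose formulas the tutorial gives. Offsets and
# guard channels follow the tutorial's text; the DCS1800/PCS1900 ARFCN ranges
# are assumed from the standard.
from fractions import Fraction
from typing import NamedTuple, Tuple


class ChannelPair(NamedTuple):
    band: str
    arfcn: int
    uplink_mhz: Fraction
    downlink_mhz: Fraction
    guard: bool  # True for the unusable guard channels the tutorial names


def _step(n: int) -> Fraction:
    """n channels of 200 kHz spacing, kept exact with Fraction (no float drift)."""
    return Fraction(n) * Fraction(2, 10)


def arfcn_to_freq(band: str, arfcn: int) -> ChannelPair:
    """Map (band, ARFCN) to the centre frequencies of its uplink/downlink pair.

    Formulas as in the tutorial:
      GSM900   Up = 890.0 + ARFCN*0.2              (0..124)     Down = Up + 45
      EGSM900  Up = 890.0 + ARFCN*0.2              (0..124)     Down = Up + 45
               Up = 890.0 + (ARFCN-1024)*0.2       (975..1023)
      DCS1800  Up = 1710.0 + (ARFCN-511)*0.2       (512..885)   Down = Up + 95
      PCS1900  Up = 1850.0 + (ARFCN-512)*0.2       (512..810)   Down = Up + 80
    """
    if band == "GSM900":
        if not 0 <= arfcn <= 124:
            raise ValueError(f"ARFCN {arfcn} not in GSM900 range 0..124")
        up = Fraction(890) + _step(arfcn)
        guard = arfcn == 0  # channel 0 (890.0 MHz) is a guard band in plain GSM900
        return ChannelPair(band, arfcn, up, up + 45, guard)

    if band == "EGSM900":
        if 0 <= arfcn <= 124:
            up = Fraction(890) + _step(arfcn)
            guard = False  # ARFCN 0 sits mid-band in E-GSM and is usable
        elif 974 <= arfcn <= 1023:
            up = Fraction(890) + _step(arfcn - 1024)  # extension lies BELOW 890 MHz
            guard = arfcn == 974  # 880.0 MHz is the lower guard channel
        else:
            raise ValueError(f"ARFCN {arfcn} not in EGSM900 range 0..124 / 974..1023")
        return ChannelPair(band, arfcn, up, up + 45, guard)

    if band == "DCS1800":
        if not 512 <= arfcn <= 885:  # assumed range
            raise ValueError(f"ARFCN {arfcn} not in DCS1800 range 512..885")
        up = Fraction(1710) + _step(arfcn - 511)
        return ChannelPair(band, arfcn, up, up + 95, False)

    if band == "PCS1900":
        if not 512 <= arfcn <= 810:  # assumed range
            raise ValueError(f"ARFCN {arfcn} not in PCS1900 range 512..810")
        up = Fraction(1850) + _step(arfcn - 512)
        return ChannelPair(band, arfcn, up, up + 80, False)

    raise ValueError(f"unknown band {band!r}")


def occupied_span(center_mhz: Fraction) -> Tuple[Fraction, Fraction]:
    """The 200 kHz allocation around a centre frequency, e.g. 914.8 -> (914.7, 914.9)."""
    return center_mhz - Fraction(1, 10), center_mhz + Fraction(1, 10)


if __name__ == "__main__":
    for band, ch in [("GSM900", 72), ("EGSM900", 975), ("DCS1800", 700), ("PCS1900", 600)]:
        p = arfcn_to_freq(band, ch)
        lo, hi = occupied_span(p.uplink_mhz)
        print(f"{band} ARFCN {ch}: up {float(p.uplink_mhz):.1f} MHz "
              f"({float(lo):.1f}-{float(hi):.1f}), down {float(p.downlink_mhz):.1f} MHz"
              f"{'  [guard]' if p.guard else ''}")
```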
Here are the formulas for EGSM900, DCS1800, and PCS1900:

EGSM900
Up = 890.0 + (ARFCN * 0.2) (ARFCN 0-124)
Up = 890.0 + ((ARFCN - 1024) * 0.2) (ARFCN 975-1023)
Down = Up + 45.0

***Notice that the extended portion of the E-GSM band actually occurs below the regular band in frequency. ARFCNs 974-1023 occur from 880.0 MHz to 889.80 MHz. The regular GSM channels (0-124) occur from 890.0 MHz to 914.8 MHz. ARFCN 974 (880.0 MHz) is used as a guard band and so is not usable for traffic. ARFCN 0 (890.0 MHz), which is used as a guard band in regular GSM-900, is available for use as a traffic channel in E-GSM, since this channel happens to be in the middle of the band and a guard channel is not necessary there.

DCS1800
Up = 1710.0 + ((ARFCN - 511) * 0.2)
Down = Up + 95.0

PCS1900
Up = 1850.0 + ((ARFCN - 512) * 0.2)
Down = Up + 80.0

NUMBERING SYSTEM (IDENTIFIERS)

MOBILE SUBSCRIBER ISDN (MSISDN)

The MSISDN is the subscriber's phone number. It is the number that another person would dial in order to reach the subscriber. The MSISDN is composed of three parts:

Country Code (CC) - This is the international dialing code for whichever country the MS is registered to.
National Destination Code (NDC) - In GSM, an NDC is assigned to each PLMN. In some cases, a PLMN may need more than one NDC.
Subscriber Number (SN) - This is a number assigned to the subscriber by the service provider (PLMN).

[Figure: MSISDN]

The combination of the NDC and the SN is known as the National (significant) Mobile Number. This number identifies a subscriber within the GSM PLMN.

[Figure: National (significant) Mobile Number]

INTERNATIONAL MOBILE SUBSCRIBER IDENTITY (IMSI)

The IMSI is how the subscriber is identified to the network. It uniquely identifies the subscriber within the GSM global network. The IMSI is burned into the SIM card and is paired with an MSISDN. The IMSI is composed of three parts:

Mobile Country Code (MCC) - This number identifies which country the subscriber's network is in. It has 3 digits.
Mobile Network Code (MNC) - This number identifies the home GSM PLMN of the subscriber (Cingular, T-Mobile, MTN, Glo, etc.). It has 2 or 3 digits. Some networks may have more than one MNC allocated to them.
Mobile Subscriber Identification Number (MSIN) - This number uniquely identifies a user within the home GSM network.

[Figure: IMSI]

TEMPORARY MOBILE SUBSCRIBER IDENTITY (TMSI)

The TMSI is a 32-bit number (4 octets) that is temporarily assigned to an MS and is used on the network in lieu of the IMSI. It is designed to protect the privacy of the subscriber and prevent the IMSI from being discovered. The VLR will assign the TMSI to an MS when it registers in that Location Area. The network may also require the VLR to assign a new TMSI to an MS periodically, or even every time it completes a transaction. The TMSI is stored on the SIM card. The TMSI is always assigned when in cipher mode (traffic is encrypted).

INTERNATIONAL MOBILE EQUIPMENT IDENTITY (IMEI)

The IMEI uniquely identifies the Mobile Equipment (the phone itself). It is essentially a serial number that is burned into the phone by the manufacturer. The current format for the IMEI is composed of three parts:

Type Allocation Code (TAC) - 8 digits
Serial Number (SNR) - 6 digits
Check Digit (SP) - 1 digit

[Figure: IMEI]

Type Allocation Code (TAC) - This number uniquely identifies the model of a wireless device. It is composed of 8 digits. Under the new system (as of April 2004), the first two digits of a TAC are the Reporting Body Identifier (RBI) of the GSM approved group that allocated this model type.
Serial Number (SNR) - This number is a manufacturer-defined serial number for the model of wireless device.
Check Digit (SP) - This number is a check digit known as a Luhn Check Digit. It is used to ensure that the first 14 digits were transmitted/received correctly.
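The IMEI layout and Luhn check digit described above, plus the 16-digit IMEISV form covered later in this chapter, as an added example (not code from the tutorial). The sample IMEI in the block is a commonly published example value, not a real handset.

```python
# Added example (not from the tutorial): validate and decompose a 15-digit IMEI
# (TAC 8 digits, SNR 6 digits, Luhn check digit) and build the 16-digit IMEISV
# (check digit dropped, 2-digit SVN appended).
from typing import NamedTuple


class Imei(NamedTuple):
    tac: str    # Type Allocation Code, 8 digits
    rbi: str    # Reporting Body Identifier, first 2 digits of the TAC
    snr: str    # manufacturer serial number, 6 digits
    check: str  # Luhn check digit


def luhn_check_digit(body: str) -> str:
    """Luhn check digit for a digit string: double every second digit counting
    from the right, fold two-digit results back by subtracting 9, and pad the
    sum up to the next multiple of 10."""
    if not body.isdigit():
        raise ValueError("Luhn body must be decimal digits")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # the rightmost body digit is the first one doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def parse_imei(imei: str) -> Imei:
    """Split a 15-digit IMEI into TAC/SNR/check digit, rejecting a bad length
    and a check digit that does not match the first 14 digits. Separators such
    as '-' or spaces are ignored."""
    digits = "".join(c for c in imei if c.isdigit())
    if len(digits) != 15:
        raise ValueError(f"IMEI must have 15 digits, got {len(digits)}")
    body, check = digits[:14], digits[14]
    expected = luhn_check_digit(body)
    if check != expected:
        raise ValueError(f"IMEI check digit {check} invalid (expected {expected})")
    return Imei(tac=body[:8], rbi=body[:2], snr=body[8:14], check=check)


def imei_to_imeisv(imei: str, svn: str) -> str:
    """IMEISV = TAC (8) + SNR (6) + SVN (2); the check digit is not carried over."""
    parsed = parse_imei(imei)  # validates the IMEI first
    if len(svn) != 2 or not svn.isdigit():
        raise ValueError("SVN must be exactly 2 digits")
    return parsed.tac + parsed.snr + svn


if __name__ == "__main__":
    # Sample IMEI: a commonly published example value, not a real handset.
    sample = "490154203237518"
    print(parse_imei(sample))
    print(imei_to_imeisv(sample, "01"))  # 16 digits, ending in the SVN
```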
On many devices the IMEI number can be retrieved by entering *#06#.

Former IMEI Structure

Prior to April 2004 the IMEI had a different structure:

Type Allocation Code (TAC) - 6 digits
Final Assembly Code (FAC) - 2 digits
Serial Number (SNR) - 6 digits
Check Digit - 1 digit

[Figure: Former IMEI Structure]

As of April 2004, the use of the FAC was no longer required. The current practice is for the TAC for a new model to be approved by national regulating bodies, known as Reporting Bodies, whose Reporting Body Identifier forms the first two digits of the TAC.

INTERNATIONAL MOBILE EQUIPMENT IDENTITY/SOFTWARE VERSION (IMEISV)

This is a newer form of the IMEI that omits the Spare (check) digit at the end and adds a 2-digit Software Version Number (SVN) at the end. The SVN identifies the software version that the wireless device is using. This results in a 16-digit IMEI:

Type Allocation Code (TAC) - 8 digits
Serial Number (SNR) - 6 digits
Software Version Number (SVN) - 2 digits

[Figure: IMEISV]

MOBILE STATION ROAMING NUMBER (MSRN)

The MSRN is a number that is used to route calls to the Mobile Switching Center (MSC) that is associated with the VLR that the MS is registered with.

Process:
When someone places a call to an MS, the network will query the Home Location Register (HLR) to find out which VLR the MS is currently registered with. The HLR will send a request to the VLR of the MS indicating a call setup. The VLR generates the MSRN for the call and sends it back to the HLR. The network then passes the MSRN to the MSC that is originating the call. The originating MSC then contacts the desired MS's MSC and uses the MSRN to set up the call.

The format of the MSRN is similar to the MSISDN. It will start with the CC and be followed by the NDC. The remaining digits are allocated however the network wants to. Some form of sequential numbering is often employed. It is important to remember that the MSRN is assigned to a call and not to an MS itself.
The MSRN is essentially a reference number assigned to a call so that the MSC/VLR knows which MS the call is for and can set up the call. For that reason, the MSRN is sometimes dubbed the Mobile Station Routing Number.

CHAPTER 2 - GSM NETWORK ARCHITECTURE

A GSM network is made up of multiple components and interfaces that facilitate sending and receiving of signaling and traffic messages. It is a collection of transceivers, controllers, switches, routers, and registers. A Public Land Mobile Network (PLMN) is a network that is owned and operated by one GSM service provider or administration, which includes all of the components and equipment described below. For example, all of the equipment and network resources that are owned and operated by Cingular are considered a PLMN.

MOBILE STATION (MS)

The Mobile Station (MS) is made up of two components:

Mobile Equipment (ME)

This refers to the physical phone itself. The phone must be able to operate on a GSM network. Older phones operated on a single band only. Newer phones are dual-band, triple-band, and even quad-band capable. A quad-band phone has the technical capability to operate on any GSM network worldwide. Each phone is uniquely identified by the International Mobile Equipment Identity (IMEI) number. This number is burned into the phone by the manufacturer. The IMEI can usually be found by removing the battery of the phone and reading the panel in the battery well. It is possible to change the IMEI on a phone to reflect a different IMEI. This is known as IMEI spoofing or IMEI cloning. This is usually done on stolen phones. The average user does not have the technical ability to change a phone's IMEI.

Subscriber Identity Module (SIM)

The SIM is a small smart card that is inserted into the phone and carries information specific to the subscriber, such as the IMSI, TMSI, Ki (used for encryption), Service Provider Name (SPN), and Location Area Identity (LAI).
The SIM can also store phone numbers (MSISDN) dialed and received, the Kc (used for encryption), phone books, and data for other applications. A SIM card can be removed from one phone and inserted into another GSM-capable phone, and the subscriber will get the same service as always.

Each SIM card is protected by a 4-digit Personal Identification Number (PIN). In order to unlock a card, the user must enter the PIN. If a PIN is entered incorrectly three times in a row, the card blocks itself and cannot be used. It can only be unblocked with an 8-digit Personal Unblocking Key (PUK), which is also stored on the SIM card.

BASE TRANSCEIVER STATION (BTS)

The BTS is the Mobile Station's access point to the network. It is responsible for carrying out radio communications between the network and the MS. It handles speech encoding, encryption, multiplexing (TDMA), and modulation/demodulation of the radio signals. It is also capable of frequency hopping. A BTS will have between 1 and 16 Transceivers (TRX), depending on the geography and user demand of an area. Each TRX represents one ARFCN.

One BTS usually covers a single 120-degree sector of an area. Usually a tower with 3 BTSs will accommodate all 360 degrees around the tower. However, depending on the geography and user demand of an area, a cell may be divided up into one or two sectors, or a cell may be serviced by several BTSs with redundant sector coverage.

A BTS is assigned a Cell Identity. The Cell Identity is a 16-bit number (double octet) that identifies that cell in a particular Location Area. The Cell Identity is part of the Cell Global Identification (CGI), which is discussed in the section about the Visitor Location Register (VLR).

[Figure: 120° Sector]

The interface between the MS and the BTS is known as the Um Interface or the Air Interface.

[Figure: Um Interface]

BASE STATION CONTROLLER (BSC)

The BSC controls multiple BTSs.
It handles allocation of radio channels, frequency administration, power and signal measurements from the MS, and handovers from one BTS to another (if both BTSs are controlled by the same BSC). A BSC also functions as a "funneler": it reduces the number of connections to the Mobile Switching Center (MSC) and allows for higher-capacity connections to the MSC. A BSC may be collocated with a BTS or it may be geographically separate. It may even be collocated with the Mobile Switching Center (MSC).

[Figure: Base Station Controller]

The interface between the BTS and the BSC is known as the Abis Interface.

[Figure: Abis Interface]

The Base Transceiver Station (BTS) and the Base Station Controller (BSC) together make up the Base Station System (BSS).

MOBILE SWITCHING CENTER (MSC)

The MSC is the heart of the GSM network. It handles call routing, call setup, and basic switching functions. An MSC handles multiple BSCs and also interfaces with other MSCs and registers. It also handles inter-BSC handoffs and coordinates with other MSCs for inter-MSC handoffs.

[Figure: Mobile Switching Center]

The interface between the BSC and the MSC is known as the A Interface.

[Figure: A Interface]

GATEWAY MOBILE SWITCHING CENTER (GMSC)

There is another important type of MSC, called a Gateway Mobile Switching Center (GMSC). The GMSC functions as a gateway between two networks. If a mobile subscriber wants to place a call to a regular land line, then the call would have to go through a GMSC in order to switch to the Public Switched Telephone Network (PSTN).

[Figure: Gateway Mobile Switching Center]

For example, if a subscriber on the Cingular network wants to call a subscriber on the T-Mobile network, the call would have to go through a GMSC.

[Figure: Connections Between Two Networks]

The interface between two Mobile Switching Centers (MSC) is called the E Interface.

[Figure: E Interface]

HOME LOCATION REGISTER (HLR)

The HLR is a large database that permanently stores data about subscribers.
The HLR maintains subscriber-specific information such as the MSISDN, IMSI, current location of the MS, roaming restrictions, and subscriber supplemental features. There is logically only one HLR in any given network, but generally speaking each network has multiple physical HLRs spread out across its network.

VISITOR LOCATION REGISTER (VLR)

The VLR is a database that contains a subset of the information located in the HLR. It contains similar information to the HLR, but only for subscribers currently in its Location Area. There is a VLR for every Location Area. The VLR reduces the overall number of queries to the HLR and thus reduces network traffic. VLRs are often identified by the Location Area Code (LAC) for the area they service.

[Figure: Visitor Location Register]

Location Area Code (LAC)

A LAC is a fixed-length code (two octets) that identifies a location area within the network. Each Location Area is serviced by a VLR, so we can think of a Location Area Code (LAC) as being assigned to a VLR.

Location Area Identity (LAI)

An LAI is a globally unique number that identifies the country, network provider, and LAC of any given Location Area, which coincides with a VLR. It is composed of the Mobile Country Code (MCC), the Mobile Network Code (MNC), and the Location Area Code (LAC). The MCC and the MNC are the same numbers used when forming the IMSI.

Cell Global Identification (CGI)

The CGI is a number that uniquely identifies a specific cell within its location area, network, and country. The CGI is composed of the LAI (MCC, MNC, and LAC) followed by the Cell Identity (CI).

[Figure: Cell Global Identity]

The VLR also has one other very important function: the assignment of a Temporary Mobile Subscriber Identity (TMSI). TMSIs are assigned by the VLR to an MS as it comes into its Location Area. TMSIs are only allocated when in cipher mode.

The interface between the MSC and the VLR is known as the B Interface, and the interface between the VLR and the HLR is known as the D Interface.
The interface between two VLRs is called the G Interface.

[Figure: GSM Interfaces]

EQUIPMENT IDENTITY REGISTER (EIR)

The EIR is a database that keeps track of handsets on the network using the IMEI. There is only one EIR per network. It is composed of three lists: the white list, the gray list, and the black list.

The black list is a list of IMEIs that are to be denied service by the network for some reason. Reasons include the IMEI being listed as stolen or cloned, or the handset malfunctioning or not having the technical capabilities to operate on the network.

The gray list is a list of IMEIs that are to be monitored for suspicious activity. This could include handsets that are behaving oddly or not performing as the network expects them to.

The white list is an unpopulated list. That means if an IMEI is not on the black list or on the gray list, then it is considered good and is "on the white list".

The interface between the MSC and the EIR is called the F Interface.

[Figure: Equipment Identity Register]

AUTHENTICATION CENTER (AuC)

The AuC is responsible for generating the necessary cryptovariables for authentication and encryption on the network. These variables are the RAND, SRES, and Kc. The AuC also stores the Ki for each IMSI on the network. Although it is not required, the AuC is normally physically collocated with the HLR.

[Figure: Authentication Center]

There is one last interface that we haven't discussed. The interface between the HLR and a GMSC is called the C Interface. You will see it in the full network diagram below.

This completes the introduction to the network architecture of a GSM network. Below you will find a network diagram with all of the components as well as the names of all of the interfaces.

[Figure: Full GSM Network]

CHAPTER 3 - TIME DIVISION MULTIPLE ACCESS

INTRODUCTION

GSM uses Time Division Multiple Access (TDMA) as its access scheme. This is how the MS interfaces with the network. TDMA is the protocol used on the Air (Um) Link.
GSM uses Gaussian Minimum-Shift Keying (GMSK) as its modulation method. Time Division means that the frequency is divided up into blocks of time and only certain logical channels are transmitted at certain times. Logical channels will be introduced in the next lesson. The time divisions in TDMA are known as Time Slots.

TIME SLOTS

A frequency is divided up into 8 time slots, numbered 0 to 7.

[Figure: Time Slots]

On a side note, also remember that GSM carrier frequencies are separated by 200 kHz and that GSM operates in duplex. A channel number assigned to a pair of frequencies, one uplink and one downlink, is known as an Absolute Radio Frequency Channel Number (ARFCN).

Each time slot lasts 576.9 µs. A time slot is the basic radio resource used to facilitate communication between the MS and the BTS.

[Figure: Time Slot Duration]

DATA RATES

As stated earlier, GSM uses Gaussian Minimum-Shift Keying (GMSK) as its modulation method. GMSK provides a modulation rate of 270.833 kilobits per second (kb/s). At that rate, a maximum of 156.25 bits can be transmitted in each time slot (576.9 µs).

Math:
270.833 kb/s × 1000 = 270,833 bits/sec (converting from kilobits to bits)
270,833 b/sec ÷ 1,000,000 = 0.270833 b/µs (calculating bits per microsecond)
0.270833 b/µs × 576.9 µs = 156.25 bits (calculating the number of bits per time slot)

So, 156.25 bits can be transmitted in a single time slot.

[Figure: Bits per Time Slot]

DATA BURST

The data transmitted during a single time slot is known as a burst. Each burst allows 8.25 bits for guard time within a time slot. This is to prevent bursts from overlapping and interfering with transmissions in other time slots. Subtracting this from the 156.25 bits, there are 148 bits usable for each burst.

There are four main types of bursts in TDMA:
1. Normal Burst (NB)
2. Frequency Correction Burst (FB)
3. Synchronization Burst (SB)
4. Access Burst (AB)

1. Normal Burst

The data transmitted during a single time slot is known as a burst.
Each burst allows 8.25 bits for guard time. This is to prevent bursts from overlapping and interfering with transmissions in other time slots. Out of 156.25 bits, this leaves 148 bits usable for each burst. Here is the structure of a normal burst:

[Figure: Burst]

Tail Bits - Each burst leaves 3 bits on each end in which no data is transmitted. This is designed to compensate for the time it takes for the transmitter power to rise to its peak at the start of a transmission. The bits at the end compensate for the powering down at the end of the transmission.
Data Bits - There are two data payloads of 57 bits each.
Stealing Flags - Indicate whether the burst is being used for voice/data (set to "0") or whether the burst is being "stolen" by the FACCH to be used for signalling (set to "1"). *The FACCH is discussed later.
Training Sequence - The training sequence bits are used to overcome multi-path fading and propagation effects through a method called equalization.

*Note: The 3GPP TS 45.001 standard does not describe stealing bits, and instead allows for two 58-bit data payloads in a burst. However, it is common practice in GSM networks to use 57-bit payloads and stealing bits.

This diagram illustrates a single burst inside a time slot. Remember that 8.25 bits are not used in order to allow for a guard time.

[Figure: Burst within a Time Slot]

Since each burst has two 57-bit data segments, we can see that a single burst has a data payload of 114 bits.

2. Frequency Correction Burst

This burst is used for frequency synchronization of the mobile station. It is an unmodulated carrier that shifts in frequency. It has the same guard time as a normal burst (8.25 bits). The broadcast of the FB usually occurs on the logical channel FCCH.

[Figure: Frequency Correction Burst]

3. Synchronization Burst

This burst is used for time synchronization of the mobile. The data payload carries the TDMA Frame Number (FN) and the Base Station Identity Code (BSIC). It is broadcast with the frequency correction burst.
The Synchronization Burst is broadcast on the Synchronization Channel (SCH).

[Figure: Synchronization Burst]

4. Access Burst

This burst is used by the mobile station for random access. It has a much longer guard period (68.25 bits compared to the 8.25 bits in a normal burst). It is designed to compensate for the unknown distance of the mobile station from the tower: when the MS wants access to a new BTS, it does not yet know the correct Timing Advance.

[Figure: Access Burst]

Calculating the Data Throughput

Since each burst has two 57-bit data segments, we can see that a single burst has a data payload of 114 bits. Each burst lasts 576.9 µs, so we can calculate the theoretical bit rate of a single time slot:

114 bits ÷ 576.9 µs = 0.1976 bits/µs (calculating bits per µs)
0.1976 bits/µs × 1,000,000 = 197,607 bits/sec (converting µs to sec)

Since there are 8 time slots per carrier frequency, each time slot would only get 1/8 of this bit rate, so:

197,607 bits/sec ÷ 8 = 24,700 bits/sec (calculating the bit rate for one of eight time slots)
24,700 bits/sec ÷ 1000 = 24.7 kbits/sec (converting bits to kilobits)

So, using GMSK modulation there is a maximum bit rate of 24.7 kb/s for a single time slot. Note that this bit rate does not account for any error correction bits. Any bits used for error correction would have to be taken from the 114-bit data payload of each burst.

TDMA FRAME STRUCTURE & HIERARCHY

TDMA Frame

Each sequence of 8 time slots is known as a TDMA frame. The duration of a TDMA frame is 4.615 milliseconds (ms) (576.9 µs × 8).

* Remember that a TDMA frame is 8 time slots and that no one resource will be given an entire TDMA frame; the resources must share them.

[Figure: A TDMA Frame]

Multiframe

A Multiframe is composed of multiple TDMA frames. There are two types of multiframes:
1. Control Channel Multiframes
2. Traffic Channel Multiframes

1. Control Channel Multiframe

Composed of 51 TDMA frames with a total duration of 235.4 ms.

[Figure: Control Channel Multiframe]

2. Traffic Channel Multiframe

Composed of 26 TDMA frames with a total duration of 120 ms.

[Figure: Traffic Channel Multiframe]

The next diagram shows a Traffic Channel (TCH) Multiframe with TS2 (green) being allocated to a Mobile Station (MS). The red arrow indicates the sequence of transmission. The sequence starts in TDMA frame 0 at TS0, proceeds through all eight time slots, then starts again with TDMA frame 1. In this example, the MS has been allocated a Traffic Channel in TS2. Therefore the MS will only transmit/receive during TS2 of each TDMA frame.

[Figure: Single Time Slot Allocated]

Superframe

A Superframe is composed of multiple Multiframes. Again, there is a superframe for Control Channels and one for Traffic Channels.

Control Channel Superframe - Composed of 26 Control Channel (CCH) multiframes (each CCH multiframe has 51 TDMA frames) with a duration of 6.12 seconds.
Traffic Channel Superframe - Composed of 51 Traffic Channel (TCH) multiframes (each TCH multiframe has 26 TDMA frames) with a duration of 6.12 seconds.

Each superframe, whether it is a CCH or TCH superframe, consists of 1326 TDMA frames (51 × 26).

*Note: The CCH and TCH frame sequences will synchronize every superframe.

Hyperframe

A hyperframe is composed of 2048 superframes with a duration of 3h 28m 53s 76ms (12,533.76 seconds) and consists of 2,715,648 TDMA frames. Each TDMA frame is numbered according to its sequence within the hyperframe, starting from 0 and ending at 2,715,647. The TDMA frame number within a hyperframe is abbreviated FN. The FN is one of the variables used in the GSM encryption algorithms.

The following diagram shows the relationship between all of the various time segments introduced in this tutorial.

[Figure: Relationship of All Time Segments]

CHAPTER 4 - LOGICAL CHANNELS

Introduction

As you remember from the Introduction to TDMA, GSM divides up each ARFCN into 8 time slots. These 8 time slots are further broken up into logical channels.
Logical channels can be thought of as just different types of data that are transmitted only on certain frames in a certain time slot. Different time slots will carry different logical channels, depending on the structure the BSS uses. There are two main categories of logical channels in GSM:

Signaling Channels
Traffic Channels (TCH)

SIGNALING CHANNELS

These are the main types of signaling channels:

Broadcast Channels (BCH) - Transmitted by the BTS to the MS. This channel carries system parameters needed to identify the network, synchronize time and frequency with the network, and gain access to the network.
Common Control Channels (CCCH) - Used for signaling between the BTS and the MS and to request and grant access to the network.
Standalone Dedicated Control Channels (SDCCH) - Used for call setup.
Associated Control Channels (ACCH) - Used for signaling associated with calls and call setup. An ACCH is always allocated in conjunction with a TCH or an SDCCH.

*Keep in mind, these are only categories of logical channels; they are not logical channels themselves. The above categories can be divided into the following logical channels:

Broadcast Channels (BCH)
  Broadcast Control Channel (BCCH)
  Frequency Correction Channel (FCCH)
  Synchronization Channel (SCH)
  Cell Broadcast Channel (CBCH)
Common Control Channels (CCCH)
  Paging Channel (PCH)
  Random Access Channel (RACH)
  Access Grant Channel (AGCH)
Dedicated Control Channels (DCCH)
  Standalone Dedicated Control Channel (SDCCH)
  Fast Associated Control Channel (FACCH)
  Slow Associated Control Channel (SACCH)

Let's examine each type of logical channel individually.

Broadcast Channels (BCH)

Broadcast Control Channel (BCCH) - DOWNLINK - This channel contains system parameters needed to identify the network and gain access. These parameters include the Location Area Code (LAC), the Mobile Network Code (MNC), the frequencies of neighboring cells, and access parameters.
Frequency Correction Channel (FCCH) - DOWNLINK - This channel is used by the MS as a frequency reference. This channel contains frequency correction bursts.
Synchronization Channel (SCH) - DOWNLINK - This channel is used by the MS to learn the Base Station Identity Code (BSIC) as well as the TDMA frame number (FN). This lets the MS know which TDMA frame it is on within the hyperframe.
Cell Broadcast Channel (CBCH) - DOWNLINK - This channel is not truly its own type of logical channel. The CBCH is for point-to-multipoint messages. It is used to broadcast specific information to network subscribers, such as weather, traffic, sports, stocks, etc. Messages can be of any nature depending on what service is provided. Messages are normally public service type messages or announcements. The CBCH isn't allocated a slot for itself; it is assigned to an SDCCH. It only occurs on the downlink. The CBCH usually occupies the second subslot of the SDCCH. The mobile will not acknowledge any of the messages.

Common Control Channels (CCCH)

Paging Channel (PCH) - DOWNLINK - This channel is used to inform the MS that it has incoming traffic. The traffic could be a voice call, SMS, or some other form of traffic.
Random Access Channel (RACH) - UPLINK - This channel is used by an MS to request an initial dedicated channel from the BTS. This would be the first transmission made by an MS to access the network and request radio resources. The MS sends an Access Burst on this channel in order to request access.
Access Grant Channel (AGCH) - DOWNLINK - This channel is used by a BTS to notify the MS of the assignment of an initial SDCCH for initial signaling.

Dedicated Control Channels (DCCH)

Standalone Dedicated Control Channel (SDCCH) - UPLINK/DOWNLINK - This channel is used for signaling and call setup between the MS and the BTS.
Fast Associated Control Channel (FACCH) - UPLINK/DOWNLINK - This channel is used for control requirements such as handoffs.
There is no TS and frame allocation dedicated to a FACCH. The FACCH is a burst-stealing channel; it steals a time slot from a Traffic Channel (TCH).
Slow Associated Control Channel (SACCH) - UPLINK/DOWNLINK - This channel is a continuous-stream channel that is used for control and supervisory signals associated with the traffic channels.

Signaling Channel Mapping

Normally the first two time slots are allocated to signaling channels. Remember that Control Channel (signaling channel) multiframes are composed of 51 TDMA frames. Within the multiframe on a time slot, the 51 TDMA frames are divided up and allocated to the various logical channels. There are several channel combinations allowed in GSM. Some of the more common ones are:

FCCH + SCH + BCCH + CCCH
BCCH + CCCH
FCCH + SCH + BCCH + CCCH + SDCCH/4(0..3) + SACCH/C4(0..3)
SDCCH/8(0..7) + SACCH/C8(0..7)

FCCH + SCH + BCCH + CCCH

[Figure: downlink and uplink multiframes]

BCCH + CCCH

[Figure: downlink and uplink multiframes]

FCCH + SCH + BCCH + CCCH + SDCCH/4(0..3) + SACCH/C4(0..3)

The SACCH that is associated with each SDCCH is only transmitted every other multiframe. Each SACCH only gets half of the transmit time of the SDCCH that it is associated with. So, in one multiframe, SACCH0 and SACCH1 would be transmitted, and in the next multiframe, SACCH2 and SACCH3 would be transmitted. The two sequential multiframes would look like this:

[Figure: downlink and uplink multiframes]

You will also notice that the downlink and uplink multiframes do not align with each other. This is done so that if the BTS sends an information request to the MS, it does not have to wait an entire multiframe to receive the needed information. The uplink is transmitted 15 TDMA frames behind the downlink. For example, the BTS might send an authentication request to the MS on SDCCH0 (downlink), which corresponds to TDMA frames 22-25. The MS then has enough time to process the request and reply on SDCCH0 (uplink), which immediately follows it on TDMA frames 37-40.

SDCCH/8(0..7) + SACCH/C8(0..7)

Once again, the SACCH that is associated with an SDCCH is only transmitted every other multiframe. Two consecutive multiframes would look like this:

[Figure: downlink and uplink multiframes]

TRAFFIC CHANNELS (TCH)

Traffic Channels are used to carry two types of information to and from the user:

Encoded Speech
Data

Encoded Speech

Encoded speech is voice audio that is converted into digital form and compressed. There are two basic types of Encoded Speech channels:

Full Rate Speech TCH (TCH/FS) - 13 kb/s
Half Rate Speech TCH (TCH/HS) - 5.6 kb/s

Data

Data refers to user data such as text messages, picture messages, internet browsing, etc. It includes pretty much everything except speech.

Full rate Data TCH (TCH/F14.4) - 14.4 kb/s
Full rate Data TCH (TCH/F9.6) - 9.6 kb/s
Full rate Data TCH (TCH/F4.8) - 4.8 kb/s
Half rate Data TCH (TCH/H4.8) - 4.8 kb/s
Full rate Data TCH (TCH/F2.4) - ≤2.4 kb/s
Half rate Data TCH (TCH/H2.4) - ≤2.4 kb/s

Traffic Channel Mapping

Time slots 2 through 7 are normally used for Traffic Channels (TCH). Traffic Channel Multiframes are composed of only 26 TDMA frames. In each multiframe, there are 24 frames for Traffic Channels, 1 frame for a SACCH, and the last frame is Idle. Remember that an MS (or other device) only gets one time slot per TDMA frame to transmit, so in the following diagrams we are looking at a single time slot.

[Figure: Full Rate Traffic Channel (TCH/FS)]

When using Half-Rate Speech Encoding (TCH/HS), the speech encoding bit rate is 5.6 kb/s, so one time slot can handle two half-rate channels. In this case, one channel will transmit every other TDMA frame, and the other channel will be transmitted on the remaining frames. The final frame (25), which is normally used as an Idle frame, is now used as a SACCH for the second half-rate channel.

[Figure: Half Rate Traffic Channel (TCH/HS)]

ARFCN Mapping

This diagram shows a sample Multiframe with logical channels mapped to time slots and TDMA frames. This is just one possible configuration for an ARFCN.
*For illustrative purposes, half of the traffic channels are full-rate and the other half are half-rate.
[Diagram: ARFCN mapping, TS0 through TS7]
*Remember that CCH multiframes have 51 frames and TCH multiframes only have 26. Their sequences will synchronize every superframe.

OFFSET

Even though GSM uses a full duplex radio channel, the MS and the BTS do not transmit at the exact same time. If a MS is assigned a given time slot, both the MS and the BTS will transmit during that time slot, but their timing is offset. The uplink is exactly 3 time slots behind the downlink. For example, if the MS was allocated a TCH on TS3, the BTS would transmit when the downlink is on TS3 and the MS is set to receive on TS3. At this point, the uplink is only on TS0. Once the uplink reaches TS3, the MS would begin to transmit, and the BTS is set to receive on TS3. At this point, the downlink would be at TS6. When the MS is not transmitting or receiving, it switches frequencies to monitor the BCCH of adjacent cells.

Speech/Data Throughput

When looking at a time slot allocated to a TCH, you will notice that the TCH does not occur on every single frame within the time slot. One frame is reserved for a SACCH and one is Idle. So, in a TCH multiframe, only 24 of the 26 frames are used for traffic (voice/data). This leaves us with a data throughput of 22.8 kb/s. Here is the math:

1. Calculate bits per TCH multiframe: We know that there are 114 bits of data on a single burst, and we know that only 24 of the 26 frames in a TCH multiframe are used to send user data.
   114 bits × 24 frames = 2736 bits per TCH multiframe
   So, on a single time slot over the duration of one TCH multiframe, the data throughput is 2736 bits.

2. Calculate bits per millisecond (ms): From step one above, we know that the throughput of a single TCH multiframe is 2736 bits. We also know that the duration of a TCH multiframe is 120 ms.
   2736 bits / 120 ms = 22.8 bits per millisecond

3. Convert milliseconds (ms) to seconds: Now we need to put the value into terms of seconds. There are 1000 milliseconds in a second, so we simply multiply the value by 1000.
   22.8 bits/millisecond × 1000 = 22,800 bits per second (22.8 kb/s)

4. Convert bits to kilobits: Finally, we want to put it into terms of kilobits per second, which is the most common term for referring to data throughput. We know a kilobit is 1000 bits, so we simply divide the term by 1000.
   22,800 bits/s ÷ 1000 = 22.8 kb/s

So now we see why the data throughput of a single allocated time slot is 22.8 kb/s.

There is an easier method to come to this number. We know that only 24 of the 26 frames carry data, so the new throughput is 24/26 of the original throughput. If we convert this to decimal form:
   24 ÷ 26 = .9231
We know from the TDMA Tutorial that the data throughput of a single time slot is 24.7 kb/s. Apply this 24/26 ratio to the 24.7 kb/s throughput:
   24.7 × .9231 = 22.8 kb/s
You can see that we get the same answer as above.

A single BTS may have several Transceivers (TRX) assigned to it, each having its own ARFCN, and each ARFCN having 8 time slots. The logical channels that support signaling will normally only be on one ARFCN. All of the other ARFCNs assigned to a BTS will allocate all 8 time slots to Traffic Channels, to support multiple users. The following diagram is an example of how a medium-sized cell might be set up with 4 TRX (ARFCNs).
[Diagram: Sample Medium-Size Cell]

FREQUENCY HOPPING

Each radio frequency channel (ARFCN) is influenced differently by propagation conditions. What affects channel 23 may not affect channel 78 at all. Within a given cell, some frequencies will have good propagation in a certain area and some will have poor propagation in that area. In order to take advantage of the good propagation and to defeat the poor propagation, GSM utilizes frequency hopping.
Frequency hopping means that a transceiver hops from one frequency to another in a predetermined sequence. If a transceiver hops through all of the available frequencies in a cell, then it will average out the propagation.

GSM uses Slow Frequency Hopping (SFH). It is considered slow because the system hops relatively slowly compared with other frequency hopping systems. In GSM, the operating frequency is changed every TDMA frame. The main reason for using slow frequency hopping is that the MS must also change its frequency often in order to monitor adjacent cells. The device in a transceiver that generates the frequency is called a frequency synthesizer. On a MS, a synthesizer must be able to change its frequency within the time frame of one time slot, which is equal to 577 µs.

GSM does not require the BTS to utilize frequency hopping. However, a MS must be capable of utilizing frequency hopping when told to do so. The frequency hopping and timing sequence is known as the hopping algorithm. There are two types of hopping algorithms available to a MS:

Cyclic Hopping - The transceiver hops through a predefined list of frequencies in sequential order.
Random Hopping - The transceiver hops through the list of frequencies in a random manner. The sequence appears random, but it is actually a set order.

There are a total of 63 different hopping algorithms available in GSM. When the MS is told to switch to frequency hopping mode, the BTS will assign it a list of channels and the Hopping Sequence Number (HSN), which corresponds to the particular hopping algorithm that will be used.

The base channel on the BTS does not frequency hop. This channel, located in time slot 0, holds the Broadcast Control Channels which the MS needs to monitor to determine strength measurements, determine access parameters, and synchronize with the system. If a BTS uses multiple transceivers (TRX), then only one TRX will hold the Broadcast Channels on time slot 0.
All of the other TRXs may use time slot 0 for traffic or signaling and may take part in the frequency hopping.

There are two types of frequency hopping method available for the BTS: synthesizer hopping and baseband hopping.

Synthesizer Hopping - This requires the TRX itself to change frequencies according to the hopping sequence. So, one TRX would hop between multiple frequencies on the same sequence that the MS is required to follow.

Baseband Hopping - In this method there are several TRX and each one stays on a fixed frequency within the hopping frequency plan. Each TRX would be assigned a single time slot within a TDMA frame. For example, time slot 1 might be assigned to TRX 2 in one TDMA frame, in the next TDMA frame it would be assigned to TRX 3, and the next frame would be TRX 3. So, the data on each time slot would be sent on a different frequency each frame, but the TRXs on the BTS do not need to change frequency. The BTS simply routes the data to the appropriate TRX, and the MS knows which TRX to be on for any given TDMA frame.
[Diagram: Baseband Frequency Hopping]

CHAPTER 5 - AUTHENTICATION & ENCRYPTION

Introduction

Authentication - Whenever a MS requests access to a network, the network must authenticate the MS. Authentication verifies the identity and validity of the SIM card to the network and ensures that the subscriber is authorized to access the network.

Encryption - In GSM, encryption refers to the process of creating authentication and ciphering crypto-variables using a special key and an encryption algorithm.

Ciphering - Ciphering refers to the process of changing plaintext data into encrypted data using a special key and a special encryption algorithm. Transmissions between the MS and the BTS on the Um link are enciphered.

Ki - The Ki is the individual subscriber authentication key. It is a 128-bit number that is paired with an IMSI when the SIM card is created. The Ki is only stored on the SIM card and at the Authentication Center (AuC).
The Ki will never be transmitted across the network on any link.

RAND - The RAND is a random 128-bit number that is generated by the AuC when the network requests to authenticate a subscriber. The RAND is used to generate the Signed Response (SRES) and Kc crypto-variables.

Signed Response - The SRES is a 32-bit crypto-variable used in the authentication process. The MS is challenged by being given the RAND by the network; the SRES is the expected correct response. The MS receives the RAND as a challenge and uses it to calculate the SRES. The SRES is passed up to the network as a response to the challenge.

A3 Algorithm - The A3 algorithm computes a 32-bit Signed Response (SRES). The Ki and RAND are input into the A3 algorithm and the result is the 32-bit SRES. The A3 algorithm resides on the SIM card and at the AuC.

A8 Algorithm - The A8 algorithm computes a 64-bit ciphering key (Kc). The Ki and the RAND are input into the A8 algorithm and the result is the 64-bit Kc. The A8 algorithm resides on the SIM card and at the AuC.

COMP128 - A keyed hash function that combines the A3 and A8 algorithms into a single function. The 128-bit Ki and 128-bit RAND are input into COMP128, which generates a 32-bit SRES and a 54-bit Kc in a single function. COMP128 is weak because it can give away information about the Ki.

Kc - The Kc is the 64-bit ciphering key that is used in the A5 encryption algorithm to encipher and decipher the data that is being transmitted on the Um interface.

A5 - The A5 encryption algorithm is used to encipher and decipher the data that is being transmitted on the Um interface. The Kc and the plaintext data are input into the A5 algorithm and the output is enciphered data. The A5 algorithm is a function of the Mobile Equipment (ME) and not a function of the SIM card. The BTS also makes use of the A5 algorithm. There are three versions of the A5 algorithm:

A5/1 - The current standard for U.S. and European networks. A5/1 is a stream cipher.
A5/2 - The deliberately weakened version of A5/1 that is intended for export to non-western countries. A5/2 is a stream cipher.
A5/3 - A newly developed algorithm not yet in full use. A5/3 is a block cipher.

Triplets - The RAND, SRES, and Kc together are known as the Triplets. The AuC will send these three crypto-variables to the requesting MSC/VLR so it can authenticate and encipher.

Authentication Procedures

1. When a MS requests access to the network, the MSC/VLR will normally require the MS to authenticate. The MSC will forward the IMSI to the HLR and request authentication Triplets. The network can have the MS authenticate whenever it wants, and this can vary from network to network. The network can require the MS to authenticate every time an event is initiated (location update, mobile-originated call, mobile-terminated call, etc.), every so many events, or even after a certain time period has elapsed. The network will almost always require authentication whenever the MS moves into a new Location Area and does a Location Update.

2. When the HLR receives the IMSI and the authentication request, it first checks its database to make sure the IMSI is valid and belongs to the network. Once it has accomplished this, it will forward the IMSI and authentication request to the Authentication Center (AuC).

3. The AuC will use the IMSI to look up the Ki associated with that IMSI. The Ki is the individual subscriber authentication key. It is a 128-bit number that is paired with an IMSI when the SIM card is created. The Ki is only stored on the SIM card and at the AuC. The AuC will also generate a 128-bit random number called the RAND.

4. The RAND and the Ki are input into the A3 encryption algorithm. The output is the 32-bit Signed Response (SRES). The SRES is essentially the "challenge" sent to the MS when authentication is requested.

5. The RAND and Ki are input into the A8 encryption algorithm. The output is the 64-bit Kc.
   The Kc is the ciphering key that is used in the A5 encryption algorithm to encipher and decipher the data that is being transmitted on the Um interface.

6. The RAND, SRES, and Kc are collectively known as the Triplets. The AuC may generate many sets of Triplets and send them to the requesting MSC/VLR. This is in order to reduce the signaling overhead that would result if the MSC/VLR requested one set of triplets every time it wanted to authenticate the MS. It should be noted that a set of triplets is unique to one IMSI; it cannot be used with any other IMSI.

7. Once the AuC has generated the triplets (or sets of triplets), it forwards them to the HLR. The HLR subsequently sends them to the requesting MSC/VLR.

8. The MSC stores the Kc and the SRES but forwards the RAND to the MS and orders it to authenticate.

9. The MS has the Ki stored on the SIM card. The A3 and A8 algorithms also reside on the SIM card. The RAND and Ki are input into the A3 and A8 encryption algorithms to generate the SRES and the Kc respectively.

Ciphering Procedure

1. The MS stores the Kc on the SIM card and sends the generated SRES back to the network. The MSC receives the MS-generated SRES and compares it to the SRES generated by the AuC. If they match, then the MS is authenticated.

2. Once the MS is authenticated, the MSC passes the Kc to the BSS (the BTS to be specific), and orders the BTS and MS to switch to Cipher Mode. The Kc will never be passed on the Air Interface (Um); it will be stored at the BTS.

3. The BTS inputs the Kc and the data payload into the A5 encryption algorithm, resulting in an enciphered data stream. The MS also inputs the Kc and the data payload into the A5 encryption algorithm, resulting in an enciphered data stream.
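The challenge/response flow of the nine authentication steps and the ciphering hand-off above, run end to end as an added example in Python (not code from this tutorial). The real A3/A8 or COMP128 algorithms are not reproduced: an HMAC-SHA256 stand-in is assumed in their place so that the flow runs offline, and the IMSI and Ki values are constructed samples. What the model keeps faithful to the text is the data flow: Ki is held only by the SIM and the AuC, only RAND crosses the Um interface, the MSC/VLR compares the returned SRES against the triplet's, and Kc is derived at both ends without ever being transmitted.

```python
"""GSM challenge/response authentication and Kc derivation, modelled as
the tutorial describes the message flow. Added example, not tutorial
code. The real A3/A8 (or COMP128) algorithms are NOT implemented: an
HMAC-SHA256 stand-in (an assumption made so the example runs offline)
plays their role on both the SIM and the AuC. The data flow is what
the model keeps faithful: Ki never leaves the SIM or AuC, only RAND
crosses the Um interface, the MSC/VLR compares SRES, and Kc is held by
the network side and the SIM without ever being sent.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

KI_BITS, RAND_BITS, SRES_BITS, KC_BITS = 128, 128, 32, 64


def a3_a8_stand_in(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3 (-> SRES) and A8 (-> Kc) run as one keyed function.

    ASSUMPTION: HMAC-SHA256 truncated to 32 + 64 bits; not the GSM
    algorithm, only something keyed by Ki that both ends can compute.
    """
    if len(ki) * 8 != KI_BITS or len(rand) * 8 != RAND_BITS:
        raise ValueError("Ki and RAND must both be 128 bits")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    sres = digest[: SRES_BITS // 8]
    kc = digest[SRES_BITS // 8 : (SRES_BITS + KC_BITS) // 8]
    return sres, kc


@dataclass(frozen=True)
class Triplet:
    """RAND, SRES and Kc for one IMSI; usable for one authentication."""
    rand: bytes
    sres: bytes
    kc: bytes


class AuC:
    """Authentication Center: the only network node that holds Ki."""

    def __init__(self, ki_by_imsi: Dict[str, bytes],
                 rand_source: Callable[[int], bytes] = secrets.token_bytes):
        self._ki_by_imsi = dict(ki_by_imsi)
        self._rand_source = rand_source

    def triplets(self, imsi: str, count: int = 1) -> List[Triplet]:
        """Generate `count` triplets; raises KeyError for an unknown IMSI."""
        ki = self._ki_by_imsi[imsi]
        out = []
        for _ in range(count):
            rand = self._rand_source(RAND_BITS // 8)
            sres, kc = a3_a8_stand_in(ki, rand)
            out.append(Triplet(rand, sres, kc))
        return out


class SIM:
    """SIM card: holds Ki, answers RAND with SRES, keeps Kc for the ME."""

    def __init__(self, ki: bytes):
        self._ki = ki
        self.kc: Optional[bytes] = None

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        sres, self.kc = a3_a8_stand_in(self._ki, rand)
        return sres          # only SRES goes back over the air


def msc_authenticate(triplet: Triplet, sim: SIM) -> bool:
    """MSC/VLR side of steps 8 and 9: send RAND, compare returned SRES.

    The MSC keeps SRES and Kc from the triplet; only RAND is transmitted.
    A constant-time comparison avoids leaking how many SRES bytes matched.
    """
    sres_from_ms = sim.run_gsm_algorithm(triplet.rand)
    return hmac.compare_digest(sres_from_ms, triplet.sres)


def demo(ki_on_sim: bytes, ki_at_auc: bytes,
         rand_source: Callable[[int], bytes] = secrets.token_bytes
         ) -> Tuple[bool, bool]:
    """Run one authentication; return (authenticated, kc_agrees)."""
    imsi = "001010123456789"                     # constructed sample IMSI
    auc = AuC({imsi: ki_at_auc}, rand_source)
    triplet = auc.triplets(imsi, count=1)[0]     # via HLR to the MSC/VLR
    sim = SIM(ki_on_sim)
    ok = msc_authenticate(triplet, sim)
    return ok, sim.kc == triplet.kc


if __name__ == "__main__":
    ki = bytes(range(16))                        # constructed 128-bit Ki
    print("genuine SIM:", demo(ki, ki))          # (True, True)
    print("wrong Ki:   ", demo(bytes(16), ki))   # (False, False)
```

Running it with a SIM whose Ki differs from the AuC's record shows both checks failing: the SRES does not match, and the Kc the SIM derived disagrees with the network's, so cipher mode could not be established with a mismatched key even if authentication were skipped.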
It should be noted that the A5 algorithm is a function of the Mobile Equipment (ME) and not the SIM card.

COMP128

COMP128 is a single keyed hash function that takes the place of the A3 and A8 algorithms and generates the SRES and Kc in a single function. The Ki and RAND are fed into the COMP128 hash and the result is a 32-bit SRES and a 54-bit Kc. Note that the A8 algorithm generates a 64-bit Kc, so it is obvious that the COMP128 hash generates a much weaker Kc.

CHAPTER 6 - TIMING ADVANCES

Introduction

A Timing Advance (TA) is used to compensate for the propagation delay as the signal travels between the Mobile Station (MS) and Base Transceiver Station (BTS). The Base Station System (BSS) assigns the TA to the MS based on how far away it perceives the MS to be. Determination of the TA is normally a function of the Base Station Controller (BSC), but this function can be handled anywhere in the BSS, depending on the manufacturer.

Time Division Multiple Access (TDMA) requires precise timing of both the MS and BTS systems. When a MS wants to gain access to the network, it sends an access burst on the RACH. The further away the MS is from the BTS, the longer it will take the access burst to arrive at the BTS, due to propagation delay. Eventually there comes a certain point where the access burst would arrive so late that it would occur outside its designated time slot and would interfere with the next time slot.

Access Burst

As you recall from the TDMA Tutorial, an access burst has 68.25 guard bits at the end of it. This guard time is to compensate for propagation delay due to the unknown distance of the MS from the BTS. It allows an access burst to arrive up to 68.25 bits later than it is supposed to without interfering with the next time slot. 68.25 bits doesn't mean much to us in the sense of time, so we must convert 68.25 bits into a frame of time.
To do this, it is necessary to calculate the duration of a single bit: the duration is the amount of time it takes to transmit a single bit.

Duration of a Single Bit

As you recall, GSM uses Gaussian Minimum Shift Keying (GMSK) as its modulation method, which has a data throughput of 270.833 kilobits/second (kb/s). Calculate the duration of a bit:

Description                       Formula                        Result
Convert kilobits to bits          270.833 kb × 1000              270,833 bits
Calculate seconds per bit         1 sec ÷ 270,833 bits           .00000369 seconds
Convert seconds to microseconds   .00000369 sec × 1,000,000      3.69 µs

So now we know that it takes 3.69 µs to transmit a single bit.

Propagation Delay

Now, if an access burst has a guard period of 68.25 bits, this results in a maximum delay time of approximately 252 µs (3.69 µs × 68.25 bits). This means that a signal from the MS could arrive up to 252 µs after it is expected and it would not interfere with the next time slot. The next step is to calculate how far away a mobile station would have to be for a radio wave to take 252 µs to arrive at the BTS; this would be the theoretical maximum distance from which a MS could transmit and still arrive within the correct time slot. Using the speed of light, we can calculate the distance that a radio wave would travel in a given time frame. The speed of light (c) is 300,000 km/s.

Description                     Formula                      Result
Convert km to m                 300,000 km × 1000            300,000,000 m
Convert m/s to m/µs             300,000,000 ÷ 1,000,000      300 m/µs
Calculate distance for 252 µs   300 m/µs × 252 µs            75,600 m
Convert m to km                 75,600 m ÷ 1000              75.6 km

So, we can determine that a MS could theoretically be up to 75.6 km away from a BTS when it transmits its access burst and still not interfere with the next time slot. However, we must take into account that the MS synchronizes with the signal it receives from the BTS. We must account for the time it takes for the synchronization signal to travel from the BTS to the MS.
When the MS receives the synchronization signal from the BTS, it has no way of determining how far away it is from the BTS. So, when the MS receives the synchronization signal on the SCH, it synchronizes its time with the timing of the system. However, by the time the signal arrives at the MS, the timing of the BTS has already progressed some. Therefore, the timing of the MS will now be behind the timing of the BTS by an amount of time equal to the travel time from the BTS to the MS.

For example, if a MS were exactly 75.6 km away from the BTS, then it would take 252 µs for the signal to travel from the BTS to the MS. The MS would then synchronize with this timing and send its access burst on the RACH. It would take 252 µs for this signal to return to the BTS. The total round trip time would be 504 µs. So, by the time the signal from the MS arrives at the BTS, it will be 504 µs behind the timing of the BTS. 504 µs equals about 136.5 bits. The 68.25 bits of guard time would absorb some of the delay of 136.5 bits, but the access burst would still cut into the next time slot by a whopping 68.25 bits.

Maximum Size of a Cell

In order to compensate for the two-way trip of the radio link, we must divide the maximum delay distance in half. So, dividing 75.6 km in half, we get approximately 37.8 km. If a MS is further out than 37.8 km and transmits an access burst, it will most likely interfere with the following time slot. At any distance less than 37.8 km the access burst should arrive within the guard time allowed for an access burst and it will not interfere with the next time slot. In GSM, the maximum distance of a cell is standardized at 35 km. This is due mainly to the number of timing advances allowed in GSM, which is explained below.

How a BSS Determines a Timing Advance

In order to determine the propagation delay between the MS and the BSS, the BSS uses the synchronization sequence within an access burst.
The BSS examines the synchronization sequence and sees how long after the expected time it arrived. As we learned above, the duration of a single bit is approximately 3.69 µs. So, if the BSS sees that the synchronization sequence is late by a single bit, then it knows that the propagation delay is 3.69 µs. This is how the BSS knows which TA to send to the MS.

For each 3.69 µs of propagation delay, the TA will be incremented by 1. If the delay is less than 3.69 µs, no adjustment is used and this is known as TA0. For every TA, the MS will start its transmission 3.69 µs (or one bit) early. Each TA really corresponds to a range of propagation delay. Each TA is essentially equal to a 1-bit delay detected in the synchronization sequence.

TA     From         To
0      0 µs         3.69 µs
1      3.69 µs      7.38 µs
2      7.38 µs      11.07 µs
3      11.07 µs     14.76 µs
...    ...          ...
63     232.47 µs    236.16 µs

The Distance of a Timing Advance

When calculating the distances involved for each TA, we must remember that the total propagation delay accounts for a two-way trip of the radio wave. The first leg is the synchronization signal traveling from the BTS to the MS, and the second leg is the access burst traveling from the MS to the BTS. If we want to know the true distance of the MS from the BTS, we must divide the total propagation delay in half. For example, if the BSS determines the total propagation delay to be 3.69 µs, we can determine the distance of the MS from the BTS.

Description                                  Formula                   Result
Determine one-way propagation time           3.69 µs ÷ 2               1.845 µs
Calculate distance (using speed of light)    300 m/µs × 1.845 µs       553.5 m

We determined earlier that for each propagation delay of 3.69 µs the TA is incremented by one. We just learned that a propagation delay of 3.69 µs equals a one-way distance of 553.5 meters. So, we see that each TA is equal to a distance of 553.5 meters from the tower. Starting from the BTS (0 meters), a new TA will start every 553.5 m.

TA Ring    Start        End
0          0            553.5 m
1          553.5 m      1107 m
2          1107 m       1660.5 m
3          1660.5 m     2214 m
...        ...          ...
63         34.87 km     35.42 km

The TA becomes very important when the MS switches over to using a normal burst in order to transmit data. The normal burst does not have the 68.25 bits of guard time. The normal burst only has 8.25 bits of guard time, so the MS must transmit with more precise timing. With a guard time of 8.25 bits, the normal burst can only be received up to 30.44 µs late and not interfere with the next time slot. Because of the two-way trip of the radio signal, if the MS transmits more than 15.22 µs after it is supposed to, then it will interfere with the next time slot.

CHAPTER 7 - SPEECH CODING

Analog to Digital Conversion

In order to fully understand speech and channel coding, it is easier to start from the very beginning of the process. The first step in speech coding is to transform the sound waves of our voices (and other ambient noise) into an electrical signal. This is done by a microphone. A microphone consists of a diaphragm, a magnet, and a coil of wire. When you speak into it, sound waves created by your voice vibrate the diaphragm, which is connected to the magnet, which is inside the coil of wire. These vibrations cause the magnet to move inside the coil at the same frequency as your voice. A magnet moving in a coil of wire creates an electric current. This current, which is at the same frequency as the sound waves, is carried by wires to wherever you wish it to go, such as an amplifier, transmitter, etc. Once it gets to its destination the process is reversed and it comes out as sound. Speakers are basically the opposite of microphones.

The signal created by a microphone is an analog signal. Since GSM is an all-digital system, this analog signal is not suitable for use on a GSM network. The analog signal must be converted into digital form. This is done by using an Analog to Digital Converter (ADC).
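Before moving on to speech coding, here is the arithmetic of the timing-advance chapter above (bit duration, access-burst guard period, maximum cell size, TA rings) together with the Speech/Data Throughput derivation from the earlier chapter, carried through in one runnable Python module. This is an added example, not code from the tutorial; it goes beyond the text by producing all 64 TA rows and the half-rate throughput. The constants are those stated in the text, and the bit duration is rounded to 3.69 µs exactly as the tutorial rounds it, so the results reproduce its tables.

```python
"""GSM physical-layer timing arithmetic (added example, not the
tutorial's own code). Chapter 6 calculations: bit duration, guard
periods, maximum cell size, timing-advance rings for TA 0..63. Plus the
Speech/Data Throughput derivation for full- and half-rate traffic.
Constants are those stated in the text; the bit duration is rounded to
3.69 us the way the tutorial rounds it, so its tables are reproduced.
"""
from typing import List, Tuple

GMSK_BIT_RATE_BPS = 270_833                          # 270.833 kb/s
BIT_US = round(1_000_000 / GMSK_BIT_RATE_BPS, 2)     # 3.69 us per bit
LIGHT_M_PER_US = 300.0                               # 300,000 km/s
ACCESS_BURST_GUARD_BITS = 68.25
NORMAL_BURST_GUARD_BITS = 8.25
TA_VALUES = 64                                       # TA 0..63
BURST_PAYLOAD_BITS = 114                             # two 57-bit halves
TCH_MULTIFRAME_FRAMES = 26
TCH_MULTIFRAME_MS = 120.0
FULL_RATE_TRAFFIC_FRAMES = 24                        # 26 minus SACCH minus Idle
HALF_RATE_TRAFFIC_FRAMES = 12                        # every other traffic frame


def max_late_arrival_us(guard_bits: float) -> float:
    """How late a burst may arrive before it spills into the next slot."""
    return guard_bits * BIT_US


def max_cell_radius_km(guard_bits: float = ACCESS_BURST_GUARD_BITS) -> float:
    """One-way distance: the guard period must cover BTS->MS->BTS."""
    round_trip_m = LIGHT_M_PER_US * max_late_arrival_us(guard_bits)
    return round_trip_m / 2 / 1000


def ta_for_delay(round_trip_delay_us: float) -> int:
    """TA = whole bit times of measured lateness, clamped to 0..63.

    A delay below one bit time (3.69 us) gives TA0; the MS then starts
    each transmission TA bit times early.
    """
    ta = int(round_trip_delay_us // BIT_US)
    return max(0, min(TA_VALUES - 1, ta))


def ta_ring_m(ta: int) -> Tuple[float, float]:
    """(start, end) one-way distance in metres covered by one TA value."""
    if not 0 <= ta < TA_VALUES:
        raise ValueError("TA must be 0..63")
    ring_m = LIGHT_M_PER_US * BIT_US / 2             # 553.5 m per TA step
    return ta * ring_m, (ta + 1) * ring_m


def ta_table() -> List[Tuple[int, float, float, float, float]]:
    """Rows (TA, delay_from_us, delay_to_us, ring_start_m, ring_end_m)."""
    rows = []
    for ta in range(TA_VALUES):
        start_m, end_m = ta_ring_m(ta)
        rows.append((ta, ta * BIT_US, (ta + 1) * BIT_US, start_m, end_m))
    return rows


def tch_throughput_kbps(traffic_frames: int = FULL_RATE_TRAFFIC_FRAMES) -> float:
    """Payload rate of one time slot: 114 bits per traffic frame per 120 ms."""
    bits_per_multiframe = BURST_PAYLOAD_BITS * traffic_frames
    return bits_per_multiframe / TCH_MULTIFRAME_MS   # bits/ms == kb/s


def tch_throughput_from_gross_kbps(gross_kbps: float = 24.7) -> float:
    """The tutorial's shortcut: 24/26 of the raw 24.7 kb/s slot rate."""
    return gross_kbps * FULL_RATE_TRAFFIC_FRAMES / TCH_MULTIFRAME_FRAMES


if __name__ == "__main__":
    print(f"bit duration       {BIT_US} us")
    print(f"access burst late  {max_late_arrival_us(ACCESS_BURST_GUARD_BITS):.1f} us")
    print(f"max cell radius    {max_cell_radius_km():.1f} km")
    print(f"normal burst late  {max_late_arrival_us(NORMAL_BURST_GUARD_BITS):.2f} us")
    for ta, d0, d1, r0, r1 in ta_table()[:4] + ta_table()[-1:]:
        print(f"TA {ta:2d}: delay {d0:6.2f}-{d1:6.2f} us, ring {r0:8.1f}-{r1:8.1f} m")
    print(f"TCH/F throughput   {tch_throughput_kbps():.1f} kb/s")
    print(f"TCH/H throughput   {tch_throughput_kbps(HALF_RATE_TRAFFIC_FRAMES):.1f} kb/s")
```

The half-rate figure (12 of 26 frames, 11.4 kb/s per channel) follows directly from the text's statement that a half-rate channel transmits on every other TDMA frame; everything else is the tutorial's own arithmetic, unrounded only where the tutorial itself writes "approximately".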
In order to reduce the amount of data needed to represent the sound wave, the analog signal is first input into a band pass filter. Band pass means that the filter only allows signals that fall within a certain frequency range to pass through it, and all other signals are cut off, or attenuated. The BP filter only allows frequencies between 300 Hz and 3.4 kHz to pass through it. This limits the amount of data that the Analog/Digital Converter is required to process.

[Diagram: Band Pass Filter]

The filtered signal is input into the analog/digital converter. The analog/digital converter performs two tasks. It converts an analog signal into a digital signal, and it does the opposite, converting a digital signal into an analog signal. In the case of a cell phone, the analog signal created by a microphone is passed to the analog/digital converter. The A/D converter measures the analog signal, or samples it, 8000 times per second. This means that the ADC takes a sample of the analog signal every .125 ms (125 µs). Each sample is quantified with a 13-bit data block. If we calculate 13 bits per sample at 8000 samples per second, we determine a data rate of 104,000 bits per second, or 104 kb/s.

[Diagram: Analog/Digital Converter]

A data rate of 104 kbps is far too large to be economically handled by a radio transmitter. In order to reduce the bitrate, the signal is input into a speech encoder. A speech encoder is a device that compresses the data of a speech signal. There are many types of speech encoding schemes available. The speech encoder used in GSM is called Linear Predictive Coding (LPC) and Regular Pulse Excitation (RPE). LPC is a very complicated and math-heavy process, so it will only be summarized here.

Linear Predictive Coding (LPC)

Remember that the ADC quantifies each audio sample with a 13-bit "word". In LPC, 160 of the 13-bit samples from the converter are saved up and stored into short-term memory.
Remember that a sample is taken every 125 µs, so 160 samples cover an audio block of 20 ms. This 20 ms audio block consists of 2080 bits. LPC-RPE analyzes each 20 ms set of data and determines 8 coefficients used for filtering as well as an excitation signal. LPC basically identifies specific bits that correspond to specific aspects of human voice, such as vocal modifiers (teeth, tongue, etc.), and assigns coefficients to them. The excitation signal represents things like pitch and loudness. LPC identifies a number of correlations of human voice and redundancies in human speech and removes them.

The LPC/RPE sequence is then fed into the Long-Term Prediction (LTP) Analysis function. The LTP function compares the sequence it receives with earlier sequences stored in its memory and selects the sequence that most resembles the current sequence. The LTP function then calculates the difference between the two sequences. Now the LTP function only has to transmit the difference value as well as a pointer indicating which earlier sequence it used for comparison. By doing this, it avoids encoding redundant data. You can envision this by thinking about the sounds we make when we talk. When we pronounce a syllable, each little sound has a specific duration that seems short when we are talking but often lasts longer than 20 ms. So, one sound might be represented by several 20 ms blocks of exactly the same data. Rather than transmit redundant data, LPC only includes data that tells the receiving end which data is redundant so that it can be recreated on the receiving end.

Using LPC/RPE and LTP, the speech encoder reduces the 20 ms block from 2,080 bits to 260 bits. Note that this is a reduction by eight times. 260 bits every 20 ms gives us a net data rate of 13 kilobits per second (kbps).

[Diagram: Speech Encoding]

This bitrate of 13 kbps is known as Full Rate Speech (FS). There is another method for encoding speech called Half Rate Speech (HS), which results in a bit rate of approximately 5.6 kbps.
The explanations in the remainder of this tutorial are based on a full-rate speech bitrate (13 kbps). Calculate the net data rate:

Description                 Formula                    Result
Convert ms to sec           20 ms ÷ 1000               .02 seconds
Calculate bits per second   260 bits ÷ .02 seconds     13,000 bits per second (bps)
Convert bits to kilobits    13,000 bps ÷ 1000          13 kilobits per sec (kbps)

As we all know, the audio signal must be transmitted across a radio link from the handset to the Base Station Transceiver (BTS). The signal on this radio link is subject to atmospherics and fading, which results in a large amount of data loss and degrades the audio. In order to prevent degradation of audio, the data stream is put through a series of error detection and error correction procedures called channel coding. The first phase of channel coding is called block coding.

Block Coding

A single 260-bit (20 ms) audio block is delivered to the block coder. The 260 bits are divided up into classes according to their importance in reconstructing the audio. Class I are the bits that are most important in reconstructing the audio. The class II bits are the less important bits. Class I bits are further divided into two categories, Ia and Ib.

[Diagram: Classes of Bits]

The class Ia bits are protected by a cyclic code. The cyclic code is run on the 50 Ia bits and calculates 3 parity bits, which are then appended to the end of the Ia bits. Only the class Ia bits are protected by this cyclic code. The Ia and Ib bits are then combined and an additional 4 bits are added to the tail of the class I bits (Ia and Ib together). All four bits are zeros (0000) and are needed for the next step, which is "convolutional coding". There is no protection for class II bits. As you can see, block coding adds seven bits to the audio block, 3 parity bits and 4 tail bits; therefore, a 260-bit block becomes a 267-bit block.

[Diagram: Block Coding]

Convolutional Coding

This 267-bit block is then input into a convolutional code.
Convolutional coding allows errors to be detected and to be corrected to a limited degree. The class I "protected" bits are input into a complex convolutional code that outputs 2 bits for every bit that enters it. The second bit that is produced is known as a redundancy bit. The number of class I bits is doubled from 189 to 378. This coding uses 5 consecutive bits to calculate the redundancy bit; this is why 4 bits were added to the class I bits when the cyclic code was calculated. When the last data bit enters the register, it uses the remaining four bits to calculate the redundancy bit for the last data bit. The class II bits are not run through the convolutional code. After convolutional coding, the audio block is 456 bits.

[Diagram: Convolutional Coding]

Reordering, Partitioning, and Interleaving

Now, one problem remains. All of this error detection and error correction coding will not do any good if the entire 456-bit block is lost or garbled. In order to alleviate this, the bits are reordered and partitioned onto eight separate sub-blocks. If one sub-block is lost, then only one-eighth of the data for each audio block is lost, and those bits can be recovered using the convolutional code on the receiving end. This is known as interleaving.

Each 456-bit block is reordered and partitioned into 8 sub-blocks of 57 bits each. These eight 57-bit sub-blocks are then interleaved onto 8 separate bursts. As you remember from the TDMA Tutorial, each burst is composed of two 57-bit data blocks, for a total data payload of 114 bits. The first four sub-blocks (0 through 3) are mapped onto the even bits of four consecutive bursts. The last four sub-blocks (4 through 7) are mapped onto the odd bits of the next 4 consecutive bursts. So, the entire block is spread out across 8 separate bursts.

Taking a look at the diagram below, we see three 456-bit blocks, labeled A, B, and C. Each block is sub-divided into eight sub-blocks numbered 0-7. Let's take a look at Block B.
We can see that each sub-block is mapped to a burst on a single time-slot. Block B is mapped onto 8 separate bursts or time-slots. For illustrative purposes, the time-slots are labeled S through Z. Let's expand time-slot V for a close-up view. We can see how the bits are mapped onto a burst. The bits from Block B, sub-block 3 (B3) are mapped onto the even numbered bits of the burst (bits 0,2,4....108,110,112). You will also notice that the odd bits are being mapped from data from block A, sub-block 7 (bits 1,3,5....109,111,113). Each burst contains 57 bits of data from two separate 456-bit blocks. This process is known as interleaving. Reordering, Partitioning, and Interleaving 40 | P a g e In the following diagram, we examine time-slot W. We see that bits from B4 are mapped onto the odd-number bits (bits 1,3,5....109,111,113) and we would see bits from C1 mapped onto the even number bits (bits 0,2,4....108,110,112). This process continues indefinitely as data is transmitted. Time-slots W, X, Y, and Z would all be mapped identically. The next time-slot would have data from Block C and Block D mapped onto it. This process continues for as long as there is data being generated. Interleaving The process of interleaving effectively distributes a single 456 bit audio block over 8 separate bursts. If one burst is lost, only 1/8 of the data is lost, and the missing bits can be recovered using the convolutional code. Now, you might notice that the data it takes to represent a 20ms (456-bits) audio block is spread out across 8 timeslots. If you remember that each TDMA frame is approximately 4.615ms, we can determine that it takes about 37ms to transmit one single 456-bit block. It seems like transmitting 20ms worth of audio over a period of 37ms would not work. However, this is not what is truly happening. If you look at a series of blocks as they are mapped onto time-slots you will notice that one sub-block ends every four time-slots, which is approximately 18ms. 
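As an added example (not part of the original tutorial), the following Python models the chain just described, block coding, rate-1/2 convolutional coding and interleaving over eight bursts, then deinterleaves and decodes after one whole burst has been lost, to show that the class I bits survive while the unprotected class II bits in that burst do not. The generator polynomials are those of GSM 05.03 (3GPP TS 45.003); the standard's exact bit reordering and parity conventions are simplified, and the 260-bit speech frames are constructed random data rather than real codec output.

```python
"""Added example (not from the tutorial): the full-rate channel coding chain described
above plus a receiver that deinterleaves and Viterbi-decodes, treating the bits of a lost
burst as erasures.  Generator polynomials follow GSM 05.03 (3GPP TS 45.003); the standard's
exact bit reordering and parity conventions are simplified, and the 260-bit speech frames
are constructed random data rather than real codec output."""
import random

N_IA, N_IB = 50, 132      # class Ia and Ib bits of a 260-bit frame; the remaining 78 are class II
CRC_POLY = (1, 0, 1, 1)   # g(D) = D^3 + D + 1, highest power first

def cyclic_parity(bits):
    """3 parity bits: remainder of bits(D) * D^3 divided by g(D)."""
    reg = list(bits) + [0, 0, 0]
    for i in range(len(bits)):
        if reg[i]:
            for j, g in enumerate(CRC_POLY):
                reg[i + j] ^= g
    return reg[-3:]

def _conv_outputs(state, b):
    """Output pair for input b; state holds the previous 4 inputs, u1 (newest) .. u4."""
    u1, u3, u4 = (state >> 3) & 1, (state >> 1) & 1, state & 1
    return b ^ u3 ^ u4, b ^ u1 ^ u3 ^ u4     # G0 = 1+D^3+D^4, G1 = 1+D+D^3+D^4

def conv_encode(bits):
    """Rate-1/2 convolutional code: 5 consecutive bits decide each output pair."""
    out, state = [], 0
    for b in bits:
        out.extend(_conv_outputs(state, b))
        state = (b << 3) | (state >> 1)
    return out

def block_code(frame):
    """260-bit frame -> (189 class I bits: Ia, 3 parity, Ib, 4 zero tail bits; 78 class II bits)."""
    ia, ib, ii = frame[:N_IA], frame[N_IA:N_IA + N_IB], frame[N_IA + N_IB:]
    return ia + cyclic_parity(ia) + ib + [0, 0, 0, 0], ii

def channel_encode(frame):
    class_i, class_ii = block_code(frame)
    return conv_encode(class_i) + class_ii    # 378 + 78 = 456 bits

def viterbi_decode(coded, n_bits):
    """Maximum-likelihood decoding of 2*n_bits coded bits; None marks an erased bit."""
    inf = 10 ** 9
    cost, paths = [0] + [inf] * 15, [[] for _ in range(16)]   # encoder starts in state 0
    for k in range(n_bits):
        r0, r1 = coded[2 * k], coded[2 * k + 1]
        new_cost, new_paths = [inf] * 16, [None] * 16
        for s in range(16):
            if cost[s] == inf:
                continue
            for b in (0, 1):
                o0, o1 = _conv_outputs(s, b)
                # an erased bit carries no evidence, so it adds nothing to the path cost
                d = (r0 is not None and r0 != o0) + (r1 is not None and r1 != o1)
                ns = (b << 3) | (s >> 1)
                if cost[s] + d < new_cost[ns]:
                    new_cost[ns], new_paths[ns] = cost[s] + d, paths[s] + [b]
        cost, paths = new_cost, new_paths
    return paths[0]                           # the tail bits drive the encoder back to state 0

def channel_decode(coded):
    """456 received bits -> (260-bit frame, True if the class Ia parity check passed)."""
    class_i = viterbi_decode(coded[:378], 189)
    ia, parity, ib = class_i[:50], class_i[50:53], class_i[53:185]
    class_ii = [0 if b is None else b for b in coded[378:]]   # unprotected: erasures stay lost
    return ia + ib + class_ii, parity == cyclic_parity(ia)

def _mapping(m):
    """(burst, bit position, coded-bit index) for block m: sub-block n holds coded bits k with
    k % 8 == n; sub-blocks 0-3 fill the even positions of bursts 4m..4m+3 and sub-blocks 4-7
    the odd positions of bursts 4m+4..4m+7, so every burst mixes two consecutive blocks."""
    for n in range(8):
        for j in range(57):
            yield 4 * m + n, 2 * j + int(n >= 4), 8 * j + n

def interleave(blocks):
    """Spread each 456-bit block over 8 bursts of 114 data bits (None = position not filled)."""
    bursts = [[None] * 114 for _ in range(4 * len(blocks) + 4)]
    for m, block in enumerate(blocks):
        for t, pos, k in _mapping(m):
            bursts[t][pos] = block[k]
    return bursts

def deinterleave(bursts, n_blocks):
    """Inverse of interleave(); the bits of a lost burst come back as None."""
    blocks = [[None] * 456 for _ in range(n_blocks)]
    for m in range(n_blocks):
        for t, pos, k in _mapping(m):
            blocks[m][k] = bursts[t][pos]
    return blocks

def lost_burst_demo(n_frames=3, lost_burst=5, seed=7):
    """Encode constructed frames, lose one whole burst, and report (erased bits per block,
    True if every frame's class I bits were recovered and its parity check passed)."""
    rng = random.Random(seed)
    frames = [[rng.randint(0, 1) for _ in range(260)] for _ in range(n_frames)]
    bursts = interleave([channel_encode(f) for f in frames])
    bursts[lost_burst] = [None] * 114
    received = deinterleave(bursts, n_frames)
    decoded = [channel_decode(blk) for blk in received]
    ok = all(p and d[:182] == f[:182] for (d, p), f in zip(decoded, frames))
    return [blk.count(None) for blk in received], ok
```

Losing burst 5 erases 57 bits of block A (sub-block 5, odd positions) and 57 bits of block B (sub-block 1, even positions), one eighth of each, and because each lost sub-block removes only one of the two coded output streams every fourth step, the decoder recovers every class I bit of both blocks.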
The only effect this has is that the audio stream is effectively delayed by 20 ms, which is truly negligible. In the diagram below, we can see how this works. The diagram shows 16 bursts. Remember that a burst occurs on a single time-slot and the duration of a time-slot is 577 µs. Eight time-slots make up a TDMA frame, which is 4.615 ms. Since a single resource is only given one time-slot in which to transmit, we only get to transmit once every TDMA frame. Therefore, we only get to transmit one burst every 4.615 ms.

* If this is not clear, please review the TDMA chapter.

During each time-slot, a burst is transmitted that carries data from two different 456-bit blocks. In the diagram below, Burst 1 carries data from A and B, burst 5 has B and C, burst 9 has C and D, etc. Looking at the diagram, we can see that it does take approximately 37 ms for Block B to transmit all of its data (bursts 1-8). However, in bursts 5-8, data from block C is also being transmitted. Once block B has finished transmitting all of its data (burst 8), block C has already transmitted half of its data and only requires 4 more bursts to complete. Block A completes transmitting its data at the end of the fourth burst. Block B finishes in the eighth, block C in the 12th, and block D in the 16th. Viewing it this way shows us that every fourth burst completes the data for one block, which takes approximately 18 ms.

The following diagram illustrates the entire process, from audio sampling to partitioning and interleaving.

Data and signalling messages will be covered in a future tutorial.

CHAPTER 8 - GSM EVENTS

Whenever a Mobile Station (MS) needs some kind of service from the network, a series of messages are sent across different links in order to facilitate this service. Some examples include Location Update, IMSI Attach, IMSI Detach, and placing and receiving calls.
These different events are discussed in detail below.

IMSI ATTACH

An MS performs an IMSI Attach any time it comes onto a network. If a phone is just powering up, it will contact the network and perform an IMSI Attach, letting the network know where the MS is. The following processes are involved in an IMSI Attach event.

A. Channel Request

1. The MS will send a Channel Request (CHAN_REQ) message to the BSS on the RACH.
2. The BSS responds on the AGCH with an Immediate Assignment (IMM_ASS_CMD) message and assigns an SDCCH to the MS.
3. The MS immediately switches to the assigned SDCCH and sends a Location Update Request (LOC_UPD_REQ) to the BSS. The MS will send either an IMSI or a TMSI to the BSS.
4. The BSS will acknowledge the message. This acknowledgement only tells the MS that the BTS has received the message; it does not indicate that the location update has been processed.

B. IMSI Verification / Request Triplets

5. The BSS forwards the Location Update Request to the MSC/VLR.
6. The MSC/VLR forwards the IMSI to the HLR and requests verification of the IMSI as well as Authentication Triplets.
7. The HLR will forward the IMSI to the Authentication Center (AuC) and request authentication triplets.
8. The AuC generates the triplets and sends them, along with the IMSI, back to the HLR.
9. The HLR validates the IMSI by ensuring it is allowed on the network and is allowed subscriber services. It then forwards the IMSI and Triplets to the MSC/VLR.

C. Authentication

10. The MSC/VLR stores the SRES and the Kc, forwards the RAND to the BSS, and orders the BSS to authenticate the MS.
11. The BSS sends an Authentication Request (AUTH_REQ) message to the MS. The only parameter sent in the message is the RAND.
12. The MS uses the RAND to calculate the SRES and sends the SRES back to the BSS on the SDCCH in an Authentication Response (AUTH_RSP). The BSS forwards the SRES up to the MSC/VLR.
13. The MSC/VLR compares the SRES generated by the AuC with the SRES generated by the MS. If they match, then authentication is completed successfully.

D. Encryption

14. The MSC/VLR forwards the Kc for the MS to the BSS. The Kc is NOT sent across the Air Interface to the MS. The BSS stores the Kc and forwards the Set Cipher Mode (CIPH_MOD_CMD) command to the MS. The CIPH_MOD_CMD only tells the MS which encryption to use (A5/X); no other information is included.
15. The MS immediately switches to cipher mode using the A5 encryption algorithm. All transmissions are now enciphered. It sends a Ciphering Mode Complete (CIPH_MOD_COM) message to the BSS.
16. The MSC/VLR sends a Location Updating Accept (LOC_UPD_ACC) message to the BSS. It also generates a new TMSI for the MS. TMSI assignment is a function of the VLR. The BSS will either send the TMSI in the LOC_UPD_ACC message or it will send a separate TMSI Reallocation Command message (TMSI_REAL_CMD). In both cases, since the Air Interface is now in cipher mode, the TMSI is not compromised.

E. Location Update

17. The MS sends a TMSI Reallocation Complete message (TMSI_REAL_COM) up to the MSC/VLR.
18. The BSS instructs the MS to go into idle mode by sending it a Channel Release (CHAN_REL) message. The BSS then deassigns the SDCCH.
19. The MSC/VLR sends an Update Location message to the HLR. The HLR records which MSC/VLR the MS is currently in, so it knows which MSC to point to when it is queried for the location of the MS.

IMSI DETACH

An MS will perform an IMSI Detach when it powers off. An IMSI Detach message informs the network that the MS is no longer on the network and should not be paged. This allows the network to process a call rejection faster, instead of waiting for paging requests to go unanswered. In most networks, the MSC/VLR will initiate an IMSI Detach if the MS has not been active on the network for a specified period of time.

A. Channel Request and IMSI Detach Request

1. The MS requests a channel in the same manner it does in the Location Update and IMSI Attach. The MS sends a Channel Request message on the RACH. The BSS replies on the AGCH and assigns the MS an SDCCH.
2. The MS sends an IMSI Detach Indication (IMSI_DET_IND) message to the BSS on the SDCCH. The BSS forwards the message to the MSC/VLR.

B. IMSI Detach Request

3. The MSC/VLR sends a Location Cancel Request to the HLR.
4. The HLR marks the IMSI as detached and removes any pointers for the IMSI from its registry. It then sends a Location Cancel Acknowledgement message to the MSC/VLR.

LOCATION UPDATE

An MS will need to update its location whenever it moves to a tower that is serviced by a different VLR than the one it is currently on. An MS can move from BTS to BTS without ever telling the network, as long as it is within the same location area. Once it moves to a new location area, it is required to inform the network.

A. The MS moves to another Location Area

As an MS moves around, it is constantly monitoring the signal strength of the BCCH of its current BTS, as well as neighboring BTSs, to determine if the neighbors have a stronger signal. When the MS is in idle mode (not in a call), it will determine for itself when to move from its current BTS to a more attractive one. When the MS switches from a BTS in one VLR to a BTS in a different VLR, it must do a location update, so the network knows which MSC/VLR the MS is currently using.

In the diagram below, we see two different location areas serviced by two different VLRs. The MS is currently sitting on BTS-2 in Location Area 1. As the MS moves towards the edge of the location area, it measures BTS-3 as being stronger and decides to switch to that BTS. Since BTS-3 is in another location area, it will need to do a location update.

B. Channel Request

Just like the IMSI Attach, and every other time the MS requests access, it goes through the same procedures.

1. The MS requests a channel by sending a Channel Request (CHAN_REQ) message on the RACH.
2. The BTS responds by sending an Immediate Assignment Command message (IMM_ASS_CMD) on the AGCH.
3. The MS switches to the assigned SDCCH and replies with a Location Update Request (LOC_UPD_REQ). Included in the LOC_UPD_REQ is the TMSI the MS is currently using as well as the Location Area Identifier (LAI) of the VLR it is leaving.
4. The BTS acknowledges receipt of the message.

C. Gaining VLR requests data from Losing VLR

5. The BSS forwards the Location Update Request to the gaining MSC/VLR.
6. The gaining MSC/VLR does not recognize the TMSI/IMSI of the MS, so it contacts the losing MSC/VLR that corresponds to the LAI that was provided by the MS. The new MSC/VLR requests the subscriber data for the given TMSI.
7. The gaining MSC/VLR will then authenticate the MS. There are two ways this could occur. First, the losing MSC/VLR may have forwarded any sets of triplets that it was retaining for the MS. The gaining MSC/VLR would then just use the next set of triplets. Second, the gaining MSC/VLR could contact the HLR and request authentication triplets from the AuC and proceed with authentication that way.

D. Location Update

8. Once the MS has been authenticated and is in Cipher Mode, the MSC/VLR sends a Location Update Accept message (LOC_UPD_ACC) through the BSS to the MS. The LOC_UPD_ACC may have a TMSI assignment in it; otherwise the TMSI will be assigned in a TMSI_REAL_CMD message.
9. The MS will respond with a TMSI Reallocation Complete message (TMSI_REAL_COM) indicating it has received the TMSI.
10. The BSS then sends the MS a Channel Release message (CHAN_REL) instructing it to go into idle mode. The BSS then unassigns the SDCCH. As far as the MS is concerned, the location update has been completed.

E. Updating the Registers

The gaining MSC/VLR sends an Update Location message to the HLR. The HLR updates its records to point to the gaining MSC/VLR when it is asked for the MS's location. It also passes on subscriber information for the MS to the gaining MSC/VLR. The HLR sends a Cancel Location message to the losing MSC/VLR. The losing MSC/VLR deletes the MS's record and also releases the TMSI for reassignment. The losing MSC/VLR sends a Cancel Location Result message back to the HLR, confirming the cancellation.

MOBILE ORIGINATED CALL

A Mobile Originated Call is a call that is initiated by the MS. The following example is a mobile-originated call that terminates outside the PLMN.

A. Request Access

1. The MS sends a Channel Request (CHAN_REQ) message on the RACH.
2. The BSS responds with a radio resource assignment (IMM_ASS_CMD) on the AGCH.
3. The MS sends a Service Request (CM_SERV_REQ) message to the BSS on the SDCCH.

B. Authentication

4. Before the network will provide any services to the MS, the network will require the MS to authenticate itself. The BSS sends an Authentication Request (AUTH_REQ) message to the MS. The RAND serves as the "challenge" for authentication.
5. The MS calculates the proper SRES based on the RAND that was given and sends the SRES to the BSS in an Authentication Response (AUTH_RESP) message.
6. The BSS verifies the SRES. If the SRES is correct, then the MS is authenticated and allowed access to the network. The BSS will send a Service Accept (CM_SERV_ACC) message letting the MS know that the service request was received and processed.
7. Once authenticated, the BSS orders the MS to switch to cipher mode with the CIPH_MOD_CMD message.

C. Initial Call Setup

8. The MS will immediately switch to cipher mode and send a Cipher Mode Complete (CIPH_MOD_COM) message.
9. The MS then sends a Call Setup (SETUP) message to the BSS. The message includes the address information (MSISDN) of the called party.
10. The BSS assigns a TCH to the MS by sending an Assignment Command (ASS_CMD) message. This message includes which Transceiver (TRX) and which Time Slot (TS) to use.
   *The BSS does not actually assign a TCH to the MS until the MSC sends a Call Proceeding (CALL_PROC) message to the BSS indicating that the IAM has been sent.
11. The MS immediately switches to the assigned TCH. The MS sends an Assignment Complete (ASS_COM) message back to the BTS on the FACCH.
   *Remember that a FACCH is not a separate channel; it is simply a stolen time slot from the TCH that is used for signalling data instead of voice traffic.

D. Call Setup

12. The MSC sends an Initial Address Message (IAM) to the GMSC. The IAM contains the MSISDN of the called party as the MS dialed it. The MSC will also send a Call Proceeding (CALL_PROC) message down to the BSS, and this is when the BSS would assign a TCH to the MS, as described in step 10 above.
13. Based on the dialed number, the GMSC decides where to route the IAM within the PSTN.
14. The PSTN will continue to route the IAM until it reaches the correct Switching Center and the call routing is complete. The PSTN will then establish the call circuit and send an Address Complete Message (ACM) back to the GMSC.
15. The GMSC then forwards the ACM back to the responsible MSC, indicating that the call circuit has been established.

E. Call Establishment

16. Once the MSC receives the ACM, it sends an ALERT message to the MS indicating that the call is going through. The BSS sends the ALERT message on the FACCH. Once the MS receives the ALERT, it will generate the ringing sound in the earpiece and the subscriber will hear the line ringing.
17. Once the called party answers the phone, the PSTN will send an Answer message to the MSC. The MSC forwards this to the MS in a Connection (CON) message.
18. Once the MS receives the CON message, it switches over to voice and begins the call. All voice traffic occurs on the assigned TCH.

F. Call Termination

19. When either the caller or the called party hangs up, the call will be disconnected. Either party can initiate the disconnect. In this example, the MS initiates the disconnect. The MS sends a Disconnect (DISC) message to the BTS on the FACCH.
20. The BSS forwards the DISC to the MSC. Once the MSC receives the DISC message, it sends a Release (REL) message through the GMSC to the PSTN as well as down through the BSS to the MS.
21. The MS responds by sending a Release Complete (REL_COM) message to the BSS on the FACCH. The BSS forwards the REL_COM message up to the MSC. Once the MSC receives the REL_COM message, the call is considered ended from the call control perspective.
22. Although the call has ended, the BSS still has a TCH allocated to the MS. The MSC sends a Channel Release (CHAN_REL) message to the BSS. The BSS forwards the CHAN_REL message to the MS.
23. The MS responds with a DISC (LAPDm) message and returns to idle mode. The BSS deallocates the channel and releases the TRX.

MOBILE TERMINATED CALL

The term Mobile Terminated Call refers to when the MS is the receiver of a call. In this example, the call is originating from outside the PLMN.

A. Route Establishment

1. The calling party dials the MSISDN for the mobile subscriber. The PSTN identifies the network (PLMN) that the dialed MSISDN belongs to and will locate a GMSC for that network. The PSTN sends an Initial Address message to the GMSC.
2. The GMSC forwards the MSISDN to the HLR and requests routing information for it. The HLR looks up the MSISDN and determines the IMSI and the SS7 address for the MSC/VLR that is servicing the MS.
3. The HLR then contacts the servicing MSC/VLR and asks it to assign a Mobile Station Routing Number (MSRN) to the call.
4. The MSC/VLR allocates the MSRN and forwards it to the HLR.
   *Note: It is important to remember that the MSC/VLR assigns an MSRN to the call, not to the MS itself.
5. The HLR forwards the MSRN as well as routing information for the servicing MSC/VLR to the GMSC.
6. The GMSC sends an Initial Addressing message to the servicing MSC/VLR and uses the MSRN to route the call to the MSC/VLR. Once the servicing MSC/VLR receives the call, the MSRN can be released and may be made available for reassignment.

B. Paging the Mobile Station

7. The MSC/VLR then orders all of its BSCs and BTSs to page the MS. Since the MSC/VLR does not know exactly which BSC and BTS the MS is monitoring, the page will be sent out across the entire Location Area.

C. Initial Setup

8. The MS receives the Page Request (PAG_REQ) on the PCH. The MS recognizes that the page is intended for it, based on a TMSI or an IMSI.
9. The MS sends a Channel Request (CHAN_REQ) message on the RACH.
10. The BSS responds on the AGCH by sending an Immediate Assignment (IMM ASS) message which assigns an SDCCH to the MS. At this point, the network does not know that this MS is the one that it is paging; it only knows that this MS wants access to the network.
11. The MS immediately switches to the assigned SDCCH and sends a Paging Response (PAG_RES) message on the SDCCH. This lets the network know that the MS is responding to its page.

D. Authentication

12. Before the network will provide any services to the MS, the network will require the MS to authenticate itself. The BSS sends an Authentication Request (AUTH_REQ) message to the MS. The RAND serves as the "challenge" for authentication.
13. The MS calculates the proper SRES based on the RAND that was given and sends the SRES to the BSS in an Authentication Response (AUTH_RESP) message.
14. The BSS verifies the SRES. If the SRES is correct, then the MS is authenticated and allowed access to the network.
15. Once the MSC/VLR has authenticated the MS, it will order the BSS and MS to switch to cipher mode using the CIPH_MOD_CMD message.
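The authentication, ciphering and TMSI reallocation steps that this flow shares with IMSI Attach, Location Update and the mobile-originated call, modelled as an added Python example (not from the tutorial). It replaces the SIM's operator-specific A3/A8 algorithms with an HMAC-SHA256 stand-in and A5 with an XOR keystream derived from Kc, collapses AuC, HLR, MSC/VLR and BSS into one object, uses constructed IMSI, Ki and message values, and logs every air-interface message so that it can be checked that Ki and Kc never cross the Um interface and that the TMSI only travels enciphered.

```python
"""Added example (not from the tutorial): a runnable model of the authentication,
ciphering and TMSI reallocation steps that IMSI Attach, Location Update and both call
flows share.  The SIM's operator-specific A3/A8 algorithms are replaced by an HMAC-SHA256
stand-in and A5 by an XOR keystream derived from Kc, the AuC/HLR/MSC/VLR/BSS are
collapsed into one Network object, and every IMSI, key and message value is constructed."""
import hashlib
import hmac
import os


def a3a8(ki, rand):
    """Stand-in for A3/A8: Ki and RAND yield SRES (32 bits) and Kc (64 bits), as in GSM."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def a5_cipher(kc, frame_no, data):
    """Stand-in for A5: XOR with a keystream derived from Kc and the TDMA frame number."""
    stream = hashlib.sha256(kc + frame_no.to_bytes(4, "big")).digest()
    return bytes(d ^ s for d, s in zip(data, stream))


class MS:
    def __init__(self, imsi, ki):
        self.imsi, self._ki = imsi, ki          # Ki never leaves the SIM
        self.kc = self.tmsi = None
        self.ciphering = False

    def auth_response(self, rand):
        """Step 12: derive SRES and Kc from RAND; only the SRES goes back over the air."""
        sres, self.kc = a3a8(self._ki, rand)
        return sres

    def decipher(self, frame_no, ciphertext):
        return a5_cipher(self.kc, frame_no, ciphertext)


class Network:
    """AuC, HLR, MSC/VLR and BSS in one object; every Um (air interface) message is logged."""

    def __init__(self, subscribers):
        self._ki = dict(subscribers)            # AuC table: IMSI -> Ki
        self.vlr = {}                           # MSC/VLR state: IMSI -> (Kc, TMSI)
        self.air_log = []                       # (direction, message name, parameters)

    def _air(self, direction, name, **params):
        self.air_log.append((direction, name, params))

    def imsi_attach(self, ms):
        """Steps 3-17 of the IMSI Attach; True when the MS ends up ciphered and holding a TMSI."""
        self._air("up", "LOC_UPD_REQ", identity=ms.imsi)
        rand = os.urandom(16)                   # steps 6-10: the triplet stays in the core network
        sres_expected, kc = a3a8(self._ki[ms.imsi], rand)
        self._air("down", "AUTH_REQ", rand=rand)      # step 11: RAND is the only parameter
        sres = ms.auth_response(rand)
        self._air("up", "AUTH_RSP", sres=sres)
        if not hmac.compare_digest(sres, sres_expected):   # step 13: the two SRES must match
            self._air("down", "AUTH_REJ")       # failure path (GSM 04.08); the tutorial shows success only
            return False
        self._air("down", "CIPH_MOD_CMD", algorithm="A5/1")  # step 14: names the algorithm, carries no key
        ms.ciphering = True
        self._air("up", "CIPH_MOD_COM")         # step 15
        tmsi = os.urandom(4)                    # step 16: the VLR allocates the TMSI ...
        self.vlr[ms.imsi] = (kc, tmsi)
        frame_no = 42                           # constructed TDMA frame number for the cipher
        ciphered = a5_cipher(kc, frame_no, tmsi)
        self._air("down", "LOC_UPD_ACC", tmsi_ciphered=ciphered)   # ... and sends it only under cipher
        ms.tmsi = ms.decipher(frame_no, ciphered)
        self._air("up", "TMSI_REAL_COM")        # step 17
        return True

    def seen_on_air(self, *values):
        """True if any given value (Ki, Kc, cleartext TMSI ...) appears in a logged air message."""
        sent = [v for _, _, params in self.air_log for v in params.values()]
        return any(v in sent for v in values)


def attach_demo():
    """A constructed subscriber and a clone with the right IMSI but the wrong Ki."""
    imsi, ki = "001010123456789", bytes(range(16))
    net = Network({imsi: ki})
    genuine, clone = MS(imsi, ki), MS(imsi, bytes(16))
    return {
        "genuine_attached": net.imsi_attach(genuine),
        "clone_attached": net.imsi_attach(clone),
        "clone_ciphered": clone.ciphering,
        "tmsi_matches_vlr": genuine.tmsi == net.vlr[imsi][1],
        "kc_matches_vlr": genuine.kc == net.vlr[imsi][0],
        "secret_on_air": net.seen_on_air(ki, genuine.kc, genuine.tmsi),
    }
```

The clone fails at step 13 because it cannot produce the expected SRES without Ki, and the air log for the genuine MS contains RAND and SRES but neither Ki, Kc nor the cleartext TMSI.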
Once the MS is in encryption mode, the VLR will normally assign a new TMSI to the MS.

E. Establishing a Channel

16. Once the MS is authenticated and in encryption mode, the MSC sends a SETUP message to the BSS, and the BSS forwards the SETUP message to the MS on the assigned SDCCH. The SETUP message may include the Calling Line Identification Presentation (CLIP), which is essentially caller ID.
17. The MS responds by sending a Call Confirmed (CALL_CON) message, which indicates that the MS is able to establish the requested connection. The BSS relays the message up to the MSC.

F. Call Setup

18. The BSS then sends an Assignment Command (ASS_CMD) message to the MS on the assigned SDCCH. The ASS_CMD message assigns a Traffic Channel (TCH) to the MS.
19. The MS immediately switches to the TCH and responds with an Assignment Complete (ASS_COM) message on the FACCH. The MS begins ringing once it has established the TCH.
20. *Remember that all signaling that occurs on the traffic channel actually occurs on a FACCH, which is a time slot that is stolen from the TCH and used for signaling.
21. The MS sends an ALERT message to the MSC on the FACCH. The BSS forwards the ALERT message through the PSTN to the calling party, and the caller hears the line ringing.

G. Establishing the Call

22. Once the user answers the call (by pressing the send button), the MS will send a Connect (CON) message to the MSC. The Connect message is forwarded back to the caller's switch to activate the call.
23. The MSC sends a Connect Acknowledge (CON_ACK) message to the MS and the call is established.

H. Disconnecting the Call

24. A disconnect happens the same way as for any other call. In this example, the calling party initiates the disconnect.
25. When the calling party hangs up, the calling party's switch initiates a Release (REL) message. The message is forwarded to the serving MSC, which then forwards it to the BSS.
26. The BSS will send a Disconnect (DISC) message to the MS on the FACCH.
27. The MS confirms release of the call by sending a Release (REL) message on the FACCH, which is forwarded to the MSC.
28. The MSC sends a Release Complete (REL_COM) message through the BSS to the MS. As far as call control (CC) is concerned, the connection has been terminated.
29. The MS still has a TCH assigned to it, so the BSS sends a Channel Release (CHAN_REL) message to the MS. This releases the radio resource on the Air Interface.
30. The MS responds by sending a final Disconnect message and returns to idle.

CHAPTER 9 - CELL SELECTION AND RESELECTION

There are many factors involved in maintaining the radio link (Um interface) between the Mobile Station (MS) and the Base Transceiver Station (BTS). As the MS moves throughout the network, the signal strength of the BTS will increase and decrease, and the MS will have to continuously monitor the signal strengths of nearby towers and update which BTS it camps on. This page covers all of the parameters that the MS and network use in order to ensure that the MS chooses the strongest tower to monitor, along with other network considerations.

Signal Strength

The first and arguably most important consideration in radio link management is signal strength. In GSM (and most other RF communications) the standard measure of signal strength is dBm (decibels referenced to one milliwatt). The term received signal strength indicator (RSSI) is often used, but in GSM the term received signal level (RXLEV) is preferred. The distinction is that the term RSSI was generally used on analog networks and RXLEV is used on digital networks. On this website RSSI will be used for general reference to signal strength and RXLEV for the actual value that is passed over the network.

RXLEV

RXLEV is a number from 0 to 63 that corresponds to a dBm value range. 0 represents the weakest signal and 63 the strongest. RSSI values below -110 dBm are generally considered unreadable in GSM.
RSSI values around -50 dBm are rarely seen and would indicate that the MS is right next to the BTS. The main factor that affects RSSI is distance from the tower. However, other factors such as terrain, elevation, and large objects such as buildings can dampen signal strength.

RXQUAL

Although a strong RSSI is desirable, it does not guarantee a quality signal. RXQUAL is a value that represents the quality of the received signal. The MS determines the Bit Error Rate (BER) of the signal and reports it back to the network. The BER is simply the percentage of the bits it receives that did not pass error checking. The bits may have been garbled along the RF path or lost due to fading or interference. The higher the BER, the lower the signal quality. RXQUAL is given as a number from 0 to 7 and represents a percentage range of BER.

Cell Selection and Reselection

Cell selection refers to the initial registration that an MS will make with a network. This normally only occurs when the phone powers up or when the MS roams from one network to another. Cell reselection refers to the process of an MS choosing a new cell to monitor once it has already registered and is camped on a cell. It is important to distinguish that selection and reselection are done by the MS itself and not governed by the network. The network would only be responsible for this function when the MS is on a Traffic Channel (TCH). When the MS reselects a new cell, it will not inform the network that it has done so unless that new cell is in a new Location Area (LA).

There are many parameters involved in selection and reselection of a new cell. The MS must ensure it is getting the best signal, and the network must ensure that the MS does not cause unneeded strain on the network by switching cells when unnecessary or undesired.

C1

C1 is the path-loss parameter that is used to determine the strongest cell for selection. The MS will calculate a C1 for each tower it can see and select the cell tower with the highest C1. The C1 uses the following parameters for calculation. The formula for calculating C1 is given as:

C1 = (A) - Max(B,0)

where:

A = (RXLEV - RLAM)
B = MS Transmit Power Max CCH - Max RF Output of MS

At first this may seem complicated, but if we examine the various parameters and how they affect the C1 score, then it becomes more clear.

A - This value is merely a dB value for the difference between what RSSI is required to select that cell and what signal strength the MS sees the tower at. If the RLAM is -110 dB and the MS sees the tower at -90 dB, then the value of A is 20 dB. The higher the value of A, the higher the C1 and the more attractive this tower will be to the MS.

B - Just because an MS can receive a tower's signal does not mean that the MS has enough power to reach that tower. The tower tells the MS what maximum power level the MS may use to transmit to that tower. If the phone is capable of transmitting at this power, then there is no problem. However, what if the phone cannot transmit at that power level? The signal from the MS may not have enough power to reach the tower. Any lack in transmitting power of the MS must be taken into account when calculating C1. B is essentially the value of this difference. Let's say a cell tower requires the MS to be able to transmit at a 30 dB power level but this MS is only capable of transmitting at 26 dB. In this case the value of B would be 4 dB. This value is subtracted from the value of A, which has the result of lowering the value of C1. If the MS is capable of transmitting at the required power or higher, then B will be zero and no adjustment to C1 will be made.

In summary, the two main factors in determining C1 are the strength of the received signal and the transmission power the MS is capable of. C1 alone is only used for cell selection. When an MS is already camped on a cell and it wants to move to another cell, it will reselect it. Cell reselection uses a different criterion, C2.

C2

C2 is the parameter used for cell reselection. Once an MS is camped on a cell, it will continuously monitor the strength of neighbor cells. Every BCCH sends out a BCCH Allocation (BA) List. This is a list of neighbor cells (ARFCNs) that the MS must monitor while camped on a particular cell. The MS will monitor these ARFCNs for signal strength and only reselect a cell that is on this list. The MS will calculate a C2 value for each cell on the BA list. The cell tower with the highest C2 wins, and the MS will move to that cell and camp on it. Keep in mind that the C2 is calculated by the MS and the MS decides which cell tower to camp on. The cell that the MS camps on is known as the serving cell. As long as the losing cell and the gaining cell are both in the same Location Area, the MS will not notify the network that it is selecting a new cell. The MS only needs to notify the network if it is reselecting a cell that is in a new location area, in which case it will do a location update.

The C2 is calculated using the following parameters. The formula for calculating C2 is:

C2 = C1 + CRO - (Temp_Offset * H)

H = 1 if the MS has been monitoring a particular cell for less than the penalty time.
H = 0 if the MS has been monitoring the particular cell for longer than the penalty time.
H = 0 if the particular cell is the serving cell (the one the MS is currently camped on).

Let's look at an example to see how the temporary offset works. The following chart shows two example cell towers and values for C1 and C2 parameters. The time progresses as the MS moves away from cell A and towards cell B. For the sake of simplicity, we are assuming that the MS can transmit at the max power allowed and that neither cell is using CRO.

0 seconds - The MS is camped on cell A. The MS calculates the C2 value as 38. Since the RXLEV for cell B is not above the RLAM, the C1 (and C2) are below 0. An MS will not select a cell with a C1 below 0 and it will not reselect a cell with a C2 below 0.

10 seconds - The RXLEV for cell B meets the minimum threshold (RLAM). The MS starts a timer as soon as it puts cell B on its strongest neighbor list. The penalty time for cell B is 40 seconds, so for the first 40 seconds that cell B is on the strongest neighbor list, the MS will apply the temporary offset to the C2 value. After including the offset, the C2 for cell B is -20 dBm.

20 seconds - The C2 for cell A continues to drop as the C2 for cell B continues to rise. With a C2 of 25, cell A is still the most attractive.

30 seconds - Cell A drops to a C2 of 21 and cell B has a C2 of -5.

40 seconds - Cell A drops to a C2 of 18. Cell B rises to a C2 of 3. Notice here that if it were not for the temporary offset, the C2 for cell B would be at 23. At this point the MS would normally reselect cell B. However, due to the temporary offset, cell A is still the most attractive.

50 seconds - At this point the penalty time for cell B has expired and the temporary offset is no longer applied. The C2 for cell B rises from 3 to 27. The C2 for cell B wins over the C2 for cell A and the MS reselects cell B.

The temporary offset would be used if the network wanted to discourage mobile stations from reselecting a cell as soon as the MS saw it. This is commonly found in pico-cells. This forces an MS to be in the area of the cell for a certain period before reselecting it. It prevents mobile stations that just happen to be passing by from reselecting the cell. In order to reselect the cell, the MS must be in the area for a certain period of time or be close enough that the RXLEV overcomes the negative offset value.

Cell Reselection Offset (CRO) - CRO is a value from 0 to 63. Each step represents a 2 dBm step (0 to 126 dBm). This value is added to C1. A higher CRO value will make the cell tower more attractive to the MS. The network might assign a CRO value to a cell if it wanted to encourage mobile stations to utilize that cell. The network might want to do this in order to reduce the load on other cells during times of high traffic volume or to force MSs to a certain band.

Neighbor List - The neighbor list is a list of the 6 strongest cells that the MS can see. The RXLEV for these cells is transmitted in a measurement report from the MS to the BTS on the SACCH whenever the MS has been allocated an SDCCH or a TCH. The BSC and MSC use these measurements to determine if the MS needs to move to a different cell. Whenever an MS is on an active SDCCH or TCH, the network will always manage the handoff. The MS will only move from one cell to another by itself when it is in idle mode.

Cell Reselection Hysteresis (CRH)

When an MS reselects a new cell, it does not need to notify the network unless that new cell is in a different Location Area. When an MS moves into a new location area, it must do a location update, which generates signaling messages between the BTS, BSC, MSC, VLR, and HLR. If an MS is located along the border of two location areas, then it will see cells in both location areas. An MS along the borderline might reselect a cell in one location area and then a few minutes later reselect a cell in the other location area, and continuously bounce back and forth between location areas, generating too much signaling overhead and putting strain on the network. In order to mitigate this problem the CRH is used. It is a value that is similar to the temporary offset value of C2. CRH is applied to C2 when the desired cell is in a different location area. This results in making the cell in this different location area less desirable to the MS.
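The C1 and C2 calculations, the temporary offset with its penalty timer, CRO and CRH, as an added Python example (not from the tutorial) run through the cell A / cell B timeline above. The RXLEV samples, the -110 dBm RLAM (RXLEV_ACCESS_MIN in the GSM specifications) and the MS power figures are constructed so that the quoted C1/C2 values come out; the tutorial's own chart is not reproduced.

```python
"""Added example (not from the tutorial): the C1 and C2 calculations above, including the
temporary offset and penalty timer, CRO and CRH, run through the cell A / cell B timeline
the text walks through.  The per-sample RXLEV values, the -110 dBm RLAM and the MS power
figures are constructed to reproduce the C1/C2 numbers quoted in the text; they are not
taken from the tutorial's chart."""
from dataclasses import dataclass


@dataclass
class Cell:
    name: str
    lai: int                    # Location Area the cell belongs to
    rlam: int = -110            # RLAM (RXLEV_ACCESS_MIN) in dBm, broadcast on the BCCH
    ms_txpwr_max_cch: int = 30  # max MS transmit power the cell allows (dBm), constructed
    cro: int = 0                # CRO, 0..63 in 2 dB steps
    temporary_offset: int = 0   # dB, applied while the penalty timer is running
    penalty_time: int = 0       # seconds


def c1(cell, rxlev, ms_max_power=30):
    """C1 = A - Max(B, 0) with A = RXLEV - RLAM, B = MS_TXPWR_MAX_CCH - max RF output of the MS."""
    a = rxlev - cell.rlam
    b = cell.ms_txpwr_max_cch - ms_max_power
    return a - max(b, 0)


def c2(cell, rxlev, seconds_listed, serving, current_lai, crh=0, ms_max_power=30):
    """C2 = C1 + CRO - Temp_Offset * H.  H is 0 for the serving cell and for a cell that has
    been on the strongest-neighbor list at least as long as its penalty time, otherwise 1;
    a cell in another Location Area is further reduced by CRH (hysteresis)."""
    expired = seconds_listed is not None and seconds_listed >= cell.penalty_time
    h = 0 if serving or expired else 1
    value = c1(cell, rxlev, ms_max_power) + 2 * cell.cro - cell.temporary_offset * h
    return value - crh if cell.lai != current_lai else value


def select_cell(cells, rxlevs, ms_max_power=30):
    """Initial selection: the cell with the highest C1, ignoring cells whose C1 is below 0."""
    scores = {n: c1(c, rxlevs[n], ms_max_power) for n, c in cells.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] >= 0 else None


def reselection_timeline(cells, samples, serving, crh=0):
    """Feed (t, {cell name: RXLEV}) samples to an idle MS camped on `serving` and return
    [(t, {cell name: C2}, serving cell after this sample)].  A cell joins the
    strongest-neighbor list, starting its penalty timer, once its C1 reaches 0; the MS
    reselects when a listed cell's C2 is non-negative and beats the serving cell's C2."""
    listed_since, current_lai, out = {}, cells[serving].lai, []
    for t, rxlevs in samples:
        scores = {}
        for name, cell in cells.items():
            if name not in listed_since and c1(cell, rxlevs[name]) >= 0:
                listed_since[name] = t
            age = t - listed_since[name] if name in listed_since else None
            scores[name] = c2(cell, rxlevs[name], age, name == serving, current_lai, crh)
        best = max(scores, key=scores.get)
        if best != serving and scores[best] >= 0 and scores[best] > scores[serving]:
            serving, current_lai = best, cells[best].lai
        out.append((t, scores, serving))
    return out


def text_example():
    """The two cells from the text: no CRO, MS at full power, cell B with a 20 dB temporary
    offset and a 40 s penalty time.  RXLEV samples are constructed (see module docstring)."""
    cells = {"A": Cell("A", lai=1), "B": Cell("B", lai=1, temporary_offset=20, penalty_time=40)}
    samples = [(0, {"A": -72, "B": -115}), (10, {"A": -80, "B": -110}),
               (20, {"A": -85, "B": -102}), (30, {"A": -89, "B": -95}),
               (40, {"A": -92, "B": -87}), (50, {"A": -95, "B": -83})]
    return reselection_timeline(cells, samples, serving="A")
```

Cell B's C2 runs -20, -12, -5, 3 while its penalty timer is running and jumps to 27 at 50 seconds, which is the first sample at which the MS reselects; passing `crh` with cells in different Location Areas reproduces the hysteresis described in the next section.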
The MS must move close enough to the new location area to overcome the offset, thus ensuring the MS is truly close enough to the new location area to warrant a location update. Once the MS reselects the cell in the new location area it will perform a location update. The MS will then apply the CRH value to all cells it sees in the old location area, which will make them less attractive to the MS and ensure the MS does not continually bounce back and forth between two location areas.

Cell Bar Access (CBA)

Cell Bar Access is a single bit (0 or 1) value sent down on the BCCH. If CBA is set to 1 then MS's are not allowed to select that cell. If the value is set to 0 then MS's may select it. CBA would be used on umbrella cells in order to prevent MS's from selecting them. The umbrella cell would be reserved for when the network needs to manage high levels of traffic. This gives the network total control of access to the umbrella cell.

Cell Bar Qualifier (CBQ)

This value is similar to the CBA but it applies to reselection. A cell that has CBQ set to 1 does not allow MS's to reselect it. CBQ set to 0 allows normal access to that cell.

APPENDIX I - POWER MEASUREMENTS

The Decibel

In GSM, power level measurements are specified in dBm. In order to understand power measurements it is important to fully understand how the decibel works. The Bel is not really a measure of power; it is a measure of change from one value to another. It is based on a logarithmic base-10 scale. Here is the formula:

Where P1 is the original value and P2 is the new changed value.

Let's look at an example. Our original value is 10 and our changed value is 20. So a change from a value of 10 to a value of 20 is equal to 0.3 Bels. The logarithm can be calculated using any scientific calculator or the calculator provided on any Windows system.

Let's look at another one. Let's say we start with a value of 20 and move to 40.
You will notice that in both of these examples the result is the same, 0.3 Bels. Remember that bels are a unit of change. Every time you double a value there is a change of 0.3 bels.

For most purposes, the Bel is too large of a unit since in most cases it will result in a number below 1. To create a more manageable number we use the decibel (abbreviated dB), which is 1/10 of a bel. For every Bel there are 10 decibels, so: Decibel = Bel * 10

So in the examples above, a change from 10 to 20 would be 3 dB. Again, a change from 20 to 40 is 3 dB. Let's look at two more examples:

As we can see, whenever a value is multiplied by ten we get a change of 10 decibels. This gives rise to a general rule about calculating decibels: the rule of tens and threes.

Any time a value is doubled this results in a change of 3 dB
Any time a value is multiplied by ten it is a change of 10 dB
When a value is reduced by half it is a change of -3 dB
When a value is reduced by 1/10 it is a -10 dB change.

dBm

Since a change of 3 dB or 10 dB could start from any original value, it doesn't do us much good to cite a change in dB unless we know the starting value. For this reason we must standardize the starting value within the industry so that we all know what value we are using as a reference. In radio communications the dBm is used. The m represents milliwatts (1/1000 of a watt). This tells us that any value given in dBm is in relation to a starting value of 1 milliwatt (mW).

Let's look at an example. What is 100 mW equal to in dBm? We know that our standardized reference point (P1) is 1 mW. So the formula will be:

We see that 100 mW is equal to 20 dBm.

If a power level is below 1 milliwatt then the resulting dBm will be a negative number. For example, how many dBm is 1 microwatt (1 millionth of a watt)?

So, whenever we see a positive dBm we know that the power in watts is above 1 mW, and if we have a negative dBm we know that the power in watts is below 1 mW.
Now that we know how to convert a power in watts to dBm, we can look at the operation in reverse. What if we are given a value in dBm and we want to translate that to milliwatts? Here is the process:

1. Convert decibels back to bels (divide by 10).
2. Raise 10 to this power.
3. Multiply it by the reference value (1 milliwatt).
4. The result is the value in milliwatts.

Here is what the formula looks like:

Since our reference value will never change and is equal to 1 (mW), we don't need to have it in the formula. We can simplify the formula:

Let's look at a few examples:

1. How many milliwatts is a value of 50 dBm? We see that 50 dBm is equal to 100000 mW (which is equal to 100 Watts).

2. How many milliwatts is a value of -60 dBm? We see that -60 dBm is equal to .000001 mW.

If you don't have a calculator handy you can always use the rule of tens and threes to estimate the value in dBm. We know that 0 dBm is equal to 1 milliwatt. Increasing from 0 dBm to 10 dBm is a ten-fold increase to 10 milliwatts. Increasing from 0 dBm to 3 dBm is doubling power to 2 milliwatts. Increasing from 0 dBm to 20 dBm is a ten-fold increase twice - from 1 mW to 10 mW and then to 100 mW. Increasing from 0 dBm to 6 dBm is doubling the power twice - from 1 mW to 2 mW and then to 4 mW.

Example: How many watts is 26 dBm?

from 0 dBm to 10 dBm - ten times the power - 1 mW to 10 mW
from 10 dBm to 20 dBm - ten times the power - 10 mW to 100 mW
from 20 dBm to 23 dBm - twice the power - 100 mW to 200 mW
from 23 dBm to 26 dBm - twice the power - 200 mW to 400 mW

26 dBm is approximately 400 mW.

The same rule can be used to calculate negative dBm values.

-10 dBm divides the power by 10
-3 dBm divides the power in half.

Example: How many watts is -26 dBm?
from 0 dBm to -10 dBm - 1/10 the power - 1 mW to .1 mW
from -10 dBm to -20 dBm - 1/10 the power - .1 mW to .01 mW (or 10 microwatts)
from -20 dBm to -23 dBm - half the power - 10 microwatts to 5 microwatts
from -23 dBm to -26 dBm - half the power - 5 microwatts to 2.5 microwatts

-26 dBm is approximately 2.5 microwatts.
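The Bel, dB and dBm conversions of this appendix, plus the rule of tens and threes, as an added example (not from the tutorial). It uses the standard definition Bel = log10(P2 / P1) with a 1 mW reference for dBm; estimate_mw() generalizes the two worked examples to any dBm value and records each hop so the estimate can be compared against the exact value.

```python
"""Decibel and dBm arithmetic, an added example (not from the tutorial).
Exact conversions use log10 against the 1 mW reference; estimate_mw() applies
the rule of tens and threes (each 10 dB = x10, each 3 dB = x2) from 0 dBm."""
import math

REFERENCE_MW = 1.0   # the "m" in dBm: every value is relative to 1 milliwatt

def bels(p1, p2):
    """Change from the original value p1 to the new value p2, in Bels."""
    return math.log10(p2 / p1)

def db(p1, p2):
    """Same change in decibels: 10 decibels per Bel."""
    return 10 * bels(p1, p2)

def mw_to_dbm(mw):
    return db(REFERENCE_MW, mw)

def dbm_to_mw(dbm):
    """Reverse: back to Bels (divide by 10), raise 10 to that power, times 1 mW."""
    return 10 ** (dbm / 10) * REFERENCE_MW

def estimate_mw(dbm):
    """Rule of tens and threes: walk from 0 dBm (1 mW) in 10 dB steps, then 3 dB
    steps, multiplying or dividing as the sign of dbm dictates.
    Returns (estimate in mW, list of (step, running power)); a leftover of
    less than 3 dB is simply ignored, which is where the rule's error comes from."""
    up = dbm >= 0
    remaining, power, steps = abs(dbm), REFERENCE_MW, []
    while remaining >= 10:
        power = power * 10 if up else power / 10
        remaining -= 10
        steps.append(("10 dB", power))
    while remaining >= 3:
        power = power * 2 if up else power / 2
        remaining -= 3
        steps.append(("3 dB", power))
    return power, steps

def estimate_error_db(dbm):
    """How far the rule-of-thumb estimate is from the exact value, in dB."""
    return db(dbm_to_mw(dbm), estimate_mw(dbm)[0])

if __name__ == "__main__":
    for value in (26, -26, 50, -60):
        est, hops = estimate_mw(value)
        print(value, "dBm:", dbm_to_mw(value), "mW exact,", est, "mW by rule", hops)
```

For 26 dBm the rule gives 400 mW against an exact 398.1 mW, a difference of well under 0.1 dB; both of the tutorial's walk-throughs come out of estimate_mw() step by step.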