Global System for Mobile Communication (GSM) Li-Hsing Yen National University of Kaohsiung GSM System Architecture Um MSC MS (ME/SIM) MSC E PSTN, ISDN, PSPDN, CSPDN A-bis A F B C A-bis BSC BTS HLR BSS D VLR EIR G Um MS (ME/SIM) AuC VLR NSS 1 Nomenclature •MS (Mobile Station) = MT (Mobile Terminal ) + TE (Terminal Equipment) •BSS (Base Station Subsystem) = BTS (Base Transceiver Station) + BSC (Base Station Controller) •NSS (Network Switching Subsystem) •MSC (Mobile Switching Center): telephony switching function and authentication of user HLR and VLR •HLR (Home Location Register) –a database to store and management permanent data of subscribers •VLR (Visitor Location Register) –a database to store temporary information about subscribers –needed by MSC in order to service visiting subscribers 2 AuC and EIR •Authentication Center (AuC) –used in the security data management for the authentication of subscribers. •Equipment Identity Register (EIR) –used to maintain a list of legitimate, fraudulent, or faulty MSs. –optional in GSM network, and is not used generally. GSM Interfaces •Um –Radio interface between MS and BTS –each physical channel supports a number of logical channels •Abis –between BTS and BSC (vender specific) –primary functions: traffic channel transmission, terrestrial channel management, and radio channel management 3 Frequency Division Duplex n: Absolute Radio Frequency Channel Number (ARFCN). 1 n 124 Uplink Guard band 890.0 MHz 200kHz 890.2 MHz 890.4 MHz .... Ful(n)=890+ 0.2*n MHz . 0 57 7 ms 914.8 MHz burst (contents of time slot) Guard band 935.0 MHz Downlink 935.2 MHz Fdl(n)=Ful(n)+45 MHz 935.4 MHz .... 959.8 MHz . . . 7 0 1 2 3 4 5 6 7 0 time slot Time Division Duplex MS and BTS do not transmit simultaneously (MS transmits 3 time slots after the BTS) Downlink 5 6 7 0 1 2 3 4 5 6 7 0 1 2 Uplink 2 3 4 5 6 7 0 1 2 3 4 5 6 7 Timing advance: MS transmits its data a little earlier as demanded by the “ three time slots delay rule” . 4 Timing Advance Propagation delay Base station send Mobile station recv recv send send Original timing Timing advance ~ Propagation delay * 2 GSM Frame Structure •1 hyperframe = 2048 superframes (~3.5hr) •For speech –1 superframe = 51 multiframes = 6.12s –1 multiframe = 26 frames = 120ms •For Signaling –1 superframe = 26 multiframes –1 multiframe = 51 frames •1 frame = 8 time slots = 4.615 ms •1 time slot = 156.25 bit duration = 0.577ms 5 GSM Frame Hierarchy 0 1 Super frame 0 1 Multiframe 0 1 Frame 0 1 2 3 4 5 6 7 Time Slot 3.48hr … Hyper frame 2047 … 48 49 50 … 23 24 25 120ms 4.615ms 0.57692ms 28 bits Encrypted bits Encrypted bits 57 bits 6.12s 57 bits 3 tail bits Training sequence 8.25 guard bits 3 tail bits Stealing bit Normal Burst Format •Trail bits –always (0,0,0); provide start and stop bit pattern •encrypted bits –data is encrypted •stealing bits –indicate whether the burst was stolen for urgent control signaling (FACCH signaling) •Guard bits –avoid overlapping with other bursts due to different path delay 6 Training Sequence •A known bit pattern that differs for different adjacent cells •to adapt the parameters of the receiver to the current path propagation characteristics •to select the strongest signal in case of multipath propagation •for multipath equalization –extract the desired signal from unwanted reflections GSM Protocol Stack MS CM MM Base Transceiver Station (BTS) MSC Base Station Controller (BSC) RR RR CM MM DTAP BSSMAP/DTAP BSSMAP LAPDm RR LAPDm Layer 1 Layer 1 Um (air interface) BTSM BTSM LAPD LAPD Layer 1 Layer 1 Abis SCCP SCCP MTP MTP A 7 Layer 1 - Physical Layer •Modulation •Equalization •Channel coding –block code –convolutional code •Interleaving –to distribute burst error GSM Physical Layer (MS Side) signaling voice voice signaling speech decoding speech coding channel decoding channel coding interleaving de-interleaving burst formatting burst de-formatting ciphering deciphering modulation R/F R/F demodulation 8 GSM Speech Transmission 20 ms speech encoding (RPE-LTP) 260 bits channel encoding 456 bits 0 64 interleaving : 57 114 171 228 285 342 399 121 178 235 292 349 406 7 : : 392 449 50 burst 57 57 57 57 57 57 57 57 formatting : : : : : 57 rows 107 164 221 278 335 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 frame burst GSM Speech Channel Coding 260 bits Class 1a 50 bits Parity bits protecting 1a Class 1b 132 bits Class 2 78 bits Tail Bits reordering 91 bits 3 91 bits 4 Convolutional Coding 378 bits 78 bits 456 bits 9 Tailing Bits and Reordering d(0) d(1) d(2) d(3) … d(179) d(180) d(181) p(0) p(1) p(2) d(0) d(2) d(4) : reorder d(178) d(180) p(0) p(1) p(2) d(181) d(179) d(177) : d(3) d(1) u(0) u(1) u(2) : : u(89) u(90) u(91) u(92) u(93) u(94) u(95) u(96) Tailing Bits u(185) u(186) u(187) u(188) 0 0 0 0 : u(183) u(184) Parity Bits •The first 50 bits are protected by 3 parity bits p(0), p(1), p(2) •generator polynomial g(D)=D3+D+1 •the remainder of d(0)D52+d(1)D51+…+d(49)D3+p(0)D2+p( 1)D+p(2) divided by g(D) should be 1+D+D2 10 Convolutional Encoder for GSM Speech (Rate=1/2, K=5) U0 … U188 ak ak-1 ak-2 ak-3 ak-4 Interleaving 455 0 0 64 128 192 256 320 384 448 56 120 184 248 312 : : 392 57 121 185 249 313 377 441 49 113 177 241 305 369 : : 449 114 178 242 306 370 434 42 106 170 234 298 362 426 : : 50 171 235 299 363 427 35 99 163 227 291 355 419 27 : : 107 228 292 356 420 28 92 156 220 284 348 412 20 84 : : 164 285 349 413 21 85 149 213 277 341 405 13 77 141 : : 221 342 406 14 78 142 206 270 334 398 6 70 134 198 : : 278 399 7 71 135 199 263 327 391 455 63 127 191 255 : : 335 11 GSM Normal Burst Formatting A B C 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 burst frame 28 bits BABA… … BAB ABAB… 57 bits … ABA 57 bits 3 tail bits Training sequence 8.25 guard bits 3 tail bits Stealing flag Physical Vs. Logical Channels •Physical channels are all the available time slots of a BTS –a BTS with 6 carriers has 48 physical channels •Logical channels are piggybacked on the physical channels –logical channels are laid over the grid of physical channels –each logical channel performs a specific task 12 GSM Logical Channels (I) •Speech traffic channels (TCH) –Full-rate TCH (TCH/F) –Half-rate TCH (TCH/H) •Broadcast channels (BCH) –Frequency correction channel (FCCH) –Synchronization channel (SCH) –Broadcast control channel (BCCH) •Cell broadcast channel (CBCH) GSM Logical Channels (II) •Common control channels (CCCH) –Paging channel (PCH) –Access grant channel (AGCH) –Random access channel (RACH) •Dedicated control channel (DCCH) –Slow associated control channel (SACCH) –Stand-alone dedicated control channel (SDCCH) –Fast associated control channel (FACCH) 13 Broadcast Channels (BCH) •Frequency correction channel (FCCH) –the “ lighthouse”of a BTS •Synchronization channel (SCH) –PLMN/base identifier of a BTS plus synchronization information (frame number) •Broadcast control channel (BCCH) –to transmit system information 1-4, 7-8 (differs in GSM 900, GSM 1800, and PCS 1900) CBCH and CCCH •CBCH (Cell Broadcast Channel) –transmits cell broadcast messages •PCH (Paging Channel) –carries PAG_REQ message •AGCH (Access Grant Channel) –SDCCH channel assignment •RACH (Random Access Channel) –communication request from MS to BTS 14 Mapping of Logical Channels •Each BTS has a particular frequency carrier called BCCH-TRX to transmit BCCH info •The following channel structure can be found on time slot 0 of carrier BCCH-TRX –FCCH –SCH –BCCH information 1-4 –Four SDCCH subchannels (optional) –CBCH (optional) Example Mapping of Logical Channels on Time Slot 0 (Downlink) FN= 0 - 5 FN= 6 - 9 FN= 10 - 11 FN= 12 - 15 FN= 16 - 19 FN= 20 - 21 FCCH + SCH + BCCH 1 - 4 Block 0 reserved for CCCH FCCH/SCH Block 1 reserved for CCCH Block 2 reserved for CCCH FCCH/SCH Block 3 FN= 22 - 25 CCCH/SDCCH Block 4 FN= 26 - 29 CCCH/SDCCH FCCH/SCH FN= 30 - 31 Block 5 CCCH/SDCCH FN= 32 - 35 Block 6 FN= 36 - 39 CCCH/SDCCH FCCH/SCH FN= 40 - 41 Block 7 FN= 42 - 45 CCCH/SACCH FN= 46 - 49 Block 7 CCCH/SACCH FN= 50 not used 15 Example Mapping of Logical Channels on Time Slot 2 (Downlink) FN= 0 - 11 FN= 12 FN= 13 - 24 FN= 25 TCH SACCH TCH not used GSM Layer 2: LAPDm •Functions –organization of Layer 3 information into frames –peer-to-peer transmission of signaling data in defined frame formats –recognition of frame formats –establishment, maintenance, and termination of one or more (parallel) data links on signaling channels 16 Layer 3 Protocol Architecture: Mobile Station Side MNREG-SAP MNCC-SAP MNSS-SAP MNSMS-SAP CM CC SS SMS TI MM CC MM TI SS PD TI SMS PD RR SAPI=3 SACCH SDCCH FACCH SACCH SDCCH BCCH RACH AGCH+PCH SAPI=0 Layer 3 - RR Sublayer •The RR sublayer handles all the procedures necessary to establish, maintain, and release dedicated radio connections –channel allocation –handover A –timing advance power –power control level –frequency hopping B A B time 17 Three Cases of Hand-over MSC BSC BTS MS MSC BSC BTS BSC BTS 1. different BTS, same BSC MS MS BTS 2. different BSC, same MSC MS MS MS 3. different MSC, same PLMN (old MSC=anchor MSC new MSC=relay MSC) Layer 3 - MM Sublayer •The MM sublayer copes with all the effects of handling a mobile user that are not directly related to radio functions –location area –location registration & call delivery –location update & paging 18 Authentication & Encryption/Decryption in GSM Mobile Station Home System RAND SIM Ki A8 Ki A3 accept A3 A8 SRES Kc Y SRES =? SRES N authentication reject frame number Kc Visited System A5 S1 S2 plain text Kc encryption A5 S1 S2 ciphered data plain text MS BTS BSC MSC VLR HLR channel request HLR channel activation command channel activation acknowledge cancellation 5 ack 3 location update location update request subscriber information old VLR 2 IMSI, auth. para. old TMSI, old VLR ID channel assignment authentication request new VLR 1 4 ack new TMSI authentication response comparison of authentication parameters assignment of TMSI acknowledgement of TMSI entry of the new area and identity into the VLR & HLR MS channel release 19 Layer 3 - CM Sublayer •The CM sublayer manages all the functions necessary for circuit-switched call control –call establishment procedures for mobileoriginated calls and mobile-terminated calls –in-call modification –call reestablishment –Dual Tone Multi Frequency (DTMF) control procedure for DTMF transmission Contents of CM •Call Control (CC) •Short Message Service (SMS) •Supplementary Service (SS) 20 Paging Procedure MS BSS Paging Request Message on PCH Channel Request on RACH Assign SDCCH on AGCH SABM (Paging Response) Call Setup Procedure: Mobile Terminated Call +886935... dial MSISDN 1 1 request roaming number GMSC (INTX) 1 1 HLR VLR 2 2 allocate MSRN MSC 3 other switches routing other switches 3 3 MS INTerrogating eXchange (INTX) Mobile Station ISDN Number (MSISDN) (Country Code, see E.164) Mobile Station Roaming Number (MSRN) (Mobile Country Code, see E.212) 21 Dual Tone Multiple Frequency (DTMF) in PSTN Switch DTMF Dialing Switch PBX Connected DTMF in GSM MSC SETUP Dialing MSC PBX START_DTMF STOP_DTMF Connected 22