Global System for Mobile

Communication (GSM)
Li-Hsing Yen
Assistant Prof.
Dept. of CSIE, Chung Hua Univ.

GSM System Architecture

Um

MSC
MS
(ME/SIM) MSC E PSTN, ISDN, PSPDN,
CSPDN

A-bis
A F

C B
A-bis

BSC EIR
HLR VLR
D
BTS BSS
G
Um

NSS
AuC VLR
MS
(ME/SIM)

1
 Nomenclature
• MS (Mobile Station) =
MT (Mobile Terminal ) +
TE (Terminal Equipment)
• BSS (Base Station Subsystem) =
BTS (Base Transceiver Station) +
BSC (Base Station Controller)
• NSS (Network Switching Subsystem)
• MSC (Mobile Switching Center): telephony
switching function and authentication of user

HLR and VLR

• HLR (Home Location Register)
– a database to store and management
permanent data of subscribers
• VLR (Visitor Location Register)
– a database to store temporary information
about subscribers
– needed by MSC in order to service visiting
subscribers

2
 AuC and EIR
• Authentication Center (AuC)
– used in the security data management for
the authentication of subscribers.
• Equipment Identity Register (EIR)
– used to maintain a list of legitimate,
fraudulent, or faulty MSs.
– optional in GSM network, and is not used
generally.

GSM Interfaces
• Um
– Radio interface between MS and BTS
– each physical channel supports a number of
logical channels
• Abis
– between BTS and BSC (vender specific)
– primary functions: traffic channel transmission,
terrestrial channel management, and radio
channel management

3
 Frequency Division Duplex
n: Absolute Radio Frequency Channel Number (ARFCN). 1 ≤ n ≤ 124
Uplink 890.0 MHz Guard band
890.2 MHz 200kHz
F ul(n)=890+ 0.2*n 890.4 MHz
MHz
....

.
57
7
914.8 MHz

ms
burst (contents of time slot)
Downlink 935.0 MHz Guard band
935.2 MHz

F dl(n)=F ul(n)+45 935.4 MHz

MHz
....

959.8 MHz
. . . 7 0 1 2 3 4 5 6 7 0 time slot

Time Division Duplex

MS and BTS do not transmit simultaneously
(MS transmits 3 time slots after the BTS)

Downlink 5 6 7 0 1 2 3 4 5 6 7 0 1 2

Uplink 2 3 4 5 6 7 0 1 2 3 4 5 6 7

Timing advance: MS transmits its data a little earlier as

demanded by the “three time slots delay rule”.

4
 Timing Advance
Propagation delay

Base station send recv

Mobile station recv send

send Original timing

Timing advance
~ Propagation delay * 2

GSM Frame Structure

• 1 hyperframe = 2048 superframes (~3.5hr)
• For speech
– 1 superframe = 51 multiframes = 6.12s
– 1 multiframe = 26 frames = 120ms
• For Signaling
– 1 superframe = 26 multiframes
– 1 multiframe = 51 frames
• 1 frame = 8 time slots = 4.615 ms
• 1 time slot = 156.25 bit duration = 0.577ms

5
 GSM Frame Hierarchy
3.48hr
Hyper …
0 1 2047
frame

Super 0 1 … 48 49 50 6.12s
frame

Multi- …
0 1 23 24 25 120ms
frame

Frame 0 1 2 3 4 5 6 7 4.615ms

28 bits
0.57692ms
Time 8.25
Encrypted bits Encrypted bits
Slot guard bits
57 bits 57 bits
3 tail bits 3 tail bits
Training sequence Stealing bit

Normal Burst Format

• Trail bits
– always (0,0,0); provide start and stop bit pattern
• encrypted bits
– data is encrypted
• stealing bits
– indicate whether the burst was stolen for urgent
control signaling (FACCH signaling)
• Guard bits
– avoid overlapping with other bursts due to different
path delay

6
 Training Sequence
• A known bit pattern that differs for different
adjacent cells
• to adapt the parameters of the receiver to the
current path propagation characteristics
• to select the strongest signal in case of
multipath propagation
• for multipath equalization
– extract the desired signal from unwanted
reflections

GSM Protocol Stack

MS Base Base MSC
Transceiver Station
CM Station Controller CM
MM (BTS) (BSC) MM
DTAP
RR BSSMAP/DTAP
RR BSSMAP
RR BTSM BTSM
SCCP SCCP
LAPDm LAPDm LAPD LAPD
Layer 1 Layer 1 Layer 1 Layer 1 MTP MTP

Um Abis A
(air interface)

7
 Layer 1 - Physical Layer
• Modulation
• Equalization
• Channel coding
– block code
– convolutional code
• Interleaving
– to distribute burst error

GSM Physical Layer (MS Side)

signaling voice signaling
voice
speech speech
coding decoding

channel coding channel decoding

interleaving de-interleaving

burst formatting burst de-formatting

ciphering deciphering

modulation R/F R/F demodulation

8
 GSM Speech Transmission
20 ms

speech encoding (RPE-LTP)

260 bits

channel encoding
456 bits

0 57 114 171 228 285 342 399

64 121 178 235 292 349 406 7

interleaving : :
392 449 50
: : : : :
107 164 221 278 335
: 57 rows

burst 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57
formatting

frame
burst

GSM Speech Channel Coding

260 bits
Class 1a Class 1b Class 2
50 bits 132 bits 78 bits
Parity bits reordering Tail
protecting 1a Bits
91 bits 3 91 bits 4

Convolutional Coding
378 bits 78 bits

456 bits

9
 Tailing Bits and Reordering
d(0) u(0)
d(0) d(2) u(1)
d(1) d(4) u(2)
d(2) : : :
d(3) reorder d(178) u(89) Tailing Bits
d(180) u(90)
…

p(0) u(91) u(185) 0

p(1) u(92) u(186) 0
d(179) p(2) u(93) u(187) 0
d(180) u(94) u(188) 0
d(181)
d(181) u(95)
d(179)
u(96)
p(0) d(177)
: :
p(1)
d(3) u(183)
p(2)
d(1) u(184)

Parity Bits
• The first 50 bits are protected by 3
parity bits p(0), p(2), p(3)
• generator polynomial g(D)=D3+D+1
• the remainder of
d(0)D52+d(1)D51+… +d(49)D3+p(0)D2+p(
1)D+p(2) divided by g(D) should be
1+D+D2

10
 Convolutional Encoder for
GSM Speech (Rate=1/2, K=5)

U0 … U188
ak ak-1 ak-2 ak-3 ak-4

Interleaving
0 455

0 57 114 171 228 285 342 399

64 121 178 235 292 349 406 7
128 185 242 299 356 413 14 71
192 249 306 363 420 21 78 135
256 313 370 427 28 85 142 199
320 377 434 35 92 149 206 263
384 441 42 99 156 213 270 327
448 49 106 163 220 277 334 391
56 113 170 227 284 341 398 455
120 177 234 291 348 405 6 63
184 241 298 355 412 13 70 127
248 305 362 419 20 77 134 191
312 369 426 27 84 141 198 255
: : : : : : : :
: : : : : : : :
392 449 50 107 164 221 278 335

11
 GSM Normal Burst Formatting
A B C
57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57

burst frame

28 bits
8.25
BABA… … BAB ABAB… … ABA guard
bits
57 bits 57 bits
3 tail bits 3 tail bits
Training sequence Stealing flag

Physical Vs. Logical Channels

• Physical channels are all the available time
slots of a BTS
– a BTS with 6 carriers has 48 physical channels
• Logical channels are piggybacked on the
physical channels
– logical channels are laid over the grid of physical
channels
– each logical channel performs a specific task

12
 GSM Logical Channels (I)
• Speech traffic channels (TCH)
– Full-rate TCH (TCH/F)
– Half-rate TCH (TCH/H)
• Broadcast channels (BCH)
– Frequency correction channel (FCCH)
– Synchronization channel (SCH)
– Broadcast control channel (BCCH)
• Cell broadcast channel (CBCH)

GSM Logical Channels (II)

• Common control channels (CCCH)
– Paging channel (PCH)
– Access grant channel (AGCH)
– Random access channel (RACH)
• Dedicated control channel (DCCH)
– Slow associated control channel (SACCH)
– Stand-alone dedicated control channel (SDCCH)
– Fast associated control channel (FACCH)

13
 Broadcast Channels (BCH)
• Frequency correction channel (FCCH)
– the “lighthouse” of a BTS
• Synchronization channel (SCH)
– PLMN/base identifier of a BTS plus
synchronization information (frame number)
• Broadcast control channel (BCCH)
– to transmit system information 1-4, 7-8 (differs in
GSM 900, GSM 1800, and PCS 1900)

CBCH and CCCH

• CBCH (Cell Broadcast Channel)
– transmits cell broadcast messages
• PCH (Paging Channel)
– carries PAG_REQ message
• AGCH (Access Grant Channel)
– SDCCH channel assignment
• RACH (Random Access Channel)
– communication request from MS to BTS

14
 Mapping of Logical Channels
• Each BTS has a particular frequency carrier
called BCCH-TRX to transmit BCCH info
• The following channel structure can be found
on time slot 0 of carrier BCCH-TRX
– FCCH
– SCH
– BCCH information 1-4
– Four SDCCH subchannels (optional)
– CBCH (optional)

Example Mapping of Logical

Channels on Time Slot 0 (Downlink)
FCCH + SCH Block 4
FN= 0 - 5 + FN= 26 - 29
CCCH/SDCCH
BCCH 1 - 4
Block 0 FCCH/SCH FN= 30 - 31
FN= 6 - 9 reserved for
CCCH Block 5
FCCH/SCH CCCH/SDCCH FN= 32 - 35
FN= 10 - 11
Block 1 Block 6
reserved for FN= 36 - 39
FN= 12 - 15 CCCH/SDCCH
CCCH
Block 2 FCCH/SCH FN= 40 - 41
FN= 16 - 19 reserved for
CCCH Block 7 FN= 42 - 45
FN= 20 - 21 FCCH/SCH CCCH/SACCH
Block 3 Block 7 FN= 46 - 49
FN= 22 - 25 CCCH/SDCCH CCCH/SACCH
not used FN= 50

15
 Example Mapping of Logical
Channels on Time Slot 2 (Downlink)

FN= 0 - 11 TCH

FN= 12 SACCH

FN= 13 - 24 TCH

FN= 25 not used

GSM Layer 2: LAPDm

• Functions
– organization of Layer 3 information into
frames
– peer-to-peer transmission of signaling data
in defined frame formats
– recognition of frame formats
– establishment, maintenance, and
termination of one or more (parallel) data
links on signaling channels

16
 Layer 3 Protocol Architecture:
Mobile Station Side
MNREG-SAP MNCC-SAP MNSS-SAP MNSMS-SAP

CM
CC SS SMS

TI TI TI
MM CC SS SMS
MM PD

PD

RR

SAPI=0 SAPI=3
AGCH+PCH

SDCCH

SACCH

FACCH

SDCCH

SACCH
RACH

BCCH

Layer 3 - RR Sublayer
• The RR sublayer handles all the procedures
necessary to establish, maintain, and release
dedicated radio connections
– channel allocation
B
– handover
A
– timing advance
– power control power
level
– frequency hopping
time
A B

17
 Three Cases of Hand-over
MSC MSC

BSC BSC BSC

BTS BTS BTS BTS

MS MS 1. different BTS, same BSC

MS MS 2. different BSC, same MSC

3. different MSC, same PLMN

MS MS
(old MSC=anchor MSC
new MSC=relay MSC)

Layer 3 - MM Sublayer
• The MM sublayer copes with all the
effects of handling a mobile user that
are not directly related to radio functions
– location area
– location registration & call delivery
– location update & paging

18
 Authentication & Encryption/Decryption in GSM
Mobile Station Home System
RAND
SIM Ki Ki

A8 A3 A3 A8

accept SRES Kc
Y

SRES =? SRES
N
reject authentication

frame number Kc encryption

Kc
Visited
A5 System A5
S1 S2 S1 S2

plain text ciphered data plain text

MS BTS BSC MSC VLR HLR

channel request
HLR channel activation command
channel activation acknowledge
cancellation 5 ack 3 location update channel assignment
subscriber location update request
information authentication request
old 2 new authentication response
VLR IMSI, VLR comparison of authentication parameters
auth. para.
assignment of TMSI
1 4 ack
old TMSI, acknowledgement of TMSI
old VLR ID new TMSI
entry of the new area and
MS identity into the VLR & HLR

channel release

19
 Layer 3 - CM Sublayer
• The CM sublayer manages all the functions
necessary for circuit-switched call control
– call establishment procedures for mobile-
originated calls and mobile-terminated calls
– in-call modification
– call reestablishment
– Dual Tone Multi Frequency (DTMF) control
procedure for DTMF transmission

Contents of CM
• Call Control (CC)
• Short Message Service (SMS)
• Supplementary Service (SS)

20
 Paging Procedure

MS BSS
Paging Request Message on PCH

Channel Request on RACH

Assign SDCCH on AGCH

SABM (Paging Response)

Call Setup Procedure: Mobile

Terminated Call
+886935... request roaming number
GMSC 1 1
HLR VLR
dial MSISDN (INTX) 2 2
1 1 allocate MSRN
3 MSC
other routing other
3
switches switches 3

MS
INTerrogating eXchange (INTX)
Mobile Station ISDN Number (MSISDN) (Country Code, see E.164)
Mobile Station Roaming Number (MSRN) (Mobile Country Code, see E.212)

21
 Dual Tone Multiple Frequency
(DTMF) in PSTN
Switch
DTMF

Dialing

Switch PBX

Connected

DTMF in GSM
MSC

SETUP

Dialing

MSC PBX

START_DTMF

STOP_DTMF

Connected

22