GSM
Global System for Mobile Communication
Contents
• GSM-Introduction
• Architecture
• Technical Specifications
• Frame Structure
• Channels
• Security
• Characteristics and features
• Applications
What is GSM ?
Global System for Mobile (GSM) is a
second-generation cellular standard
developed to cater to voice services and
data delivery using digital modulation
GSM: History
• Developed by Groupe Spécial Mobile (founded 1982), which was an
initiative of CEPT (Conference of European Post and
Telecommunication)
• Aim: to replace the incompatible analog system
• Presently the responsibility for GSM standardization resides with the
Special Mobile Group under ETSI (European Telecommunications Standards
Institute)
• Full set of phase-I specifications became available in 1990
• Under ETSI, GSM is named "Global System for Mobile
communication"
• Today many providers all over the world use GSM (more than 135
countries in Asia, Africa, Europe, Australia, America)
• More than 1300 million subscribers in the world and 45 million subscribers in
India.
GSM Services
● Tele-services
● Bearer or Data Services
● Supplementary services
Tele Services
• Telecommunication services that enable voice communication
via mobile phones
• Offered services
- Mobile telephony
- Emergency calling
Bearer Services
● Include various data services for information transfer
between GSM and other networks like PSTN, ISDN etc at
rates from 300 to 9600 bps
● Short Message Service (SMS)
–up to 160 character alphanumeric data transmission
to/from the mobile terminal
● Unified Messaging Services(UMS)
● Group 3 fax
● Voice mailbox
● Electronic mail
Supplementary Services
Call related services :
•Call Waiting- Notification of an incoming call while on the handset
•Call Hold- Put a caller on hold to take another call
•Call Barring- All calls, outgoing calls, or incoming calls
•Call Forwarding- Calls can be sent to various numbers defined by
the user
•Multi Party Call Conferencing - Link multiple calls together
•CLIP – Caller line identification presentation
•CLIR – Caller line identification restriction
•CUG – Closed user group
GSM System Architecture
[Figure: block diagram of the GSM network showing MS, BTS, BSC, MSC, GMSC, VLR, HLR, AUC, EIR and OMC, with the external PSTN, ISDN and PDN networks]
GSM System Architecture-I
● Mobile Station (MS)
Mobile Equipment (ME)
Subscriber Identity Module (SIM)
● Base Station Subsystem (BSS)
Base Transceiver Station (BTS)
Base Station Controller (BSC)
● Network Switching Subsystem(NSS)
Mobile Switching Center (MSC)
Home Location Register (HLR)
Visitor Location Register (VLR)
Authentication Center (AUC)
Equipment Identity Register (EIR)
System Architecture
Mobile Station (MS)
The Mobile Station is made up of two entities:
1. Mobile Equipment (ME)
2. Subscriber Identity Module (SIM)
System Architecture
Mobile Station (MS)
Mobile Equipment
● Portable, vehicle-mounted, hand-held device
● Uniquely identified by an IMEI (International Mobile
Equipment Identity)
● Voice and data transmission
● Monitoring power and signal quality of surrounding cells
for optimum handover
● Power level : 0.8W – 20 W
● 160 character long SMS.
System Architecture
Mobile Station (MS) contd.
Subscriber Identity Module (SIM)
● Smart card contains the International Mobile Subscriber
Identity (IMSI)
● Allows user to send and receive calls and receive other
subscribed services
● Encoded network identification details
- Keys Ki, Kc and the A3, A5 and A8 algorithms
● Protected by a password or PIN
● Can be moved from phone to phone – contains key
information to activate the phone
System Architecture
Base Station Subsystem (BSS)
Base Station Subsystem is composed of two parts that
communicate across the standardized Abis interface allowing
operation between components made by different suppliers
1. Base Transceiver Station (BTS)
2. Base Station Controller (BSC)
System Architecture
Base Station Subsystem (BSS)
Base Transceiver Station (BTS):
● Encodes, encrypts, multiplexes, modulates and feeds the
RF signals to the antenna.
● Frequency hopping
● Communicates with Mobile station and BSC
● Consists of Transceivers (TRX) units
System Architecture
Base Station Subsystem (BSS)
Base Station Controller (BSC)
● Manages Radio resources for BTS
● Assigns Frequency and time slots for all MS’s in its area
● Handles call set up
● Transcoding and rate adaptation functionality
● Handover for each MS
● Radio Power control
● It communicates with MSC and BTS
System Architecture
Network Switching Subsystem(NSS)
Mobile Switching Center (MSC)
● Heart of the network
● Manages communication between GSM and other networks
● Call setup function and basic switching
● Call routing
● Billing information and collection
● Mobility management
- Registration
- Location Updating
- Inter BSS and inter MSC call handoff
● The MSC performs the gateway function, using the HLR/VLR, when its
customer roams to another network.
System Architecture
Network Switching Subsystem
● Home Location Registers (HLR)
- Permanent database about mobile subscribers in a large service
area (generally one per GSM network operator)
- Database contains IMSI, MSISDN, prepaid/postpaid, roaming
restrictions, supplementary services.
● Visitor Location Registers (VLR)
- Temporary database, updated from the HLR database whenever a new MS
enters its area
- Controls those mobiles roaming in its area
- Reduces number of queries to HLR
- Database contains IMSI, TMSI, MSISDN, MSRN, Location
Area, authentication key
System Architecture
Network Switching Subsystem
● Authentication Center (AUC)
- Protects against intruders in air interface
- Maintains authentication keys and algorithms and provides
security triplets ( RAND,SRES,Kc)
- Generally associated with HLR
● Equipment Identity Register (EIR)
- Database that is used to track handsets using the IMEI
(International Mobile Equipment Identity)
- Made up of three sub-classes: The White List, The Black
List and the Gray List
- Only one EIR per PLMN
International Mobile Equipment
Identity (IMEI) key
● IMEI – a unique 15 digit number identifying each phone, is
incorporated in the cellular phone by the manufacturer
● IMEI ex.: 994456245689001
● when a phone tries to access a network, the service provider
verifies its IMEI with a database of stolen phone numbers; if
it is found in the database, the service provider denies the
connection
● the IMEI is located on a white sticker/label under the battery,
but it can also be displayed by typing *#06# on the phone
International Mobile Subscriber
Identity (IMSI) key
(MCC+MNC+MSIN)
● IMSI – a 15-digit unique number provided by the service
provider and incorporated in the SIM card which identifies
the subscriber
● IMSI enables a service provider to link a phone number with
a subscriber
● first 3 digits of the IMSI are the country code
Temporary Mobile Subscriber Identity
(TMSI) key
● TMSI – is a temporary number, shorter than the IMSI,
assigned by the service provider to the phone on a temporary
basis
● TMSI key identifies the phone and its owner in the cell it is
located; when the phone moves to a different cell it gets a
new TMSI key
● as TMSI keys are shorter than IMSI keys they are more
efficient to send
● TMSI keys are used for securing GSM networks
GSM Specifications-1
● RF Spectrum
GSM 900
Mobile to BTS (uplink): 890-915 MHz
BTS to Mobile (downlink): 935-960 MHz
Bandwidth: 2 × 25 MHz
GSM 1800
Mobile to BTS (uplink): 1710-1785 MHz
BTS to Mobile (downlink): 1805-1880 MHz
Bandwidth: 2 × 75 MHz
GSM Specification-II
● Carrier Separation: 200 kHz
● Duplex Distance: 45 MHz
● No. of RF carriers: 124
● Access Method: TDMA/FDMA
● Modulation Method: GMSK
● Modulation data rate: 270.833 kbps
GSM uplink/downlink frequency
bands
● uplink and downlink take place in different time slots using
TDMA
● uplink and downlink channels have a bandwidth of 25 MHz
● these channels are further split up into 124 carrier
frequencies (1 control channel and the rest as traffic
channels); each carrier frequency is spaced 200 kHz apart to
avoid interference
● these carrier frequencies are further divided by time using
TDMA and each time slot lasts for 0.577 ms.
GSM uplink/downlink frequency
bands used
GSM Frequency band    Uplink/BTS Transmit    Downlink/BTS Receive
900 MHz               935-960 MHz            890-915 MHz
1800 MHz              1805-1880 MHz          1710-1785 MHz
1900 MHz              1930-1990 MHz          1850-1910 MHz
GSM Access Scheme and Channel
Structure
● GSM uses FDMA and TDMA to transmit voice and data
● the uplink channel between the cell phone and the BTS uses
FDMA and a specific frequency band
● the downlink channel between the BTS and the cell phone
uses a different frequency band and the TDMA technique
● there is sufficient frequency separation between the uplink
freq. band and the downlink freq. band to avoid interference
● each uplink and downlink frequency band is further split up
into a Control Channel (used to set up and manage calls) and
a Traffic Channel (used to carry voice)
Logical Channels
● TCH (traffic)
- Speech: Full rate 22.8 kbps, Half rate 11.4 kbps
- Data: 2.4 kbps, 4.8 kbps, 9.6 kbps
● CCH (control)
- BCCH: FCCH (Frequency correction), SCH (Synchronization)
- CCCH: PCH (Paging), RACH (Random Access), AGCH (Access Grant)
- DCCH: SDCCH (Stand Alone), SACCH (Slow-associated), FACCH (Fast-associated)
GSM Operation
Transmit side        Rate after stage    Receive side
Speech               -                   Speech
Speech coding        13 kbps             Speech decoding
Channel coding       22.8 kbps           Channel decoding
Interleaving         22.8 kbps           De-interleaving
Burst formatting     33.6 kbps           Burst formatting
Ciphering            33.6 kbps           De-ciphering
Modulation           270.83 kbps         Demodulation
Both sides meet at the radio interface (physical channel).
GSM-Frame Structure
Broadcast Channel
● type of control channel used for the initial synchronization
between the cell phone and the BTS
● is composed of:
– Frequency Correction Channel (FCCH) – consists of a sequence
of 148 zeros transmitted by the BTS
– Synchronization Channel (SCH) – follows the FCCH and contains BTS
identification and location information
– Broadcast Control Channel (BCCH) – contains the frequency allocation
information used by cell phones to adjust their frequency to that of the
network; is continuously broadcast by the BTS
GSM Control Channel
● is used to communicate management data (setting up calls,
location) between BTS and the cell phone within a GSM cell
● only data is exchanged through the control channel (no voice)
● a specific frequency from the frequency band allocated to a
cell and a specific time slot are allocated for the control
channel (beacon frequency); a single control channel for a
cell
● GSM control channels can have the following types:
– broadcast channel
– common control channel
– dedicated control channel
Common Control Channels
● type of control channel used for call initiation
● is composed of:
– Paging Channel (PCH) – the BTS uses this channel to inform the cell
phone about an incoming call; the cell phone periodically monitors
this channel
– Random Access Channel (RACH) – is an uplink channel used by the
cell phone to initiate a call; the cell phone uses this channel only when
required; if 2 phones try to access the RACH at the same time, they
cause interference and will wait a random time before they try again;
once a cell phone correctly accesses the RACH, the BTS sends an
acknowledgement
– Access Grant Channel (AGCH) – channel used to set up a call; once
the cell phone has used PCH or RACH to receive or initiate a call, it
uses AGCH to communicate to the BTS
Dedicated Control Channels
● control channel used to manage calls
● is composed of:
– Standalone Dedicated Control Channel (SDCCH) – used along with
SACCH to send and receive messages; relays signalling information
– Slow Associated Control Channel (SACCH) – on the downlink BTS
broadcasts messages of the beacon frequency of neighboring cells to
the cell phones; on the uplink BTS receives acknowledgement
messages from the cell phone
– Fast Associated Control Channel (FACCH) – used to transmit
unscheduled urgent messages; FACCH is faster than SACCH as it can
carry 50 messages per second, while SACCH can carry only 4.
Traffic Channel
● is used to carry voice data
● based on the TDMA the traffic (voice channel) is divided in 8
different time slots numbered from 0 to 7
● the BTS sends signals to a particular cell phone in a specific
time slot (from those 8 time slots) and the cell phone replies in
a different time slot
GSM Protocol Stack
● In any telecommunication system, signalling is required to coordinate
the necessarily distributed functional entities of the network.
● The transfer of signalling information in GSM follows the layered OSI
model
● Layer 1: Physical Layer
– Radio Transmission
● Layer 2: Data Link Layer (DLL)
– provides error-free transmission between adjacent entities, based on the
ISDN’s LAPD protocol for the Um and Abis interfaces, and on SS7’s Message
Transfer Protocol (MTP) for the other Layer interfaces
● Layer 3: Networking or Messaging Layer
– Responsible for the communication of network resources, mobility, code
format and call-related management messages between various network
entities
L1-Physical Layer
● Modulation Techniques – Gaussian Minimum Shift Keying (GMSK)
● Channel Coding
▪ Block Code
▪ Convolutional Code
● Interleaving
▪ To distribute burst error
● Power control methodology – to minimize the co-channel interference
● Time synchronization approaches
L2-Data Link Layer
■ Connection-based Network
■ Traffic
■ Signaling and Control
■ Signaling and control data are conveyed through Layer II and Layer III
messages in GSM
■ Purpose of Layer II is to check the flow of packets for Layer III
■ DLL checks the address and sequence # for Layer III
■ Also manages Acks for transmission of the packets
■ Allows two SAPs for signaling and SMS
■ SMS traffic is carried through a fake signaling packet that carries user
information over signaling channels
■ DLL allows SMS data to be multiplexed into signaling streams
LAPDm
● The Link Access Procedure on the Dm channel (LAPDm) is the protocol for
use by the data link layer on the radio interface.
● Functions
– organization of Layer 3 information into frames
– peer-to-peer transmission of signaling data
in defined frame formats
– recognition of frame formats
– establishment, maintenance, and
termination of one or more (parallel) data
links on signaling channels
Layer-III
● Radio Resource Management (RR),
● Mobility Management (MM)
● Connection Management
Layer-3.1 Radio Resource Management (RR)
Layer-3.2 Mobility Management (MM)
● Responsible for
- location management and
- security
● Location management involves the procedures and
signaling for location updating, so that the mobile’s
current location is stored at the HLR, allowing incoming
calls to be properly routed.
● Security involves the authentication of the mobile, to
prevent unauthorized access to the network, as well as the
encryption of all radio link traffic.
Layer-3.3 Call Management (CM)
● The CM functional layer is divided into three sub layers.
● Call Control (CC) sub layer
- manages call routing, establishment, maintenance, and
release, and is closely related to ISDN call control.
● Supplementary Services sub layer
- manages the implementation of the various supplementary
services (Call Forwarding/waiting/hold), and also allows users
to access and modify their service subscription.
● Short Message Service sub layer
- handles the routing and delivery of short messages, both
from and to the mobile subscriber.
GSM Interfaces
■ Um
▪ Radio interface between MS and BTS
▪ each physical channel supports a number of logical channels
■ Abis
▪ between BTS and BSC
▪ primary functions: traffic channel transmission, terrestrial
channel management, and radio channel management
■ A
▪ between BSC and MSC
▪ primary functions: message transfer between different BSCs
to the MSC
Initializing a call
1. when the cell phone is turned on, it scans all the available frequencies for the control
channel
2. all the BTSs in the area transmit the FCCH, SCH and BCCH that contain the BTS
identification and location
3. out of the available beacon frequencies from the neighboring BTSs, the cell phone
chooses the strongest signal
4. based on the FCCH of the strongest signal, the cell phone tunes itself to the
frequency of the network
5. the phone sends a registration request to the BTS
6. the BTS sends this registration request to the MSC via the BSC
7. the MSC queries the AUC and EIR databases and based on the reply it authenticates
the cell phone
8. the MSC also queries the HLR and VLR databases to check whether the cell phone is in its
home area or outside
9. if the cell phone is in its home area, the MSC gets all the necessary information from
the HLR; if it is not in its home area, the VLR gets the information from the
corresponding HLR via MSCs
10. then the cell phone is ready to receive or make calls.
Initializing a call (2)
Making a call
1. when the phone needs to make a call, it sends an access request (containing
phone identification, number) using RACH to the BTS; if another cell
phone tries to send an access request at the same time, the messages might
get corrupted; in this case both cell phones wait a random time interval
before trying to send again
2. then the BTS authenticates the cell phone and sends an acknowledgement to
the cell phone
3. the BTS assigns a specific voice channel and time slot to the cell phone and
transmits the cell phone request to the MSC via BSC
4. the MSC queries HLR and VLR and based on the information obtained it
routes the call to the receiver’s BSC and BTS
5. the cell phone uses the voice channel and time slot assigned to it by the BTS
to communicate with the receiver
Making a call (2)
Receiving a call
1. when a request to deliver a call is made in the network, the MSC of the
receiver’s home area queries the HLR; if the cell phone is located in its
home area the call is transferred to the receiver; if the cell phone is located
outside its home area, the HLR maintains a record of the VLR attached to
the cell phone
2. based on this record, the MSC notes the location of the VLR and notifies
the corresponding BSC of the incoming call
3. the BSC routes the call to the particular BTS which uses the paging channel
to alert the phone
4. the receiver cell phone monitors the paging channel periodically and once it
receives the call alert from the BTS it responds to the BTS
5. the BTS communicates a channel and a time slot for the cell phone to
communicate
6. now the call is established
Receiving a call (2)
Call Routing
● Call Originating from MS
● Call termination to MS
Outgoing Call
1. MS sends dialled number to BSS
2. BSS sends dialled number to MSC
3, 4. MSC checks VLR if MS is allowed the requested service. If so, MSC asks BSS to allocate resources for call.
5. MSC routes the call to GMSC
6. GMSC routes the call to local exchange of called user
7, 8, 9, 10. Answer back (ring back) tone is routed from called user to MS via GMSC, MSC, BSS
Incoming Call
1. Calling a GSM subscriber
2. Forwarding call to GMSC
3. Signal setup to HLR
4, 5. Request MSRN from VLR
6. Forward responsible MSC to GMSC
7. Forward call to current MSC
8, 9. Get current status of MS
10, 11. Paging of MS
12, 13. MS answers
14, 15. Security checks
16, 17. Set up connection
Handovers
● Between 1 and 2 – Inter BTS / Intra BSC
● Between 1 and 3 – Inter BSC / Intra MSC
● Between 1 and 4 – Inter MSC
Security in GSM
● On the air interface, GSM uses encryption and the TMSI instead
of the IMSI.
● The SIM is provided with a 4-8 digit PIN to validate the ownership of
the SIM
● 3 algorithms are specified :
- A3 algorithm for authentication
- A5 algorithm for encryption
- A8 algorithm for key generation
Authentication in GSM
Key generation and Encryption
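Added example (not part of the original slides): the challenge-response flow behind the AUC triplet (RAND, SRES, Kc) and the A3, A8 and A5 roles listed above, in Python. The real A3, A8 and A5 algorithms are replaced here by HMAC-SHA256 and SHA-256 stand-ins, and the IMSI, Ki and frame number are constructed values.

```python
import hashlib
import hmac
import secrets

# Constructed test data: this IMSI and Ki are made-up values.
IMSI = "001010123456789"
KI = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def a3_a8(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """Stand-in for A3 (SRES) and A8 (Kc); HMAC-SHA256 is an assumption.

    Output sizes follow GSM: SRES is 32 bits, Kc is 64 bits.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


def a5(kc: bytes, frame_no: int, data: bytes) -> bytes:
    """Stand-in for A5: XOR data with a keystream from Kc and the frame number."""
    stream = hashlib.sha256(kc + frame_no.to_bytes(4, "big")).digest()
    if len(data) > len(stream):
        raise ValueError("burst longer than one keystream block")
    return bytes(d ^ s for d, s in zip(data, stream))


class AuC:
    """Authentication Center: the only network element that stores Ki."""

    def __init__(self, subscribers: dict[str, bytes]):
        self._ki = subscribers

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = secrets.token_bytes(16)  # fresh 128-bit challenge
        sres, kc = a3_a8(self._ki[imsi], rand)
        return rand, sres, kc


class Sim:
    """SIM card: Ki stays inside the card; only SRES and Kc come out."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> tuple[bytes, bytes]:
        return a3_a8(self._ki, rand)


def authenticate(auc: AuC, sim: Sim):
    """MSC/VLR side: returns (accepted, network Kc or None, mobile Kc)."""
    rand, expected_sres, kc_net = auc.triplet(sim.imsi)  # AUC -> MSC/VLR
    sres, kc_ms = sim.run_gsm_algorithm(rand)  # RAND sent down, SRES sent back
    accepted = hmac.compare_digest(sres, expected_sres)
    return accepted, (kc_net if accepted else None), kc_ms


if __name__ == "__main__":
    auc = AuC({IMSI: KI})
    ok, kc_net, kc_ms = authenticate(auc, Sim(IMSI, KI))
    burst = a5(kc_ms, 42, b"hello")  # mobile ciphers with its own Kc
    print(ok, a5(kc_net, 42, burst))  # network deciphers with the triplet's Kc
    print(authenticate(auc, Sim(IMSI, bytes(16)))[0])  # SIM with a wrong Ki
```

Only RAND and SRES cross the air interface; Ki and Kc are never transmitted, which is why the MSC/VLR can work from triplets alone without ever holding Ki.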
Characteristics of GSM Standard
● Fully digital system using the 900 and 1800 MHz frequency bands.
● TDMA over radio carriers (200 kHz carrier spacing).
● 8 full rate or 16 half rate TDMA channels per carrier.
● User/terminal authentication for fraud control.
● Encryption of speech and data transmission over the radio
path.
● Full international roaming capability.
● Low speed data services (up to 9.6 kb/s).
● Compatibility with ISDN.
● Support of Short Message Service (SMS).