Module 3: 2G Technologies

Introduction
• GSM developed by ETSI (European Technical Standards Institute) protocols for 2G
• GSM was developed to solve fragmentation problem of the 1G systems in Europe
• The GSM is world’s 1st cellular system to specify digital modulation and network
level architectures and services
• The GSM is a circuit-switched system that divides each 200kHz channel into eight
25kHz time-slots.
• GSM operates in
890MHz to 915 MHz Reverse Link (MS to BS)
935MHz to 960MHz Forward Link (BS to MS )
• GSM uses FDD & a combination of TDMA & FDMA technique to provide
simultaneous access to multiple mobile subscriber Units.

27-08-2024 GSM 2
 GSM Architecture
MS BSS NSS

27-08-2024 GSM 3
27-08-2024 GSM 4
 GSM Network Architecture

The GSM network architecture consists of three major subsystems:

 Mobile Station (MS): SIM,ME

 Base Station Subsystem (BSS): BTS,BSC

 Network and Switching Subsystem (NSS): MSC, HLR, VLR, AuC ,EIR ,OMC

27-08-2024 GSM 5
 GSM System Architecture

27-08-2024 GSM 6
 Interfaces used in GSM
1. Air interface ‘Um’: wireless interface, specifies communication between MS & BTS
2. A-bis Interface: specifies communication between BTS & BSC. The support on this interface is for voice traffic
at 64Kbps and data/signaling traffic at 16 Kbps. Both types of traffic are carried over LAPD (Link Access
Protocol-D)
3. ‘A’ Interface : specifies communication between BSC & MSC.

It uses an SS7 protocol called SCCP

(signaling connection control part) which
supports communication between MSC &
BSS.
It allows a service provider to use BS and
switching equipment made by different
manufacturers.
27-08-2024 GSM 7
 Mobile Station (ME & SIM)
• ME-
 physical device, Consists of Transceiver, Digital Signal Processors and the
antenna.
 uniquely identified by the International Mobile Equipment Identity (IMEI).
• SIM-
smart card issued at the subscription time identifying the specification of a user
such as a unique number and type of the service.
The SIM card contains the International Mobile Subscriber Identity (IMSI) used
to identify the subscriber to the system, a secret key for authentication, service
area and other information.
The SIM card may be protected against unauthorized use by a password or
personal identity number (PIN)
27-08-2024 GSM 8
Base Station Subsystem (BSS) :(BTS & BSC)

• BSC:
It is the connection between the mobile station and the Mobile service
Switching Center (MSC).
It is a small switch inside BSS in change of frequency administration,
maintains appropriate power levels of signal and handoff among the BTSs
inside a BSS. This reduces burden of MSC
BSC Controller manages the radio resources for one up to several hundred
BTSs.
From 13kbps to 64kbps-at BSS

27-08-2024 GSM 9
Base Station Subsystem (BSS) :(BTS & BSC)

BTS: Defines a single cell (radius 100m to 35km). BTS components include a Tx,
a Rx and signaling equipment to operate over the air interface.
 Interface between BTS & BSC – A-bis interface- carries traffics and maintain
data
 Interface between BSC & MSC – A interface- standardized within GSM.
 User’s speech is converted to 13kbps digitized voice with speech coder –at
MS.
 Wired network uses 64kbps PCM digitized voice in PSTN technology
27-08-2024 GSM 10
 Network Subsystem
• It provides link between cellular networks and PSTN or ISDN or data network.
• The NSS controls handoffs between calls in different BSSs, authenticates users & validates
their accounts & includes functions for enabling worldwide roaming of mobile subscriber.
• It include the main switching functions of GSM as well as data based needed for
subscriber data and mobility management.
• It consists of
Mobile Switch Center (MSC)
Home Location Register (HLR)
Visitor Location Register (VLR)
Authentication Center (AuC)
Equipment Identity Register (EIR)
Interworking Function (IWF)
27-08-2024 GSM 11
 1. Mobile Switching Centre (MSC)
• It is a hardware part of wireless switch that can communicate with PSTN using
Signaling system- 7 (SS-7) protocol
• It also communicates other MSCs in the coverage area of the service provider.
• Functions of MSC:
Call setup , supervision, release and Call routing
Digit collection and translation
Billing information collection
Mobility management (registration, location updating, inter BSS and inter MSC call
handoffs)
Paging and alerting
Management of radio resources during call.
Echo cancellation

27-08-2024 GSM 12
 2. Home location Register (HLR)
• The HLR represents a central database software that Handles the management of
the mobile subscriber account.

• It is referenced using the SS7 signaling capabilities for every incoming call to the
GSM network for determine the current location of the subscriber.

• The HLR is kept updated with the current locations of all its mobile subscribers,
including those who may have roamed to other network operator within or outside
the country.

• The routing information is obtained from the serving VLR on a call by call basis, so
that for each incoming call the HLR queries the serving VLR for an MSRN(mobile
station routing number).
27-08-2024 GSM 13
 2. Home location Register (HLR)
 Usually one HLR is deployed for each GSM network for administration
of subscriber configuration and services.
 Besides the up to date information for each subscriber , which is dynamic the HLR
maintains the following data on a permanent basis.

 International mobile subscriber identity (IMSI)

 Service subscription information.
 Service restrictions
 Supplementary services subscribed to
 Mobile terminal characteristics
 Billing/ accounting information.
27-08-2024 GSM 14
 3. Visitor Location Register (VLR)
• The VLR represents a temporary database software

• Generally there is one VLR per MSC.

• This register contains information about the mobile subscribers who are currently in the service
area covered by the MSC/ VLR.

• The VLR also contains information about locally activated features such as call forwarding on busy.

• Thus temporary subscriber information available in VLR includes:

 Features currently activated

 Temporary mobile station identity (TMSI)

 Current location information about the MS.

27-08-2024 GSM 15
 4. Authentication Center (AuC)
• It is the database that holds different algorithms that are used for authentication &
encryption of mobile subscribers that verify the mobile user’s identity

• It ensure the confidentiality of each call.

• AuC protects network cellular operators from different types of frauds and spoofing.

• It contains the security modules for the authentication keys.

Cipher key generation algorithms A3 is used for authentication

Cipher key generation algorithms A5 for encryption.

Algorithm A8 is used for Cipher key generation

27-08-2024 GSM 16
 5. Equipment Identity Register (EIR)
• The EIR is another database that keeps the information about identity of ME such as IMEI.
• IMEI reveals the details about the manufacturer, country production and device type.
• This information is used to
1. prevent calls from being misused
2. prevent unauthorized or defective MSS
3. report stolen mobile phones
4. check if the mobile is operating according to the specification of its type.
• Each ME is identified by IMEI which is memorized by the manufacturer and cannot be
removed.

• By the registration mechanisms the MS always sends IMEI to the network so that the EIR
can memories and assign them to three different lists.
27-08-2024 GSM 17
 5. Equipment Identity Register (EIR)
• White list: for all known, good IMEIs- are allowed to enter in the network.

• Black list: for bad or stolen handsets- are not allowed to enter in the network

• Grey list: for handsets/IMEIs that are uncertain- are momentarily not allowed to enter
in the network eg because of software version is too old or because they are in repair.

• In future there will be an interconnections between all the EIRs to avoid the situation
where a mobile stolen in one country can be used in GSM network from a different
country.

27-08-2024 GSM 18
27-08-2024 GSM 19
 6. Interworking Function (IWF)

• IWF-is a subsystem in the PLMN (Public Land Mobile Network)

• It allows non speech communications between GSM and other networks.

• The task of IWF is particularly to adopt the transmission parameters and

protocol conversion.

• The physical manifestation of an IWF may be through a modem which is

activated by MSC dependent on bearer service and destination network.

27-08-2024 GSM 20
7. OSS (Operation & Support System)
• The implementation of Operation Maintenance Center(OMC) is called as
the Operation and Support System (OSS).

• It supports operation and maintenance of systems and allows engineers

to monitor, diagnose and troubleshoot every aspect of GSM network.

• OSS supports one or more OMC (operation maintenance center)

• Used to monitor & maintain the performance of each MS, BS, BSS and
MSC within GSM system.

27-08-2024 GSM 21
7. OSS (Operation & Support System)
OSS has main 3 functions:
1. To maintain all telecommunication hardware & network operations
with a particular service area
2. Manage all ME in the system
3. Manage all charging and billing procedures.

 Within each GSM system, an OMC is dedicated to each of these tasks

and has a provision for adjusting all base station parameters and billing
procedures .
 It provide the ability to determine their performance and integrity of
each unit of ME in the system.
27-08-2024 GSM 22
 GSM Air Interface Specifications

MS to BS
BS to MS
(ARFCN: Absolute Radio
Frequency Channel Number)

27-08-2024 GSM 23
 GSM Air Interface Specifications
Sr.No. Parameter Specifications
1. Frequency band Uplink 890-MHz to 915-MHz
Downlink 935-MHz to 960-MHz
2. Spectral allocation 50-MHz
3. Forward and reverse channel frequency 45-MHz
spacing
4. Tx /Rx time slot spacing 3 time slots
5. RF channel bandwidth 200-kHz(ARFCN channel spacing)
6. ARFCN number 0 to 124 and 975 to 1023
7. Multiple-access technique TDMA/FDMA
8. Duplexing technique FDD
9. Modulation scheme GMSK
10. Number of time slots per RF channel 8(users per frame full rate)
bandwidth
11. Number of voice channels 1000
27-08-2024 (ARFCN: Absolute Radio Frequency Channel Number)
GSM 24
 GSM Air Interface Specifications
Sr. No. Parameter Specifications

12. Modulation data rate 270.833 kbps

13. Spectrum efficiency 1.35 bps/Hz

14. Frame period 4.615ms

15. Time slot period 577µs

16. Bit period 3.692µs

17. Interleaving (max. delay) 40ms

18. Speech coding RELP-LTP @ 13.4 Kbps

(Residual Excited linear prediction)

19. Channel coding CRC with r=1/2; L=5 convolution coding

20. Type of equalisers adaptive

21. Handheld mobile Tx power 1W max; 125mW avg.

27-08-2024 GSM 25
 Identifiers used in GSM System
 GSM distinguishes explicitly between user and equipment and deals with them
separately. Besides phone numbers and subscriber and equipment identifiers, several
other identifiers have been defined.
 The most important addresses and identifiers are as follows:
 IMSI (International Mobile Subscriber Identity)
 SIM (Subscriber Identity Module)
 MSISDN (Mobile System Integrated Service Digital Network)
 LAI (Location Area Identity)
 IMSEI (International MS Equipment Identity)
 MSRN (MS Roaming Number)
 TMSI (Temporary MS Identity)
27-08-2024 GSM 26
Identifiers:

1. International Mobile Subscriber Identity (IMSI):

• The IMSI is assigned to an MS at subscription time. It uniquely identifies a

given MS.

• When an MS attempts a call, it needs to contact a BS. The BS can offer its
service only if it identifies the MS as a valid subscriber.

• For this MS needs to store certain values uniquely defined for the MS, like
country of subscription, network type, subscriber ID and so on.

27-08-2024 GSM 27
The IMSI contains 15 digits and includes

 Mobile Country Code (MCC)—3 digits (home country)

 Mobile Network Code (MNC)—2 digits (Network provider Code)
 Mobile Subscriber Identification code/Number (MSIC/MSIN)
 National Mobile Subscriber Identity (NMSI)
 Another use of IMSI is to find information about the subscriber’s
home PLMN

27-08-2024 GSM 28
Format of IMSI

27-08-2024 GSM 29
 2. SIM (Subscriber Identity Module)
• Every time the MS has to communicate with a BS, it must correctly identify itself.

• An MS does this by storing the mobile phone number, personal information number
for mobile station, authentication parameters and so on, in the SIM card.

• Smart SIM cards have a flash memory –to store small messages to the unit.

• Advantage- it supports roaming with or without a cell phone, also called SIM roaming.

• Carry only the SIM card alone and insert in any GSM mobile phone to make a it work
as per customized MS.

27-08-2024 GSM 30
2. SIM (Subscriber Identity Module)

27-08-2024 GSM 31
 3. Mobile System ISDN (MSISDN)
• It identifies a particular MS’s subscriber, with the format shown. MCC- 1 to 3
digits, NDC-variable, SN- variable
• The GSM actually does not identify a particular mobile phone, but a particular
HLR. It is the responsibility of HLR to contact the mobile phone.
• https://ind.areacodebase.com/ndc_list
3. Mobile System ISDN (MSISDN)
 4. Location Area Identity (LAI)
The GSM service area is usually divided into a hierarchical structure that
facilitates the system to access any MS quickly.
•Each PLMN area is divided into many MSCs.

• Each MSC typically contains a VLR to inform the

system if a particular cell phone is roaming

•Each MSC is divided into many location areas (LAs).

•An LA is a group of cells and is useful when the MS is

roaming in a different cell but the same LA.

•LA identifier should contain the country code, the

mobile network code and LA code.
27-08-2024 GSM 34
8/27/2024 GSM 35
 5. International Mobile station
equipment identification (IMSEI)
• Each GSM mobile phone equipment is assigned a 15-bit long international MS
equipment identity number to contain manufacturing information.
• When the mobile phone equipment passes the interoperability tests, it is assigned
a type approval code.
• Since a single mobile unit may not be manufactured at the same place, a field in
IMSEI, called the final assembly code, identifies the final assembly place of the
mobile unit.
• To identify uniquely a unit manufactured, a Serial Number (SN) is assigned.
• A spare digit is available to allow further assignment depending on requirements.
27-08-2024 GSM 36
6. MS roaming Number (MSRN)
 When an MS roams into another MSC, that unit has to be identified based on the
numbering scheme format used in that MSC.
 Hence, the MS is given a temporary roaming number-called the MS Roaming
Number (MSRN), with the format shown in Fig.
 This MSRN is stored by the HLR, and any calls coming to that MS are rerouted to
the cell where the MS is currently located.

27-08-2024 GSM 38
 7. TMSI (Temporary Mobile Subscriber Identity)

 As all transmission is sent through the air interface, there is a constant threat to the
security of information sent. A Temporary Mobile Subscriber Identity (TMSI)is
usually sent in place of IMSEI.

 The TMSI is assigned to an MS by the VLR. The TMSI uniquely identifies an MS

within the area controlled by a given VLR. The maximum number of bits that can
be used for the TMSI is 32.

27-08-2024 GSM 39
 GSM Signaling Protocol Architecture
Figure shows the signaling protocol architecture for communication between the main-hardware
elements of the GSM network architecture and the associated interfaces.

Networking or
Messaging Layer

Data Link Layer (DLL)

Physical Layer

27-08-2024 GSM 40
 Associated Interfaces
1. Air interface ‘Um’: wireless interface, specifies communication between MS &
BTS

2. A-bis Interface: specifies communication between BTS & BSC. The support on
this interface is for voice traffic at 64Kbps and data/signaling traffic at 16 Kbps.
Both types of traffic are carried over LAPD (Link Access Protocol-D)

3. ‘A’ Interface : specifies communication between BSC & MSC.

It uses an SS7 protocol called SCCP (signaling connection control part) which
supports communication between MSC & BSS.
It allows a service provider to use BS and switching equipment made by different
manufacturers.
 GSM Signaling Protocol Architecture

 Several control messages are exchanged between the key entities of GSM network
architecture that deal with radio resources, mobility management, and connection
management.

 The protocol-stack is divided into three layers:

 Layer 1 Physical Layer
 Layer 2 Data Link Layer (DLL)
 Layer 3 Networking or Messaging Layer

8/27/2024 42
 Layer I: Physical Layer
 The physical layer defined in the GSM specifications is for the Um air-interface.

 The radio link carries higher level data inside the TDMA format between the mobile
station and the base transceiver station.

 This layer specifies how the information from different voice and data services are
formatted into packets and sent through the radio channel.

 It specifies the radio modem details, the packaging of a variety of services into the
bits of a packet, traffic structure and control packets.

8/27/2024 43
 Layer I: Physical Layer

 This layer specifies :

 Modulation and coding techniques,
 Power control methodology,
 Time synchronization approaches which enable establishment and maintenance
of the channels

 The physical layer of the A and A-bis interfaces follow the ISDN standard with
64 kbps digital data per voice user.

8/27/2024 44
 Layer II: Data Link Layer
 Signaling and control data are conveyed through Layer II and Layer III
messages.
 At the link layer, a data link control protocol known as LAPDm-Link Access
Protocol-D for mobile.
 LAPD is designed to convert a potentially unreliable physical link into a reliable
data link. It does this by using a cyclic redundancy check to perform error
detection and Automatic Repeat Request (ARQ) to retransmit damaged frames.
 The LAPD protocol is used for the A-bis and A interfaces connecting the BTS to
BSC and BSC to MSC, respectively.

8/27/2024 45
 Layer II: Data Link Layer
 The overall purpose of DLL is to check the flow of packets for Layer III and allow
multiple Service Access Points (SAP) with one physical layer.

 The DLL checks the address and sequence number for Layer III and manages
acknowledgments for transmission of the packets. In addition, the DLL allows two
SAPs for signaling and Short Messages (SMS).

 Signaling packets delivered to the physical layer are each 184 bits, same as that of the
length of the DLL packets in the LAPD protocol used in the ISDN networks.

8/27/2024 46
 Layer II: Data Link Layer
 The address field is optional, and it identifies the SAP, protocol revision type
and nature of the message.
 The control field is also optional, and it holds the type of the frame (command
or response) and the transmitted and received sequence numbers.
 The length indicator identifies the length of the information field.
 Fill in bits are all 1s bits to extend the length to the desired 184bits.

8/27/2024 47
 Layer III: Networking or Signalling Layer

 The networking or signaling layer implements the protocols needed to support the
mechanisms required to establish, maintain and terminate a mobile communication
session.
 It is also responsible for control functions for supplementary and SMS services.
 Layer III defines the details of implementation of messages on the logical channels
encapsulated in DLL frames.
 Among all messages communicated between two elements of the network only a few,
such as DLL acknowledgment, do not carry Layer III information, Information bits of
the Layer II packets specify the operation of a Layer III message.

8/27/2024 48
 Layer III: Networking or Signalling Layer

 The Transaction Identifier (TI) field is used to identify a procedure or protocol that consists of a
sequence of messages. This field allows multiple procedures to operate in parallel.
 The Protocol Discriminator (PD) identifies the category of the operation (management, supplementary
services, call control, and test procedure).
 The Message type (MT) identifies the type of message for a given PD.
 Information Elements(IE)is an optional field for the time that an instruction carries some information that
is specified by an IE Identifier (IEI).
 The number of Layer III messages is much larger than the number of Layer II messages.
8/27/2024 49
 Layer III: Networking or Signalling Layer
GSM standard divides the messages into three sublayers that provide specific functions:
 Radio Resource Management (RRM)
 Mobility Management (MM)
 Communication Management (CM)

Radio Resource Management (RRM)

 The RRM sublayer of Layer III manages the frequency of operation and the quality
of the radio link. Radio resource management establishes and releases connections
between MSs and an MSC and maintains them despite subscriber movements

8/27/2024 50
 Radio Resource Management (RRM)

 The RRM functions are mainly performed by the MS and the BSC.
 The main responsibilities of the RRM are
 To assign the radio channel and hop to new channels in implementation of the slow
frequency-hopping option,
 To manage hand-off procedure and measurement reports from MS for hand off
decision,
 To implement power control procedure, and to adapt to timing advance for
synchronisation.

8/27/2024 51
 Mobility Management (MM)
The major functions of Mobility Management (MM) sublayer are
 Location update,
 Registration procedures,
 Authentication procedure,
 TMSI handling,
 Attachment and detachment procedures for the IMSI.
 This sublayer handles mobility issues that are not directly related to the radio, and
include management of security functions.
 Mobility management functions are handled by the MS/SIM, the MSC/VLR, and
the HLR/AuC.
8/27/2024 52
 Communication Management (CM)
 The Communication Management (CM) sublayer is used to establish, maintain, and
release the circuit switched connection between the calling and called subscribers of
GSM network.
 Specific procedures for the CM sublayer include
 mobile-originated and mobile-terminated,
 call establishment,
 change of transmission mode during the call,
 control of dialling using dual-tones, and call reestablishment.
 In addition to call management it includes supplementary services management and
SMS management.
8/27/2024 53
 Signaling System No. 7(SS7 or C7)

 Common Channel Signaling System No. 7 (i.e., SS7 or C7) is a global standard for
telecommunications defined by the International Telecommunication Union (ITU)
Telecommunication.

 The standard defines the procedures and protocol by which network elements in the
public switched telephone network (PSTN) exchange information over a digital
signaling network to effect wireless (cellular) and wireline call setup, routing and
control.

8/27/2024 54
 GSM Channels
• Uplink Frequency = 890MHz- 915 MHz (Forward)
• Downlink Frequency = 935 MHz- 960 MHz (Reverse)
• The available 25 MHz spectrum is divided into 124 FDM channels
• Each occupy 200 KHz with 100 KHz guard band at two edges of the spectrum.
• The available Forward & reverse frequency bands are divided into 200 KHz wide
channels called ARFCN (Absolute Radio Frequency Channel Numbers)

8/27/2024 57
 GSM Physical channels

When an MS and a BTS communicate, they do so on a specific pair of radio

frequency (RF) carriers, one for the up-link and the other for the down link
transmissions, and within a given time slot. This combination of time slot and
carrier frequency(ARFCN) forms is termed a physical channel .

One RF channel will support eight physical channels in time slots zero through
seven.

8/27/2024 58
 GSM Logical channels
• Logical channels are set of instructions and ports to instruct different elements of
cellular network to perform their specified duties.

• Each physical channel is mapped into different logical channels at different times.

• Each specific time slot or frame may be dedicated to either handling

 traffic data (user data such as speech, facsimile or teletext data)

signaling data or control channel data (from MSC, BS or MS)

• Logical channel use a physical TDMA slot or a portion of a physical slot to specify an
operation in the network in GSM.

• GSM uses variety of multiplexing techniques to create a collection of logical channels.

 GSM Logical Channels

8/27/2024 61
 GSM Logical Channels
Channel Types:

Traffic channels (TCHs)

The traffic channels are intended to carry encoded speech or user data.

Control Channels (CCHs)

The control channels are intended to carry signaling and Synchronization data between
the base station and the Mobile station. Logical are used by the system and the MS for
different purposes

8/27/2024 62
 GSM Traffic Channels

Traffic Channels
•Traffic channels are intended to carry encoded speech and user data.
-Full rate traffic channels at a net bit rate of 22.8 Kb/s (TCH/F)
-Half rate traffic channels at a net bit rate of 11.4 Kb/s (TCH/H)
Speech Channels
Speech channels are defined for both full rate and half rate traffic channels.
Data Channels
Data channels support a variety of data rates (2.4, 4.8 and 9.6 Kb/s) on both half and full
rate traffic channels. The 9.6 Kb/s data rate is only for full rate application
8/27/2024 63
 GSM Logical Channels
Control channels carry signaling information between an MS and a BTS.

There are several forms of control channels in GSM, and they can generally be divided
into three categories according to the manner in which they are supported on the radio
interface and the type of signaling information they carry.
1. Broadcast control channel
2. Common control channel
3. Dedicated control channel

8/27/2024 64
 Broadcast control channel(BCH)
Broadcast control channels are transmitted in downlink direction only i.e. only
transmitted by BTS. They are used to broadcast synchronization and general network
information to all the MSs within a cell. Such as Location Area Identity (LAI) and
maximum output power.

It has three types

1. FCCH (Frequency Correction Channel)
2. SCH (Synchronization Channel)
3 BCCH (Broadcast Control Channel)
8/27/2024 65
 Broadcast control channel(BCH)
1.FCCH ( Frequency Correction Channel)
Used for the frequency correction / synchronization of a mobile station.

The repeated (every 10 sec) transmission of Freq Bursts is called FCCH.

This serves two purposes;
 To make sure this is the BCCH-carrier,
 To allow the MS to synchronize to the frequency.

 FCCH is transmitted on the downlink, point-to-multipoint.

8/27/2024 66
 Broadcast control channel(BCH)
2. SCH (Synchronization Channel )
Allows the mobile station to synchronize time wise with the BTS.

Repeated broadcast (every 10 frames) of Synchronization Bursts is called (SCH)

The MS receives the TDMA frame number and also the Base Station Identity
Code(BSIC), of the chosen base station. BSIC can only be decoded if the base
station belongs to the GSM network.

 SCH is transmitted on the downlink, point to multipoint as Synchronization

Burst

8/27/2024 67
 3. BCCH (broadcast control channel)
 It is used to broadcast control information to every MS within a cell, downlink, point-to-
multipoint. Use normal burst.
 This information includes details of the control channel configuration used at the BTS, a
list of the BCCH carrier frequencies used at the neighboring BTSs and a number of
parameters that are used by the MS when accessing the BTS.
 Broadcast Control channel, BCCH include the Location Area Identity (LAI), maximum
output power allowed in the cell .
 Now the MS is tuned to a base station and synchronized with the frame structure in this cell.
 The base stations are not synchronized to each other, so every time the MS decides to camp on
another cell, its FCCH, SCH and BCCH have to be read.

8/27/2024 68
 Common Control Channels(CCCH)
 The common control channels are used by an MS during the paging and access
procedures.
 Common control channels are of three types:
1. PCH (Paging Channel)
2. RACH (Random Access Channel)
3. AGCH (Access Granted Channel)

8/27/2024 69
 1. PCH (Paging Channel)
Within certain time intervals the MS will listen to the Paging channel, PCH, to see
if the network wants to get in contact with the MS. The reason could be an
incoming call or an incoming Short Message.

The information on PCH is a paging message, including the MS’s identity

number (IMSI) or a temporary number (TMSI).

PCH is transmitted on the downlink, point-to-point.

Use normal burst.

8/27/2024 70
 2.RACH (Random Access Channel)
If listening to the PCH, the MS will realize it is being paged. The MS answers,
requesting a signalling channel, on the Random Access channel, RACH.

RACH can also be used if the MS wants to get in contact with the network, e.g.
when setting up a mobile originated call. RACH is transmitted on the uplink, It is
termed ‘random’ because there is no mechanism to ensure that no more than one MS
transmits in each RACH time slot and there is a finite probability that two mobiles
could attempt to access the same RACH at the point at the same time.
Use Access Burst.

8/27/2024 71
 3. AGCH (Access Granted Channel)
The access grant channel (AGCH) is carried data which instructs the mobile to
operate in a particular physical channel (Time slot or ARFCN).

The AGCH is used by the network to grant, or deny, an MS access to the

network by supplying it with details of a dedicated channel, i.e. TCH or SDCCH, to
be used for subsequent communications. The AGCH is a down-link only channel.

 Use normal burst.

8/27/2024 72
 Dedicated Control Channels
 Signaling information is carried between an MS and a BTS using associated and
dedicated control channels during or not during a call.
 They are of three types.
1. SACCH (Slow Associated Control Channel)
2. FACCH (Fast Associated Control Channel)
3. SDCCH (Stand Alone Dedicated Control Channel)

8/27/2024 73
 1. SACCH (Slow Associated Control Channel)
Non-urgent information, e.g. transmitter power control
On the uplink MS sends averaged measurements on own base station (signal strength
and quality) and neighboring base stations (signal strength)
It is transmitted at 13 Frame of TCH. As seen, SACCH is transmitted on both up- and
downlink, point-to-point.
This channel is always present when a dedicated link is active between the MS and
BTS, and it occupies one timeslot in every 26.
 SACCH messages may be sent once every 480ms, i.e. approximately every 2 s.
Use normal burst.

8/27/2024 74
 2. FACCH (Fast Associated Control Channel)

More urgent information, e.g. a handover command, is sent using time slots that
are ‘stolen’ from the traffic channel.

FACCH works in stealing mode, meaning that one 20 ms segment of speech is

exchanged for signalling information necessary for the Handover. This channel is
known as the fast associated control channel (FACCH)because of its ability to transfer
information between the BTS and MS more quickly than the SACCH.

Use normal burst.

8/27/2024 75
 3. SDCCH (Stand Alone Dedicated Control Channel)
It is a two-way channel allocated with SACCH to each mobile terminal to transfer network control
and signaling information for call establishment and mobility management. just before a TCH
assignment is issued by the base station.

The SDCCH ensures that the mobile station and the base station remain connected while the base
station and MSC verify the subscriber unit and allocate resources for the mobile

 The SDCCH is used to send authentication and alert messages (but not speech) as the mobile
synchronizes itself with the frame structure and waits for a TCH.

The channel is termed ‘stand-alone’ because it may exist independently of any TCH.
SDCCH is transmitted on both up- and downlink, point-to-point.
Use normal burst
8/27/2024 76
 Channel Mapping
1. When the MS is turned on it will listen to the FCCH in order to sync to the carrier
frequency
2. Then the MS listen to the SCH to get info on the TDMA frame structure
3. The MS will then listen to the BCCH to get info such as location area, Max allowed
O/P power & neighboring cells
4.The MS will periodically listen to the PCH to determine if someone is trying to call it.
5. If the MS hears a page it will use the RACH to ask for access to the system in order
to respond to the incoming call

8/27/2024 77
 Channel Mapping
6. The system will give access using the AGCH
7. The system uses the AGCH to tell the MS which SDCCH to use for complete the
Call Setup .
8.When the MS gets the SDCCH, it also gets a SACCH which the system uses to
regulates the O/P power of the MS & gives it timing advance info .
9.The MS is given a TCH to use by the SDCCH. The MS tunes to it during the call.
10. During a call if a handover is required to a neighboring cell, the FACCH will be
used to exchange the necessary info.

8/27/2024 78
 Frame Structure For GSM

Frequency Band of Operation: is around 900 MHz

Number Of Logical Channels or Number of Time Slots in TDMA Frame : 8
Channel Bandwidth : should not exceed 200kHz.
Maximum Cell Radius (R) :maximum cell radius be 35 km.
Maximum Vehicle Speed (Vm): 250 km/h.
Maximum Delay Spread (∆m) :10 seconds.
Maximum Coding Delay : approximately 20 milliseconds.

8/27/2024 79
 Frame Structure For GSM
12Kbpsx20ms 240bitsx2 480bits+2x4=488bits

8/27/2024 80
 Frame Structure For GSM
 In the design of time slot of a TDMA frame, an appropriate data rate of the speech
coder should be decided first.
 It is desirable that the speech coder must provide satisfactory speech quality at
minimum data rate.
 The PCM speech coder has a data rate of 64 kbps, which is undesirably high for use
with wireless systems.
 A data rate of 12 kbps is reasonable for reproducing good-quality speech. Since the
coding delay is restricted to 20 milliseconds, the encoded speech can be formed into
blocks of 20 ms duration.
 This converts the speech samples of 12 kbps × 20 ms = 240 bits.
27-08-2024 GSM 81
 Frame Structure For GSM

 Error correction can then be applied to the 240-bit blocks.

 Using a convolutional error-correcting technique with a code rate , the
number of bits in a block of 20-ms speech at 12 kbps rate increases to (2
× 240 bits =) 480-bits.
 With a constraint length of 5, 4 bits per block of 240 bits are added to
account for the length of the shift register.
 This brings the speech block length to 480 + 2 × 4 = 488 bits.

27-08-2024 GSM 82
 Frame Structure For GSM

The minimum bit rate for all eight channel TDMA system can be computed
as follows:
Number of bits in one channel = 488 bits
Number of channels or time slots = 8
Total number of bits in 8 time slots = 488 bits x 8 = 3904 bits
Duration of one speech block = 20ms
Overall minimum channel bit rate=3904bits/20ms= 195.2kbps

8/27/2024 83
 Frame Structure For GSM
Maximum transmission duration (one-way) = (c/20)/Vm
Maximum transmission duration(one-way)= (0.333m/20)/250km/h
Maximum transmission duration (one-way) = 0.24 ms
Maximum transmission duration (two-way)= 2 x 0.24= 0.48 ms
Duration for data transmission in a time slot, Td == 0.48 ms

8/27/2024 84
 Frame Structure For GSM
The guard time can be computed as follows.
Let the average duration of the voice call = 120 seconds
Maximum vehicle speed of the mobile = 250 km/h
Therefore, the radial distance a mobile moving toward or away from the base station
located at the center of the cell = (250 km/h) x (120s) = 8333 m
The change in propagation delay = 8333 m/(3 x108 m/s)= 0.03 ms
or, Required duration for guard interval, Tg = 0.03 ms
Time needed for training sequence in the time slot = 6*m = 6*0.01ms = Tts = 0.06ms

8/27/2024 85
 Frame Structure For GSM
Maximum time duration of a time slot, Ts = Td+ Tts + Tg
Maximum time duration of a time slot, Ts=0.48ms+ 0.06 ms +0.03ms
Maximum time duration of a time slot, T= 0.57ms
Number of time sots in a TDMA frame = 8
Duration of a TDMA frame = 8 x 0.57ms = 4.6ms

 This is a tentative design of a time slot indicating 2 blocks of data before and after the
training sequence and guard time.
 This is quite close to actual design of a TDMA time slot and frame structure used in
GSM.
8/27/2024 86
 GSM basic Frame structure

• TB :Trail Bits:3 bits at the start and at the end excluding Guard bits
• Coded/Encrypted Data : two 57 bits data fields i.e.114 cipher text bits
• Stealing Bit : 1 bit each at the end of two 57 bit data field. It indicate whether this block
contains data or stolen (for urgent control signaling)
• Training Data : 26 bits, known bit pattern that differs for different adjacent cells. Used
for multipath equalization to extract the desired signal from unwanted reflections.
• Guard Bits: 8.25 bits, used to avoid overlapping with other bursts due to different path
delays.
 Frame Structure For GSM

8/27/2024 88
GSM Hyperframe format
Simplified Hyperframe Format
 Frame Structure For GSM

8/27/2024 91
GSM Frame Hierarchy
https://www.youtube.com/watch?v=VYZCzWS7AV4
 Burst in GSM
The information contained in one time slot on the TDMA frame is call a burst.
Five types of burst

Normal Burst (NB)

Frequency Correction Burst (FB)
Synchronization Burst (SB)
Access Burst (AB)
Dummy Burst

8/27/2024 93
 Security in GSM
• Security is implemented to prevent unauthorized use of the mobile
subscriber number over the air.
• The voice conversations need to encrypted using secrecy algorithm in GSM.
• Authentication is done with the help of a pre- defined protocol that is used to
compare IMSI of MS reliably.
• A unique secret key (128 bits) is stored in SIM card.
• It uses 3 algorithms
1. A3 – for Authentication (verify users password within SIM)
2. A5 – for confidentiality (it scramble coded data)
3. A8 – generate privacy key that used to encrypt voice or data messages.
GSM - authentication
GSM - key generation and encryption
 GSM handoff
• Cellular systems must be able to provide the capability to handoff calls in
progress from one channel to another.

• Handoff of calls already in progress from one channel to another may be

invoked for one of the following reasons.

To avoid dropped calls when the subscriber crosses the boundary of one
cell and moves into neighboring cell.

To improve the global interference level.

To improve load balancing between adjacent cells.

8/27/2024 122
 GSM Handoff Procedures
Intracell-cum-
intra–BTS
Inter BSC Inter MSC
Intercell
cum Intra cum Intra
BSC MSC
 GSM handoff

8/27/2024 124
 GSM Handoff Procedures
(a) Intracell-Cum-intra-BTS Hand-off : This type of hand off is necessary when high
interference occurs during the call .The channel for the connection is changed within
the cell by moving to another frequency of the same cell or to another time slot of the
same frequency. The hand-off process is initiated by the base station.

(b) Intercell-Cum, lntra-BSC Hand-off : In this type of hand-off, the change is in the
radio channel between two cells that are served by the same BSC. Initially, the hand-
off request is initiated by the serving BSS to the MSC. The MSC transmits the hand-off
request to the destination BSS.

8/27/2024 125
 GSM Handoff Procedures

(c)Inter-BSC-Cum-Intra-MSC Hand-off : A call connection is changed between two

cells that are served by different BSCs but operate in the same MSC. When the
measured value of the received signal strength at the mobile subscriber is lower than the
threshold value, it informs the serving BSC which initiates the hand-off command to the
MSC of that area.

(d) Inter-MSC Hand-off : A connection is changed between two cells that are in
different MSCs. This situation occurs in case of roaming.

8/27/2024 126
 GSM Handoff Procedures

8/27/2024 127
 GSM Handoff Procedures 1. BSC A informs MSC A that MS needs handover from BTS

A to BTS B.

2. MSC A informs MSC B that a handover from BTS A to

BTS B is underway.

3. MSC A commands BSC A/BTS A to proceed with

handover to BTS B.

4. BTS A commands MS to change to a specified channel on

BTS B.

5. MS informs BTS B that it is on specified channel on BTS

B.
Note: MSC A continues to maintain
6. BTS B informs BSC A/MSC A that handover is complete.
control of call routing and connection
7. MSC B informs MSC A that handover to BTS B is

complete.
8/27/2024 128
 Power Classes in GSM
There are three major classes of mobile phones:
 Vehicle mounted, mobile phones use the car battery,
 Portable, mobile phones use larger rechargeable batteries
 Handheld mobile phones use low capacity smaller rechargeable batteries.
 There are five power classes for the mobile phones from +29dBm (0.8 W) up to
+44dBm (20 W) with a 4-dB separation between consecutive mobile classes.
 There are eight classes for the BTS radiated power ranging from +34 dBm (2.5 W)
up to +55dBm (320 W)in 3-dB steps.

8/27/2024 133
 Power Classes in GSM

8/27/2024 134