GSM Study Guide
Other GSM Technology
- Frequency Reuse
- Cell Selectors
- Cell Sizes
IMSI Attach/Detach Operation
- IMSI Detach operation is the action taken by an MS to indicate to the Network that the station has entered an inactive state, i.e. the station is powered down.
- IMSI Attach operation is the action taken by an MS to indicate that the station has re-entered an active state, i.e. the station is powered up.
GSM single times slot duration
.577 microseconds
GSM Channel Bandwidth
200 kHz each. Each of these channels continuously transmits eight time slots. The duration of each time slot is .577 microseconds. A group of eight time slots is known as a GSM frame and lasts 4.615 milliseconds.
BSIC Base Station Identity Code
A BSIC consists of a Base Station Color Code and a Network Color Code.
- Network Color Code (0-7) - consists of 3 bits, which are used to differentiate between operators utilizing the same frequencies.
- Base Station Color Code (0-7) - consists of 3 bits, which are used to differentiate between cells utilizing the same frequency.
GSM Channel
A GSM channel has a bandwidth of 200 kHz and continuously transmits 8 time slots.
GSM Frame
A GSM frame is a group of 8 time slots and lasts 4.615 milliseconds.
Physical Channels
A GSM physical channel consists of a pair of frequencies. One frequency carries information from the tower to the MS, and is called the downlink. The other frequency carries information from the MS to the tower, and is called the uplink. These frequencies paired together are referred to as the Absolute Radio Frequency Channel Number (ARFCN). This frequency pair is separated by a space referred to as a duplex offset, or simply an offset, which is defined in MHz.
Slow Associated Control Channel (SACCH)
A SACCH is always assigned and used with a TCH or an SDCCH. The SACCH carries information for the optimal radio operation, such as commands for synchronization, transmitter power control, timing advance, receive level quality, and reports on channel measurements.
TMSI (Temporary Mobile Subscriber Identity)
A TMSI is a temporary number assigned to a user. The purpose of a TMSI is to hide an IMSI and increase subscriber confidentiality on a given network. This number is assigned by the Visitor Location Register (VLR), and is only valid for a set time period in a specific location. The TMSI is 32 bits in length and is expressed in hexadecimal.
CID (Cell Identity)
A Cell Identity is a number that identifies a specific BTS within a base station subsystem. It is a fixed length of two octets (16 bits) and can be coded using a full hexadecimal. Sometimes the trailing or leading digit can indicate the panel number on a cell tower. Example 5475 5475 = Cell 2 = Panel
Location Area
A location area is a geographical area serviced by a single VLR. A LAC can be made up of hundreds of BTSs, controlled by a single BSC. The network will page the entire LAC when there is traffic for a particular mobile handset within the system. A MS is required to perform an update with the network when it moves into a new LAC, so the network can know where to page the MS when there is a call or a SMS.
Track IMEIs
A network operator may use the EIR to track IMEIs in the following manner:
- Three registers are defined, known as "white lists", "grey lists", and "black lists".
- The use of such lists is at the operator's discretion.
- The white list is composed of all number series of equipment identities that are permitted for use.
- The black list contains all equipment identities that belong to equipment that needs to be barred.
- Besides the black and white lists, the network administrators may create a grey list. Equipment on this list is not barred unless on the black list or not on the white list, but is tracked by the network (for evaluation purposes).
GSM Physical Channel
A pair of frequencies, the uplink and the downlink. Paired together, they are referred to as the Absolute Radio Frequency Channel Number (ARFCN). They have an offset defined in MHz.
SIM (Subscriber Identity Module) card
A small card that is paired with mobile equipment and is used to identify a subscriber on a network. It is identified by its IMSI and it may contain the following mobile subscriber related info: authentication and encryption keys, IMSI, MSISDN, subscriber access control class, PIN/PUK, Inter-PLMN roaming allowed/not, the user's phone book, last known Location Area Code (LAC), last 10 numbers in the subscriber's call log, SMS messages.
IMEI (International Mobile Equipment Identity)
An IMEI is a number that identifies a handset within a GSM Network. It consists of 15 digits; however, the last digit is a check digit and is not transmitted over the network. Furthermore, an IMEI is only transmitted on the uplink, after it has been requested by the network. It can be located underneath the battery or by dialing *#06# on the handset. The first eight digits of the IMEI are known as the type allocation code (TAC). The TAC is used to identify the make and model of the phone.
IMSI (International Mobile Subscriber Identity)
An IMSI is a 15 digit number that identifies a subscriber in a GSM Network. The IMSI is permanent and composed of three parts, MCC, MNC, and MSIN.
Barred LAs and Access Control
An MS in idle mode will not re-select to a cell that is restricted by the cell bar access parameter. Due to problems in certain areas, network operators may decide to restrict access. When cell bar access is set to 1, MSs will not attempt to register with the cell. The cell bar access value is found on the BCCH.
Cell Selection and Reselection
An MS in idle mode must periodically measure the receive level of the BTS. Based on these measurements, the MS selects the cell with the best reception. This is called camping on a cell. In this state, accessing a service becomes possible and the MS listens periodically to the PCH. The cell selection equation uses the average receive level of the BTS (RXLEV AVERAGE) along with two other threshold values which are broadcast on the BCCH:
- The minimum received power level: this is the minimum level at which an MS must hear the BTS before it can attempt to register.
- The maximum transmitter power allowed on a Control Channel (RACH) before having received the first power control command.
MSC (mobile switching center)
An Integrated Services Digital Network (ISDN) switch that can handle mobile handsets, controls 5-10 BSCs and is considered the brains of the GSM Network.
1G (1980's)
Analog cellular networks. Nippon Telephone and Telegraph (NTT), Japan. Nordic Mobile Telephone System (NMT), Europe and Asia, 450 MHz. Advanced Mobile Phone Systems (AMPS), USA, Australia, Asia, Africa. Total Access Communications (TAC), Europe, 900 MHz.
BSS (Base Station Subsystem)
BSC, BTS
Fast Associated Control Channel (FACCH)
By using dynamic preemptive multiplexing on a TCH, additional bandwidth can be made available for signaling. The signaling channel created this way is called the FACCH, and it handles such things as High Priority Messaging, Call Waiting, SMS and Handovers of an MS from one BTS to another. It is only assigned in connection with a TCH, and its short-time usage comes at the expense of the user data transport.
C1 formula
C1 = (RXLEV AVERAGE - RXLEV_ACCESS_MIN) - maximum(0, (MS_TXPWR_MAX_CCH - P))
Common GSM Bands
CONUS US - 850 MHz and 1900 MHz. Europe and OCONUS - 900 MHz and 1800 MHz are common. In rural areas occasionally the 450 MHz band will be used.
CRO - Cell Reselection Offset
CRO is a value a network assigns to a particular BTS to artificially increase the chances of a handset reselecting to a particular cell. CRO is measured between 0 and 126 dBm, but is expressed in increments of two, which produces a value from 0 to 63.
MCC (Mobile Country Code)
Consists of three digits; uniquely identifies the country of the mobile subscriber.
MNC (Mobile Network Code)
Consists of two digits. Identifies the home GSM Network of the mobile subscriber.
BSC (Base Station Controller)
Controls up to several hundred Base Transceiver Stations.
T =
Countdown timer current value
Dedicated Control Channels (DCCH)
DCCHs are point to point signaling channels between the BTS and the MS. An Associated Control Channel (ACCH) is also a Dedicated Control Channel, but it is assigned only in connection with a Traffic Channel (TCH) or an SDCCH. The group of Dedicated/Associated Control Channels (D/ACCH) is made up of the following:
- Stand alone Dedicated Control Channel (SDCCH)
- Slow Associated Control Channel (SACCH)
- Fast Associated Control Channel (FACCH)
- Traffic Channel (TCH)
AuC (Authentication Center)
Database that stores authentication keys for subscribers on a network
EIR (Equipment Identity Register)
Database that stores information on mobile equipment in a system.
2G (1990's)
Digital cellular networks: IS-54/136 (TDMA), IS-95 A/B (CDMA/One), GSM (FDMA/TDMA)
GSM Channel Capacity
Each GSM Channel is capable of providing service to a maximum of seven full rate subscribers.
BSIC (Base Station Identity Code)
Each cell is allocated a BSIC which is broadcast on the Synchronization Channel (SCH). This BSIC is used by the mobile station to avoid interference (co-channel interference, i.e. same frequency), which can arise when a mobile station in a given position receives two base transceiver stations transmitting on the same frequency.
EDGE
Enhanced Data Rates for GSM Evolution
PLMN (Public Land Mobile Network)
Entire area of service offered by a service provider.
ETSI
European Telecommunications Standards Institute
Types of schemes and modulation
- FDMA - Frequency Division Multiple Access
- TDMA - Time Division Multiple Access
- GSM Modulation - Global System for Mobile Communications
Wattage to Decibel Conversion
Follow the rules of 3's and 10's and always start with the baseline of 1 watt = 30 dBm. For every instance you add 3 to the dB, multiply the wattage by 2. If you subtract 3, divide by 2 instead. For every instance that you add 10 to the dB, multiply the wattage by 10; if you subtract 10, divide instead of multiplying.
TDMA (Time Division Multiple Access)
GSM employs a combination of FDMA and TDMA. The available frequency range is divided into channels with a bandwidth of 200 kHz each. Each of these channels continuously transmits 8 time slots. The duration of a single time slot is .577 microseconds. A group of eight time slots is known as a GSM frame and lasts 4.615 milliseconds.
GSM Modulation
GSM uses Gaussian Minimum Shift Keying (GMSK) as its form of modulation. Modulation is the process of changing the amplitude, frequency, or phase of a radio frequency carrier signal in accordance with the information signal.
GPRS
General Packet Radio Service; a 2G standard for cellular transmissions.
GSM
Global System for Mobile Communications
GSM Components
- IMSI (MCC, MNC, MSIN)
- SIM (authentication and encryption keys, IMSI, MSISDN, subscriber access control class, PIN/PUK, Inter-PLMN roaming allowed/not, the user's phone book, last known Location Area Code (LAC), last 10 numbers in the subscriber's call log, SMS messages)
- TMSI (Temporary Mobile Subscriber Identity)
- IMEI (International Mobile Equipment Identity)
Cell Reselection Hysteresis (CRH)
If the mobile subscriber (MS) is moving in a border area between location areas (LA), it might repeatedly change between cells of different LAs. Each change of LA would require a location update (LU), which would cause a heavy signaling load and increase the risk of a paging message being lost. To prevent this, a CRH parameter is used. A cell in a different LA is only selected if it can beat the cell currently being camped on by the CRH value in decibels for at least 5 seconds and upon completing the C2 calculation. CRH is applied to the serving cell to prevent the MS from re-selecting to a neighbor cell.
Cell selection and reselection 2
In an effort to increase efficiencies in cell planning, an additional value known as C2 may be used to determine re-selection criteria. Network planners may incorporate timers or offsets to balance potential users in an attempt to increase frequency. These are further defined as cell reselection offset, or penalty time. The equation is C2 = C1 + CRO - (Temporary Offset * H)
C1
In consideration of the maximum transmitter power of a mobile station, the path loss criterion C1 is now defined using the minimal threshold for the network access and the maximum allowed transmitter power. This is calculated at the MS.
Frequency Reuse
In order to be able to provide service to multiple subscribers while faced with limited bandwidth, frequencies must be spatially reused. With well thought out planning, telecommunication companies can reuse the same frequency multiple times as long as it is far enough away that it does not interfere with another cell on the same frequency.
The numerical value of the Cell Reselection Hysteresis
Is 0-7, where zero indicates that there is no CRH applied. For each increase in value up to seven the decibel increases by two.
- CRH 0 = 0 dB
- CRH 1 = 2 dB
- CRH 2 = 4 dB
H = (penalty time - T)
Is a value from 0 to 31, measured in increments of 20. Penalty time ranges from 20 to 620. A penalty time value of 31 is reserved to indicate that the cell re-selection offset is subtracted from C2 and the temporary offset is ignored.
MSIN (Mobile Subscriber Identification Number)
Is the remaining 9 digits of the IMSI and is a number assigned by the service provider to that SIM card.
4G (Broadband Data)
LTE / LTE-A, WiMAX
Location Management
Location management refers to the network keeping track of where an MS is located in the system area. The location information for each MS is stored in functional units called location registers. Functionally, there are two types of location registers:
- HLR (Home Location Register)
- VLR (Visitor Location Register)
Logical Channels
Logical channels are bursts of specific information which are critical for an MS to gain access to and maintain connectivity as it moves within the GSM Network. Logical Channels are concerned with the information being transmitted, while a physical channel refers to the actual frequency the information is transmitted on. Logical Channels are mapped on a 200 kHz wide channel and made to fit into one of the GSM TDMA time slots. There are (8) time slots within a GSM TDMA frame and these time slots are numbered 0-7. Each GSM channel is capable of providing service to a maximum of seven full rate subscribers.
GSM TDMA Time Slots
Logical channels are mapped on a 200 kHz wide channel and fit one GSM TDMA time slot. There are 8 time slots within a GSM TDMA frame and they are numbered 0-7.
NSS (Network Switching Subsystem)
MSC, VLR, HLR, AuC, EIR, GMSC
Cell Sizes
- Macro - Cells where the antenna is installed on a mast or larger building structure that is taller than the average rooftop level. These generally cover an area up to 25 km.
- Micro - These cells are usually found around rooftop level in urban areas. They generally provide 200-1000 m worth of coverage.
- PICO - These are small, specialized cells whose diameter is only a few dozen meters; they are used mainly for indoor applications. They can cover a floor of a building or an entire building.
- Umbrella - An umbrella cell provides coverage that overlaps other smaller macro, micro or PICO cells.
BTS (Base Transceiver Station)
Maximum theoretical coverage area is approximately 35 km. Includes transmit and receive antennas mounted on a tower or building.
TDMA (Time Division Multiple Access)
Multiple mobile stations share the same frequency but are separated in time. Each user is assigned their own time slot and they all take turns transmitting and receiving. These time slots are only fractions of a second in duration, so the exchange happens so quickly that users cannot tell they are sharing the frequency with other users.
Cell selection and reselection 1
Once an MS is camping on a cell and is in idle mode, it will continue to monitor all neighboring cells whose frequencies are broadcast on the serving BCCH (known as the BA list). Once an MS is in an active state (being assigned a TCH and in an active phone call), the MS monitors only the six strongest neighboring BCCH carriers, which are known as the neighbors list.
Penalty Time
Penalty time is used to reduce unnecessary signaling in a network by keeping high-speed mobiles from camping on small cells intended for stationary users. An example is a highway next to a busy shopping mall.
HLR (Home Location Register)
Permanent information of a subscriber is stored here. The HLR also knows the general area of an MS within a network. Below is a list of subscriber information found in the HLR.
- Subscriber and Subscription Data
- IMSI
- MSISDN
- Service subscriptions
- Service restrictions (Roaming)
- Information on the subscriber equipment (if available)
- Authentication Data (subject to implementation)
- Tracking and Routing Information
- Mobile Station Roaming Number
- Current VLR address
- Current MSC address
HLR (Home Location Register)
Permanent storage database for subscriber data, one per Network (PLMN).
BCH (Broadcast Channels)
Point to multi-point. BCHs are used by the Base Station to broadcast the same information to all Mobile Stations in a cell.
- Broadcast Control Channel (BCCH)
- Frequency Correction Channel (FCCH)
- Synchronization Channel (SCH)
[Figure: Basic GSM Network Diagram]
VLR (Visitor Location Register)
Temporary storage database for subscriber data, normally co-located with the MSC.
BCCH (Broadcast Control Channel)
The BCCH is a logical channel on the air interface used to broadcast basic parameters for how an MS must operate within the network. It includes identification information such as the LAI and CID. It also provides information on neighboring cells (known as the Base Station allocation list or BA list), synchronization information, registration timers and additional information for available services on the network. The BCCH is found on time slot zero.
Common Control Channel (CCCH)
The CCCH is a point to multi-point signaling channel that deals with access management functions. This includes the assignment of dedicated channels and paging to localize an MS.
- Random Access Channel (RACH)
- Access Grant Channel (AGCH)
- Paging Channel (PCH)
CGI (Cell Global Identification)
The Cell Global Identification is the joining of the Location Area Identification and Cell Identity.
FCCH (Frequency Correction Channel)
The FCCH is a beacon channel with information about correction of the transmission frequency.
Location Update Reject Code/Cause Codes
The Location Update Reject messages are used to turn a handset away from the network in the Mobility Management Layer. There are many reasons why a network would reject a handset. Below is a list of common reject/cause codes:
- 000 - No Error
- 002 - IMSI unknown in HLR
- 003 - Illegal MS
- 004 - IMSI unknown in VLR
- 005 - IMEI not accepted
- 006 - Illegal ME
- 011 - PLMN not allowed
- 012 - Location area not allowed
- 013 - Roaming not allowed in this location area
MSISDN (Mobile Station Integrated Services Digital Network Number)
The MSISDN is the permanent dialed phone number, which can be 10-14 digits long but is generally 10-12. It is possible to have more than one MSISDN associated with a single GSM SIM card. The MSISDN consists of the Country Code (CC), National Destination Code (NDC), and Subscriber Number (SN).
MSRN (Mobile Station Roaming Number)
The MSRN is a temporary number used to route calls directed to a mobile station. The MSRN shall have the same structure as an International ISDN in the area in which the roaming number is allocated.
Synchronization Channel (SCH)
The SCH broadcasts information to identify a BTS, i.e. BSIC. The SCH also broadcasts data for the frame synchronization. The FCCH and SCH are always broadcast together with the BCCH.
VLR (Visitor Location Register)
The VLR is a database that stores information of subscribers within a specific geographical location in a network. The VLR for a given area is usually co-located with the MSC. It is also responsible for assigning temporary identifiers known as TMSIs to users within its domain. Below is a list of information that can be found at the VLR.
- Subscriber and Subscription Data
- IMSI
- MSISDN
- Parameters for supplementary services
- Information on the subscriber's equipment (if available)
- Authentication Data (subject to implementation)
- Tracking and Routing information
- MSRN
- TMSI
- LAI or LA where the MS was registered, used for call paging and setup
FDMA (Frequency Division Multiple Access)
The allocated frequency band is divided into channels of fixed bandwidth such that traffic is carried on its own frequency.
Cell Sectors 2
The area covered by a single BTS is generally referred to as the cell. Each cell has its own ARFCN, which contains two frequencies, an uplink and a downlink. Rather than having to refer to both the uplink and the downlink, the ARFCN simplifies it by allowing reference by one number.
Note
The first 5-6 digits of the IMSI, the MCC and the MNC, make up the PLMN.
TAC (Type Allocation Code)
The first eight digits of the IMEI are known as the type allocation code (TAC). The TAC is used to identify the make and model of the phone.
Traffic Channel (TCH)
The TCH is used for the actual point to point sending and receiving of messages in the form of voice or data communications. They are a combination of voice and data signals existing within the communication channel.
Stand alone dedicated control channel (SDCCH)
This is a dedicated point to point signaling channel found on time slot one that is not tied to the existence of a TCH (i.e. it is used for signaling between an MS and the BSS when there is no active connection). The SDCCH is requested from the MS via a RACH and assigned via an AGCH. After the completion of the signaling transaction, the SDCCH is released and can be reassigned.
Temporary Offset
This is a value from 0 to 7 representing values 0 to 60 dBm in increments of 10. Seven is an infinite value. The temporary offset is then subtracted from the results until the penalty timer expires.
Paging Channel (PCH)
This is part of the downlink of the Common Control Channel (CCCH). It is used for paging to find a specific MS. It notifies the MS of mobile terminated (incoming) calls or SMS messages.
Access Grant Channel (AGCH)
This is the downlink part of the Common Control Channel (CCCH). The network uses this channel to allocate resources to a particular MS to set up a transaction (voice or data). It is used to assign an SDCCH or a TCH to a MS.
Random Access Channel (RACH)
This is the uplink portion of the Common Control Channel (CCCH). When a mobile station wants to access the network to place a call or send a message, it uses a RACH to request a dedicated signaling channel for exclusive use.
Location Cancellation Procedure
This is used by the HLR to remove a mobile station from the losing VLR, such as when an MS has a LAC change. The procedure will normally be used when the MS has moved to an area controlled by a different location register.
Location Updating
This procedure is executed if the MS recognizes that it is in a new location area, which leads to updating the location information in the HLR record and the MS receiving an updated TMSI, LAI, and a location update message. Alternatively, the location update can also occur periodically, independent of the current location. For this purpose, a time interval value is broadcast on the BCCH, which prescribes the time between location updates. This time value is known as the T3212 timer. The main objective of this location update is to know the current location for incoming calls or short messages, so that the call or message can be directed to the current location of the MS. The difference between the location update procedure and the location registration procedure is that in the first case the MS has already been assigned a TMSI.
Location Updating
Three instances of a location update:
1. Initial Registration - IMSI Attach/Detach
2. T3212 Timer (Periodic) - 0-255 deci-hours, six minute increments each deci-hour. A value of 0 means there are no periodic updates on the network.
3. Different Location Area - crossing into a new LAC.
Cell Sectors
Traffic capacity per area is determined by the cell radius. Therefore, given a fixed amount of resources, capacity can be enhanced by creating smaller cell sizes. This can be done by purchasing more base stations or by using the preferred method of dividing a coverage area into three sectors of 120 degrees or six sectors of 60 degrees, each of which is supported by a directional antenna.
3G (Digital / HS Data) Developed 2000's
UMTS; WCDMA; CDMA2000 (1xRTT; EV-DO); HSDPA; HSUPA; HSPA+
Handover procedure
When an MS is in an active state (in a phone call) and mobile, it may switch from receiving services from one BTS to another. A handover in GSM is a break before make process. This means that the MS must break the connection with its serving BTS before the link can be established with the next BTS. The handover procedure is always initiated by the network.
Mobile Registration
When an MS unit is first powered on, it initially looks at the SIM for a preferred Control Channel list. If there is no list, the MS scans for available Control Channels and uses the Frequency Correction Channel to identify the strongest one. The MS will synchronize with the BTS using the SCH. The MS will then decode the PLMN and compare it to its preferred roaming / barred roaming list. If the PLMN is on the preferred list, the MS will decode the entire BCCH and acquire parameters for access. The MS will then initiate the initial registration process.
GMSC (Gateway Mobile Switching Center)
Works like an MSC, but also serves as a gateway to other outside networks.