October 13 2004

Chapter 2 Data services in GSM system

Part 1 Introduction to Global System for Mobile Communication (GSM)

Introducing GSM

The Global System for Mobile Communication was standardized by ETSI in the late 1980’s to provide an all-digital mobile communication system in the 900 MHz range to the European market.

GSM is the most popular mobile standard, and variants of GSM have been adapted for different applications and frequency ranges.

The history

In 1994, the special mobile group started to think about a high speed data upgrade for GSM
The first result was HSCSD in 1999
2000, GPRS
2002, UMTS

GSM family

Primary GSM, 900 MHz
1992, PCS1800 in 1800 MHz
US version of GSM in 1900 MHz
GSM 450 and 480 to replace analog cellular
GSM 850 for eastern Europe to replace analog system
R-GSM for railway system, not only voice and data, but also for train and signal control

GSM services

Teleservices:
Telephony (full rate and half rate)
Emergency calls
Short messaging services

Bearer services:
Asynchronous data
Synchronous data

Supplementary services:
Call forwarding
Call barring
Calling line identification
Call waiting
Advice of charge

The GSM architecture

The GSM system can be roughly divided into three different parts:

The Network Switching Subsystem (NSS)
NSS consists of several MSC (mobile switching center) with integrated VLR, one or more HLRs, and optionally one or more EIR (Equipment Identity Register)

The Base Station Subsystem (BSS)
BSS consists of a number of BTSs (Base Transceiver Station) that are connected to a centralized BSC (Base Station Controller). The BSC itself interfaces the BSS towards one MSC

The Mobile Station
Mobile station consists of the Mobile Equipment (ME) and the Subscriber Identity Module (SIM)

An example of PLMN

PLMN: Public Land Mobile Network

The interconnection of the various network elements

PCU: Packet Control Unit

Tasks and functions of the GSM network elements

Home Location Register and Authentication Center (HLR/AuC)

The HLR is basically a huge database for the permanent storage of subscriber data. It is interconnected to the different VLRs and MSCs within a PLMN, which will retrieve subscriber and routing information and store it on an intermediate basis. Physically integrated with the HLR is the AuC that holds the most secret keys and algorithms of GSM (A3, A8 and Ki). The AuC will compute the so-called Authentication Triplets (Kc, RAND, SRES) which in turn are used by the VLR to authenticate a subscriber.

Equipment Identity Register (EIR)

The EIR is a relic from the old days when mobile terminals cost a fortune. If implemented, the EIR will allow the barring of stolen mobile terminals.

Tasks and functions of the GSM network elements (cont’d)

Mobile services switching center (MSC)

The MSC is actually a digital switch that has been upgraded to suit the requirements of a mobile network environment. In GSM, the MSC takes care of the resource management on the A-interface towards the BSC and is responsible for the call processing in MOC (Mobile Originating Call) and MTC (Mobile Terminating Call). Also, the MSC is suited to process a handover procedure between two and even three MSCs. A special function is given to the Gateway-MSC (G-MSC) which is an MSC that provides access to external networks. Note that other MSCs might incorporate more special functions for the processing of short messages (SMS-IW-MSC/SMS-G-MSC).

Visiting Location Register (VLR)

Initially, the VLR was considered a different network element from the MSC. Then the VLR became part of what is now called MSC/VLR. Still, from the protocol perspective, the VLR takes care of different tasks (mobility management MM) from those of the MSC (call control CC).

Tasks and functions of the GSM network elements (cont’d)

Base Station Controller (BSC)

The BSC relieves the MSC from multiple radio-related tasks like access control or handover scenarios that do not require the contribution of the MSC.

Base Transceiver Station (BTS)

The BTS interconnects the GSM network to the air interface and has multiple radio-related functions like interleaving, channel coding and ciphering. One of the most important functions of the BTS is to broadcast on the BCCH (Broadcast Control Channel) with constant output power to supply the surrounding mobile stations with cell-specific information and to serve as a beacon for handover decisions.

Transcoding Rate and Adaptation Unit (TRAU)

The TRAU is used for speech compression and is transparent for data connections. Since human speech is quite redundant, compression rates of 1/4 (full-rate channel/FR) and even 1/8 (half-rate channel/HR) are achieved.

Tasks and functions of the GSM network elements (cont’d)

Mobile Station and Subscriber Identity Module (SIM)

The GSM mobile station is evolving towards GPRS, EDGE and multimode devices.

In GSM, the SIM deserves special attention as it provides for a distinction of the mobile equipment or terminal and the subscriber’s identity. This distinction of the subscriber’s identity (IMSI) and his directory number (MS-ISDN) is different from, e.g., the North American approach (MIN).

The GSM Air-interface

Gaussian Minimum Shift Keying (GMSK)

200 kHz, 8 time slots, 577 µs

The GMSK modulated burst in power versus time

The GSM Air-Interface

Access scheme: classic TDMA/FDMA

Frame Hierarchy of GSM

Frame Hierarchy of GSM (cont’d)

Multiframe/Superframe/Hyperframe:

The basic TDMA-frame is embedded into a logical structure that combines 26 or 51 TDMA-frames to a multiframe and so on. Each TDMA-frame is uniquely numbered (frame number=FN) within that structure. The establishment of the frame hierarchy is required to provide the BTS with an internal clocking system which in turn is required for multiple functions like logical channel configuration, network access and circuit-switched ciphering.

Frame hierarchy (cont’d)

Physical channels

The discrimination of logical and physical channels is rather simple:

The physical channel in GSM is one timeslot, offering throughput rate of 22.8 kbit/s

The logical channels are the application specific bearer channels that GSM defines to suit the various needs of a mobile network environment. The multiframe structure is used to identify, at each instant, which logical channel is using a particular physical channel.

Many restrictions apply in the allocation of logical channels.

Example

Allocation of logical channels in the downlink direction on TS0 of the BCCH

FN        Logical channel
0-5       FCCH + SCH + BCCH 1-4
6-9       Block 0: reserved for CCCH
10-11     FCCH/SCH
12-15     Block 1: reserved for CCCH
16-19     Block 2: reserved for CCCH
20-21     FCCH/SCH
23-25     Block 3: SDCCH/0
26-29     Block 4: SDCCH/1
30-31     FCCH/SCH
32-35     Block 5: SDCCH/2
36-39     Block 6: SDCCH/3
40-41     FCCH/SCH
42-45     Block 7: SDCCH/0 or 2
46-49     Block 8: SDCCH/1 or 3
50        Idle

FN: frame number

Logical channels

TCH/SDCCH/ACCH/CCCH/CBCH/BCCH:

Traffic channels (TCH) are bidirectional PTP (point-to-point) channels to transmit speech or data between BTS and mobile station. Different types of TCHs exist.

SDCCH (Stand-alone dedicated control channel) are bidirectional PTP channels reserved for the transmission of signaling information.

Associated control channels (ACCH) are used to transmit signaling and layer 1 information (timing advance, power control information, etc.) for their masters which are TCHs and SDCCHs. Two types of ACCH exist, the SACCH (slow ACCH) and the FACCH (fast ACCH).

Logical channels (cont’d)

TCH/SDCCH/ACCH/CCCH/CBCH/BCCH:

Common control channels (CCCH) are unidirectional and PTM (point-to-multipoint). They are mainly used to establish a dedicated channel.

Broadcast control channel (BCCH) conveys cell specific information to the mobile stations that are currently affiliated with that BTS.

The cell broadcast channel (CBCH) is downlink only and conveys broadcast short messages.

Transmission over the air-interface

Transmission and reception are not continuous but performed in bursts. Five types of bursts:

Frequency correction burst (FB): the simplest. Consists of 142 bits, all coded with ‘0’ as well as a head and a tail. FB is used on the FCCH (frequency correction channel) that serves as the beacon of the BTS.

Synchronization burst (SB): used on synchronization channel (SCH). SCH conveys frame number and some initial identification of the cell to the surrounding mobile stations.

Transmission over the Air-interface (cont’d)

Access burst (AB): used in uplink direction only in case the mobile station does not possess valid information about the current propagation delay of the cell. Therefore, the AB is shortened to ensure that it will definitely fit into the respective receive window of the BTS. This method allows for a maximum distance of 35 km between MS and BTS.

Normal burst (NB): the bearer for almost every kind of information, signaling and payload, in uplink and downlink direction.

Transmission over the Air-interface (cont’d)

Dummy burst (DB): serves a special function on the BCCH carrier where all timeslots need to transmit permanently, even without being in use. All not-used timeslots of the BCCH therefore transmit dummy bursts, where a dummy burst consists of a pre-defined and fixed bit sequence. Permanent transmission on all timeslots of the BCCH carrier is required because the BCCH carrier serves as a reference for handover and cell selection decisions.

Five Bursts

Normal Burst

Synchronization Burst

Access Burst

Frequency Correction Burst

Dummy Burst

Layer 1 on the GSM Air-interface/Timing Advance Control

Timing advance control: Propagation delay varies with distance and is a critical issue for a TDMA system on the uplink path. Accordingly, the network needs to constantly tell the mobile station how to offset its burst transmissions during a connection (SACCH). Otherwise, the signals from different MS would collide in the receive window of BTS.

Timing advance control

GSM operates in half-duplex mode. A mobile station never transmits and receives simultaneously. The generic rule for GSM is: the mobile station transmits 3 time slots later than the BTS. This offset is altered by the noticeable propagation delay.

Propagation measurement

GSM provides means to continuously measure the propagation delay and send this information back to the mobile station as a TA value.

The BTS uses the TSC (training sequence code) within the received bursts to measure the bit shift and the distance between itself and the MS.

Based on TA, the MS needs to start its transmission earlier than according to the “three time slots” rule.

The TA value is 7 bits wide and takes values from 0 to 63. For a maximum distance of 35 km, each unit translates into roughly 550 m. The 7th bit is a spare bit and can be used in case of extended cell sizes.

Initial timing advance estimation

Initial timing advance is based on the time of arrival of the short Access Burst

Layer 1 on the GSM Air-interface /channel coding

Channel coding: transmission over the air interface is vulnerable to interference and other hazards. To fight these threats, redundancy is added to the data to allow the receiver to recover the original signal in case of errors.

Interference: random error, bursty error and narrow bandwidth interference

Channel coding for full rate speech TCH

Each 20 ms of coded speech at 13 kbps forms a 260-bit packet.

The 50 most significant bits receive a 3-bit CRC code protection.

They are then added to the second group of 132 bits with lower importance and a 4-bit tail of all 0s.

The resulting 189 bits are encoded with a ½ rate convolutional encoder that doubles the number of bits to 378.

The 378 bits are added to the 78 least important speech-coded bits to form a 456-bit packet every 20 ms.

Speech coding

Channel coding for data traffic

Each 20 ms of data at 9600 bit/s forms a 192-bit packet.

48 bits of signaling information and 4 bits of tail are added to form a 244-bit packet.

The 244-bit packet is expanded to 456 bits using a ½ rate punctured convolutional encoder.

The resulting 456 bits are turned to NBs (Normal Burst).

Channel coding for data packets

User’s 9600 bps packet: 192 bits (20 ms)
Added: 48 bits signaling info., 4 tail bits
½ punctured convolutional coding
Transmitted packet: 456 bits (20 ms)

Channel coding for signaling

Original signaling packet consists of 184 bits.

Block coded with 40 parity check bits.

4 bits of tail are added to form a 228-bit packet.

The 228-bit packet is expanded to 456 bits using a ½ rate convolutional encoder.

The resulting 456 bits are turned to NBs (Normal Burst).

Channel coding for signaling packet

Signaling packet: 184 bits (20 ms)
Added: 40 parity bits (224 bits), 4 tail bits
½ convolutional coding
Transmitted packet: 456 bits (20 ms)

Interleaving

To reduce the effect of bursty errors. By distributing a single block over multiple bursts the hazard of a complete loss of one packet is reduced

Slow Frequency Hopping in GSM

Frequency hopping provides a means to cope with narrow bandwidth interference

GSM provides slow frequency hopping:

The sender will send several bits on a frequency before changing to another frequency
Both sides need to negotiate on the frequency hopping pattern

Narrow bandwidth interference

An interference with limited bandwidth and high power within the narrow bandwidth

Authentication and ciphering

Authentication: used to prevent fraudulent subscribers from accessing the GSM network. The authentication process is invoked by the MSC/VLR, which requests pre-calculated authentication triplets from the HLR/AuC. Authentication consists of challenging the mobile station by providing the RAND. RAND and Ki are the input parameters for algorithm A3. The respective output is SRES. The VLR will compare both values, the stored SRES and the SRES coming from the mobile station, to decide whether the authentication process is successful.

Ciphering: ciphering ensures data confidentiality during the transmission over the air interface. Ciphering cannot be initiated without prior authentication. Like authentication, ciphering is based on a calculation over RAND and Ki, but this time applying algorithm A8. The respective output parameter Kc, together with the current frame number, is used in algorithm A5 to determine the ciphering sequence that is used for “XORing” the 114 bits of the output burst.

Authentication

HLR stores pre-calculated triplets: RAND (random number: 128 bit), SRES (Signed RESponse: 32 bit) and Kc (Ciphering Key: 64 bit). RAND is randomly chosen by the AuC. Ki is the subscriber identification only known in HLR and SIM. Ki never leaves the HLR or the SIM.

After receiving triplets from HLR, the VLR sends one RAND to MS.

Based on received RAND, MS calculates SRES and sends it back to VLR.

VLR compares received SRES to the stored SRES. If correct, authentication is successful.
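
The challenge-response and ciphering flow described above, as an added example that is not part of the original slides. A3, A8 and A5 are replaced here by HMAC-SHA256 stand-ins because the slides do not define them; the function names, the 128-bit Ki and the frame numbers are assumptions made for the illustration.

```python
# Added illustration: a3/a8/a5 are HMAC-SHA256 stand-ins, NOT the real GSM algorithms.
import hashlib
import hmac
import secrets

BURST_BITS = 114  # burst bits that are XORed with the cipher sequence

def a3(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A3: (Ki, RAND) -> 32-bit SRES."""
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8(ki: bytes, rand: bytes) -> bytes:
    """Stand-in A8: (Ki, RAND) -> 64-bit Kc."""
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

def a5(kc: bytes, fn: int) -> int:
    """Stand-in A5: (Kc, frame number) -> 114-bit cipher sequence as an int."""
    block = hmac.new(kc, b"A5" + fn.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(block, "big") >> (256 - BURST_BITS)

def auc_triplet(ki: bytes) -> tuple[bytes, bytes, bytes]:
    """HLR/AuC side: choose RAND and pre-calculate (RAND, SRES, Kc)."""
    rand = secrets.token_bytes(16)  # 128-bit challenge
    return rand, a3(ki, rand), a8(ki, rand)

def sim_response(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    """SIM side: derive SRES (sent to the VLR) and Kc (kept for ciphering)."""
    return a3(ki, rand), a8(ki, rand)

def vlr_check(stored_sres: bytes, received_sres: bytes) -> bool:
    """VLR side: compares the two SRES values; it never handles Ki."""
    return hmac.compare_digest(stored_sres, received_sres)

def cipher_burst(kc: bytes, fn: int, bits: int) -> int:
    """XOR 114 burst bits with the sequence for frame fn; the same call deciphers."""
    return bits ^ a5(kc, fn)

def demo() -> dict:
    ki = secrets.token_bytes(16)             # constructed subscriber key (size assumed)
    rand, sres, kc_net = auc_triplet(ki)     # triplet handed from HLR/AuC to the VLR
    sres_ms, kc_ms = sim_response(ki, rand)  # the VLR sent only RAND to the MS
    wrong_sres, _ = sim_response(secrets.token_bytes(16), rand)  # SIM holding another Ki
    burst = secrets.randbits(BURST_BITS)     # constructed 114-bit payload
    sent = cipher_burst(kc_ms, 1234, burst)  # MS ciphers with its own Kc
    return {
        "genuine": vlr_check(sres, sres_ms),
        "wrong_ki": vlr_check(sres, wrong_sres),
        "deciphered": cipher_burst(kc_net, 1234, sent) == burst,
        "wrong_frame": cipher_burst(kc_net, 1235, sent) == burst,
    }

if __name__ == "__main__":
    print(demo())
```

Only RAND and SRES cross the air interface in this flow, and the network side deciphers with the Kc from its stored triplet, so both ends must also agree on the frame number for the XOR to cancel.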

A3 and A8 computation:

Ciphering:

Deciphering:

Conclusions

GSM is circuit-switched

Packet-switched vs circuit-switched:

Packet-switched transmission requires that every packet comes with an individual header to provide address and routing information. No dedicated resource is required.

Can GSM become a packet-switched system?

Inherently, GSM is a packet-switched system, considering that transmission and channel coding is performed in blocks and bursts.