gsm technology

Liu guojun

AgendaAgenda

. GSM900/DCS1800

. The GSM Network& Air Interface . Technical Basics . Speech Coding . Types of Channel . Making a Phone Call

Liu guojun

Global System for Mobile

( Groupe Special Mobile )

G S MG S M

Liu guojun

1982 Groupe Special Mobile” is created within CEPT

1986 A Permanent Nucleus is set up

1987 Main radio transmission techniques are chosen, based on prototype evalution (1986)

1989 GSM becomes an ETSI technical committe

1990 The phase 1 GSM 900 specifications are frozen

1991 First systems are running

1992 All major European GSM 900 operators begin commerical operator

GSM Development HistoryGSM Development History

Liu guojun

• Speech Services• Data Services• Short Message Services (SMS)

• Supplementary Services• Subscriber Identity Module (SIM)• Security Function

GSM / DCS1800 FunctionalitiesGSM / DCS1800 Functionalities

Liu guojun

RF AspectsRF Aspects

• TDMA

• GMSK Modulation

• Burst Power Transmission

• Fast Switching Synthesizer

• Neighbour Cells Measurement

• Hopping

• Uplink / Downlink DTx

• Speech Transcoding

• BER & Receiver Testing

• Normal Burst & Access Burst

• Ciphering

Liu guojun

Phase 1 Phase 2 Phase 1 Phase 2 PCS1900GSM900 GSM900 DCS1800 DCS1800

Uplink 890 to 880 to 1710 to 1710 to 1850 to915MHz 915MHz 1785MHz 1785MHz 1910mHz

Downlink 935 to 925 to 1805 to 1805 to 1930 to960MHz 960MHz 1880MHz 1880MHz 1990MHz

ARFCN range 1 to 124 0 to 124 and 512 to 885 512 to 885 512 to 810975 to 1023

TX/RX Spacing 45MHz 45MHz 95MHz 95MHz 80MHz(Freq.)TX/RX Spacing 3 Timeslots(Time)Modulation Data 270.833kbit/sRateFrame Period 4.615msTimeslot Period 576.9usBit Period 3.692usModulation 0.3GMSKChannel Spacing 200KHzTDMA Mux 8MS Max Power 20W( 8W is 8W 8W 8W 8W

max in use)MS Min Power 13dBm 5dBm 0dBm 0dBm 0dBmMS Power 0 to 15 2 to 19 0 to 13 0 to 15 30,31,0 to 15Control StepsVoice Coder Bit 13kbit/s 13kbit/s 13kbit/s 13kbit/s 13kbit/sRate 6.5kbit/s 6.5kbit/s

GSM900/DCS1800/PCS1900GSM900/DCS1800/PCS1900

Liu guojun

GSM Frequency RangeGSM Frequency Range

•890 - 915 MHz Uplink / MS Transmit

•935 - 960 MHz Downlink / BS Transmit

•Duplex Offset 45 MHz

•Channel Spacing 200kHz

•Channel numbering 1 - 124

•Transmission Speed 270 Kbits

Liu guojun

DCS1800 Frequency RangeDCS1800 Frequency Range

•1710 - 1785 MHz Uplink / MS Transmit

•1805 - 1880 MHz Downlink / BS Transmit

•Duplex Offset 95 MHz

•Channel Spacing 200kHz

•Channel numbering 1 - 375

•Transmission Speed 270 Kbits

Liu guojun

GSM Primary BandGSM Primary Band

890 900 910 920 930 940 950 960 Freq

45 MHz

Uplink ( Mobile to Base )

Downlink ( Base to Mobile )

Liu guojun

DCS1800 Primary BandDCS1800 Primary Band

1710 1735 1760 1785 1800 1825 1850 1875Freq

95 MHz

Uplink ( Mobile to Base )

Downlink ( Base to Mobile )

Liu guojun

Carriers at the border of the GSM bandCarriers at the border of the GSM band

890.2 890.4 890.6 890.8

Freq

GSM band

200 kHz

Liu guojun

Carriers at the border of the DCS1800 bandCarriers at the border of the DCS1800 band

1710.2 1710.4 1710.6 1710.8

Freq

DCS1800 band

200 kHz

Liu guojun

GSM NetworksGSM Networks

BSC

BTS

BTS

BTSBSS

BSC

BTS

BTS

BTSBSS

MSC

MSC

OMCOMC

ADC NMC

VLR

VLRHLR

AUC

EIR

Interface to other network

MS

Liu guojun

GSM NetworksGSM Networks

Terminology:MS- Mobile Station BSS- Base Station System BTS- Base Transceiver Station BSC- Base Station Controller MSC- Mobile Switching Centre OMC- Operations and Maintenance CentreNMC- Network Management CentreAUC- Authentication CentreHLR- Home Location RegisterVLR- Visitors Location RegisterEIR- Equipment Identity Register

Liu guojun

MSCBSC

BSC

BSC

PSTNBTS

BTS

BTS

Air Interface Abis Interface SS#7 SS#7

GSM InterfaceGSM Interface

MS

Liu guojun

Phase Shift KeyingPhase Shift Keying

State 1 State 0

0 Deg 180 DegT

Liu guojun

GMSK ModulationGMSK Modulation

1 1 0 0 1 0 1 1 0 0 1 0

PSK

Guassian Filter

Spectrum < 200kHz

Liu guojun

Fc Fc + 67.708KHzFc + 67.708KHz

+67.708KHz-67.708KHz Data Type “ 0”Data Type “ 1”

ModulationModulation

Liu guojun

4 0

1

2

3

4

5

6

7

1 2 3 4 5 6

Frequency

Amplitude

ARFCN

Timeslot

Physical Channel isan ARFCN and Timeslot

TDMA and FDMATDMA and FDMA

Liu guojun

TDMA and FDMATDMA and FDMA

Terminology:FDMA -Frequency Division Multiple AccessTDMA -Time Division Multiple AccessARFCN -Absolute RF Channel NumberTS -Timeslot

Physical -The Combination of a TS numberChannels and ARFCN.Logical -are Mapped on Physical ChannelsChannels

Liu guojun

DTX and DRXDTX and DRX

DISCONTINUOUS RECEPTION (DRX) . Idle mode to save battery power . MS’s divided into paging groups based on IMSI - Paging requests transmitted by network at predefined intervals

DISCONTINUOUS TRANSMISSON (DTX)

. Save battery power . Inserts comfort noise

Liu guojun

10us

10us

10us

10us

8us 8us

3 31 157 5726

148 Active Bits, 546.42us

147 Useful Bits

542.8us

-70dB

-30dB

-6dB

+4dB

-6dB

-30dB

-70dB

Tol -1.0dB

Tol +1.0dB

GSM TDMA Power BurstGSM TDMA Power Burst

Liu guojun

Power Time TemplatePower Time Template

542.8 us / 147 Bits 10 8 1010 8 10Time

Power

-70

0

dB

Upper Limit

Lower Limit

Actual

us

Normal Burst

Liu guojun

Power Time TemplatePower Time Template

321.23 us / 87 Bits 10 8 1010 8 10Time

Power

-70

0

dB

Upper Limit

Lower Limit

Actual

us

Access Burst

87 bits

Liu guojun

6.12s

120ms

4.615ms

576.92us

3 31 1 57bits

57bits

26bits

8.25bits

Tailbits

Controlbits

Data

Midamble

Controlbits

Data Tailbits

GuardPeriod

Timeslot(normal burst)

Superframe

Multiframe

Frame

51 Multiframes

26 Frames

8 Timeslots

156.25bits

Frames and MultiframesFrames and Multiframes

Liu guojun

GSM Frame StructureGSM Frame Structure

6.12 6.12 ss

Superframe = 26 x 51 multiframesSuperframe = 26 x 51 multiframes

hyperframe = 2048 superframeshyperframe = 2048 superframes

3 3 h 28 mins 53 s 760msh 28 mins 53 s 760ms

0 1 2

324 2510 2

0 7

TDMA Frame / 8 Time Slots

TCH Signalling26 TDMA Frame 51 TDMA Frame

235 ms120 ms

48 49 50

Liu guojun

Time Frame

0 1 2 3 4 5 6 7

4.615 ms

156.25 Bits

0.577ms

3 31 157 5726

TrainingData Data

148 BitsBurst

Burst Structure

TDMA Frame Structure TDMA Frame Structure

Liu guojun

Normal BurstNormal Burst

5 6 7 0 1 2 3 4 5 6 7 0 1 3 42

577us

4.6ms

T3

T3

GP8.25

26 TrainingSequence

57Encrypted Bits

57Encrypted Bits1 1

Liu guojun

Access BurstAccess Burst

T8

41 SynchronisationSequence

36 EncryptedBits

T3

GP68.25

Used only when MS send Chan_req onto the Random Access Channel (RACH)

Liu guojun

Uplink & DownlinkUplink & Downlink

Downlink / MS Receive

5 6 7 0 1 2 3 4 5 6 7 0 1 3 42

0 6 7 0 1 2 3 4 5 6 71 3 42

Uplink / MS Transmit

5

Liu guojun

Uplink & DownlinkUplink & Downlink

ARFCN

0 2 4 7 3 6 01

3

5 06 1 4 72 5 31 2 64 5 7 2 4 60 3 5 713

210 4 5 6 7 0 1 2 3 4 5 6 7 0 0 3 4 5 6 7 0 1 2 3 4 51

ARFCN

UPLINK

DOWNLINK

45MHz

. Uplink Lags Downlink by 3 Timeslot periods

. Uplink and Downlink use same Timeslot Number

. Uplink and Downlink use same Channel Number (ARFCN)

. Uplink and Downlink use different bands(45MHz apart for GSM900)

Liu guojun

Frequency HoppingFrequency Hopping

MOD

Coupler

Switch

Synth

Register

ControlUplink

BS 1 BS 2MonitoringRX LevRX Qual

Downlink 1

65

124

1

65

124

Home BS

Liu guojun

20ms Blocks

Speech Coder

Bits Ordered

260 Bits

260 Bits

50 132 78

. RELP and LTP Coder RELP- Residual-Excited Linear Prediction Coder LTP- Long Term Prediction

. Converts Speech to Low Data Rate

. 20ms Speech makes 260Bits

. Output 13kbit/s

Very Important Bits Important Bits Other Bits

Speech CoderSpeech Coder

Liu guojun

Error CorrectionError Correction

Type Ia 50 Type Ib 132 Type II 78

50 132 783

Type Ia CRC Type Ib Type II

Block Code

25 66 25663 4 78

Re-ordering

378 78

Half rate convolutional code

456 Bits from 20ms of Speech

Type Ia Type Ib Type Ib Type Ia Tail Type II

CRC

262 Bits

In

456 Bits

Out

Liu guojun

Diagonal InterleavingDiagonal Interleaving

456 Bits from 20ms of Speech 456 Bits from 20ms of Speech

57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57 57

57 57 57 57 57 57 57 57

57

57 57 57 57TCH

Traffic Channel (TCH) Bursts Carry Two 57 Bits Blocks (114) Each120ms of Speech = 456x6 = 2736 bits2736/114 = 24 bursts I.e. 24frames(mobile transmits once per frame)Multiframe has 26 frames in 120msThere are 2 spare frames…… One SACCH, one Idle

Liu guojun

Speech to Radio / Radio to SpeechSpeech to Radio / Radio to Speech

Channelcoding

Speech

Digitizing and Source coding

Interleaving

Burst formatting

Ciphering

Modulation

Channeldecoding

Speech

Source decoding

De-interleaving

Burst formatting

Deciphering

Demodulation

Liu guojun

BCH- Broadcast CHannelBCH- Broadcast CHannel

. One ARFCN, On all the time, in every cell

. Different cells use different ARFCN

. BCH Information carried in Timeslot 0, other Timeslots can be used for TCH. Allows Mobile to Synchronise. Identifies Network. Carries Paging Messages and other Control Information

Liu guojun

FCH- Frequency correction CHannel

. Use a special burst which repeats on the BCH, it has a special fixed bit sequence . Allow the mobile to tune it’s internal freqency reference when it first turns on


Liu guojun


SCH- Synchronisation CHannel . Allow the mobile to adjust it’s internal timing and get synchronised to multiframe sequence

Liu guojun

BCCH- Broadcast Control CHannel

. Carries information identifies the network

. Carries lists of the channels in use in the cell - BA(Base Allocation) Table List of all the BCH frequencies to go out and measure - CA(Cell Allocation) Table List of all the hop freguencies available in a particular cell


Liu guojun

CCCH- Common Control CHannelCCCH- Common Control CHannel

PCH- Paging CHannel

. Base staiton page the mobile using PCH

. When the mobile sees its number on the PCH it recognises that it should respond by requesting service with a RACH

Liu guojun

AGCH- Access Grant CHannel

. Once a mobile has sent a RACH, the base station respond by putting an AGCH on the CCCH. The AGCH instructs the mobile to go to an SDCCH or TCH


Liu guojun


RACH- Random Access CHannel

. Used by the mobile to get attention from Base station

. Mobile doesn’t know path delay - So RACH has to be a special Short Burst - Mobile sends normal burst only after getting Timing Advance on Downlink SACCH

Liu guojun

DCCH- Dedicated Control CHannelDCCH- Dedicated Control CHannel

SDCCH- Stand-alone Dedicated Control Channel

. Used during call setup

. Stepping stone between BCH and TCH

. Used for Authentication etc.

Liu guojun


SACCH- Slow Associated Control Channel

. DOWNLINK - Mobile TX power commands - Mobile Timing Advance - Cell’s Channel Configuration

. UPLINK - Received signal quality report (RXQual) - Received signal level report (RXLev) - Adjacent BCH power measurements - Mobile’s status+

Liu guojun


FACCH- Fast Associated Control Channel

. Interrupts TCH on Uplink and Downlink

. Rapid message exchange for handovers

. Control Bits either side of midable: - Indicate TCH or FACCH

Liu guojun

TCH- Traffic CHannelTCH- Traffic CHannel

. Mobile’s on a call use a TCH

. The TCH is a two way channel used to exchange speech information between the mobile and Base station

Liu guojun

GSM Signalling / Traffic ChannelsGSM Signalling / Traffic Channels

SIGNALLING TRAFFIC

BASE STATION

SIGNALLING TRAFFIC

BCCH CCCH DCCH TCH

FCCH SCH PCH RACH AGCH SDCCH SACCH FACCH

MOBILE STATION

Network Ident.LAIBA listSystem parameters

MS searchesfor the strongestBCCH and locksonto it

MS adjusts its frequency

MS in idle mode listens to the CCCH

MS Sync. tothe network

MS receivespaging requests

MS sendsAccess requests

messages

BS sends Access GrantedMessage

Main SignallingChannel duringa period of TCH

MS measure-ment results

Fast SignallingChannel

Signalling afterAccess to network Granted

Speech / Data

Liu guojun

MS Camp on Flow ChartMS Camp on Flow Chart

MS Turn On

MS searches channelsand orders by signalstrength

MSStongest

BCCH

FCCH on BCCH and adjusts timebase

SCH on BCCH and fine tunes timebase & timing

Decode BCCH & store info

Is BCCHin PLMN ?

MSNext Stongest

BCCH

YES

NO

YES

NO

NO

Location =Previous Location?

YES

YES

MS camped on - listens for page, can request service

Using SACCH - adjust power, TA & report RX Qualetc

MS goes to the assigned SDCCH ( Freq., timeslot, ... )for authentication + location Update

MS sendsRACH

BS assigns SDCCH to MS using the CCCH

Liu guojun

Orignated CallOrignated Call

BS pages MS usingthe CCCH MS sends RACH

BS ORIGINATED CALL

MS ORIGINATED CALL

MS responds withRACH

BS assigns MS to SDCCH

or TCH

MS transmits and receives speech on TCH

TCH

Using the FACCH onTCH authentication &location update

Using the SDCCH, authentication,call setup, and TCH assignment

Using the SACCH, BS commands MS to adust power + timing, MS

reports power + Rx quality of BCCH + adjacent BCCH

MS transmits + receives speechon TCH

Using the SACCH on TCH, MSreports power + Rx quality , BScommands MS to adjust power ,TA

During inactive timeslots, MS measures adjacent cells, BCCH

Call disconnected by MS or BS

Liu guojun

Subscriber Identity Module ( SIM )Subscriber Identity Module ( SIM )

SIM contains ( at least ) following information :

• SIM serial number• ID - key Ki• Encryption key Kc• IMSI• TMSI• LAI ( Location Area Identification )• PIN ( Personal Identification Number )• PUK( Personal Unblock Code )• A3• A8

Liu guojun

International Mobile Subscriber Identity ( IMSI )International Mobile Subscriber Identity ( IMSI )

IMSI = MCC + MNC + MSIN

NMSI

3 digits 2 digits

Not more than 15 digits

IMSI = International Mobile Subscriber Identity

MCC = Mobile Country Code

MNC = Mobile Network Code

MSIN = Mobile Station Identification Number

NMSI = National Mobile Subscriber Identity

Liu guojun

International Mobile Equipment Identity ( IMEI )International Mobile Equipment Identity ( IMEI )

IMEI = International Mobile Equipment Identity

TAC = Type Approval Code

FAC = Final Assembly Code

SNR = Serial Number

SP = Spare

IMEI = TAC + FAC + SNR SP+

6 digits 2 digits 6 digits 1digit

Liu guojun

Timing AdvanceTiming Advance

MS Txwith TimingAdvance

0 1 2 3Td

Td

0 1 2 3

0 1 2 3

0 1 2 3

TA

0 1 2

BS Tx

MS Rx

MS TxNo TimingAdvance

BS Rx

MS Rx

Td - delay on radio path

TA - Timing Advance

0 1 2

Liu guojun

Security AspectsSecurity Aspects

Network

=

SRES

Yes

RAND

MS

A3

K i (SIM )

SRES

Authentication

A5

K c Ciphering

Speech / message

Encypted speech /message

A5

K c

Speech /message

Radio Interface

A8

K i RAND

K c

A8

K i RAND

K c

Ciphering Key

A8

K i RAND

K c

A8

K i RAND

K c

Ciphering Key

gsm technology

Documents

base downlink base

mobile carriers

gsm band890

major european gsm

gsm network air interface

dcs1800 band1710

transmission speed

uplink ms transmit935