How to set up smartphones and PCs. Informational portal

Cellular communication standard gsm. Description of the GSM standard

WCDMA and GSM are mobile network communication standards. In Russia today the most popular is GSM, which most Russian operators use. Users hear about WCDMA much more rarely, for example when they happen to notice the tariffs of a WCDMA operator or want to buy a phone that supports only this standard. For now GSM is not going to leave the Russian market, but some advantages of WCDMA networks make users wonder which is better, WCDMA or GSM. What is the difference between these standards, and which one should you choose? Let's try to figure it out.

What is WCDMA and GSM in a phone?

It is impossible to explain the difference without describing the essence of these standards, so before we get to the differences we will look at WCDMA and GSM in more detail.

Let's start with GSM. The abbreviation stands for Global System for Mobile Communications. It was the first global digital cellular standard and in some sense became the model for those that followed.

It was standardized by ETSI (Europe) around 1990. It is built on TDMA channel division and from the outset specified subscriber authentication, radio-path encryption and data transmission. GSM allows you to transmit:

  1. Speech.
  2. Text messages (SMS).
  3. Fax.
  4. Packet data (GPRS).

This standard also made it possible for the first time to see the number of the calling party (caller ID) and to forward calls to another number. Nor should we forget conference calls, in which several phones are joined at once, and call holding. In its day GSM was a revolution in cellular communications.

What is WCDMA?

When discussing WCDMA versus GSM and the difference between them, it is worth noting that WCDMA was to some extent conceived as an extension improving the GSM standard. At least that is how it was originally intended; today WCDMA is a third-generation (3G) standard, specified by 3GPP, a partnership of several international standards bodies, while GSM remains a second-generation (2G) standard.

WCDMA is based on DS-CDMA (direct-sequence code division) technology, which compared to TDMA is more resistant to interference and offers higher throughput. Phones operating in a WCDMA network perform the same functions as in GSM (voice and data transfer), but with higher quality and speed, which is why operators supporting WCDMA offer faster Internet access.

WCDMA or GSM - what's the difference?

The most important difference lies in the multiple-access technique (TDMA versus DS-CDMA), that is, in how the channel is divided among subscribers. In GSM the division is in time: each subscriber is allocated a narrow frequency band for a short, regularly repeating timeslot.

In WCDMA everything is different: streams are separated by code, and the information of all subscribers is spread over a wide frequency band at the same time. As a result the data rate rises greatly, hence the name Wideband Code Division Multiple Access.

This is the main difference between the GSM and WCDMA standards. What does it mean for the user? Higher Internet speeds and much less interference during calls. Despite these advantages, GSM is still the most widespread cellular standard. Every year, however, there are more WCDMA subscribers, and many operators are gradually moving to this standard in order to offer higher data rates. Today sparsely populated areas and villages are not covered by WCDMA networks, so their residents have no alternative to GSM yet.

Which to choose?

Now that you know the difference, the choice is clear. Both WCDMA and GSM modems provide Internet access, but at different speeds. In a big city it makes more sense to prefer WCDMA because of its higher data rate. At the same time, be aware that when travelling the phone will find no network in many regions of the country, since WCDMA coverage is still scarce.

Choose between the standards according to your needs. Generally speaking, GSM is the "cheap and cheerful" option: it is guaranteed to work everywhere, even in remote regions, and as a bonus you can browse the Internet. If you always need fast Internet at hand and long trips are not planned, you can safely choose WCDMA. First, however, check that your phone and your mobile operator support it.

As a result, the physical channel between receiver and transmitter is defined by the carrier frequency, the allocated frames and the timeslot numbers within them. A base station typically uses one or more carriers (ARFCNs), one of which announces the presence of the BTS on the air. The first timeslot (index 0) of the frames on this carrier is used as the base control channel, or beacon channel. The remaining timeslots of the ARFCNs are distributed by the operator between CCH and TCH channels at its discretion.

2.3 Logical channels

Logical channels are built on top of physical channels. The Um interface carries both user data and signalling, and according to the GSM specification each kind of information corresponds to a particular type of logical channel mapped onto the physical ones:

  • traffic channels (TCH - Traffic Channel),
  • signalling channels (CCH - Control Channel).

Traffic channels come in two main types: TCH/F, a full-rate channel with a maximum rate of 22.8 kbit/s, and TCH/H, a half-rate channel with a maximum rate of 11.4 kbit/s. Both can carry voice (TCH/FS, TCH/HS) or user data (TCH/F9.6, TCH/F4.8, TCH/H4.8, TCH/F2.4, TCH/H2.4).

Signalling channels are divided into:

  • Broadcast channels (BCH - Broadcast Channels)
    • FCCH - Frequency Correction Channel. Provides the information the mobile phone needs to correct its frequency.
    • SCH - Synchronization Channel. Provides the mobile phone with what it needs for TDMA synchronization with the base station (BTS), as well as the BTS identity (BSIC).
    • BCCH - Broadcast Control Channel. Transmits basic information about the base station: how the control channels are organized, the number of blocks reserved for access-grant messages, and the number of multiframes (51 TDMA frames each) between paging requests.
  • Common Control Channels (CCCH)
    • PCH - Paging Channel. Looking ahead: paging is a kind of ping of a mobile phone that lets the network determine whether it is reachable in a given coverage area; this channel exists exactly for that.
    • RACH - Random Access Channel. Used by mobile phones to request a dedicated SDCCH. Uplink only.
    • AGCH - Access Grant Channel. On this channel the base station answers RACH requests by allocating an SDCCH, or a TCH directly.
  • Dedicated Control Channels (DCCH)
    Dedicated channels, like the TCH, are allocated to specific mobile phones. There are several kinds:
    • SDCCH - Stand-alone Dedicated Control Channel. Used for mobile phone authentication, cipher-key agreement, the location update procedure, call setup and SMS exchange.
    • SACCH - Slow Associated Control Channel. Used during a call, or while an SDCCH is in use. Over it the BTS sends the phone periodic instructions to adjust its timing advance and transmit power; in the other direction go the received signal level (RSSI), the TCH quality and the signal levels of neighbouring base stations (BTS measurements).
    • FACCH - Fast Associated Control Channel. Provided together with the TCH, it carries urgent messages, for example during a handover from one base station to another.

2.4 What is burst?

Data is transmitted over the air as bit sequences, usually called "bursts", within timeslots. The term "burst" (a spurt or splash) should be familiar to many radio amateurs and most likely arose from the graphical representations used to analyse radio transmissions, where any activity looks like waterfalls and splashes of water. You can read more about them in this wonderful article; here we focus on the essentials. A schematic representation of a burst might look like this:

Guard Period
To avoid interference (two bursts overlapping), a burst is always shorter than the timeslot by a fixed amount (0.577 - 0.546 = 0.031 ms) called the guard period. This is a time reserve that compensates for possible propagation delays.

Tail Bits
These fixed markers delimit the beginning and end of the burst.

Info
The burst payload, for example subscriber data or signalling. It consists of two halves.

Stealing Flags
One flag per half of the payload. A set flag indicates that that half carries FACCH signalling instead of TCH data: when both flags are set, both halves of the burst are stolen by the FACCH; when only one is set, only the corresponding half is.

Training Sequence
This part of the burst is a sequence known in advance to the receiver, which uses it to estimate the physical characteristics of the channel between the phone and the base station (equalization).

2.5 Types of burst

Each logical channel corresponds to certain types of burst:

Normal Burst
Bursts of this type implement the traffic channels (TCH) between the network and subscribers, as well as the control channels carried over CCCH, BCCH and DCCH.

Frequency Correction Burst
The name speaks for itself. It implements the downlink-only FCCH, allowing mobile phones to tune precisely to the BTS frequency.

Synchronization Burst
A burst of this type, like the frequency correction burst, implements a downlink-only channel, this time the SCH, which announces the presence of a base station. Much like beacon frames in Wi-Fi, each such burst is transmitted at full power and carries the information needed to synchronize with the BTS: the current frame number, its identity (BSIC) and so on.

Dummy Burst
A filler burst sent by the base station in unused timeslots. The point is that if there were no activity on the channel, the signal strength measured on the beacon ARFCN would be significantly lower, and the mobile phone would conclude that it is far from the base station. To avoid this, the BTS fills unused timeslots with meaningless traffic.

Access Burst
When establishing a connection with the BTS, the mobile phone sends an SDCCH request on the RACH. On receiving this burst, the base station determines the subscriber's timing advance and answers on the AGCH, after which the phone can send and receive normal bursts. Note the longer guard period: at this point neither the phone nor the base station knows the propagation delay. If the RACH request is not received (for example, it collides with another phone's request), the phone sends it again after a pseudo-random delay.
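To make the layout in sections 2.4 and 2.5 concrete, here is a small packer/parser for the normal burst. This is an added example, not code from the original article or from the OsmocomBB project: the field layout (3 tail, 57 data, 1 stealing flag, 26 training, 1 stealing flag, 57 data, 3 tail = 148 bits) and the training sequence TSC0 follow the public GSM 05.02 specification, the 156.25-bit timeslot and 270.833 kbit/s rate match the figures quoted in the text, and the sample payload bits are constructed.

```python
"""Packing and parsing a GSM normal burst (added example)."""
from __future__ import annotations

from dataclasses import dataclass

BIT_PERIOD_US = 48 / 13       # one bit at 270.833 kbit/s is ~3.69 us
SLOT_BITS = 156.25            # a timeslot is 156.25 bit periods (0.577 ms)
NORMAL_BURST_BITS = 148       # 3 + 57 + 1 + 26 + 1 + 57 + 3
ACCESS_BURST_BITS = 88        # 8 tail + 41 sync + 36 data + 3 tail; the rest is guard

# Training sequence code 0 (26 bits) from GSM 05.02; the other seven TSCs
# have the same length and are used the same way.
TSC0 = "00100101110000100010010111"


@dataclass(frozen=True)
class NormalBurst:
    data1: str       # first 57 payload bits
    steal1: int      # 1 -> data1 carries FACCH instead of TCH
    training: str    # 26-bit training sequence (known to the receiver)
    steal2: int      # 1 -> data2 carries FACCH instead of TCH
    data2: str       # second 57 payload bits

    @property
    def facch_halves(self) -> tuple[bool, bool]:
        """Which halves of the payload were stolen by the FACCH."""
        return bool(self.steal1), bool(self.steal2)


def _check_bits(name: str, bits: str, length: int) -> None:
    if len(bits) != length or set(bits) - {"0", "1"}:
        raise ValueError(f"{name}: expected {length} bits of 0/1, got {bits!r}")


def pack_normal_burst(data1: str, data2: str, steal1: int = 0, steal2: int = 0,
                      training: str = TSC0) -> str:
    """Build the 148-bit normal burst: tail | data1 | S1 | TSC | S2 | data2 | tail."""
    _check_bits("data1", data1, 57)
    _check_bits("data2", data2, 57)
    _check_bits("training", training, 26)
    return "000" + data1 + str(steal1 & 1) + training + str(steal2 & 1) + data2 + "000"


def parse_normal_burst(bits: str) -> NormalBurst:
    """Split a received 148-bit normal burst into its fields, validating the tails."""
    _check_bits("burst", bits, NORMAL_BURST_BITS)
    if bits[:3] != "000" or bits[-3:] != "000":
        raise ValueError("tail bits must be 000 on both ends")
    return NormalBurst(
        data1=bits[3:60],
        steal1=int(bits[60]),
        training=bits[61:87],
        steal2=int(bits[87]),
        data2=bits[88:145],
    )


def guard_period_us(burst_bits: int = NORMAL_BURST_BITS) -> float:
    """Guard period left in the 156.25-bit slot after a burst of burst_bits bits."""
    return (SLOT_BITS - burst_bits) * BIT_PERIOD_US


def demo() -> dict:
    # Constructed payload: TCH data in the first half, a FACCH block stolen into the second.
    tch_half = ("1010" * 15)[:57]
    facch_half = ("1100" * 15)[:57]
    burst = pack_normal_burst(tch_half, facch_half, steal1=0, steal2=1)
    parsed = parse_normal_burst(burst)
    return {
        "burst_len": len(burst),
        "stolen": parsed.facch_halves,
        "training_ok": parsed.training == TSC0,
        "guard_normal_us": round(guard_period_us(), 2),
        "guard_access_us": round(guard_period_us(ACCESS_BURST_BITS), 2),
    }


if __name__ == "__main__":
    print(demo())
```

The guard computation shows why the access burst is special: with only 88 bits in the slot it leaves about 252 µs of guard time, against about 30 µs for a normal burst, which is what lets a phone with an unknown timing advance transmit without colliding with its neighbours.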

2.6 Frequency Hopping

Quote from Wikipedia:

Frequency-hopping spread spectrum (FHSS), or pseudo-random tuning of the operating frequency, is a method of transmitting information by radio whose distinguishing feature is frequent changes of the carrier frequency. The frequency changes according to a pseudo-random sequence known to both the sender and the receiver. The method increases the noise immunity of the communication channel.


3.1 Main attack vectors

Since Um is a radio interface, all its traffic is "visible" to anyone within range of the BTS. Moreover, you can analyse the data sent over the air without leaving home, using special equipment (for example, an old mobile phone supported by the OsmocomBB project, or a small RTL-SDR dongle) and an ordinary computer.

There are two kinds of attack: passive and active. In the first, the attacker does not interact with the network or the target subscriber at all, only receiving and processing what is on the air. Such an attack is practically impossible to detect, but it offers fewer possibilities than an active one. An active attack involves interaction between the attacker and the target subscriber and/or the cellular network.

The most dangerous kinds of attack to which cellular subscribers are exposed are:

  • Sniffing
  • Leakage of personal data, SMS and voice calls
  • Location data leaks
  • Spoofing (fake BTS or IMSI catcher)
  • Remote SIM capture and remote code execution (RCE)
  • Denial of service (DoS)

3.2 Subscriber identification

As mentioned at the beginning of the article, the subscriber is identified by the IMSI, which is stored on the SIM card and in the operator's HLR; the handset is identified by its serial number, the IMEI. After authentication, however, neither the IMSI nor the IMEI is sent over the air in clear. After the Location Update procedure the subscriber is assigned a temporary identifier, the TMSI (Temporary Mobile Subscriber Identity), and further interaction uses it.

Attack methods
Ideally the subscriber's TMSI is known only to the phone and the network, but there are ways around this. If you repeatedly call the subscriber or send SMS messages (better still, silent SMS) while watching the PCH and correlating the pagings with your sends, you can identify the target's TMSI with a certain accuracy.

In addition, with access to the inter-operator SS7 network, you can learn the IMSI and the LAC of a phone number's owner. The problem is that on the SS7 network all operators "trust" each other, which lowers the confidentiality of their subscribers' data.
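The paging correlation just described, as an added example that is not part of the original article. The PCH log and the send times are constructed: background paging of unrelated TMSIs at a steady rate, plus the target phone paged 1.5 s after each silent SMS. The window after each send in which the network is expected to page the target is an assumption; on a real capture you would tune it to the observed delivery delay.

```python
"""Finding a target's TMSI by correlating silent-SMS sends with PCH pagings (added example)."""
from __future__ import annotations

from collections import Counter

# Window after each trigger in which the network is expected to page the
# target (assumption: paging follows SMS delivery within a few seconds).
WINDOW_S = (0.5, 4.0)


def correlate(paging: list[tuple[float, str]], triggers: list[float],
              window: tuple[float, float] = WINDOW_S) -> list[tuple[str, int]]:
    """Count, per TMSI, in how many trigger windows it was paged.

    A TMSI paged several times inside one window counts once for that window,
    so a busy cell does not inflate the score of TMSIs that are paged repeatedly.
    """
    hits = Counter()
    for t0 in triggers:
        lo, hi = t0 + window[0], t0 + window[1]
        seen = {tmsi for t, tmsi in paging if lo <= t <= hi}
        hits.update(seen)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


def identify(paging: list[tuple[float, str]], triggers: list[float],
             min_fraction: float = 0.8) -> list[str]:
    """Return the TMSIs paged in at least min_fraction of the trigger windows."""
    need = min_fraction * len(triggers)
    return [tmsi for tmsi, n in correlate(paging, triggers) if n >= need]


def sample_capture(n_triggers: int = 8, target: str = "1A2B3C4D"):
    """Constructed PCH log: 2000 unrelated TMSIs paged in turn at 5 pagings per
    second for 300 s, plus the target paged 1.5 s after each of our sends."""
    paging = [(i * 0.2, f"{i % 2000:08X}") for i in range(1500)]
    triggers = [10.0 + 30.0 * k for k in range(n_triggers)]
    paging += [(t0 + 1.5, target) for t0 in triggers]
    paging.sort()
    return paging, triggers


if __name__ == "__main__":
    log, sends = sample_capture()
    print("top candidates:", correlate(log, sends)[:3])
    print("identified:", identify(log, sends))
```

Requiring a hit in most, not all, windows allows for a send that the network delivered late or not at all; raising the number of sends is what separates the target from the background, since an unrelated TMSI is paged in any given window only by chance. Note that the TMSI you recover is only valid until the network reallocates it, which it may do at any location update.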

3.3 Authentication

To protect against spoofing, the network authenticates the subscriber before serving him. Besides the IMSI, the SIM card stores a randomly generated secret called Ki, which never leaves the card: the SIM only returns values computed from it. Ki is also stored in the operator's HLR/AuC and is never transmitted in clear. Authentication is a challenge-response exchange:

  1. The subscriber sends a Location Update Request and provides its IMSI.
  2. The network sends a pseudo-random value RAND.
  3. The SIM computes a signed response from Ki and RAND using the A3 algorithm: SRES = A3(Ki, RAND).
  4. The network computes the same value from its own copy of Ki.
  5. If the SRES sent by the subscriber matches the one computed by the network, authentication succeeds.

Attack methods
Brute-forcing Ki from known RAND/SRES pairs can take a very long time, and operators may use their own algorithms; there is quite a bit of information online about such attempts. Not every SIM is perfectly protected, however: some researchers have managed to gain direct access to the SIM's file system and extract Ki.

3.4 Traffic encryption

According to the specification, there are several algorithms for encrypting user traffic:
  • A5/0 is the formal designation for no encryption, like OPEN in Wi-Fi networks. I myself have never encountered networks without encryption; however, according to gsmmap.org, A5/0 is used in Syria and South Korea.
  • A5/1 is the most common encryption algorithm. Although its cracking has been demonstrated repeatedly at various conferences, it is used everywhere. To decrypt traffic it is enough to have 2 TB of free disk space (for the precomputed tables), an ordinary PC running Linux and the Kraken program.
  • A5/2 is an export algorithm with deliberately weakened security. Where it is used at all, it is for show.
  • A5/3 is currently the strongest of the algorithms, developed back in 2002. Some theoretically possible vulnerabilities have been described, but in practice nobody has yet demonstrated a break. I don't know why our operators don't want to use it in their 2G networks. It is hardly an obstacle to them, since the operator knows the encryption keys and can decrypt traffic easily on its own side, and all modern phones support it. Fortunately, modern 3GPP networks do use it.
Attack methods
As already mentioned, with sniffing equipment and a computer with 2 TB of disk and the Kraken program, you can recover the A5/1 session key quite quickly (in seconds) and then decrypt anyone's traffic. German cryptologist Karsten Nohl demonstrated a method of cracking A5/1 in 2009. A few years later Karsten Nohl and Sylvain Munaut demonstrated the interception and decryption of a phone conversation using several old Motorola phones (the OsmocomBB project).

Conclusion

My long story has come to an end. You can learn about the operation of cellular networks in more detail, and from the practical side, in the series of articles Getting to know OsmocomBB as soon as I finish the remaining parts. I hope I was able to tell you something new and interesting. I look forward to your feedback and comments!

Chapter 1. DIGITAL CELLULAR MOBILE RADIO COMMUNICATION SYSTEM GSM STANDARD

1.1. General characteristics of the GSM standard

In accordance with the 1980 CEPT recommendation on the use of the mobile spectrum in the 862-960 MHz range, the GSM standard for a digital pan-European (global) cellular land mobile system provides for transmitters operating in two bands: 890-915 MHz for mobile station (MS) transmitters and 935-960 MHz for base station (BTS) transmitters.

GSM uses narrowband time division multiple access (NB-TDMA). The TDMA frame contains 8 timeslots on each of the 124 carriers.

To protect against errors on the radio channel, block and convolutional coding with interleaving are used. The efficiency of coding and interleaving at low mobile speeds is improved by slow frequency hopping (SFH) during a session at a rate of 217 hops per second.

To combat fading caused by multipath propagation in urban environments, the equipment uses equalizers that compensate for delay spread with a standard deviation of up to 16 μs.

The synchronization system compensates for absolute signal delays of up to 233 μs, which corresponds to a maximum range, or maximum cell radius, of 35 km.

GSM uses Gaussian minimum shift keying (GMSK). Speech is handled with discontinuous transmission (DTX), which turns the transmitter on only when speech is present and off during pauses and at the end of the conversation. The speech coder is a regular pulse excitation / long-term prediction linear predictive codec (RPE-LTP). The combined rate of coded speech and signalling is 13 kbit/s.

The GSM standard provides a high degree of transmission security: messages on the radio path are encrypted with a stream cipher of the A5 family, keyed by a session key derived on both sides from the subscriber's secret key Ki.

In general, a GSM communication system is designed for use in many fields. It provides users with a wide range of services and the ability to use a variety of equipment for transmitting voice and data, calling and emergency signals, and connects to public switched telephone networks (PSTN), data networks (PDN) and integrated services digital networks (ISDN).

Main characteristics of the GSM standard

Mobile station transmit / base station receive frequencies, MHz: 890-915
Mobile station receive / base station transmit frequencies, MHz: 935-960
Duplex spacing between receive and transmit frequencies, MHz: 45
Bit rate in the radio channel, kbit/s: 270.833
Speech codec rate, kbit/s: 13
Channel bandwidth, kHz: 200
Maximum number of radio carriers: 124
Maximum number of channels per base station: 16-20
Modulation: GMSK
Modulation index (BT product): 0.3
Bandwidth of the pre-modulation Gaussian filter, kHz: 81.2
Frequency hops per second: 217
Time separation between transmit and receive timeslots of the TDMA frame for a mobile station, slots: 2
Speech codec: RPE/LTP
Maximum cell radius, km: up to 35
Channel organization: combined TDMA/FDMA

1.2. Block diagram and composition of communication network equipment

The functional structure and interfaces adopted in GSM are illustrated by the block diagram in Fig. 1.1, where MSC (Mobile Switching Center) is the mobile switching centre; BSS (Base Station System) is the base station equipment; OMC (Operations and Maintenance Center) is the operation and maintenance centre; and MS (Mobile Stations) are the mobile stations.

The functional elements of the system are interconnected by a number of interfaces. All network components in GSM interact according to the CCITT Signalling System No. 7 (SS7).

A mobile switching center serves a group of cells and provides all types of connections that a mobile station needs to operate. The MSC is similar to an ISDN switching station and is the interface between fixed networks (PSTN, PDN, ISDN, etc.) and the mobile network. It provides call routing and call control features. In addition to performing the functions of a conventional ISDN switching station, the MSC is assigned the functions of switching radio channels. These include “handover,” which maintains continuity of communication as a mobile station moves from cell to cell, and switching operating channels within a cell when interference or failure occurs.

Each MSC provides service to mobile subscribers located within a certain geographical area (for example, Moscow and the region). The MSC manages call setup and routing procedures. For the public switched telephone network (PSTN), the MSC provides SS N 7 signaling, call forwarding, or other interfaces as required by the specific project.

MSC generates the data necessary to issue invoices for communication services provided by the network, accumulates data on completed conversations and transmits them to the billing center. MSC also compiles statistical data necessary for monitoring and optimizing the network.

The MSC also supports security procedures used to control access to radio channels.

The MSC not only takes part in call control but also manages location registration and handover procedures, except for handovers handled entirely within the base station subsystem (BSS). Location registration of mobile stations is needed to deliver calls to moving mobile subscribers from subscribers of the public telephone network or from other mobile subscribers. The handover procedure keeps the connection and the conversation alive as the mobile station moves from one service area to another. Handover between cells controlled by a single base station controller (BSC) is handled by that BSC; handover between cells controlled by different BSCs is controlled primarily by the MSC. The GSM standard also provides procedures for handover between areas (controllers) belonging to different MSCs. The switching centre continuously tracks mobile stations using the Home Location Register (HLR) and the Visitor Location Register (VLR). The HLR stores the part of the location information that allows the switching centre to deliver a call to the station, and it contains the International Mobile Subscriber Identity (IMSI), which is used to identify the mobile station in the authentication centre (AUC) (Fig. 1.2, 1.3).

Composition of temporary data stored in HLR and VLR

In practice, the HLR is the reference database of subscribers permanently registered on the network. It holds their identification numbers and addresses, their authentication parameters, the set of services they subscribe to and special routing information. The subscriber's roaming data is recorded there too, including the Temporary Mobile Subscriber Identity (TMSI) and the associated VLR.

The data in the HLR is remotely accessible to all MSCs and VLRs of the network. If the network has several HLRs, each subscriber has exactly one record, so each HLR holds a specific part of the network's overall subscriber database. The database is accessed by IMSI or by MSISDN (the subscriber's number in the ISDN numbering plan), and it can also be accessed by MSCs or VLRs of other networks when providing inter-network roaming.

The second main device providing control over the movement of a mobile station from zone to zone is the Visitor Location Register (VLR). It allows a mobile station to operate outside the area controlled by its HLR. When a moving mobile station passes from the coverage area of one base station controller (BSC), which groups a set of base stations, into that of another BSC, it is registered by the new BSC and information about the location area number is entered into the VLR, which ensures delivery of calls to the mobile station. To keep the data held in the HLR and VLR safe in case of failures, the memory devices of these registers are protected.

The VLR contains the same data as the HLR, however this data is only contained in the VLR as long as the subscriber is in the area controlled by the VLR.

In a GSM network, cells are grouped into location areas (LA), each with its own identifier (LAC). Each VLR holds data about subscribers in several LAs. When a mobile subscriber moves from one LA to another, its location data is automatically updated in the VLR. If the old and new LAs are controlled by different VLRs, the data in the old VLR is erased after being copied to the new one, and the subscriber's current VLR address held in the HLR is updated as well.

The VLR also assigns the Mobile Station Roaming Number (MSRN). When a call arrives for a mobile station, the VLR selects its MSRN and passes it to the MSC, which routes the call to the base stations near the mobile subscriber.

The VLR also allocates handover numbers when a connection is transferred from one MSC to another. In addition, the VLR manages the allocation of new TMSIs and forwards them to the HLR, and it manages the authentication procedures during call processing. At the operator's discretion the TMSI may be changed periodically to make subscriber identification harder. The VLR database can be accessed by IMSI, TMSI or MSRN. In general, the VLR is a local database of the mobile subscribers present in its area, which avoids constant queries to the HLR and reduces call-handling time.

To prevent unauthorized use of the system's resources, authentication mechanisms (verification of the subscriber's identity) are introduced. The authentication centre (AUC) consists of several blocks and generates the keys and authentication algorithms; with its help the subscriber's credentials are checked and access to the network is granted. The AUC decides on the parameters of the authentication procedure and determines the subscriber stations' encryption keys from its own database of subscriber keys. (The Equipment Identification Register, EIR, described below, holds data about the handsets, not about the subscribers.)

Each mobile subscriber, for as long as he uses the system, receives a standard subscriber identity module (SIM) which contains the international subscriber identity (IMSI), the subscriber's individual authentication key (Ki) and the authentication algorithm (A3), together with the A8 algorithm that derives the cipher key.

Using the information stored in the SIM, a full authentication cycle is carried out through an exchange of data between the mobile station and the network, after which the subscriber is granted access to the network.

The network verifies the subscriber's authenticity as follows. The network sends a random number (RAND) to the mobile station, which computes a signed response (SRES) from it using Ki and the A3 algorithm:

SRES = A3(Ki, RAND)

The mobile station sends the computed SRES to the network, which compares it with the SRES it has computed itself. If the two values match, the mobile station is allowed to start transmitting messages; otherwise the connection is dropped and the mobile station's display shows that identification has failed. For secrecy, SRES is computed inside the SIM; the secret information (for example Ki) is never processed outside the SIM module.

The EIR, the equipment identification register, holds a centralized database for verifying the international mobile equipment identity (IMEI) of a mobile station. This database concerns only the mobile station equipment. It consists of lists of IMEI numbers organized as follows:

WHITE LIST - IMEI numbers known to belong to authorized mobile stations.

BLACK LIST - IMEI numbers of mobile stations that are stolen or denied service for any other reason.

GREY LIST - IMEI numbers of mobile stations with problems identified by the software which are not grounds for inclusion in the black list.

The EIR database is remotely accessed by MSCs of this network, as well as MSCs of other mobile networks.

As with the HLR, a network may have more than one EIR, each managing specific groups of IMEIs. The MSC includes a translator which, given an IMEI, returns the address of the EIR that controls the corresponding part of the equipment database.

The IWF, the interworking function, is a component of the MSC. It gives subscribers access to protocol and data-rate conversion facilities so that data can be exchanged between GSM data terminal equipment (DTE) and ordinary fixed-network terminal equipment. It also "selects" a modem from its modem bank to pair with the corresponding fixed-network modem, and provides point-to-point interfaces for customer-supplied equipment such as X.25 packet assembler/disassemblers (PAD).

The EC, the echo canceller, is used in the MSC on the PSTN side for all telephone channels (regardless of their length) because of the physical propagation delays in GSM networks, including the radio channel. A typical echo canceller provides 68 ms of cancellation between the EC output and the fixed telephone network. The total round-trip delay in the GSM channel caused by signal processing, speech encoding/decoding, channel coding and so on is about 180 ms. This delay would go unnoticed by the mobile subscriber were it not for the hybrid transformer in the telephone channel that converts the path from two-wire to four-wire operation; it has to be installed in the MSC, since the standard connection to the PSTN is two-wire. When two fixed-network subscribers are connected there is no echo. Without the EC, the delay in the GSM path would annoy subscribers, interrupt speech and distract attention.

OMC - operation and maintenance centre, the central element of the GSM network; it provides control and management of the other network components and monitors the quality of their operation. The OMC connects to the other components of the GSM network via packet channels using the X.25 protocol. The OMC processes alarm signals intended to alert maintenance personnel and records information about emergency situations in other network components. Depending on the nature of the fault, the OMC allows it to be cleared automatically or with the active intervention of personnel. The OMC can check the status of network equipment and trace the progress of a call to a mobile station. The OMC also manages the load on the network: its management function collects statistical load data from GSM network components, records it in disk files and displays it for visual analysis. The OMC manages software changes and the configuration databases of network elements. Software can be loaded from the OMC into other network elements or from them into the OMC.

NMC - network management centre, provides rational hierarchical management of the GSM network. It provides operation and maintenance at the level of the entire network, supported by the OMCs responsible for the regional networks. The NMC manages traffic across the whole network and provides dispatch control during complex emergencies such as node failure or overload. It also monitors the status of the automatic control devices in the network equipment and displays the network status for NMC operators. This lets operators watch regional problems and, if necessary, assist the OMC responsible for a particular region. In this way the NMC staff know the status of the entire network and can instruct OMC staff to change strategy to solve a regional problem.

The NMC focuses on signalling routes and connections between nodes in order to prevent network congestion. It also controls the connection routes between the GSM network and the PSTN so that congestion does not propagate between networks. NMC personnel coordinate network management issues with the personnel of other NMCs. The NMC also provides traffic management for base station subsystem (BSS) equipment. In extreme situations NMC operators can apply control procedures such as "priority access", under which only high-priority subscribers (emergency services) can access the system.

The NMC can take over responsibility for a region when the local OMC is unattended, with the OMC then acting as a transit point between the NMC and the network equipment. The NMC provides its operators with functions similar to those of the OMC.

NMC is also an important tool for network planning, since NMC monitors the network and its operation at the network level, and therefore provides network planners with data that determines its optimal development.

BSS - base station equipment, consists of a base station controller (BSC) and base transceiver stations (BTS). The base station controller can control several transceiver units. The BSS manages the allocation of radio channels, monitors connections, regulates their queue, provides frequency hopping mode, signal modulation and demodulation, message encoding and decoding, speech encoding, bit rate adaptation for speech, data and call, determines the order of transmission of paging messages.

BSS together with MSC, HLR, VLR performs some functions, for example: channel release is mainly under the control of MSC, but MSC can request the base station to ensure channel release if the call fails due to radio interference. The BSS and MSC jointly provide priority information transmission for certain categories of mobile stations.

TCE - transcoder equipment, converts the output signals of the MSC voice and data channels (64 kbit/s PCM) into the form required by the GSM recommendations for the air interface (GSM Rec. 04.08). Under these requirements, digitised speech is transmitted at 13 kbit/s; this digital voice channel is called "full-rate". The standard also provides for the future use of a half-rate speech channel (6.5 kbit/s).

The rate reduction is achieved by a speech codec that combines linear predictive coding (LPC), long-term prediction (LTP) and regular pulse excitation (RPE); the scheme is known as RPE-LTP and belongs to the family of residual-excited linear prediction (RELP) coders.

The transcoder is usually co-located with the MSC; the digital streams towards the base station controller (BSC) are then formed by padding the 13 kbit/s stream with additional bits (stuffing) up to 16 kbit/s, after which four such streams are multiplexed into one standard 64 kbit/s channel. This forms the 30-channel PCM line defined in the GSM Recommendations, carrying 120 voice channels. Time slot 16 (64 kbit/s) is set aside for signalling and usually carries SS7 or LAPD traffic; another 64 kbit/s slot can carry data packets conforming to the CCITT X.25 protocol.

Thus, the resulting transmission speed over the specified interface is 30x64 kbit/s + 64 kbit/s + 64 kbit/s = 2048 kbit/s.

MS - mobile station, the equipment by which GSM subscribers access existing fixed telecommunication networks. The GSM standard defines five classes of mobile station, from the class 1 vehicle-mounted model with an output power of 20 W to the portable class 5 model with a maximum power of 0.8 W (Table 1.1). During transmission the transmitter power is adjusted adaptively to maintain the required quality of communication.

The mobile subscriber and the station are independent of each other. As already noted, each subscriber has an international identity (IMSI) recorded on a smart card (SIM). This is what allows telephones to be installed, for example, in taxis and rental cars and used by different subscribers. Each mobile station is also assigned its own international equipment identity (IMEI). This number is used to prevent a stolen or unauthorised station from accessing GSM networks.

Table 1.1. Mobile station power classes

Power class   Maximum transmit power   Permissible deviation
1             20 W                     1.5 dB
2             8 W                      1.5 dB
3             5 W                      1.5 dB
4             2 W                      1.5 dB
5             0.8 W                    1.5 dB

1.3. Network and radio interfaces

When designing digital cellular mobile communication systems of the GSM standard, three types of interfaces are considered: for connecting to external networks; between different equipment of GSM networks; between the GSM network and external equipment. All existing internal interfaces of GSM networks are shown in the block diagram of Fig. 1.1. They fully comply with the requirements of the ETSI/GSM Recommendations 03.02.

Interfaces with external networks

PSTN connection

The connection to the public telephone network is made by the MSC via 2 Mbit/s lines using Signalling System No. 7 (SS7). The electrical characteristics of the 2 Mbit/s interface comply with CCITT Recommendation G.732.

ISDN connection

For connection to ISDN networks, four 2 Mbit/s lines are provided, supported by SS7 signalling and meeting the CCITT Blue Book Recommendations Q.701-Q.710, Q.711-Q.714, Q.716, Q.781, Q.782, Q.791, Q.795, Q.761-Q.764 and Q.766.

Connection to existing NMT-450 network

The mobile switching centre connects to the NMT-450 network via four standard 2 Mbit/s links with SS7 signalling. In this case the CCITT Yellow Book Recommendations on the Telephone User Part (TUP) and the Message Transfer Part (MTP) must be met. The electrical characteristics of the 2 Mbit/s line comply with CCITT Recommendation G.732.

Connections to international GSM networks

At present the GSM network in Moscow is being connected to the pan-European GSM networks. These connections are based on the Signalling Connection Control Part (SCCP) of SS7 and on a gateway mobile switching centre (GMSC).

Internal GSM interfaces

The interface between the MSC and the BSS (A-interface) carries messages for BSS control, call handover and mobility management. The A-interface combines traffic channels and signalling links; the latter use the CCITT SS7 protocol. The complete specification of the A-interface is given in the 08 series of the ETSI/GSM Recommendations.

The interface between the MSC and the VLR (B-interface). When the MSC needs to determine the location of a mobile station, it queries the VLR. When a mobile station performs a location-updating procedure with the MSC, the MSC informs its VLR, which stores all changing information in its registers. This happens whenever the MS moves from one location area to another. If the subscriber requests supplementary services or changes some of his data, the MSC also informs the VLR, which records the changes and, if necessary, reports them to the HLR.

The interface between the MSC and the HLR (C-interface) provides interaction between the MSC and the HLR. The MSC may send a message to the HLR at the end of a communication session so that the call can be charged to the subscriber. When the fixed telephone network cannot set up a call to a mobile subscriber, the MSC may ask the HLR to determine the subscriber's location in order to route the call to the MS.

The interface between the HLR and the VLR (D-interface) is used to exchange data about the position of the mobile station and to control the communication process. The main service provided to the mobile subscriber is the ability to send and receive messages regardless of location, and for this the HLR must keep its data up to date. The VLR informs the HLR of the MS's position, tracks it and reassigns numbers to it while roaming, and sends all the data needed to serve the mobile station.

The interface between MSCs (E-interface) provides interaction between different MSCs during the handover procedure, the "transfer" of a subscriber from one zone to another as he moves during a communication session, without interrupting it.

The interface between the BSC and the BTS (A-bis interface) is defined by the ETSI/GSM Recommendations for connection establishment and equipment control; transmission uses digital streams at 2.048 Mbit/s, and a 64 kbit/s physical interface may also be used.

The interface between the BSC and the OMC (O-interface) is intended for communication between the BSC and the OMC, used in networks with packet switching CCITT X.25.

The internal BSC interface of the base station controller provides communication between various BSC equipment and transcoding equipment (TCE); uses the PCM transmission standard of 2.048 Mbit/s and allows you to organize one channel at 64 kbit/s from four channels with a speed of 16 kbit/s.

The interface between MS and BTS (Um radio interface) is defined in series 04 and 05 of the ETSI/GSM Recommendations.

The network interface between the OMC and the network, the so-called control interface between the OMC and network elements, is defined by ETSI/GSM Recommendation 12.01 and is analogous to the Q.3 interface, which is defined in the ISO OSI layered open network model.

The network connection to the OMC can be provided by the CCITT SS N7 signaling system or the X.25 network protocol. An X.25 network can connect to internetworks or to PSDN in open or closed mode.

The GSM network and service management protocol must also satisfy the requirements of the Q.3 interface, which is defined in ETSI/GSM Recommendation 12.01.

Interfaces between the GSM network and external equipment

The interface between the MSC and the service center (SC) is required to implement the short message service. It is defined in ETSI/GSM Recommendation 03.40.

Interface to other OMCs. Each operation and maintenance centre must be connected to the OMCs that manage the networks of other regions or other networks. These connections are provided by X interfaces in accordance with CCITT Recommendation M.30. The OMC interface is also used to interact with higher-level networks.

1.4. Structure of services and data transmission in the GSM standard

The GSM standard contains two classes of services: bearer services and teleservices. Bearer services provide: asynchronous duplex data transmission at 300, 600, 1200, 2400, 4800 and 9600 bit/s over the public telephone network; synchronous duplex data transmission at 1200, 2400, 4800 and 9600 bit/s over public telephone networks, circuit-switched public data networks (CSPDN) and ISDN; adapter access to asynchronous packet data transmission at standard rates of 300-9600 bit/s via public switched packet data networks (PSPDN), for example Datex-P; and synchronous duplex access to packet data networks at standard rates of 2400-9600 bit/s.

When transmitting data at 9.6 kbit/s, the full data rate link is always used. In case of transmission at speeds below 9.6 kbit/s, half-speed communication channels can be used.

The listed functions of data transmission channels are provided for terminal equipment that uses CCITT interfaces with V.24 or X.21 series specifications. These specifications address issues related to data transmission over conventional telephone communication channels. Teleservices provide the following services:

1) telephone communication (combined with an alarm service: apartment security, distress signals, etc.);

2) transmission of short messages;

3) access to the services "Videotex", "Teletex";

4) Telefax service (group 3).

Additionally, a wide range of special services have been standardized (call transfer, notifications about tariff costs, inclusion in a closed user group).

Since most subscribers are expected to use GSM services for business purposes, special attention is paid to the security aspects and quality of services provided.

The block diagram of communication services in GSM PLMN is shown in Fig. 1.4 (GSM PLMN - GSM Public Land Mobile Network - communication network with ground mobile objects; TE (Terminal Equipment) - terminal equipment, MT (Mobile Terminal) - mobile terminal, IWF (Interworking Function) - internetwork functional interface). Data transmission also includes a new type of service used in GSM - short message transmission (transmission of service alphanumeric messages for individual groups of users).

Short messages use the bandwidth of the signalling channels. Messages can be sent and received by the mobile station, and the common control channels can be used to carry them. A message is limited to 160 characters and can be received during a call or in idle mode.

The functions of the mobile station include: control of radio channels, protection against errors in the radio channel, speech encoding and decoding, monitoring and distribution of user data and calls, adaptation of the transmission rate between the radio channel and the data terminal, support of several terminals (loads) in parallel, and continuity of operation while moving.

Three types of mobile termination are used: MT0 (Mobile Termination 0) - a self-contained mobile station that includes a data terminal able to transmit and receive data and speech; MT1 (Mobile Termination 1) - a mobile station with an ISDN terminal interface; MT2 (Mobile Termination 2) - a mobile station with a terminal interface using the CCITT V- or X-series protocols.

Terminal equipment may consist of one or more types of equipment, such as a handset with a dialer, data transmission equipment (DTE), telex, etc.

The following types of terminals are distinguished: TE1 (Terminal Equipment 1) - terminal equipment that provides communication with ISDN; TE2 (Terminal Equipment 2) - terminal equipment that provides communication with any equipment via CCITT V or X series protocols (does not provide communication with ISDN). Terminal TE2 can be connected as a load to MT1 (mobile station with ISDN capability) via adapter TA.

The system of characteristics of the GSM standard, the adopted functional diagram of communication networks and a set of interfaces provide high parameters for message transmission, compatibility with existing and future information networks, and provide subscribers with a wide range of digital communication services.

1.6. Structure of TDMA frames and signal generation in the GSM standard

As a result of the analysis of various options for constructing digital cellular mobile communication systems (CMCS), the GSM standard adopted time division multiple access (TDMA). The general structure of time frames is shown in Fig. 1.6. The length of the sequence period in this structure, which is called a hyperframe, is equal to Tg = 3 hours 28 minutes 53 s 760 ms (12533.76 s). A hyperframe is divided into 2048 superframes, each of which has a duration Te = 12533.76/2048 = 6.12 s.

A superframe consists of multiframes. To organize various communication and control channels in the GSM standard, two types of multiframes are used:

1) 26-position TDMA multiframe frames;

2) 51-position TDMA multiframe frames.

A superframe may contain 51 multiframes of the first type or 26 multiframes of the second type. The durations of multiframes are respectively:

1) Tm= 6120/51 = 120 ms;

2) Tm = 6120/26 = 235.385 ms (3060/13 ms). Duration of each TDMA frame

Tk = 120/26 = 235.385/51 = 4.615 ms (60/13 ms).

Within a hyperframe, each TDMA frame has its own sequence number (NF) from 0 to NFmax, where NFmax = (26 x 51 x 2048) - 1 = 2715647.

Thus a hyperframe consists of 2715648 TDMA frames, numbered 0 to 2715647. The need for such a long hyperframe period is explained by the requirements of the cryptographic protection process, in which the frame number NF is used as an input parameter. A TDMA frame is divided into eight time slots with a period

To = (60/13)/8 ms = 576.9 µs (15/26 ms).

Each time position is designated by a TN numbered from 0 to 7. The physical meaning of time positions, otherwise called windows, is the time during which the carrier is modulated by a digital information stream corresponding to a voice message or data.

The digital information flow is a sequence of packets placed in these time intervals (windows). Packets are formed slightly shorter than intervals, their duration is 0.546 ms, which is necessary to receive a message in the presence of time dispersion in the distribution channel.

The information message is transmitted over a radio channel at a speed of 270.833 kbit/s.

This means that the time slot of a TDMA frame contains 156.25 bits.

The duration of one information bit is 576.9 μs/156.25 = 3.69 μs.

Each time interval corresponding to the duration of a bit is designated by a BN numbered from 0 to 155; The last 1/4-bit interval is numbered 156.
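The timing hierarchy above, recomputed from the bit period, as an added example that is not code from the original text. It also shows why the frame number matters to the cipher: an absolute frame number FN is split into the T1, T2, T3 components that the synchronisation channel carries (GSM 05.02) and packed into the 22-bit COUNT value that the A5 stream cipher takes alongside Kc (GSM 03.20). The packing order T1 | T3 | T2 is the one used by real implementations; the sample frame numbers are arbitrary.

```python
"""GSM TDMA timing hierarchy and the frame-number input to the A5 cipher.

Added example, not code from the original text. Constants are the ones
quoted in the text; split_fn/join_fn follow GSM 05.02 and a5_count the
COUNT packing of GSM 03.20. Sample frame numbers are arbitrary.
"""
from fractions import Fraction

BIT_PERIOD_US = Fraction(48, 13)        # 1 / 270.833 kbit/s, ~3.69 us
BITS_PER_SLOT = Fraction(625, 4)        # 156.25 bits per time slot
SLOTS_PER_FRAME = 8
FRAMES_PER_SUPERFRAME = 26 * 51         # 1326 (one 26-MF x 51 or 51-MF x 26)
SUPERFRAMES_PER_HYPERFRAME = 2048
FRAMES_PER_HYPERFRAME = FRAMES_PER_SUPERFRAME * SUPERFRAMES_PER_HYPERFRAME


def slot_us() -> Fraction:
    return BITS_PER_SLOT * BIT_PERIOD_US            # 15/26 ms = 576.9 us


def frame_us() -> Fraction:
    return slot_us() * SLOTS_PER_FRAME              # 60/13 ms = 4.615 ms


def multiframe_ms(frames: int) -> Fraction:
    """26-frame (traffic) or 51-frame (control) multiframe length in ms."""
    return frame_us() * frames / 1000


def superframe_s() -> Fraction:
    return frame_us() * FRAMES_PER_SUPERFRAME / 1_000_000   # 6.12 s


def hyperframe_s() -> Fraction:
    return superframe_s() * SUPERFRAMES_PER_HYPERFRAME      # 12533.76 s


def split_fn(fn: int):
    """FN -> (T1, T2, T3): superframe index, position in the 26-MF, in the 51-MF."""
    if not 0 <= fn < FRAMES_PER_HYPERFRAME:
        raise ValueError("FN outside the hyperframe")
    return fn // FRAMES_PER_SUPERFRAME, fn % 26, fn % 51


def join_fn(t1: int, t2: int, t3: int) -> int:
    """Inverse of split_fn: how an MS rebuilds FN from what the SCH carries."""
    return FRAMES_PER_SUPERFRAME * t1 + 51 * ((t3 - t2) % 26) + t3


def a5_count(fn: int) -> int:
    """22-bit COUNT = T1 (11 bits) | T3 (6 bits) | T2 (5 bits)."""
    t1, t2, t3 = split_fn(fn)
    return (t1 << 11) | (t3 << 5) | t2


if __name__ == "__main__":
    print("slot", float(slot_us()), "us; frame", float(frame_us()), "us")
    print("superframe", float(superframe_s()), "s; hyperframe",
          float(hyperframe_s()), "s")
    for fn in (0, 1326, 2_715_647):
        print(fn, split_fn(fn), hex(a5_count(fn)))
```

Because COUNT is derived only from FN, the keystream produced under a given Kc repeats once the hyperframe wraps, after about 3.5 hours; that is the reason the text gives for the long hyperframe period.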

To transmit information over the traffic and control channels, correct carrier frequencies, provide time synchronisation and give access to the channel, five types of time slot (burst) are used in the TDMA frame structure: the normal burst (NB), the frequency correction burst (FB), the synchronisation burst (SB), the dummy burst (DB) and the access burst (AB).

The NB is used to transmit information over the traffic and control channels, except for the RACH access channel. It carries 114 bits of encrypted message and includes a guard period (GP) of 8.25 bits, 30.46 µs long. The 114-bit information block is divided into two independent blocks of 57 bits each, separated by a 26-bit training sequence, which is used to set the equaliser in the receiver to the characteristics of the channel at that moment.

The NB also contains two control bits (stealing flags) that indicate whether the burst carries voice or signalling information. In the latter case the traffic channel is "stolen" to carry signalling.

Between the two groups of encrypted bits in the NB there is a training sequence of 26 bits, known at the receiver. This sequence ensures:

Estimation of the frequency of occurrence of errors in binary bits based on the results of comparison of the accepted and reference sequences. During the comparison process, the RXQUAL parameter is calculated, adopted to assess the quality of communication. Of course, we are talking only about assessing the connection, and not about exact measurements, since only part of the transmitted information is checked. The RXQUAL parameter is used when entering into communication, when performing the “handover” procedure and when assessing the radio coverage area;

Estimation of the impulse response of the radio channel during the NB transmission interval for subsequent correction of the signal reception path through the use of an adaptive equalizer in the reception path;

Determination of the signal propagation delay between base and mobile stations to estimate the communication range. This information is needed so that bursts from different mobile stations do not overlap when received at the base station; mobile stations further away must therefore transmit their bursts earlier than stations close to the base station.

The FB is used for frequency synchronisation of the mobile station. All 142 bits of this burst are zero, which after GMSK modulation corresponds to an unmodulated carrier offset 1625/24 kHz (67.7 kHz) above the nominal carrier frequency. This is needed to check the operation of the transmitter and receiver at the small channel spacing (200 kHz), which is about 0.022% of the nominal 900 MHz carrier frequency. The FB contains an 8.25-bit guard period, like the normal burst. Repeated frequency correction bursts form the frequency correction channel (FCCH).

The SB is used for time synchronisation between the base and mobile stations. It consists of a 64-bit synchronisation sequence and carries the TDMA frame number and the base station identity code. This burst is transmitted together with the frequency correction burst. Repeated synchronisation bursts form the synchronisation channel (SCH).

The DB is used to establish and test the channel. Its structure is the same as that of the NB (Fig. 1.6) and it contains a 26-bit training sequence. There are no control bits in the DB and it carries no information; it only shows that the transmitter is working.

The AB is used by the mobile station to request access to a new base station. It is transmitted when a signalling channel is requested. This is the first burst the mobile station transmits, so the signal transit time has not yet been measured, and the burst therefore has a special structure. An 8-bit tail pattern is transmitted first, followed by a 41-bit synchronisation sequence that lets the base station receive the subsequent 36 encrypted bits correctly. The burst ends with a long guard period (68.25 bits, 252 µs), which provides sufficient time separation from the bursts of other mobile stations regardless of the signal travel time.

This guard interval corresponds to twice the maximum possible signal delay within a single cell and thereby sets the maximum allowable cell size. A special feature of the GSM standard is the ability to provide communications to mobile subscribers in cells with a radius of about 35 km. The propagation time of the radio signal in the forward and reverse directions is 233.3 μs.
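The burst formats and the cell-size limit described above, as an added example that is not code from the original text. The field lengths are the ones quoted (GSM 05.02); the propagation-speed constant and the sample distances are mine. It checks that every burst fills exactly one 156.25-bit slot, derives the guard times, and converts round-trip delay into the timing advance (0..63 bit periods) that the base station orders the mobile station to apply.

```python
"""GSM burst formats and the cell-size limit set by the access-burst guard time.

Added example, not code from the original text. Field lengths follow the
text (GSM 05.02); KM_PER_US and the sample distances are assumptions.
"""
from fractions import Fraction

BIT_US = Fraction(48, 13)              # one bit period, ~3.69 us
KM_PER_US = Fraction(3, 10)            # ~0.3 km per us, as used in the text
GP_SHORT = Fraction(33, 4)             # 8.25-bit guard period
GP_ACCESS = Fraction(273, 4)           # 68.25-bit guard period

# (field, length in bits); the guard period (GP) carries no modulation.
BURSTS = {
    "NB": [("tail", 3), ("data", 57), ("stealing", 1), ("training", 26),
           ("stealing", 1), ("data", 57), ("tail", 3), ("GP", GP_SHORT)],
    "FB": [("tail", 3), ("zeros", 142), ("tail", 3), ("GP", GP_SHORT)],
    "SB": [("tail", 3), ("data", 39), ("sync", 64), ("data", 39),
           ("tail", 3), ("GP", GP_SHORT)],
    "DB": [("tail", 3), ("fixed", 58), ("training", 26), ("fixed", 58),
           ("tail", 3), ("GP", GP_SHORT)],
    "AB": [("tail", 8), ("sync", 41), ("data", 36), ("tail", 3),
           ("GP", GP_ACCESS)],
}


def modulated_bits(name: str) -> int:
    """Bits actually transmitted: 148 for NB/FB/SB/DB, 88 for AB."""
    return sum(n for f, n in BURSTS[name] if f != "GP")


def slot_bits(name: str) -> Fraction:
    """Burst plus guard period; must equal the 156.25-bit slot."""
    return sum(n for _, n in BURSTS[name])


def guard_us(name: str) -> Fraction:
    return next(n for f, n in BURSTS[name] if f == "GP") * BIT_US


def round_trip_us(distance_km) -> Fraction:
    return 2 * Fraction(distance_km) / KM_PER_US


def radius_km(rt_us) -> Fraction:
    """Cell radius that a given round-trip delay corresponds to."""
    return Fraction(rt_us) * KM_PER_US / 2


def timing_advance(distance_km) -> int:
    """Bit periods the MS must advance its bursts. GSM signals 0..63, so a
    mobile beyond that range can no longer be placed in its slot."""
    ta = int(round_trip_us(distance_km) / BIT_US)
    if ta > 63:
        raise ValueError("beyond the timing-advance range (about 35 km)")
    return ta


if __name__ == "__main__":
    for name in BURSTS:
        print(name, modulated_bits(name), "bits, guard",
              float(guard_us(name)), "us, slot", float(slot_bits(name)))
    print("AB guard covers", float(radius_km(guard_us("AB"))), "km")
    for km in (1, 10, 35):
        print(km, "km -> TA", timing_advance(km))
```

The access-burst guard period (252 µs) is slightly longer than the 233.3 µs round trip for 35 km, so an unsynchronised first burst from the cell edge still lands inside its slot; once the base station has measured the delay, the ordinary 8.25-bit guard period is enough.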

The GSM structure strictly defines the time characteristics of the signal envelope emitted by packets on the channel time interval of a TDMA frame, and the spectral characteristics of the signal. The envelope time mask for signals emitted in the AB interval of a complete TDMA frame is shown in Fig. 1.7, and the envelope mask for signals NB, FB, DB and SB of a complete TDMA frame is in Fig. 1.8. Different envelope shapes of the emitted signals correspond to different durations of the AB interval (88 bits) in relation to other specified intervals of the full TDMA frame (148 bits). The standards for the spectral characteristics of the emitted signal are shown in Fig. 1.9.

One feature of signal generation in the GSM standard is the use of slow frequency hopping during a communication session. The main purpose of such hopping (SFH - Slow Frequency Hopping) is to provide frequency diversity in radio channels operating under multipath propagation. SFH is available in all networks of the standard and improves the efficiency of coding and interleaving when subscriber stations move slowly. The principle is that the message transmitted in the time slot of a TDMA frame allocated to the subscriber (577 µs) is transmitted (received) on a new fixed frequency in each subsequent frame. According to the frame structure, about 1 ms is available for retuning the frequency.

During frequency hopping, a duplex spacing of 45 MHz between the receive and transmit channels is constantly maintained. All active subscribers located in the same cell are assigned orthogonal shaping sequences, which eliminates mutual interference when subscribers in the cell receive messages. Frequency hopping sequence parameters (time-frequency matrix and starting frequency) are assigned to each mobile station during the channel establishment process. The orthogonality of frequency switching sequences in a cell is ensured by the initial frequency shift of the same (according to the generation algorithm) sequence. Adjacent cells use different shaping sequences.

The combined TDMA/FDMA channel organization scheme in the GSM standard and the principle of using slow frequency hops when transmitting messages in time frames are shown in Fig. 1.10,1.11.

For comparison, it can be noted that according to the results of experimental studies conducted on existing GSM networks, the spatial diversity of receiving antennas at the base station gives a gain of 3-4 dB.

The adopted structure of TDMA frames and the principles of signal generation in the GSM standard, combined with channel coding methods, made it possible to reduce the signal-to-interference ratio required for reception to 9 dB, whereas in analogue cellular standards it is 17-18 dB.


This article is the first in a series of articles about cellular communications. In this series, I would like to describe in detail the principles of operation of second, third and fourth generation cellular networks. The GSM standard belongs to the second generation (2G).

The first generation of cellular communications was analog and is not used now, so we will not consider it. The second generation is digital and this feature has made it possible to completely replace 1G networks. A digital signal is more noise-resistant than an analog signal, which is a major advantage in mobile radio communications. In addition, in addition to speech, the digital signal allows data transmission (SMS, GPRS). It is worth noting that this trend of switching from analogue to digital signals is characteristic not only of cellular communications.

GSM (Global System for Mobile Communications) is a worldwide standard for digital mobile communications with time-division (TDMA) and frequency-division (FDMA) channel separation. It was developed under the auspices of the European Telecommunications Standards Institute (ETSI) in the late 1980s.

GSM provides support for services:

  • GPRS data transfer
  • Voice transmission
  • Sending short messages SMS
  • Sending a fax

In addition, there are additional services:

  • Number identification
  • Call forwarding
  • Call waiting and holding
  • Conference call
  • Voice mail

GSM network architecture

Let's take a closer look at what elements the GSM network is built from and how they interact with each other.

The GSM network is divided into two systems: SS (Switching System) - switching subsystem, BSS (Base Station System) - base station system. SS performs the functions of servicing calls and establishing connections, and is also responsible for the implementation of all services assigned to the subscriber. The BSS is responsible for functions related to the air interface.

SS includes:

  • MSC (Mobile Switching Center) - GSM network switching node
  • GMSC (Gateway MSC) - a switch that handles calls from external networks
  • HLR (Home Location Register) - database of home subscribers
  • VLR (Visitor Location Register) - database of guest subscribers
  • AUC (Authentication Center) - authentication center (subscriber authentication)

BSS includes:

  • BSC (Base Station Controller) - base station controller
  • BTS (Base Transceiver Station) - transceiver station
  • MS (Mobile Station) - mobile station

Composition of the SS switching subsystem

The MSC performs the switching functions of the mobile network. It controls all incoming and outgoing calls to and from other telephone and data networks: the PSTN, ISDN, public data networks, corporate networks and the mobile networks of other operators. The MSC also runs subscriber authentication, call routing and call control. It generates the data needed to charge for the services the network provides, accumulates records of completed calls and passes them to the billing centre, and compiles the statistics needed to monitor and optimise the network. Besides call control, the MSC manages location registration and handover procedures.

In the GSM system each operator has a database holding information about all subscribers belonging to its PLMN. In one operator's network there is logically one HLR, but physically there may be many, because it is a distributed database. Subscriber information is entered into the HLR when the subscriber registers (signs a service contract) and is kept until the contract is terminated and the subscriber is removed from the register.
Stored information in HLR includes:

  • Subscriber identifiers (numbers).
  • Additional services assigned to the subscriber
  • Information about the subscriber's location, accurate to the MSC/VLR number
  • Subscriber authentication information (triplets)

HLR can be implemented as a built-in function in MSC/VLR or separately. If the HLR capacity is exhausted, then an additional HLR can be added. And in the case of organizing several HLRs, the database remains single - distributed. The subscriber data record always remains the only one. Data stored in the HLR can be accessed by MSCs and VLRs belonging to other networks as part of providing inter-network roaming to subscribers.

The VLR database contains information about all mobile subscribers currently located in the MSC service area. Thus, each MSC on the network has its own VLR. The VLR temporarily stores service information so that the associated MSC can serve all subscribers within the MSC's service area. HLR and VLR store very similar subscriber information, but there are some differences that will be discussed in the following chapters. When a subscriber moves to the service area of ​​a new MSC, the VLR connected to that MSC requests subscriber information from the HLR that stores that subscriber's data. The HLR sends a copy of the information to the VLR and updates the subscriber's location information. Once the information is updated, the MS can make outgoing/incoming connections.

To prevent unauthorized use of communication system resources, an authentication mechanism is introduced: verification of the subscriber's identity. The AUC (authentication center) consists of several blocks and generates the authentication and encryption keys (in effect, one-time passwords). With its help the MSC verifies the authenticity of the subscriber, and when a connection is established, encryption of the transmitted information is enabled on the radio interface.

Composition of the BSS base station subsystem

The BSC controls all functions related to the operation of radio channels in the GSM network. It is a switch that provides functions such as MS handover, radio channel assignment, and cell configuration data collection. Each MSC can manage multiple BSCs.

The BTS controls the radio interface with the MS. The BTS includes radio equipment such as transceivers and antennas that are needed to serve each cell in the network. The BSC controller controls multiple BTSs.

Geographical construction of GSM networks

Every telephone network needs a specific structure to route calls to the required station and on to the subscriber. In a mobile network, this structure is especially important, since subscribers move around the network, that is, they change their location and this location must be constantly monitored.

Although the cell is the basic unit of the GSM communication system, it is difficult to give it a clear definition. The term cannot be tied to an antenna or a base station, because cells come in different kinds. In general, a cell is a geographical area that is served by one or more base stations and in which one group of GSM control logical channels operates (the channels themselves will be discussed in the following chapters). Each cell is assigned a unique number called the Cell Global Identifier (CGI). In a network covering, for example, an entire country, the number of cells can be very large.

A location area (LA) is defined as a group of cells in which the mobile station will be paged. The subscriber's location within the network is associated with the LA in which the subscriber is currently located, and the corresponding location area identifier (LAI) is stored in the VLR. When an MS crosses the boundary between two cells belonging to different LAs, it transmits information about the new LA to the network. This only happens if the MS is in idle mode: the new location is not transmitted during an established connection, and the update takes place after the connection ends. If an MS crosses a boundary between cells within the same LA, it does not inform the network of its new location. When an incoming call arrives for an MS, the paging message is broadcast in all cells belonging to that LA.

The service area of an MSC consists of a number of LAs and represents the geographical portion of the network under the control of one MSC. In order to route a call to an MS, information about the MSC's service area is also needed, so the service area is also tracked and recorded in a database (the HLR).

A PLMN service area is the collection of cells served by a single operator and is defined as the area in which the operator provides radio coverage and access to its network to the subscriber. A country may have several PLMNs, one for each operator. The term roaming applies when an MS moves from one PLMN service area to another. So-called intra-network roaming is a change of MSC/VLR.

The GSM service area is the entire geographical area in which a subscriber can access the GSM network. It expands as new operators sign contracts to cooperate in serving customers. Currently the GSM service area covers, with some gaps, many countries from Ireland to Australia and from South Africa to America.

International roaming is a term that applies when an MS moves from one national PLMN to another national PLMN.

GSM frequency plan

GSM uses several frequency bands, the most common being 900, 1800 and 1900 MHz. The 900 MHz band was the first allocated to the GSM standard and is still in use worldwide. Some countries use extended frequency bands to provide greater network capacity. The extended bands are called E-GSM and R-GSM, while the regular band is called P-GSM (primary).

  • P-GSM900 890-915/935-960 MHz
  • E-GSM900 880-915/925-960 MHz
  • R-GSM900 890-925/935-970 MHz
  • R-GSM1800 1710-1785/1805-1880 MHz

In 1990, to increase competition between operators, the UK began to develop a new version of GSM adapted to the 1800 MHz range. Immediately after the approval of this range, several countries applied to use it. Its introduction increased the number of operators, leading to greater competition and, accordingly, improved quality of service. The use of this range allows the network capacity to be increased by widening the bandwidth and, accordingly, increasing the number of carriers. GSM 1800 uses the frequency ranges 1710-1785/1805-1880 MHz. Until 1997, the 1800 standard was called Digital Cellular System (DCS) 1800 MHz; it is now called GSM 1800.
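As an added example (not part of the original article), the following Python maps a GSM channel number (ARFCN) to its uplink/downlink carrier pair for the bands listed above and cross-checks the result against the band edges quoted in the text. The ARFCN ranges and the 45 MHz / 95 MHz duplex spacings follow the GSM 05.05 channel numbering and are an assumption here, since the text itself gives only the band edges.

```python
from dataclasses import dataclass

SPACING_KHZ = 200  # GSM carrier spacing; all arithmetic in kHz integers to avoid float drift


@dataclass(frozen=True)
class Band:
    name: str
    arfcn_ranges: tuple   # inclusive (lo, hi) ARFCN ranges valid in this band
    uplink_khz: tuple     # uplink band edges as quoted in the text
    downlink_khz: tuple   # downlink band edges as quoted in the text
    duplex_khz: int       # downlink carrier = uplink carrier + duplex spacing


# Band edges come from the list above; ARFCN ranges and duplex spacings are the
# GSM 05.05 channel numbering (assumption: the text itself does not state them).
BANDS = {
    "P-GSM900": Band("P-GSM900", ((1, 124),), (890_000, 915_000), (935_000, 960_000), 45_000),
    "E-GSM900": Band("E-GSM900", ((0, 124), (975, 1023)), (880_000, 915_000), (925_000, 960_000), 45_000),
    "GSM1800": Band("GSM1800", ((512, 885),), (1_710_000, 1_785_000), (1_805_000, 1_880_000), 95_000),
}


def _valid(band: Band, arfcn: int) -> bool:
    return any(lo <= arfcn <= hi for lo, hi in band.arfcn_ranges)


def uplink_khz(band_name: str, arfcn: int) -> int:
    """Uplink carrier (MS -> BTS) in kHz for an ARFCN of the named band."""
    band = BANDS[band_name]
    if not _valid(band, arfcn):
        raise ValueError(f"ARFCN {arfcn} is not valid in {band_name}")
    if band_name.endswith("900"):
        # E-GSM extension channels 975..1023 lie below 890 MHz, so n wraps negative
        n = arfcn - 1024 if arfcn >= 975 else arfcn
        return 890_000 + SPACING_KHZ * n
    return 1_710_200 + SPACING_KHZ * (arfcn - 512)


def carrier_mhz(band_name: str, arfcn: int) -> tuple:
    """(uplink, downlink) carrier frequencies in MHz for one ARFCN."""
    up = uplink_khz(band_name, arfcn)
    return up / 1000, (up + BANDS[band_name].duplex_khz) / 1000


def bands_for(arfcn: int) -> list:
    """An ARFCN alone is ambiguous: 1..124 is valid in both P-GSM and E-GSM,
    so a receiver must also know which band it is tuned to."""
    return [b.name for b in BANDS.values() if _valid(b, arfcn)]


def carriers_within_band_edges(band_name: str) -> bool:
    """Cross-check the formula against the edges quoted in the text: every carrier,
    plus half a channel on each side, must fit inside the band."""
    band = BANDS[band_name]
    half = SPACING_KHZ // 2
    for lo, hi in band.arfcn_ranges:
        for arfcn in range(lo, hi + 1):
            up = uplink_khz(band_name, arfcn)
            down = up + band.duplex_khz
            if not band.uplink_khz[0] + half <= up <= band.uplink_khz[1] - half:
                return False
            if not band.downlink_khz[0] + half <= down <= band.downlink_khz[1] - half:
                return False
    return True
```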

In 1995, the concept of PCS (Personal Cellular System) was specified in the USA. The main idea of this concept is the ability to provide personal communication, that is, communication between two subscribers rather than between two mobile stations. PCS does not require that these services be implemented on cellular technology, but this technology is currently recognized as the most effective for this concept. The frequencies available for PCS implementation are in the 1900 MHz region. Since GSM 900 cannot be used in North America because that frequency band is occupied by another standard, GSM 1900 is an option to fill this gap. The main difference between the US standard GSM 1900 and GSM 900 is that GSM 1900 supports ANSI signaling.

Traditionally, the 800 MHz band has been occupied by the TDMA standard (AMPS and D-AMPS) common in the United States. As in the case of the GSM 1800 standard, this standard makes it possible to obtain additional licenses, that is, it expands the scope of the standard on national networks, providing operators with additional capacity.

GSM networks. A look from the inside.

A little history

At the dawn of mobile communications (and this was not so long ago, in the early eighties), Europe was covered with analogue networks of various standards: Scandinavia developed its own systems, Great Britain its own... It is hard to say now who initiated the revolution that followed very soon: the "top", in the form of equipment manufacturers forced to develop separate devices for each network, or the "bottom", in the form of users dissatisfied with the limited coverage area of their phones. One way or another, in 1982 the European Commission for Telecommunications (CEPT) created a special group to develop a fundamentally new, pan-European mobile communications system. The main requirements for the new standard were efficient use of the frequency spectrum, automatic roaming, improved speech quality and protection against unauthorized access compared with previous technologies, and, obviously, compatibility with other existing communication systems (including wired ones), etc.

The fruit of the hard work of many people from different countries (to be honest, I can’t even imagine the amount of work they did!) was the specification of a pan-European mobile communications network presented in 1990, called Global System for Mobile Communications or just GSM. And then everything flashed like in a kaleidoscope - the first GSM operator accepted subscribers in 1991, by the beginning of 1994, networks based on the standard in question already had 1.3 million subscribers, and by the end of 1995 their number increased to 10 million! Truly, “GSM is sweeping the planet” - currently about 200 million people have phones of this standard, and GSM networks can be found all over the world.

Let's try to figure out how GSM networks are organized and on what principles they operate. I’ll say right away that the task ahead is not an easy one, however, believe me, as a result we will receive true pleasure from the beauty of the technical solutions used in this communication system.

Two very important issues will remain outside the scope of this article: firstly, the time-frequency division of channels (you can familiarize yourself with this), and secondly, the systems for encrypting and protecting transmitted speech (this is such a specific and extensive topic that, perhaps, a separate article will be devoted to it in the future).

The main parts of the GSM system, their purpose and interaction with each other.

Let's start with the most difficult and, perhaps, boring part: the skeleton (or, as they say at the military department of my alma mater, the block diagram) of the network. In the description I will use the English-language abbreviations accepted throughout the world, while of course giving their Russian interpretation.

Take a look at fig. 1:

Fig.1 Simplified GSM network architecture.

The simplest part of the block diagram, the portable telephone, consists of two parts: the "handset" itself, the ME (Mobile Equipment), and the SIM smart card (Subscriber Identity Module), obtained when concluding a contract with the operator. Just as every car has a unique body number, a cell phone has its own number, the IMEI (International Mobile Equipment Identity), which can be transmitted to the network on request (you can find out more details about the IMEI). The SIM, in turn, contains the so-called IMSI (International Mobile Subscriber Identity). I think the difference between IMEI and IMSI is clear: the IMEI corresponds to a specific phone, and the IMSI to a specific subscriber.

The "central nervous system" of the network is the NSS (Network and Switching Subsystem), and the component that performs the functions of the "brain" is called the MSC (Mobile services Switching Center). It is the latter that is casually (sometimes with reverence) called "the switch" and, in case of communication problems, blamed for all mortal sins. There may be more than one MSC in a network (here the analogy with multiprocessor computer systems is very appropriate); for example, at the time of writing, the Moscow operator Beeline was introducing a second switch (manufactured by Alcatel). The MSC deals with call routing, generation of data for the billing system, and manages many procedures; it is easier to say what is NOT the responsibility of the switch than to list all its functions.

The next most important network components, also part of the NSS, are the HLR (Home Location Register) and the VLR (Visitor Location Register). Pay attention to these parts; we will mention them often. The HLR, roughly speaking, is a database of all subscribers who have a contract with the network in question. It stores information about user numbers (numbers meaning, firstly, the above-mentioned IMSI and, secondly, the so-called MSISDN, Mobile Subscriber ISDN number, i.e. the telephone number in its usual sense), a list of available services and much more; the parameters held in the HLR are listed further in the text.

Unlike the HLR, of which there is only one in the system, there may be several VLRs, each controlling its own part of the network. A VLR contains data about the subscribers located on its (and only its!) territory, and it serves not only its own operator's subscribers but also roamers registered on the network. As soon as a user leaves the coverage area of some VLR, information about him is copied to the new VLR and removed from the old one. In fact, what the VLR and the HLR hold about a subscriber has a lot in common: look at the tables, which list the long-term (Table 1) and temporary (Tables 2 and 3) subscriber data stored in these registers. Once again I draw the reader's attention to the fundamental difference between the HLR and the VLR: the first contains information about all subscribers of the network regardless of their location, and the second contains data only about those who are within the territory under that VLR's jurisdiction. For each subscriber, the HLR always holds a link to the VLR currently serving him (and that VLR may belong to another network, located, for example, on the other side of the Earth).

1. International subscriber identification number (IMSI)
2. The subscriber's telephone number in the usual sense (MSISDN)
3. Mobile station category
4. Subscriber identification key (Ki)
5. Types of provision of additional services
6. Closed user group index
7. Lock code for a closed user group
8. Composition of the main calls that can be transferred
9. Caller alert
10. Called number identification
11. Schedule
12. Called party notification
13. Signaling control when connecting subscribers
14. Characteristics of a closed user group
15. Benefits of a closed user group
16. Restricted outgoing calls in a closed user group
17. Maximum number of subscribers
18. Passwords used
19. Priority access class
Table 1. Complete composition of long-term data stored in the HLR and VLR.
1. Authentication and encryption parameters
2. Temporary mobile subscriber number (TMSI)
3. Address of the visitor location register in which the subscriber is located (VLR)
4. Mobile station movement zones
5. Handover cell number
6. Registration status
7. No-answer timer
8. Composition of currently used passwords
9. Communication activity
Table 2. Complete composition of temporary data stored in the HLR.
Table 3. Complete composition of temporary data stored in the VLR.

The NSS contains two more components: the AuC (Authentication Center) and the EIR (Equipment Identity Register). The first block is used for subscriber authentication procedures, and the second, as the name suggests, is responsible for allowing only authorized cell phones to operate on the network. The operation of these systems will be discussed in detail in the next section, devoted to subscriber registration on the network.

The executive, so to speak, part of the cellular network is the BSS (Base Station Subsystem). If we continue the analogy with the human body, this subsystem can be called the limbs. The BSS consists of several "arms" and "legs", the BSCs (Base Station Controller), and many "fingers", the BTSs (Base Transceiver Station). Base stations can be seen everywhere, in cities and fields (I almost said "and rivers"); in fact, they are simply receiving and transmitting devices containing from one to sixteen transceivers. Each BSC controls a whole group of BTSs and is responsible for the management and allocation of channels, the power level of base stations, and the like. Usually a network has not one BSC but a whole set of them (there are hundreds of base stations).

The network operation is managed and coordinated using OSS (Operating and Support Subsystem). OSS consists of all kinds of services and systems that control operation and traffic - in order not to overload the reader with information, the work of OSS will not be discussed below.

Registration on the network.

Every time you turn on the phone after selecting a network, the registration procedure begins. Let's consider the most general case - registration not in the home network, but in someone else's, so-called guest, network (we will assume that the roaming service is allowed to the subscriber).

Let the network be found. At the request of the network, the phone transmits the subscriber's IMSI. The IMSI begins with the code of the country where its owner is "registered", followed by digits identifying the home network, and only then the unique number of the specific subscriber. For example, an IMSI beginning 25099... corresponds to the Russian operator Beeline (250 = Russia, 99 = Beeline). From the IMSI, the VLR of the guest network identifies the home network and contacts its HLR. The HLR transmits all necessary information about the subscriber to the requesting VLR and stores a link to this VLR so that, if necessary, it knows "where to look" for the subscriber.

The process of verifying the subscriber's authenticity is very interesting. During registration, the AuC of the home network generates a 128-bit random number, RAND, which is sent to the phone. Inside the SIM, using the key Ki (the identification key, which, like the IMSI, is stored in the SIM) and the identification algorithm A3, a 32-bit response SRES (Signed RESult) is calculated using the formula SRES = Ki * RAND. Exactly the same calculation is performed simultaneously in the AuC (using the user's Ki selected from the HLR). If the SRES calculated in the phone matches the SRES calculated by the AuC, the authorization process is considered successful and the subscriber is assigned a TMSI (Temporary Mobile Subscriber Identity). The TMSI serves solely to increase the security of the subscriber's interaction with the network and may change periodically (including when the VLR changes).

Theoretically, the IMEI should also be transmitted during registration, but I have big doubts that Moscow operators track the IMEIs of the phones used by subscribers. Let's consider a certain "ideal" network that functions as intended by the creators of GSM. So, when the network receives the IMEI, it is sent to the EIR, where it is compared against the so-called "lists" of numbers. The white list contains the numbers of phones authorized for use; the black list consists of the IMEIs of phones that were stolen or for any other reason are not approved for use; and, finally, the gray list holds "handsets" with problems, whose operation is permitted by the system but which are constantly monitored.
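The registration sequence described in this section (IMSI to home HLR lookup, RAND/SRES challenge, TMSI assignment, IMEI check against the EIR lists), as an added Python simulation that is not part of the original article. The real A3/A8 are operator-specific, so an HMAC-SHA256 stand-in is used here as a labelled assumption; all IMSIs, keys and IMEIs are constructed, and the MCC/MNC prefix 250 99 from the text identifies the home network.

```python
import hashlib
import hmac
import secrets


def a3_a8(ki: bytes, rand: bytes):
    """Return (SRES, Kc) for a 128-bit RAND. HMAC-SHA256 is an assumption standing in for
    the operator-specific A3/A8; only the output sizes (32-bit SRES, 64-bit Kc) are GSM's."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class SIM:
    """Holds IMSI and Ki. Ki never leaves the card; only the 32-bit SRES is returned."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        return a3_a8(self._ki, rand)[0]


class AuC:
    """Authentication centre of the home network: the only other holder of each Ki."""
    def __init__(self, keys: dict):
        self._keys = keys  # imsi -> Ki

    def triplet(self, imsi: str):
        rand = secrets.token_bytes(16)  # fresh 128-bit challenge for every registration
        sres, kc = a3_a8(self._keys[imsi], rand)
        return rand, sres, kc


class HLR:
    def __init__(self, auc: AuC, profiles: dict):
        self._auc, self.profiles = auc, profiles  # imsi -> {"msisdn": ..., "vlr": None}

    def send_authentication_info(self, imsi: str):
        return self._auc.triplet(imsi) if imsi in self.profiles else None

    def update_location(self, imsi: str, vlr_id: str) -> dict:
        """Remember which VLR now serves the subscriber and hand it a copy of the profile."""
        self.profiles[imsi]["vlr"] = vlr_id
        return dict(self.profiles[imsi])


class EIR:
    """White / black / grey IMEI lists, checked in that order of severity."""
    def __init__(self, lists: dict):
        self._lists = lists  # "black" / "grey" / "white" -> set of IMEIs

    def check(self, imei: str) -> str:
        return next((k for k in ("black", "grey", "white") if imei in self._lists[k]), "unknown")


def parse_imsi(imsi: str):
    """Split an IMSI into MCC / MNC / MSIN; a 2-digit MNC is assumed (as in 250 99 above)."""
    if not (imsi.isdigit() and 6 <= len(imsi) <= 15):
        raise ValueError("malformed IMSI")
    return imsi[:3], imsi[3:5], imsi[5:]


class GuestVLR:
    """VLR of the visited network: finds the home HLR from the IMSI and runs the challenge."""
    def __init__(self, vlr_id: str, hlr_directory: dict, eir: EIR):
        self.vlr_id, self._dir, self._eir = vlr_id, hlr_directory, eir
        self.visitors = {}  # tmsi -> record of a subscriber served here

    def register(self, sim: SIM, imei: str) -> dict:
        mcc, mnc, _ = parse_imsi(sim.imsi)
        hlr = self._dir.get((mcc, mnc))
        if hlr is None:
            return {"ok": False, "reason": "unknown home PLMN"}
        triplet = hlr.send_authentication_info(sim.imsi)
        if triplet is None:
            return {"ok": False, "reason": "unknown subscriber"}
        rand, expected_sres, kc = triplet
        sres = sim.run_gsm_algorithm(rand)  # only RAND and SRES cross the radio path
        if not hmac.compare_digest(sres, expected_sres):
            return {"ok": False, "reason": "authentication failed"}
        eir_status = self._eir.check(imei)
        if eir_status == "black":
            return {"ok": False, "reason": "IMEI blacklisted"}
        profile = hlr.update_location(sim.imsi, self.vlr_id)  # HLR now points at this VLR
        tmsi = secrets.token_bytes(4)  # temporary identity used on air instead of the IMSI
        self.visitors[tmsi] = {"imsi": sim.imsi, "kc": kc, "msisdn": profile["msisdn"], "eir": eir_status}
        return {"ok": True, "tmsi": tmsi, "eir": eir_status}


# Constructed sample network: every identifier and key below is made up.
KI_A = bytes(range(16))
HOME_HLR = HLR(AuC({"250991234567890": KI_A}), {"250991234567890": {"msisdn": "79031234567", "vlr": None}})
HLR_DIRECTORY = {("250", "99"): HOME_HLR}  # 250 = Russia, 99 = Beeline, as in the text
GUEST_EIR = EIR({"white": {"350000000000010"}, "black": {"350000000000029"}, "grey": {"350000000000037"}})
GUEST_VLR = GuestVLR("VLR-guest-1", HLR_DIRECTORY, GUEST_EIR)
```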

After the identification procedure and the interaction of the guest VLR with the home HLR, a timer starts that sets the moment of re-registration in the absence of any communication sessions. Typically the mandatory re-registration period is several hours. Re-registration is necessary so that the network receives confirmation that the phone is still within its coverage area. The fact is that in standby mode the "handset" only monitors the signals transmitted by the network and does not emit anything itself; transmission begins only when a connection is established, and also during significant movements relative to the network (this will be discussed in detail below). In such cases the timer counting down to the next re-registration starts again. Therefore, if the phone "falls out" of the network (for example, the battery was disconnected, or the owner entered the subway without turning off the phone), the system will not know about it.

All users are randomly divided into 10 equal access classes (numbered from 0 to 9). In addition, there are several special classes with numbers from 11 to 15 (various emergency and rescue services, network service personnel). The access class information is stored in the SIM. A special access class, class 10, allows emergency calls (to 112) even if the user does not belong to any permitted class or has no IMSI (SIM) at all. In case of emergencies or network overload, some classes may be temporarily denied access to the network.

Territorial division of the network and handover.

As already mentioned, the network consists of many BTSs, base stations (one BTS is one "cell"). To simplify the functioning of the system and reduce service traffic, BTSs are grouped into domains called LAs (Location Areas). Each LA has its own code, the LAI (Location Area Identity), and it is the LAI that is stored in the VLR to record the location of the mobile subscriber. If necessary, the subscriber will be searched for in the corresponding LA (and not in an individual cell, note). When a subscriber moves from one cell to another within the same LA, no re-registration or change of records in the VLR/HLR is performed, but as soon as the subscriber enters the territory of another LA, the phone starts interacting with the network. Every user has probably heard periodic interference more than once (something like grunt-grunt---grunt-grunt---grunt-grunt :-)) in the music system of his car from a phone in standby mode; often this is a consequence of re-registration when crossing LA borders. When the LA changes, the old area code is erased from the VLR and replaced with the new LAI; if the next LA is controlled by another VLR, the VLR changes and the entry in the HLR is updated.

Generally speaking, dividing a network into LAs is a rather difficult engineering problem that is solved individually when building each network. LAs that are too small lead to frequent re-registration of phones and, as a result, to an increase in service signalling traffic and faster discharge of mobile phone batteries. If the LAs are made large, then when a subscriber needs to be reached, the paging signal has to be sent to all cells included in the LA, which also leads to an unjustified increase in the transmission of service information and overloading of internal network channels.

Now let's look at a very beautiful algorithm called handover (this is the name given to changing the channel in use during a connection). During a conversation on a mobile phone, for a number of reasons (the handset moving away from the base station, multipath interference, the subscriber entering a so-called shadow zone, etc.), the power (and quality) of the signal may deteriorate. In this case the connection is switched to a channel (possibly of another BTS) with better signal quality without interrupting the current call (I'll add that, as a rule, neither the subscriber nor his interlocutor notices that a handover happened). Handovers are usually divided into four types:

  • changing channels within one base station;
  • changing from a channel of one base station to a channel of another station under the same BSC;
  • switching channels between base stations controlled by different BSCs but the same MSC;
  • switching channels between base stations with not only different BSCs but also different MSCs.

In general, carrying out a handover is the task of the MSC. But in the first two cases, called internal handovers, in order to reduce the load on the switch and service lines, the channel change is controlled by the BSC, and the MSC is only informed of what happened.

During a conversation, the mobile phone constantly monitors the signal level from neighboring BTSs (the list of channels, up to 16, that need to be monitored is set by the base station). Based on these measurements, the six best candidates are selected, and data about them is constantly (at least once per second) transmitted to the BSC and MSC to organize a possible switchover. There are two main handover schemes:

  • "Lowest switching" mode (Minimum acceptable performance). In this case, when the quality of communication deteriorates, the mobile phone increases the power of its transmitter as long as possible. If, despite the increased signal level, the connection does not improve (or the power has reached its maximum), a handover takes place.
  • "Energy saving" mode (Power budget). Here the transmitter power of the mobile phone remains unchanged, and if the quality deteriorates, the communication channel is changed (handover).
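The handover decision logic described above, as an added Python example that is not part of the original article: neighbour measurements are reduced to the six best candidates, the two schemes decide between raising transmitter power and switching channels, and the target is classified into one of the four handover types (the first two being handled by the BSC). Signal levels, thresholds, the 33 dBm power ceiling and the cell/BSC/MSC topology are constructed.

```python
MAX_MONITORED = 16     # channels the BTS tells the MS to monitor (figure from the text)
MAX_REPORTED = 6       # best candidates reported towards the BSC/MSC each period
MS_MAX_POWER_DBM = 33  # constructed ceiling for the phone's transmitter in this simulation

# Constructed topology: cell -> (BSC, MSC), used only to classify the handover type.
TOPOLOGY = {"A1": ("BSC-1", "MSC-1"), "A2": ("BSC-1", "MSC-1"),
            "B1": ("BSC-2", "MSC-1"), "C1": ("BSC-3", "MSC-2")}


def best_candidates(neighbour_rxlev: dict) -> list:
    """Reduce the monitored neighbours (cell -> received level in dBm) to the six strongest."""
    if len(neighbour_rxlev) > MAX_MONITORED:
        raise ValueError("more neighbours than the BTS neighbour list allows")
    return sorted(neighbour_rxlev.items(), key=lambda kv: kv[1], reverse=True)[:MAX_REPORTED]


def handover_type(serving: str, target: str) -> dict:
    """Which of the four cases applies, and whether the BSC can handle it without the MSC."""
    if serving == target:
        kind = "intra-cell"
    elif TOPOLOGY[serving][0] == TOPOLOGY[target][0]:
        kind = "intra-BSC"
    elif TOPOLOGY[serving][1] == TOPOLOGY[target][1]:
        kind = "inter-BSC"
    else:
        kind = "inter-MSC"
    return {"type": kind, "handled_by": "BSC" if kind in ("intra-cell", "intra-BSC") else "MSC"}


class HandoverController:
    def __init__(self, scheme: str, min_rxlev_dbm: int = -100, ho_margin_db: int = 3, power_step_db: int = 2):
        if scheme not in ("minimum_performance", "power_budget"):
            raise ValueError("unknown handover scheme")
        self.scheme, self.min_rxlev = scheme, min_rxlev_dbm
        self.ho_margin, self.power_step = ho_margin_db, power_step_db

    def decide(self, serving_cell: str, serving_rxlev: int, ms_power_dbm: int, neighbour_rxlev: dict) -> dict:
        candidates = best_candidates(neighbour_rxlev)
        best_cell, best_rxlev = candidates[0] if candidates else (None, None)
        stay = {"action": "none", "ms_power_dbm": ms_power_dbm}
        if self.scheme == "power_budget":
            # transmitter power is left alone; switch as soon as a neighbour is clearly stronger
            if best_cell is not None and best_rxlev > serving_rxlev + self.ho_margin:
                return {"action": "handover", "target": best_cell, **handover_type(serving_cell, best_cell)}
            return stay
        # minimum acceptable performance: raise power first, hand over only when that no longer helps
        if serving_rxlev >= self.min_rxlev:
            return stay
        if ms_power_dbm < MS_MAX_POWER_DBM:
            return {"action": "increase_power",
                    "ms_power_dbm": min(ms_power_dbm + self.power_step, MS_MAX_POWER_DBM)}
        if best_cell is not None and best_rxlev > self.min_rxlev:
            return {"action": "handover", "target": best_cell, **handover_type(serving_cell, best_cell)}
        return stay  # nothing usable in the neighbour list: keep the channel
```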

Interestingly, a channel change can be initiated not only by the mobile phone but also by the MSC, for example, for better traffic distribution.

Call routing.

Let's now talk about how incoming mobile phone calls are routed. As before, we will consider the most general case, when the subscriber is within the coverage area of the guest network, registration was successful, and the phone is in standby mode.

A connection request from a wired telephone (or another cellular) system arrives (Fig. 2) at the MSC of the home network (the call "finds" the right switch using the dialed mobile subscriber number, MSISDN, which contains the country and network code).


Fig.2 Interaction of the main network blocks when an incoming call arrives.

The MSC forwards the subscriber's number (MSISDN) to the HLR. The HLR, in turn, makes a request to the VLR of the guest network in which the subscriber is located. The VLR selects one of the MSRNs (Mobile Station Roaming Number) at its disposal. The idea behind MSRN assignment is very similar to the dynamic assignment of IP addresses in dial-up Internet access via a modem. The home network's HLR receives from the VLR the MSRN assigned to the subscriber and passes it, together with the user's IMSI, to the home network switch. The final stage of establishing the connection is routing the call, with the IMSI and MSRN attached, to the guest network switch, which generates a special signal transmitted over the PAGCH (PAGer CHannel, the paging channel) throughout the LA in which the subscriber is located.
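As an added example (not from the original article), the following Python simulates the mobility management of the previous section together with the incoming-call routing just described: a location update is sent only on LA change (and deferred while a call is in progress), a VLR change repoints the HLR, the VLR leases an MSRN from a pool, and paging goes to every cell of the subscriber's LA. The cell/LA/VLR layout and all numbers are constructed.

```python
class VLR:
    """Visitor register: records for subscribers in its LAs plus a pool of roaming numbers."""
    def __init__(self, vlr_id: str, msrn_pool: list):
        self.vlr_id, self.records, self._pool, self._in_use = vlr_id, {}, list(msrn_pool), {}

    def allocate_msrn(self, imsi: str) -> str:
        msrn = self._pool.pop(0)  # leased per call, like a dynamically assigned IP address
        self._in_use[msrn] = imsi
        return msrn

    def resolve_msrn(self, msrn: str) -> str:
        imsi = self._in_use.pop(msrn)  # released as soon as the call has been routed
        self._pool.append(msrn)
        return imsi


class HLR:
    """Home register: one record per subscriber, pointing at the VLR currently serving it."""
    def __init__(self):
        self.serving_vlr, self.by_msisdn = {}, {}


class GsmNetwork:
    def __init__(self, cells: dict, vlrs: dict):
        self.cells, self.vlrs, self.hlr = cells, vlrs, HLR()  # cells: id -> (LAI, VLR id)
        self.stats = {"location_updates": 0, "vlr_changes": 0, "cells_paged": 0}
        self.ms = {}  # imsi -> mobile station state

    def power_on(self, imsi: str, msisdn: str, cell: str):
        lai, vlr_id = self.cells[cell]
        self.ms[imsi] = {"cell": cell, "lai": lai, "in_call": False, "deferred": False}
        self.hlr.by_msisdn[msisdn], self.hlr.serving_vlr[imsi] = imsi, vlr_id
        self.vlrs[vlr_id].records[imsi] = {"lai": lai, "msisdn": msisdn}

    def move(self, imsi: str, new_cell: str) -> str:
        ms = self.ms[imsi]
        new_lai, new_vlr = self.cells[new_cell]
        ms["cell"] = new_cell
        if new_lai == ms["lai"]:
            return "no update"  # cell change inside one LA: the MS stays silent
        if ms["in_call"]:
            ms["deferred"] = True  # LA change during a call is reported after the call ends
            return "deferred"
        self._location_update(imsi, new_lai, new_vlr)
        return "updated"

    def _location_update(self, imsi: str, lai: str, vlr_id: str):
        self.stats["location_updates"] += 1
        old_vlr = self.hlr.serving_vlr[imsi]
        if old_vlr != vlr_id:  # new LA belongs to another VLR: move the record, repoint the HLR
            self.stats["vlr_changes"] += 1
            self.vlrs[vlr_id].records[imsi] = self.vlrs[old_vlr].records.pop(imsi)
            self.hlr.serving_vlr[imsi] = vlr_id
        self.vlrs[vlr_id].records[imsi]["lai"] = lai
        self.ms[imsi]["lai"] = lai

    def start_call(self, imsi: str):
        self.ms[imsi]["in_call"] = True

    def end_call(self, imsi: str):
        ms = self.ms[imsi]
        ms["in_call"] = False
        if ms["deferred"]:
            ms["deferred"] = False
            lai, vlr_id = self.cells[ms["cell"]]
            if lai != ms["lai"]:
                self._location_update(imsi, lai, vlr_id)

    def route_incoming_call(self, msisdn: str) -> dict:
        """Home MSC -> HLR -> serving VLR (MSRN) -> guest MSC -> paging in every cell of the LA."""
        imsi = self.hlr.by_msisdn[msisdn]
        vlr = self.vlrs[self.hlr.serving_vlr[imsi]]
        msrn = vlr.allocate_msrn(imsi)  # HLR asks the VLR for a roaming number
        # the home switch forwards the call on the MSRN; the guest switch maps it back and pages the LA
        lai = vlr.records[vlr.resolve_msrn(msrn)]["lai"]
        paged = sorted(c for c, (l, _) in self.cells.items() if l == lai)
        self.stats["cells_paged"] += len(paged)
        return {"msrn": msrn, "vlr": vlr.vlr_id, "lai": lai, "paged_cells": paged}


# Constructed topology: LA-1 and LA-2 are served by VLR-A, LA-3 by VLR-B.
CELLS = {"c1": ("LA-1", "VLR-A"), "c2": ("LA-1", "VLR-A"), "c3": ("LA-2", "VLR-A"),
         "c4": ("LA-3", "VLR-B"), "c5": ("LA-3", "VLR-B")}


def build_network() -> GsmNetwork:
    return GsmNetwork(CELLS, {"VLR-A": VLR("VLR-A", ["79030000001"]),
                              "VLR-B": VLR("VLR-B", ["79040000001", "79040000002"])})
```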

Routing outgoing calls offers nothing new or interesting from a conceptual point of view. I will give just some of the diagnostic signals (Table 4) that indicate the impossibility of establishing a connection and that the user may receive in response to a connection attempt.

Table 4. Main diagnostic signals about an error when establishing a connection.

Conclusion

Of course, nothing in the world is perfect, and the GSM cellular systems discussed above are no exception. The limited number of channels creates problems in the business centers of megalopolises (and recently, with the rapid growth of the subscriber base, on their outskirts too): in order to make a call, you often have to wait for the system load to decrease. The data transfer speed, low by modern standards (9600 bps), does not allow sending large files, not to mention video. And roaming possibilities are not so limitless either: America and Japan are developing their own digital wireless communication systems, incompatible with GSM.

Of course, it’s too early to say that the days of GSM are numbered, but one cannot help but notice the appearance of so-called 3G-systems that represent the beginning of a new era in the development of cellular telephony and are devoid of the listed disadvantages. How I would like to look a few years ahead and see what opportunities we will all get from new technologies! However, the wait is not so long - the start of commercial operation of the first third-generation network is scheduled for the beginning of 2001... But what fate is in store for the new systems - explosive growth, like GSM, or ruin and destruction, like Iridium, time will tell...
