2. Top 15 Countries in Cellular Subscribers
Year-end 2005: Cellular Subscribers (#M) Share %
1. China 398 19.3
2. USA 202 9.9
3. Russia 115 5.6
4. Japan 95 4.6
5. Brazil 86 4.1
6. India 79 3.8
7. Germany 73 3.5
8. Italy 59 2.9
9. UK 58 2.8
10. France 47 2.3
11. Mexico 46 2.2
12. Turkey 40 1.9
13. Spain 39 1.9
14. South Korea 38 1.8
15. Indonesia 38 1.8
Top 15 Countries 1,414 68.5
Worldwide Total 2,065 100
3. Today, it has come a long way and is now used by over a
billion people, in over 200 countries, making it 70% of the
world’s mobile phone market.
4. Map of the world showing GSM coverage
5.  GSM criteria –
 Good subjective speech quality
 Low terminal and service cost
 Support for international roaming – one system for all
 Ability to support handheld terminals
 Support for range of new services and facilities
 Enhanced Features
 ISDN compatibility
 Enhance privacy
 Security against fraud
6.  Late 1980’s GSM work was transferred to the
European Telecommunication Standards
Institute (ETSI) and SMG (Special Mobile
Group) was created
 Document the functionality and interaction of
every aspect of the GSM network
 1987 ETSI oversees the creation of GSM MoU
(Memorandum of Understanding) Association
7.  Formal objective of the GSM MoU Association is the
promotion and evolution of the GSM systems and GSM
 Concepts of a published international standard and a
constantly evolving common standard are unique to
 Work groups throughout the world specifically designed
to allow interested parties to meet and work on finding
solutions to systems enhancements that will fit into
existing programs of GSM operators
8.  Phase I of GSM specifications was published in 1990
 International demand was so great that the system
name was changed from Groupe Special Mobile to
Global Systems for Mobile Communications (still GSM)
 Commercial service started in mid-1991
 1992 first paying customers were signed up for service
 By 1993 there were 36 GSM networks in 22 countries
 Early 1994 there were 1.3 million subscribers worldwide
 By 1996 there were more than 25 million subscribers
 By October 1997 it had grown to more than 55 million
9. Transmission techniques
 In frequency division multiple access (FDMA),
we separate radio channels or calls by
frequency, like the way broadcast radio stations
are separated by frequency. One call per
 In time division multiple access (TDMA) we
separate calls by time, one after another. Since
calls are separated by time TDMA can put
several calls on one channel.
 In code division multiple access (CDMA) we
separate calls by code, putting all the calls this
time on a single channel.
10. Building Blocks
 AMPS – Advanced Mobile Phone
 TACS – Total Access Communication
 NMT – Nordic Mobile Telephone System
11.  AMPS – Advanced Mobile Phone System
 analog technology
 used in North and South America and
approximately 35 other countries
 operates in the 800 MHz band using FDMA
12.  TACS – Total Access Communication
 variant of AMPS
 deployed in a number of countries
 primarily in the UK
13.  NMT – Nordic Mobile Telephone System
 analog technology
 deployed in Russia
 operates in the 450 and 900 MHz band
 first technology to offer international roaming –
only within the Nordic countries
14. GSM System Architecture
 Mobile Station (MS)
 Mobile Equipment (ME)
 Subscriber Identity Module (SIM)
 Base Station Subsystem (BSS)
 Base Transceiver Station (BTS)
 Base Station Controller (BSC)
 Network Subsystem
 Mobile Switching Center (MSC)
 Home Location Register (HLR)
 Visitor Location Register (VLR)
 Authentication Center (AUC)
 Equipment Identity Register (EIR)
15.  A GSM network is divided into cells.
 A group of cells is considered a location area.
 A mobile phone in motion keeps the network
informed about changes in the location area.
 If the mobile moves from a cell in one location
area to a cell in another location area, the
mobile phone should perform a location area
update to inform the network about the exact
location of the mobile phone.
 With cellular radio we use a
simple hexagon to represent a
 the geographical area covered by
cellular radio antennas are called
 Why a hexagon and not a circle
to represent cells?
 When showing a cellular system we
want to depict an area totally covered
by radio, without any gaps.
 the circles leave gaps
17. The Mobile Station is made up of two
1. Mobile Equipment (ME)
2. Subscriber Identity Module (SIM)
18. Mobile Equipment
 Produced by many different manufacturers
 Must obtain approval from the
 Uniquely identified by an IMEI
(International Mobile Equipment Identity)
19. Subscriber Identity Module (SIM)
 Smart card containing the International Mobile
Subscriber Identity (IMSI)
 Allows user to send and receive calls and receive other
 Encoded network identification details
 Protected by a password or PIN
 Authentication key Ki
 PUK – Pin Unlocking Key
 Can be moved from phone to phone – contains key
information to activate the phone
20. Base Station Subsystem is composed of two parts
that communicate across the standardized
Abis interface allowing operation between components made
by different suppliers
1. Base Transceiver Station (BTS)
2. Base Station Controller (BSC)
 Functions of BSS
 Radio resource control
 Configuration of radio channels,
 selection, allocation, deallocation of channels
 Monitoring of radio channel busy/idle status
 Encryption of radio interface
21. Base Transceiver Station (BTS)
 Houses the radio transceivers that define a cell
 Comprises all radio equipment, i.e. antennas, signal
processing, amplifiers, necessary for radio transmission
 Speech and data transmissions from the MS are
 Requirements for BTS:
22. Base Station Controller (BSC)
 Manages Resources for one or more
 Handles call set up
 Location update
 Handover for each MS
 Paging of the MS
23. Mobile Switching Center (MSC)
 Switch speech and data connections between:
Base Station Controllers
Mobile Switching Centers
Other external networks
 Heart of the network
 The main jobs:
1. connects calls from sender to receiver
2. collects details of the calls made and received
3. supervises operation of the rest of the network components
4. Echo cancellation
5. Interrogation of appropriate registers
6. Manage connections to BSS, other MSCs and PSTN/ISDN
24.  Home Location Registers (HLR)
- The HLR contains information relevant to mobile subscribers
- Two types of information are stored in the HLR:
 Ø Subscription information
 The identity code
 Directory number allocated to the subscriber
 The type of service(s) provided
 Any related restrictions.
Ø Location information
 the address of the VLR in the area where the subscriber's MS is currently located
 the address of the associated MSC.
 The location information enables incoming calls to be routed to the MS.
 When an MS moves from one VLR area to another, the location information in the
HLR is updated with the new VLR and MSC addresses.
 The VLR then creates a new entry for the MS, using subscription data copied from
25.  Visitor Location Registers (VLR)
- contains selected administrative information from
- authenticates the user
- tracks which customers have the phone on and
ready to receive a call
- periodically updates the database on which
phones are turned on and ready to receive calls
26.  Authentication Center (AUC)
- mainly used for security
- data storage location and functional part of the
- Ki is the primary element
 Equipment Identity Register (EIR)
- Database that is used to track handsets using the
IMEI (International Mobile Equipment Identity)
- Made up of three sub-classes: The White List, The
Black List and the Gray List
- Optional database
27. Basic Features Provided by GSM
 Call Waiting
 - Notification of an incoming call while on the handset
 Call Hold
 - Put a caller on hold to take another call
 Call Barring
 - All calls, outgoing calls, or incoming calls
 Call Forwarding
 - Calls can be sent to various numbers defined by the
 Multi Party Call Conferencing
 - Link multiple calls together
28. Full duplex communication example.
 since the mobile unit and
the base station both
need circuitry to transmit
on one frequency while
receiving on another.
 The two frequencies are
paired and constitute a
voice channel. Paths
indicate direction of flow.
29. Advanced Features Provided by GSM
 Calling Line ID
 - incoming telephone number displayed
 Alternate Line Service
 - one for personal calls
 - one for business calls
 Closed User Group
 - call by dialing last four numbers
 Advice of Charge
 - tally of actual costs of phone calls
 Fax & Data
 - Virtual Office / Professional Office
 - services and features can follow customer from market to market
30. Advantages of GSM
 Crisper, cleaner quieter calls
 Security against fraud and eavesdropping
 International roaming capability in over 100 countries
 Improved battery life
 Efficient network design for less expensive system expansion
 Efficient use of spectrum
 Advanced features such as short messaging and caller ID
 A wide variety of handsets and accessories
 High stability mobile fax and data at up to 9600 baud
 Ease of use with over the air activation, and all account
information is held in a smart card which can be moved from
handset to handset
31. SMS - also known as text messaging
 Short Message Service (SMS) messages are
160 character text messages
 sent using a SDCCH (slow speed data channel).
 SMS delivery is a store-and-forward system
 the message is sent to a Short Message Service
Centre (SMSC), which then forwards them on to
the destination mobile.
 There is no provision in the GSM specification
for diverting SMS messages
32. IMEI: *#06#
33. Logical and physical channels
 GSM distinguishes between physical
channels (the timeslot) and logical
channels (the information carried by the
34. GSM Radio Aspects
 The uplink frequency band: 890-915 MHz
 Downlink band: 935-960 MHz
 Available 25 MHz spectrum is partitioned
into 24 carriers (Carrier spacing: 200 kHz)
 Each carrier in turn divided into 8 time
slots (radio channels).
35. Traffic Channels (TCH)
 Used to transmit user data (voice, fax)
 Full rate TCH (TCH/F): data rate is 22.8
 Half rate TCH (TCH/H): 11.4 Kbit/s
36. Control Channels (CCH)
 Used to control
 medium access
 Allocation of traffic channels
 Mobility management
 Three groups of CCH
 BCCH – Broadcast control channel
 BTS uses this channel to signal information to all MSs within
 Unidirectional channel (BTS to MS)
 Broadcast information regarding the mobile’s serving cell as
well as neighboring cell.
 Continuously broadcasts in the downlink
 BCCH includes
 Frequency Correction Channel (FCCH) – accurate tuning to BS
 Synchronization channel (SCCH) – Frame synchronization
37.  CCCH (Common Control Channel)
 Used either for uplink or downlink communications
 Paging (PCH) & Access Grant (AGCH) channels
operate in the downlink direction
 PCH – for paging a mobile
 AGCH – to assign dedicated resources to the mobile
 In the idle mode MS always listens to the paging
channel for incoming calls
 MS uses Random Access Channel (RACH) to send
data to the BTS i.e. MS uses RACH to request
access to the network.
38.  Dedicated Control Channel (DCCH)
 Used for call set up and handoff, i.e. signalling between the
network and the mobile.
 SDCCH – Standalone dedicated control channel
 SDCCH is used if MS has not established TCH with BTS
 SDCCH for signaling – authentication, registration or other
data needed for setting up a TCH
 i.e. provides reliable connection for signaling.
 SACCH – Slow Associated Dedicated Control Channel
 Used to exchange system information such as channel
quality and signal power level.
 FACCH – Fast Associated Dedicated Control Channel
 To transfer handoff information during an active call
 Um The air interface is used for exchanges between a MS and a
 Abis This is a BSS internal interface linking the BSC and a BTS.
The Abis interface allows control of radio frequency allocation in
 A The A interface is between the BSS and the MSC. The A
interface manages the allocation of suitable radio resources to the
MSs and mobility management.
 B The B interface between the MSC and the VLR uses the MAP/B
protocol. Most MSCs are associated with a VLR, making the B
interface "internal". Whenever the MSC needs access to data
regarding a MS located in its area, it interrogates the VLR using
the MAP/B protocol over the B interface.
 C The C interface is between the HLR and a GMSC or a SMS-G.
Each call originating outside of GSM (i.e., a MS terminating call
from the PSTN) has to go through a Gateway to obtain the routing
information required to complete the call, and the MAP/C protocol
over the C interface is used for this purpose. Also, the MSC may
optionally forward billing information to the HLR after call clearing.
40.  D The D interface is between the VLR and HLR, and uses the
MAP/D protocol to exchange the data related to the location of
the MS and to the management of the subscriber.
 E The E interface interconnects two MSCs. The E interface
exchanges data related to handover between the anchor and
relay MSCs using the MAP/E protocol.
 F The F interface connects the MSC to the EIR, and uses the
MAP/F protocol to verify the status of the IMEI that the MSC has
retrieved from the MS.
 G The G interface interconnects two VLRs of different MSCs and
uses the MAP/G protocol to transfer subscriber information,
during e.g. a location update procedure.
 H The H interface is between the MSC and the SMS-G, and uses
the MAP/H protocol to support the transfer of short messages.
 I The I interface (not shown in Figure 1) is the interface between
the MSC and the MS. Messages exchanged over the I interface
are relayed transparently through the BSS.
41.  Layer 1- Physical Layer
 Handles radio-specific functions
 Synchronization with the BTS
 Detection of idle channels
 Measurement of the channel quality on the
 Physical layer at Um interface performs
encryption/decryption of data.
42.  Synchronisation
 Includes the correction of the individual path
delay between an MS and the BTS
 All MSs within a cell use the same BTS
 They must be synchronized to the BTS
 BTS generates the time-structure of frames i.e.
An MS close to the BTS has a very short RTT
whereas an MS 35 km away has 0.23 ms
 BTS sends the current RTT to the MS, which
then adjust its access time so that all bursts
reach BTS within their limits.
43.  Layer 2
 LAPDm - Link Access Protocol for D Channel
 Reliable data transfer
 Flow control
 Reassembly of data
 Acknowledged/ unacknowledged service
44. Layer 3 – Network Layer
 Three sub layers
 CM - The Communication (connection) Management (CM) layer
consists of setting up calls at the users' request.
 Its functions are divided in three:
 Call control, which manages the circuit oriented services;
 Supplementary services management, which allows modifications and
checking of the supplementary services configuration;
 Short Message Services, which provides point-to-point short message
 MM - The Mobility Management (MM) layer is in charge of
maintaining the location data, in addition to the authentication and
 Provides functions necessary to support terminal registration, location
 MM replaces IMSI with TMSI
45.  RR - The Radio Resource (RR) Management layer is in charge of
establishing and maintaining a stable uninterrupted communications path
between the MSC and MS over which signalling and user data can be
 Handovers are part of the RR layers responsibility. Most of the functions
are controlled by the BSC, BTS, and MS, though some are performed
by the MSC (in particular for inter-MSC handovers.).
 RR manages logical channels, signal quality measurement, reporting
 RR' - The RR' layer is the part of the RR functionality which is managed by
 Responsible for channel establishment and release
 BTSM - The Base Transceiver Station Management (BTSM) is responsible
for transferring the RR information (not provided for in the BTS by the RR'
protocol) to the BSC.
46.  BSSAP - The Base Station System Application Part (BSSAP) is split into
two parts, the BSSMAP and the DTAP (not shown in the above figure).
 Messages which are not transparent to the BSC are carried by the Base
Station System Management Application Part (BSSMAP), which
supports all of the procedures between the MSC and the BSS that
require interpretation and processing of information related to single
calls, and resource management.
 The messages between the MSC and MS which are transparent to the
BSC (MM and CM messages) are catered for by the Direct Transfer
Application Part (DTAP).
 SS7 – Signalling System No.7
 Signalling between an MSC and a BSC
 Transfers all management information between MSCs, HLR, VLR, AUC, EIR
 SCCP - The Signalling Connection Control Part (SCCP) from SS7.
 MTP - The Message Transport Part (MTP) of SS7.
47. Mobile Originated Call
 A mobile user originates a call by keying in the called number and
depressing the send key
 The mobile transmits an access request on the uplink signaling
 If the network can process the call, the BS sends a speech channel
 MS locks the designated speech channel allocated to that cell
 Network proceeds to setup the connection to the called party
 A terminal update procedure may also be invoked to ensure that
the terminal originating the call is a legitimate terminal.
48. Mobile Terminated Call
 The network establishes the current location area for the
called mobile through signaling between HLR and VLR.
 The call is routed to the current serving MSC
 The serving MSC initiates a paging message over the
downlink signaling channel toward cells contained in the
appropriate paging area.
 If the mobile is turned on, it receives the page and sends
a page response to its nearest BS on the signaling
 The BS sends a speech channel allocation message to
the mobile station and informs the network so that the
two halves of the connection can be completed.
49. Location Update
 MS monitors the information broadcast by the network
on the signaling channel and updates the operating
parameters as necessary.
 Also checks the location information (location area
identity) broadcast by the new cell
 GSM network identifies each cell via the cell global
identity (CGI), Number assigned to each cell.
 If it differs from the previous cell, the mobile advises the
network of its new information
 BS updates its location registers.
50. Inter – VLR
 MS sends a location update request
to the VLR (new) via the BSS and
 VLR sends a Location update
message to the HLR serving the MS
which includes the address of the
VLR (new) and the IMSI of the MS
 (this updating of the HLR is not
required if the new LA is served by
the same VLR as the old LA)
 The service and security related data for
the MS is downloaded to the new VLR.
 The MS is sent an acknowledgment of
successful location update
 The HLR requests the old VLR to delete
data relating to the relocated MS.
 Single cells do not cover the whole service
 The smaller the cell size and the faster the
movement of a mobile station through the
 More handovers of ongoing calls required.
52. Possible Handover Scenarios
 Inter-cell, intra-BSC handover: MS
moves from one cell to another, but stays
within the control of the same BSC
 Inter-BSC, intra-MSC handover:
perform handovers between cells
controlled by different BSCs
 Inter – MSC handover – handover
between two cells belonging to
53. Between Calls
 Every so often each mobile reports its position by
sending a Location Update.
 The mobiles decide when to do this, so that they don't all
report in at once.
 you may suddenly get old SMS messages when a
Location Update occurs.
 When the mobile is switched off, it signals a log-off
(known as an IMSI Detach) to the network so that it won't
try to search for a switched-off mobile.
 It is possible that this doesn't happen (if switched off out
of coverage, for example). In such a case, the network
won't notice until the next scheduled Location Update
has been missed.
54. During a Call
 When a call is in progress, during the time between sending and
receiving data, the handset monitors the signal it gets from the 16
nearby cells listed in the current cell's Neighbour List
 every second it reports the signal level of the best six of them to the
BSC, using a Slow Access Control Channel (SACCH).
 the idea is to switch to the cell with the best signal to economize on
power in the mobile
 The decision to switch to another cell can be made by the mobile or
by the BTS: the latter usually because it is getting too busy.
 Occasionally, the handoff fails, and the mobile has to start again,
scanning for a network for a fresh start. This can happen when
unusual signal propagation has led it to register on a far distant cell,
over the hilltops, which has a neighbour list of cells nowhere near
55. Inter- MSC handoff
 BSC A informs MSC A that MS needs handover
from BTS A to BTS B
 MSC A informs MSC B that a handover from
BTS A to BTS B is underway
 MSC A commands BSC A/ BTS A to proceed
with handover to BTS B
 MS informs BTS B that it is on specified channel
on BTS B
 BTS B informs BSC A/ MSC A that handover is
 MSC B informs MSC A that handover to BTS B
 To protect the network against unauthorised access
 To protect the privacy of the mobile subscribers against
 Security with SIM –PIN, PUK
 IMSI, TMSI – MS
 AUTHENTICATION KEY Ki
 Authentication algorithm A3
 Cipher key generation algorithm A8
 Encryption algorithm A5 – programmed into MS
 IMSI and Ki are specific to each MS
 A3 and A8 can be different for network operators
 A5 is unique
57. Distribution of Security Features in the GSM Network
58. Ciphering Key Generation Mechanism
MS uses its Kc to cipher the radio path
using encryption algorithm A5
59. 1. At terminal location update,
VLR sends IMSI to the HLR
2. HLR returns security triplets –
RAND, SRES, Kc to the VLR
3. For authentication and
ciphering key VLR sends
RAND to the MS
4. Using stored A3 algorithm
and secret key Ki stored in
the SIM, and RAND provided
by the VLR, the MS calculates
the SRES and returns it to the
5. Using the A8 algorithm and
Ki, MS also calculates the
cipher key Kc
6. If the SRES returned by the
MS matches with the stored
SRES in the VLR, the VLR
sends the cipher key Kc to
the BTS which uses Kc for
ciphering the radio path
60. GSM Authentication Mechanism
61. How incoming calls are handled
when a GSM mobile is roaming
on another network
 Roaming allows a GSM phone user to make and receive calls
using any other GSM network.
 phone number remains the same
 When your phone registers on the foreign network, the local
VLR tells your home HLR where you are.
 HLR gets the AuC to pass a seed number and response pair
to the roamed-to network, which then uses it to authenticate
your mobile account identity.
 Once that is done, the HLR records which VLR your phone is
in, and so any incoming calls are passed to it.
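The triplet exchange from slides 59 and 61, as an added example that is not part of the original slides: the HLR/AuC hands RAND, SRES and Kc to the visited VLR, the SIM answers the challenge, and Ki never leaves the SIM or the home network. A3 and A8 are operator-specific, so HMAC-SHA256 stands in for both here (an assumption), and the class names, IMSI and Ki values are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Stand-ins for the operator-chosen A3/A8 (assumption: HMAC-SHA256, truncated).
# Sizes follow GSM: RAND 128 bits, SRES 32 bits, Kc 64 bits.
def a3_sres(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A3" + rand, hashlib.sha256).digest()[:4]

def a8_kc(ki: bytes, rand: bytes) -> bytes:
    return hmac.new(ki, b"A8" + rand, hashlib.sha256).digest()[:8]

@dataclass(frozen=True)
class Triplet:
    rand: bytes
    sres: bytes
    kc: bytes

class HomeNetwork:
    """HLR + AuC: the only network element that holds Ki."""
    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def triplets(self, imsi: str, count: int = 3) -> list:
        ki = self._ki_by_imsi.get(imsi)
        if ki is None:
            return []  # unknown subscriber: nothing to hand out
        batch = []
        for _ in range(count):
            rand = secrets.token_bytes(16)
            batch.append(Triplet(rand, a3_sres(ki, rand), a8_kc(ki, rand)))
        return batch

class Sim:
    """Holds Ki; answers a RAND with SRES and keeps the derived Kc."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.kc = None

    def challenge(self, rand: bytes) -> bytes:
        self.kc = a8_kc(self._ki, rand)   # step 5: Kc for A5 ciphering
        return a3_sres(self._ki, rand)    # step 4: SRES returned to the VLR

class Vlr:
    """Visited network: sees only triplets, never Ki."""
    def __init__(self, home: HomeNetwork):
        self._home = home
        self._pending = {}

    def authenticate(self, sim: Sim):
        queue = self._pending.setdefault(sim.imsi, [])
        if not queue:                     # steps 1-2: fetch triplets by IMSI
            queue.extend(self._home.triplets(sim.imsi))
        if not queue:
            return None
        triplet = queue.pop(0)            # each challenge is used once
        sres = sim.challenge(triplet.rand)            # step 3
        if not hmac.compare_digest(sres, triplet.sres):
            return None                   # step 6 fails: no Kc released
        return triplet.kc                 # step 6: Kc goes to the BTS

def run_demo() -> dict:
    imsi = "001010123456789"              # constructed test IMSI
    ki = bytes(range(16))                 # constructed 128-bit Ki
    home = HomeNetwork()
    home.provision(imsi, ki)
    vlr = Vlr(home)
    genuine = Sim(imsi, ki)
    clone = Sim(imsi, bytes(16))          # right IMSI, wrong Ki
    kc_bts = vlr.authenticate(genuine)
    return {
        "genuine_kc_matches": kc_bts is not None and kc_bts == genuine.kc,
        "clone_rejected": vlr.authenticate(clone) is None,
        "unknown_rejected": vlr.authenticate(Sim("001019999999999", ki)) is None,
    }

if __name__ == "__main__":
    print(run_demo())
```

Knowing the IMSI alone is not enough to pass: the clone is rejected because its SRES is computed from a different Ki.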
62.  Choosing a Foreign Network
When you take a GSM mobile phone to
another country, the handset will try to find
its home network, and will probably fail.
It will then scan for all the networks it can
detect, and then decide which to use.
Normally, this decision is left to the handset
with the "Automatic" setting, but users can
select a particular network.
63. Preferred list
 The handset will choose one of the networks listed in the
SIM card's preferred list, if a network listed offers
 Failing that, it will select any of the networks available,
provided that it is giving a strong enough signal.
 Handsets are supposed to treat all networks equally if
the signal exceeds a certain threshold, but in practice,
they seem to go for the strongest.
 the signal seems strong at airports!
64. Making an outgoing call when roaming
 The handset contacts the base station (BTS),
asking for access.
 The BTS passes the request back and it reaches
your home network's HLR, which checks that
your account is allowed roaming facilities.
 The reply comes back, and your phone is
permitted to register.
 The VLR allocates your account a temporary
phone number, but you never get to know what
65.  GPRS is a packet based radio service
 Fast data transfer rate
 Always on connection
 Broad application support – web access, file
transfers, multimedia, WAP
 Security – RADIUS
 Remote Authentication Dial In User Service
66. NEW DATA SERVICES
67.  SGSN – Serving GPRS Support Node
 Responsible for tracking the state of the
mobile station and its movements.
 Handles the data connection between the
mobile device and the network.
 Gateway GPRS Support Node – GGSN
 Handles the link between the GPRS network
and the other data networks.
 Each of those network is given an Access
Point Name (APN).
68.  GPRS Attachment
 MS registers with SGSN
 Network checks if the user is authorised
 Copies the user profile from the HLR to the
 Assigns a packet temporary mobile
subscriber identity (PTMSI) to the user
 Disconnection – GPRS detach
 Detach is initiated by either MS or network
69.  Session Management
 MS applies for one or more addresses used in the PDN
 For each session a PDP context is created
 PDP address is assigned to the MS (184.108.40.206)
 PDP context contains IP, address of GGSN
 Context is stored in the MS, SGSN and GGSN.
 Now MS is able to send and receive packets
 Mapping between PDP and IMSI enables GGSN to
transfer data packets between PDN and MS.
70. Enhanced Data rates for GSM Evolution (EDGE)
or Enhanced GPRS (EGPRS)
 allows for increased data transmission rate and
improved data transmission reliability.
 classified as a 2.75G network technology.
 EDGE has been introduced into GSM networks around
the world since 2003, initially in North America.
 It can be used for any packet switched applications such
as an Internet connection.
 High-speed data applications such as video services and
other multimedia benefit from EGPRS' increased data
 EDGE requires no hardware changes to be made in
GSM core networks, but base stations must be modified.
 EDGE compatible transceiver units must be installed and
the base station subsystem (BSS) needs to be upgraded
to support EDGE.
71.  3G –WCDMA (UMTS)- Wideband CDMA
 3.5G – HSDPA( High speed downlink
packet access) – 2 Mbits/s
 3.75G – HSUPA (High speed uplink
packet access) – 5.76 Mbits/s
 4G – WiMax also known as 3G AND
BEYOND – allows smooth video
transmission – 20 Mbits/s
72.  GSM is a digital mobile telephone system that is widely used in Europe and
other parts of the world.
 GSM uses a variation of Time Division Multiple Access (TDMA) and is the
most widely used of the three digital wireless telephone technologies
(TDMA, GSM, and CDMA).
 GSM operates in the 900 MHz, 1800 MHz, or 1900 MHz frequency bands.
 GSM is the de facto wireless telephone standard in Europe.
 GSM has over one billion users worldwide and is available in 190 countries.
 users can often continue to use their mobile phones when they travel to
 GSM together with other technologies is part of an evolution of wireless
mobile telecommunication that includes High-Speed Circuit-Switched Data
(HCSD), General Packet Radio System (GPRS), Enhanced Data GSM
Environment (EDGE), and Universal Mobile Telecommunications Service