Top 15 Countries in Cellular Subscribers
Year-end 2005: Cellular Subscribers (#M) Share %
1. China 398 19.3
2. USA 202 9.9
3. Russia 115 5.6
4. Japan 95 4.6
5. Brazil 86 4.1
6. India 79 3.8
7. Germany 73 3.5
8. Italy 59 2.9
9. UK 58 2.8
10. France 47 2.3
11. Mexico 46 2.2
12. Turkey 40 1.9
13. Spain 39 1.9
14. South Korea 38 1.8
15. Indonesia 38 1.8
Top 15 Countries 1,414 68.5
Worldwide Total 2,065 100
Today, it has come a long way and is now used by over a
billion people, in over 200 countries, making it 70% of the
world’s mobile phone market.
GSM criteria –
Good subjective speech quality
Low terminal and service cost
Support for international roaming – one system for all
Ability to support handheld terminals
Support for range of new services and facilities
Security against fraud
Late 1980’s GSM work was transferred to the
European Telecommunication Standards
Institute (ETSI) and SGM (Special Mobile
Group) was created
Document the functionality and interaction of
every aspect of the GSM network
1987 ETSI oversees the creation of GSM MoU
(Memorandum of Understanding) Association
Formal objective of the GSM MoU Association is the
promotion and evolution of the GSM systems and GSM
Concepts of a published international standard and a
constantly evolving common standard are unique to
Work groups throughout the world specifically designed
to allow interested parties to meet and work on finding
solutions to systems enhancements that will fit into
existing programs of GSM operators
Phase I of GSM specifications was published in 1990
International demand was so great that the system
name was changed from Groupe Special Mobile to
Global Systems for Mobile Communications (still GSM)
Commercial service started in mid-1991
1992 first paying customers were signed up for service
By 1993 there were 36 GSM networks in 22 countries
Early 1994 there were 1.3 million subscribers worldwide
By 1996 there were more than 25 million subscribers
By October 1997 it had grown to more than 55 million
In frequency division multiple access (FDMA),
we separate radio channels or calls by
frequency, like the way broadcast radio stations
are separated by frequency. One call per
In time division multiple access (TDMA) we
separate calls by time, one after another. Since
calls are separated by time TDMA can put
several calls on one channel.
In code division multiple access (CDMA) we
separate calls by code, putting all the calls this
time on a single channel.
AMPS – Advanced Mobile Phone
TACS – Total Access Communication
NMT – Nordic Mobile Telephone System
AMPS – Advanced Mobile Phone System
used in North and South America and
approximately 35 other countries
operates in the 800 MHz band using FDMA
TACS – Total Access Communication
variant of AMPS
deployed in a number of countries
primarily in the UK
NMT – Nordic Mobile Telephone System
deployed in the Russia
operates in the 450 and 900 MHz band
first technology to offer international roaming –
only within the Nordic countries
GSM System Architecture
Mobile Station (MS)
Mobile Equipment (ME)
Subscriber Identity Module (SIM)
Base Station Subsystem (BSS)
Base Transceiver Station (BTS)
Base Station Controller (BSC)
Mobile Switching Center (MSC)
Home Location Register (HLR)
Visitor Location Register (VLR)
Authentication Center (AUC)
Equipment Identity Register (EIR)
A GSM network is divided into cells.
A group of cells is considered a location area.
A mobile phone in motion keeps the network
informed about changes in the location area.
If the mobile moves from a cell in one location
area to a cell in another location area, the
mobile phone should perform a location area
update to inform the network about the exact
location of the mobile phone.
With cellular radio we use a
simple hexagon to represent a
the geographical area covered by
cellular radio antennas are called
Why a hexagon and not a circle
to represent cells?
When showing a cellular system we
want to depict an area totally covered
by radio, without any gaps.
the circles leave gaps
The Mobile Station is made up of two
1. Mobile Equipment (ME)
2. Subscriber Identity Module (SIM)
Produced by many different manufacturers
Must obtain approval from the
Uniquely identified by an IMEI
(International Mobile Equipment Identity)
Subscriber Identity Module (SIM)
Smart card containing the International Mobile
Subscriber Identity (IMSI)
Allows user to send and receive calls and receive other
Encoded network identification details
Protected by a password or PIN
Authentication key Ki
PUK – Pin Unlocking Key
Can be moved from phone to phone – contains key
information to activate the phone
Base Station Subsystem is composed of two parts
that communicate across the standardized
Abis interface allowing operation between components made
by different suppliers
1. Base Transceiver Station (BTS)
2. Base Station Controller (BSC)
Functions of BSS
Radio resource control
Configuration of radio channels,
selection, allocation, deallocation of channels
Monitoring of radio channel busy/idle status
Encryption of radio interface
Base Transceiver Station (BTS)
Houses the radio transceivers that define a cell
Comprises all radio equipments i.e antennas, signal
processing, amplifiers, necessary for radio transmission
Speech and data transmissions from the MS are
Requirements for BTS:
Base Station Controller (BSC)
Manages Resources for one or more
Handles call set up
Handover for each MS
Paging of the MS
Mobile Switching Center (MSC)
Switch speech and data connections between:
Base Station Controllers
Mobile Switching Centers
Other external networks
Heart of the network
The main jobs:
1. connects calls from sender to receiver
2. collects details of the calls made and received
3. supervises operation of the rest of the network component
4. Echo cancellation
5. Interrogation of appropriate registers
6. Manage connections to BSS, other MSCs and PSTN/ISDN
Home Location Registers (HLR)
- The HLR contains information relevant to mobile subscribers `
- Two types of information are stored in the HLR:
Ø Subscription information
The identity code
Directory number allocated to the subscriber
The type of service(s) provided
Any related restrictions.
Ø Location information
the address of the VLR in the area where the subscriber's MS is currently located
the address of the associated MSC.
The location information enables incoming calls to be routed to the MS.
When an MS moves from one VLR area to another, the location information in the
HLR is updated with the new VLR and MSC addresses.
The VLR then creates a new entry for the MS, using subscription data copied from
Visitor Location Registers (VLR)
- contains selected administrative information from
- authenticates the user
- tracks which customers have the phone on and
ready to receive a call
- periodically updates the database on which
phones are turned on and ready to receive calls
Authentication Center (AUC)
- mainly used for security
- data storage location and functional part of the
- Ki is the primary element
Equipment Identity Register (EIR)
- Database that is used to track handsets using the
IMEI (International Mobile Equipment Identity)
- Made up of three sub-classes: The White List, The
Black List and the Gray List
- Optional database
Basic Features Provided by GSM
- Notification of an incoming call while on the handset
- Put a caller on hold to take another call
- All calls, outgoing calls, or incoming calls
- Calls can be sent to various numbers defined by the
Multi Party Call Conferencing
- Link multiple calls together
Full duplex communication example.
since the mobile unit and
the base station both
need circuitry to transmit
on one frequency while
receiving on another.
The two frequencies are
paired and constitute a
voice channel. Paths
indicate direction of flow.
Advanced Features Provided by GSM
Calling Line ID
- incoming telephone number displayed
Alternate Line Service
- one for personal calls
- one for business calls
Closed User Group
- call by dialing last for numbers
Advice of Charge
- tally of actual costs of phone calls
Fax & Data
- Virtual Office / Professional Office
- services and features can follow customer from market to market
Advantages of GSM
Crisper, cleaner quieter calls
Security against fraud and eavesdropping
International roaming capability in over 100 countries
Improved battery life
Efficient network design for less expensive system expansion
Efficient use of spectrum
Advanced features such as short messaging and caller ID
A wide variety of handsets and accessories
High stability mobile fax and data at up to 9600 baud
Ease of use with over the air activation, and all account
information is held in a smart card which can be moved from
handset to handset
SMS - also known as text messaging
Short Message Service (SMS) messages are
160 character text messages
sent using a SDCCH (slow speed data channel).
SMS delivery is a store-and-forward system
the message is sent to a Short Message Service
Centre (SMSC), which then forwards them on to
the destination mobile.
There is no provision in the GSM specification
for diverting SMS messages
Logical and physical channels
GSM distinguishes between physical
channels (the timeslot) and logical
channels (the information carried by the
GSM Radio Aspects
The uplink frequency band: 890-915 MHz
Downlink band: 935-960 MHz
Available 25MHz spectrum is partitioned
into 24 carriers (Carrier spacing: 200KHz)
Each carrier in turn divided into 8 time
slots (radio channels).
Traffic Channels (TCH)
Used to transmit user data (voice, fax)
Full rate TCH (TCH/F): data rate is 22.8
Half rate TCH (TCH/H): 11.4 Kbit/s
Control Channels (CCH)
Used to control
Allocation of traffic channels
Three groups of CCH
BCCH – Broadcast control channel
BTS uses this channel to signal information to all MSs within
Unidirectional channel (BTS to MS)
Broadcast information regarding the mobile’s serving cell as
well as neighboring cell.
Continuously broadcasts in the downlink
Frequency Correction Channel (FCCH) – accurate tuning to BS
Synchronization channel (SCCH) – Frame synchronization
CCCH (Common Control Channel)
Used either for uplink or downlink communications
Paging (PCH) & Access Grant (AGCH) channels
operate in the downlink direction
PCH – for paging a mobile
AGCH – to assign dedicated resources to the mobile
In the idle mode MS always listens to the paging
channel for incoming calls
MS uses Random Access Channel (RACH) to send
data to the BTS i.e. MS uses RACH to request
access to the network.
Dedicated Control Channel (DCCH)
Used for call set up and handoff i.e signalling between the
network and the mobile.
SDCCH – Standalone dedicated control channel
SDCCH is used if MS has not established TCH with BTS
SDCCH for signaling – authentication, registration or other
data needed for setting up a TCH
i.e provides reliable connection for signaling.
SACCH – Slow Associated Dedicated Control Channel
Used to exchange system information such as channel
quality and signal power level.
FACCH – Fast Associated Dedicated Control Channel
To transfer handoff information during an active call
Um The air interface is used for exchanges between a MS and a
Abis This is a BSS internal interface linking the BSC and a BTS.
The Abis interface allows control of radio frequency allocation in
A The A interface is between the BSS and the MSC. The A
interface manages the allocation of suitable radio resources to the
MSs and mobility management.
B The B interface between the MSC and the VLR uses the MAP/B
protocol. Most MSCs are associated with a VLR, making the B
interface "internal". Whenever the MSC needs access to data
regarding a MS located in its area, it interrogates the VLR using
the MAP/B protocol over the B interface.
C The C interface is between the HLR and a GMSC or a SMS-G.
Each call originating outside of GSM (i.e., a MS terminating call
from the PSTN) has to go through a Gateway to obtain the routing
information required to complete the call, and the MAP/C protocol
over the C interface is used for this purpose. Also, the MSC may
optionally forward billing information to the HLR after call clearing.
D The D interface is between the VLR and HLR, and uses the
MAP/D protocol to exchange the data related to the location of
the MS and to the management of the subscriber.
E The E interface interconnects two MSCs. The E interface
exchanges data related to handover between the anchor and
relay MSCs using the MAP/E protocol.
F The F interface connects the MSC to the EIR, and uses the
MAP/F protocol to verify the status of the IMEI that the MSC has
retrieved from the MS.
G The G interface interconnects two VLRs of different MSCs and
uses the MAP/G protocol to transfer subscriber information,
during e.g. a location update procedure.
H The H interface is between the MSC and the SMS-G, and uses
the MAP/H protocol to support the transfer of short messages.
I The I interface (not shown in Figure 1) is the interface between
the MSC and the MS. Messages exchanged over the I interface
are relayed transparently through the BSS.
Layer 1- Physical Layer
Handles radio-specific functions’
Synchronization with the BTS
Detection of idle channels
Measurement of the channel quality on the
Physical layer at Um interface performs
encryption/decryption of data.
Includes the correction of the individual path
delay between an MS and the BTS
All MSs within a cell use the same BTS
They must be synchronized to the BTS
BTS generates the time-structure of frames i.e
An MS close to the BTS has a very short RTT
whereas an MS 35 KM away has 0.23ms
BTS sends the current RTT to the MS, which
then adjust its access time so that all bursts
reach BTS within their limits.
LAPDm - Link Access Protocol for D Channel
Reliable data transfer
Reassembly of data
Acknowledged/ unacknowledged service
Layer 3 – Network Layer
Three sub layers
CM - The Communication (connection) Management (CM) layer
consists of setting up calls at the users' request.
Its functions are divided in three:
Call control, which manages the circuit oriented services;
Supplementary services management, which allows modifications and
checking of the supplementary services configuration;
Short Message Services, which provides point-to-point short message
MM - The Mobility Management (MM) layer is in charge of
maintaining the location data, in addition to the authentication and
Provides functions necessary to support terminal registartion, location
MM replaces IMSI with TMSI
RR - The Radio Resource (RR) Management layer is in charge of
establishing and maintaining a stable uninterrupted communications path
between the MSC and MS over which signalling and user data can be
Handovers are part of the RR layers responsibility. Most of the functions
are controlled by the BSC, BTS, and MS, though some are performed
by the MSC (in particular for inter-MSC handovers.).
RR manages logical channels, signal quality measurement, reporting
RR‘ - The RR' layer is the part of the RR functionality which is managed by
Responsible for channel establishment and release
BTSM - The Base Transceiver Station Management (BTSM) is responsible
for transferring the RR information (not provided for in the BTS by the RR'
protocol) to the BSC.
BSSAP - The Base Station System Application Part (BSSAP) is split into
two parts, the BSSMAP and the DTAP (not shown in the above figure).
Messages which are not transparent to the BSC are carried by the Base
Station System Management Application Part (BSSMAP), which
supports all of the procedures between the MSC and the BSS that
require interpretation and processing of information related to single
calls, and resource management.
The messages between the MSC and MS which are transparent to the
BSC (MM and CM messages) are catered for by the Direct Transfer
Application Part (DTAP).
SS7 – Signalling System No.7
Signalling between an MSC and a BSC
Transfers all management information between MSCs, HLR, VLR, AUC, EIC
SCCP - The Signalling Connection Control Part (SCCP) from SS7.
MTP - The Message Transport Part (MTP) of SS7.
Mobile Originated Call
A mobile user originates a call by keying in the called number and
depressing the send key
The mobile transmits an access request on the uplink signaling
If the network can process the call, the BS sends a speech channel
MS locks the designated speech channel allocated to that cell
Network proceeds to setup the connection to the called party
A terminal updation procedure may also be invoked to ensure that
the terminal originating the call is a legitimate terminal.
Mobile Terminated Call
The network establishes the current location area for the
called mobile through signaling between HLR and VLR.
The call is routed to the current serving MSC
The serving MSC initiates a paging message over the
downlink signaling channel toward cells contained in the
appropriate paging area.
If the mobile is tuned on, it receives the page and sends
a page response to its nearest BS on the signaling
The BS sends a speech channel allocation message to
the mobile station and informs the network so that the
two halves of the connection can be completed.
MS monitors the information broadcast by the network
on the signaling channel and updates the operating
parameters as necessary.
Also checks the location information (location area
identity) broadcast by the new cell
GSM network identifies each cell via the cell global
identity (CGI), Number assigned to each cell.
If it differs from the previous cell, the mobile advises the
network of its new information
BS updates its location registers.
Inter – VLR
MS sends a location update request
to the VLR (new) via the BSS and
VLR sends a Location update
message to the HLR serving the MS
which includes the address of the
VLR (new) and the IMSI of the MS
(this updating of the HLR is not
required if the new LA is served by
the same VLR as the old LA)
The service and security related data for
the MS is downloads to the new VLR.
The MS sent an acknowledgment of
successful location update
The HLR requests the old VLR to delete
data relating to the relocated MS.
Single cells do not cover the whole service
The smaller the cell size and the faster the
movement of a mobile station through the
More handovers of ongoing calls required.
Possible Handover Scenarios
Inter-cell, intra-BSC handover: MS
moves one cell to another , but stays
within the control of the same BSC
Inter-BSC, intra-MSC handover:
perform handovers between cells
controlled by different BSCs
Inter – MSC handover – handover
between two cells belonging to
Every so often each mobile reports its position by
sending a Location Update.
The mobiles decide when to do this, so that they don't all
report in at once.
you may suddenly get old SMS messages when a
Location Update occurs.
When the mobile is switched off, it signals a log-off
(known as an IMSI Detach) to the network so that it won't
try to search for a switched-off mobile.
It is possible that this doesn't happen (if switched off out
of coverage, for example). In such a case, the network
won't notice until the next scheduled Location Update
has been missed.
During a Call
When a call is in progress, during the time between sending and
receiving data, the handset monitors the signal it gets from the 16
nearby cells listed in the current cell's Neighbour List
every second it reports the signal level of the best six of them to the
BSC, using a Slow Access Control Channel (SACCH).
the idea is to switch to the cell with the best signal to economize on
power in the mobile
The decision to switch to another cell can be made by the mobile or
by the BTS: the latter usually because it is getting too busy.
Occasionally, the handoff fails, and the mobile has to start again,
scanning for a network for a fresh start. This can happen when
unusual signal propagation has led it to register on a far distant cell,
over the hilltops, which has a neighbour list of cells nowhere near
Inter- MSC handoff
BSC A informs MSC A that MS needs handover
from BTS A to BTS B
MSC A informs MSC B that a handover from
BTS A to BTS B is underway
MSC A commands BSC A/ BTS A to proceed
with handover to BTS B
MS informs BTS B that it is on specified channel
on BTS B
BTS B informs BSC A/ MSC A that handover is
MSC B informs MSC A that handover to BTS B
To protect the network against unauthorised access
To protect the privacy of the mobile subscribers against
Security with SIM –PIN, PUK
IMSI, TMSI – MS
AUTHENTICATION KEY Ki
Authentication algorithm A3
Cipher key generation algorithm A8
Encryption algorithm A5 – programmed into MS
IMSI and Ki are specific to each MS
A3 and A8 can be different for network operators
A5 is unique
Distribution of Security Features in the GSM Network
Ciphering Key Generation Mechanism
MS uses its Kc to cipher the radio path
using encryption algorithm A5
1. At terminal location update,
VLR sends IMSI to the HLR
2. HLR returns security triplets –
RAND, SRES, Kc to the VLR
3. For authentication and
ciphering key VLR sends
RAND to the MS
4. Using stored A3 algorithm
and secret key Ki stored in
the SIM, and RAND provided
by the VLR, the MS calculates
the SRES and returns it to the
5. Using the A8 algorithm and
Ki, MS also calculates the
cipher key Kc
6. If the SRES returned by the
MS matches with the stored
SRES in the VLR, the VLR
sends the cipher key Kc to
the BTS which uses Kc for
ciphering the radio path
How incoming calls are handled
when a GSM mobile is roaming
on another network
Roaming allows a GSM phone user to make and receive calls
using any other GSM network.
phone number remains the same
When your phone registers on the foreign network, the local
VLR tells your home HLR where you are.
HLR gets the AuC to pass a seed number and response pair
to the roamed-to network, which then uses it to authenticate
your mobile account identity.
Once that is done, the HLR records which VLR your phone is
in, and so any incoming calls are passed to it.
Choosing a Foreign Network
When you take a GSM mobile phone to
another country, the handset will try to find
its home network, and will probably fail.
It will then scan for all the networks it can
detect, and then decide which to use.
Normally, this decision is left to the handset
with the "Automatic" setting, but users can
select a particular network.
The handset will choose one of the networks listed in the
SIM card's preferred list, if a network listed offers
Failing that, it will select any of the networks available,
provided that it is giving a strong enough signal.
Handsets are supposed to treat all networks equally if
the signal exceeds a certain threshold, but in practice,
they seem to go for the strongest.
the signal seems strong at airports!
Making an outgoing call when roaming
The handset contacts the base station (BTS),
asking for access.
The BTS passes the request back and it reaches
your home network's HLR, which checks that
your account is allowed roaming facilities.
The reply comes back, and your phone is
permitted to register.
The VLR allocates your account a temporary
phone number, but you never get to know what
GPRS is a packet based radio service
Fast data transfer rate
Always on connection
Broad application support – web access, file
transfers, multimedia , WAP
Security – RADIUS
Remote Authentication Dial In User Service
SGSN – Serving GPRS Support Node
Responsible for tracking the state of the
mobile station and its movements.
Handles the data connection between the
mobile device and the network.
Gateway GPRS Support Node – GGSN
Handles the link between the GPRS network
and the other data networks.
Each of those network is given an Access
Point Name (APN).
Ms register with SGSN
Network checks if the user is authorised
Copied the user profile from the HLR to the
Assigns a packet temporary mobile
subscriber identity (PTMSI) to the user
Disconnection – GPRS detach
Detach is initiated by either MS or network
MS apply for one or more addresses used in the PDN
For each session a PDP context is created
PDP address is assigned to the MS (18.104.22.168)
PDP context contains IP, address of GGSN
Context is stored in the MS, SGSN and GGSN.
Now MS is able to send and receive packets
Mapping between PDP and IMSI enables GGSN to
transfer data packets between PDN and MS.
Enhanced Data rates for GSM Evolution (EDGE)
or Enhanced GPRS (EGPRS)
allows for increased data transmission rate and
improved data transmission reliability.
classified as a 2.75G network technology.
EDGE has been introduced into GSM networks around
the world since 2003, initially in North America.
It can be used for any packet switched applications such
as an Internet connection.
High-speed data applications such as video services and
other multimedia benefit from EGPRS' increased data
EDGE requires no hardware changes to be made in
GSM core networks, but base stations must be modified.
EDGE compatible transceiver units must be installed and
the base station subsystem (BSS) needs to be upgraded
to support EDGE.
3G –WCDMA (UMTS)- Wideband CDMA
3.5G – HSDPA( High speed downlink
packet access) – 2 Mbits/s
3.75G – HSUPA (High speed uplink
packet access) – 5.76 Mbits/s
4G – WiMax also known as 3G AND
BEYOND – allows smmoth video
transmission – 20M bits/ sec
GSM is a digital mobile telephone system that is widely used in Europe and
other parts of the world.
GSM uses a variation of Time Division Multiple Access (TDMA) and is the
most widely used of the three digital wireless telephone technologies
(TDMA, GSM, and CDMA).
GSM operates in the 900MHz, 1800MHz, or 1900Mhz frequency bands.
GSM is the de facto wireless telephone standard in Europe.
GSM has over one billion users worldwide and is available in 190 countries.
users can often continue to use their mobile phones when they travel to
GSM together with other technologies is part of an evolution of wireless
mobile telecommunication that includes High-Speed Circuit-Switched Data
(HCSD), General Packet Radio System (GPRS), Enhanced Data GSM
Environment (EDGE), and Universal Mobile Telecommunications Service