Gayathri GSM 2 (1) Final
CHAPTER 1
INTRODUCTION
GSM INTRODUCTION
GSM is the short form of Global System for Mobile Communications. It is called 2G or
Second Generation technology. It was developed so that the same subscriber units or mobile
phone terminals could be used throughout the world. There are various GSM standards such as GSM900,
EGSM900, GSM1800 and GSM1900; they differ mainly in RF carrier frequency band
and bandwidth. This overview covers network architecture, network elements, various
interfaces, specifications, the GSM frame structure or frame hierarchy, GSM burst types, the GSM
physical layer, GSM physical channels, GSM logical channels and their functions, logical
channel mapping, the GSM mobile network entry procedure, GSM MO and MT calls,
VAMOS basics, AMR basics and the MSK and GMSK modulation types.
During the early 1980s, analog cellular telephone systems experienced rapid growth in
Europe, particularly in Scandinavia and the United Kingdom, but also in France and Germany.
Each country developed its own system, which was incompatible with everyone else's in
equipment and operation. This was an undesirable situation, because not only was the mobile
equipment limited to operation within national boundaries, which in a united Europe were
increasingly unimportant, but there was also a very limited market for each type of equipment, so
economies of scale and the subsequent savings could not be realized.
The Europeans realized this early on, and in 1982 the Conference of European Posts and
Telegraphs (CEPT) formed a study group called the Group Special Mobile (GSM) to study and
develop a pan-European public land mobile system. The proposed system had to meet certain
criteria:
Good subjective speech quality
Dept of ECE, GCET
SDR based GSM Receiver
From the beginning, the planners of GSM wanted ISDN compatibility in terms of the
services ordered and the control signalling used. However, radio transmission limitations, in
terms of bandwidth and cost, do not allow the standard ISDN B-channel bit rate of 64 kbps to be
practically achieved.
Using the ITU-T definitions, telecommunication services can be divided into bearer
services, tele-services, and supplementary services. The most basic tele-service supported by
GSM is telephony. Speech is digitally encoded and transmitted through the GSM network as a
digital stream. There is also an emergency service, where the nearest emergency-service
provider is notified by dialing three digits (similar to 911 in North America).
A variety of data services is offered. GSM users can send and receive data, at rates up to
9600 bps, to users on POTS (Plain Old Telephone Service), ISDN, Packet Switched Public Data
Networks, and Circuit Switched Public Data Networks using a variety of access methods and
protocols, such as X.25 or X.32. Since GSM is a digital network, a modem is not required
between the user and GSM network, although an audio modem is required inside the GSM
network to interwork with POTS.
CHAPTER 2
GSM ARCHITECTURE
A GSM network consists of the Mobile Station, the Base Station Subsystem and the Network and
Operation Subsystem. The following figure depicts the complete GSM network architecture.
Mobile Station - The Mobile Station is the GSM mobile phone equipment, which houses the DSP, the RF
chip and the SIM (Subscriber Identity Module). Carrying the SIM alone is enough to avail the service of the
GSM network. The SIM contains all subscriber-related information, the network with which the
subscriber is subscribed and encryption-related information. It stores network-specific data
such as the list of carrier frequencies and the current Location Area ID (LAI). It stores the International
Mobile Subscriber Identity (IMSI) and the ISDN number. It stores the Personal Identification Number (PIN) and
authentication keys. It also stores short messages, charging information, the telephone book, etc.
Base Station Subsystem - The Base Station Subsystem houses the Base Transceiver Station (BTS) and the Base
Station Controller (BSC). This subsystem takes care of radio control related functions and provides the
GSM air interface for GSM mobile phones to connect with the GSM network. To provide GSM
service, a region or city is divided into various cells. The cell size is usually about 100 m to
about 35 km. BTS coverage is limited to its cell; many such BTSs together cover the entire region. All
these BTSs are interfaced with one BSC in various topologies (mesh, star, etc.). The BSC takes care of
radio frequency assignments to the mobile phones and of handoff within the BSS, i.e. between
one BTS and another. The BTS provides two channels, signalling and data, and performs error
protection coding for the radio channel. The BSC performs radio resource management: it
assigns and releases frequencies and time slots for all the MSs in its area, reallocates frequencies
among cells, and executes the handoff protocol. It also provides time and frequency synchronization
signals to the BTSs, measures the time delay of an MS and notifies the BTS, and manages the power
of the BTS and the MS.
Network Subsystem (NSS) - This subsystem provides the interface between the cellular system and the
circuit switched telephone network, i.e. the PSTN. It performs switching and operation and
maintenance related functions. The NSS takes care of call processing functions such as call setup,
switching and tear down, and also of handover between BSCs. The NSS also takes care of security and
authentication related functions. The various network elements in this subsystem, shown in the
GSM network architecture above, are explained below. These are basically database elements.
VLR - Visitor Location Register. It stores information about a visiting subscriber: its
facilities, the network it is subscribed to, its home location and so on.
AUC - Authentication Centre, used to authenticate activities in the system. It holds encryption
(A5 key) and authentication keys (A3 key) in both the HLR and the VLR.
EIR - Equipment Identity Register. It helps in security as it keeps track of the equipment type
available in the Mobile Station or terminal, and allows stolen or fraudulent mobile stations to be
identified.
GSM IDENTIFIERS - International Mobile Subscriber Identity (IMSI): unique 15 digits assigned
by the service provider = home country code + home GSM network code + mobile subscriber ID +
national mobile subscriber ID.
International Mobile Station Equipment Identity (IMEI): unique 15 digits assigned by the equipment
manufacturer = type approval code + final assembly code + serial number + spare digit.
Temporary Mobile Subscriber Identity (TMSI): 32-bit number assigned by the VLR to uniquely
identify a mobile station within a VLR's area.
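As an added example (not part of the report), the following Python parses and sanity-checks identifiers laid out as described above; the Luhn check on the trailing IMEI digit, the constructed sample values and the 2-digit MNC default are this example's assumptions rather than statements from the text.

```python
"""Parse and sanity-check the GSM identifiers described above.

Added example, not from the report. Field layout follows the text: IMSI = home
country code (MCC, 3 digits) + network code (MNC, 2 or 3 digits) + subscriber
part; IMEI = 15 digits (TAC + FAC + serial + one trailing digit, which in
practice is a Luhn check digit); TMSI = 32-bit value assigned by the VLR.
The MNC length depends on the MCC and is passed in here rather than looked up.
"""
import re
from dataclasses import dataclass

DIGITS15 = re.compile(r"\d{15}")


@dataclass(frozen=True)
class Imsi:
    mcc: str   # home country code
    mnc: str   # home GSM network code
    msin: str  # subscriber part (remaining 9 or 10 digits)


def parse_imsi(imsi: str, mnc_len: int = 2) -> Imsi:
    """Split a 15-digit IMSI into its MCC, MNC and subscriber fields."""
    if not DIGITS15.fullmatch(imsi):
        raise ValueError("IMSI must be exactly 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits")
    return Imsi(imsi[:3], imsi[3:3 + mnc_len], imsi[3 + mnc_len:])


def redact_imsi(imsi: str, mnc_len: int = 2) -> str:
    """Keep the network part and mask the subscriber part: the IMSI is a
    long-lived identifier, so logs and captures should not carry it in full."""
    parts = parse_imsi(imsi, mnc_len)
    return f"{parts.mcc}-{parts.mnc}-{'*' * len(parts.msin)}"


def luhn_check_digit(body: str) -> int:
    """Luhn check digit over a run of decimal digits (the 15th IMEI digit)."""
    total = 0
    # Walk from the right, doubling the rightmost digit and every second one after it.
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return (10 - total % 10) % 10


def imei_is_valid(imei: str) -> bool:
    """True when the IMEI is 15 digits and its trailing check digit matches."""
    return bool(DIGITS15.fullmatch(imei)) and luhn_check_digit(imei[:14]) == int(imei[14])


def split_imei(imei: str) -> dict:
    """Split an IMEI into the fields named in the text. Lengths are the historical
    layout (TAC 6, FAC 2, SNR 6, check 1); since 2003 the first 8 digits form one TAC."""
    if not imei_is_valid(imei):
        raise ValueError("invalid IMEI")
    return {"tac": imei[:6], "fac": imei[6:8], "snr": imei[8:14], "check": imei[14]}


def format_tmsi(tmsi: int) -> str:
    """Render a TMSI in the 8-hex-digit form seen in traces; reject non-32-bit values."""
    if not 0 <= tmsi <= 0xFFFFFFFF:
        raise ValueError("TMSI is a 32-bit value")
    return f"{tmsi:08X}"


if __name__ == "__main__":
    # Constructed sample values, not real subscribers or devices.
    print(parse_imsi("404450123456789"))
    print(redact_imsi("404450123456789"))
    print(split_imei("490154203237518"), imei_is_valid("490154203237519"))
    print(format_tmsi(0x1A2B3C4D))
```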
In GSM, a frequency band of 25 MHz is divided into smaller bands of 200 kHz, each carrying
one RF carrier; this gives 125 carriers. As one carrier is used as a guard channel between GSM and
other frequency bands, 124 carriers are usable RF channels. This division of the frequency pool is
called FDMA. Each RF carrier in turn has eight time slots; this division in time is called
TDMA. Each RF carrier frequency is thus shared between 8 users, so in the GSM system the
basic radio resource is a time slot with a duration of about 577 microseconds. As mentioned, each time
slot has a duration of 15/26 ms, or 0.577 ms. This time slot carries 156.25 bits, which leads to a bit
rate of 270.833 kbps. This is explained below in the TDMA GSM frame structure. For E-GSM the
number of ARFCNs is 174; for DCS1800 it is 374.
As shown in figure 2 below, there are two variants of the multi-frame structure.
1. The 26-frame multi-frame, called the traffic multi-frame, is composed of 26 bursts in a duration of 120 ms;
of these, 24 are used for traffic, one for SACCH and one is not used.
CHAPTER 3
HARDWARE AND SOFTWARE TOOLS
A basic SDR system may consist of a personal computer equipped with a sound card, or
other analog-to-digital converter, preceded by some form of RF front end. Significant
amounts of signal processing are handed over to the general-purpose processor, rather than
being done in special-purpose hardware (electronic circuits). Such a design produces a
radio which can receive and transmit widely different radio protocols (sometimes referred
to as waveforms) based solely on the software used.
Software radios have significant utility for the military and cell phone services, both of
which must serve a wide variety of changing radio protocols in real time.
In the long term, software-defined radios are expected by proponents like the SDR Forum
(now The Wireless Innovation Forum) to become the dominant technology in radio
communications. SDRs, along with software defined antennas, are the enablers of
cognitive radio.
Spread spectrum and ultra wideband techniques allow several transmitters to transmit in
the same place on the same frequency with very little interference, typically combined with
one or more error detection and correction techniques to fix all the errors caused by that
interference.
Software defined antennas adaptively "lock onto" a directional signal, so that receivers
can better reject interference from other directions, allowing it to detect fainter
transmissions.
Cognitive radio techniques: each radio measures the spectrum in use and communicates
that information to other cooperating radios, so that transmitters can avoid mutual
interference by selecting unused frequencies. Alternatively, each radio connects to a geo
location database to obtain information about the spectrum occupancy in its location and,
flexibly, adjusts its operating frequency and/or transmit power not to cause interference to
other wireless services.
Dynamic transmitter power adjustment, based on information communicated from the
receivers, lowering transmit power to the minimum necessary, reducing the near-far
problem and reducing interference to others, and extending battery life in portable
equipment.
Wireless mesh network where every added radio increases total capacity and reduces the
power required at any one node. Each node only transmits loudly enough for the message
to hop to the nearest node in that direction, reducing near-far problem and reducing
interference to others.
OPERATING PRINCIPLES
Ideal concept
The ideal receiver scheme would be to attach an analog-to-digital converter to an
antenna. A digital signal processor would read the converter, and then its software would
transform the stream of data from the converter to any other form the application requires.
An ideal transmitter would be similar. A digital signal processor would generate a stream
of numbers. These would be sent to a digital-to-analog converter connected to a radio
antenna.
The ideal scheme is not completely realizable due to the current limits of the technology.
The main problem in both directions is the difficulty of conversion between the digital and
the analog domains at a high enough rate and a high enough accuracy at the same time, and
without relying upon physical processes like interference and electromagnetic resonance
for assistance.
Receiver architecture
Most receivers use a variable-frequency oscillator, mixer, and filter to tune the desired
signal to a common intermediate frequency or baseband, where it is then sampled by the
analog-to-digital converter. However, in some applications it is not necessary to tune the
signal to an intermediate frequency and the radio frequency signal is directly sampled by
the analog-to-digital converter (after amplification).
Real analog-to-digital converters lack the dynamic range to pick up sub-microvolt,
nanowatt-power radio signals. Therefore, a low-noise amplifier must precede the conversion
step and this device introduces its own problems. For example, if spurious signals are
present (which is typical), these compete with the desired signals within the amplifier's
dynamic range. They may introduce distortion in the desired signals, or may block them
completely. The standard solution is to put band-pass filters between the antenna and the
amplifier, but these reduce the radio's flexibility. Real software radios often have two or
three analog channel filters with different bandwidths that are switched in and out.
3.1.2 TWO ANTENNAS
Two antennas, one as the transmitter antenna and the other as the receiver antenna, placed at optimum
distances.
3.1.3 SMA CONNECTOR
3.1.4 i7 PROCESSOR PC
3.2 SOFTWARE TOOLS
The GNU Radio software provides the framework and tools to build and run software
radio or just general signal-processing applications. The GNU Radio applications themselves are
generally known as "flowgraphs", which are a series of signal processing blocks connected
together, thus describing a data flow.
These flowgraphs can be written in either C++ or the Python programming language. The
GNU Radio infrastructure is written entirely in C++, and many of the user tools are written in
Python.
GNU Radio is a signal-processing package and part of the GNU Project. It is distributed
under the terms of the GNU General Public License (GPL), and most of the project code is
copyrighted by the Free Software Foundation.
3.2.2 Wireshark Tool
Wireshark is a free and open source network protocol analyser that enables users to
interactively browse the data traffic on a computer network. The development project was
started under the name Ethereal, but was renamed Wireshark in 2006.
Many networking developers from all around the world have contributed to this project
with network analysis, troubleshooting, software development and communication
protocols. Wireshark is used in many educational institutions and other industrial sectors.
Wireshark shares many characteristics with tcpdump. The difference is that it supports a
graphical user interface (GUI) and has information filtering features. In addition,
Wireshark permits the user to see all the traffic being passed over the network.
Data is analysed either from the wire over the network connection or from data files that
contain already captured packets.
It supports live data reading and analysis for a wide range of networks (including Ethernet,
IEEE 802.11, Point-to-Point Protocol (PPP) and loopback).
With the help of the GUI or the other front ends, users can browse the captured network data.
Captured files can be programmatically edited and converted with the editcap application
using command line switches.
Display filters are used to filter and organize the data display.
Captured traffic can also be used to trace Voice over IP (VoIP) calls over the network.
CHAPTER 4
For example, every 26 TDMA frames a logical channel gets bandwidth in a physical
channel. Traffic channels are mainly of two types: half rate and full rate. There are
various control channels such as BCCH (Broadcast Control Channel), SCH (Synchronization
Channel), FCCH (Frequency Correction Channel) and DCCH (Dedicated Control Channel).
All these GSM channels help maintain the GSM network, help the GSM mobile phone
connect to the network and maintain the connection, and help tear down the connection. The figure
below shows all the channels used in GSM.
The GSM physical layer is nothing but the modules through which speech passes
before it is transmitted over the air. These modules are depicted in the figure below.
This section covers the GSM speech processing modules at layer 1, i.e. the physical layer.
These modules are speech coding, channel coding, interleaving, ciphering, burst assembly and
modulation. The speech coding block uses a 13 kbps RELP (Residually Excited Linear Predictive)
coder. The channel coding block uses convolutional coding of rate 1/2 with constraint length 5.
The interleaving block does diagonal interleaving, after the 456 encoded bits of a 20 ms duration are broken
into 57-bit sub-blocks; there are 8 sub-blocks of 57 bits each in total. The ciphering block uses the A3 and A5
encryption algorithms. The encryption is changed call by call to enhance privacy. The burst assembly
block frames the burst as required by the GSM frame structure. The same is modulated and Gaussian
filtered; the modulation block minimizes the occupied bandwidth using GMSK modulation with BT of 0.3.
There are two main types of GSM channels, viz. physical channels and logical channels. A physical
channel is specified by a specific time slot and carrier frequency. Logical channels run over physical
channels, i.e. logical channels are time multiplexed on physical channels; each physical
channel (a time slot at one particular ARFCN) will have either the 26-frame MF (multi-frame) or the 51-frame
MF structure described here. Logical channels are classified into traffic channels and control
channels. Traffic channels carry user data. Control channels are interspersed with traffic channels
in well specified ways.
As shown in the figure, there are two main types of channels in GSM: traffic channels
and control channels. Different bursts are mapped to these channels uniquely as per GSM.
Traffic channels carry speech or data. There are two main categories here, full rate (13 kbps) and
half rate.
Control channels are used for control, command and signalling. Control channels are divided into three
categories.
As the name suggests, they are point-to-multipoint and downlink only channels.
FCCH: Frequency Correction Channel, transmitted by the BTS to the MS. It helps the MS
tune its local oscillator to the exact RF carrier frequency of the BTS cell. An all-zero sequence is
transmitted here, which produces a fixed tone at the output of the GMSK modulator. The frequency
value is about 67.7075 kHz.
SCH: Synchronization Channel, carrying the BSIC (Base Transceiver Station Identity Code) and the frame
number, which help the MS tune to a specific (frequency, TS) physical slot in the TDMA frame of the GSM
network.
BCCH: Broadcast Control Channel, carrying the CGI, MNC and MCC, which are received by the MS and
compared with the SIM information; once verified OK, the connection is established with the network.
They are point-to-multipoint and downlink only channels, except RACH, which is used in the uplink.
PCH: Paging Channel. When someone is calling the mobile phone, this channel sends information on the
downlink to alert the called mobile phone. This is known as a mobile terminated call.
RACH: Random Access Channel, used in a mobile originated call. When the mobile wants to call some other
mobile phone, control information is sent on this channel.
AGCH: Access Grant Channel, transmitted by the BTS to the MS once the network approves the request of the
mobile made on the RACH.
CBCH: Cell Broadcast Channel, used to carry the short message service cell broadcast.
SDCCH: Stand-alone Dedicated Control Channel, used for call setup.
SACCH: Slow Associated Control Channel, used for control and supervisory signals associated with the
traffic channels.
FACCH: Fast Associated Control Channel, used for control requirements such as handoffs/handovers.
Fig. 4.3 GSM Call Setup: it depicts the basic flow of logical frames between the BTS and the MS to
establish a voice/data connection.
The following steps are followed at the GSM mobile phone before you actually start talking or using it
for data operations. These are called the initial mobile phone procedures when you power ON the
phone.
Step-1: The mobile phone scans for carriers, determines the RSSI of all of them and passes them to the upper layer;
the upper layer decides which carrier/channel has the highest RSSI and the mobile locks on to that
carrier. There are two modes here: a first mode where the mobile has prior knowledge of the broadcast
carriers, and a second mode where it has no prior knowledge. In the second case the mobile has
to search the entire band, while in the first case, as the broadcast carriers are known, it
determines the RSSI of those carriers only and hence completes the cell search in less time.
Step-2: Once the carrier is known, the mobile detects the FB (Frequency correction Burst) on that
carrier/channel, which is a pure sine wave, as mentioned above, at 67.7 kHz. Any deviation
from this value is determined and that frequency offset is corrected in the LO module by
controlling the VCTCXO/VCO/OCXO used in the handset design.
Step-3: After correcting the frequency offset, the mobile now needs to lock on to a particular time slot
on that carrier frequency in the GSM time domain frame structure. This is done using SB
decoding. The 25 bits of decoded SCH data give the reduced frame number (19 bits) and the BSIC (6
bits). The reduced frame number provides very useful information about the mobile's physical slot in the
entire hyperframe. The BSIC is made of the BCC (Base Station Colour Code, 3 bits) and the NCC (Network
Colour Code, 3 bits). The BCC field directly gives the training sequence (26 bits in size). Correlation
is performed with the known training sequence to find the peak, and hence the timing
offset of the received frame is determined. Channel estimation is also performed using this
training sequence. Remember that the SB comes on the same time slot as the FB but 8 time slots
later. This means time multiplexing of logical channels (FB, SB, BCCH, CCCH, ...) is used on
the dedicated physical time slot (TS0 at the broadcast frequency).
Step-4: Once the SB is decoded, the BCCH appears on the same allocated physical time slot, again
8 time slots later. The BCCH is decoded, which gives useful System Information (SI). The
mobile is now camped on the network and is ready to use voice services by exchanging the appropriate
frames/channels for a mobile initiated or mobile terminated call. If GPRS is enabled on the
mobile phone, it can use the data services provided by the operator.
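An added example, not from the report, that decodes the 25-bit SCH field of Step-3 into BSIC and reduced frame number and rebuilds the full frame number the mobile needs for Step-4; the T1/T2/T3' split is from GSM 05.02, while the bit packing order and the sample values are assumptions of the example.

```python
"""Decode the SCH information field described in Step-3 and rebuild the frame number.

Added example, not from the report. The 25 information bits carry the BSIC
(6 bits: NCC then BCC, 3 bits each) and the 19-bit reduced frame number, which
GSM 05.02 splits as T1 (11 bits), T2 (5 bits) and T3' (3 bits). The packing
order used here (BSIC, T1, T2, T3', most significant first) is this example's
own choice, not the over-the-air bit order, which the report does not give.
"""
from dataclasses import dataclass

FRAMES_PER_MF26 = 26
FRAMES_PER_MF51 = 51
FRAMES_PER_SUPERFRAME = 26 * 51            # 1326 frames
HYPERFRAME = 2048 * FRAMES_PER_SUPERFRAME  # 2 715 648 frames (T1 is 11 bits)


@dataclass(frozen=True)
class SchInfo:
    ncc: int   # Network Colour Code
    bcc: int   # Base Station Colour Code = training sequence code used by the cell
    t1: int    # superframe counter, 11 bits
    t2: int    # position in the 26-frame multiframe, 5 bits (0..25)
    t3p: int   # T3': SCH lies at FN mod 51 in {1,11,21,31,41}, so T3 = 10*T3' + 1


def encode_sch(ncc: int, bcc: int, fn: int) -> int:
    """Build the 25-bit word a BTS would send at frame fn (example packing)."""
    if not (0 <= ncc < 8 and 0 <= bcc < 8):
        raise ValueError("NCC and BCC are 3-bit fields")
    if not 0 <= fn < HYPERFRAME:
        raise ValueError("FN lies outside the hyperframe")
    t3 = fn % FRAMES_PER_MF51
    if t3 % 10 != 1:
        raise ValueError("no SCH in this frame: FN mod 51 must be 1, 11, 21, 31 or 41")
    t1 = fn // FRAMES_PER_SUPERFRAME
    t2 = fn % FRAMES_PER_MF26
    t3p = (t3 - 1) // 10
    bsic = (ncc << 3) | bcc
    return (bsic << 19) | (t1 << 8) | (t2 << 3) | t3p


def decode_sch(word: int) -> SchInfo:
    """Unpack the 25-bit word and reject field values the standard never produces."""
    if not 0 <= word < (1 << 25):
        raise ValueError("SCH information field is 25 bits")
    bsic = word >> 19
    t1 = (word >> 8) & 0x7FF
    t2 = (word >> 3) & 0x1F
    t3p = word & 0x7
    if t2 > 25 or t3p > 4:
        raise ValueError("corrupt SCH: T2 must be <= 25 and T3' <= 4")
    return SchInfo(ncc=bsic >> 3, bcc=bsic & 0x7, t1=t1, t2=t2, t3p=t3p)


def frame_number(info: SchInfo) -> int:
    """Rebuild FN from (T1, T2, T3). 26 and 51 are coprime, so T2 and T3 fix
    FN mod 1326 uniquely; T1 supplies the superframe count on top of that."""
    t3 = 10 * info.t3p + 1
    return 51 * ((t3 - info.t2) % 26) + t3 + FRAMES_PER_SUPERFRAME * info.t1


def frames_until_next_bcch(fn: int) -> int:
    """Frames to wait for the next BCCH block on TS0, which starts at FN mod 51 == 2.
    Right after the first SCH of a multiframe (FN mod 51 == 1) this is one frame, the
    'after 8 time slots' of Step-4; the function covers the other SCH positions too."""
    return (2 - fn % FRAMES_PER_MF51) % FRAMES_PER_MF51


if __name__ == "__main__":
    # Constructed sample: a cell with NCC 5, BCC 2 transmitting its SCH at frame 928629.
    word = encode_sch(ncc=5, bcc=2, fn=928629)
    info = decode_sch(word)
    print(info, frame_number(info), frames_until_next_bcch(frame_number(info)))
```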
There are certain rules by which different channel types are used in different time slots. These
rules are used to map logical channels to physical channels. The most important slot is time
slot TS0, where the BCCH is mapped; it is very useful as the SI messages (system information
messages) are transmitted over this channel.
The following are the possible channel combinations in the GSM system, which the network (BTS) adopts
based on its need for traffic channels versus signalling (control) channels. They are called the
combined and non-combined types.
This section describes the GSM combined channel configuration for TS0. It covers the 51-frame
multiframe structure, mentioning the FCCH, SCH, BCCH, CCCH, SDCCH and SACCH channel mapping
on TS0 for both downlink and uplink.
As mentioned under GSM channel types, the signalling channels (SDCCH) are combined with
FCCH+SCH+BCCH+CCCH on time slot TS0.
In this configuration, the position of FCCH+SCH+BCCH is not changed, but the CCCH capacity is
reduced from 9 blocks to a mere 3 blocks. The 6 freed blocks are used by 4 blocks of SDCCH and 2
blocks of SACCH.
In the downlink the CCCH gives way to the signalling channels (SDCCH/SACCH), and similarly in
the uplink the RACH gives way to these signalling channels.
The complete chart of this configuration for TS0 and TS1 is shown in the figures below. In the
non-combined configuration, dedicated signalling channels are not combined with BCCH/CCCH and
thus require a separate time slot (TS1). The FCCH, SCH, BCCH and CCCH channels are mapped on
TS0.
In the combined configuration, the FCCH, SCH, BCCH and CCCH channels are present along with the SDCCH
on time slot TS0. Hence the dedicated signalling channels (SDCCH) are combined with BCCH/CCCH
on the same time slot TS0. The SDCCH can also be mapped on TS1 in addition to TS0, and even
on other time slots.
This section describes the GSM non-combined channel configuration for TS0 and TS1. It covers the 51-frame
multiframe structure, mentioning the FCCH, SCH, BCCH, CCCH and SDCCH channel mapping on
TS0 and TS1 for both downlink and uplink.
As mentioned under GSM channel types, the signalling channels (SDCCH) are not combined with
FCCH+SCH+BCCH+CCCH on time slot TS0. They are mapped on the separate time slot TS1, as
shown in the figure.
In the non-combined case there are nine CCCH blocks, denoted CCCH(0) to CCCH(8). If there are more
system information messages (SIs) than fit in the BCCH block, the first
CCCH block, CCCH(0), can also be used for BCCH and the SIs are transmitted on it.
In the GSM system the BS_AG_BLKS_RES parameter determines how many of the CCCH blocks
are used for AGCH and how many for PCH. This parameter is a 3-bit field transmitted on
BCCH SI-3, with a range from 0 to 7. A value of 2 indicates that 2 blocks are reserved for AGCH and
the remaining (i.e. 7) blocks are for PCH.
The GSM non-combined channel configuration for TS0 is shown in the figure below.
As shown in figure 4.5, the BCCH/CCCH is mapped in TS0 and, as shown in figure 2, the SDCCH
in TS1. A total of 8 users can share a time slot; due to this it is called the SDCCH/8 combination.
Here 8 designates that there are 8 subchannels in total, each used by a different SDCCH
user. Figure 2 shows that there are 8 SDCCHs and 4 SACCHs in the downlink multiframe.
This is because the rate of the SDCCH is twice that of the SACCH.
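The following added example (not the report's own code) turns the TS0 downlink mapping described in this section into a lookup, covering both the combined and non-combined layouts and the BS_AG_BLKS_RES split in one function; the exact frame positions within the 51-frame multiframe are taken from GSM 05.02 rather than from the figures, which are not reproduced here.

```python
"""Which logical channel occupies TS0 downlink at a given TDMA frame number.

Added example, not from the report. Frame positions inside the 51-frame
multiframe are those of GSM 05.02 clause 7: FCCH at 0,10,20,30,40; SCH at
1,11,21,31,41; BCCH at 2-5; nine four-frame CCCH blocks; idle frame 50. The
combined configuration replaces the last six CCCH blocks with four SDCCH/4
blocks and two SACCH/C4 blocks, as the text states, and BS_AG_BLKS_RES marks
the first N CCCH blocks as AGCH and the rest as PCH.
"""
from collections import Counter

# First frame (FN mod 51) of each of the nine CCCH blocks in the non-combined layout.
CCCH_BLOCK_STARTS = (6, 12, 16, 22, 26, 32, 36, 42, 46)


def ts0_downlink_channel(fn: int, combined: bool = False, bs_ag_blks_res: int = 0) -> str:
    """Return the logical channel (with subchannel where relevant) carried at frame fn."""
    max_res = 2 if combined else 7  # 05.02: 0..2 on a combined TS0, 0..7 otherwise
    if not 0 <= bs_ag_blks_res <= max_res:
        raise ValueError(f"BS_AG_BLKS_RES must be 0..{max_res} for this configuration")
    f = fn % 51
    if f == 50:
        return "IDLE"
    if f % 10 == 0:
        return "FCCH"
    if f % 10 == 1:
        return "SCH"
    if 2 <= f <= 5:
        return "BCCH"
    # Every remaining frame falls into exactly one four-frame CCCH block.
    block = next(i for i, start in enumerate(CCCH_BLOCK_STARTS) if start <= f <= start + 3)
    if combined and block >= 3:
        if block <= 6:
            return f"SDCCH/4({block - 3})"
        # SACCH/C4 alternates: subchannels 0,1 in even multiframes, 2,3 in odd ones.
        return f"SACCH/C4({block - 7 + 2 * ((fn // 51) % 2)})"
    return "AGCH" if block < bs_ag_blks_res else "PCH"


def multiframe_census(combined: bool = False, bs_ag_blks_res: int = 0, start_fn: int = 0) -> dict:
    """Count frames per channel type over one 51-frame multiframe starting at start_fn.
    Useful as a self-check: the counts must sum to 51 in every configuration."""
    counts = Counter(
        ts0_downlink_channel(fn, combined, bs_ag_blks_res).split("(")[0]
        for fn in range(start_fn, start_fn + 51)
    )
    return dict(counts)


if __name__ == "__main__":
    # Non-combined TS0 with BS_AG_BLKS_RES = 2: the 2 AGCH / 7 PCH split worked in the text.
    print(multiframe_census(combined=False, bs_ag_blks_res=2))
    print(multiframe_census(combined=True, bs_ag_blks_res=1))
    print(ts0_downlink_channel(928629))  # constructed FN; frame 21 of its multiframe
```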
The GSM non-combined channel configuration for TS1 is shown in the figure above.
CHAPTER 5
5.1.1 SYSTEM INFORMATION
The table of system information messages in GSM is useful to analyze GSM UE related issues.
This section covers the MO and MT call flows in GSM. It first covers the mobile originated (MO) call
flow between the mobile (UE) and the network. It covers the messages exchanged between the Layer 3 entities
(RR, MM, CC) on both sides and the channels (RACH, AGCH, SDCCH, FACCH, TCH)
used at layer 1 to carry these messages over the air. It assumes that initial frequency
and time synchronization has been done between the UE and the network as described in the
GSM tutorial material above.
• As described in the figure above, before the RACH is sent by the mobile (UE), the mobile is synchronized
with the network (BTS) in both time and frequency.
• This means it has tuned its frequency as per the FCCH and its timing as per the SCH burst. The information
in the FCCH is all zeros, which produces a continuous sine wave about 67.7 kHz above the RF
carrier centre frequency; this helps the mobile (UE) synchronize with the GSM base station.
• The SCH carries the frame number and the BSIC (Base Station Identity Code), which help the mobile
synchronize with the GSM frame structure and identify the base station in the
GSM network.
• Having received and decoded the SIs (System Information) from the BCCH, the mobile station
knows where it has to transmit the CCCH (RACH) and where it has to listen for the
CCCH (carrying PCH, AGCH).
• The RACH is used at the start of a mobile originated call, while the PCH is used at the start of a mobile
terminated call.
The figure above shows the messages exchanged between the mobile and the network for call release.
This section describes the mobile terminated (MT) call
flow between the mobile (UE) and the network. It covers the messages exchanged between the Layer 3 entities
(RR, MM, CC) on both sides and the channels (PCH, RACH, AGCH, SDCCH, FACCH, TCH)
used at layer 1 to carry these messages over the air. It assumes that initial frequency
and time synchronization has been done between the UE and the network as described in the
GSM tutorial material above.
As described in the figure, the PCH is sent by the network to alert the mobile with a ring tone if
someone dials it. This is called a mobile terminated call. After the PCH is received, the mobile transmits
a RACH and obtains an SDCCH and other resources for the further process.
As described in the GSM protocol stack, messages flow between the mobile and the network at various
layers (layer 3, layer 2 and layer 1, the physical layer). The message flow is self explanatory to establish
the circuit switched mobile terminated (MT) call in GSM.
The figure above shows the messages exchanged between the mobile and the network for call release.
There are two RRC states in a GSM mobile subscriber station, viz. IDLE and Dedicated. We will
see what the mobile does in these modes. When we switch on the mobile it will be in idle mode
until we receive a call, dial a number ourselves or initiate a GPRS data connection to browse
the internet. The Radio Resource Control procedure for the GSM mobile is outlined below.
5.3.1 IDLE MODE
Once the appropriate best cell is selected by the mobile, the mobile is said to be camped on the
respective BTS. After camping, the GSM mobile enters the idle mode. In this mode it monitors
the BTS paging channel for the possibility of an incoming call. The mobile periodically runs a procedure to
check whether it is camped on the most suitable cell, i.e. it checks the signal
strength and quality of the incoming broadcast channels from the camped-on cell. This
procedure is called cell reselection.
In the idle mode, the GSM mobile receives the BCCH and CCCH channels from the BTS, transmits
RACH in case of an MO call, does cell reselection and, most importantly, measurements.
The mobile does measurements on any of the IDLE frames except on the PCH/PPCH channels,
FCCH, SCH, CBCH, neighbour cell BCCHs, serving cell PBCCH, etc. Idle mode is
normally exited to switch to dedicated mode when Layer 1 (the physical layer) is configured by
the upper layer for either TCH or SDCCH.
During idle mode, the GSM mobile continues monitoring the downlink signal strength of neighbour
cells to ensure it is camped on the best available cell. As per the requirement, the mobile monitors the
received signal strength of 6 neighbour BCCH carriers other than the serving cell BCCH.
The mobile subscriber initially accesses a GSM BTS using the random access channel to perform a
location update, to answer an incoming paging call or to make an MO call.
There are eight time slots in total in all the frames and there is no dedicated slot to be used by the
mobile station. It can use any slot for sending the RACH. If a collision occurs, it is repeated a few
times to establish access to the network on the access burst. It transmits a 5-bit number with 3 bits
indicating the reason for the network access. If access is granted to the mobile, this is indicated by the
AGCH from the BTS on the downlink.
5.3.2 DEDICATED MODE
As soon as the RRC connection is established, the GSM mobile moves from the idle mode to the
dedicated mode.
If the mobile supports multiple RATs or multiple modes then, during the dedicated mode, the mobile
subscriber does measurements on the other neighbour base stations (WCDMA, LTE, TD-SCDMA, etc.).
These measurements are carried out in the idle slot of the GSM frame.
The mobile also does other GSM neighbour cell measurements, mainly for handover and cell
reselection purposes, when the power from the serving/active cell becomes lower compared to the target
cell towards which the mobile is moving.
5.3.3 CELL RE-SELECTION
In a GSM network, when a connected mobile moves to another GSM cell area, re-direction
disconnects it from the serving or active GSM cell and re-connects it to the target GSM cell. Cell
reselection to another RAT, i.e. LTE or WCDMA, is also possible when the serving cell has
any issue. This is referred to as cell reselection.
This section has covered the GSM RR states. For the other layers of the protocol stack (physical layer, LAPD, LAPDm, RRM, MM, CM, SCCP, BSSMAP and BTSM) refer to the GSM protocol stack description.
GPRS uses a packet-switched architecture: a connection exists only while data is being sent or received (for example with FTP or HTTP) and is released once the browsing or file transfer is done. To deliver downlink packets at any moment the network must know where the mobile is, so its location would have to be updated very frequently; doing that on every cell change consumes a lot of power and drains the battery quickly. To avoid this, GPRS defines a mobility management (GMM) state machine for location management. A GPRS mobile is in one of three states, idle, standby or ready, and the state determines how often, and how precisely, it reports its location.
Idle state: when the mobile is powered on it starts in the idle state and is not attached to the GPRS network. In this state a GPRS-capable mobile is not reachable for packet services and no location update has been performed.
Ready state: after a GPRS attach the mobile enters the ready state. Here it is either transferring packets or has just finished a transfer. In the ready state the mobile reports every cell change to the SGSN, so the network always knows its current cell. A GPRS detach disconnects the mobile from the network and returns it to the idle state; all its PDP contexts are deleted on detach.
Standby state: a mobile that is attached to the GPRS network but has not transferred packets for a long period is in the standby state; the transition happens when the READY timer expires. In standby only routing area updates are performed. A GSM location area (LA) is divided into several routing areas (RAs), and a routing area is composed of several cells. When the mobile moves into a new routing area it informs the SGSN. Because the network then knows only the routing area of the mobile, it pages within that RA to find the cell the mobile is currently in before it can deliver downlink data.
This section has covered the GPRS mobility management states. For the other layers of the protocol stack (physical layer, LLC, RLC, MAC, SM, GMM and SNDCP) refer to the GPRS protocol stack description.
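As an added illustration of the three states (a constructed model, not code from this report or from any 3GPP or gr-gsm source), the following mobile-side state machine shows what gets reported to the SGSN in each state and which cells the network has to page. The READY timer length is a parameter; the 44 s default used here is the T3314 default and is an assumption about the network configuration. The SGSN is modelled only as a record of the last report it received.

```python
"""Mobile-side GPRS mobility-management (GMM) state machine: IDLE / STANDBY / READY."""
from dataclasses import dataclass, field
from typing import Optional

READY_TIMER_DEFAULT = 44.0  # seconds; T3314 default (assumption: network does not override it)


@dataclass
class Cell:
    cell_id: int
    routing_area: str


@dataclass
class SgsnView:
    """What the SGSN knows about this mobile: its side of the state."""
    routing_area: Optional[str] = None
    cell_id: Optional[int] = None           # known only while the MS is READY
    pdp_contexts: list = field(default_factory=list)
    log: list = field(default_factory=list)  # updates received from the MS


class GprsMobile:
    def __init__(self, cell: Cell, ready_timer: float = READY_TIMER_DEFAULT):
        self.state = "IDLE"
        self.cell = cell
        self.ready_timer = ready_timer
        self.ready_remaining = 0.0
        self.sgsn = SgsnView()

    def attach(self):
        """GPRS attach: IDLE -> READY; the SGSN learns RA and cell, READY timer starts."""
        if self.state != "IDLE":
            return
        self.state = "READY"
        self._report_cell()
        self.ready_remaining = self.ready_timer

    def detach(self):
        """GPRS detach: any state -> IDLE; every PDP context is deleted."""
        self.state = "IDLE"
        self.sgsn.pdp_contexts.clear()
        self.sgsn.cell_id = self.sgsn.routing_area = None
        self.sgsn.log.append("DETACH")

    def activate_pdp(self, apn: str):
        if self.state == "IDLE":
            raise RuntimeError("PDP context activation needs an attached MS")
        self.sgsn.pdp_contexts.append(apn)
        self._touch()

    def send_packet(self):
        """Any packet transfer (re)starts the READY timer and moves STANDBY -> READY."""
        if self.state == "IDLE":
            raise RuntimeError("not attached")
        self._touch()

    def _touch(self):
        if self.state == "STANDBY":
            self.state = "READY"
            self._report_cell()
        self.ready_remaining = self.ready_timer

    def tick(self, seconds: float):
        """Advance time; READY timer expiry moves READY -> STANDBY."""
        if self.state != "READY":
            return
        self.ready_remaining -= seconds
        if self.ready_remaining <= 0:
            self.state = "STANDBY"
            self.ready_remaining = 0.0
            self.sgsn.cell_id = None     # from now on the SGSN knows only the RA

    def move_to(self, cell: Cell):
        old = self.cell
        self.cell = cell
        if self.state == "READY":
            self._report_cell()          # READY: every cell change is reported
        elif self.state == "STANDBY" and cell.routing_area != old.routing_area:
            self._report_ra()            # STANDBY: only routing area changes are reported
        # IDLE: nothing is reported, the MS is not reachable

    def _report_cell(self):
        self.sgsn.cell_id = self.cell.cell_id
        self.sgsn.routing_area = self.cell.routing_area
        self.sgsn.log.append(f"CELL_UPDATE cell={self.cell.cell_id}")

    def _report_ra(self):
        self.sgsn.routing_area = self.cell.routing_area
        self.sgsn.log.append(f"RA_UPDATE ra={self.cell.routing_area}")


def page_for_downlink(ms: GprsMobile, cells_by_ra: dict) -> list:
    """Cells the network must page to deliver downlink data to this mobile."""
    if ms.state == "READY":
        return [ms.sgsn.cell_id]                   # exact cell known, no real paging
    if ms.state == "STANDBY":
        return [c.cell_id for c in cells_by_ra[ms.sgsn.routing_area]]  # whole RA
    return []                                      # IDLE: unreachable


def demo():
    """Constructed scenario: two RAs, attach, timer expiry, RA change, new traffic."""
    ra1, ra2 = [Cell(1, "RA1"), Cell(2, "RA1")], [Cell(3, "RA2")]
    ms = GprsMobile(ra1[0], ready_timer=10)
    ms.attach()
    ms.activate_pdp("internet")
    ms.move_to(ra1[1])     # READY: cell update
    ms.tick(11)            # READY timer expires -> STANDBY
    ms.move_to(ra2[0])     # STANDBY: routing area update
    paged = page_for_downlink(ms, {"RA1": ra1, "RA2": ra2})
    ms.send_packet()       # STANDBY -> READY with a cell update
    return ms, paged
```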
The radio resource (RR) management layer handles, among other things:
• Channel assignment
• Channel release
• Channel change and handover
• Change of channel frequencies
• Hopping sequences (algorithms) and frequency tables
• Measurement reports from the MS
• Power control
• Discontinuous transmission (DTX) and discontinuous reception (DRX)
• Timing advance
• Modification of channel modes (speech and data)
• Cipher mode setting
The cipher mode is chosen by the network, not by the mobile: whether A5/1, A5/3 or no ciphering at all (A5/0) is used on a connection is visible only in the CIPHERING MODE COMMAND sent on the dedicated channel.
CHAPTER 6
CHAPTER 7
INPUT ADAPTOR
from gnuradio import gr
import grgsm


class gsm_input(grgsm.hier_block):
    # Hierarchical GNU Radio block that adapts the raw SDR sample stream for the
    # GSM receiver: it corrects the tuner's clock/frequency offset (ppm), low-pass
    # filters the result and delivers it at osr samples per GSM symbol.
    # The constructor signature is reconstructed from the parameter assignments
    # below; the block instantiations themselves are not preserved on the page.

    def __init__(self, fc, osr, ppm, samp_rate_in):
        ##################################################
        # Parameters
        ##################################################
        self.fc = fc                      # centre frequency of the captured carrier (Hz)
        self.osr = osr                    # oversampling ratio: output samples per symbol
        self.ppm = ppm                    # oscillator error of the SDR in parts per million
        self.samp_rate_in = samp_rate_in  # sample rate of the incoming stream (Hz)

        ##################################################
        # Variables
        ##################################################
        self.gsm_symb_rate = gsm_symb_rate = 1625000.0/6.0      # 270833.33 symbols/s
        self.samp_rate_out = samp_rate_out = gsm_symb_rate*osr

        ##################################################
        # Blocks
        ##################################################
        # (the instantiation of gsm_clock_offset_corrector_tagged_0 and
        #  low_pass_filter_0_0 is missing from the page)

        ##################################################
        # Connections
        ##################################################
        # ctrl_in carries the frequency-offset estimates that the corrector applies
        self.msg_connect((self, 'ctrl_in'), (self.gsm_clock_offset_corrector_tagged_0, 'ctrl'))
        # input -> clock offset corrector -> low-pass filter -> output
        self.connect((self, 0), (self.gsm_clock_offset_corrector_tagged_0, 0))
        self.connect((self.gsm_clock_offset_corrector_tagged_0, 0), (self.low_pass_filter_0_0, 0))
        self.connect((self.low_pass_filter_0_0, 0), (self, 0))

    def get_fc(self):
        return self.fc

    def get_osr(self):
        return self.osr

    def get_ppm(self):
        return self.ppm

    def get_samp_rate_in(self):
        return self.samp_rate_in

    def get_gsm_symb_rate(self):
        return self.gsm_symb_rate

    # Only the body line of this setter survives on the page; the header is
    # reconstructed. The output rate is recomputed whenever the OSR changes.
    def set_osr(self, osr):
        self.osr = osr
        self.set_samp_rate_out(self.gsm_symb_rate*self.osr)

    def set_samp_rate_out(self, samp_rate_out):
        self.samp_rate_out = samp_rate_out

    def get_samp_rate_out(self):
        return self.samp_rate_out
DECRYPTION
The decryption stage is exercised by gr-gsm's qa_decryption unit test, reproduced below as far as the page preserves it. Each test feeds ciphered bursts, together with their frame numbers and time slots, through the grgsm.decryption block with a known session key Kc and A5 version, and checks that the output equals the known plaintext bursts. Only the two 57-bit data fields of each 148-bit normal burst are ciphered, which is why the tail bits and the training sequence in the middle are identical in the input and expected bursts. Both A5/1 keys end in 0x00: with the original COMP128 algorithm the last ten bits of Kc are fixed to zero, so the effective A5/1 key length is 54 bits. The test-case class header, setUp, the framenumbers_input and timeslots_input lists, the flowgraph wiring, the first entries of every bursts_input list and the test method names are missing from the page; comments mark where they belong and the method names are reconstructed.

from gnuradio import gr, gr_unittest, blocks
import grgsm_swig as grgsm
import pmt


class qa_decryption(gr_unittest.TestCase):

    def setUp(self):
        self.tb = gr.top_block()

    def tearDown(self):
        self.tb = None

    def test_001_a5_1(self):
        # framenumbers_input = [...]   (not on the page)
        # timeslots_input = [...]      (not on the page)
        bursts_input = [
            # ... earlier entries not on the page ...
            "0001100001000111100111101111100101000100101011000010011110011101001111101100010100111111100000110100011111101011101100100111110011000100010001010000",
            "0001000101000000001001111110000110010110110111110111101000001101001111101100010100111111001110001001110101110001010001000111011010010001011011000000",
            "0001001101101101000111001000101011001101001110110001001100111101001111101100010100111111111001001010011010011111010010010101011001001011011100110000",
            "0000010010100000001001101010100001011100010001101100111111101101001111101100010100111111101101001110100010101110010110101111100010010000110010110000"
        ]
        bursts_expected = [
            "0000010111000110010001010000000101010011110101100000100000011101001111101100010100111111010110110000000001101110000101000000000101000100011000110000",
            "0000010110101100010100111101011001000000000101010011000100001101001111101100010100111111011001101001110000100001000110000000101100010111100111010000",
            "0000011110110111011011100001010000000000110100100000100001001101001111101100010100111111100010000000000000001101000000100000010011001110100000010000",
            "0000011000010001000000001101000001001001000010001000000000001101001111101100010100111111000010110001001110000000110111001110010000010111000111001000"
        ]
        key = [0x32, 0xE5, 0x45, 0x53, 0x20, 0x8C, 0xE0, 0x00]
        a5_version = 1
        # flowgraph wiring (burst source -> grgsm.decryption -> burst sink) not on the page
        self.tb.run()
        self.assertEqual(framenumbers_input, framenumbers_result)
        self.assertEqual(timeslots_input, timeslots_result)
        self.assertEqual(bursts_expected, bursts_result)

    def test_002_a5_1(self):
        # framenumbers_input, timeslots_input not on the page
        bursts_input = [
            # ... earlier entries not on the page ...
            "0000111101111110011111000111000100110100001101100001000110011000110101110010000011010111010110101100100010011000000100111010001000011000010010010000",
            "0001010010001100110000000111100110101111001001101111000000101000110101110010000011010111001101001101000001000001110101101100101111010011001000111000",
            "0001110111101000110100001111000010100001101011000001010010011000110101110010000011010111101110000011100010110110101010100101010011011111111001000000",
            "0001111011000100011010100010000110001101111001000110010100001000110101110010000011010111000100101011110110000100110110001110010011110110110101100000"
        ]
        bursts_expected = [
            "0001100000010010011110111110011111000000001010001111000000001000110101110010000011010111100101101010000001111010100010110111101011101011100000101000",
            "0001000101111101111110000010100001011011111010111110101011101000110101110010000011010111110110111101101111110000011011010111011111001011101000011000",
            "0000001000011110111110101011001000110000000000110110101100011000110101110010000011010111001010100101011111001000111100000100000111111000000101110000",
            "0001101010111110010001010110101100000011101100011111110100101000110101110010000011010111111000000001010010111001111111011001000000001001000011101000"
        ]
        key = [0xAD, 0x6A, 0x3E, 0xC2, 0xB4, 0x42, 0xE4, 0x00]
        a5_version = 1
        # flowgraph wiring not on the page
        self.tb.run()
        self.assertEqual(framenumbers_input, framenumbers_result)
        self.assertEqual(timeslots_input, timeslots_result)
        self.assertEqual(bursts_expected, bursts_result)

    def test_003_a5_3(self):
        # framenumbers_input, timeslots_input not on the page
        bursts_input = [
            # ... earlier entries not on the page ...
            "0001111001001110001101111101111111110100011010101100100001011101001111101100010100111111101101011110100011101111001000110110100101101011110010100000",
            "0001111000110011010110000111010010100101001100111011000001011101001111101100010100111111000100101000001011010001100000010100011000011111001111011000",
            "0000000110100101110010011101101100101110001100000000101001011101001111101100010100111111100100100010110110111011010101010001001100010100100100111000",
            "0000011100111011101010000111001010010001100110011011100101011101001111101100010100111111101110110100101101010100111101000000111001011011100010101000"
        ]
        bursts_expected = [
            "0001000000000010100111000010010101001010011110010010101110011101001111101100010100111111011010111010111100110000011100111010001010100010100110000000",
            "0000101110001111011110100111101010000000101101101011101001011101001111101100010100111111010110100111001100100011000100100011110101001010110001001000",
            "0000001111011010110111000100111111000011001010100011000110011101001111101100010100111111100111100010011100000010110011100001101000000000000011001000",
            "0000011011100010001000101000101010010011010000100011110011001101001111101100010100111111010100100010010100111010101110001101101110101110011100101000"
        ]
        key = [0x41, 0xBC, 0x19, 0x30, 0xB6, 0x31, 0x8A, 0xC8]
        a5_version = 3
        # flowgraph wiring not on the page
        self.tb.run()
        self.assertEqual(framenumbers_input, framenumbers_result)
        self.assertEqual(timeslots_input, timeslots_result)
        self.assertEqual(bursts_expected, bursts_result)

    def test_004_a5_3(self):
        # framenumbers_input, timeslots_input not on the page
        bursts_input = [
            # ... earlier entries not on the page ...
            "0001001000010110001000001101001010100000011100011011110101011101001111101100010100111111010000100000100101101111000010001100001000100101100101010000",
            "0000011101010011010110101000011011101010100001011001100011001101001111101100010100111111000110011001110101110111000100101001111100110100011011011000",
            "0000000000110011000001110101110101111011011111000111101001011101001111101100010100111111101100010011010000010001101101000110000011011000011100011000",
            "0000000001110011001010110101100110100111110010000101001011111101001111101100010100111111101110001101111111001001001000101101010110010101010110100000",
        ]
        bursts_expected = [
            "0001101100011001110111101010110000001111000010110011000110101101001111101100010100111111100010000011100010101001010110101100001111101111110010011000",
            "0001101001110110000111000011111110011011001001101010011000001101001111101100010100111111110010001001001001101011111010010100100011100110110000011000",
            "0001000001110000001011101010011010010100010010100110010010001101001111101100010100111111010011011101010110100000111111011111100000010100000111000000",
            "0000001000001010010001010000101011101100100100001010011101111101001111101100010100111111000001001001100100101010000011101010100001110000100000001000"
        ]
        key = [0xAD, 0x2C, 0xB3, 0x83, 0x2F, 0x4A, 0x6C, 0xF1]
        a5_version = 3
        # flowgraph wiring not on the page
        self.tb.run()
        self.assertEqual(framenumbers_input, framenumbers_result)
        self.assertEqual(timeslots_input, timeslots_result)
        self.assertEqual(bursts_expected, bursts_result)


if __name__ == '__main__':
    gr_unittest.run(qa_decryption, "qa_decryption.xml")
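The unit test above checks grgsm.decryption against fixed vectors but does not show what the block actually computes for A5/1. As an added example (not gr-gsm's code and not part of this report), here is A5/1 in plain Python, written to follow the widely circulated reference implementation and its published test vector: three LFSRs of 19, 22 and 23 bits, key and COUNT loading, 100 mixing clocks under majority clocking, then 114 keystream bits for the downlink and 114 for the uplink. The Kc byte order and the MSB-first packing of the output follow that reference implementation; other tools load Kc in a different byte order, so check any decryptor against a known vector before trusting its output. The fn_to_count mapping from a TDMA frame number to the 22-bit COUNT (T1, T3, T2) is the one used by A5 in GSM; decrypt_burst_data and its sample input are constructed for the example.

```python
"""A5/1 keystream generation and burst payload decryption (added example)."""

# Register lengths 19, 22, 23 bits; bit 0 is the newest bit, the MSB is the output bit.
R1MASK, R2MASK, R3MASK = 0x07FFFF, 0x3FFFFF, 0x7FFFFF
R1MID, R2MID, R3MID = 1 << 8, 1 << 10, 1 << 10          # clocking (majority) taps
R1TAPS, R2TAPS, R3TAPS = 0x072000, 0x300000, 0x700080   # feedback taps
R1OUT, R2OUT, R3OUT = 1 << 18, 1 << 21, 1 << 22         # output bits


def _parity(x: int) -> int:
    return bin(x).count("1") & 1


class A51:
    def __init__(self, kc: bytes, count: int):
        """Initialise with the 64-bit session key Kc and the 22-bit COUNT."""
        if len(kc) != 8:
            raise ValueError("Kc must be 8 bytes")
        if not 0 <= count < (1 << 22):
            raise ValueError("COUNT must fit in 22 bits")
        self.r1 = self.r2 = self.r3 = 0
        for i in range(64):               # load Kc: byte 0 first, LSB of each byte first
            self._clock_all()
            self._xor_in((kc[i >> 3] >> (i & 7)) & 1)
        for i in range(22):               # then the 22-bit frame count, LSB first
            self._clock_all()
            self._xor_in((count >> i) & 1)
        for _ in range(100):              # 100 mixing clocks, output discarded
            self._clock()

    def _xor_in(self, bit: int):
        self.r1 ^= bit
        self.r2 ^= bit
        self.r3 ^= bit

    @staticmethod
    def _step(reg: int, mask: int, taps: int) -> int:
        return ((reg << 1) & mask) | _parity(reg & taps)

    def _clock_all(self):
        """Regular clocking used only while loading key and count."""
        self.r1 = self._step(self.r1, R1MASK, R1TAPS)
        self.r2 = self._step(self.r2, R2MASK, R2TAPS)
        self.r3 = self._step(self.r3, R3MASK, R3TAPS)

    def _clock(self):
        """Majority clocking: a register moves only if its clocking bit agrees with the majority."""
        b1, b2, b3 = bool(self.r1 & R1MID), bool(self.r2 & R2MID), bool(self.r3 & R3MID)
        maj = (b1 + b2 + b3) >= 2
        if b1 == maj:
            self.r1 = self._step(self.r1, R1MASK, R1TAPS)
        if b2 == maj:
            self.r2 = self._step(self.r2, R2MASK, R2TAPS)
        if b3 == maj:
            self.r3 = self._step(self.r3, R3MASK, R3TAPS)

    def _bit(self) -> int:
        return _parity(self.r1 & R1OUT) ^ _parity(self.r2 & R2OUT) ^ _parity(self.r3 & R3OUT)

    def keystream(self):
        """Return (downlink_bits, uplink_bits): 114 keystream bits each, as lists of 0/1."""
        out = []
        for _ in range(228):
            self._clock()
            out.append(self._bit())
        return out[:114], out[114:]


def fn_to_count(fn: int) -> int:
    """Map a TDMA frame number to the 22-bit COUNT = T1 (11 bits) | T3 (6 bits) | T2 (5 bits)."""
    t1, t2, t3 = fn // 1326, fn % 26, fn % 51
    return (t1 << 11) | (t3 << 5) | t2


def pack_bits(bits) -> bytes:
    """Pack a bit list MSB-first into bytes (the layout of the reference test vector)."""
    out = bytearray((len(bits) + 7) // 8)
    for i, b in enumerate(bits):
        out[i >> 3] |= b << (7 - (i & 7))
    return bytes(out)


def decrypt_burst_data(data_bits, kc: bytes, fn: int, downlink: bool = True):
    """XOR the 114 payload bits of a normal burst with the A5/1 keystream for frame fn.

    Encryption and decryption are the same operation, so applying this twice
    with the same Kc and frame number returns the original bits.
    """
    if len(data_bits) != 114:
        raise ValueError("a normal burst carries 114 ciphered payload bits")
    dl, ul = A51(kc, fn_to_count(fn)).keystream()
    ks = dl if downlink else ul
    return [d ^ k for d, k in zip(data_bits, ks)]
```

The published vector for this construction is Kc = 12 23 45 67 89 AB CD EF with COUNT 0x134; the downlink keystream packs to 53 4E AA 58 2F E8 15 1A B6 E1 85 5A 72 8C 00 and the uplink to 24 FD 35 A3 5D 5F B6 52 6D 32 F9 06 DF 1A C0 (the last byte of each holds only two significant bits, since 114 bits is 14 bytes plus two bits).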
CHAPTER 8
RESULT
GSM common control channels (CCCHs) carry information from the network to the mobile stations (MSs) and give the mobiles a way to access the network. The CCCHs covered here are the paging channel (PCH), random access channel (RACH), access grant channel (AGCH) and cell broadcast channel (CBCH). None of these channels is ciphered, so a passive receiver such as the one built in this project can read the paging messages, including the TMSI or IMSI each one addresses.
Direct Transfer Application Part (DTAP), also called GSM L3, carries the layer-3 messages (mobility management and call control) between the MSC and the MS (mobile station); the BSS relays these messages transparently without interpreting their contents.
New radio products can be brought to market quickly because they reuse a common platform architecture implemented in software.
Military: - Software defined radio is used in the US military's Joint Tactical Radio System (JTRS) programme. A single hardware platform communicates with any of several waveforms simply by configuring the software for the required application, which gives flexible and interoperable communications.
Amateur and home use: - Amateur radio SDRs use a direct-conversion receiver; the SDR software performs all the remaining functions such as filtering and demodulation.
Satellite modems: - Satellite modems for the defence and commercial markets use programmable processing devices for the signal processing of baseband or intermediate-frequency signals.
Cellular handsets: - Handsets use system-on-chip (SoC) devices that incorporate a programmable DSP for baseband signal processing.