The GSM system

History
In the beginning of the 1980s several different systems for mobile communications were
developed in Europe. The need for a common system that allowed roaming between countries
was early recognized. In 1982 a number of European countries created a new standardization
organisation called ``Groupe Speciale Mobile'' (GSM). The mandate of this group was to
develop a standard to be common for the countries that created it. In 1988 the GSM was included
in the European Telecommunication Standards Institute (ETSI), and the standards developed by
GSM thus became standards for all telecommunication administrations in Europe.

The main work with the GSM took place from 1988 - 1990 and resulted in 12 series of
specifications that in great detail specified the inner workings of GSM. In 1990, when phase 1 of
the specifications was finished, there were three dominating automatic systems for mobile
communications in the world [20] :

 American AMPS from 1984, with networks in the US.

 British TACS from 1985, with network in Britain.
 Nordic NMT from 1981, with networks in the nordic countries.

Unlike these systems, the GSM is a fully digital system, allowing both speech and data services
and allowing roaming across networks and countries. These features made GSM a very popular
system, not only in european countries but also elsewhere. The term GSM has been chosen as a
trademark for the system, meaning ``Global System for Mobile communications'', whereas the
group within ETSI working with the standards has been renamed SMG (Special Mobile Group).
Today GSM is the largest system for mobile communications in the world, and exist on all
continents. From 1995, the specifications of GSM has moved into phase 2.

Overview of the GSM system

The GSM system is specified in 12 series of specifications. For phase 1, these specifications
constitute over 4000 pages. Although much of the information in the specifications is redundant,
it is impossible for most people to learn the GSM system from the specifications. It will therefore
be given a short overview of the GSM system in this thesis, as well as the details necessary to
understand the proposed solution to the location problem. For further reading, the books [20] and
[27] give good understanding of the inner workings of the GSM system without moving into too
great detail.

Entities of the GSM system

  
Figure:  Entities of the GSM system.

The GSM system consists of a number of separate entities [11]. These are shown in figure .
The entities are connected through interfaces with their own names according to the
specifications, these names are shown on the figure. In the following, each of the different
entities will be described.

The Mobile Station

The Mobile Station (MS) is the user equipment in GSM. The MS is what the user can see of the
GSM system, the cellular phone itself. Production of Mobile Stations is done by many different
manufacturers, and there will almost always be a wide range of different Mobile Stations in a
mobile network. Therefore the specifications specify the workings of the MS in great detail. On
the radio interface the specifications series 05 specify the workings of the link-level, defining the
frequencies and the access methods between the MS and the network. Series 04 specifies the
higher layers of the radio-interface, defining signalling procedures for call control, and
information exchange. The radio-interface will be described in . In order to verify the
conformal of the specifications by Mobile Stations, equipment must obtain type approval from
the standardization body [17].

The MSs in GSM are independent from networks-providers. The identity of the subscriber is
obtained from a SIM (Subscriber Identity Module) that has to be inserted into the MS to make it
work. The SIM contains the IMSI (International Mobile Subscriber Identity) which uniquely
intentifies the subscriber to the network. It also contains information necessary to encrypt the
connections on the radio interface. The MS itself is identified by an IMEI (International Mobile
Equipment Identity), which can be obtained by the network upon request. Without the SIM, calls
to and from the mobile station is not allowed. This has one exception. Calls to the international
emergency number, 112, is allowed without the SIM [27].

The Base Transciever Station

The Base Transciever Station (BTS) is the entity corresponding to one site communicating with
the Mobile Stations. Usually, the BTS will have an antenna with several TRXs (radio
transcievers) that each communicate on one radio frequency. The link-level signalling on the
radio-channels is interpreted in the BTS, whereas most of the higher-level signalling is
forwarded to the BSC and MSC (see ). Speech and data-transmissions from the MS is recoded
is the BTS from the special encoding used on the radio interface ( ) to the standard 64 kbit/s
encoding used in telecommunication networks. Like the radio-interface, the Abis interface
between the BTS and the BSC is highly standardized ([10] and others), allowing BTSs and BSCs
from different manufacturers in one network.

The Base Station Controller

Each Base Station Controller (BSC) control the magnitude of several hundred BTSs. The BSC
takes care of a number of different procedures regarding call setup, location update and handover
for each MS. The handover control procedures will come especially into focus in this thesis. It is
the BSC that decides when handover is necessary. This is accomplished by analyzing the
measurement results that are sent from the MS during a call and ordering the MS to perform
handover if this is necessary. The continous analyzing of measurements from many MSs requires
considerable computational power. This put strong constraints on the design of the BSC.

The Mobile Switching Centre

The Mobile Switching Centre is a normal ISDN-switch with extended functionality to handle
mobile subscribers. The basic function of the MSC is to switch speech and data connections
between BSCs, other MSCs, other GSM-networks and external non-mobile-networks. The MSC
also handles a number of functions assosiated with mobile subscribers, among others
registration, location updating and handover. There will normally exist only a few BSCs per
MSC, due to the large number of BTSs connected to the BSC. The MSC and BSCs are
connected via the highly standardized A-interface [10]. However, due to the lack of
standardization on Operation and Mangement protocols, network providers usually choose
BSCs, MSCs and Location Registers from one manufacturer.

The Location Registers

With each MSC, there is associated a Visitors Location Register (VLR). The VLR can be
associated with one or several MSCs. The VLR stores data about all customers who are roaming
withing the location area of that MSC. This data is updated with the location update procedure
initiated from the MS through the MSC, or directly from the subscriber Home Location Register
(HLR). The HLR is the home register of the subscriber. Subscribtion information, allowed
services, authentication information and localization of the subscriber are at all times stored in
the HLR. This information may be obtained by the VLR/MSC when necessary. When the
subscriber roams into the location area of another VLR/MSC, the HLR is updated. At mobile
terminated calls, the HLR is interrogated to find which MSC the MS is registered with. Because
the HLR is a centralized database that need to be accessed during every call setup and data
transmission in the GSM network, this entity need to have a very large data transmission
capacity. [28] suggests a scheme for distributing the data in the HLR in order to reduce the load.

The communication between MSC, VLR and HLR is done using the MAP (Mobile Application
Part) of the Signalling System 7. The MAP is defined in [16] and will be further discussed in .

The Equipment Identity Register  

The Equipment Identity Register (EIR) is an optional register. Its purpose is to register IMEIs of
mobile stations in use. By implementing the EIR the network provider can blacklist
malfunctioning MSs or even receive reports to the operations centre when stolen mobile stations
are used to make calls.

Services
The services in GSM can be categorized in two main groups [20]:

 Tele services
 Bearer services

The bearer services are parted into nine groups of transparent and non-transparent data-
transmission services. Since the data-transmission capabilities of GSM is of little relevance to
our problem, it will not be further discussed here.

The tele-services group consists of the basic speech transmission, the point-to-point short
message service and the broadcast short message service. The speech transmission resembles
normal telephony. Speech is digitalized in the Mobile Station, coded and sent across the radio-
channel. In the network, the speech is recoded to the A-law coding used in telephone networks.

The point-to-point short message service let the user send short messages to other users. These
messages are relayed via a Short Message Centre (SMC), whose address has to be coded in the
MS. Short messages may be sent separately or concurrently with speech transmission [27].

The broadcast short message service let the network provider define short messages on a cell-by-
cell basis that are sent to all the Mobile Stations in that cell. Although this service is not widely
used, some providers use it to broadcast information about the cell the MS is currently camping
on. As this is position-specific it has some relevance to the MSL problem.
In addition to these services, some supplementary services are defined. These include call
forwarding, blocking of outgoing and incoming calls. The supplementary services are generally
of little relevance to the location problem.

Cells and location areas

In GSM it is distinguished between cells and location areas. A cell is defined as the area in which
one can communicate with a certain base station. In other words, the cell is related to the BTS.
When not communicating, the MS does not need to actively announce a shift from one cell to
another. If the MS is enganged in communication, a handover must be performed in order to
change from one cell to another.

A location area is the area assosiated with one VLR. On networks where there is a one-one
mapping between MSCs and VLRS, the location area corresponds to the area controlled by one
MSC. On a change of location area, the MS need to perform a location update in order to register
its presence in the new VLR and erase its presence in the old VLR. In this case, the HLR also
needs to be updated. If the MS is engaged in communication, a handover must be performed
between the different MSCs. Note that handover between MSCs belonging to different network-
providers is impossible.

 
Figure:  A possible cell configuration.

Figure shows a possible cell configuration within one location area [20]. The use of a number
of small cells within one large operating on different frequencies is typical. The small cells will
take the majority of the traffic, while the large cell will cover all the ``holes'' between the small
cells. Different cell-types can be classified according to their coverage dimension. This
classification is summarized in table .

 
Table:  Different cell-types
 Cell type Antenna location Cell Dimension (km)
Large macrocell Above rooftop level 3-30
Small macrocell Above rooftop level 1-3
Microcell Below or about rooftop level 0.1-1
Picocell Below rooftop level 0.01-1
Nanocell Below rooftop level 0.01-0.001

Identification
An important part of the location problem is the problem of finding where in the network the MS
resides. It is therefore necessary to have an overview of the different types of identification and
adressing that are specified in GSM.

Identification of subscribers  

 
Figure:  Structure of the IMSI.

Each mobile subscriber is identified by an International Mobile Subscriber Identity [8]. As

shown in figure the IMSI is composed my a 3-digit Mobile Country Code (MCC) which
identifies the country, a 2-digit Mobile Network Code (MNC) which identifies the GSM network
within that country, and a MSIN of up to 10 digits. The MSIN uniquely identifies the subscriber
within one network, and the MNC+MSIN (called National Mobile Subscriber Identity, NMSI)
identifies the subscriber within a country. The MCCs are given in [3], the MNCs are
administered by the telecommunications administration in each country. During registration, the
network can assign a Temporary Mobile Subscriber Identity, TMSI to the subscriber. The TMSI
consists of 4 octets.
  
Figure:  Structure of the MSISDN.

In addition to the IMSI, all mobile subscribers need an international isdn-number (MSISDN) so
it can be reached from the international phone network. This number follows the ITU-T E.164
[4] recommendation as seen in figure . It consists of the Country Code (CC), the National
Destination Code (NDC) and the subscriber number (SN).

When an external call is routed towars a Mobile Station, the VLR assigns a Mobile Station
Roaming Number (MSRN) to the MS. This number is an international significant ISDN number
similar to MSISDN. The NDC of this number points to the area in which the relevant MSC is
located. The CC, NDC and first parts of SN digits of the MSRN uniquely identify the MSC the
MS is registered with [8].

Identification of areas

 
Figure:  Structure of the LAI and CGI.

Areas and cells are identified using Location Area Identificaitons (LAI) and Cell Global
Identifications (CGI) [8]. The composition of these are shown in figure . The MCC and MNC
are similar to the codes used in the IMSI. Within each network, there will be a set of location
areas identified with the Location Area Code (LAC) which is a fixed two-octet number. The Cell
Identity identifies the cell within a Location Area and is also a fixed two-octet number. The full
CGI globally identifies a cell.

 
Figure:  Structure of the BSIC.
Each base-station also has its own BSIC, this code is at all times transmitted on the broadcast
channel, so the Mobile Stations can distinguish between base stations. The BSIC is composed of
a 3-bit Network Colour Code (NCC) and a 3-bit Base station Colour Code. The NCC is assigned
to each network provider so the MS can sort out which base-stations it is allowed to camp on.
The NCC of different providers must be different, also in national border-areas. A scheme for
this is given in the appendix of [8]. The BCCs of each base stations are assigned by the network
operator, and must be assigned such that no neighbour stations have equal BCC and thus equal
BSIC.

Identification of mobile equipment

 
Figure:  Structure of the IMEI.

Each Mobile Station is identified by the International Mobile Equipment Identification as shown
in figure . The IMEI consists of a Type Approval Code (TAC) which identifies the type of
mobile equipment, and that is has been type approved according to [17]. The Final Assembly
Code (FAC) identifies the place of the final assembly of the unit. The SNR is the serial number
of the unit in question, and the spare digit is 0.

Identification of network equipment

Each equipment entity in the network is assigned its own identity according to [9]. Although
mandatory, these identities will be implementation specific as will be discussed in . It is worth
mentioning at this point that the network equipment usually can be identified uniquely by other
identification codes. The HLR can be uniquely identified by the first digits in the MSISDN or the
IMSI. The MSRN uniquely identifies the MSC and the VLR. The LAI is enough to identify the
VLR, whereas the CGI identifies MSC, BSC and BTS uniquely. It is also worth to note that the
BSIC not identifies a base station uniquely unless there is information about how the BSIC was
obtained.
The radio interface  
The radio interface in GSM uses a combination between frequency (FDMA) and time (TDMA)
multiplexing. The frequency division in GSM 900 allocates 125 frequencies in each direction for
GSM. The uplink (MS to BTS) frequencies is in the area 890 - 915 MHz and the downlink (BTS
to MS) frequencies in the are 935-960 MHz. The carrier frequencies are separated with 200 kHz
on each side. The frequencies are allocated in pair, so that each uplink/downlink pair is separated
with exactly 45 MHz.

 
Figure:  The synchronization of TDMA frames.

Each of the carrier frequencies are divided into 8 logical channels, using TDMA. A TDMA
frame contains one time-frame from each of the eight channels, and lasts 4.615 ms. The time-
frames from each channel lasts 0.577 ms [20]. The total bitrate for all 8 channels is 270.833
kbit/s, whereas the bitrate for each channel is 22.8 kbit/s [20].

In order to get the TDMA scheme to work, the time-frames from each mobile station must be
synchronized when received by the BTS (see figure ). This synchronization is achieved by
using the concept of Timing Advance (TA), defined in [13]. The degree of synchronization is
measured by the BTS on the uplink, by checking the position of the training sequence. This
training sequence is mandatory in all frames transmitted from the MS. From these
measurements, the BTS can calculate the Timing-Advance and send it back to the MS in the first
downlink transmission. From the TA value received from the BTS, the MS know when to send
the frame, so that it can arrive at the BTS in synchronism. The values of the TA is continously
calculated and transmitted to the MS during the lifetime of a connection.
The TA can take values from to . These values are coded by 6 bits, where [13] defines 0
to be no timing-advance, and 63 to be the maximum timing advance. This gives a time-
difference of .

Signalling  
In order to be able to implement Mobile Station Location (MSL) in a GSM network, it is very
important to understand the signalling protocols and procedures used in GSM. In this section, an
overview of the signalling protocols and some important signalling sequences will be given.

MS-BSS-MSC

 
Figure:  Signalling protocols from MS via BTS and BSC to MSC.

Figure shows an overview of the signalling protocols in the GSM network between the entities
MS and MSC [20]. Above the lower layers in the BSS, is the Radio Resources Protocol (RR).
This protocol deals with the allocation, deallocation and parameters of the radio-channel and is
crucial in the setup of all communication with the MS. Above this layer is the Mobility
Management (MM) and Circuit Mode Connection Call Protocol (CM or CC). The MM deals
with administration of localization and handover. The CM administrates the setup and
termination of calls. There also exist protocols between the different entities in the network
intended for network internal messages. These are BTS Management protocol (BTSM) across
the Abis interface and the BSSAP (BSS Application Part) across the A interface. The BSSAP is
divided into BSSMAP (BSS Management Application Part) and DTAP (Direct Transfer
Application Part). The lower layers of the A interface are the transport layers of the ITU-T
signalling system 7, SCCP and MTP [10].

MAP and ISUP

All functional signalling between the MSCs, the VLRs, the HLR and the EIR uses the Mobile
Application Part protocol (MAP). The MAP is a beast of a protocol specified in the 784 pages
long GSM 09.02 [16]. MAP includes all signalling procedures required for location updates,
localization of customers and many other functions that are special for mobile networks. To be
compatible with external networks, call setup is normally performed by ISUP (ISDN User Part)
[29]. The ISUP is defined in [1]. Both MAP and ISUP use the transport protocols in the SS7, the
MTP and the SCCP, defined in [2] and successors.

Call setup  
To get an idea of the complexity of the signalling procedures and show some of the signals that
later will be used, the complete signal-sequence for a mobile-terminated call will be shown here.
Diagram shows the signalling sequence between the ISDN network and the GSM network.

 
Figure:  Signalling between ISDN and GSM at a mobile terminated call setup.
As we can see on diagram , the procedure starts when the Gateway MSC (GSMC) receives the
ISUP IAM message from the remote network. The GMSC must then ask the HLR for a roaming
number using MAP procedures. Further, the HLR sends this request to the VLR, which assigns a
roaming number to the IMSI in question, and returns it. The GMSC can now forward the call
setup request (IAM) to the MSC the MS in question is registered with. When the setup between
the MSC and the MS is finished, the user is alerted (the cell phone is ringing) and a notification
of this is sent to the caller via the ISUP ACM. When the receiver accepts the call, the ISUP ANU
is sent to the caller, and the connection is established.
  
Figure:  Signalling between the MSC and the MS.
Figure shows in detail what happens between the MSC and the MS. The paging request is sent
out on all the base stations in the location area. When the MS discovers that it is being paged it
requests a channel on the radio interface, and the BSC assigns one. When the channel is active,
the MS sends the PAG RESP indicating that it has been paged, and is ready to answer the
paging. When the MSC receives this, it commences with authentication of the MS. The
authentication parameters received from the MS must be checked with the HLR, thus the MSC
requests these from the HLR with the ``Send Parameters'' request. Meanwhile, encryption can be
initiated with the CIPH MODE signals. If the authentication was successful, the call setup is sent
to the MS, which responds with the CALL CONF, where its indicated if the MS can respond this
call type. If this is successful, a traffic channel is allocated with the ASS signals, and the call
commences with alerting and connection. Optionally, the MSC can request the MS for its IMEI,
and check if it is blacklisted in the EIR. This is shown in figure .

Handover  
Handover procedures are defined for each of the following cases:

 Intra-cell handover. The connections is transferred to another channel on the same BTS.
 Intern inter-cell handover. The connection is transferred to another BTS on the same
BSC.
 MSC intern handover. The connection is transferred between BTSs belonging to two
different BSCs within one MSC.
 MSC extern handover. The connection is transferred to a BTS within another MSC.

The decision to perform a handover is made in the BSC. At all times during a connection, the
MS send reports for received signal level for all the BTSs it can receive. These reports are sent to
the BTS using the MEAS REP signal in the RR protocol. The reporting of measurements are
normally sent over every SACCH frame, which is every 480 ms. If the SACCH is used for other
transmissions, at least every second SACCH frame is to be used for measurement reports [18] .
This means that the measurements are updated at least once a second. These reports are usually
not analyzed in the BTS, but forwarded directly to the BSC using the MEAS RES signal in the
BTSM protocol. Based on these measurements, the BSC can initiate the handover procedure.
Figure shows the signalling sequence when performing an intern inter-cell handover.

 
Figure:  Intern inter-cell handover.
The figure shows that the procedure starts by allocating the channel in the new BTS. The BSC
then orders the MS over to the new channel by sending the HANDO CMD. The MS immediately
switches to the new BTS and starts transmitting HANDO ACC on the new channel. When this is
detected, the PHY INF message containing the physical information about the channel is sent,
and the layer 2 connection can be established with the SABM - UA sequence. The handover is
complete, and the previous radiochannel can be released. If the MS does not get any answer after
transmittng HANDO ACC on the new channel for some time, it will return to the old channel.
For this reason, the BSC cannot release the old channel before the handover is completed.

The Operations and Management system  

GSM Q3 and proprietary protocols
Operations and Management systems are extremely important in GSM networks. When an
operator extends its network in order to establish coverage over large areas, the network can
quickly grow to contain tenths or even hundreds of thousands of entities. An operations and
management system ties the management of all these entities together into one or several
Operations and Management Centres. Through such systems, the operator can configure
switches, add new base-stations, perform software maintenance, add subscribers and perform
many other tasks.
Unfortunately, the GSM-specifications does not specify a detailed protocol suite for Operations
and Maintenance purposes. But the series 12 of the specifications give an outline for an
Operations and Maintenance protocol. It also dictates many O&M-functions that must be
implemented in GSM-equipment [12]. The protocols defined in the 12-series is called GSM Q3
and builds on the ITU-T specified Telecommunication Management Network (TMN) specified
in [5].

Most manufacturers of GSM network equipment use their own proprietary protocol in their
O&M implementation. Therefore, the network operators must either choose all network
components from one manufacturer, or there must exist one Operations & Management Centre
(OMC) for each equipment type. However, all proprietary implementations of OM protocols
must follow the principles given in GSM Q3, and it is thus possible to find general solutions to
operations and management problems in the GSM Q3 specification.

The O&M trace function  

Subscriber tracing is a compulsory O&M function described in GSM specification 12.08 [19].
Several different trace types exist:

 Tracing of a native subscriber in home network

 Tracing of a native subscriber roaming in other networks
 Tracing of a foreign subscriber in home network
 Tracing of equipment based on IMEI.

A trace is activated by sending the TRACE_ACTIVATION message from the OMC in question
to the HLR or a VLR. In this message the subscriber to be traced is identified by the IMSI, and a
number of parameters to identify the trace type, the OMC id and others is given. If the trace
activation is sent to the HLR, the HLR will send a MAP_ACTIVATE_TRACE_MODE to the
VLR the subscriber is registered with, if any. The VLR will in turn inform the MSC using
MAP_TRACE_SUBSCRIBER_ACTIVITY which in turn will inform the BSC using the
BSSMAP MSC_INVOKE_TRACE message. The complete trace activation procedure is
outlined in figure

 
Figure:  Signalling on trace activation.
After the trace activation, the entities of the GSM system will report all datas relevant to the
traced subscriber to the OMC. The contents of the reports are defined in [19], and can include:

 IDs for MSC, BSC, BTS and TRX

 cell and location IDs.
 All radio measurements received from the MS
 Actual TA used on the link
 All parameters leading to handover

It can be specified in the trace invocation, that the trace shall continue on handover. In this case,
the BSC will inform the new base station that trace is invoked when handover is performed. The
OMC will then receive trace reports from the new BSC after the handover.

The trace procedures have a number of important applications relating to the management of
subscribers in a GSM network. As it will be discovered, the trace procedures are useful for
implementing Mobile Station Location.