Introduction
Have you ever wondered how you can turn off your cellphone, fly 2000 miles and possibly into a foreign country, then turn your cellphone back on and still get calls to the same phone number? Or how you can drive for an hour in one direction and talk with the same person the whole way? Well, the answer lies with the incredibly complex interactions happening behind the scenes, starting with your phone and ending in one of the most complicated computer networks ever created, if not the most complicated.
GSM, the Global System for Mobile communication, is a series of wireless protocols that allow for voice, data, and multimedia communication using standard protocols and connections to a variety of wired networks.
Development on the original GSM specifications began in 1982, though it took nine years for the first commercial GSM network to begin operation. Prior to this, fledgling mobile networks used incompatible protocols and equipment that made wide-area coverage difficult and expensive. Efforts began at the 1982 CEPT conference, where the GSM Standards body, Groupe Spécial Mobile, was formed to develop a European standard in order to help the industry by bringing down equipment costs and increasing efficiency. This group was later renamed to Global System for Mobile Communication, but retained its previous acronym.
After the creation of the basic technologies for GSM networking in 1987 and 1989, CEPT gave over management of the GSM group to ETSI, The European Telecommunication Standards Institute, and in 1998 the Third Generation Partnership Project took control of the management of GSM standards.
In 1990, eight years after the group was formed, phase one of the GSM standard was finished, and provided for basic voice and data services in the 1800 MHz spectrum. This was to be followed later by the GSM phase 2 standards, which expanded data and messaging capabilities, and continues to expand with the GSM phase 2+ standards, also known as GPRS/EDGE service.
The practical upshot of all of this for you, including the eventual adoption of the GSM standard by the United States, is that in theory, your GSM cellphone, aircard, or external modem will work anywhere in the world if you can sign up for service with the local carriers. The upshot for the industry is of course economies of scale - all the hardware and components involved are much cheaper when everyone's using the same stuff!
Terminology, Jargon, and Basic Components
Discussion of GSM technology and components on even a rudimentary level requires some specialized jargon. Rather than listing a bunch of acronyms in an index, we will cover most of it by way of a thorough explicative rundown of components and their purpose in a hopefully easy to digest narrative.
GSM networks consist, at the coarsest level, of a subscriber and a network. The subscriber is a device capable of accessing the network, and consists of hardware (whether a phone, modem, etcetera) and a SIM, Subscriber Identity Module, most commonly seen in the form of a SIM card or chip. The network is, well, the network - a series of entities starting with the individual cell antenna and terminating in either another subscriber, the POTS, or the Internet, depending on who is being called or what services are being accessed by the originating subscriber (MOC).
The subscriber pair, the hardware/SIM combo, is most commonly encountered in the form of a cellphone and a SIM card provided by a network operator, also known as a phone company, such as AT&T, Roshan, eeZee, Vodafone, and possibly thousands of others. The hardware carries a unique number, called an IMEI (International Mobile Equipment Identity), which is unique to every piece of GSM hardware, and the SIM carries a similar number called an IMSI (International Mobile Subscriber Identity). It is important to note that the IMSI is not the phone number!
The IMSI, however, does provide a lot of other useful peripheral information. It is used by the network to determine the subscriber's home network, among other things. It is very important for the basic function of GSM service for the network to know where your home network is, because there is certain information (covered later) that is only available, or has to be double-checked with, components of the subscriber's home network. Otherwise, it would be VERY easy to make fake SIM cards and reprogram phones to get free service!
Both of these numbers (IMEI and IMSI) are used by the network to identify the subscriber to determine whether or not it has permission to use the network, and if so, what services it is allowed to access, and who to bill the charges to. They are also important, of course, to make sure your phone rings no matter where you are, though we'll cover that later.
GSM networks operate on four different bands worldwide: 800, 850, 900, 1800, and 1900 MHz, which are called GSM Bands, or just bands. When you see references to, for example, a GSM 850/900 network, or a quad band capable phone, it's referencing these frequency ranges. Basically, North America uses 850/1900 and everyone else in the world uses 900/1800. Some particular exceptions are Hong Kong, which uses primarily an 850/900 network, and, well, almost all of South America, which uses a confusing assortment of frequencies. A quad band phone typically covers the four major bands, 850/900/1800/1900, to enable at least basic access almost anywhere in the world. There are, however, many bands that see limited or special purpose use - the complete band specification can be found in the appendix at the end of this writeup.
Network Components - the BSS
The first, and really only, piece of the network that you will ever likely encounter physically is the cell tower. The tower itself may be a tower, a palm tree, a light fixture - any structure will do, since the only purpose is to hold up the important bits - the BTSs, Base Transceiver Stations. They are nothing more or less complicated than transceivers of varying size and power on the appropriate band. A tower may have as few as one single BTS, or many, many BTSs depending on the topography of the network and the desired coverage area. It is not unusual to see transceivers for several technologies grouped together on a single structure - GSM, CDMA, WiMAX, etcetera.
Cell networks are so named because of the way network coverage is laid out - like cells in a honeycomb. The BTSs each have a specific coverage footprint, varying from omnidirectional transceivers with a radius of a kilometer or more, to very carefully calibrated pie slices, down to the new "pico" BTSs that have a range of as little as a few meters in order to serve a single building or even room. There are very, very well-paid engineers whose job it is to shape and aim each BTS to give the maximum coverage with the minimum cost.
For example, since each BTS can only transmit at a certain maximum power, it makes more sense to use different footprint shapes in different applications. If you were trying to cover a small town, you might be able to use a single omnidirectional antenna on a tall tower in the center of town. But, if you were trying to cover a remote highway, omnidirectional antennas would be wasting power to cover huge swaths of empty wasteland - you could get away with using far fewer BTSs with a 180 degree footprint transmitting at the same power, placed to cover the largest chunks of highway possible. A quick visual is Figure 1, below.
                .....
              .'     '.                       180 degree
             :         :                     coverage area
             :    0    :             .........0.........
   ----------:---------:------------:-------------------:----------
              '.     .'              '.               .'
                '''''                  '''''''''''''''''
            Omnidirectional
             coverage area
Fig. 1; Simulated highway coverage area for omni and 180-degree BTSs at same transmit power
Things get quite a bit more complicated when planning coverage for a metropolitan area, where you have to take into account traffic patterns, population densities, RF interference, terrain masking, weekend schedules for commuters, business districts, and a dizzying array of other factors. Consider this: Most networks have reserve BTSs that are turned on at scheduled peak traffic times. For example, they may bump up total serving BTSs in a city between 5am and 10am, noon to 2pm, and 4pm to 6pm, to accommodate the peak traffic as people wake up, call in sick or late, get stuck in traffic, have lunch, and commute home.
Each individual BTS is given its own identifying number, called a Cell Identifier. This CI is used to identify each unique transceiver, and therefore area of coverage, by the network, and is used to route calls and data.
One or more BTSs are connected to a BSC, or Base Station Controller, which does most of the actual hardware/software control for transmission and receiving. For the purposes of this writeup, we will omit further mention of BSCs and refer to the BTS/BSC subsystems simply as BTSs.
BTSs are connected by the thousands to an MSC, a Mobile Switching Service Center. The BTS/MSC combo is known as the Base Station Subsystem, BSS. The easiest way to explain the BSS is to say that the BTSs are simply antennas for the MSC, which is the real brains of the BSS.
Physically, an MSC usually looks like an outbuilding or utility box, and can be as small as a shipping container - in some cases, even smaller. They contain loads of electronic equipment, power supplies, backup power provisions (battery and usually generators too), redundant equipment - basically, they are designed to be as self-contained as possible.
The MSC receives the dialed digits, routes calls, and processes requests from both mobile and landline callers. There are also two types of MSC - a Serving MSC (SMSC) and a Gateway MSC (GMSC). There is typically only one GMSC per network, and it is the GMSC through which all communication to or from anywhere outside the network must travel. For example, calls from a landline in Singapore enter a given Panamanian GSM network through that network's GMSC, and are routed to the correct mobile subscriber from there.
Each MSC is responsible for all traffic in its area of responsibility, which is known as a Local Area, or LA. Each LA in a network has a code - the LAC. The LA of an MSC is simply all of the areas that are covered by its BTS footprints, which, as you will remember, are denoted by individual CI numbers.
Now we have one of the basic building blocks of GSM network routing - the LAC plus the CI. Internally, the LAC plus the CI identifies any specific BTS and its coverage area. This is how the network knows which antenna to route a call through for a given subscriber, no matter where they are, physically, in the network.
The LAC plus the CI can be further pinned down by using two other numbers - the Mobile Country Code (MCC) which is unique to every country, and the MNC, the Mobile Network Code, which is unique to every provider. These numbers are used by GSM networks to route calls into and out of any other network, and have a specific name when combined - the Public Land Mobile Network number, or PLMN. Every single service provider has a unique PLMN.
All of the identifiers combined, MCC + MNC + LAC + CI, are known as a Global Cell Identifier. The comprehensive nature of the GCI is how the Panamanian GMSC knows where to direct the Singaporean landline call.
Network Component Review: The picture so far...
Mobile Subscriber   <--->      BSS      <--->        NSS
  Device (IMEI) +             BTS +             EVERYTHING ELSE
  SIM (IMSI)                  MSC
arrows denote flow of communication
Network Components - the NSS
The NSS is the most complicated portion of the network, since the part we've covered so far - the BSS - is basically a front end, while the NSS does all the heavy lifting and most of the data tracking.
There are many, many parts to a typical NSS, and most of them will not be covered here. We will focus on the core components only, with perhaps brief mentions of other services.
The very heart of the NSS is the Home Location Register, the HLR, a database that contains the information of every single subscriber that is allowed to access the GSM network. Remember the IMSI that is stored in your SIM card? The HLR tracks which IMSIs are allowed to access the network, and the IMSI is the "key" to each entry. That is to say, all subscriber data is tracked by the IMSI.
Another key piece of information held by the HLR is the MSISDN for each IMSI. The Mobile Subscriber Integrated Services Digital Network Number - quite a mouthful - in plain English is, well, a phone number. Thus, the HLR is responsible for keeping track of which phone number or numbers go to which IMSI. That's why you can put a SIM card in any compatible phone, and still have it ring when your phone number is dialed.
One of the major functions of the MSISDN is so that the GSM networks can interface with other phone systems. The MSISDN is composed of several sets of numbers - the Country Code, the Destination Code, and the Subscriber Number. The CC is used to connect to the correct country from anywhere in the world, and the DC identifies the PLMN of the correct HLR. The Subscriber Number is what you probably know as your phone number, or "domestic number", without any of the prefixes necessary when dialing from overseas.
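The identifier structure just described (IMSI, PLMN, LAC + CI, MSISDN), worked in Python as an added example; this is not code from the original writeup. It uses one fact the writeup only implies: an IMSI begins with the home network's MCC and MNC, which is how the network reads the home PLMN off the SIM. The set of MCCs that use 3-digit MNCs and the CC/DC lengths passed to parse_msisdn are assumptions for illustration.

```python
from dataclasses import dataclass

# Added example, not the writeup's code. An IMSI starts with the home
# network's MCC (3 digits) and MNC (2 or 3 digits, decided per MCC); the
# remainder is the subscriber part (MSIN). Which MCCs use 3-digit MNCs is
# assumed here for illustration (North American codes); real code would
# consult the ITU/3GPP MCC-MNC list.
THREE_DIGIT_MNC_MCCS = {"302", "310", "311", "312", "313", "314", "315", "316"}


@dataclass(frozen=True)
class PLMN:
    """Public Land Mobile Network number: MCC + MNC, unique per provider."""
    mcc: str
    mnc: str

    def __str__(self) -> str:
        return self.mcc + self.mnc


@dataclass(frozen=True)
class GlobalCellId:
    """MCC + MNC + LAC + CI: pins down one BTS footprint anywhere in the world."""
    plmn: PLMN
    lac: int
    ci: int

    def __str__(self) -> str:
        return f"{self.plmn.mcc}-{self.plmn.mnc}-{self.lac}-{self.ci}"


def parse_imsi(imsi: str) -> tuple[PLMN, str]:
    """Split an IMSI into (home PLMN, MSIN); rejects malformed input."""
    if not imsi.isdigit() or not 6 <= len(imsi) <= 15:
        raise ValueError("IMSI must be 6 to 15 decimal digits")
    mcc = imsi[:3]
    mnc_len = 3 if mcc in THREE_DIGIT_MNC_MCCS else 2
    return PLMN(mcc, imsi[3:3 + mnc_len]), imsi[3 + mnc_len:]


def is_roaming(imsi: str, serving: PLMN) -> bool:
    """True when the serving network is not the SIM's home PLMN, i.e. the
    home HLR/AuC has to be consulted for this subscriber."""
    home, _ = parse_imsi(imsi)
    return home != serving


def make_gci(plmn: PLMN, lac: int, ci: int) -> GlobalCellId:
    """LAC and CI are 16-bit fields in GSM signalling; reject anything wider."""
    for name, value in (("LAC", lac), ("CI", ci)):
        if not 0 <= value <= 0xFFFF:
            raise ValueError(f"{name} out of range: {value}")
    return GlobalCellId(plmn, lac, ci)


def parse_msisdn(msisdn: str, cc_len: int, dc_len: int) -> dict[str, str]:
    """Split an international MSISDN into Country Code, Destination Code and
    Subscriber Number. CC and DC lengths vary by country, so the caller
    supplies them; the lengths used in the test below are assumptions."""
    digits = msisdn.lstrip("+")
    if not digits.isdigit() or len(digits) > 15 or len(digits) <= cc_len + dc_len:
        raise ValueError("MSISDN must be at most 15 digits and longer than CC + DC")
    return {"cc": digits[:cc_len],
            "dc": digits[cc_len:cc_len + dc_len],
            "sn": digits[cc_len + dc_len:]}
```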
The HLR also tracks what services the subscriber is allowed to use, such as Internet access, multimedia texting, and other add-on features that vary per provider.
Another connected and very closely related NSS system is the Visitor Location Register, or VLR. The VLR temporarily stores the most important data from the HLR for each of the phones that are currently in the LAC. There is one VLR per MSC, to allow quick access to that data, which consists of the IMSI, MSISDN, list of services allowed, HLR address of each subscriber, and the "triplets", a set of checksums that are used to authenticate the SIM card.
The triplets are generated by an extremely important part of the NSS, the Authentication Center, known as the AuC. When a phone connects to a network, the AuC authenticates the SIM card by a cryptographic process involving checksums of a secret number that is held in the SIM and also in the AuC. This number is known as Ki. Ki is never transmitted anywhere, even when trying to authenticate on an entirely separate network. Instead, the AuC of the subscriber's home network will generate the triplets, and send them to the requesting AuC. Meanwhile, the cellphone generates the same triplets and sends them to the MSC, which compares the "official" triplets with the ones generated by the MS. If they match, the MSC and AuC allow the HLR and/or VLR to proceed with the authorization and registration process.
Let's try to make some sense of all of this, and take a look at:
Network Component Review: The picture so far...
MS               BTS/MSC/VLR             HLR               AuC
 1. ------------->X
                   2. ------------------>X
                                          3. ------------->X
                                                            3a. <----> (home AuC)
                  X<--------------------------------------- 4.
 <--------------->5.
                  X<-------------------- 6.
arrows denote flow of communication
Fig. 2, components involved in accessing a GSM network
1. An MS (hardware + SIM) is powered on, and connects to an available tower. It passes its information (IMEI + IMSI) to the MSC and asks for service.
2. The MSC queries the HLR for the information associated with the IMSI passed to it by the MS.
3. The HLR asks the AuC if the SIM card is legitimate or not. The AuC generates the triplets based on the secret value, Ki, associated with that IMSI and the real SIM card.
3a. If this is not the home network for that IMSI, the AuC will ask the home network's AuC for some triplets.
4. Whichever way they are generated, the AuC will forward the triplets to the MSC.
5. The MSC asks the MS for its answer, and compares it to the correct answer from the AuC. If they match, the MS is authenticated, and allowed onto the network.
6. From here, the HLR passes the information to the VLR, where it is kept in order to provide service. The MS is now registered, and simply waits to either send or receive data such as calls, text messages, etcetera.
There are of course many other components, and some parts of this explanation have been simplified. There are, for example, further verification procedures for the IMEI: at the same time that it sends the IMSI to the AuC, the HLR sends the IMEI to the Equipment Identity Register, which checks it against a list of stolen and cloned phones. The encryption/authentication process used to generate the triplets is also quite a bit more complicated than has been explained here, and is indeed worthy of its own writeup.
The above process, called registration, is not necessary except when changing to another network or after the initial registration expires, after a time determined by the network (typically 24 hours). Each GSM device constantly monitors for the best available BTS, based on signal strength and other parameters that are beyond the scope of this writeup. If the GSM device "sees" a better BTS, it is free to jump to it without any further authentication except a location update if changing to a different LAC - the home network is not notified (if roaming), no more triplets are generated, etcetera. Since an incoming call will be "paged" to the entire LAC, function is not affected (see below for the call making/receiving processes).
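A model of the triplet exchange from Fig. 2, as an added example rather than code from the original writeup. The SIM's real secret-keyed algorithm is operator-specific and not described on this page, so HMAC-SHA256 keyed with Ki stands in for it (an assumption); the point is that only triplets and a challenge/response cross the network, never Ki, and that a SIM with the wrong Ki or an IMSI unknown to the home AuC is refused.

```python
import hashlib
import hmac
import os

# Added example, not the writeup's code. HMAC-SHA256 keyed with Ki stands in
# for the SIM's secret-keyed algorithm (assumption). From a random challenge
# RAND it yields the signed response SRES and the session key Kc; the tuple
# (RAND, SRES, Kc) is one triplet.
def sim_algorithm(ki: bytes, rand: bytes) -> tuple[bytes, bytes]:
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]          # SRES (4 bytes), Kc (8 bytes)

WIRE: list[tuple[str, str, bytes]] = []      # every (sender, receiver, payload) transmitted

def send(src: str, dst: str, payload: bytes) -> bytes:
    WIRE.append((src, dst, payload))
    return payload

class AuC:
    """Home Authentication Center: apart from the SIM, the only holder of Ki."""
    def __init__(self, ki_by_imsi: dict[str, bytes]) -> None:
        self._ki = ki_by_imsi

    def triplet(self, imsi: str) -> tuple[bytes, bytes, bytes]:
        rand = os.urandom(16)
        sres, kc = sim_algorithm(self._ki[imsi], rand)   # KeyError if IMSI unknown
        return rand, sres, kc

class SIM:
    def __init__(self, imsi: str, ki: bytes) -> None:
        self.imsi, self._ki = imsi, ki

    def answer(self, rand: bytes) -> bytes:
        sres, self.kc = sim_algorithm(self._ki, rand)   # Kc derived locally, never received
        return sres

class MSC:
    """Serving MSC/VLR, possibly in a visited network; it compares, it never learns Ki."""
    def __init__(self, home_auc: AuC) -> None:
        self.home_auc, self.vlr = home_auc, {}

    def register(self, sim: SIM) -> bool:
        send("MS", "MSC", sim.imsi.encode())                         # step 1
        try:
            rand, expected, kc = self.home_auc.triplet(sim.imsi)     # steps 2-4 (3a if roaming)
        except KeyError:
            return False
        send("AuC", "MSC", rand + expected + kc)
        sres = sim.answer(send("MSC", "MS", rand))                   # step 5: challenge ...
        if not hmac.compare_digest(send("MS", "MSC", sres), expected):   # ... and compare
            return False
        self.vlr[sim.imsi] = kc                                      # step 6: VLR keeps what it needs
        return True

def demo() -> dict[str, bool]:
    imsi, ki = "262011234567890", os.urandom(16)                   # constructed subscriber
    msc = MSC(AuC({imsi: ki}))
    results = {
        "genuine": msc.register(SIM(imsi, ki)),
        "clone_wrong_ki": msc.register(SIM(imsi, os.urandom(16))),
        "unknown_imsi": msc.register(SIM("262019999999999", ki)),
    }
    results["ki_on_wire"] = any(ki in payload for _, _, payload in WIRE)
    return results
```

Note that nothing in this exchange proves to the MS that the network it is talking to is genuine; the authentication runs one way only.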
Typical GSM Operations
Receiving a Call when on the Home Network
MS          BTS/MSC/VLR          HLR          GMSC          OUTSIDE NETWORK
                                               X<------------- 1.
                                  <----------> 2.
             X<------------------------------- 3.
 X<--------- 4.
arrows indicate flow of communication
Fig. 3, Receiving a Call when on the Home Network
1. A call originating outside of the network, whether from another carrier, or from a landline, enters the network through the Gateway MSC. It is routed there by the CC and DC, derived from the MSISDN that was dialed (see above).
2. The GMSC asks the destination phone's home HLR which MSC the destination phone is on.
3. The GMSC passes the call to the MSC/VLR that has the destination phone registered as per Fig. 2, see above.
4. The MSC/VLR sends out a "page" to the phone through the BTS, to let it know it has a call.
Receiving a Call when Roaming
MS     BTS/MSC/VLR     HLR     GMSC     HOME HLR     HOME GMSC     OUTSIDE NETWORK
                                                      X<------------- 1.
                                         <----------> 2.
                                X<------------------- 3.
          X<------------------- 4.
 X<------ 5.
arrows indicate flow of communication
Fig. 4, Receiving a Call when Roaming
1. The outside network passes the call to the home network's GMSC, as derived from the MSISDN that was dialed to make the call (see above).
2. The home GMSC asks the home HLR what MSC the phone is on.
3. The home GMSC forwards the call to the roaming GMSC, which reported in to the home network during the registration process (see fig. 2, step 3a, above).
4. The roaming GMSC forwards the call to the MSC/VLR that has the phone registered as per Fig. 2, see above.
5. The MSC/VLR sends out a "page" to the phone through the BTS, to let it know it has a call.
Placing a Call
MS          BTS/MSC/VLR          HLR          GMSC          OUTSIDE NETWORK
 1. ------->X
             2. ---------------------->X
                                        3. ---------->X
arrows indicate flow of communication
Fig. 5, Placing a Call
1. The MS makes a call by sending it through the MSC to which it is registered.
2. The MSC decodes the MSISDN that the MS is trying to call. If the MSISDN belongs to an outside network, it passes the call to the Gateway MSC.
3. The GMSC forwards the call to the appropriate network.
Note: If the MSISDN decodes to a same-network phone, the MSC will query the home HLR directly to find out which MSC the destination phone is on; it then follows the same steps as either Figure 3 or Figure 4 above, depending on whether or not the destination phone is roaming.
Final Thoughts
As you can see, what seems simple enough - turning on your phone and getting a few bars - is actually a fairly complicated process that can span across dozens of complicated systems and networks. This writeup skipped or glossed over several concepts, such as BTS selection criteria, link monitoring, MS detaching, detailed roaming procedures, location updates, and even several network systems that handle things like SMS/MMS and Voicemail services.
Also omitted was the complex system of radio links that are transmitted and received between the MS and the BTS - nearly a dozen channels, some of which are one-way, some of which are duplex, some of which use randomized timing, some of which are Time Division Multiple Access, etcetera.
For further reading, I suggest the following links:
http://www.3GPP.org/
http://www.gsmworld.com/
Appendix
GSM Bands
System     | Band Range | Uplink (MHz)   | Downlink (MHz) | Channel number(s)
-----------+------------+----------------+----------------+------------------
T-GSM-380  | 380        | 380.2–389.8    | 390.2–399.8    | dynamic
T-GSM-410  | 410        | 410.2–419.8    | 420.2–429.8    | dynamic
GSM-450    | 450        | 450.6–457.6    | 460.6–467.6    | 259–293
GSM-480    | 480        | 479.0–486.0    | 489.0–496.0    | 306–340
GSM-710    | 710        | 698.2–716.2    | 728.2–746.2    | dynamic
GSM-750    | 750        | 747.2–762.2    | 777.2–792.2    | 438–511
T-GSM-810  | 810        | 806.2–821.2    | 851.2–866.2    | dynamic
GSM-850    | 850        | 824.2–849.2    | 869.2–894.2    | 128–251
P-GSM-900  | 900        | 890.0–915.0    | 935.0–960.0    | 1–124
E-GSM-900  | 900        | 880.0–915.0    | 925.0–960.0    | 975–1023, 0–124
R-GSM-900  | 900        | 876.0–915.0    | 921.0–960.0    | 955–1023, 0–124
T-GSM-900  | 900        | 870.4–876.0    | 915.4–921.0    | dynamic
DCS-1800   | 1800       | 1710.2–1784.8  | 1805.2–1879.8  | 512–885
PCS-1900   | 1900       | 1850.2–1909.8  | 1930.2–1989.8  | 512–810
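The channel numbers in the table above map to carrier frequencies by simple arithmetic; the Python below, an added example and not part of the original writeup, encodes that mapping for the bands with fixed channel numbers, using the per-band base frequencies and duplex spacings from 3GPP TS 45.005. It also shows why a channel number alone does not identify a frequency: 512 is a valid ARFCN in both DCS-1800 and PCS-1900, and 0 to 124 are shared by the three 900 MHz variants.

```python
# Added example, not from the writeup. Per band, each segment gives
# (first ARFCN, last ARFCN, uplink carrier in kHz at the first ARFCN);
# carriers are 200 kHz apart and the downlink sits a fixed duplex spacing
# above the uplink. Integer kHz avoids floating-point drift. Bands marked
# "dynamic" in the table (T-GSM-*, GSM-710) have no fixed mapping and are
# omitted. Base values and spacings are taken from 3GPP TS 45.005.
BANDS: dict[str, tuple[list[tuple[int, int, int]], int]] = {
    "GSM-450":   ([(259, 293, 450_600)], 10_000),
    "GSM-480":   ([(306, 340, 479_000)], 10_000),
    "GSM-750":   ([(438, 511, 747_200)], 30_000),
    "GSM-850":   ([(128, 251, 824_200)], 45_000),
    "P-GSM-900": ([(1, 124, 890_200)], 45_000),
    "E-GSM-900": ([(0, 124, 890_000), (975, 1023, 880_200)], 45_000),
    "R-GSM-900": ([(0, 124, 890_000), (955, 1023, 876_200)], 45_000),
    "DCS-1800":  ([(512, 885, 1_710_200)], 95_000),
    "PCS-1900":  ([(512, 810, 1_850_200)], 80_000),
}
CHANNEL_SPACING_KHZ = 200


def arfcn_to_mhz(band: str, arfcn: int) -> tuple[float, float]:
    """Return (uplink MHz, downlink MHz) for an ARFCN in the named band."""
    segments, duplex = BANDS[band]
    for first, last, uplink_at_first in segments:
        if first <= arfcn <= last:
            uplink = uplink_at_first + CHANNEL_SPACING_KHZ * (arfcn - first)
            return uplink / 1000, (uplink + duplex) / 1000
    raise ValueError(f"ARFCN {arfcn} is not defined in {band}")


def bands_for_arfcn(arfcn: int) -> list[str]:
    """All bands in which this channel number is defined. More than one hit
    means the band must be known from elsewhere before the number can be
    turned into a frequency."""
    return sorted(name for name, (segments, _) in BANDS.items()
                  if any(first <= arfcn <= last for first, last, _ in segments))


def band_edges_mhz(band: str) -> tuple[float, float, float, float]:
    """(lowest uplink, highest uplink, lowest downlink, highest downlink)
    carrier in a band. The appendix lists band edges rather than carrier
    centres, so its figures can differ from these by up to 0.2 MHz."""
    pairs = [arfcn_to_mhz(band, n)
             for first, last, _ in BANDS[band][0] for n in (first, last)]
    return (min(u for u, _ in pairs), max(u for u, _ in pairs),
            min(d for _, d in pairs), max(d for _, d in pairs))
```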