DownLink is the communication channel from the operator's base station to the subscriber.
UpLink is the communication channel from the subscriber to the operator's base station.

Standard 4G/LTE Frequency 2500

This type of communication has been developing relatively recently and mainly in cities.


FDD (Frequency Division Duplex) - DownLink and UpLink operate on different frequency bands.
TDD (Time division duplex) - DownLink and UpLink operate on the same frequency band.

Yota: FDD DownLink 2620-2650 MHz, UpLink 2500-2530 MHz
Megafon: FDD DownLink 2650-2660 MHz, UpLink 2530-2540 MHz
Megafon: TDD 2575-2595 MHz - this frequency band is allocated only in the Moscow region.
MTS: FDD DownLink 2660-2670 MHz, UpLink 2540-2550 MHz
MTS: TDD 2595-2615 MHz - this frequency band is allocated only in the Moscow region.
Beeline: FDD DownLink 2670-2680 MHz, UpLink 2550-2560 MHz
Rostelecom: FDD DownLink 2680-2690 MHz, UpLink 2560-2570 MHz
After Megafon acquired Yota, Yota effectively began to operate like Megafon.

Standard 4G/LTE Frequency 800

The network was launched into commercial operation at the beginning of 2014, mainly outside the city, in rural areas.

UpLink/DownLink (MHz)

Rostelecom: 791-798.5 / 832-839.5
MTS: 798.5-806 / 839.5-847.5
Megafon: 806-813.5 / 847-854.5
Beeline: 813.5-821 / 854.5-862

Standard 3G/UMTS Frequency 2000

3G/UMTS2000 is the most common cellular communication standard in Europe and is mainly used for data transmission.


UpLink/DownLink (MHz)

Skylink: 1920-1935 / 2110-2125 (in the end these frequencies will most likely go to Rostelecom; the network is not currently in use)
Megafon: 1935-1950 / 2125-2140
MTS: 1950-1965 / 2140-2155
Beeline: 1965-1980 / 2155-2170

Standard 2G/DCS Frequency 1800

DCS1800 is the same GSM, only in a different frequency band, and is used mainly in cities. There are, however, regions where the TELE2 operator operates only in the 1800 MHz band.

UpLink 1710-1785 MHz and Downlink 1805-1880 MHz

There is no particular point in showing the division between operators, because the frequency distribution is individual to each region.

Standard 2G/DCS Frequency 900

GSM900 is the most common communication standard in Russia today and is considered a second-generation (2G) standard.

There are 124 channels in GSM900. In every region of the Russian Federation, GSM frequency ranges are distributed between operators individually. E-GSM exists as an additional (extended) GSM frequency range; it is shifted in frequency from the base range by 10 MHz.

GSM900: UpLink 890-915 MHz and DownLink 935-960 MHz

E-GSM: UpLink 880-890 MHz and DownLink 925-935 MHz

Standard 3G Frequency 900

Because of the shortage of channels in the 2000 MHz band, 900 MHz frequencies were allocated for 3G. It is actively used in the regions.

Standard CDMA Frequency 450

CDMA450 - in the central part of Russia, this standard is used only by the SkyLink operator.

UpLink 453-457.5 MHz and DownLink 463-467.5 MHz.

Introduction

Among modern mobile radio communication systems, cellular radiotelephone systems are developing most rapidly. Their introduction made it possible to use a dedicated radio frequency band economically by transmitting messages on the same frequencies in different cells and to increase the throughput of telecommunication networks. These systems are built on the cellular principle of frequency reuse across the service territory and are designed to provide radio communications to a large number of subscribers with access to the PSTN.

The use of modern information technologies allows subscribers of such networks to be provided with high-quality voice messaging, reliable and confidential communications, protection against unauthorized access to the network and a very wide range of other services. Currently, in the field of radio communications with mobile objects, both analog standards (NMT-450, NMT-900, AMPS, etc.) and digital standards (GSM-900, GSM-1800, GSM-1900, D-AMPS, and others) are widely used. The most successfully developed mobile technologies are those related to the GSM standard. Compared to other digital cellular standards, GSM provides the best energy and quality characteristics of communication and the highest security and confidentiality characteristics. The GSM standard also provides a number of communication services that are not implemented in other cellular standards.

The purpose of this graduation project is to design a fragment of a DCS-1800 cellular communication system for the operator "Astelit" and to assess the electromagnetic compatibility of this system.


1.1 Description and main characteristics of the GSM standard

The use in Western European countries of a number of analogue cellular communication standards, which are incompatible with each other and have significant disadvantages in comparison with digital standards, has led to the need to develop a single pan-European digital cellular standard GSM-900. It ensures high quality and confidentiality of communications and allows you to provide subscribers with a wide range of services. The standard allows for the possibility of organizing automatic roaming. As of July 1999, the share of GSM-900 subscribers was approximately 43% in the world, and more than 85% in Western Europe.

The GSM standard is also known as DCS (Digital Cellular System) or PCN (Personal Communications Network); there is also a modification of the GSM-900 standard for the 1800 MHz band, the GSM-1800 standard. Compared to the others, the GSM standard includes the most complete set of services.

Cellular networks of the GSM standard are initially designed as high-capacity networks designed for the mass consumer and designed to provide a wide range of services to subscribers when using communications both inside buildings and on the street, including when traveling by car.

The GSM standard uses TDMA, which allows 8 voice channels to be placed simultaneously on one carrier frequency. The speech coder is an RPE-LTP codec (regular pulse excitation with long-term prediction) with a speech conversion rate of 13 kbit/s.

To protect against errors occurring in radio channels, block and convolutional coding with interleaving is used. Increased coding and interleaving efficiency at low MS speeds is achieved by slowly switching operating frequencies during a communication session at a rate of 217 hops per second.

To combat interference fading of received signals caused by multipath propagation of radio waves in urban conditions, communication equipment uses equalizers that ensure equalization of pulse signals with a standard deviation of the delay time of up to 16 μs. The equipment synchronization system is designed to compensate for the absolute signal delay time of up to 233 μs. This corresponds to a maximum communication range of 35 km (maximum cell radius).

Spectrally efficient Gaussian minimum shift keying (GMSK) is used to modulate the radio signal. Speech processing in this standard is carried out within the framework of the DTX (Discontinuous Transmission) system.

The GSM standard achieves a high degree of message transmission security; messages are encrypted using a public-key encryption algorithm (RSA).

In general, a communication system operating in the GSM standard is designed for use in various fields. It provides users with a wide range of services and the ability to use a variety of equipment for transmitting voice and data messages, call and emergency signals, and for connecting to the public switched telephone network (PSTN), packet data networks (PDN) and integrated services digital networks (ISDN).

Below are the main characteristics of the GSM standard:

  • MS transmit / BTS receive frequencies, MHz: 890–915;
  • MS receive / BTS transmit frequencies, MHz: 935–960;
  • Duplex spacing between receive and transmit frequencies, MHz: 45;
  • Message transmission rate in the radio channel, kbit/s: 270.833;
  • Speech codec conversion rate, kbit/s: 13;
  • Communication channel bandwidth, kHz: 200;
  • Maximum number of communication channels: 124;
  • Modulation type: GMSK;
  • Modulation index: BT = 0.3;
  • Pre-modulation Gaussian filter bandwidth, kHz: 81.2;
  • Number of frequency hops per second: 217;
  • Maximum cell radius, km: up to 35;
  • Channel organization scheme: combined TDMA/FDMA;
  • Required carrier/interference ratio: 9 dB.
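The channel plan above (200 kHz channels, 45 MHz duplex spacing, 124 channels in 890–915 MHz, the E-GSM extension 10 MHz below it, and DCS1800 in 1710–1785 / 1805–1880 MHz) and the 233 μs delay budget that gives the 35 km cell radius can be checked with a few lines of arithmetic. The following is an added example, not code from the page or from any project it describes; the ARFCN numbering (GSM900 1..124, E-GSM 0 and 975..1023, DCS1800 512..885) is the standard GSM one and is assumed here, since the page quotes the frequency ranges but not the channel numbers.

```python
"""GSM channel-plan and timing calculations (added example).

The ARFCN-to-frequency rules are the standard GSM ones: 200 kHz channel
spacing, 45 MHz duplex for GSM900/E-GSM and 95 MHz duplex for DCS1800.
The ARFCN ranges are an assumption taken from the GSM specification,
not figures given on this page.
"""

CHANNEL_SPACING_MHZ = 0.2                 # 200 kHz channel bandwidth
SPEED_OF_LIGHT_KM_PER_US = 0.299792458    # km travelled per microsecond


def arfcn_to_freq(arfcn: int) -> tuple[str, float, float]:
    """Return (band, uplink_MHz, downlink_MHz) for an absolute RF channel number.

    GSM900:  ARFCN 1..124,   uplink 890.2..914.8 MHz, downlink = uplink + 45
    E-GSM:   ARFCN 975..1023 and 0, the 10 MHz extension below GSM900
    DCS1800: ARFCN 512..885, uplink 1710.2..1784.8 MHz, downlink = uplink + 95
    """
    if 1 <= arfcn <= 124:
        ul = 890.0 + CHANNEL_SPACING_MHZ * arfcn
        return "GSM900", round(ul, 1), round(ul + 45.0, 1)
    if arfcn == 0 or 975 <= arfcn <= 1023:
        # ARFCN 0 sits at 890.0 MHz; 975..1023 continue below it
        ul = 890.0 + CHANNEL_SPACING_MHZ * (arfcn - 1024 if arfcn else 0)
        return "E-GSM", round(ul, 1), round(ul + 45.0, 1)
    if 512 <= arfcn <= 885:
        ul = 1710.2 + CHANNEL_SPACING_MHZ * (arfcn - 512)
        return "DCS1800", round(ul, 1), round(ul + 95.0, 1)
    raise ValueError(f"ARFCN {arfcn} is outside GSM900/E-GSM/DCS1800")


def channels_in_band(low_mhz: float, high_mhz: float) -> int:
    """Number of 200 kHz carriers strictly inside a band.

    The first carrier centre is one channel spacing above the band edge and
    the last one channel spacing below it, so 890-915 MHz yields 124 channels.
    """
    return int(round((high_mhz - low_mhz) / CHANNEL_SPACING_MHZ)) - 1


def max_cell_radius_km(max_delay_us: float) -> float:
    """Cell radius implied by the largest round-trip delay the timing system can absorb.

    The signal must travel out and back, so the one-way distance is half the
    delay times the speed of light: 233 us gives roughly 35 km.
    """
    return max_delay_us * SPEED_OF_LIGHT_KM_PER_US / 2


if __name__ == "__main__":
    for n in (1, 124, 0, 975, 512, 885):
        print(n, arfcn_to_freq(n))
    print("GSM900 channels:", channels_in_band(890.0, 915.0))
    print("DCS1800 channels:", channels_in_band(1710.0, 1785.0))
    print("radius for 233 us:", round(max_cell_radius_km(233.0), 1), "km")
```

`channels_in_band` reproduces the 124 channels quoted for GSM900 and gives 374 for DCS1800; `max_cell_radius_km(233.0)` returns just under 35 km, which is where the page's maximum cell radius comes from.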

GSM network equipment includes mobile (radio telephones) and base stations, digital switches, control and maintenance center, various additional systems and devices. Functional interconnection of system elements is carried out using a number of interfaces. The block diagram (Figure 1.1) shows the functional structure and interfaces adopted in the GSM standard.

Figure 1.1 – Block diagram of a GSM network


An MS consists of equipment designed to give GSM subscribers access to existing communication networks. Within the GSM standard, five classes of MS are defined: from the class 1 model with an output power of up to 20 W, installed in vehicles, to the class 5 model with a maximum output power of up to 0.8 W (Table 1.1). When transmitting messages, adaptive adjustment of the transmitter power is provided, ensuring the required quality of communication. MS and BTS are independent of each other.

Table 1.1 – Classification of GSM mobile stations

Each MS has its own International Identification Number (IMSI) stored in its memory. Each MS is also assigned a second identification number, the IMEI, which is used to deny access to GSM networks to a stolen station or a station that is not authorized to use them.

The BSS equipment consists of a base station controller (BSC) and the transceiver base stations (BTS) themselves. One controller can control several stations. It performs the following functions: control of radio channel distribution; monitoring connections and adjusting their order; providing the frequency-hopping operating mode; modulation and demodulation of signals; encoding and decoding of messages; speech encoding; adaptation of the transmission rate for speech, data and call signals; and control of the order in which paging messages are transmitted.

The TCE transcoder provides conversion of the output signals of the MSC voice and data channel (64 kbit/s) to a form that complies with the GSM recommendations for the air interface (13 kbit/s). The transcoder is usually located together with the MSC.

The SSS switching subsystem equipment consists of the mobile switching center (MSC), the home location register (HLR), the visitor location register (VLR), the authentication center (AUC) and the equipment identity register (EIR).

The MSC serves a group of cells and provides all types of MS connections. It provides an interface between the mobile network and fixed networks such as the PSTN, PDN and ISDN, and provides call routing and call control functionality. In addition, the MSC performs radio channel switching functions, which include handover, which ensures continuity of communication as the MS moves from cell to cell, and switching of operating channels within a cell when interference or a malfunction occurs. Each MSC serves subscribers located within a specific geographic area. The MSC manages call setup and routing procedures. Towards the PSTN it provides SS No. 7 signalling functions, call transfer and other kinds of interfaces. The MSC also generates billing data, compiles statistics, and supports security procedures for access to the radio channel.

The MSC also manages both location registration and handover procedures in the base station subsystem. Handover between cells controlled by one BSC is carried out by that BSC. If a call is transferred between two networks controlled by different BSCs, primary control lies with the MSC. The GSM standard also provides a procedure for transferring a call between controllers (networks) belonging to different MSCs.

The MSC continuously tracks the MS using two registers: the HLR (home location register) and the VLR (visitor location register).

The HLR stores the part of an MS's location information that allows the MSC to deliver a call. This register contains the mobile subscriber's identification number (IMSI), which is used to identify the MS to the authentication center (AUC), as well as the data necessary for normal operation of the GSM network.

Beginners do not understand the games played by the standards developers. It would seem that GSM uses the frequencies 850, 1900, 900 and 1800 MHz, so what more is there to say? The quick answer: read the Phone Instructions section below. The inadequacy of the generally accepted interpretation will be shown there. The problem comes down to the following points:

  1. The second generation of cellular communications 2G gave rise to a lot of standards. The world knows three epicenters that set the rhythm: Europe, North America, Japan. Russia adopted the standards of the first two, changing them.
  2. The family tree of standards is constantly expanding.
  3. International versions of standards are intended to unify the disparate rules of individual countries. Direct implementation is often impossible: governments change their legislative frameworks and fix their own frequency plans.

The above explains the origins of beginners’ misunderstanding of the problem. Returning clarity to the issue, let’s build a simplified hierarchy of standards, indicating the frequencies used along the way.

Genealogy of standards

The following information is intended to explain to the average person the structure of existing and extinct standards. The technologies used in Russia are described in the sections below. The representatives of the tree that took root in the Russian forest were marked in bold in the original.

1G

  1. AMPS family: AMPS, NAMPS, TACS, ETACS.
  2. Others: NMT, C-450, DataTAC, Hicap, Mobitex.

2G: 1992

  1. GSM/3GPP family: GSM, HSCSD, CSD.
  2. 3GPP2 family: cdmaOne.
  3. AMPS family: D-AMPS.
  4. Other: iDEN, PHS, PDC, CDPD.

2G+

  1. 3GPP/GSM family: GPRS, EDGE.
  2. 3GPP2 family: CDMA2000 1x, including Advanced.
  3. Others: WiDEN, DECT.

3G: 2003

  1. 3GPP family: UMTS.
  2. 3GPP2 family: CDMA2000 1xEV-DO R.0

3G+

  1. 3GPP family: LTE, HSPA, HSPA+.
  2. 3GPP2 family: CDMA2000 1xEV-DO R.A, CDMA2000 1xEV-DO R.B, CDMA2000 1xEV-DO R.C
  3. IEEE Family: Mobile WiMAX, Flash OFDM.

4G: 2013

  1. 3GPP family: LTE-A, LTE-S Pro.
  2. IEEE family: WiMAX.

5G: 2020

  1. 5G-NR.

Short description

Genealogy lets you trace extinct species. For example, modern authors often use the abbreviation GSM, misleading the reader. The technology is entirely limited to the second generation of cellular communications, an extinct species. Its frequencies, with additions, continue to be used by its descendants. On December 1, 2016, Australia's Telstra stopped using GSM, becoming the first operator in the world to completely upgrade its equipment. The technology continues to be used by 80% of the world's population (according to the GSM Association). The American AT&T followed the example of its Australian colleagues on January 1, 2017. The operator Optus also stopped the service; in April 2017, Singapore recognized that 2G no longer met the growing needs of the population.

So, the term GSM is used in relation to outdated equipment that has flooded the Russian Federation. The descendant protocols can be called successors of GSM. The frequencies are preserved by subsequent generations; the protocols and methods of transmitting information change. The frequency allocation aspects that accompany equipment upgrades are discussed below; this information is needed to establish the relationship to GSM.

Phone instructions

The phone manual will provide useful information regarding the issue. The corresponding section lists the supported frequencies. Some devices will allow you to customize the reception area. You should choose a phone model that receives generally accepted Russian channels:

  1. 900 MHz – E-GSM. The ascending (uplink) branch is 880..915 MHz, the descending (downlink) branch is 925..960 MHz.
  2. 1800 MHz – DCS. The ascending (uplink) branch is 1710..1785 MHz, the descending (downlink) branch is 1805..1880 MHz.

LTE technology adds a 2600 MHz region, and an 800 MHz channel has been introduced.

History of the emergence of RF communications: frequencies

Development of the European digital communication standard began in 1983. Recall that the first generation, 1G, used analog transmission. Thus, engineers developed the standard in advance, anticipating the course of technological development. Digital communications were born out of World War II, or more precisely, the Green Hornet encrypted transmission system. The military understood perfectly well that an era of digital technologies was coming. Civilian industry caught the shift in the wind.

900 MHz

The European organization CEPT created the GSM (Groupe Special Mobile) committee. The European Commission proposed using the 900 MHz spectrum. The developers settled in Paris. Five years later (1987), 13 EU countries submitted a memorandum in Copenhagen on the need to create a unified cellular network. The community decided to request the GSM committee's assistance. The first technical specification was released in February. Politicians from four countries (May 1987) supported the project with the Bonn Declaration. The following short period (38 weeks) was filled with general bustle, controlled by four appointed persons:

  1. Armin Silberhorn (Germany).
  2. Philippe Dupoulis (France).
  3. Renzo Failli (Italy).
  4. Stephen Temple (Great Britain).

In 1989, the GSM committee left the trusteeship of CEPT, becoming part of ETSI. On July 1, 1991, the former Prime Minister of Finland, Harri Holkeri, made the first call to a subscriber (Kaarina Suonio) using the services of the provider Radiolinja.

1800 MHz

In parallel with the introduction of 2G, work was underway to utilize the 1800 MHz region. The first network covered the UK (1993). At the same time, the Australian operator Telecom moved in.

1900 MHz

The 1900 MHz frequency was introduced by the USA (1995). The GSM Association was created, and the worldwide number of subscribers reached 10 million. A year later, the figure had increased tenfold. The use of 1900 MHz prevented adoption of the European version of UMTS.

800 MHz

The 800 MHz band appeared in 2002, parallel to the introduction of multimedia messaging service.

Attention, question!

What frequencies have become the Russian standard? Adding to the confusion is the ignorance of RuNet authors about the standards adopted by the official developers. The direct answer was discussed above (see the Phone Instructions section); the work of the organizations mentioned is described in the UMTS section.

Why are there so many frequencies?

Examining the results of 2010, the GSM Association stated: 80% of the planet's subscribers are covered by the standard. This means that four-fifths of networks cannot choose a single frequency. In addition, there are 20% foreign communication standards. Where does the root of evil come from? The countries of the second half of the twentieth century developed separately. The frequencies of 900 MHz of the USSR were occupied by military and civil air navigation.

GSM: 900 MHz

In parallel with Europe’s development of the first versions of GSM, NPO Astra, Radio Research Institute, and Research Institute of the Ministry of Defense began research that ended in full-scale tests. The verdict:

  • Navigation and second generation cellular communications can function together.
  1. NMT-450.

Please note: again 2 standards. Each uses its own frequency grid. The announced competition for the distribution of GSM-900 was won by NPO Astra, OJSC MGTS (now MTS), Russian companies, and the Canadian BCETI.

NMT-450MHz - first generation

So, Moscow used, starting in 1992, the 900 MHz band (see above), because other GSM frequencies had not yet been born. In addition, NMT (Nordic Mobile Phones)… Initially, the countries of the Scandinavian Peninsula developed two options:

  1. NMT-450.
  2. NMT-900 (1986).

The reason for the Russian government choosing the first answer? They probably decided to try two ranges. Please note that these standards describe analog communications (1G). Developing countries began closing up shop in December 2000. Iceland (Siminn) was the last to surrender (September 1, 2010). Experts note an important advantage of the 450 MHz range: range. A significant plus, appreciated by remote Iceland. The Russian government wanted to cover the country's area using a minimum of towers.

NMT is loved by fishermen. The freed network was occupied by digital CDMA 450. In 2015, Scandinavian technologies mastered 4G. The Russian Uralwestcom vacated the closet on September 1, 2006, Sibirtelecom - on January 10, 2008. The subsidiary (Tele 2) Skylink fills the Perm and Arkhangelsk regions with its range. The license expires in 2021.

D-AMPS: UHF (400..890 MHz) - second generation

American 1G networks that used the AMPS specification refused to accept GSM. Instead, two alternatives were developed for organizing second-generation mobile networks:

  1. IS-54 (March 1990, 824-849; 869-894 MHz).
  2. IS-136. Features a large number of channels.

The standard is now dead, replaced everywhere by the descendants of GSM/GPRS, CDMA2000.

Why does a Russian need D-AMPS?

The average Russian often uses second-hand equipment. D-AMPS equipment reached the warehouses of Tele 2 and Beeline. On November 17, 2007, the latter closed up shop in the Central Region. The Novosibirsk region license expired on December 31, 2009. The last swallow flew away on October 1, 2012 (Kaliningrad region). Kyrgyzstan used the range until March 31, 2015.

CDMA2000 - 2G+

Some protocol variants use:

  1. Uzbekistan – 450 MHz.
  2. Ukraine – 450; 800 MHz.

Between December 2002 and October 2016, Skylink used the 1xRTT and EV-DO Rev. A specifications (450 MHz). The infrastructure has now been modernized and LTE introduced. On September 13, 2016, the news spread across world portals: Tele 2 is stopping the use of CDMA. The American MTS had begun introducing LTE a year earlier.

GPRS – second or third generation

The development of the CELLPAC protocol (1991-1993) was a turning point in the development of cellular communications; 22 US patents were granted. LTE and UMTS are considered descendants of the technology. Packet data transfer is designed to speed up information exchange. The project was designed to improve GSM networks (frequencies listed above). The service provides the user with:

  1. Access to the Internet.
  2. Legacy "tap to talk"
  3. Messenger.

The overlay of two technologies (SMS, GPRS) speeds up the process many times over. The specification supports IP, PPP, X.25 protocols. Packets continue to arrive even during a conversation.

EDGE

The next stage in the evolution of GSM was conceived by AT&T (USA). Compact-EDGE filled the niche of D-AMPS. The frequencies are listed above.

UMTS – full 3G

This was the first generation that required base station equipment to be replaced. The frequency grid changed. The maximum transmission speed for a link that takes advantage of HSPA+ is 42 Mbps. Actually achievable speeds significantly exceed the 9.6 kbit/s of GSM. Countries started the upgrade from 2006. Using orthogonal frequency multiplexing, the 3GPP committee intended to reach the 4G level. The early birds launched in 2002. Initially, the developer laid down the following frequencies:

  1. .2025 MHz. Ascending (uplink) branch.
  2. .2200 MHz. Descending (downlink) branch.

Since the USA was already using 1900 MHz, it chose segments 1710..1755; 2110..2155 MHz. Many countries followed America's example. The 2100 MHz frequency is too often busy. Hence the numbers given at the beginning:

  • 850/1900 MHz. Moreover, 2 channels are selected using one range. Either 850 or 1900.

Agree, it is incorrect to drag in GSM, following a bad common example. The second generation used a single half-duplex channel, UMTS used two at once (5 MHz wide).

UMTS frequency grid of Russia

The first attempt to distribute the spectrum took place on February 3 - March 3, 1992. The solution was adopted by the Geneva conference (1997). It was the S5.388 specification that fixed the ranges:

  • 1885-2025 MHz.
  • 2110-2200 MHz.

The decision required further clarification. The commission identified 32 ultra-channels, 11 of which constituted an unused reserve. Most of the others received qualifying names because individual frequencies coincided. Russia rejected the European practice, and disregarded the USA, by adopting 2 UMTS-FDD channels (bands):

  1. No. 8. 900 MHz – E-GSM. The ascending branch is 880..915 MHz, the descending branch is 925..960 MHz.
  2. No. 3. 1800 MHz – DCS. The ascending branch is 1710..1785 MHz, the descending branch is 1805..1880 MHz.

A cell phone's characteristics should be selected according to the information provided. The Wikipedia table revealing the frequency plan of planet Earth is completely useless: it forgets to take Russian specifics into account. Europe operates on the nearby IMT channel No. 1. In addition, there is a UMTS-TDD grid. The equipment of the two overlay network options is incompatible.

LTE – 3G+

An evolutionary continuation of the GSM-GPRS-UMTS chain. It can serve as an add-on for CDMA2000 networks. Only a multi-band phone can support LTE technology. Experts place it below the fourth generation, contrary to the claims of marketers. Initially, the ITU-R organization recognized the technology as qualifying, but later the position was revised.

LTE is a registered trademark of ETSI. The key idea was the use of signal processors and the introduction of innovative methods of carrier modulation. IP addressing of subscribers was considered appropriate. Backward compatibility of the interface was lost, and the frequency spectrum changed once again. The first network (2004) was launched by the Japanese company NTT DoCoMo. The exhibition version of the technology reached Moscow in the hot May of 2010.

Repeating the experience of UMTS, the developers introduced two options for the air protocol:

  1. LTE-TDD. Time division of channels. The technology is widely supported by China, South Korea, Finland, and Switzerland. Availability of a single frequency channel (1850..3800 MHz). Partially overlaps WiMAX, upgrade is possible.
  2. LTE-FDD. Frequency division of channels (separate downstream and upstream).

The frequency plans of the 2 technologies are different, 90% of the core design is the same. Samsung and Qualcomm produce phones that can support both protocols. Occupied ranges:

  1. North America. 700, 750, 800, 850, 1900, 1700/2100, 2300, 2500, 2600 MHz.
  2. South America. 2500 MHz.
  3. Europe. 700, 800, 900, 1800, 2600 MHz.
  4. Asia. 800, 1800, 2600 MHz.
  5. Australia, New Zealand. 1800, 2300 MHz.

Russia

Russian operators have chosen LTE-FDD technology and use the following frequencies:

  1. 800 MHz.
  2. 1800 MHz.
  3. 2600 MHz.

LTE-A – 4G

The frequencies remain the same (see LTE). Launch chronology:

  1. On October 9, 2012, Yota acquired 11 base stations.
  2. On February 25, 2014, Megafon covered the Garden Ring of the capital.
  3. Beeline has been operating at LTE frequencies 800, 2600 MHz since August 5, 2014.

As a result, the physical channel between the receiver and the transmitter is determined by the frequency, the allocated frames and the timeslot numbers within them. Typically a base station uses one or more ARFCN channels, one of which is used to announce the presence of the BTS on the air. The first timeslot (index 0) of the frames on this channel is used as the base control channel, or beacon channel. The remaining part of the ARFCN is distributed by the operator between CCH and TCH channels at its discretion.

2.3 Logical channels

Logical channels are formed on the basis of physical channels. The Um interface carries both user information and service information. According to the GSM specification, each type of information corresponds to a special type of logical channel implemented on top of the physical ones:

  • traffic channels (TCH - Traffic Channel),
  • service information channels (CCH - Control Channel).

Traffic channels are divided into two main types: TCH/F, the full-rate channel with a maximum speed of up to 22.8 Kbps, and TCH/H, the half-rate channel with a maximum speed of up to 11.4 Kbps. These channels can be used to transmit voice (TCH/FS, TCH/HS) and user data (TCH/F9.6, TCH/F4.8, TCH/H4.8, TCH/F2.4, TCH/H2.4), for example SMS.

Service information channels are divided into:

  • Broadcast (BCH - Broadcast Channels).
    • FCCH - Frequency Correction Channel. Provides the mobile phone with the information needed for frequency correction.
    • SCH - Synchronization Channel. Provides the mobile phone with the information necessary for TDMA synchronization with the base station (BTS), as well as its BSIC identification data.
    • BCCH - Broadcast Control Channel (broadcast service information channel). Transmits basic information about the base station, such as the way service channels are organized, the number of blocks reserved for access grant messages, as well as the number of multiframes (51 TDMA frames each) between Paging requests.
  • Common control channels (CCCH - Common Control Channels)
    • PCH - Paging Channel. Looking ahead: paging is a kind of ping of a mobile phone that lets the network determine whether the phone is reachable in a certain coverage area. This channel is designed exactly for that.
    • RACH - Random Access Channel. Used by mobile phones to request their own SDCCH service channel. Exclusively Uplink channel.
    • AGCH - Access Grant Channel (access grant channel). On this channel, base stations respond to RACH requests from mobile phones by allocating SDCCH or TCH directly.
  • Own channels (DCCH - Dedicated Control Channels)
    Own channels, like TCH, are allocated to specific mobile phones. There are several subspecies:
    • SDCCH - Stand-alone Dedicated Control Channel. This channel is used for mobile phone authentication, encryption key exchange, location update procedure, as well as for making voice calls and exchanging SMS messages.
    • SACCH - Slow Associated Control Channel. Used during a conversation, or when the SDCCH channel is already in use. With its help, the BTS transmits periodic instructions to the phone to change timings and signal strength. In the opposite direction there is data on the received signal level (RSSI), TCH quality, as well as the signal level of nearby base stations (BTS Measurements).
    • FACCH - Fast Associated Control Channel. This channel is provided with the TCH and allows the transmission of urgent messages, for example, during the transition from one base station to another (Handover).

2.4 What is burst?

Over-the-air data is transmitted as sequences of bits, most often called "bursts", within timeslots. The term "burst" (the closest everyday analogue being a splash or spike) should be familiar to many radio amateurs, and most likely appeared when graphic models for analyzing radio transmissions were drawn up, where any activity resembles waterfalls and splashes of water. You can read more about them in this wonderful article (image source); here we will focus on the most important thing. A schematic representation of a burst might look like this:

Guard Period
To avoid interference (i.e. two bursts overlapping each other), the duration of a burst is always shorter than the duration of the timeslot by a specific value (0.577 - 0.546 = 0.031 ms), called the "Guard Period". This period is a kind of time reserve that compensates for possible delays during signal propagation.

Tail Bits
These markers define the beginning and end of the burst.

Info
Burst payload, for example, subscriber data or service traffic. Consists of two parts.

Stealing Flags
These two bits indicate whether the two halves of the burst's TCH payload have been taken over ("stolen") by the FACCH. Both flags set means the whole burst carries FACCH data; only one flag set means only the corresponding half of the burst is carrying FACCH data instead of traffic.

Training Sequence
This part of the burst is used by the receiver to determine the physical characteristics of the channel between the phone and the base station.

2.5 Types of burst

Each logical channel corresponds to certain types of burst:

Normal Burst
Sequences of this type implement traffic channels (TCH) between the network and subscribers, as well as all types of control channels (CCH): CCCH, BCCH and DCCH.

Frequency Correction Burst
The name speaks for itself. Implements a one-way FCCH downlink channel, allowing mobile phones to tune more accurately to the BTS frequency.

Synchronization Burst
Bursts of this type, like the Frequency Correction Burst, implement a downlink channel, this time the SCH, which is designed to announce the presence of a base station on the air. By analogy with beacon packets in WiFi networks, each such burst is transmitted at full power and also carries the information about the BTS needed to synchronise with it: the frame number, identification data (BSIC) and so on.

Dummy Burst
A dummy burst sent by the base station to fill unused timeslots. The point is that if there is no activity on the channel, the signal strength of the current ARFCN will be significantly less. In this case, the mobile phone may seem to be far from the base station. To avoid this, BTS fills unused timeslots with meaningless traffic.

Access Burst
When establishing a connection with the BTS, the mobile phone sends a request for a dedicated channel (SDCCH) on the RACH. The base station, having received such a burst, assigns the subscriber its timing and responds on the AGCH, after which the mobile phone can receive and send Normal Bursts. Note the increased guard period of this burst: initially neither the phone nor the base station knows the propagation delay. If the RACH request does not land in its timeslot, the mobile phone sends it again after a pseudo-random delay.
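
The burst structure from sections 2.4 and 2.5 (guard period, tail bits, two payload halves, stealing flags, training sequence) can be made concrete with a small parser. The following is an added example written for this page, not code from the article or from OsmocomBB. The timing constants and the 3/57/1/26/1/57/3-bit layout of the normal burst are those of 3GPP TS 45.002; the training sequence used is TSC 0 from the same specification, while the payload bits are constructed and have no meaning.

```python
from dataclasses import dataclass

# Timing constants from 3GPP TS 45.002: a bit period is 48/13 us, a timeslot
# lasts 156.25 bit periods (about 0.577 ms) and a normal burst occupies 148 of them.
BIT_PERIOD_US = 48 / 13
TIMESLOT_BITS = 156.25
NORMAL_BURST_BITS = 148

# Field layout of a normal burst, in transmission order (name, width in bits).
NB_LAYOUT = [("tail", 3), ("data1", 57), ("sf1", 1), ("training", 26),
             ("sf2", 1), ("data2", 57), ("tail_end", 3)]

# Training sequence code 0 from TS 45.002 (one of the eight fixed 26-bit patterns).
TSC0 = "00100101110000100010010111"


@dataclass
class NormalBurst:
    data1: str       # first 57-bit half of the payload
    data2: str       # second 57-bit half of the payload
    training: str    # 26-bit training sequence used for channel estimation
    stolen: tuple    # (first half carries FACCH?, second half carries FACCH?)


def timeslot_us() -> float:
    """Duration of one timeslot in microseconds (156.25 bit periods)."""
    return TIMESLOT_BITS * BIT_PERIOD_US


def guard_period_us() -> float:
    """Guard period = timeslot length minus burst length, in microseconds."""
    return (TIMESLOT_BITS - NORMAL_BURST_BITS) * BIT_PERIOD_US


def build_normal_burst(data1: str, data2: str, training: str = TSC0,
                       steal1: bool = False, steal2: bool = False) -> str:
    """Assemble a 148-bit normal burst from its fields. A '1' stealing flag
    marks the adjacent payload half as taken over by the FACCH."""
    if len(data1) != 57 or len(data2) != 57 or len(training) != 26:
        raise ValueError("data halves must be 57 bits and the training sequence 26 bits")
    return ("000" + data1 + ("1" if steal1 else "0") + training
            + ("1" if steal2 else "0") + data2 + "000")


def parse_normal_burst(bits: str) -> NormalBurst:
    """Split a 148-bit normal burst into its fields, rejecting malformed input."""
    if len(bits) != NORMAL_BURST_BITS or set(bits) - {"0", "1"}:
        raise ValueError("a normal burst is exactly 148 binary digits")
    fields, pos = {}, 0
    for name, width in NB_LAYOUT:
        fields[name] = bits[pos:pos + width]
        pos += width
    # Tail bits of a normal burst are always 000; anything else is not a valid burst.
    if fields["tail"] != "000" or fields["tail_end"] != "000":
        raise ValueError("tail bits must be 000")
    return NormalBurst(data1=fields["data1"], data2=fields["data2"],
                       training=fields["training"],
                       stolen=(fields["sf1"] == "1", fields["sf2"] == "1"))


def describe(burst: NormalBurst) -> str:
    """Say what the two payload halves carry, based on the stealing flags."""
    return {
        (False, False): "both halves carry TCH traffic",
        (True, False): "first half stolen by FACCH, second half TCH",
        (False, True): "first half TCH, second half stolen by FACCH",
        (True, True): "both halves stolen by FACCH (urgent signalling, e.g. handover)",
    }[burst.stolen]


if __name__ == "__main__":
    # Constructed payload: alternating bits, not a real speech frame.
    payload = ("01" * 29)[:57]
    raw = build_normal_burst(payload, payload[::-1], steal1=True)
    b = parse_normal_burst(raw)
    print(f"timeslot {timeslot_us():.1f} us, guard {guard_period_us():.1f} us")
    print(describe(b))
```

The guard period comes out at about 30.5 µs, which is the 0.031 ms quoted above, and the stealing-flag decoding shows why a receiver has to inspect those two bits before handing the payload to the speech decoder: a burst with a flag set carries signalling, not voice.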

2.6 Frequency Hopping

Quote from Wikipedia:

Pseudo-random tuning of the operating frequency (FHSS - frequency-hopping spread spectrum) is a method of transmitting information via radio, the peculiarity of which is the frequent change of the carrier frequency. The frequency varies according to a pseudo-random sequence of numbers known to both the sender and the recipient. The method increases the noise immunity of the communication channel.
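
To show how both ends of a hopping link stay on the same channel, here is an added example (not from the article and not OsmocomBB code). For HSN = 0 it implements GSM's cyclic hopping rule exactly as in 3GPP TS 45.002, MAI = (FN + MAIO) mod N; for HSN ≠ 0 GSM uses a table-driven pseudo-random function that this example does not reproduce, so a seeded hash stands in for it (an assumption made only to illustrate that both sides need the same MA, MAIO, HSN and frame number). The mobile allocation list is constructed.

```python
import hashlib

# Constructed mobile allocation (MA): the ARFCNs the cell hops over.
MA_EXAMPLE = [10, 22, 35, 47]


def hopping_arfcn(ma: list, maio: int, hsn: int, fn: int) -> int:
    """Return the ARFCN used in TDMA frame number `fn`.

    HSN = 0 is GSM's cyclic hopping (TS 45.002): MAI = (FN + MAIO) mod N.
    For HSN != 0 a seeded hash stands in for GSM's real pseudo-random
    function (assumption for illustration only).
    """
    n = len(ma)
    if hsn == 0:
        mai = (fn + maio) % n
    else:
        digest = hashlib.sha256(f"{hsn}:{fn}".encode()).digest()
        mai = (int.from_bytes(digest[:4], "big") + maio) % n
    return ma[mai]


def hop_sequence(ma, maio, hsn, fn_start, count):
    """Channels used over `count` consecutive frames starting at fn_start."""
    return [hopping_arfcn(ma, maio, hsn, fn)
            for fn in range(fn_start, fn_start + count)]


def fraction_followed(ma, maio, hsn, other_maio, other_hsn, frames=2000):
    """Share of frames on which a receiver configured with (other_maio, other_hsn)
    lands on the same ARFCN as a transmitter using (maio, hsn)."""
    hits = sum(hopping_arfcn(ma, maio, hsn, fn) == hopping_arfcn(ma, other_maio, other_hsn, fn)
               for fn in range(frames))
    return hits / frames


if __name__ == "__main__":
    print("BTS  :", hop_sequence(MA_EXAMPLE, maio=1, hsn=0, fn_start=0, count=8))
    print("phone:", hop_sequence(MA_EXAMPLE, maio=1, hsn=0, fn_start=0, count=8))
    print("receiver with wrong MAIO follows:", fraction_followed(MA_EXAMPLE, 1, 0, 2, 0))
    print("receiver with wrong HSN follows :", fraction_followed(MA_EXAMPLE, 1, 0, 1, 5))
```

A receiver with the wrong MAIO under cyclic hopping never lands on the right channel, and one with the wrong HSN does so only about 1/N of the time; this is the "noise immunity" the quote refers to, and it is also why the hopping parameters are delivered to the phone in the channel assignment rather than guessed.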


3.1 Main attack vectors

Since the Um interface is a radio interface, all its traffic is “visible” to anyone within the range of the BTS. Moreover, you can analyze data transmitted via radio without even leaving your home, using special equipment (for example, an old mobile phone supported by the OsmocomBB project, or a small RTL-SDR dongle) and the most ordinary computer.

There are two types of attack: passive and active. In the first case, the attacker does not interact in any way with either the network or the attacked subscriber - only receiving and processing information. It is not difficult to guess that it is almost impossible to detect such an attack, but it does not have as many prospects as an active one. An active attack involves interaction between the attacker and the attacked subscriber and/or cellular network.

The most dangerous types of attacks to which cellular network subscribers are exposed are:

  • Sniffing
  • Leakage of personal data, SMS and voice calls
  • Location data leak
  • Spoofing (FakeBTS or IMSI Catcher)
  • Remote SIM capture, Remote Code Execution (RCE)
  • Denial of Service (DoS)

3.2 Subscriber identification

As already mentioned at the beginning of the article, a subscriber is identified by the IMSI, which is stored in the subscriber’s SIM card and in the operator’s HLR. Mobile phones are identified by their serial number, the IMEI. However, after authentication, neither the IMSI nor the IMEI is sent over the air in the clear. After the Location Update procedure the subscriber is assigned a temporary identifier, the TMSI (Temporary Mobile Subscriber Identity), and further interaction uses it.

Attack methods
Ideally, the subscriber's TMSI is known only to the mobile phone and the cellular network. However, there are ways to bypass this protection. By repeatedly calling a subscriber or sending SMS messages (or, better, Silent SMS) while observing the PCH and correlating the paging activity, the TMSI of the targeted subscriber can be identified with a certain accuracy.

In addition, having access to the SS7 interoperator network, you can find out the IMSI and LAC of its owner by phone number. The problem is that in the SS7 network all operators “trust” each other, thereby reducing the level of confidentiality of their subscribers’ data.

3.3 Authentication

To protect against spoofing, the network authenticates the subscriber before starting to serve it. In addition to the IMSI, the SIM card stores a randomly generated secret called Ki, which it never reveals directly, only in hashed form. Ki is also stored in the operator's HLR and is never transmitted in the clear. In general, the authentication process is based on the principle of a four-way handshake:

  1. The subscriber issues a Location Update Request, then provides the IMSI.
  2. The network sends a pseudo-random RAND value.
  3. The phone's SIM card hashes Ki and RAND using the A3 algorithm. A3(RAND, Ki) = SRAND.
  4. The network also hashes Ki and RAND using the A3 algorithm.
  5. If the SRAND value on the subscriber side coincides with that calculated on the network side, then the subscriber has passed authentication.
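
The five steps above, run end to end, as an added example written for this page (not the article's code and not an operator's real implementation). What the article calls SRAND is the 32-bit response the specifications name SRES. The real A3 is operator-specific and is not reproduced; an HMAC-SHA256 truncated to four bytes stands in for it (assumption), and the IMSI and Ki are constructed. The point the simulation makes is the one the text makes: Ki stays inside the SIM and the HLR, and only RAND and the response cross the Um interface.

```python
import hashlib
import hmac
import secrets

SRES_LEN = 4  # the GSM authentication response is 32 bits


def a3_stand_in(ki: bytes, rand: bytes) -> bytes:
    """Stand-in for the operator-specific A3 (assumption: real networks use
    COMP128 variants or proprietary functions). Only its output is ever sent."""
    return hmac.new(ki, rand, hashlib.sha256).digest()[:SRES_LEN]


class SimCard:
    """Holds Ki privately; only the hashed response leaves the card."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki

    def run_gsm_algorithm(self, rand: bytes) -> bytes:
        return a3_stand_in(self._ki, rand)


class Hlr:
    """Operator-side store of (IMSI, Ki); Ki never leaves it either."""
    def __init__(self):
        self._ki_by_imsi = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._ki_by_imsi[imsi] = ki

    def authentication_pair(self, imsi: str):
        """Steps 2 and 4: a fresh RAND and the expected response for this IMSI."""
        if imsi not in self._ki_by_imsi:
            return None
        rand = secrets.token_bytes(16)
        return rand, a3_stand_in(self._ki_by_imsi[imsi], rand)


def location_update(sim: SimCard, hlr: Hlr):
    """Run the handshake from the text. Returns (accepted, over_the_air), where
    over_the_air lists every message as an observer of the Um interface sees it."""
    over_the_air = [("MS->NET", "Location Update Request", sim.imsi)]   # step 1
    pair = hlr.authentication_pair(sim.imsi)
    if pair is None:
        over_the_air.append(("NET->MS", "Location Update Reject", "unknown IMSI"))
        return False, over_the_air
    rand, expected = pair
    over_the_air.append(("NET->MS", "Authentication Request", rand))    # step 2
    sres = sim.run_gsm_algorithm(rand)                                  # step 3
    over_the_air.append(("MS->NET", "Authentication Response", sres))   # step 3
    accepted = hmac.compare_digest(sres, expected)                      # steps 4-5
    over_the_air.append(("NET->MS",
                         "Location Update Accept" if accepted else "Authentication Reject",
                         None))
    return accepted, over_the_air


def ki_leaked(ki: bytes, over_the_air) -> bool:
    """True if the raw key appeared in any message on the air (it never should)."""
    return any(isinstance(v, bytes) and ki in v for _, _, v in over_the_air)


if __name__ == "__main__":
    # Constructed values: a 16-byte Ki and an IMSI, not real subscriber data.
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")
    hlr = Hlr()
    hlr.provision("001010123456789", ki)
    ok, log = location_update(SimCard("001010123456789", ki), hlr)
    print("genuine SIM accepted:", ok, "| Ki seen on air:", ki_leaked(ki, log))
    bad, _ = location_update(SimCard("001010123456789", bytes(16)), hlr)
    print("SIM with wrong Ki accepted:", bad)
```

Two details matter for the attack discussion that follows: the response is compared with a constant-time comparison on the network side, and RAND is fresh for every run, so a captured (RAND, response) pair from one session says nothing about the next one; what an attacker is left with is guessing Ki from such pairs, which is exactly the brute-force problem the next paragraph describes.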

Attack methods
Brute-forcing Ki from known RAND and SRAND values can take a very long time. In addition, operators can use their own hashing algorithms. There is quite a bit of information on the Internet about brute-force attempts. However, not all SIM cards are perfectly protected: some researchers have been able to gain direct access to the SIM card's file system and extract Ki.

3.4 Traffic encryption

According to the specification, there are three algorithms for encrypting user traffic:
  • A5/0 - a formal designation for the absence of encryption, just like OPEN in WiFi networks. I myself have never encountered networks without encryption; however, according to gsmmap.org, A5/0 is used in Syria and South Korea.
  • A5/1 - the most common encryption algorithm. Even though attacks on it have been demonstrated repeatedly at various conferences, it is used everywhere. To decrypt traffic it is enough to have 2 TB of free disk space and an ordinary PC running Linux with Kraken installed.
  • A5/2 - an encryption algorithm with deliberately weakened security. Wherever it is used, it is used only for show.
  • A5/3 - currently the strongest encryption algorithm, developed back in 2002. On the Internet you can find information about some theoretically possible vulnerabilities, but in practice nobody has yet demonstrated breaking it. I don't know why our operators don't want to use it in their 2G networks. After all, it would hardly hinder the operator: the encryption keys are known to the operator, so traffic can still be decrypted quite easily on its side. And all modern phones support it very well. Fortunately, modern 3GPP networks do use it.
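
Which of these algorithms a cell actually negotiates is visible in the RR Ciphering Mode Command the network sends on the SDCCH, so a tester auditing coverage can classify cells from captured messages. The following is an added example (not from the article, not OsmocomBB or gsmmap.org code) that decodes the Cipher Mode Setting IE as laid out in 3GPP TS 44.018 (SC bit plus a 3-bit algorithm identifier where value n means A5/(n+1)) and grades the result using the article's own assessment of the four algorithms. The captured messages are constructed for the example.

```python
# Protocol discriminator for Radio Resource management and the message type of
# the Ciphering Mode Command (3GPP TS 44.018).
RR_PD = 0x06
CIPHERING_MODE_COMMAND = 0x35

# Algorithm identifier values of the Cipher Mode Setting IE (TS 44.018 10.5.2.9):
# value n selects A5/(n+1); bit 1 (SC) says whether ciphering starts at all.
ALGORITHM_BY_ID = {n: f"A5/{n + 1}" for n in range(7)}

# Verdicts follow the article's assessment of the algorithms it lists.
VERDICT = {
    "A5/0": "ALERT: no encryption",
    "A5/1": "WARN: practically breakable (rainbow tables)",
    "A5/2": "ALERT: deliberately weakened",
    "A5/3": "ok",
}


def parse_ciphering_mode_command(msg: bytes) -> str:
    """Return the algorithm selected by a raw RR Ciphering Mode Command, or
    'A5/0' when the SC bit says 'no ciphering'."""
    if len(msg) < 3:
        raise ValueError("message too short")
    # The high nibble of the first octet is the skip indicator; ignore it.
    if msg[0] & 0x0F != RR_PD or msg[1] != CIPHERING_MODE_COMMAND:
        raise ValueError("not an RR Ciphering Mode Command")
    setting = msg[2] & 0x0F           # low nibble: Cipher Mode Setting IE
    start_ciphering = setting & 0x01  # SC bit
    algorithm_id = (setting >> 1) & 0x07
    if not start_ciphering:
        return "A5/0"
    return ALGORITHM_BY_ID.get(algorithm_id, f"unknown({algorithm_id})")


def audit(captures):
    """captures: iterable of (label, raw_message). Returns (label, algorithm, verdict)
    per capture so weakly configured cells stand out."""
    report = []
    for label, raw in captures:
        try:
            alg = parse_ciphering_mode_command(raw)
            verdict = VERDICT.get(alg, "review: algorithm not classified here")
        except ValueError as e:
            alg, verdict = "-", f"skip: {e}"
        report.append((label, alg, verdict))
    return report


# Constructed captures (not real network data); the third byte carries the
# Cipher Mode Setting in its low nibble.
SAMPLE_CAPTURES = [
    ("cell A", bytes([0x06, 0x35, 0x01])),  # SC=1, id=000 -> A5/1
    ("cell B", bytes([0x06, 0x35, 0x05])),  # SC=1, id=010 -> A5/3
    ("cell C", bytes([0x06, 0x35, 0x00])),  # SC=0        -> no ciphering
    ("cell D", bytes([0x06, 0x35, 0x03])),  # SC=1, id=001 -> A5/2
    ("cell E", bytes([0x06, 0x00, 0x01])),  # some other RR message type, skipped
]

if __name__ == "__main__":
    for label, alg, verdict in audit(SAMPLE_CAPTURES):
        print(f"{label}: {alg:<6} {verdict}")
```

Run against real captures, the same classification is what tells a subscriber-side tool whether a given cell is protecting the conversation at all; on the operator side the corresponding mitigation is simply to configure A5/3 as the preferred algorithm and refuse to fall back to A5/2.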
Attack methods
As already mentioned, with sniffing equipment and a computer with 2 TB of disk space and the Kraken program, A5/1 session encryption keys can be found quite quickly (in a few seconds), after which anyone’s traffic can be decrypted. The German cryptologist Karsten Nohl demonstrated a method for cracking A5/1 in 2009. A few years later, Karsten Nohl and Sylvain Munaut demonstrated the interception and decryption of a telephone conversation with the help of several old Motorola phones (the OsmocomBB project).

Conclusion

My long story has come to an end. You can get acquainted with the principles of operation of cellular networks in more detail and from a practical side in the series of articles Getting to know OsmocomBB, as soon as I finish the remaining parts. I hope I was able to tell you something new and interesting. I look forward to your feedback and comments!