As a result, the physical channel between the receiver and the transmitter is defined by the frequency (ARFCN), the allocated frames and the timeslot numbers within them. A base station typically uses one or more ARFCNs, one of which announces the presence of the BTS on the air. Timeslot 0 of the frames on that carrier carries the base-control, or beacon, channels. The rest of the ARFCN is allocated by the operator to control (CCH) and traffic (TCH) channels at its discretion.

2.3 Logical channels

Logical channels are built on top of physical channels. The Um interface carries both user data and signalling. The GSM specification maps each kind of information to its own type of logical channel, implemented on top of the physical ones:

  • traffic channels (TCH - Traffic Channel),
  • service information channels (CCH - Control Channel).
Traffic channels come in two main kinds: TCH/F (full rate, up to 22.8 kbit/s gross) and TCH/H (half rate, up to 11.4 kbit/s). Both carry either speech (TCH/FS, TCH/HS) or circuit-switched user data at the rate given in the channel name in kbit/s (TCH/F9.6, TCH/F4.8, TCH/H4.8, TCH/F2.4, TCH/H2.4). Note that SMS is not user data in this sense: it travels over the signalling channels (SDCCH, or SACCH during a call), as described below.

Service information channels are divided into:

  • Broadcast channels (BCH - Broadcast Channels). Downlink only.
    • FCCH - Frequency Correction Channel. Gives the mobile what it needs to correct its frequency to the BTS carrier.
    • SCH - Synchronization Channel. Gives the mobile the information needed for TDMA synchronization with the base station (the frame number), together with the base station identity code (BSIC).
    • BCCH - Broadcast Control Channel. Carries basic information about the cell: how the control channels are organized, the number of blocks reserved for access grant messages, and the number of 51-frame multiframes between paging requests for a given paging group.
  • Common control channels (CCCH - Common Control Channels)
    • PCH - Paging Channel. Paging is, loosely, a "ping" of the mobile phone: the network announces that it has something for a subscriber and thereby checks whether the phone is reachable in a given area. This channel exists for exactly that purpose.
    • RACH - Random Access Channel. Used by mobiles to request a dedicated signalling channel (SDCCH). Uplink only.
    • AGCH - Access Grant Channel. Here the base station answers RACH requests by assigning an SDCCH or, directly, a TCH.
  • Dedicated control channels (DCCH - Dedicated Control Channels)
    Dedicated channels, like TCH, are assigned to a specific mobile. There are several kinds:
    • SDCCH - Stand-alone Dedicated Control Channel. Used for authentication, cipher mode negotiation, the Location Update procedure, call setup and SMS transfer.
    • SACCH - Slow Associated Control Channel. Runs alongside a TCH during a call, or alongside an SDCCH while that is in use. On the downlink the BTS sends periodic timing advance and transmit power commands; on the uplink the phone reports its received signal level (RSSI), channel quality and the signal levels of neighbouring base stations (the measurement reports used for handover decisions).
    • FACCH - Fast Associated Control Channel. Shares the TCH and carries urgent signalling by stealing bursts from it, for example during a handover from one base station to another.

2.4 What is a burst?

Over the air, data is transmitted as sequences of bits called "bursts", each occupying one timeslot. The term will be familiar to radio amateurs; it most likely comes from waterfall-style spectrum displays, where any transmission shows up as a short splash. You can read more about them in the linked article (also the source of the image); here we focus on the essentials. Schematically, a burst looks like this:

Guard Period
To keep two bursts from overlapping, a burst is always shorter than its timeslot by a fixed amount: 0.577 - 0.546 = 0.031 ms, or 8.25 bit periods, called the guard period. It is a time margin that absorbs differences in propagation delay between mobiles at different distances from the BTS.

Tail Bits
These bits mark the beginning and the end of the burst; in a normal burst they are three zero bits at each end.

Info
The burst payload, i.e. subscriber data or signalling. In a normal burst it is split into two halves of 57 bits each.

Stealing Flags
One flag bit sits next to each payload half. When a flag is set, that half has been "stolen" from the TCH to carry FACCH signalling instead of user data: both flags set means the whole payload of the burst is FACCH, one flag set means only that half is.

Training Sequence
A 26-bit pattern known in advance to the receiver (one of eight defined sequences), used to estimate the physical characteristics of the radio channel between the phone and the base station so that the equalizer can undo them.
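To make the field layout above concrete, here is an added example (not code from the original article) that assembles and parses a normal burst as a string of bits and reports what the stealing flags say. The 3/57/1/26/1/57/3 layout, the 156.25-bit timeslot and the 48/13 microsecond bit period are from GSM 05.02; the TSC value is quoted from that table and the parser accepts any 26-bit sequence, so the sample payloads are arbitrary.

```python
from dataclasses import dataclass

# Training sequence code 0 as tabulated in GSM 05.02; the parser below accepts
# any 26-bit sequence, so this value only has to be consistent within the example.
TSC0 = "00100101110000100010010111"

BIT_PERIOD_US = 48 / 13      # one bit period, about 3.69 us
TIMESLOT_BITS = 156.25       # burst plus guard period
BURST_BITS = 148             # everything except the guard period


@dataclass
class NormalBurst:
    data1: str        # first 57-bit payload half
    stolen1: bool     # stealing flag of the first half
    tsc: str          # 26-bit training sequence
    stolen2: bool     # stealing flag of the second half
    data2: str        # second 57-bit payload half

    def stealing_summary(self) -> str:
        """What the two stealing flags say about this burst's payload."""
        if self.stolen1 and self.stolen2:
            return "both halves carry FACCH"
        if self.stolen1 or self.stolen2:
            return "one half carries FACCH, the other TCH data"
        return "no stealing: both halves carry TCH data"


def build_normal_burst(data1: str, data2: str, tsc: str = TSC0,
                       stolen1: bool = False, stolen2: bool = False) -> str:
    """Assemble the 148 modulated bits of a normal burst (guard period excluded)."""
    if len(data1) != 57 or len(data2) != 57 or len(tsc) != 26:
        raise ValueError("payload halves are 57 bits each, the TSC is 26 bits")
    return ("000" + data1 + ("1" if stolen1 else "0") + tsc
            + ("1" if stolen2 else "0") + data2 + "000")


def parse_normal_burst(bits: str) -> NormalBurst:
    """Split a 148-bit normal burst back into its fields."""
    if len(bits) != BURST_BITS or set(bits) - {"0", "1"}:
        raise ValueError("a normal burst is exactly 148 binary digits")
    if bits[:3] != "000" or bits[-3:] != "000":
        raise ValueError("tail bits of a normal burst are all zero")
    return NormalBurst(
        data1=bits[3:60],
        stolen1=bits[60] == "1",
        tsc=bits[61:87],
        stolen2=bits[87] == "1",
        data2=bits[88:145],
    )


def guard_period_us() -> float:
    """Timeslot minus burst: 8.25 bit periods, about 30.5 us."""
    return (TIMESLOT_BITS - BURST_BITS) * BIT_PERIOD_US
```

The stealing flags are the observable a sniffer uses to tell FACCH signalling from voice during a call: a burst whose first flag is set is, from the receiver's point of view, half signalling and half speech, and the summary method reports that.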

2.5 Types of burst

Each logical channel is carried by a particular type of burst:

Normal Burst
Bursts of this type carry the traffic channels (TCH) between the network and subscribers, as well as all the control channels (CCH): CCCH, BCCH and DCCH.

Frequency Correction Burst
The name says it all. It carries the downlink-only FCCH, letting mobile phones tune accurately to the BTS carrier frequency.

Synchronization Burst
Like the frequency correction burst, this one carries a downlink-only channel, in this case the SCH, which announces the presence of a base station on the air. Much like beacon frames in Wi-Fi, each such burst is transmitted at full power and carries what a phone needs to synchronize with the BTS: the (reduced) frame number, the base station identity code (BSIC), and so on.

Dummy Burst
A filler burst the base station transmits in timeslots of the beacon carrier that are otherwise unused. Without it, the measured signal strength of that ARFCN would drop whenever the channel was idle, and a phone might conclude that it is far from the base station. The BTS therefore fills unused timeslots with meaningless traffic so that the carrier is transmitted at constant power.

Access Burst
When establishing a connection, the mobile sends a Channel Request on the RACH asking for a dedicated channel (SDCCH). On receiving such a burst, the base station measures the propagation delay, derives the subscriber's timing advance and replies on the AGCH with a channel assignment, after which the mobile can send and receive normal bursts. Note the much longer guard period of this burst: at this point neither the phone nor the base station knows the round-trip delay. If the RACH request is not answered (for example because it collided with another mobile's request), the phone retries after a pseudo-random back-off.
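The beacon timeslot described in sections 2.3 and 2.5 is governed by frame-number arithmetic from GSM 05.02, and the following added example (not code from the original article) implements two pieces of it: which logical channel timeslot 0 carries in a given frame of the 51-multiframe (for the common non-combined BCCH+CCCH layout), and the packing and unpacking of the SCH payload, BSIC plus the reduced frame number (T1, T2, T3'), from which a receiver rebuilds the full frame number. The T1/T2/T3' reduction and its inverse are the spec's; the order of the fields within the 25-bit payload is an assumption made here for illustration, and the sample frame numbers and BSIC are arbitrary.

```python
MULTIFRAME_51 = 51
HYPERFRAME_FRAMES = 26 * 51 * 2048   # frame numbers wrap after about 3.5 hours


def ts0_logical_channel(fn: int) -> str:
    """Logical channel on timeslot 0 of the beacon carrier for frame number fn
    (BCCH + CCCH, non-combined configuration, per GSM 05.02)."""
    pos = fn % MULTIFRAME_51
    if pos == 50:
        return "IDLE"
    if pos % 10 == 0:            # 0, 10, 20, 30, 40
        return "FCCH"
    if pos % 10 == 1:            # 1, 11, 21, 31, 41
        return "SCH"
    if 2 <= pos <= 5:
        return "BCCH"
    return "CCCH"                # the nine 4-frame PCH/AGCH blocks


def reduced_frame_number(fn: int):
    """(T1, T2, T3') as transmitted on the SCH (GSM 05.02 clause 3.3.2.2.1)."""
    if not 0 <= fn < HYPERFRAME_FRAMES:
        raise ValueError("frame number outside the hyperframe")
    t1, t2, t3 = fn // (26 * 51), fn % 26, fn % 51
    if t3 % 10 != 1:
        raise ValueError("SCH is only sent when FN mod 51 is 1, 11, 21, 31 or 41")
    return t1, t2, (t3 - 1) // 10


def frame_number_from_rfn(t1: int, t2: int, t3p: int) -> int:
    """Invert the reduction: the receiver rebuilds the full FN from the SCH fields."""
    t3 = 10 * t3p + 1
    return 51 * ((t3 - t2) % 26) + t3 + 51 * 26 * t1


def encode_sch(ncc: int, bcc: int, fn: int) -> int:
    """Pack BSIC (NCC 3 bits + BCC 3 bits) and the RFN (11 + 5 + 3 bits) into a
    25-bit SCH payload. The field order used here is an assumption for illustration."""
    if not (0 <= ncc < 8 and 0 <= bcc < 8):
        raise ValueError("NCC and BCC are 3-bit values")
    t1, t2, t3p = reduced_frame_number(fn)
    return (ncc << 22) | (bcc << 19) | (t1 << 8) | (t2 << 3) | t3p


def decode_sch(payload: int):
    """Unpack the 25-bit SCH payload into (NCC, BCC, full frame number)."""
    ncc = (payload >> 22) & 0x7
    bcc = (payload >> 19) & 0x7
    t1 = (payload >> 8) & 0x7FF
    t2 = (payload >> 3) & 0x1F
    t3p = payload & 0x7
    return ncc, bcc, frame_number_from_rfn(t1, t2, t3p)
```

Once a receiver has decoded one SCH burst it knows the full frame number and can therefore predict, with `ts0_logical_channel`, in which frames to look for BCCH system information and for the paging blocks; that is exactly what a passive sniffer does before it can follow anything else on the cell.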

2.6 Frequency Hopping

Quote from Wikipedia:

Frequency-hopping spread spectrum (FHSS) is a method of transmitting radio signals in which the carrier frequency is changed frequently. The frequency varies according to a pseudo-random sequence known to both sender and receiver. The method increases the interference resistance of the communication channel.

In GSM, hopping (where the operator enables it) changes the carrier once per TDMA frame over the cell's mobile allocation, a list of ARFCNs announced to the phone in the channel assignment together with the hopping sequence number (HSN) and the phone's offset within it (MAIO). A sniffer that wants to follow a hopping channel therefore has to capture that assignment, or receive all carriers of the allocation at once, which is part of why hopping makes passive interception harder.

3.1 Main attack vectors

Because the Um interface is a radio interface, all of its traffic is "visible" to anyone within range of the BTS. Moreover, the data can be analysed without leaving home, using special equipment (for example an old phone supported by the OsmocomBB project, or a cheap RTL-SDR dongle) and an ordinary computer.

Attacks are either passive or active. A passive attacker does not interact with the network or the targeted subscriber at all and only receives and processes what is on the air; such an attack is practically impossible to detect, but it also offers fewer possibilities than an active one. An active attack involves interaction between the attacker and the targeted subscriber and/or the cellular network.

The most dangerous classes of attack that cellular subscribers are exposed to:

  • Sniffing
  • Leakage of personal data, SMS and voice calls
  • Location data leak
  • Spoofing (FakeBTS or IMSI Catcher)
  • Remote SIM capture, remote code execution (RCE)
  • Denial of Service (DoS)

3.2 Subscriber identification

As mentioned at the beginning of the article, the subscriber is identified by the IMSI, which is stored both in the SIM card and in the operator's HLR. The handset is identified separately by its serial number, the IMEI. The IMSI does have to go over the air in clear on the first Location Update (step 1 of the authentication procedure below), but after that procedure the network assigns a temporary identifier, the TMSI (Temporary Mobile Subscriber Identity), and subsequent interactions use it; neither the IMSI nor the IMEI should then be sent in clear.

Attack methods
Ideally, the subscriber's TMSI is known only to the mobile phone and the cellular network. However, there are ways to bypass this protection. If you cyclically call a subscriber or send SMS messages (or better yet Silent SMS), observing the PCH channel and performing correlation, you can identify the TMSI of the attacked subscriber with a certain accuracy.

In addition, anyone with access to the SS7 interoperator network can look up the IMSI and the current LAC of its holder from the phone number alone, using the same MAP queries operators use to route calls and SMS. The problem is that in the SS7 network all operators "trust" each other, at the expense of their subscribers' confidentiality.
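The paging correlation just described, as an added example that is not part of the original article. It runs on a constructed PCH log and constructed trigger times; in practice the log would come from an OsmocomBB phone or an SDR receiver decoding Paging Request messages on the cell's CCCH, and the triggers would be the moments the attacker sent a silent SMS. The TMSI values, timestamps, window size and the "answered every trigger" rule are all choices made here.

```python
from collections import Counter

# Constructed PCH log: (seconds since capture start, TMSI paged). Background
# paging of unrelated subscribers is mixed in on purpose.
PAGING_LOG = [
    (0.5, "0x1A2B3C4D"), (1.2, "0xDEADBEEF"), (2.9, "0x5555AAAA"),
    (10.4, "0x7E7E1234"), (10.9, "0xDEADBEEF"), (11.3, "0x1A2B3C4D"),
    (25.1, "0x5555AAAA"), (30.6, "0xDEADBEEF"), (31.0, "0x9999BBBB"),
    (44.0, "0x1A2B3C4D"), (50.2, "0xDEADBEEF"), (50.7, "0x7E7E1234"),
    (63.3, "0x9999BBBB"), (70.5, "0xDEADBEEF"), (71.1, "0x5555AAAA"),
]
# Constructed trigger times: when the attacker sent a silent SMS to the target.
TRIGGERS = [10.0, 30.0, 50.0, 70.0]


def paged_within(log, start, window):
    """TMSIs paged in the interval [start, start + window]."""
    return {tmsi for t, tmsi in log if start <= t <= start + window}


def correlate_tmsi(log, triggers, window=2.0):
    """Count, per TMSI, how many trigger windows it was paged in.
    Returns (tmsi, hits, n_triggers); tmsi is None when there is no clear winner."""
    hits = Counter()
    for trig in triggers:
        for tmsi in paged_within(log, trig, window):
            hits[tmsi] += 1
    ranked = hits.most_common()
    if not ranked:
        return None, 0, len(triggers)
    best, best_hits = ranked[0]
    runner_up = ranked[1][1] if len(ranked) > 1 else 0
    # Insist on a TMSI that answered every trigger and beat all others;
    # with few triggers, background paging easily produces a coincidental match.
    if best_hits < len(triggers) or runner_up == best_hits:
        return None, best_hits, len(triggers)
    return best, best_hits, len(triggers)


def background_pages(log, tmsi, triggers, window=2.0):
    """How many times the TMSI was paged outside every trigger window
    (a sanity check: a TMSI that is paged constantly is a poor candidate)."""
    return sum(
        1 for t, x in log
        if x == tmsi and not any(trig <= t <= trig + window for trig in triggers)
    )
```

With the constructed data, one trigger leaves three candidates and the function refuses to pick; four triggers single out `0xDEADBEEF`, which was paged once in the background but after every trigger. The paging group derived from the IMSI (the multiframe spacing advertised on the BCCH) narrows the search further, since the target's pages always fall in the same group.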

3.3 Authentication

To protect against subscriber spoofing, the network authenticates the subscriber before serving him. Besides the IMSI, the SIM card holds a 128-bit secret key, Ki, generated when the card is personalised; the card never returns Ki itself, only values computed from it. Ki is also stored on the operator side (in the AuC associated with the HLR) and is never transmitted. Authentication is a challenge-response exchange:

  1. The subscriber sends a Location Update Request and presents its identity (the IMSI, or the TMSI if it already has one).
  2. The network sends a 128-bit pseudo-random challenge, RAND.
  3. The SIM computes SRES = A3(Ki, RAND) and, from the same inputs, the session key Kc = A8(Ki, RAND); the phone returns SRES.
  4. The network computes the same SRES from its own copy of Ki.
  5. If the two SRES values match, the subscriber is authenticated, and Kc is used for ciphering from then on.

The exchange is one-way: the phone never verifies the network. Nothing stops a fake BTS from sending its own RAND, receiving a valid SRES and carrying on, which is what makes IMSI catchers possible; and because there is no freshness counter, a RAND can be replayed to make the SIM derive the same Kc again.

Attack methods
Brute-forcing Ki from captured RAND/SRES pairs takes a very long time, and operators may use their own A3/A8 implementations, so there is little public information about successful brute force. SIM cards are not all equally well protected, though: the original COMP128 version of A3/A8 leaked Ki through chosen-RAND queries to the card, which is what made SIM cloning possible in the late 1990s, and some researchers have gained direct access to a SIM's file system and extracted Ki.
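The challenge-response exchange from section 3.3, and the one-way and replay weaknesses just noted, as an added example that is not part of the original article. Real A3/A8 are operator-specific (COMP128 variants, MILENAGE on newer SIMs); the HMAC-SHA256 stand-in used for them here is an assumption so that the exchange runs, as are the `Sim` and `AuC` class names, the test IMSI (MCC 001, a test network code) and the Ki value. Ciphering itself (the Cipher Mode Command) is not modelled.

```python
import hashlib
import hmac
import os


def a3_a8(ki: bytes, rand: bytes):
    """Stand-in for the SIM's A3/A8 (assumption, not the real algorithm):
    returns (SRES, 32 bits) and (Kc, 64 bits) from Ki and RAND."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class Sim:
    """Subscriber side. Ki never leaves the card; only SRES and Kc come out."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki
        self.seen_rands = []          # the SIM keeps no freshness state in GSM

    def run_gsm_algorithm(self, rand: bytes):
        """What the phone asks the SIM to do on an AUTHENTICATION REQUEST."""
        if len(rand) != 16:
            raise ValueError("RAND is 128 bits")
        self.seen_rands.append(rand)  # recorded only so the replay is visible
        return a3_a8(self._ki, rand)


class AuC:
    """Operator side: holds Ki per IMSI and produces (RAND, SRES, Kc) triplets."""

    def __init__(self):
        self._keys = {}

    def provision(self, imsi: str, ki: bytes) -> None:
        self._keys[imsi] = ki

    def triplet(self, imsi: str):
        rand = os.urandom(16)
        sres, kc = a3_a8(self._keys[imsi], rand)
        return rand, sres, kc


def location_update(sim: Sim, auc: AuC):
    """Steps 1-5 of the text. Returns (authenticated, Kc or None)."""
    rand, expected_sres, kc = auc.triplet(sim.imsi)    # steps 1-2: identity, RAND
    sres, _ = sim.run_gsm_algorithm(rand)              # step 3: SIM answers
    ok = hmac.compare_digest(sres, expected_sres)      # steps 4-5: network compares
    return ok, (kc if ok else None)


def rogue_bts_challenge(sim: Sim, rand: bytes) -> bytes:
    """A fake BTS needs no Ki: it picks any RAND and receives a valid SRES,
    because the phone never checks who is asking."""
    sres, _ = sim.run_gsm_algorithm(rand)
    return sres


def replay_yields_same_kc(sim: Sim, rand: bytes) -> bool:
    """No sequence number in GSM: replaying an old RAND makes the SIM derive the
    same Kc again, so a Kc recovered once can be forced back into use."""
    _, kc_first = sim.run_gsm_algorithm(rand)
    _, kc_again = sim.run_gsm_algorithm(rand)
    return kc_first == kc_again and sim.seen_rands.count(rand) >= 2
```

UMTS fixed both problems with AKA: the network sends an authentication token that the USIM verifies, and a sequence number rejects replayed challenges.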

3.4 Traffic encryption

The specification defines the following ciphering options for user traffic on the Um interface (A5/0 is a formal designation, not an algorithm):
  • A5/0: no encryption, like an OPEN Wi-Fi network. I have never encountered an unencrypted network myself, but according to gsmmap.org A5/0 is used in Syria and South Korea.
  • A5/1: the most widely used algorithm. Although breaking it has been demonstrated repeatedly at conferences, it is still used everywhere. Decrypting traffic requires about 2 TB of free disk space for the rainbow tables, an ordinary PC running Linux, and the Kraken tool.
  • A5/2: a deliberately weakened export variant that can be broken in real time. Where it is used at all, it is for appearances only.
  • A5/3: currently the strongest algorithm, based on KASUMI and developed back in 2002. Some theoretical weaknesses have been published, but no practical break has been demonstrated. I do not know why our operators do not enable it in their 2G networks: lawful interception is no obstacle, since the operator knows the keys and can decrypt on its own side, and all modern phones support it. Fortunately, 3G networks use the related KASUMI-based ciphering. Note too that the cipher is chosen by the network in the Cipher Mode Command and the phone does not authenticate that choice, so a fake BTS can simply select A5/0.

Attack methods
As already mentioned, with sniffing equipment, a computer with 2 TB of storage and the Kraken program, A5/1 session keys can be found in seconds, after which anyone's traffic can be decrypted. Kraken works from known plaintext: predictable signalling messages give the attacker keystream bits, and the precomputed tables map those back to the 64-bit session key. German cryptologist Karsten Nohl demonstrated the A5/1 attack in 2009; a few years later, Nohl and Sylvain Munaut demonstrated the interception and decryption of a phone call using several old Motorola phones (the OsmocomBB project).

Conclusion

My long story has come to an end. You can get to know the workings of cellular networks in more detail, and from the practical side, in the series of articles Getting to know OsmocomBB, as soon as I finish the remaining parts. I hope I was able to tell you something new and interesting. I look forward to your feedback and comments!

DownLink - the channel from the base station to the subscriber.
UpLink - the channel from the subscriber to the operator's base station.

Standard 4G/LTE Frequency 2500

This type of communication has been developing relatively recently, and mainly in cities.


FDD (Frequency Division Duplex) - DownLink and UpLink operate on different frequency bands.
TDD (Time division duplex) - DownLink and UpLink operate on the same frequency band.

Yota: FDD DownLink 2620-2650 MHz, UpLink 2500-2530 MHz
Megafon: FDD DownLink 2650-2660 MHz, UpLink 2530-2540 MHz
Megafon: TDD 2575-2595 MHz - this frequency band is allocated only in the Moscow region.
MTS: FDD DownLink 2660-2670 MHz, UpLink 2540-2550 MHz
MTS: TDD 2595-2615 MHz - this frequency band is allocated only in the Moscow region.
Beeline: FDD DownLink 2670-2680 MHz, UpLink 2550-2560 MHz
Rostelecom: FDD DownLink 2680-2690 MHz, UpLink 2560-2570 MHz
After Megafon acquired Yota, Yota effectively began operating as Megafon.

Standard 4G/ LTE Frequency 800

The network was launched commercially at the beginning of 2014, mainly outside cities, in rural areas.

DownLink/UpLink (MHz)

Rostelecom: 791-798.5 / 832 - 839.5
MTS: 798.5-806 / 839.5 - 847.5
Megafon: 806-813.5 / 847 - 854.5
Beeline: 813.5 - 821 / 854.5 - 862

Standard 3G/UMTS Frequency 2000

3G/UMTS2000 is the most common cellular standard in Europe; it is used mainly for data transmission.


UpLink/DownLink (MHz)

Skylink: 1920-1935 / 2110-2125; these frequencies will most likely end up with Rostelecom. The network is not currently in use.
Megafon: 1935-1950 / 2125 - 2140
MTS: 1950-1965 / 2140 - 2155
Beeline:1965 - 1980 / 2155 - 2170

Standard 2G/DCS Frequency 1800

DCS1800 is the same GSM, only in a different frequency range, used mainly in cities. In some regions, for example, the TELE2 operator works only in the 1800 MHz band.

UpLink 1710-1785 MHz and Downlink 1805-1880 MHz

There is little point in listing the allocation per operator, because in each region the frequency distribution is individual.

Standard 2G/GSM Frequency 900

GSM900 is the most common communication standard in Russia today and is considered second generation communication.

GSM900 has 124 channels of 200 kHz each. In every region of the Russian Federation the GSM bands are distributed among operators individually. In addition there is E-GSM, an extension of the GSM band shifted 10 MHz below the basic one.

Basic GSM900: UpLink 890-915 MHz and Downlink 935-960 MHz

E-GSM extension: UpLink 880-890 MHz and Downlink 925-935 MHz
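The bands above are addressed by ARFCN on the air, and a sniffer or an OsmocomBB log will report channel numbers rather than megahertz. The following added example (not code from the original page) converts between ARFCN and the uplink/downlink carrier pair for exactly the bands listed here (basic GSM900, the E-GSM extension and DCS1800) using the GSM 05.05 channel numbering; frequencies are kept in kHz as integers to avoid floating-point drift. The band table and function names are this example's own; GSM-R, GSM850 and PCS1900 are deliberately left out.

```python
BANDS = {
    # name: (first_arfcn, last_arfcn, uplink_khz_at_first_arfcn, duplex_spacing_khz)
    "P-GSM900": (0, 124, 890_000, 45_000),        # 890-915 up, 935-960 down
    "E-GSM900": (975, 1023, 880_200, 45_000),     # 880-890 up, 925-935 down
    "DCS1800": (512, 885, 1_710_200, 95_000),     # 1710-1785 up, 1805-1880 down
}
CHANNEL_STEP_KHZ = 200


def arfcn_to_khz(arfcn: int):
    """Return (band, uplink_khz, downlink_khz) for an ARFCN in the supported bands."""
    for band, (lo, hi, ul0, duplex) in BANDS.items():
        if lo <= arfcn <= hi:
            uplink = ul0 + CHANNEL_STEP_KHZ * (arfcn - lo)
            return band, uplink, uplink + duplex
    raise ValueError(f"ARFCN {arfcn} is outside P-GSM900, E-GSM900 and DCS1800")


def khz_to_arfcn(freq_khz: int):
    """Inverse lookup: accepts an uplink or a downlink carrier frequency and
    returns (band, arfcn, direction)."""
    for band, (lo, hi, ul0, duplex) in BANDS.items():
        for offset, direction in ((0, "uplink"), (duplex, "downlink")):
            base = ul0 + offset
            if (freq_khz - base) % CHANNEL_STEP_KHZ == 0:
                n = lo + (freq_khz - base) // CHANNEL_STEP_KHZ
                if lo <= n <= hi:
                    return band, n, direction
    raise ValueError(f"{freq_khz} kHz is not a GSM carrier in the supported bands")


def band_plan(band: str):
    """Edges of a band as (uplink_lo, uplink_hi, downlink_lo, downlink_hi) in kHz,
    handy for checking a regional allocation table against the standard."""
    lo, hi, _, _ = BANDS[band]
    _, ul_lo, dl_lo = arfcn_to_khz(lo)
    _, ul_hi, dl_hi = arfcn_to_khz(hi)
    return ul_lo, ul_hi, dl_lo, dl_hi
```

Note the E-GSM numbering wraps: ARFCN 975 sits below ARFCN 0 in frequency, which is why the extension is easy to miss when scanning by channel number in ascending order.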

Standard 3G Frequency 900

Because of the shortage of channels at 2000 MHz, 900 MHz frequencies were also allocated for 3G. Actively used in the regions.

Standard CDMA Frequency 450

CDMA450: in the central part of Russia this standard is used only by the SkyLink operator.

UpLink 453 - 457.5 MHz and DownLink 463 - 467.5 MHz.

GSM-1800 (DCS-1800) - Global System for Mobile Communications. A digital standard in the 1710-1880 MHz range, a modification of the GSM-900 standard. Its distinguishing characteristics:
  • The maximum radiated power of GSM-1800 mobile phones is 1 W (for comparison, 2 W for GSM-900).
  • High protection from eavesdropping and illegal use of the number.
  • High network capacity, which matters in large cities.
  • The maximum distance of a subscriber from the base station is 5-6 kilometres.
The signal coding and the use of SIM cards are the same as in the GSM-900 standard.

More about GSM

The GSM standard is closely related to the other modern digital network standards, above all ISDN (Integrated Services Digital Network) and IN (Intelligent Network). The main functional elements of GSM were carried over into the international standard then under development for the universal mobile system, UMTS (Universal Mobile Telecommunications System).

In the early 1980s, analogue cellular systems developed rapidly in Europe, especially in Scandinavia, the UK, France and Germany. Each country developed its own system, incompatible with the others in both equipment and services, so each country's mobile equipment could only be used within its own borders and had a very limited market. The need for a single pan-European standard became clear. In 1982 CEPT (the European Conference of Postal and Telecommunications Administrations) set up a working group called GSM (Groupe Special Mobile) to study and develop a pan-European public cellular mobile system. The system had to satisfy the following criteria:
  • high quality of voice transmission;
  • low cost of equipment and services;
  • support for hand-portable user equipment;
  • support for a range of new services and equipment;
  • spectral efficiency;
  • ISDN compatibility;
  • international roaming, i.e. the ability for a subscriber to use his phone when moving to another GSM network.

In 1989 responsibility for GSM passed to ETSI (European Telecommunication Standards Institute), and in 1990 the Phase 1 GSM specifications were published. Commercial GSM service began in mid-1991; by 1993 there were 36 GSM networks in 22 countries, and a further 25 countries had chosen or were considering GSM. Although standardised in Europe, GSM is not a purely European standard: networks have been deployed or planned in almost 60 countries across Europe, the Middle and Far East, Africa, South America and Australia. At the start of 1994 there were 1.3 million GSM subscribers worldwide; by the start of 1995, more than 5 million. The acronym GSM acquired a new meaning: Global System for Mobile communications.

The GSM developers chose a then-untested digital system over the standardised analogue cellular systems such as AMPS (Advanced Mobile Phone Service) in the US and TACS (Total Access Communications System) in the UK. They expected advances in compression algorithms and digital signal processors to meet the initial requirements and to keep improving the quality/cost ratio. From the outset they aimed for compatibility between GSM and ISDN in terms of the services offered. According to the ITU-T (International Telecommunication Union, Telecommunication Standardization Sector) definitions, a GSM network can provide the following kinds of services:
  • bearer services (information transfer);
  • teleservices (communication services);
  • supplementary services.
The best-known GSM service is telephony. Since GSM is essentially a digital transmission system, speech is encoded and carried as a digital stream. Another example is emergency calls: dialling a short number (for example 911) reaches the nearest emergency service. A variety of data services are also provided: GSM subscribers can exchange data with subscribers of ISDN, ordinary telephone, packet-switched and circuit-switched networks using access methods and protocols such as X.25 or X.32, and faxes can be sent with a suitable fax adapter. A feature GSM introduced that the older analogue systems lacked is the bidirectional Short Message Service (SMS): messages of up to 160 7-bit characters (140 bytes), delivered in store-and-forward mode. A message is sent to a recipient who is an SMS subscriber, after which a delivery confirmation can be returned to the sender. Short messages can also be broadcast, for example to notify subscribers of changed traffic conditions in a region.

The current specifications also describe supplementary services on top of bearer services and teleservices (for example, call forwarding when the mobile subscriber is unreachable); further capabilities such as caller identification, call waiting and multi-party calls were expected to follow. The area covered by a GSM network is divided into hexagonal cells whose diameter can vary from 400 m to 50 km. The functions and interfaces of the GSM network elements are described in the ETSI recommendations.

Besides the terminal, the MS contains a smart card called the SIM (Subscriber Identity Module). Inserting the SIM into another GSM terminal gives the subscriber the same full set of services. Each terminal has a unique International Mobile Equipment Identity (IMEI); the SIM holds the International Mobile Subscriber Identity (IMSI), the secret authentication key and other data. The two identities are independent of each other, and the SIM is protected from unauthorised use by a password (PIN). The BSS also consists of two parts: the base transceiver station (BTS) and the base station controller (BSC). The Abis interface between them allows components from different manufacturers to work together. BSS radio coverage is divided into areas, usually called "cells", each served by one BTS. The BTS handles the radio protocols with the MS; a large, densely populated area contains many BTSs, so they are subject to strict requirements (well-defined coverage, reliability, portability and low cost). The BSC manages the radio resources of one or more BTSs, controls radio channel allocation and frequency hopping, manages handovers between cells, and is the link between the mobile station and the MSC.

As noted, the core of the network subsystem is the MSC. It manages the mobile subscriber: registration, authentication, location updating, handovers, call routing for roaming subscribers, and the connection to fixed networks. These functions rely on the HLR, VLR and other registers, reached over the SS7 (Signalling System No. 7) common-channel signalling network. SS7 is an international standard for exchanging signalling information between digital, stored-program-controlled exchanges. It is optimised for 64 kbit/s digital channels, controls call set-up and carries maintenance and operations data, and can also serve as a reliable transport for other information between exchanges and specialised centres in telecommunications networks. Signalling is carried over a dedicated channel shared by one or more groups of bearer channels, and it must be delivered in order and without loss over both terrestrial and satellite links. An SS7 network is a prerequisite for building a GSM network; the SS7 protocol architecture and its mapping onto the OSI reference model are shown in the accompanying figure. The Home Location Register (HLR) and Visitor Location Register (VLR), together with the MSC, provide call routing and roaming. The HLR holds the administrative data of every subscriber registered in its GSM network, together with each subscriber's current location, usually in the form of the signalling address of the VLR currently serving the mobile station.
The VLR holds the subset of HLR data needed to handle calls and provide the full range of services to every mobile subscriber currently in the geographical area it controls. Two further registers provide authentication and security: the AuC (Authentication Centre), which stores each subscriber's Ki and generates authentication triplets, and the EIR (Equipment Identity Register), which keeps lists of IMEIs, for example of stolen handsets.

In Europe the spectrum for cellular mobile networks is 890-915 MHz for the uplink (mobile station to base station) and 935-960 MHz for the downlink (base station to mobile station). Because these bands were already in use by analogue systems in the early 1980s, only the top 10 MHz of each band was initially reserved for GSM, which was still under development; eventually GSM took over the entire 2x25 MHz.

Radio spectrum is a limited resource, so the bandwidth has to be shared among all users as efficiently as possible. GSM does this with a combination of TDMA and FDMA (Time- and Frequency-Division Multiple Access). First the 25 MHz band is divided into 200 kHz carriers; each base station has one or more carriers. Users of one carrier are separated in time: each user is assigned one timeslot, and eight timeslots form a TDMA frame. 26 frames in turn form a multiframe that repeats cyclically and lasts 120 ms, so one timeslot is 1/208 of the multiframe, about 0.577 ms. Channels are defined by the number and position of their timeslots within the cyclic frame structure; the entire pattern (the hyperframe) repeats roughly every 3.5 hours. Channels are divided into dedicated channels, or traffic channels, each assigned to one mobile station, and common channels, or control channels, used by mobile stations in idle mode.

GSM is a digital system, so analogue speech has to be digitised. The method existing telephone systems and ISDN use to multiplex analogue lines onto high-speed channels and optical links is PCM (Pulse Code Modulation), but its 64 kbit/s output is too high for a GSM radio channel. The GSM research group evaluated several speech coding algorithms and settled on RPE-LTP (Regular Pulse Excitation - Long Term Prediction), which converts the 64 kbit/s stream into a 13 kbit/s stream and back while preserving the quality of the transmitted signal.

Unlike a fixed network, where the subscriber terminal is wired to the exchange, a GSM subscriber can move within the national network and beyond its borders, i.e. roam. To reach a mobile subscriber one dials the MSISDN (Mobile Subscriber ISDN number). It contains a country code and a national destination code identifying the subscriber's operator; the first few digits of the subscriber number then identify the subscriber's HLR within that mobile network. An incoming call to a mobile subscriber is routed to the GMSC (Gateway MSC), which acts essentially as a switch that queries the subscriber's HLR for the data and routing information it needs, and therefore holds a table mapping MSISDNs to their HLRs. The Mobile Station Roaming Number (MSRN) fully determines the routing; it belongs to the geographical numbering plan and is not tied to any particular subscriber.

Beginners are puzzled by the games the standards developers play. GSM uses 850, 1900, 900 and 1800 MHz; what more is there to it? The short answer: read the section on the phone manual below. The weaknesses of the commonly accepted interpretation will be shown. The problem comes down to the following points:

  1. The second generation of cellular communications (2G) produced a great many standards. Three centres set the pace: Europe, North America and Japan. Russia adopted the standards of the first two, with modifications.
  2. The family tree of standards keeps growing.
  3. International versions of standards aim to unify the disparate rules of individual countries. Direct adoption is often impossible, and governments change legislation to fix the frequency plans.

This explains where beginners' confusion comes from. To restore clarity, let us build a simplified hierarchy of standards, noting the frequencies used along the way.

Genealogy of standards

The following is meant to explain to the layperson the structure of existing and extinct standards. The sections that follow describe the technologies used in Russia.

1G

  1. AMPS family: AMPS, NAMPS, TACS, ETACS.
  2. Others: NMT, C-450, DataTAC, Hicap, Mobitex.

2G: 1992

  1. GSM/3GPP family: GSM, HSCSD, CSD.
  2. 3GPP2 family: cdmaOne.
  3. AMPS family: D-AMPS.
  4. Other: iDEN, PHS, PDC, CDPD.

2G+

  1. 3GPP/GSM family: GPRS, EDGE.
  2. 3GPP2 family: CDMA2000 1x, including Advanced.
  3. Others: WiDEN, DECT.

3G: 2003

  1. 3GPP family: UMTS.
  2. 3GPP2 family: CDMA2000 1xEV-DO R.0

3G+

  1. 3GPP family: LTE, HSPA, HSPA+.
  2. 3GPP2 family: CDMA2000 1xEV-DO R.A, CDMA2000 1xEV-DO R.B, CDMA2000 1xEV-DO R.C
  3. IEEE Family: Mobile WiMAX, Flash OFDM.

4G: 2013

  1. 3GPP family: LTE-A, LTE-A Pro.
  2. IEEE family: WiMAX.

5G: 2020

  1. 5G-NR.

Short description

The genealogy lets you trace extinct species. For example, modern authors often use the abbreviation GSM in a way that misleads the reader: the technology proper belongs entirely to the second generation, an extinct species, while its frequencies, with additions, continue to be used by its descendants. On 1 December 2016 Australia's Telstra shut down GSM, becoming the first operator in the world to retire it completely, even though the technology continued to serve 80% of the world's population (according to the GSM Association). AT&T in the US followed its Australian colleagues on 1 January 2017, Optus shut its service down as well, and in April 2017 Singapore declared 2G inadequate to the growing needs of its population.

So the term GSM refers to outdated equipment that flooded the Russian Federation. The descendant protocols can be called GSM's successors: the frequencies are preserved by the subsequent generations, while the modulation and transmission methods change. The frequency allocation aspects that accompany equipment upgrades are discussed below; this information is needed to see how GSM relates to them.

Phone instructions

The phone manual provides useful information on the question: the relevant section lists the supported bands, and some devices let you restrict which bands are used. Choose a phone model that supports the bands generally used in Russia:

  1. 900 MHz, E-GSM: uplink 880..915 MHz, downlink 925..960 MHz.
  2. 1800 MHz, DCS: uplink 1710..1785 MHz, downlink 1805..1880 MHz.

LTE adds the 2600 MHz region, and an 800 MHz band has also been introduced.

History of the emergence of RF communications: frequencies

In 1983, the development of a European digital communications standard began. Recall that the first generation (1G) used analog transmission, so the engineers developed the standard in advance, anticipating the course of technology development. Digital communications were born out of World War II, or more precisely the Green Hornet encrypted transmission system. The military understood perfectly well that the era of digital technology was coming; civilian industry caught the direction of the wind.

900 MHz

The European organization CEPT created the GSM (Groupe Spécial Mobile) committee. The European Commission proposed using the 900 MHz spectrum. The developers settled in Paris. Five years later (1987), 13 EU countries submitted a memorandum in Copenhagen on the need to create a unified cellular network. The community decided to request GSM's help. The first technical specification was released in February. Politicians from four countries (May 1987) supported the project with the Bonn Declaration. The following short period (38 weeks) was filled with intense activity, overseen by four appointed persons:

  1. Armin Silberhorn (Germany).
  2. Philippe Dupuis (France).
  3. Renzo Failli (Italy).
  4. Stephen Temple (Great Britain).

In 1989, the GSM committee left the trusteeship of CEPT, becoming part of ETSI. On July 1, 1991, the former Prime Minister of Finland, Harri Holkeri, made the first call to a subscriber (Kaarina Suonio) using the services of the provider Radiolinja.

1800 MHz

In parallel with the introduction of 2G, work was underway to make use of the 1800 MHz region. The first network covered the UK (1993). The Australian operator Telecom followed at the same time.

1900 MHz

The 1900 MHz frequency was introduced by the USA (1995). The GSM Association was created, and the worldwide number of subscribers reached 10 million. A year later, the figure had increased tenfold. The use of 1900 MHz prevented adoption of the European version of UMTS.

800 MHz

The 800 MHz band appeared in 2002, parallel to the introduction of multimedia messaging service.

Attention, question!

Which frequencies have become the Russian standard? Adding to the confusion is the ignorance of RuNet authors about the standards adopted by the official developers. The direct answer is given above (see the section Phone instructions); the work of the organizations mentioned is described below (section UMTS).

Why are there so many frequencies?

Examining the results of 2010, the GSM Association stated that 80% of the planet's subscribers are covered by the standard. This means that four-fifths of networks cannot settle on a single frequency. In addition, there is the 20% using other communication standards. Where does the root of the evil lie? The countries of the second half of the twentieth century developed separately. In the USSR, the 900 MHz frequencies were occupied by military and civil air navigation.

GSM: 900 MHz

In parallel with Europe's development of the first versions of GSM, NPO Astra, the Radio Research Institute, and a Research Institute of the Ministry of Defense began research that ended in full-scale tests. The verdict:

  • Navigation and second generation cellular communications can function together.
  • NMT-450.

Please note: again two standards, each using its own frequency grid. The announced competition for the distribution of GSM-900 was won by NPO Astra, OJSC MGTS (now MTS), other Russian companies, and the Canadian BCETI.

NMT-450MHz - first generation

So, starting in 1992, Moscow used the 900 MHz band (see above), because the other GSM frequencies had not yet been born. In addition, NMT (Nordic Mobile Telephone)… Initially, the Nordic countries developed two options:

  1. NMT-450.
  2. NMT-900 (1986).

Why did the Russian government choose the first option? They probably decided to try two ranges. Note that these standards describe analog communications (1G). The countries that developed NMT began shutting it down in December 2000; Iceland (Síminn) was the last to surrender (September 1, 2010). Experts note an important advantage of the 450 MHz band: coverage range, a significant plus appreciated by remote Iceland. The Russian government wanted to cover the country's territory using a minimum of towers.

NMT is loved by fishermen. The freed-up spectrum was occupied by digital CDMA 450. In 2015, the Scandinavians moved on to 4G. The Russian Uralwestcom shut its NMT network down on September 1, 2006, Sibirtelecom on January 10, 2008. Skylink, a Tele2 subsidiary, covers the Perm and Arkhangelsk regions in this band. The license expires in 2021.

D-AMPS: UHF (400..890 MHz) - second generation

American 1G networks that used the AMPS specification refused to accept GSM. Instead, two alternatives were developed to organize second-generation mobile networks:

  1. IS-54 (March 1990, 824-849; 869-894 MHz).
  2. IS-136. Features a large number of channels.

The standard is now dead, replaced everywhere by the descendants of GSM/GPRS, CDMA2000.

Why does a Russian need D-AMPS?

The average Russian often uses second-hand equipment. D-AMPS equipment reached the warehouses of Tele2 and Beeline. On November 17, 2007, the latter shut the service down in the Central Region. The license for the Novosibirsk region expired on December 31, 2009. The last swallow flew away on October 1, 2012 (Kaliningrad region). Kyrgyzstan used the band until March 31, 2015.

CDMA2000 - 2G+

Variants of the protocol are used in:

  1. Uzbekistan – 450 MHz.
  2. Ukraine – 450; 800 MHz.

From December 2002 to October 2016, Skylink used the 1xRTT and EV-DO Rev. A specifications (450 MHz). The infrastructure has now been modernized and LTE introduced. On September 13, 2016, the news spread across world portals: Tele2 is stopping the use of CDMA. The American MTS had begun introducing LTE a year earlier.

GPRS – second or third generation

The development of the CELLPAC protocol (1991-1993) was a turning point in the development of cellular communications; 22 US patents were received. LTE and UMTS are considered descendants of the technology. Packet data transfer is designed to speed up information exchange. The project was designed to improve GSM networks (frequencies listed above). The service user receives the following technologies:

  1. Access to the Internet.
  2. Legacy "tap to talk".
  3. Messenger.

The overlay of two technologies (SMS, GPRS) speeds up the process many times over. The specification supports IP, PPP, X.25 protocols. Packets continue to arrive even during a conversation.

EDGE

The next stage in the evolution of GSM was conceived by AT&T (USA). Compact-EDGE filled the niche of D-AMPS. Frequencies are listed above.

UMTS – full 3G

The first generation that required updating base station equipment; the frequency grid changed. The maximum transmission speed for a line that takes advantage of HSPA+ is 42 Mbps. Actually achievable speeds significantly exceed the 9.6 kbit/s of GSM. Since 2006, countries have started the upgrade. Using orthogonal frequency multiplexing, the 3GPP committee intended to achieve 4G. The earliest networks launched in 2002. Initially, the developer laid down the following frequencies:

  1. ..2025 MHz. Ascending branch.
  2. ..2200 MHz. Descending branch.

Since the USA was already using 1900 MHz, it chose the segments 1710..1755; 2110..2155 MHz. Many countries followed America's example. The 2100 MHz frequency is too often busy. Hence the numbers given at the beginning:

  • 850/1900 MHz. Moreover, two channels are selected within one range: either 850 or 1900.

Agree, it is incorrect to drag GSM into this, following a bad but common example. The second generation used a single half-duplex channel; UMTS uses two at once (5 MHz wide).

UMTS frequency grid of Russia

The first attempt to distribute the spectrum took place on February 3 – March 3, 1992. The solution was adopted by the Geneva conference (1997). It was the S5.388 specification that fixed the ranges:

  • 1885-2025 MHz.
  • 2110-2200 MHz.

The decision required further clarification. The commission identified 32 ultra-channels, 11 of which constituted an unused reserve. Most of the others received qualifying names because individual frequencies coincided. Russia rejected the European practice, and disregarded the USA, by adopting two UMTS-FDD channels (bands):

  1. No. 8. 900 MHz – E-GSM. The ascending branch is 880..915 MHz, the descending branch is 925..960 MHz.
  2. No. 3. 1800 MHz – DCS. The ascending branch is 1710..1785 MHz, the descending branch is 1805..1880 MHz.

The characteristics of the cell phone should be selected according to this information. The Wikipedia table revealing the frequency plan of planet Earth is completely useless: it forgets to take Russian specifics into account. Europe operates on the nearby IMT channel No. 1. In addition, there is a UMTS-TDD grid. The equipment of the two air-interface variants is incompatible.

LTE – 3G+

An evolutionary continuation of the GSM-GPRS-UMTS chain. It can serve as an add-on for CDMA2000 networks. Only a multi-band phone can support LTE technology. Experts place it directly below the fourth generation, contrary to the claims of marketers. Initially, the ITU-R organization recognized the technology as qualifying, but later the position was revised.

LTE is a registered trademark of ETSI. The key idea was the use of signal processors and the introduction of innovative methods of carrier modulation. IP addressing of subscribers was considered appropriate. The interface lost backwards compatibility, and the frequency spectrum changed once again. The first network (2004) was launched by the Japanese company NTT DoCoMo. The exhibition version of the technology reached Moscow in the hot May of 2010.

Repeating the experience of UMTS, the developers introduced two options for the air protocol:

  1. LTE-TDD. Time division of channels. The technology is widely supported by China, South Korea, Finland, and Switzerland. Uses a single frequency channel (1850..3800 MHz). Partially overlaps WiMAX; an upgrade is possible.
  2. LTE-FDD. Frequency division of channels (separate downstream and upstream).

The frequency plans of the two technologies differ, but 90% of the core design is the same. Samsung and Qualcomm produce phones that support both protocols. Occupied ranges:

  1. North America. 700, 750, 800, 850, 1900, 1700/2100, 2300, 2500, 2600 MHz.
  2. South America. 2500 MHz.
  3. Europe. 700, 800, 900, 1800, 2600 MHz.
  4. Asia. 800, 1800, 2600 MHz.
  5. Australia, New Zealand. 1800, 2300 MHz.

Russia

Russian operators have chosen LTE-FDD technology and use the following frequencies:

  1. 800 MHz.
  2. 1800 MHz.
  3. 2600 MHz.

LTE-A – 4G

The frequencies remain the same (see LTE). Launch chronology:

  1. On October 9, 2012, Yota acquired 11 base stations.
  2. On February 25, 2014, MegaFon covered the Garden Ring of the capital.
  3. Beeline has been operating at LTE frequencies 800, 2600 MHz since August 5, 2014.

This article is the first in a series of articles about cellular communications. In this series, I would like to describe in detail the principles of operation of second, third and fourth generation cellular networks. The GSM standard belongs to the second generation (2G).

The first generation of cellular communications was analog and is no longer used, so we will not consider it. The second generation is digital, and this feature made it possible to completely replace 1G networks. A digital signal is more noise-resistant than an analog one, which is a major advantage in mobile radio communications. In addition to speech, the digital signal allows data transmission (SMS, GPRS). It is worth noting that this trend of switching from analogue to digital signals is characteristic not only of cellular communications.

GSM (Global System for Mobile Communications) is a global digital mobile communications standard with channel separation by time (TDMA) and frequency (FDMA). It was developed under the auspices of the European Telecommunications Standards Institute (ETSI) in the late 1980s.

GSM provides support for services:

  • GPRS data transfer
  • Voice transmission
  • Sending short messages SMS
  • Sending a fax

In addition, there are additional services:

  • Number identification
  • Call forwarding
  • Call waiting and holding
  • Conference call
  • Voice mail

GSM network architecture

Let's take a closer look at what elements the GSM network is built from and how they interact with each other.

The GSM network is divided into two systems: SS (Switching System) - switching subsystem, BSS (Base Station System) - base station system. SS performs the functions of servicing calls and establishing connections, and is also responsible for the implementation of all services assigned to the subscriber. The BSS is responsible for functions related to the air interface.

SS includes:

  • MSC (Mobile Switching Center) – GSM network switching node
  • GMSC (Gate MSC) – a switch that processes calls from external networks
  • HLR (Home Location Register) – database of home subscribers
  • VLR (Visitor Location Register) – database of guest subscribers
  • AUC (Authentication Center) – authentication center (verification of subscriber authenticity)

BSS includes:

  • BSC (Base Station Controller) – base station controller
  • BTS (Base Transceiver Station) – transceiver station
  • MS (Mobile Station) – mobile station

Composition of the SS switching subsystem

The MSC performs switching functions for mobile communications. This center controls all incoming and outgoing calls to and from other telephone and data networks: PSTN, ISDN, public data networks, corporate networks, as well as mobile networks of other operators. Subscriber authentication functions are also performed in the MSC. The MSC provides call routing and call control functions. It generates the data necessary for charging for the communication services provided by the network, accumulates data on completed calls and transmits them to the billing center. The MSC also compiles the statistical data needed for monitoring and optimizing the network. Besides call control, the MSC manages location registration and handover procedures.

In the GSM system, each operator has a database containing information about all subscribers belonging to its PLMN. In the network of one operator there is logically one HLR, but physically there may be many, because it is a distributed database. Information about the subscriber is entered into the HLR at the time the subscriber registers (enters into a service contract) and is stored until the subscriber terminates the contract and is removed from the HLR.
Stored information in HLR includes:

  • Subscriber identifiers (numbers).
  • Additional services assigned to the subscriber
  • Information about the subscriber's location, accurate to the MSC/VLR number
  • Subscriber authentication information (triplets)

The HLR can be implemented as a built-in function in the MSC/VLR or separately. If the HLR capacity is exhausted, an additional HLR can be added; even with several HLRs the database remains a single, distributed one, and each subscriber always has exactly one data record. Data stored in the HLR can be accessed by MSCs and VLRs belonging to other networks as part of providing inter-network roaming to subscribers.

The VLR database contains information about all mobile subscribers currently located in the MSC service area. Thus, each MSC on the network has its own VLR. The VLR temporarily stores service information so that the associated MSC can serve all subscribers within the MSC's service area. HLR and VLR store very similar subscriber information, but there are some differences that will be discussed in the following chapters. When a subscriber moves to the service area of a new MSC, the VLR connected to that MSC requests subscriber information from the HLR that stores that subscriber's data. The HLR sends a copy of the information to the VLR and updates the subscriber's location information. Once the information is updated, the MS can make outgoing/incoming connections.

To prevent unauthorized use of communication system resources, authentication mechanisms are introduced: authentication of the subscriber. The AUC is the subscriber authentication center; it consists of several blocks and generates authentication and encryption keys (passwords are generated). With its help, the MSC verifies the authenticity of the subscriber, and when a connection is established, encryption of the transmitted information is enabled on the radio interface.
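To make the division of roles concrete, here is an added Python model (not code from the article) of the triplet flow: the AUC holds each subscriber's secret key Ki and derives (RAND, SRES, Kc) triplets from it, the MSC/VLR only stores triplets and checks the SRES the mobile returns, and the SIM computes the same values from its own copy of Ki. HMAC-SHA256 is used as a labelled stand-in for the operator's A3/A8 algorithms, and the IMSI and key values are constructed test data.

```python
"""Triplet-based authentication as divided between AUC/HLR, MSC/VLR and the SIM.

Added example, not from the article. HMAC-SHA256 stands in for the operator's
A3/A8 algorithms (see a3_a8_stand_in); IMSI and Ki values are constructed test data.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

Triplet = Tuple[bytes, bytes, bytes]  # (RAND 16 bytes, SRES 4 bytes, Kc 8 bytes)


def a3_a8_stand_in(ki: bytes, rand: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for A3 (SRES) and A8 (Kc); real SIMs run operator-specific algorithms."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AUC:
    """Holds each subscriber's secret Ki and turns it into single-use triplets."""

    def __init__(self, subscribers: Dict[str, bytes]):
        self._ki = dict(subscribers)  # IMSI -> Ki; never leaves this object

    def triplets(self, imsi: str, count: int = 5) -> List[Triplet]:
        ki = self._ki[imsi]
        result = []
        for _ in range(count):
            rand = os.urandom(16)
            sres, kc = a3_a8_stand_in(ki, rand)
            result.append((rand, sres, kc))
        return result


class SIM:
    """The subscriber side: the only other place Ki exists."""

    def __init__(self, imsi: str, ki: bytes):
        self.imsi, self._ki = imsi, ki

    def respond(self, rand: bytes) -> Tuple[bytes, bytes]:
        # SRES goes back over the air; Kc stays in the phone for ciphering.
        return a3_a8_stand_in(self._ki, rand)


class VLR:
    """MSC/VLR: caches triplets fetched from the HLR/AUC and never sees Ki."""

    def __init__(self, auc: AUC):
        self._auc = auc
        self._cache: Dict[str, List[Triplet]] = {}

    def cached_triplets(self, imsi: str) -> int:
        return len(self._cache.get(imsi, []))

    def challenge(self, imsi: str) -> bytes:
        if not self._cache.get(imsi):
            self._cache[imsi] = self._auc.triplets(imsi)  # refill from the home network
        return self._cache[imsi][0][0]  # RAND sent to the MS

    def verify(self, imsi: str, sres_from_ms: bytes) -> Tuple[bool, Optional[bytes]]:
        rand, sres, kc = self._cache[imsi].pop(0)  # each triplet is consumed exactly once
        if hmac.compare_digest(sres, sres_from_ms):
            return True, kc  # Kc is handed to the BTS for radio-interface encryption
        return False, None


def authenticate(vlr: VLR, sim: SIM) -> Tuple[bool, Optional[bytes]]:
    """One RAND/SRES exchange; on success both ends now share the same Kc."""
    rand = vlr.challenge(sim.imsi)
    sres, kc_ms = sim.respond(rand)
    ok, kc_net = vlr.verify(sim.imsi, sres)
    return (ok and kc_net == kc_ms), kc_net
```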

Composition of the BSS base station subsystem

The BSC controls all functions related to the operation of radio channels in the GSM network. It is a switch that provides functions such as MS handover, radio channel assignment, and cell configuration data collection. Each MSC can manage multiple BSCs.

The BTS controls the radio interface with the MS. The BTS includes radio equipment such as transceivers and antennas that are needed to serve each cell in the network. The BSC controller controls multiple BTSs.

Geographical construction of GSM networks

Each telephone network needs a certain structure for routing calls to the required station and further to the subscriber. In a mobile network, this structure is especially important, since subscribers move around the network, that is, they change their location and this location must be constantly monitored.

Although the cell is the basic unit of the GSM communication system, it is very difficult to give it a clear definition. It cannot be associated with an antenna or a base station, because cells come in different kinds. In general, a cell is a geographic area served by one or more base stations in which one group of GSM control logical channels operates (the channels themselves will be discussed in the following chapters). Each cell is assigned a unique number called the Cell Global Identifier (CGI). In a network covering, for example, an entire country, the number of cells can be very large.

A location area (LA) is defined as a group of cells in which the mobile station will be paged. The subscriber's location within the network is associated with the LA in which the subscriber is currently located. The location area identifier (LAI) is stored in the VLR. When an MS crosses the boundary between two cells belonging to different LAs, it transmits information about the new LA to the network. This only happens if the MS is in Idle mode: the new location information is not transmitted during an established connection, and the update takes place after the connection ends. If an MS crosses a boundary between cells within the same LA, it does not inform the network of its new location. When an incoming call arrives for an MS, the paging message is broadcast in all cells belonging to that LA.

The service area of an MSC consists of a number of LAs and represents the geographical portion of the network under the control of one MSC. In order to route a call to an MS, information about the MSC's service area is also needed, so the service area is also monitored and information about it is recorded in a database (HLR).

A PLMN service area is a collection of cells served by a single operator and is defined as the area in which the operator provides radio coverage and access to its network to the subscriber. Any country may have several PLMNs, one for each operator. The definition of roaming is used when an MS moves from one PLMN service area to another. So-called intra-network roaming is a change of MSC/VLR.

The GSM service area is the entire geographical area in which a subscriber can access the GSM network. The GSM service area expands as new operators sign contracts to collaborate on customer service. Currently, the GSM service area covers, with some gaps, many countries from Ireland to Australia and from South Africa to America.

International roaming is a term that applies when an MS moves from one national PLMN to another national PLMN.

GSM frequency plan

GSM includes several frequency ranges, the most common being 900, 1800 and 1900 MHz. Initially, the 900 MHz band was allocated for the GSM standard, and this range remains in use worldwide. Some countries use extended frequency bands to provide greater network capacity. The extended bands are called E-GSM and R-GSM, while the regular band is called P-GSM (primary).

  • P-GSM900 890-915/935-960 MHz
  • E-GSM900 880-915/925-960 MHz
  • R-GSM900 890-925/935-970 MHz
  • R-GSM1800 1710-1785/1805-1880 MHz

In 1990, to increase competition between operators, the UK began to develop a new version of GSM adapted to the 1800 MHz frequency range. Immediately after the approval of this range, several countries applied to use it. The introduction of this range accelerated the growth in the number of operators, leading to increased competition and, accordingly, improved quality of service. The use of this range allows the network capacity to be increased by increasing the bandwidth and, accordingly, the number of carriers. The 1800 band uses the following frequency ranges: GSM 1710-1805/1785-1880 MHz. Until 1997, the 1800 standard was called Digital Cellular System (DCS) 1800 MHz; it is currently called GSM 1800.

In 1995, the concept of PCS (Personal Cellular System) was specified in the USA. The main idea of this concept is the possibility of providing personal communication, that is, communication between two subscribers rather than between two mobile stations. PCS does not require that these services be implemented on cellular technology, but this technology is currently recognized as the most effective for this concept. The frequencies available for PCS implementation are in the 1900 MHz region. Since GSM 900 cannot be used in North America because the band is occupied by another standard, GSM 1900 is an option to fill this gap. The main difference between the American GSM 1900 standard and GSM 900 is that GSM 1900 supports ANSI signaling.
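As an added example (not code from the article), the following Python helper turns the ARFCN channel numbers carried on the air into uplink/downlink carrier frequencies for the bands in the frequency plan above (P-GSM 900, E-GSM 900, DCS 1800) and for the North American PCS 1900 band; the channel-number formulas and band edges are taken from 3GPP TS 45.005 as an assumption, not quoted from the article. It also shows why a channel number alone does not identify a carrier: DCS 1800 and PCS 1900 share ARFCNs 512..810, so whoever logs or validates cell data must record the band as well.

```python
"""ARFCN <-> carrier frequency for the GSM bands in the frequency plan.

Added example. Band edges and channel-number formulas are taken from
3GPP TS 45.005 section 2 as an assumption; they are not quoted from the article.
Frequencies are kept in kHz internally so the arithmetic is exact, and returned in MHz.
"""
from typing import Dict, List, Tuple

# Per band: uplink base in kHz, ARFCN segments (lo, hi, n0) such that
# uplink = base + 200 kHz * (n - n0), and the uplink -> downlink duplex spacing.
BANDS: Dict[str, dict] = {
    "P-GSM900": {"base_khz": 890_000, "segments": [(1, 124, 0)], "duplex_khz": 45_000},
    "E-GSM900": {"base_khz": 890_000, "segments": [(0, 124, 0), (975, 1023, 1024)], "duplex_khz": 45_000},
    "DCS1800": {"base_khz": 1_710_200, "segments": [(512, 885, 512)], "duplex_khz": 95_000},
    "PCS1900": {"base_khz": 1_850_200, "segments": [(512, 810, 512)], "duplex_khz": 80_000},
}


def arfcn_to_freq(band: str, arfcn: int) -> Tuple[float, float]:
    """Return (uplink_mhz, downlink_mhz) for an ARFCN in the given band.

    Raises ValueError when the ARFCN is not allocated in that band.
    """
    spec = BANDS[band]
    for lo, hi, n0 in spec["segments"]:
        if lo <= arfcn <= hi:
            uplink_khz = spec["base_khz"] + 200 * (arfcn - n0)
            return uplink_khz / 1000, (uplink_khz + spec["duplex_khz"]) / 1000
    raise ValueError(f"ARFCN {arfcn} is not allocated in {band}")


def freq_to_arfcn(band: str, uplink_mhz: float) -> int:
    """Inverse mapping: uplink carrier frequency (MHz) -> ARFCN in the given band."""
    spec = BANDS[band]
    delta_khz = round(uplink_mhz * 1000) - spec["base_khz"]
    if delta_khz % 200 != 0:
        raise ValueError(f"{uplink_mhz} MHz is not on the 200 kHz raster of {band}")
    for lo, hi, n0 in spec["segments"]:
        n = n0 + delta_khz // 200
        if lo <= n <= hi:
            return n
    raise ValueError(f"{uplink_mhz} MHz lies outside {band}")


def bands_for_arfcn(arfcn: int) -> List[str]:
    """All bands in which this channel number is allocated.

    A bare ARFCN is ambiguous: 512..810 exists in both DCS 1800 and PCS 1900,
    and 1..124 in both P-GSM and E-GSM, so the band must be known separately
    (from the broadcast band indicator or the receiver's tuning).
    """
    return [
        band for band, spec in BANDS.items()
        if any(lo <= arfcn <= hi for lo, hi, _ in spec["segments"])
    ]


def band_edges(band: str) -> Tuple[float, float, float, float]:
    """(lowest uplink, highest uplink, lowest downlink, highest downlink) carrier centres, MHz."""
    pairs = [arfcn_to_freq(band, n) for lo, hi, _ in BANDS[band]["segments"] for n in (lo, hi)]
    uplinks = [p[0] for p in pairs]
    downlinks = [p[1] for p in pairs]
    return min(uplinks), max(uplinks), min(downlinks), max(downlinks)


if __name__ == "__main__":
    for name in BANDS:
        print(name, band_edges(name))
    print("ARFCN 600 could be:", bands_for_arfcn(600))
```

The carrier centres returned by band_edges sit 100 kHz inside the band limits listed above, because each 200 kHz carrier must fit entirely within the band.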

Traditionally, the 800 MHz band has been occupied by the TDMA standard (AMPS and D-AMPS) common in the United States. As in the case of the GSM 1800 standard, this standard makes it possible to obtain additional licenses, that is, it expands the scope of the standard on national networks, providing operators with additional capacity.

