23 omd3201 gsm communication flow

M900/M1800 GSM SYSTEM RNP Training Document OMD3201 GSM Communication Flow Huawei Technologies CO.,Ltd.

Upload: hung6715

Post on 21-Feb-2015


Page 1: 23 OMD3201 GSM Communication Flow

M900/M1800 GSM SYSTEM

RNP Training Document

OMD3201 GSM Communication Flow

Huawei Technologies CO.,Ltd.

Training Center

Contents

1 M900/M1800 GSM SYSTEM

1.1 GSM SECURITY MANAGEMENT

1.2 GSM BASIC CALL SEQUENCE

1.3 LOCATION UPDATE SEQUENCES

1.4 SMS SEQUENCE

1.5 HANDOVER SEQUENCE

1 M900/M1800 GSM System

There are five parts in this course. The first section covers several sequences related to GSM security management. Then the basic call sequence is explained in detail; it is the most important sequence in this course. The third section introduces the location update sequence. The fourth part is the SMS sequence, which is very similar to the call sequence. Last comes a brief introduction to the handover sequence. That is the content of the course.

1.1 GSM Security Management

First, let’s look at the first part: GSM security management.

Because GSM is a digital communication system, security management is very easy to realize. In the GSM system, security management consists of four parts: authentication, ciphering, TMSI reallocation and equipment identification.

Let’s start with the first one, authentication. Generally, authentication may be executed during call setup, location updating and supplementary services; it ensures that only legal subscribers can access the network.

On the network side, the AUC is the entity that produces the authentication parameters.

The AUC stores the IMSI and KI of each mobile station, together with the security algorithms A3 and A8 and a random number generator. The generator produces a different random number each time, called RAND for short.

How does the AUC produce the authentication parameters? The unique identification of an MS is its IMSI, and for each IMSI there is a corresponding KI. In the AUC, KI and RAND are processed through A3 and A8; the results are called SRES and Kc respectively. RAND, SRES and Kc (the authentication parameters) are called a triple. A different RAND produces a different SRES and Kc, so the AUC holds many sets of triples for each mobile subscriber. Tables in the buffer record the relationship between IMSI and triples.

In the GSM system, the AUC only has an interface with the HLR, so the AUC sends the triples to the HLR, 8 to 10 sets at a time. The HLR stores the triples temporarily.

On the mobile station side, the SIM card stores the IMSI and KI, as well as A3 and A8. When the MS wants to access the network, for example for call setup, location updating or supplementary services, the triples are sent from the HLR to the VLR in which the MS is registered.

The VLR sends an authentication request to the MS, carrying the RAND from a triple. After the MS receives the request, the SIM card performs the same calculation as the AUC: KI and the RAND received from the VLR are processed through A3 and A8 to obtain SRES and Kc in the SIM card. The SRES is then sent to the VLR, which compares the two SRES values; if they are equal, the MS can access the system.

Next, the authentication and ciphering message sequence.

When the MS sends a request for call setup, location updating or supplementary services and authentication is set as necessary in the VLR, the VLR checks whether it holds authentication parameters. If not, the VLR sends an “authentication parameters request” to the HLR. Generally, the HLR sends the triples in groups of five in the acknowledgement message. These triples are stored in the VLR, which ensures that the VLR can carry out the authentication without having to contact the HLR.

Then the VLR initiates the authentication by sending the message “authenticate” to the MSC. The MSC repackages this message and sends it on to the MS. The message is an “Authentication Request” and contains the random number RAND.

When the mobile receives the message, it responds with the “Authentication Response” message, which contains the signed response (SRES).

If authentication is successful, the VLR requests the MSC to start ciphering procedures using the “Start Ciphering” message. This message contains information indicating whether ciphering is required.

If authentication fails, the HLR is notified and an “Authentication Reject” message is sent to the mobile.
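The authentication procedure described above, from triple generation in the AUC to the SRES comparison in the VLR, as an added example that is not part of the original training document. A3/A8 are replaced by an HMAC-SHA256 stand-in because the page does not specify them; the class names, the IMSI and the KI are constructed for illustration.

```python
import hashlib
import hmac
import secrets

RAND_LEN, SRES_LEN, KC_LEN = 16, 4, 8  # 128-bit RAND, 32-bit SRES, 64-bit Kc


def a3_a8(ki, rand):
    """Stand-in for A3/A8 (assumption: HMAC-SHA256, not a real GSM algorithm).

    Returns (SRES, Kc) derived from the subscriber key KI and the challenge RAND.
    """
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:SRES_LEN], digest[SRES_LEN:SRES_LEN + KC_LEN]


class AuC:
    """Stores IMSI -> KI and produces triples (RAND, SRES, Kc)."""

    def __init__(self, subscribers):
        self._ki = dict(subscribers)

    def generate_triples(self, imsi, count):
        triples = []
        for _ in range(count):
            rand = secrets.token_bytes(RAND_LEN)  # fresh RAND for every triple
            sres, kc = a3_a8(self._ki[imsi], rand)
            triples.append((rand, sres, kc))
        return triples


class HLR:
    """Buffers triples from the AuC and hands them to a VLR in groups of five."""

    def __init__(self, auc, auc_batch=8):
        self._auc, self._auc_batch, self._buffer = auc, auc_batch, {}

    def send_auth_params(self, imsi, count=5):
        buf = self._buffer.setdefault(imsi, [])
        if len(buf) < count:  # refill from the AuC, 8 sets at a time
            buf.extend(self._auc.generate_triples(imsi, self._auc_batch))
        group = buf[:count]
        del buf[:count]
        return group


class SIM:
    """Mobile side: holds IMSI and KI, runs the same calculation as the AuC."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def authentication_request(self, rand):
        sres, self.kc = a3_a8(self._ki, rand)
        return sres  # carried back in the Authentication Response


class VLR:
    def __init__(self, hlr):
        self._hlr, self._triples, self.hlr_requests = hlr, {}, 0

    def authenticate(self, sim):
        """Return Kc for ciphering on success, None for Authentication Reject."""
        stored = self._triples.setdefault(sim.imsi, [])
        if not stored:  # no parameters held: ask the HLR
            stored.extend(self._hlr.send_auth_params(sim.imsi))
            self.hlr_requests += 1
        rand, expected_sres, kc = stored.pop(0)  # a triple is used only once
        sres = sim.authentication_request(rand)
        # Constant-time comparison of the two SRES values.
        return kc if hmac.compare_digest(sres, expected_sres) else None


def demo():
    imsi = "001010123456789"                                 # constructed identity
    ki = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed key
    vlr = VLR(HLR(AuC({imsi: ki})))
    genuine, impostor = SIM(imsi, ki), SIM(imsi, bytes(16))  # impostor lacks KI
    session_keys = [vlr.authenticate(genuine) for _ in range(6)]
    return {
        "genuine_accepted": all(k is not None for k in session_keys),
        "kc_shared": genuine.kc == session_keys[-1],
        "kc_unique": len(set(session_keys)) == 6,
        "impostor_rejected": vlr.authenticate(impostor) is None,
        "hlr_requests": vlr.hlr_requests,
    }


if __name__ == "__main__":
    print(demo())
```

Six authentications consume more than one group of five, so the VLR has to go back to the HLR a second time; the impostor holds the right IMSI but not the KI and is rejected.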

The MSC starts ciphering procedures by sending the “Ciphering Mode Command”. This message contains the encryption information required by the BSS. The new mode is applied for reception on the network side after the message has been sent.

In the CIPHER MODE COMMAND, the MSC specifies which of the ciphering algorithms may be used by the BSS. Upon receipt of the CIPHERING MODE COMMAND message indicating ciphering, the mobile station shall start transmission and reception in the indicated mode.

Whenever the mobile station receives a valid CIPHERING MODE COMMAND message, it shall, if a SIM is present and considered valid by the ME and the ciphering key sequence number stored on the SIM indicates that a ciphering key is available, load the ciphering key stored on the SIM into the ME.

The BSS then selects an appropriate algorithm, taking into account the MS ciphering capabilities. The CIPHER MODE COMPLETE message returned to the MSC indicates the ciphering algorithm chosen by the BSS.

Upon receipt of the CIPHERING MODE COMPLETE message, the network starts transmission in the new mode.

Either the traffic or the signaling information between the mobile and the BTS can be encrypted. Generally, the A5 algorithms and Kc (the ciphering key) are used for the ciphering.

For encryption (at the MS or BTS), the information is processed with Kc via A5; for decryption (at the BTS or MS), the received information is also processed with Kc via A5.

From the ciphering sequence we can see that ciphering starts only after the network has obtained the identification of the MS (the IMSI). That is, ciphering is point to point. So the IMSI is transferred without encryption on the radio path. This is very dangerous, because the IMSI is the unique identification of the mobile subscriber.

To avoid this, the GSM system uses TMSI reallocation.

TMSI is the abbreviation of Temporary Mobile Subscriber Identification. It is allocated by the VLR. After a location update, the VLR assigns a new TMSI to the mobile. The new TMSI and LAI are transmitted to the mobile in the “Location Update Accept” message.

Once the mobile has stored both the TMSI and the LAI on its SIM card, it sends the “TMSI Reallocate Complete” message to the VLR to confirm that the location update has been completed.

During call setup, location updating and supplementary services, the mobile sends only the TMSI to the network, not the IMSI. In this way, the IMSI becomes very safe.

In the security management of the GSM system, on the mobile station side, the first three parts are all based on the SIM card.

The last one, equipment identification, is based on the mobile equipment.

The IMEI (International Mobile Equipment Identification) is the unique number of the mobile equipment. On the network side, the EIR (Equipment Identification Register) stores the IMEIs of all mobile equipment.

There are three databases in the EIR: the white list, the black list and the grey list.

The white list stores the IMEIs of legal mobile equipment.

The black list stores the IMEIs of illegal mobile equipment.

The grey list stores the IMEIs of faulty mobile equipment.

Equipment identification is initiated by the MSC sending the “equipment ID Request” message to the mobile. This is carried out less frequently than authentication; the frequency of the checks is at the discretion of the network operator. Equipment identification is carried out during a location update or a call setup.

The mobile responds by sending the “ID Response” message. This message contains the equipment’s IMEI number.


[Figure: Equipment Identification. Entities: MS, BSS, MSC, VLR, HLR, PSTN, EIR. Messages: 1 Equipment ID Request <SDCCH>; 2 ID Response <SDCCH> (IMEI); 3 Check IMEI, Check IMEI Response.]

After the MSC receives the “ID Response” message, it sends the IMEI number on to the EIR using the “Check IMEI” message. The EIR responds with the “Check IMEI Response”. This message includes the equipment status, that is, it indicates which list the IMEI is on. The MSC can then decide whether to continue the call or location update.

Please note that checking of the IMEI at the EIR may occur after the TCH has been allocated to the mobile.

That completes GSM security management.

GSM security management can run within the other sequences, for example the call sequence and location updating. That is why it was introduced first.

1.2 GSM Basic Call Sequence

After GSM security management, let’s study the GSM basic call sequence.

The processes for the calling MS and the called MS are two independent flows.

So we first take the mobile-to-land sequence as an example; in this sequence we concentrate on the calling party.

Then, for the called MS, the land-to-mobile call sequence is introduced, concentrating on the called party.

Finally, we will study the call clearing sequence.

First, the Mobile to Land Call Sequence.

The mobile subscriber pressing the “send” key initiates a “Channel Request” message from the MS to the BSS. This is followed by the assignment of a dedicated control channel by the BSS. In this way, the signaling link between the MS and the BSS is established. Note that the assignment of the SDCCH is performed by the BSS, not through the MSC.

After the SDCCH assignment, the message “Request for service” is passed to the MSC, which relays it to the VLR. Let’s look at the A interface first. “Request for Service” is carried in the CR (connection request) message, an SCCP message that belongs to the connection-oriented service. Connection-oriented service is widely used on the A interface. After CR and CC, the virtual connection has been established on the A interface.

Now let’s look at the B interface between the MSC and the VLR. In the GSM system, the MSC provides the call control function, while the subscriber information is stored in the VLR and HLR. So when the MSC receives the “Request for service” from the mobile, it sends a “Process Access Request” message to the VLR.

The VLR will carry out the authentication process if the MS has been previously registered on this VLR. If not, the VLR will have to obtain authentication parameters from the HLR.

Subscriber authentication takes place using authentication messages and encryption algorithms. If it is successful, the call setup can continue. If ciphering is to be used, it is initiated at this time, as the setup message contains sensitive information.

Of course, subscriber authentication and ciphering can be optional. The operator can configure them in the MSC/VLR.

Then the message “Set-up” is sent to the MSC by the MS, accompanied by the call information, such as the type of call and the called number. The message is forwarded from the MSC to the VLR as “SFOC” (Send Information for Outgoing Call).

The MSC may initiate the MS IMEI check (is the MS stolen, and so on). Note that this check may occur later in the message sequence.

In response to the message “Set-up” sent at step 4, the VLR sends the message “Complete call” to the MSC, which notifies the MS with “Call Proceeding”.

After the message “Call Proceeding”, the MSC assigns a traffic channel to the BSS through the message “Assignment Command”, and the BSS in turn assigns an air-interface traffic channel. The MS responds to the BSS with “Assignment Complete”, and the BSS responds in turn to the MSC.

After all this preparation, an “Initial Address Message” is sent to the PSTN. Ring tone is applied at the MS in response to “Alerting”, which the MSC sends to the MS when the PSTN responds with an “Address Complete Message (ACM)”.

When “Answer (ANS)” arrives from the PSTN, the message “Connect” is forwarded to the MS by the MSC, stopping the MS ringing tone. The MSC then connects the GSM traffic channel to the PSTN circuit, completing the end-to-end traffic connection.

In response to “Connect”, the MS sends the message “Connect Acknowledge”. Conversation takes place for the duration of the call.

That is the call establishment sequence for Mobile to Land. We’ll study the call clearing sequence later.

After this sequence, let’s answer a question: what happens when the calling MS activates the supplementary service (SS) BAOC?

Here is the answer.

Subscriber information is stored in the VLR and HLR. After the MSC receives the “Request for service” from the MS, the message “Set-up” is sent to the MSC by the MS. The call information is included in this message. The MSC sends the message “SFOC” to the VLR, and the VLR checks the subscriber information it holds. At this point the VLR finds that the calling party has activated the supplementary service “BAOC”, so in response to the “SFOC” it sends “call barred” to the MSC. The MSC won’t assign a traffic channel for the call. “Call barred” will be displayed on the MS.

We have studied the Mobile to Land sequence, in which we concentrated on the calling party.

Next I introduce the called MS sequence, taking the Land to Mobile sequence as an example.

First, a C7 message “Initial Address Message (IAM)” arrives at a gateway MSC (GMSC). The MS to be called is identified by its MSISDN.

Then the GMSC requests the routing information from the HLR using the message “Send Routing Info”, still tagged with the MS’s MSISDN.

The HLR stores the subscriber location information, so it forwards the request using “Provide Roaming Number” to the VLR in which the MS is currently located. This message is tagged with the MS’s IMSI. The requested information will enable the GMSC to identify the MSC to which the “IAM” must be directed.

The VLR responds with the message “Provide Roaming No. Ack.”, now tagged with an MSRN which is either newly drawn from its pool of MSRNs or already associated with the MS being called. The HLR forwards it in the message “Routing Information Ack.”.

The GMSC now sends the “IAM” to the MSC serving the mobile’s location, tagged with the MSRN.

The visitor MSC then requests call set-up information from the VLR using “SFIC” (Send Info for Incoming Call Setup).

The VLR’s response is the “page” message back to the MSC, containing the required information: the LAI and the TMSI or IMSI. The MSC then sends “Paging Request” to the MS via the appropriate BSS.

The MS responds and requests a dedicated control channel from the BSS with “Channel Request”. The BSS then assigns a DCCH, and the MS responds with “Assign complete”. The air interface signaling link is established. Once established, the dedicated control channel carries “Paging Response” to the BSS, which relays it to the VLR through the MSC.

The MS is authenticated and cipher mode is set. Of course, both are optional.

The “Complete Call” message is then sent to the MSC from the VLR. This is relayed to the MS via the BSS as the message “Setup”.

The MS sends the message “Call Confirmation” to the MSC. This indicates that the MS is capable of receiving a call. The MSC then sends an “Address Complete Message (ACM)” to the GMSC, which relays it to the PSTN. The land subscriber will now hear ring tone.

The MSC then assigns a traffic channel to the BSS through “Assignment Command”, and the BSS in turn assigns an air-interface traffic channel.

The MS responds to the BSS with “Assignment Complete”. The BSS responds in turn to the MSC.

The MS now rings, sending the message “Alert” to the MSC as a confirmation.

When the GSM subscriber answers, the MS sends the message “Connect” to the MSC. The MSC acknowledges this with “Connect Ack” and sends “Answer (ANS)” to the GMSC and PSTN.

The land subscriber’s ring tone stops, and the GMSC and MSC connect the GSM traffic channel and the PSTN circuit together.

Conversation takes place for the duration of the call.

So much for the Land to Mobile call sequence.

Let’s answer several questions about this sequence.

Please give the sequence when:

1. The called MS is powered off.

2. The called MS has activated CFU to a PSTN number.

3. The called MS has all incoming calls barred.

4. The called MS is unknown in the HLR.

Let’s answer the questions one by one.

The first one: the sequence when the called MS is powered off.

The HLR doesn’t know whether the MS is powered on or off.

The IMSI status of the MS is stored in the VLR where the mobile is located. If the MS is powered off, its IMSI status in the VLR is detach; if it is on, the status is attach. So when the VLR receives the “Provide Roaming Number” from the HLR, it sends “Provide Roaming Number Ack.” with the cause “subscriber absent”. The calling subscriber then hears the announcement “the subscriber you dialed is powered off”.

The second question: the sequence when the called MS has activated CFU to a PSTN number.

The HLR holds the service information, so when the MS activates CFU, the HLR knows it. When the HLR receives the “Routing Information Request” from the GMSC, it knows that the MS has activated CFU to another number, so it responds with “Routing Information Ack.” carrying the CFN directly and does not send a request to the VLR.

The GMSC then sends the message “IAM” to the corresponding office direction.

Now the third question: the sequence when the called MS has all incoming calls barred.

This is very similar to the previous question. The HLR knows the service information, so when it receives the request for routing information, it sends the routing information acknowledgement with the cause “Call Barred” without notifying the VLR.

Then the last question: the sequence when the called MS is unknown in the HLR.

This question is very simple. In response to the routing information request, the HLR sends an acknowledgement with the cause of unknown subscriber. The calling party may hear the announcement.

The two sequences above did not cover call clearing, so let’s study it here.

We take the mobile initiated call clearing sequence as the example.

The mobile initiates the clearing of the call by sending the “Disconnect” message to the MSC. The MSC then sends a “Release” message to the PSTN, which starts to release the fixed network circuits associated with the call. The MSC also sends a “Release” message to the mobile to indicate that it may clear down the call.

When the mobile receives the message, it releases the call and responds with the “Release Complete” message. The PSTN also responds with a “Release Complete” message.

The MSC now initiates the freeing up of the air interface radio resources and the A interface terrestrial resources related to the call.

The MSC sends the “Clear Command” to the BSS. The BSS in turn sends a “Channel Release” on to the mobile, which starts the release of the radio resources used for that call.

The BSS then responds to the MSC with the “Clear Complete” message, indicating that it has released the radio and terrestrial resources.

The BSS completes the release of the radio resources by sending the “DISC” message to the mobile. The mobile responds with an unnumbered acknowledgement message.


[Figure: Mobile Initiated Call Clearing Sequence. Entities: MS, BSS, MSC, VLR, HLR, PSTN. Messages: 4 DISC <FACCH>, UA <FACCH>, Clear Complete; 5 RLSD, Release Complete.]

The MSC now initiates the release of the signaling connection related to the call. The MSC sends the “Released” message, and the BSS responds with the “Release Complete” message.

The call is now cleared and all resources are available for another subscriber.

That’s all for the second part. I have only explained the basic call sequence. For more information about call sequences, please refer to the corresponding specifications.

Now we’ll study the third part, the location update sequence. In this part I first give a brief introduction to the location update, and then introduce several typical location updating sequences.

First, a brief introduction to the location update. There are three types of location update in the GSM system. The first one is the periodic location update, which is requested by the system. On the one hand, the BSC defines the interval of the periodic location update and notifies the mobile through the system message; the MS then sends the periodic location update message to the network at every defined interval. On the other hand, the MSC/VLR defines another interval; if the MSC/VLR doesn’t receive the periodic location update message from the mobile within that interval, the IMSI status of the mobile is set to detach. Please note that the two intervals defined by the BSC and the MSC are related: the interval defined by the MSC/VLR shouldn’t be less than that defined by the BSC.

When the MS is out of the service area, the network can’t receive its periodic location update message, so the IMSI status is set to detach. When the mobile is then called, the MSC/VLR won’t send the “page” message, which saves the PCH. But the periodic location update message occupies SDCCH resources, so the operator should balance the two.

That’s the first type of location update.

IMSI attach/detach is the second type of location update.

The last one is the normal location update. It happens when the MS enters a new location area, and it is initiated by the MS.

In the following, the normal location update sequence is explained.

1.3 Location Update Sequences

Second, several normal location update sequences are introduced.

They are of two kinds: the intra-VLR location update and the inter-VLR location update.

First, the intra-VLR location update sequence.

A location update is initiated by the mobile when it detects that it has entered a new location area. The location area is transmitted on the BCCH as the LAI. The mobile is assigned an SDCCH by the BSS, and the location updating procedure is carried out using this channel.

Once the SDCCH has been assigned, the mobile transmits a “Location Update Request” message. This message is received by the MSC, which then sends the new LAI and the current mobile TMSI number to the VLR. The information will also be sent to the HLR if the mobile has not previously been updated on the network.

If the mobile has been registered in this VLR, this information won’t be sent to the HLR; that is, this is an intra-VLR location update.

Authentication and ciphering may now take place if required.

The VLR now assigns a new TMSI to the mobile; this number is sent to the MSC using the “Forward New TMSI” message. The VLR then initiates the “Location Update Accept” message, which transmits the new TMSI and LAI to the mobile.

Once the mobile has stored both the TMSI and the LAI on its SIM card, it sends the “TMSI Reallocate Complete” message to the MSC. The MSC then sends the “TMSI ACK” message to the VLR to confirm that the location update has been completed.

The SDCCH is then released by the mobile.

That is the intra-VLR location update sequence.

Now let’s look at the inter-VLR location update sequence.

The sequence is introduced for two situations: the first is the location update through IMSI, the other is through TMSI.

Like the intra-VLR location update, the inter-VLR location update is initiated by the mobile when it detects that it has entered a new location area. The location area is transmitted on the BCCH as the LAI. The mobile is assigned an SDCCH by the BSS, and the location updating procedure is carried out using this channel.

Once the SDCCH has been assigned, the mobile transmits a “Location Update Request” message. This message is received by the MSC, which then sends the new LAI and the mobile IMSI number to the VLR.

Because the mobile hasn’t previously been registered on this VLR, the information is then sent to the HLR.

If authentication is required in the MSC/VLR, an authentication parameter request is first sent to the HLR, and the HLR responds.

Authentication and ciphering may then take place if required.

After authentication and ciphering, the “Location Update Request” information is sent to the HLR, and in response the HLR transmits the subscriber information using the message “Insert Subscriber Data”.

Once the VLR has stored the information, it sends the Acknowledge message. The HLR then sends the “Location Update Ack.” message to the VLR.

Since the VLRn has stored the mobile information, the HLR then sends the “Cancel Location” message to the VLRo. After the response from the VLRo, the HLR updates the VLR number it holds for this subscriber.

The TMSI reallocation procedure is the same as in the previous sequence. Of course, if the system doesn’t use TMSI, this procedure is skipped.

Finally, the SDCCH is released by the mobile.

After this procedure, let’s look at the next one, the sequence for the inter-VLR location update via TMSI.

At the beginning, the location update is initiated by the mobile. The mobile is assigned an SDCCH by the BSS, and the location updating procedure is carried out using this channel.

Once the SDCCH has been assigned, the mobile transmits a “Location Update Request” message. This message is received by the MSC, which then sends the current TMSI and the LAI, consisting of the previous one and the new one.

The TMSI was allocated by the previous VLR and is unknown in the new VLR (VLRn). So the VLRn calculates the VLRo number from the old LAI (LAIo) and then sends the message “Send Identification” to the VLRo to get the mobile IMSI and authentication parameters. In response, the VLRo returns the IMSI and authentication parameters in the acknowledgement message.

Authentication and ciphering may then take place if required.

The VLRn now sends the message “Location Update Request” to the HLR, and the HLR transmits the subscriber information to the VLRn. Once the VLRn responds, the HLR sends the message “Location Update Acknowledgement” to the VLRn.

Then the HLR sends the “Cancel Location” message to the previous VLR. Once the VLRo responds, the HLR stores the VLRn number for the mobile.

The VLR now assigns a new TMSI to the mobile; this number is sent to the MSC using the “Forward New TMSI” message. The VLRn then initiates the “Location Update Accept” message, which transmits the new TMSI and LAI to the mobile.

Once the mobile has stored both the TMSI and the LAI on its SIM card, it sends the “TMSI Reallocate Complete” message to the MSC. The MSC then sends the “TMSI ACK” message to the VLR to confirm that the location update has been completed.


[Figure: Inter-VLR Location Update Via TMSI. Entities: MS, BSS, MSC, VLRn, HLR, VLRo. Messages: 5 Cancel Location, Cancel Location Ack.; 6 Forward New TMSI, Location Update Accept, TMSI Reallocate Complete, TMSI ACK; 7 Clear Command, Clear Complete.]

The SDCCH will then be released by the mobile.
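
The inter-VLR location update via TMSI described above, as an added example that is not part of the original training document. It is a simplified model: the message names come from the text, while the classes, the TMSI format and the sample subscriber are assumptions. It shows that a TMSI can only be resolved by the VLR that allocated it, and that the old TMSI stops resolving once “Cancellocation” has been processed.

```python
# Simplified model of the inter-VLR location update via TMSI described above.
# Message names follow the text; classes, fields and sample values are assumed.

class VLR:
    def __init__(self, number, lais):
        self.number, self.lais = number, set(lais)
        self.by_tmsi = {}                 # TMSI -> (IMSI, auth parameters)
        self.counter = 0

    def send_identification(self, tmsi):
        """Old-VLR side: resolve a TMSI that this VLR allocated."""
        return self.by_tmsi.get(tmsi)     # None when the TMSI is not ours

    def cancel_location(self, imsi):
        self.by_tmsi = {t: v for t, v in self.by_tmsi.items() if v[0] != imsi}

    def assign_tmsi(self, imsi, auth):
        self.counter += 1
        tmsi = f"{self.number}:{self.counter:04d}"
        self.by_tmsi[tmsi] = (imsi, auth)
        return tmsi


def location_update(tmsi, lai_old, lai_new, vlrs, hlr, trace):
    """hlr maps IMSI -> serving VLR number. Returns (new TMSI, LAI) or None."""
    vlr_n = next(v for v in vlrs if lai_new in v.lais)
    vlr_o = next(v for v in vlrs if lai_old in v.lais)   # VLRo found from LAIo
    trace.append(f"{vlr_n.number}->{vlr_o.number}: Send Identification")
    ident = vlr_o.send_identification(tmsi)
    if ident is None:                     # TMSI is only meaningful with its LAI
        trace.append("TMSI not known at VLRo: outside the flow in the text")
        return None
    imsi, auth = ident
    trace.append(f"{vlr_n.number}->HLR: Location Update Request")
    trace.append(f"HLR->{vlr_o.number}: Cancellocation")
    vlr_o.cancel_location(imsi)
    hlr[imsi] = vlr_n.number              # stored once VLRo has responded
    new_tmsi = vlr_n.assign_tmsi(imsi, auth)
    trace.append("Forward New TMSI / Location Update Accept")
    return new_tmsi, lai_new


def demo():
    vlr_o, vlr_n = VLR("VLRo", ["LAI-1"]), VLR("VLRn", ["LAI-2"])
    hlr = {"IMSI-A": "VLRo"}              # constructed subscriber record
    old_tmsi = vlr_o.assign_tmsi("IMSI-A", "auth-params")
    trace = []
    first = location_update(old_tmsi, "LAI-1", "LAI-2", [vlr_o, vlr_n], hlr, trace)
    # Presenting the old TMSI again fails: VLRo dropped it on Cancellocation.
    stale = location_update(old_tmsi, "LAI-1", "LAI-2", [vlr_o, vlr_n], hlr, trace)
    return first, stale, hlr, trace


if __name__ == "__main__":
    print(demo())
```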

Ok, that’s all for the location update sequence.

1.4 SMS Sequence

Now we will study the fourth part, the short message sequence. The mobile originated short message transfer procedure is separate from the mobile terminated one. The basic short message sequence consists of two parts: MO SMS Transfer and MT SMS Transfer.

It’s very similar to the call sequence.

First, let’s see the MO SMS transfer sequence.

As in the call sequence, the subscriber pressing the “send” key initiates a “Channel Request” message from the MS to the BSS. This is followed by the assignment of a dedicated control channel by the BSS and the establishment of the signaling link between the MS and the BSS.

The message “Request for Service” is passed to the MSC, which relays it to the VLR.

The VLR will carry out the authentication process if the MS has been previously registered on this VLR; if not, the VLR will have to obtain authentication parameters from the HLR.

The message “RP_MO_DATA” is sent by the mobile to the MSC, accompanied by the SM information, such as the type of SM and the SMC number. This message is forwarded from the MSC to the VLR; that is, the MSC queries the VLR, via the “SIF_MO_SMS” message, whether the mobile subscriber has the authority to send short messages, and the VLR then returns the result of the query.

If the mobile has the authority to send short messages, the MSC will then transfer the short message to the interworking-MSC via the message “MO_Forward_SM”, tagged with the SMC number. The SMC number is set on the mobile station. It’s the home SMC of the mobile.

The interworking-MSC will then forward the short message to the corresponding SMC. Once the SMC responds, the interworking-MSC responds in turn to the MSC.

The MSC will then send the message “RP_ACK” to the MS in response to the message “RP_MO_DATA”.

At this time “Send Successfully” is displayed on the mobile. This terminates the MO sequence.

OK, now let’s see the MT SMS transfer sequence. It consists of two cases: for one short message and for several messages.

First I’ll introduce the MT SMS transfer sequence for one message.

A message “short message” arrives at a gateway-MSC. The MS to be called is identified by its MSISDN. The GMSC will then request routing information from the HLR using the message “SRI_for_SM”, still tagged with the MS’s MSISDN. The HLR then responds with the message “SRI_for_SM_ACK”, which includes the VLR number. This information will enable the GMSC to identify the MSC to which the “Forward_SM” must be directed.

Then the “visitor” MSC requests call set-up information from the VLR using the message “SIF_MT_SMS”. The VLR’s response is the “page” message back to the MSC, containing the required information. The MSC then sends “Paging Request” to the MS via the appropriate BSS.

If the mobile is powered on and in the service area, the MS responds and requests a dedicated control channel from the BSS. Once the air interface signaling link is established, the dedicated control channel carries the “Paging Response” to the BSS, which relays it to the VLR via the MSC.

Then the MS is authenticated and cipher mode is set. Of course, this is optional, at the operator’s choice.

The servicing MSC will then transfer the short message to the MS. The MS acknowledges this and sends “Short_Message_Ack” to the MSC. The servicing MSC then responds to the gateway MSC using the message “MT_Forward_SM_Ack”, and in turn the gateway MSC sends an acknowledgement to the SMC in response to the message “Short_Message”.

Here the sequence ends.

OK, let’s see the MT transfer sequence for several messages.

At first it is the same as the sequence for one message: a message “short message” arrives at a gateway-MSC. The MS to be called is identified by its MSISDN. The GMSC will then request routing information from the HLR using the message “SRI_for_SM”, still tagged with the MS’s MSISDN. The HLR then responds with the message “SRI_for_SM_ACK”, which includes the VLR number. This information will enable the GMSC to identify the MSC to which the “Forward_SM” must be directed.

Actually, in the message “MT_Forward_SMS” there is a flag for more messages; in this case, the flag is true. If only one message will be transferred, the flag is false.

The “visitor” MSC then requests call set-up information from the VLR, and the VLR responds with the “page” message. The MSC then sends “Paging Request” to the MS via the BSS.

The MS responds and requests a dedicated control channel from the BSS. Once the air interface signaling link is established, the dedicated control channel carries “Paging Response” to the BSS, which relays it to the VLR via the MSC.

The MS is then authenticated and cipher mode is set. Of course, this is optional, at the operator’s choice.

Then the MSC transfers the short message to the MS through the BSS. Once the MS sends the acknowledgement to the servicing MSC, the MSC will respond to the message “MT_Forward_SM” towards the gateway MSC, which in turn sends a response to the SMC. Now one message has been transferred to the MS.

Then the SMC sends the second message to the gateway MSC. The gateway MSC will transfer the message via “MT_Forward_SM” to the servicing MSC without requesting routing information from the HLR. The “visitor” MSC then sends the message to the MS. Once the MS responds, the MSC sends an acknowledgement to the gateway MSC using the message “MT_Forward_SM_Ack”. In turn the gateway MSC responds to the SMC.

If the flag in the message “MT_Forward_SM” is false, then after the message is received by the MS, the sequence for several messages is closed.
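
The effect of the more-messages flag on the MT SMS sequence, as an added example that is not part of the original training document. It is a simplified model: message names come from the text, while the classes, the sample MSISDN and VLR number, and the choice to keep the signaling link up while the flag is true are assumptions. It counts how often the HLR is queried and the MS is paged for a run of three messages and then for a single message.

```python
# Simplified model of MT SMS delivery with the "more messages" flag.
# Message names follow the text; classes and sample values are assumed.

class HLR:
    def __init__(self, routing):
        self.routing, self.queries = routing, 0   # MSISDN -> VLR number

    def sri_for_sm(self, msisdn):
        self.queries += 1
        return self.routing[msisdn]               # carried in SRI_for_SM_ACK


class ServingMSC:
    def __init__(self):
        self.pagings, self.delivered, self.link_up = 0, [], False

    def mt_forward_sm(self, text, more):
        if not self.link_up:      # SIF_MT_SMS, paging, optional auth/ciphering
            self.pagings += 1
            self.link_up = True   # assumption: link is kept while more=True
        self.delivered.append(text)
        self.link_up = more       # flag false closes the sequence
        return "MT_Forward_SM_Ack"


class GatewayMSC:
    def __init__(self, hlr, mscs):
        self.hlr, self.mscs, self.route = hlr, mscs, {}

    def short_message(self, msisdn, text, more):
        if msisdn not in self.route:              # first message of a run only
            self.route[msisdn] = self.hlr.sri_for_sm(msisdn)
        ack = self.mscs[self.route[msisdn]].mt_forward_sm(text, more)
        if not more:
            del self.route[msisdn]                # next run queries the HLR again
        return ack


def demo():
    hlr = HLR({"MSISDN-1": "VLR-7"})              # constructed routing data
    msc = ServingMSC()
    gmsc = GatewayMSC(hlr, {"VLR-7": msc})
    for text, more in [("part 1", True), ("part 2", True), ("part 3", False)]:
        gmsc.short_message("MSISDN-1", text, more)
    after_run = (hlr.queries, msc.pagings, len(msc.delivered))
    gmsc.short_message("MSISDN-1", "single", False)
    return after_run, (hlr.queries, msc.pagings, len(msc.delivered))


if __name__ == "__main__":
    print(demo())
```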

OK, after the basic SMS sequence, let’s answer a question.

What is the sequence when the originating subscriber sets the wrong SC No. in the mobile station?

[Figure: Answer. Signaling diagram across MS, BSS, MSC, VLR, Interworking MSC and SC, showing the messages MO_Forward_SM, Short_Message, MO_Forward_SM_Ack, Short_Message_Ack and RP_ACK, with the labels (SC_No.) and Illegal Subscriber, and the note that "Send Not Successfully" is displayed on the mobile.]

From the MO SMS sequence we know that, after the establishment of the air interface signaling link and authentication, the MS sends “RP_MO_Data” to the MSC. The MSC will then transfer the short message to the interworking MSC, tagged with the SMC number.

The SMC number is set on the mobile and sent from the mobile to the network. This SMC is the home SMC of the mobile. If the mobile sets the wrong number, and that number belongs to another SMC, then the gateway MSC sends the short message to that other SMC. In this SMC the mobile does not exist, so the SMC returns the acknowledgement with the cause of illegal subscriber, and then “Send Not Successfully” is displayed on the mobile.

OK, that’s all for the fourth part.

1.5 Handover Sequence

OK, now let’s study the last section, the handover sequence.

This section consists of two parts: the inter-BSS handover sequence and the inter-MSC handover sequence.

First, I will explain the inter-BSS handover sequence.

The MS is in the conversation state and is continuously compiling measurements of both the current transmission and the broadcast control channels of up to sixteen surrounding cells.

The measurements from the six best cells are reported back to the BSS every 480 ms.

When a handover is required, due to low Receive Signal Strength Indication (RSS) or poor signal quality, the existing “originating” BSS (oBSS) notifies the MSC using the message “Handover Required”.

The target, or new, BSS (nBSS) is alerted with the message “Handover Request”, tagged with the TMSI or IMSI.

Then the new BSS allocates a Handover Reference Number, which is used to determine whether the correct mobile gains access to the air-interface channel that it allocates, and acknowledges the MSC’s request with “Handover Request Ack.” This is tagged with the HO Reference number. The nBSS assigns a traffic channel.

The MSC, via the oBSS, orders the MS to change to the new channel with the message “Handover Command” on the FACCH.

There is an information interchange between the nBSS and the MS. This uses the FACCH channel, but an access burst is used. The messages and information carried depend upon the type of handover being performed.

Once all necessary information has been transferred, the message “Handover Complete” is sent to the MSC.

The MSC now sends a “Clear Command” to the oBSS; this frees the radio resources for another MS. The channel is not cleared until this point in case the nBSS cannot accommodate the MS being handed over.

The MS, still in the conversation mode, then continues to prepare periodic measurement reports and sends them to the nBSS.
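
The inter-BSS handover described above, as an added example that is not part of the original training document. It is a simplified model: message names come from the text, while the classes, channel names, the value range of the reference and the sample mobiles are assumptions. It shows the two checks the text describes: the nBSS admits a mobile only when the access carries the Handover Reference it allocated, and the oBSS channel is cleared only after “Handover Complete”.

```python
import secrets

# Simplified model of the inter-BSS handover; names and values are assumed.

class BSS:
    def __init__(self, name):
        self.name = name
        self.active = set()       # mobiles holding a traffic channel here
        self.reserved = {}        # channel -> (mobile, handover reference)

    def handover_request(self, ms):
        """nBSS: reserve a channel, allocate the reference, send the Ack."""
        channel = f"{self.name}/TCH{len(self.reserved)}"
        ref = secrets.randbelow(256)   # value range is an assumption here
        self.reserved[channel] = (ms, ref)
        return channel, ref

    def handover_access(self, channel, ref):
        """nBSS: admit the mobile only if the access carries the reference."""
        ms, expected = self.reserved.get(channel, (None, None))
        if ms is None or ref != expected:
            return None
        del self.reserved[channel]
        self.active.add(ms)
        return ms

    def clear_command(self, ms):
        self.active.discard(ms)


def inter_bss_handover(o_bss, n_bss, ms, presented_ref=None):
    trace = ["Handover Required", "Handover Request"]
    channel, ref = n_bss.handover_request(ms)
    trace += ["Handover Request Ack", "Handover Command"]
    used = ref if presented_ref is None else presented_ref
    if n_bss.handover_access(channel, used) is None:
        trace.append("access refused, oBSS channel kept")
        return False, trace
    trace += ["Handover Complete", "Clear Command"]
    o_bss.clear_command(ms)            # old resources freed only now
    return True, trace


def demo():
    o_bss, n_bss = BSS("oBSS"), BSS("nBSS")
    o_bss.active.update({"MS-1", "MS-2"})          # constructed calls
    ok, _ = inter_bss_handover(o_bss, n_bss, "MS-1")
    bad, _ = inter_bss_handover(o_bss, n_bss, "MS-2", presented_ref=-1)
    return ok, bad, sorted(o_bss.active), sorted(n_bss.active)


if __name__ == "__main__":
    print(demo())
```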

OK, after the inter-BSS handover sequence, we’ll study the inter-MSC handover sequence.

There are two types of inter-MSC handover sequence: the basic inter-MSC sequence and the subsequent inter-MSC sequence.

The inter-MSC handover part is devoted to introducing the sequence between different MSC/VLRs.

When the MSCA receives the “Handover Required” from the oBSS and finds that the new cell belongs to the MSCB, it sends the “Prepare Handover” message to the MSCB. This request may optionally contain an indication that a handover number allocation is not required, the target Cell Id, for compatibility reasons, and all information required by the MSCB to allocate the necessary radio resources.

Then the MSCB sends the “Allocate HandoverNo.” message to the VLRB.

The VLRB responds with the message “Send Handover Report”, in which the handover number is included.

Then the MSCB transfers the handover number to the MSCA with the message “Prepare Handover Ack”.

The MSCB sends the acknowledgement to the VLRB. The handover number will be reserved until a “Send Handover Report” confirmation is received from MSC-B.

The MSCA then sends the message “Initial Address Message”, tagged with the handover number allocated by the VLRB. The MSCB sends the “Address Complete Message” and “Answer” to the MSCA. The connection between the MSCA and the MSCB has now been established.

Optionally, MSC-A can receive, after a “Prepare Handover” confirmation, a “Process Access Signaling” indication containing BSSAP information.

When the connection has been established between the MS and MSCB, MSCA will be informed by a “Send End Signal” indication.

If required, the MSCA invokes the “Forward Access Signaling” request containing the information to be transferred to the A-interface of MSCB (e.g. call control information).

The “Forward Access Signaling” is a non-confirmed service.

The “Forward Access Signaling” is composed in such a way that the information can be passed transparently to the A-interface for call control and mobility management information.

Any response received in MSC-B from the A-interface that should be brought to MSC-A will require a new independent request from the MSCB to the MSCA by invoking a “Process Access Signaling” request.

When the conversation is ended, the MSCA sends the “Release” message to the MSCB and the MSCB responds with the message “Release Complete”.

When the MSCA wants to clear the connection with BSSB, it sends the “Send End Signal” response to the MSCB to close the sequence.

After the release of the resources for the call and handover, the inter-VLR location update sequence follows.

OK, let’s see the subsequent inter-MSC handover sequence.

The procedure is used when the MSCB has decided that a call is to be handed over to another MSC (either back to the controlling MSC (MSCA) or to a third MSC (MSCC)).

When MSCA receives a “Prepare Subsequent Handover” request, it will start the procedure of handing the call over to a third MSC (MSCC), or back to the controlling MSC (MSCA). In this example, the handover is to the MSCC.

The controlling MSC (MSCA) sends the “Prepare Handover” to the MSC/VLRC, and the MSC/VLRC responds with the handover number in the acknowledgement message. Then the MSCA responds to the MSCB using the message “Prepare Subsequent Handover_Ack”.

The MSCA then sends the message “Initial Address Message”, tagged with the handover number allocated by the VLRC. The MSCC sends the “Address Complete Message” and “Answer” to the MSCA. The connection between the MSCA and the MSCC has now been established.

Then the MSCA will release the connection with the MSCB. The MSCA sends the “Release” message to the MSCB, and the MSCB responds with the “Release Complete” message.

If required, MSCC invokes the “Process Access Signaling” request containing the information received on the A-interface that should be transferred to MSCA (e.g. call control information).

“Process Access Signaling” is a non-confirmed service, and any response from MSC-A will require a “Forward Access Signaling” request.

When the conversation is ended, the MSCA sends the “Release” message to MSCC and MSCC responds with the message “Release Complete”.

Actually, after the establishment of the connection between the MSCC and MSCA, the MSCC sends the message “Send End Signal” to the MSCA.

If the new handover procedure towards MSCC (or MSCA) is successful, the MSCA will request the release of the MSC-B by sending the “Send End Signal” confirmation.

Finally, a location update sequence follows.

OK, with this we have finished the study of the communication flow in the GSM system.

Finally, let’s summarize.

In this course, GSM security management was introduced first; it consists of authentication, ciphering, TMSI reallocation and equipment identification. It is usually used within the other sequences.

Then came the explanation of the GSM basic call sequence, which is the most important sequence in the GSM system.

In the third section, the location update sequence was introduced.

Then came an introduction to the basic SM sequence.

Last came a brief introduction to the handover sequence.

Actually, for each kind of sequence there are many abnormal communication flows. If you want to know more, please refer to the relevant specifications.