1

GSM Base Transceiver Station

Presentation by:Naveen Jakhar

ITS – 2014 Batch

2

Topics covered in this presentation: What is a Base Transceiver Station ? Components of any BTS BTS transceiver, BTS O&M module, clock module BTS Transmitter and Receiver Characteristics BTS configurations BTS functions and Protocols on Um and Abis Interface BTS security aspects Conclusion

3

Introduction to Base Transceiver Station: BTS stands for Base Transceiver Station A BTS is an equipment that facilitates wireless communication

between user equipment (UE) and a network UEs are devices like mobile phones, WLL (Wireless in Local

Loop) phones, computers with wireless Internet connectivity The network can be that of any of the wireless communication

technologies like GSM, CDMA, wireless local loop, Wi-Fi (wireless fidelity), WiMAX (Worldwide Interoperability for Microwave Access) or other wide area network(WAN) technology

4

Introduction to Base Transceiver Station: BTS is also referred to as the radio base station (RBS), node

B(in 3G Networks) or, simply, the base station (BS) The term BTS is applicable to any of the wireless communication standards, it is generally associated with mobile communication technologies like GSM and CDMA

5

Base Transceiver Station(BTS) components: BTS provides the wireless connectivity to Mobile Station on one side

via Air Interface (also called) BTS is connected to BSC via Abis Interface Any BTS is having these components: Transceiver (TRX) Power amplifier (PA) Combiner Multiplexer Antenna Baseband receiver unit (BBxx) Control function Alarm extension system Clock Module Operation and Maintenance module

6

Base Station Transceiver: BTS Transceiver is responsible for transmission and reception of

signals GSM recommendations allow one BTS to host up to 16 TRX In field, majority of BTS have one to 4 TRX at max TRX is having two parts: one, a low frequency part for digital signal

processing and other, high frequency part for GMSK modulation and demodulation

Both parts are connected via a separate or an integrated frequency hopping unit

7

Base Transceiver Diagram:

8

Base station components: Combiner combines feeds from several TRXs so that they could be

sent out through a single antenna thus reducing the number of antennas that need be installed

Power Amplifier Class C, aids in signal amplification from TRX for transmission through the antenna

Duplexer is used for separating sending and receiving signals to or from the antenna

Antenna is an external part of the BTS and it is used to transmit the signals to other entity

9

Base station components: Alarm Extension system collects working status alarms of various

units in the BTS and extends them to operations and maintenance (O&M) monitoring stations

Control functions controls and manages the various units of BTS, including any software. On-the-spot configurations, status changes, software upgrades, etc. are done through the control function module

10

BTS Operations and Maintenance module: It consists of at least one central unit, which administers all other parts

of BTS O&M module is connected to BSC by means of a special O&M channel O&M module allows a remote access from BSC for any software

update A BTS is controlled by a parent BSC via the base station control

function(BCF), implemented in O&M module O&M module also provides a Human Machine Interface, which allows

for local control of BTS

11

BTS Clock module: Clock generation and distribution module is present inside O&M

module Reference clock is derived from PCM signals on Abis Interface BTS internal clock generation is mandatory – when a BTS is to be

tested in standalone environment & when PCM clock is not available due to link failure

GSM requires that all TRX of a BTS use same clock. The accuracy of the signal has to have a precision of at least 0.05 ppm

1 MHz clock, precision should be .05 Hz

12

BTS Input and Output filters: Input and output filters are used to limit the bandwidth of received

and transmitted signal The input filter typically is a non-adjustable wideband filter that

allows GSM 900MHz, DCS 1800 MHz, PCS 1900 MHz frequencies to pass in the uplink direction

The output filter is an adjustable wideband filter used in downlink direction which limits the signal to 200 KHz bandwidth

13

BTS Transmitter Characteristics: Output Power Output RF Spectrum Spurious emissions Radiofrequency tolerance Output level dynamic operation Modulation accuracy Intermodulation attenuation

14

BTS Transmitter Specifications: For a normal BTS, the maximum output power measured at the input

of the BSS Tx combiner, shall be, according to its class, as defined in the following table

15

Micro and pico -BTS Transmitter Specifications: For a micro-BTS or a pico-BTS, the maximum output power per

carrier measured at the antenna connector after all stages of combining shall be, according to its class, defined in the following table.

16

BTS Transmitter Specifications: The tolerance of the actual maximum output power of the BTS for

each supported modulation shall be ±2 dB under normal conditions and ±2.5 dB under extreme conditions

Power can be increased in steps, each step size is of 2 dB with accuracy of ±1 dB

dBc (decibels relative to the carrier) is the power ratio of a signal to a carrier signal, expressed in decibels

The Residual output power, if a timeslot is not activated, shall be maintained at, or below, a level of -30 dBc on the frequency channel

17

BTS Receiver Characteristics: Blocking Characteristics

AM Suppression Characteristics

Intermodulation Characteristics

Spurious emissions

18

BTS Receiver Blocking Characteristics: The blocking characteristics of the receiver are specified separately

for in-band and out-of-band performance

19

BTS configurations: BTS Configurations depend on load, subscriber behaviour and area to

be covered Three different configurations of BTS: Standard omnidirectional configuration Umbrella shape configuration Sectorized or Cell configuration

20

BTS Standard Omnidirectional Configuration: Omnidirectional antennas are used

No fine load balancing with respect to the load and clutter

Inefficient resource utilization

Low antenna gain

21

BTS Umbrella Cell Configuration: Umbrella cell configuration consists of one BTS with high

transmission power and an antenna installed high above the ground that serves as an umbrella for a number of BTSs with low transmission power

and small diameters Use of Umbrella cell Configuration ?

22

BTS Umbrella Cell Configuration: Umbrella cell configuration – high rise antenna may be a solution to

provide coverage for fast moving cars (how can they be detected – using timing advance parameter – updated after every 480 ms by MEAS_RES message)and antennas with lesser height can provide coverage to dense areas within a city

Umbrella configuration not specified by GSM, so additional design updates required in BTS and BSC

Drawback: Interference and non-reuse of frequency

23

BTS Sectorized(Collocated) Configuration: Several BTSs are collocated at one site but their antennas cover only

an area of 120 or 180 degrees Fairly easy to fine-synchronize the cells with each other and thus

allows for synchronised handover between the two cells Re-use of frequencies Sectorization eases the demand for frequencies especially in urban

areas

24

BTS Sectorized(Collocated) Configuration:

25

BTS functions: BTS is an important component of BSS Channel encoding and decoding Burst formatting and Interleaving Encryption and decryption (ciphering) setup of LAPD connection on BSC side and LAPDm on Um interface GMSK modulation and demodulation Creation and transmission of BCCH Measurements of signal strength and forward the results to BSC

26

BTS Interface Protocols and signal transfer : interface :This interface uses LAPDm protocol for signalling, to conduct call control,measurement reporting reporting, handover, power control, authentication, authorization, location update and so on. Traffic and signaling are sent in bursts of 0.577 ms at intervals of 4.615 ms, to form data blocks each 20 ms LAPDm does not have CRC for Error detection Abis Interface :Uses TDM sub channels for traffic (TCH), LAPD protocol for BTS supervision and telecom signalling, and carries synchronization from the BSC to the BTS and MS

27

BTS Interface Protocols:

28

BTS Interface Protocols and signal transfer : GSM Layer 1: FDMA/TDMA is the air interface(radio), also called Um interface

At Mobile Station, FDMA/TDMA is used which is also followed at BTS, BTS takes this format from MS and convert it to 64kbps digital format for the digital link and interfaces with BSC

29

BTS Interface Protocols and signal transfer : GSM Layer 2: Layer 2 is the data link layer, which does following three main

functions. Establish and maintain the link Flow control Error detection Work on layer 3 frames.

30

BTS Interface Protocols and signal transfer : GSM Layer 2:At Layer-2 LAPD and LAPDm is used. LAPD is the ISDN(Integrated Services

Digital Network) protocol for D Channel

LAPDm is the modified version of LAPD for mobile station

LAPDm does not have CRC for Error detection

LAPD at BTS converts potentially unreliable physical link of MS into reliable link

31

Security aspects at BTS: All BTS are comprised of software and radio equipment and most of

the vendors use a similar transceiver code base – means all can be attacked using this flaw

A malicious hacker can take control of BTS from any remote place – results in compromised BTS functionalities

The attacker could impersonate a parallel BTS communicating with it and could send GSM data bursts to the transceiver itself, thus conducting attacks such as IMSI detaching, encryption downgrading, and denial of service against mobile subscribers

32

Conclusion and way forward: BTS is an important device for Mobile communication and any

security breach at BTS would expose the entire mobile network to many vulnerabilities

Vendors are coming up with these improvements in BTS design: change firewall rules to block traffic coming from external networks to

specific ports Enhanced authentication process perform additional code audits before releasing alpha version of any

software patch

33

References: Book GSM networks : Protocols, Terminology and Implementation by

Gunnair Heine3GPP TS 05.05 version 8.20.0 Release 1999, ETSI TS 100 910 V8.20.0

(2005-11) http://

www.securityweek.com/critical-vulnerabilities-affect-open-source-base-transceiver-stations

http://www.rfwireless-world.com/http://whytelecom.com/https://en.wikipedia.org/wiki/Base_transceiver_station

34

Thank You Communication – The Human Connection – is the key to Personal and Career Success