
SDR based GSM Receiver

CHAPTER 1

INTRODUCTION

GSM INTRODUCTION
GSM is the short form of Global System for Mobile Communications. It is called 2G or
Second Generation technology. It was developed so that the same subscriber units, or mobile
phone terminals, can be used throughout the world. There are various GSM standards such as GSM900,
EGSM900, GSM1800 and GSM1900; they differ mainly in RF carrier frequency band
and bandwidth. This GSM tutorial covers network architecture, network elements, the various
interfaces, specifications, the GSM frame structure (frame hierarchy), GSM burst types, the GSM
physical layer, GSM physical channels, GSM logical channels and their functions, logical
channel mapping, the GSM mobile network entry procedure, GSM MO and MT calls,
VAMOS basics, AMR basics, and the MSK and GMSK modulation types.

1.1 HISTORY OF GSM

During the early 1980s, analog cellular telephone systems experienced rapid growth in
Europe, particularly in Scandinavia and the United Kingdom, but also in France and Germany.
Each country developed its own system, which was incompatible with everyone else's in
equipment and operation. This was an undesirable situation, because not only was the mobile
equipment limited to operation within national boundaries, which in a united Europe were
increasingly unimportant, but there was also a very limited market for each type of equipment, so
economies of scale and the subsequent savings could not be realized.

The Europeans realized this early on, and in 1982 the Conference of European Posts and
Telegraphs (CEPT) formed a study group called the Group Special Mobile (GSM) to study and
develop a pan-European public land mobile system. The proposed system had to meet certain
criteria:
• Good subjective speech quality

1
Dept of ECE, GCET
SDR based GSM Receiver

• Low terminal and service cost
• Support for international roaming
• Ability to support handheld terminals
• Support for a range of new services and facilities
• ISDN compatibility

1.2 SERVICES PROVIDED BY GSM

From the beginning, the planners of GSM wanted ISDN compatibility in terms of the
services ordered and the control signalling used. However, radio transmission limitations, in
terms of bandwidth and cost, do not allow the standard ISDN B-channel bit rate of 64 kbps to be
practically achieved.

Using the ITU-T definitions, telecommunication services can be divided into bearer
services, tele-services, and supplementary services. The most basic tele-service supported by
GSM is telephony. Speech is digitally encoded and transmitted through the GSM network as a
digital stream. There is also an emergency service, where the nearest emergency-service
provider is notified by dialing three digits (similar to 911 in North America).

A variety of data services is offered. GSM users can send and receive data, at rates up to
9600 bps, to users on POTS (Plain Old Telephone Service), ISDN, Packet Switched Public Data
Networks, and Circuit Switched Public Data Networks using a variety of access methods and
protocols, such as X.25 or X.32. Since GSM is a digital network, a modem is not required
between the user and GSM network, although an audio modem is required inside the GSM
network to interwork with POTS.


CHAPTER 2

GSM ARCHITECTURE

2.1 GSM NETWORK ARCHITECTURE

A GSM network consists of the Mobile Station, the Base Station Subsystem, and the Network and
Operation Subsystem. The following figure depicts the complete GSM system network architecture.

Fig.2.1 GSM Network Architecture

Mobile Station - The Mobile Station is the GSM mobile phone equipment, which houses a DSP, an RF
chip and a SIM (Subscriber Identity Module). Carrying the SIM alone is enough to avail the services
of the GSM network. The SIM contains all subscriber-related information, the network with which the
subscriber is subscribed, and encryption-related information. It stores network-specific data
such as the list of carrier frequencies and the current Location Area ID (LAI), the International
Mobile Subscriber Identity (IMSI) and the subscriber's ISDN number, the Personal Identification
Number (PIN) and authentication keys, and also short messages, charging information, the telephone
book, etc.

Base Station Subsystem - The Base Station Subsystem houses the Base Transceiver Station (BTS) and
the Base Station Controller (BSC). This subsystem takes care of radio control related functions and
provides the GSM air interface through which GSM mobile phones connect to the GSM network. To
provide GSM service, a region or city is divided into cells. The cell size is usually between about
100 m and about 35 km, and the coverage of a BTS is limited to its cell; many BTSs together cover
the entire region. All these BTSs are interfaced with one BSC in various topologies (mesh, star,
etc.). The BSC takes care of radio frequency assignments to the mobile phones and of handoff within
the BSS, i.e. from one BTS to another. The BTS provides two kinds of channel, signalling and data,
and performs error protection coding for the radio channel. The BSC performs radio resource
management: it assigns and releases frequencies and time slots for all the MSs in its area,
reallocates frequencies among cells, and executes the handoff protocol. It also provides time and
frequency synchronization signals to the BTSs, measures and notifies the time delay of an MS to
the BTS, and manages the power of the BTS and MS.

Network Subsystem (NSS) - This subsystem provides the interface between the cellular system and
the circuit switched telephone network, i.e. the PSTN. It performs switching and operation &
maintenance related functions. The NSS takes care of call processing functions such as call setup,
switching and tear-down, and also of handover between BSCs. The NSS also takes care of security and
authentication related functions. The various network elements in this subsystem, shown in the GSM
network architecture above, are explained below. These are basically database elements.

HLR - Home Location Register. It stores permanent and temporary subscriber related
information. For all users registered with the network, the HLR keeps the user profile, and the
MSCs exchange information with the HLR. When an MS registers with a new GMSC, the HLR sends the
user profile to the new MSC.


VLR - Visitor Location Register. It stores information about visiting subscribers: their
facilities, the network they are subscribed to, their home location, and so on.

AUC - Authentication Centre, used to authenticate activities in the system. It holds the
encryption (A5) and authentication (A3) keys for both the HLR and the VLR.

EIR - Equipment Identification Register. It helps in security as it keeps track of the type of
equipment used in the Mobile Station or terminal, and allows stolen or fraudulent mobile stations
to be identified.

GSM IDENTIFIERS - International Mobile Subscriber Identity (IMSI): unique 15 digits assigned
by the service provider = home country code + home GSM network code + mobile subscriber ID +
national mobile subscriber ID.
International Mobile Station Equipment Identity (IMEI): unique 15 digits assigned by the equipment
manufacturer = type approval code + final assembly code + serial number + spare digit.
Temporary Mobile Subscriber Identity (TMSI): a 32-bit number assigned by the VLR to uniquely
identify a mobile station within a VLR's area.
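As an added example (not part of the original report), the following Python splits the three identifiers described above into their fields and applies the sanity checks an EIR or VLR would apply before trusting a value. The field widths follow the report's description; the MNC length (2 or 3 digits) cannot be derived from the IMSI alone, so it is passed in as a parameter (assumption), and the IMEI's spare digit is validated as a Luhn check digit over the first 14 digits, which is how the check digit is defined in later IMEI formats. The sample IMSI uses the reserved test PLMN 001-01 and the sample IMEI is a constructed value.

```python
# Added example: GSM identifier field splitting and sanity checks.
# Not code from the report; see lead-in for assumptions.


def split_imsi(imsi: str, mnc_len: int = 2) -> dict:
    """Split a 15-digit IMSI into MCC (3 digits), MNC (2 or 3 digits) and MSIN."""
    if not (imsi.isdigit() and len(imsi) == 15):
        raise ValueError("IMSI must be exactly 15 decimal digits")
    if mnc_len not in (2, 3):
        raise ValueError("MNC is 2 or 3 digits (assumed, supplied by caller)")
    return {
        "mcc": imsi[:3],                 # home country code
        "mnc": imsi[3:3 + mnc_len],      # home GSM network code
        "msin": imsi[3 + mnc_len:],      # mobile subscriber identification number
    }


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit over a digit string (the scheme used for the 15th IMEI digit)."""
    total = 0
    for pos, ch in enumerate(reversed(payload)):
        d = int(ch)
        if pos % 2 == 0:          # rightmost payload digit is doubled first
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def split_imei(imei: str) -> dict:
    """Split a 15-digit IMEI as TAC (6) + FAC (2) + serial (6) + spare/check digit (1)
    and verify the check digit, which is what an EIR lookup should do first."""
    if not (imei.isdigit() and len(imei) == 15):
        raise ValueError("IMEI must be exactly 15 decimal digits")
    fields = {
        "tac": imei[:6],        # type approval code
        "fac": imei[6:8],       # final assembly code
        "snr": imei[8:14],      # serial number
        "check": imei[14],      # spare / check digit
    }
    fields["valid"] = luhn_check_digit(imei[:14]) == int(imei[14])
    return fields


def tmsi_in_range(tmsi: int) -> bool:
    """A TMSI is a 32-bit value assigned by the VLR; reject anything that does not fit."""
    return 0 <= tmsi < 2 ** 32


# Constructed sample values (test PLMN 001-01; not a real subscriber or handset).
SAMPLE_IMSI = "001010123456789"
SAMPLE_IMEI = "490154203237518"

if __name__ == "__main__":
    print(split_imsi(SAMPLE_IMSI))
    print(split_imei(SAMPLE_IMEI))
    print(tmsi_in_range(0xDEADBEEF))
```

The Luhn check only catches transcription errors; it says nothing about whether the device is stolen or cloned, which is exactly why the EIR keeps its own white, grey and black lists rather than relying on the digit.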

2.1.1 GSM INTERFACES

• Air interface between Mobile Station and BTS
• Abis interface between BTS and BSC
• A interface between BSC and MSC

2.1.2 GSM SYSTEM SPECIFICATIONS

• Access method - TDMA/FDMA
• Uplink frequency band - 890 to 915 MHz
• Downlink frequency band - 935 to 960 MHz
• System bandwidth - 200 kHz
• No. of frequency channels or ARFCNs (Absolute Radio Frequency Channel Number) - 124
• Users per channel - 8
• Frame duration - 4.615 ms
• Spectral efficiency - 1.35 b/s/Hz
• Data rate per user - 33.6 kbps (270.833 kbps gross data rate for 8 users / 8 users)

Table 2.1 GSM service quality requirements

2.2 GSM FRAME STRUCTURE OR FRAME HIERACHY

In GSM, the frequency band of 25 MHz is divided into smaller bands of 200 kHz, each carrying
one RF carrier; this gives 125 carriers. As one carrier is used as a guard channel between GSM and
the adjacent frequency bands, 124 carriers are usable RF channels. This division of the frequency
pool is called FDMA. Each RF carrier in turn has eight time slots; this division in time is called
TDMA. Since each RF carrier frequency is shared between 8 users, the basic radio resource in the
GSM system is a time slot with a duration of about 577 microseconds. Each time slot has a duration
of 15/26 ms, or 0.577 ms, and carries 156.25 bits, which leads to a bit rate of 270.833 kbps. This
is explained below in the TDMA GSM frame structure. For E-GSM the number of ARFCNs is 174, and for
DCS1800 it is 374.

The GSM frame structure is designated as hyper-frame, super-frame, multi-frame and
frame. The smallest unit, the frame (or TDMA frame), is made of 8 time slots. One GSM
hyper-frame is composed of 2048 super-frames. Each GSM super-frame is composed of multi-frames
(either 26 or 51, as described below). Each GSM multi-frame is composed of frames (either 51 or 26,
depending on the multi-frame type). Each frame is composed of 8 time slots. Hence there are a total
of 2715648 TDMA frames in a hyper-frame, after which the same cycle repeats.

Fig.2.2 GSM Frame Structure

As shown in the figure, there are two variants of the multi-frame structure.
1. The 26-frame multi-frame, called the traffic multi-frame, is composed of 26 bursts in a duration
of 120 ms; of these, 24 are used for traffic, one for SACCH and one is not used.


Fig 2.3 GSM physical and logical concept

Frequencies in the uplink = 890.2 + 0.2 (N - 1) MHz
Frequencies in the downlink = 935.2 + 0.2 (N - 1) MHz
where N, called the ARFCN, runs from 1 to 124.
As the same antenna is used for transmit as well as receive, a delay of 3 time slots is introduced
between TS0 of the uplink and TS0 of the downlink frequency. This avoids the need for simultaneous
transmission and reception by the GSM mobile phone. The 3-slot period is used by the mobile
subscriber to perform various functions, e.g. processing data and measuring the signal quality of
neighbouring cells.
Engineers working in GSM should know the GSM frame structure for both the downlink and the
uplink. They should also understand the mapping of the different channels to time slots in these
GSM frame structures.
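The frame hierarchy and the ARFCN-to-frequency formulas of this section, as an added example that is not part of the original report. The constants (15/26 ms slot, 156.25 bits per slot, 26 x 51 frames per superframe, 2048 superframes, 200 kHz spacing, 890.2 and 935.2 MHz base frequencies, ARFCN range 1 to 124) are the ones given above; exact fractions are used so that the chained values come out exactly rather than drifting in floating point.

```python
# Added example: GSM primary-band frame timing and ARFCN mapping.
# Not code from the report; constants are taken from Section 2.2.
from fractions import Fraction

TIMESLOT_MS = Fraction(15, 26)            # one time slot = 15/26 ms (~0.577 ms)
BITS_PER_SLOT = Fraction(625, 4)          # 156.25 bit periods per slot
SLOTS_PER_FRAME = 8
FRAMES_PER_TRAFFIC_MF = 26
FRAMES_PER_CONTROL_MF = 51
SUPERFRAMES_PER_HYPERFRAME = 2048
CHANNEL_SPACING_MHZ = Fraction(1, 5)      # 200 kHz
UPLINK_BASE_MHZ = Fraction(4451, 5)       # 890.2 MHz
DOWNLINK_BASE_MHZ = Fraction(4676, 5)     # 935.2 MHz


def frame_duration_ms() -> Fraction:
    """8 slots of 15/26 ms = 120/26 ms, i.e. the 4.615 ms frame of the spec table."""
    return TIMESLOT_MS * SLOTS_PER_FRAME


def gross_bit_rate_kbps() -> Fraction:
    """156.25 bits per 15/26 ms slot = 270.833 kbit/s on the air."""
    return BITS_PER_SLOT / TIMESLOT_MS


def frames_per_hyperframe() -> int:
    """A superframe is 26 x 51 frames whether it is built from 26-frame or 51-frame MFs."""
    return SUPERFRAMES_PER_HYPERFRAME * FRAMES_PER_TRAFFIC_MF * FRAMES_PER_CONTROL_MF


def hyperframe_seconds() -> float:
    """Length of the full frame-number cycle (about 3 h 28 min)."""
    return float(frames_per_hyperframe() * frame_duration_ms() / 1000)


def _check_arfcn(arfcn: int) -> None:
    if not 1 <= arfcn <= 124:
        raise ValueError("primary GSM900 ARFCN must be in 1..124")


def uplink_mhz(arfcn: int) -> float:
    """890.2 + 0.2 (N - 1) MHz."""
    _check_arfcn(arfcn)
    return float(UPLINK_BASE_MHZ + CHANNEL_SPACING_MHZ * (arfcn - 1))


def downlink_mhz(arfcn: int) -> float:
    """935.2 + 0.2 (N - 1) MHz; always 45 MHz above the paired uplink carrier."""
    _check_arfcn(arfcn)
    return float(DOWNLINK_BASE_MHZ + CHANNEL_SPACING_MHZ * (arfcn - 1))


if __name__ == "__main__":
    print("frame:", float(frame_duration_ms()), "ms")
    print("gross rate:", float(gross_bit_rate_kbps()), "kbit/s")
    print("frames per hyperframe:", frames_per_hyperframe())
    print("hyperframe:", hyperframe_seconds(), "s")
    for n in (1, 62, 124):
        print(f"ARFCN {n}: UL {uplink_mhz(n)} MHz, DL {downlink_mhz(n)} MHz")
```

Tuning an SDR front end to a downlink carrier is exactly the `downlink_mhz` computation; the range check matters because an ARFCN outside 1..124 belongs to a different band (E-GSM or DCS1800) with its own offset formula.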


CHAPTER 3
HARDWARE AND SOFTWARE TOOLS

3.1 HARDWARE TOOLS


• Software defined radio
• Two antennas
• SMA connectors
• i7 processor PC

3.1.1 SOFTWARE DEFINED RADIO (SDR)

Software-defined radio (SDR) is a radio communication system where components that
have been traditionally implemented in hardware (e.g. mixers, filters, amplifiers,
modulators/demodulators, detectors, etc.) are instead implemented by means of software
on a personal computer or embedded system. While the concept of SDR is not new, the
rapidly evolving capabilities of digital electronics render practical many processes which
were once only theoretically possible.

A basic SDR system may consist of a personal computer equipped with a sound card, or
other analog-to-digital converter, preceded by some form of RF front end. Significant
amounts of signal processing are handed over to the general-purpose processor, rather than
being done in special-purpose hardware (electronic circuits). Such a design produces a
radio which can receive and transmit widely different radio protocols (sometimes referred
to as waveforms) based solely on the software used.

Software radios have significant utility for the military and cell phone services, both of
which must serve a wide variety of changing radio protocols in real time.

In the long term, software-defined radios are expected by proponents like the SDR Forum
(now The Wireless Innovation Forum) to become the dominant technology in radio
communications. SDRs, along with software defined antennas, are the enablers of
cognitive radio.

A software-defined radio can be flexible enough to avoid the "limited spectrum"
assumptions of designers of previous kinds of radios, in one or more ways including:

• Spread spectrum and ultra wideband techniques allow several transmitters to transmit in
the same place on the same frequency with very little interference, typically combined with
one or more error detection and correction techniques to fix all the errors caused by that
interference.
• Software defined antennas adaptively "lock onto" a directional signal, so that receivers
can better reject interference from other directions, allowing them to detect fainter
transmissions.
• Cognitive radio techniques: each radio measures the spectrum in use and communicates
that information to other cooperating radios, so that transmitters can avoid mutual
interference by selecting unused frequencies. Alternatively, each radio connects to a
geolocation database to obtain information about the spectrum occupancy in its location and
flexibly adjusts its operating frequency and/or transmit power so as not to cause interference to
other wireless services.
• Dynamic transmitter power adjustment, based on information communicated from the
receivers, lowering transmit power to the minimum necessary, reducing the near-far
problem, reducing interference to others, and extending battery life in portable
equipment.
• Wireless mesh networks, where every added radio increases total capacity and reduces the
power required at any one node. Each node only transmits loudly enough for the message
to hop to the nearest node in that direction, reducing the near-far problem and reducing
interference to others.


OPERATING PRINCIPLES
• Ideal concept
The ideal receiver scheme would be to attach an analog-to-digital converter to an
antenna. A digital signal processor would read the converter, and then its software would
transform the stream of data from the converter to any other form the application requires.

An ideal transmitter would be similar. A digital signal processor would generate a stream
of numbers. These would be sent to a digital-to-analog converter connected to a radio
antenna.

The ideal scheme is not completely realizable due to the current limits of the technology.
The main problem in both directions is the difficulty of conversion between the digital and
the analog domains at a high enough rate and a high enough accuracy at the same time, and
without relying upon physical processes like interference and electromagnetic resonance
for assistance.

• Receiver architecture
Most receivers use a variable-frequency oscillator, mixer, and filter to tune the desired
signal to a common intermediate frequency or baseband, where it is then sampled by the
analog-to-digital converter. However, in some applications it is not necessary to tune the
signal to an intermediate frequency and the radio frequency signal is directly sampled by
the analog-to-digital converter (after amplification).

Real analog-to-digital converters lack the dynamic range to pick up sub-microvolt, nano
watt-power radio signals. Therefore, a low-noise amplifier must precede the conversion
step and this device introduces its own problems. For example, if spurious signals are
present (which is typical), these compete with the desired signals within the amplifier's
dynamic range. They may introduce distortion in the desired signals, or may block them
completely. The standard solution is to put band-pass filters between the antenna and the
amplifier, but these reduce the radio's flexibility. Real software radios often have two or
three analog channel filters with different bandwidths that are switched in and out.


Fig 3.1 software defined radio

3.1.2 TWO ANTENNAS

Two antennas, one as the transmitter antenna and the other as the receiver antenna, placed at
optimum distances.

3.1.3 SMA CONNECTOR

It is used to connect the antennas to the SDR.

3.1.4 i7 PROCESSOR PC

To run the software tools in accordance with the SDR.

3.2 SOFTWARE TOOLS


• GNU Radio Companion (GRC).
• Wireshark tool.

3.2.1 GNU RADIO COMPANION

The GNU Radio software provides the framework and tools to build and run software
radio or just general signal-processing applications. The GNU Radio applications themselves are
generally known as "flowgraphs", which are a series of signal processing blocks connected
together, thus describing a data flow.

As with all software-defined radio systems, reconfigurability is a key feature. Instead of
using different radios designed for specific but disparate purposes, a single, general-purpose
radio can be used as the radio front-end, and the signal-processing software (here, GNU Radio)
handles the processing specific to the radio application.

These flowgraphs can be written in either C++ or the Python programming language. The
GNU Radio infrastructure is written entirely in C++, and many of the user tools are written in
Python.

GNU Radio is a signal-processing package and part of the GNU Project. It is distributed
under the terms of the GNU General Public License (GPL), and most of the project code is
copyrighted by the Free Software Foundation.

The GNU Radio Companion is a graphical UI used to develop GNU Radio
applications.[6] This is the front-end to the GNU Radio libraries for signal processing. GRC was
developed by Josh Blum during his studies at Johns Hopkins University (2006-2007), then
distributed as free software for the October 2009 Hackfest. Starting with the 3.2.0 release, GRC
was officially bundled with the GNU Radio software distribution.

GRC is effectively a Python code-generation tool. When a flowgraph is "compiled" in
GRC, it generates Python code that creates the desired GUI windows and widgets, and creates
and connects the blocks in the flowgraph.

GRC currently supports GUI creation with WxWidgets or the Qt toolkit.

3.2.2 WIRESHARK TOOL

• Definition - What does Wireshark mean?

Wireshark is a free and open source network protocol analyser that enables users to
interactively browse the data traffic on a computer network. The development project was
started under the name Ethereal, but was renamed Wireshark in 2006.

Many networking developers from all around the world have contributed to this project
with network analysis, troubleshooting, software development and communication
protocols. Wireshark is used in many educational institutions and other industrial sectors.

• Techopedia explains Wireshark

Wireshark is a network or protocol analyser (also known as a network sniffer) available
for free at the Wireshark website. It is used to analyse the structure of different network
Linux and Microsoft Windows operating systems, and employs the GTK+ widget toolkit
and pcap for packet capturing. Wireshark and other terminal-based free software versions
like Tshark are released under the GNU General Public License.

Wireshark shares many characteristics with tcpdump. The difference is that it supports a
graphical user interface (GUI) and has information filtering features. In addition,
Wireshark permits the user to see all the traffic being passed over the network.

• Features of Wireshark include:

Data is analysed either from the wire over the network connection or from data files that
have already captured data packets.

Supports live data reading and analysis for a wide range of networks (including Ethernet,
IEEE 802.11, point-to-point Protocol (PPP) and loopback).

With the help of the GUI or the other versions, users can browse the captured network data.

For programmatically editing and converting the captured files, users can use the command line
switches of the editcap application.

Display filters are used to filter and organize the data display.

New protocols can be scrutinized by creating plug-ins.

Captured traffic can also be used to trace Voice over Internet Protocol (VoIP) calls over the network.

When using Linux, it is also possible to capture raw USB traffic.


CHAPTER 4

CHANNELS AND CONNECTIONS

4.1 LOGICAL AND PHYSICAL GSM CHANNELS

Every 26 TDMA frames, for example, a logical channel gets bandwidth in a physical
channel. Traffic channels are mainly of two types, half rate and full rate. There are
various control channels such as BCCH (Broadcast Control Channel), SCH (Synchronization
Channel), FCCH (Frequency Correction Channel) and DCCH (Dedicated Control Channel).

All these GSM channels help maintain the GSM network, help the GSM mobile phone connect to the
network and maintain the connection, and help tear down the connection. The figure below shows all
the channels used in GSM.

Fig.4.1 GSM Channels


Freq. Carrier: 200 kHz.

TDMA: 8 time slots per freq carrier.

No. of carriers = 25 MHz / 200 kHz = 125.

Max no. of user channels = 125 * 8 = 1000.

Considering guard bands = 124 * 8 = 992 channels.

4.1.1 SPEECH PROCESSING THROUGH THE GSM PHYSICAL LAYER

The GSM physical layer is nothing but the set of modules through which speech passes before it is
transmitted over the air. These modules are depicted in the figure below.

This section covers the GSM speech processing modules at layer 1, i.e. the physical layer.

Fig.4.2 GSM Physical Layer

These modules are speech coding, channel coding, interleaving, ciphering, burst assembly and
modulation. The speech coding block uses a 13 kbps RELP (Residually Excited Linear Predictive)
coder. The channel coding block uses convolutional coding of rate 1/2 with a constraint length of 5.


The interleaving block does diagonal interleaving: the 456 encoded bits produced in each 20 ms
duration are broken into sub-blocks of 57 bits, giving a total of 8 sub-blocks of 57 bits each.
The ciphering block uses the A3 and A5 encryption algorithms. Encryption is changed call by call
to enhance privacy. The burst assembly block frames the burst as required by the GSM frame
structure. The result is modulated and Gaussian filtered: the modulation block minimizes the
occupied bandwidth using GMSK modulation with a BT of 0.3.
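The channel coding and interleaving steps described above, as an added example that is not part of the original report: a rate-1/2, constraint-length-5 convolutional encoder and the splitting of a 456-bit coded block into eight 57-bit sub-blocks. The generator polynomials (G0 = 1 + D^3 + D^4, G1 = 1 + D + D^3 + D^4), the 189 class-1 / 78 class-2 bit split and the diagonal interleaving rule are taken from GSM 05.03 for the full-rate speech channel (TCH/FS); the input bits are constructed, not produced by a speech coder.

```python
# Added example: GSM TCH/FS channel coding and diagonal interleaving.
# Not code from the report; polynomials and interleaving rule from GSM 05.03.
from typing import List

G0_TAPS = (0, 3, 4)        # G0 = 1 + D^3 + D^4
G1_TAPS = (0, 1, 3, 4)     # G1 = 1 + D + D^3 + D^4
K = 5                      # constraint length: current bit + 4 memory elements


def conv_encode(bits: List[int]) -> List[int]:
    """Rate-1/2 encoder; output holds c(2k) = G0 and c(2k+1) = G1 for each input u(k)."""
    out: List[int] = []
    history = [0] * (K - 1)              # u(k-1) .. u(k-4), most recent first
    for u in bits:
        window = [u] + history           # window[d] == u(k-d)
        g0 = sum(window[d] for d in G0_TAPS) % 2
        g1 = sum(window[d] for d in G1_TAPS) % 2
        out += [g0, g1]
        history = [u] + history[:-1]
    return out


def encode_tch_fs_block(class1: List[int], class2: List[int]) -> List[int]:
    """189 class-1 bits (182 data + 3 parity + 4 zero tail bits) are coded to 378 bits;
    the 78 class-2 bits are sent uncoded, giving the 456-bit block of one 20 ms speech frame."""
    if len(class1) != 189 or len(class2) != 78:
        raise ValueError("expected 189 class-1 and 78 class-2 bits")
    if any(class1[-4:]):
        raise ValueError("the last 4 class-1 bits are tail bits and must be 0")
    return conv_encode(class1) + class2


def interleave_456(coded: List[int]) -> List[dict]:
    """Diagonal interleaving of one 456-bit block: bit k goes to sub-block B = k mod 8 at
    payload position j = 2*((49k) mod 57) + (k mod 8) div 4. Each sub-block ends up with
    57 bits on every other position of a 114-bit burst payload; the other 57 positions are
    filled by the neighbouring speech block, which is what spreads a burst loss over two
    blocks. The result maps sub-block index -> {burst position: bit}."""
    if len(coded) != 456:
        raise ValueError("expected 456 coded bits")
    sub_blocks: List[dict] = [dict() for _ in range(8)]
    for k, bit in enumerate(coded):
        b = k % 8
        j = 2 * ((49 * k) % 57) + (b // 4)
        if j in sub_blocks[b]:
            raise AssertionError("interleaver collision, rule implemented incorrectly")
        sub_blocks[b][j] = bit
    return sub_blocks


# Constructed input: a single 1 at the start of class 1 (shows the encoder's impulse
# response), tail bits zero, class-2 bits all 1 so they are easy to spot after coding.
SAMPLE_CLASS1 = [1] + [0] * 188
SAMPLE_CLASS2 = [1] * 78

if __name__ == "__main__":
    coded = encode_tch_fs_block(SAMPLE_CLASS1, SAMPLE_CLASS2)
    print("first 10 coded bits (impulse response):", coded[:10])
    blocks = interleave_456(coded)
    print("bits per sub-block:", [len(b) for b in blocks])
    print("positions used by sub-block 0:", sorted(blocks[0])[:6], "...")
```

Sub-blocks 0 to 3 land on the even payload positions and 4 to 7 on the odd ones, so a single lost burst costs each of two adjacent speech blocks only 57 of their 456 bits, which the rate-1/2 code can usually recover.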

There are two main types of GSM channels, viz. physical channels and logical channels. A physical
channel is specified by a specific time slot on a carrier frequency. Logical channels run over
physical channels, i.e. logical channels are time multiplexed on physical channels; each physical
channel (a time slot at one particular ARFCN) has either the 26-frame MF (multi-frame) or the
51-frame MF structure described here. Logical channels are classified into traffic channels and
control channels. Traffic channels carry user data. Control channels are interspersed with traffic
channels in well specified ways.

4.1.2 GSM LOGICAL CHANNELS AND THEIR FUNCTIONS

As shown in the figure, there are two main types of channels in GSM: traffic channels and control
channels. Different bursts are mapped to these channels uniquely as per GSM Technical
Specification 05.02.

Traffic channels carry speech or data. There are two main categories here, full rate (13 kbps) and
half rate.

Control channels are used for control, command and signalling. They are divided into three
categories.

Category 1: Broadcast channels


As the name suggests, these are point-to-multipoint, downlink-only channels.
FCCH: Frequency Correction Channel, transmitted by the BTS to the MS. It helps the MS tune its
local oscillator to the exact RF carrier frequency of the BTS cell. An all-zero sequence is
transmitted here, which produces a fixed tone at the output of the GMSK modulator; the frequency
of this tone is about 67.7075 kHz.
SCH: Synchronization Channel, which carries the BSIC (Base Transceiver Station Identity Code) and
the frame number; these help the MS tune to a specific (frequency, TS) physical slot in the TDMA
frame of the GSM network.
BCCH: Broadcast Control Channel, which carries the CGI, MNC and MCC received by the MS. These are
compared with the SIM information and, once verified OK, a connection is established with the
network.

Category 2: Common Control Channels

These are point-to-multipoint, downlink-only channels, except RACH, which is used in the uplink.
PCH: Paging Channel. When someone is calling a mobile phone, this channel sends information on the
downlink to alert the called mobile phone. This is known as a mobile terminated call.
RACH: Random Access Channel, used in a mobile originated call. When a mobile wants to call another
mobile phone, control information is sent on this channel.
AGCH: Access Grant Channel, transmitted by the BTS to the MS once the network approves the request
the mobile made on the RACH.
CBCH: Cell Broadcast Channel, used to carry short message service cell broadcasts.

Category 3: Dedicated Control Channels

These are bidirectional, point-to-point channels.
SDCCH: Stand-alone Dedicated Control Channel, used for call setup.
SACCH: Slow Associated Control Channel, used for control and supervisory signals associated with
the traffic channels.
FACCH: Fast Associated Control Channel, used for control requirements such as handoff/handover.

4.2 GSM MOBILE PHONE NETWORK ENTRY PROCEDURE OR ON PROCEDURE

Fig.4.3 GSM Call Setup. It depicts the basic flow of logical frames between BTS and MS to
establish a voice/data connection.

The following steps are followed at the GSM mobile phone before you can actually start talking or
using it for data operations. These are called the initial mobile phone procedures when you power
ON the phone.
Step 1: The mobile phone scans for carriers, determines the RSSI of all of them and passes the
results to the upper layer; the upper layer decides which carrier/channel has the highest RSSI, and
the mobile locks on to that carrier. There are two modes here: in the first mode the mobile has
prior knowledge of the broadcast carriers, and in the other it has none. In the second case the
mobile has to search the entire band, while in the first case, since the broadcast carriers are
known, it determines the RSSI of those carriers only and hence completes the cell search in less
time.
Step 2: Once the carrier is known, the mobile detects the FB (Frequency Correction Burst) on that
carrier/channel, which, as mentioned above, is a pure sine wave of 67.7 kHz. Any deviation from
this value is measured, and that frequency offset is corrected at the LO module by controlling the
VCTCXO/VCO/OCXO used in the handset design.
Step 3: After correcting the frequency offset, the mobile now needs to lock on to a particular time
slot on that carrier frequency in the GSM time-domain frame structure. This is done by decoding
the SB (Synchronization Burst). The 25 decoded bits of the SCH give the reduced frame number (19
bits) and the BSIC (6 bits). The reduced frame number provides the mobile's physical slot position
in the entire hyperframe. The BSIC is made of the BCC (Base Station Colour Code, 3 bits) and the
NCC (Network Colour Code, 3 bits). The BCC field directly selects the training sequence (26 bits in
size). Correlation is performed with the known training sequence to find the peak, and hence the
timing offset of the received frame is determined; channel estimation is also performed using this
training sequence. Remember that the SB comes on the same time slot as the FB but 8 time slots
later. This means that time multiplexing of logical channels (FB, SB, BCCH, CCCH, ...) is used on
the dedicated physical time slot (TS0 at the broadcast frequency).
Step 4: Once the SB is decoded, the BCCH appears on the same allocated physical time slot, again 8
time slots later. The BCCH is decoded, which gives the useful system information (SI). Now the
mobile is camped on the network and is ready to use voice services by exchanging the appropriate
frames/channels for a mobile initiated or mobile terminated call. If GPRS is enabled on the mobile
phone, it can use the data services provided by the operator.
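Steps 2 and 3 above, as an added example that is not part of the original report: estimating the LO offset from the FB tone, unpacking the 25 SCH bits into BSIC and full frame number, and locating the training sequence by correlation to get the timing offset. The FB tone at one quarter of the 270.833 kbit/s bit rate, the BSIC split (NCC 3 bits, BCC 3 bits) and the frame-number reconstruction FN = 51*26*T1 + 51*((T3 - T2) mod 26) + T3 with T3 = 10*T3' + 1 follow the GSM specifications; the MSB-first field order BSIC | T1 | T2 | T3' used for the 25 bits is an assumption made here for clarity (the specification's bit ordering is different), the baseband samples are constructed with pure Python (no SDR involved), and the 26-bit training sequence is a placeholder, not one of the eight TSCs selected by BCC.

```python
# Added example: FB frequency-offset estimation, SCH decoding and TSC correlation.
# Not code from the report; see lead-in for what is specification and what is assumed.
import cmath
import math
import random
from typing import List, Tuple

BIT_RATE = 1625000 / 6          # 270.833 kbit/s gross bit rate
FB_TONE_HZ = BIT_RATE / 4       # all-zero bits through MSK/GMSK: +90 degrees per bit


def fb_samples(n_bits: int, sps: int, offset_hz: float) -> List[complex]:
    """Constructed baseband samples of a frequency burst: a pure tone at BIT_RATE/4,
    shifted by the LO offset the receiver has to estimate. sps = samples per bit."""
    fs = BIT_RATE * sps
    f = FB_TONE_HZ + offset_hz
    return [cmath.exp(2j * math.pi * f * n / fs) for n in range(n_bits * sps)]


def estimate_tone_hz(samples: List[complex], fs: float) -> float:
    """Average the phase step between consecutive samples (sum of x[n]*conj(x[n-1]))."""
    acc = 0j
    for a, b in zip(samples, samples[1:]):
        acc += b * a.conjugate()
    return cmath.phase(acc) * fs / (2 * math.pi)


def lo_offset_hz(samples: List[complex], fs: float) -> float:
    """Deviation of the measured FB tone from its nominal value: the LO correction to apply."""
    return estimate_tone_hz(samples, fs) - FB_TONE_HZ


def encode_sch(ncc: int, bcc: int, fn: int) -> List[int]:
    """Pack BSIC and the reduced frame number (T1, T2, T3') into 25 bits (assumed layout)."""
    t1, t2, t3 = fn // (26 * 51), fn % 26, fn % 51
    if (t3 - 1) % 10:
        raise ValueError("SCH is only sent in frames with FN mod 51 in {1, 11, 21, 31, 41}")
    bits = f"{(ncc << 3) | bcc:06b}{t1:011b}{t2:05b}{(t3 - 1) // 10:03b}"
    return [int(c) for c in bits]


def decode_sch(bits25: List[int]) -> Tuple[int, int, int]:
    """Recover (NCC, BCC, full frame number) from the 25 SCH information bits."""
    if len(bits25) != 25:
        raise ValueError("SCH carries exactly 25 information bits")

    def field(start: int, width: int) -> int:
        return int("".join(str(b) for b in bits25[start:start + width]), 2)

    bsic, t1, t2, t3p = field(0, 6), field(6, 11), field(17, 5), field(22, 3)
    t3 = 10 * t3p + 1
    fn = 51 * 26 * t1 + 51 * ((t3 - t2) % 26) + t3
    return bsic >> 3, bsic & 7, fn


def timing_offset(burst_bits: List[int], tsc: List[int], nominal_pos: int) -> int:
    """Slide the known training sequence over the received bits (mapped to +1/-1);
    the correlation peak minus the nominal position is the timing offset in bit periods."""
    ref = [1 - 2 * b for b in tsc]
    best, best_pos = None, 0
    for pos in range(len(burst_bits) - len(tsc) + 1):
        c = sum((1 - 2 * burst_bits[pos + i]) * ref[i] for i in range(len(tsc)))
        if best is None or c > best:
            best, best_pos = c, pos
    return best_pos - nominal_pos


# Placeholder 26-bit training sequence (constructed; a real receiver uses the TSC chosen by BCC).
TSC_PLACEHOLDER = [0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1]


def make_burst(tsc: List[int], place_at: int, seed: int = 7) -> List[int]:
    """Constructed 148-bit burst: pseudo-random payload with the TSC inserted at place_at."""
    rng = random.Random(seed)
    bits = [rng.randint(0, 1) for _ in range(148)]
    bits[place_at:place_at + len(tsc)] = tsc
    return bits


SAMPLE_BURST = make_burst(TSC_PLACEHOLDER, 64)   # nominal TSC start is bit 61 -> offset +3

if __name__ == "__main__":
    fs = BIT_RATE * 4
    print("LO offset (Hz):", round(lo_offset_hz(fb_samples(148, 4, 5000.0), fs), 3))
    print("SCH decode:", decode_sch(encode_sch(1, 5, 6651)))
    print("timing offset (bits):", timing_offset(SAMPLE_BURST, TSC_PLACEHOLDER, 61))
```

The order matters in practice: the correlation in `timing_offset` only works on bits demodulated after the LO correction from `lo_offset_hz` has been applied, and the frame number from `decode_sch` is what lets the receiver predict on which later frames BCCH, and the SI messages it needs before camping, will appear.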


4.3 GSM POSSIBLE CHANNEL COMBINATIONS (NON-COMBINED AND COMBINED)

There are certain rules by which different channel types are used in different time slots. These
rules are used to map logical channels to physical channels. The most important slot is time slot
TS0, onto which the BCCH is mapped; it is very useful as the SI messages (system information
messages) are transmitted over this channel.

The following are the possible channel combinations in the GSM system, which the network (BTS)
adopts based on its need for traffic channels versus signalling (control) channels. They are called
the combined and non-combined types.

This section describes the GSM combined channel configuration for TS0. It covers the 51-frame
multiframe structure, giving the FCCH, SCH, BCCH, CCCH, SDCCH and SACCH channel mapping on TS0 for
both downlink and uplink.

As mentioned under GSM channel types, the signalling channels SDCCH are combined with
(FCCH+SCH+BCCH+CCCH) on time slot TS0.
In this configuration the positions of FCCH, SCH and BCCH are unchanged, but the CCCH capacity is
reduced from 9 blocks to a mere 3 blocks. The 6 freed blocks are used by 4 blocks of SDCCH and 2
blocks of SACCH.


Fig 4.4 GSM multiframe structure

In the downlink the CCCH gives way to the signalling channels (SDCCH/SACCH), and similarly in the
uplink the RACH gives way to these signalling channels.

4.3.1 NON-COMBINED 51-FRAME MULTIFRAME CONFIGURATION

The complete chart of this configuration for TS0 and TS1 is given in the figures below. In the
non-combined configuration, the dedicated signalling channels are not combined with BCCH/CCCH and
thus require a separate time slot (TS1). FCCH, SCH, BCCH and CCCH are mapped on TS0.


4.3.2 COMBINED 51-FRAME MULTIFRAME CONFIGURATION

In the combined configuration, the FCCH, SCH, BCCH and CCCH channels are present along with SDCCH
on time slot TS0. Hence the dedicated signalling channels (SDCCH) are combined with BCCH/CCCH on
the same time slot TS0. SDCCH can also be mapped on TS1 in addition to TS0, and even on other time
slots.

4.3.3 GSM NON-COMBINED CHANNEL CONFIGURATION

This section describes the GSM non-combined channel configuration for TS0 and TS1. It covers the
51-frame multiframe structure, giving the FCCH, SCH, BCCH, CCCH and SDCCH channel mapping on TS0
and TS1 for both downlink and uplink.

As mentioned under GSM channel types, the signalling channels SDCCH are not combined with
(FCCH+SCH+BCCH+CCCH) on time slot TS0. They are mapped on the separate time slot TS1, as shown in
the figure.
In the non-combined case there are nine CCCH blocks, CCCH(0) to CCCH(8). If there are more system
information messages (SIs) than fit in the BCCH block, then the first CCCH block, CCCH(0), can also
be used as BCCH and the SIs are transmitted on it.

In the GSM system the BS_AG_BLKS_RES parameter determines how many of the CCCH blocks are used for
AGCH and how many for PCH. This parameter is a 3-bit field transmitted on BCCH in SI-3, with a
range from 0 to 7. A value of 2 indicates that 2 blocks are reserved for AGCH and the remaining 7
blocks are for PCH.
The GSM non-combined channel configuration for TS0 is shown in the figure below.


Fig 4.5 GSM multiframe structure for time slot 0

As shown in figure 4.5, BCCH/CCCH is mapped on TS0 and, as shown in the figure for time slot 1,
SDCCH on TS1. A total of 8 users can share a time slot; because of this it is called the SDCCH/8
combination, where 8 designates that there are 8 subchannels in total, each used by a different
SDCCH user. The figure for time slot 1 shows that there are 8 SDCCHs and 4 SACCHs in the downlink
multiframe. This is because the rate of SDCCH is twice that of the SACCH channel.


Fig 4.5 GSM multiframe structure for time slot 1

GSM Noncombined channel Configuration for TS1 is mentioned in the figure above.


CHAPTER 5

5.1 GSM SYSTEM INFORMATION MESSAGES

The GSM System Information messages, which include SI1, SI2, SI3, SI4, SI5, SI6, SI7, SI8, SI9
and SI13, are transmitted on BCCH/SACCH.

5.1.1 SYSTEM INFORMATION

SI messages are transmitted either on BCCH Normal, on BCCH Extended or on the SACCH. SI messages
are transmitted in TC = 0 to 7 in a cyclic order, repeating every eight TCs of the 51-frame
multiframe. TC is the sequence number of the 51-frame multiframe.
SI1 to SI4 - transmitted on BCCH
SI5 / SI6 - associated with SACCH
SI7 / SI8 - BCCH Extended
SI2quater and SI13 - BCCH Normal or BCCH Extended
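The following is an added worked example (not code from this report or from gr-gsm) that maps a GSM frame number onto the non-combined TS0 downlink 51-multiframe of section 4.3.3 and the TC cycle of section 5.1.1, and applies the BS_AG_BLKS_RES split of the nine CCCH blocks. The frame positions of each channel and the per-TC BCCH Normal schedule are assumed from 3GPP TS 45.002; `bcch_ext` is a hypothetical flag marking CCCH(0) as carrying BCCH Extended.

```python
# Added example: decode what TS0 downlink carries in a given frame number FN
# for the non-combined BCCH/CCCH configuration. Frame positions and the
# per-TC SI schedule are assumed from 3GPP TS 45.002 (verify against the spec).

# Frame positions inside the 51-frame multiframe: (first, last, channel).
_LAYOUT = []
for _base in (0, 10, 20, 30, 40):
    _LAYOUT.append((_base, _base, "FCCH"))          # frequency correction burst
    _LAYOUT.append((_base + 1, _base + 1, "SCH"))   # synchronisation burst
_LAYOUT.append((2, 5, "BCCH"))                      # BCCH Normal, 4 frames
_CCCH_FIRST_FRAMES = (6, 12, 16, 22, 26, 32, 36, 42, 46)
for _i, _first in enumerate(_CCCH_FIRST_FRAMES):
    _LAYOUT.append((_first, _first + 3, "CCCH(%d)" % _i))   # CCCH(0)..CCCH(8)
_LAYOUT.append((50, 50, "IDLE"))                    # idle frame, used for measurements

# SI type sent on BCCH Normal in each TC (assumed from TS 45.002 Table 5).
_SI_BY_TC = {0: "SI1", 1: "SI2", 2: "SI3", 3: "SI4",
             4: "SI13 (GPRS) / other", 5: "SI2bis/2ter/2quater (if present)",
             6: "SI3", 7: "SI4"}


def tc_of(fn):
    """TC = (FN div 51) mod 8: sequence number of the 51-multiframe in the SI cycle."""
    if fn < 0:
        raise ValueError("frame number must be non-negative")
    return (fn // 51) % 8


def ccch_roles(bs_ag_blks_res, bcch_ext=False):
    """Role of CCCH(0)..CCCH(8): the first BS_AG_BLKS_RES blocks are AGCH, the
    rest PCH. With the hypothetical bcch_ext flag, CCCH(0) carries BCCH Ext
    (SI7/SI8) as described in 4.3.3."""
    if not 0 <= bs_ag_blks_res <= 7:
        raise ValueError("BS_AG_BLKS_RES is a 3-bit field (0..7)")
    roles = ["AGCH" if i < bs_ag_blks_res else "PCH" for i in range(9)]
    if bcch_ext:
        roles[0] = "BCCH Ext"
    return roles


def channel_at(fn, bs_ag_blks_res=2, bcch_ext=False):
    """Describe the channel and its role on TS0 downlink in frame FN."""
    pos = fn % 51                       # position inside the 51-multiframe
    for first, last, name in _LAYOUT:
        if first <= pos <= last:
            break
    else:                               # layout covers 0..50, so never reached
        raise AssertionError("51-multiframe layout has a hole")
    info = {"fn": fn, "tc": tc_of(fn), "mf_frame": pos,
            "channel": name, "role": name}
    if name.startswith("CCCH"):
        block = int(name[5:-1])         # digit between "CCCH(" and ")"
        info["role"] = ccch_roles(bs_ag_blks_res, bcch_ext)[block]
    elif name == "BCCH":
        info["role"] = "BCCH Norm: " + _SI_BY_TC[info["tc"]]
    return info


if __name__ == "__main__":
    # constructed sample frame numbers; BS_AG_BLKS_RES = 2 as in the text above
    for fn in (0, 3, 7, 17, 50, 51 * 13 + 47):
        print(channel_at(fn, bs_ag_blks_res=2))
```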


Table 5.1 system information blocks

This table on system information messages in GSM is useful to analyze GSM UE related issues.

5.2 GSM MO CALL

This section covers the MO and MT call flows in GSM. It describes the mobile originated (MO) call
flow between the mobile (UE) and the network, covering the messages exchanged between the Layer 3
entities (RR, MM, CC) on both sides and the channels (RACH, AGCH, SDCCH, FACCH, TCH) used at
layer 1 to carry these messages over the air. It assumes that initial frequency and time
synchronization between the UE and the network has already been done, as described in the GSM
tutorial section.

• As described in the figure above, before the RACH is sent by the mobile (UE), the mobile is
synchronized with the network (BTS) in both time and frequency.


• This means it has tuned its frequency according to the FCCH and its timing according to the SCH
burst. The information in the FCCH is all zeros, which produces a continuous sine wave about
67.7 kHz above the RF carrier centre frequency; this helps the mobile (UE) synchronize with the
GSM base station.
• The SCH carries the frame number and the BSIC (Base Station Identity Code), which helps the
mobile synchronize with the GSM frame structure and identify the base station in the GSM network.
• Once it has received and decoded the SIs (System Information) from the BCCH, the mobile station
knows where it has to transmit on the CCCH (RACH) and where it has to listen on the CCCH (carrying
PCH, AGCH).
• RACH is used at the start of a mobile originated call, while PCH is used at the start of a
mobile terminated call.

5.2.1 MOBILE ORIGINATED CALL RELEASE

Fig 5.2 Mobile originated call release

The figure above shows the messages exchanged between the mobile and the network for call release.

5.2.2 MOBILE TERMINATED (MT) CALL FLOW IN GSM

This section describes the mobile terminated (MT) call flow between the mobile (UE) and the
network. It covers the messages exchanged between the Layer 3 entities (RR, MM, CC) on both sides
and the channels (PCH, RACH, AGCH, SDCCH, FACCH, TCH) used at layer 1 to carry these messages over
the air. It assumes that initial frequency and time synchronization between the UE and the network
has already been done, as described in the GSM tutorial section.

Fig 5.3 mobile terminated call flow in GSM

As described in the figure, a PCH message is sent by the network to alert the mobile (which then
rings) when someone dials its number. This is called a mobile terminated call. After the PCH is
received, the mobile transmits a RACH and obtains an SDCCH and other resources for the rest of the
procedure.
As described in the GSM protocol stack, messages flow between the mobile and the network at the
various layers (layer 3, layer 2 and layer 1, the physical layer). The message flow for
establishing the circuit switched mobile terminated (MT) call in GSM is self explanatory.


5.2.3 MOBILE TERMINATED CALL (MT CALL) RELEASE

Fig 5.3 Mobile terminated call release

The figure above shows the messages exchanged between the mobile and the network for call release.

5.3 GSM RRC LAYER STATE DIAGRAM

RRC is part of layer 3 of the GSM mobile subscriber station. This section presents the RRC state
diagram along with the functions of all the states.

There are two RRC states in the GSM mobile subscriber station, namely IDLE and DEDICATED. We will
see what the mobile does in each of these modes. When we switch on the mobile it stays in idle mode
until we receive a call, dial a number ourselves, or initiate a GPRS data connection to browse the
internet. The Radio Resource Control procedure for the GSM mobile is outlined below.


Fig 5.4 RRC layer mode diagram


The GSM RRC layer is used for signaling between the GSM network and the MS. In idle mode the
mobile is not involved in any form of communication, and no dedicated resource is assigned to it.
In dedicated mode, a resource is assigned to the mobile to communicate with the BSS.

5.3.1 IDLE MODE

Once the most suitable cell has been selected by the mobile, the mobile is said to be camped on the
respective BTS. After camping, the GSM mobile enters idle mode. In this mode it monitors the paging
channel of the BTS for a possible incoming call. The mobile periodically runs a procedure to check
whether it is still camped on the most suitable cell, i.e. it checks the signal strength and quality
of the broadcast channels received from the camped-on cell. This procedure is called cell
reselection.

In idle mode the GSM mobile receives the BCCH and CCCH channels from the BTS, transmits a RACH in
case of an MO call, performs cell reselection and, most importantly, performs measurements. The
mobile performs measurements in any idle frame, i.e. in frames not occupied by the PCH/PPCH, FCCH,
SCH, CBCH, neighbour cell BCCHs, serving cell PBCCH etc. Idle mode is normally exited, switching to
dedicated mode, when Layer 1 (the physical layer) is configured by the upper layer for either a TCH
or an SDCCH.


During idle mode the GSM mobile continues to monitor the downlink signal strength of neighbour
cells to ensure it is camped on the best available cell. As per the requirement, the mobile
monitors the received signal strength of 6 neighbour BCCH carriers in addition to the serving cell
BCCH.

The mobile subscriber initially accesses a GSM BTS using the random access channel to perform a
location update, to answer an incoming paging call or to make an MO call.

There are eight time slots in every frame and there is no dedicated slot for the mobile station; it
can use any slot for sending the RACH. If a collision occurs, the access burst is repeated a few
times to establish access to the network. The access burst carries a 5-bit random number together
with a 3-bit field indicating the reason for the network access. If access is granted to the
mobile, this is indicated by an AGCH from the BTS on the downlink.

5.3.2 DEDICATED MODE
As soon as the RRC connection is established, the GSM mobile moves from the idle state to
dedicated mode.

If the mobile supports multiple RATs or modes, then during dedicated mode the mobile subscriber
also takes measurements of neighbouring base stations of other technologies (WCDMA, LTE, TD-SCDMA
etc.). These measurements are carried out in the idle slot of the GSM frame.

The mobile also takes measurements of other GSM neighbour cells, mainly for handover and cell
reselection, for use when the power from the serving/active cell becomes lower than that of the
target cell towards which the mobile is moving.

5.3.3 CELL RE-SELECTION
In a GSM network, when a connected mobile moves into another GSM cell area, redirection
disconnects it from the serving (active) GSM cell and reconnects it to the target GSM cell. Cell
reselection to another RAT, i.e. LTE or WCDMA, is also possible when the serving cell has a
problem. This is referred to as cell reselection.


This section has covered the GSM RRC states. For the protocol stack involving the other layers,
such as the physical layer, LAPD, LAPDm, RRM, MM, CM, SCCP, BSSMAP and BTSM, refer to the GSM
protocol stack.

5.3.4 GPRS RRC LAYER STATES

GPRS uses a packet switched architecture. Here a connection is established when we want to send or
receive data using protocols such as FTP or HTTP, and it is released once the internet browsing or
file transfer is done. Hence location updates would need to be carried out often, but this consumes
a lot of power and drains the battery quickly. To avoid this, the GPRS RRC state machine was
developed for location management. In GPRS mode the mobile has three states, namely idle, standby
and ready. The state of the mobile determines the frequency of location updates.

Fig 5.5 GPRS mobile RRC states


Idle State: As mentioned, when the mobile is powered on it is in the idle state and is not attached
to the GPRS network. In this state the GPRS-capable mobile is not reachable and no location update
has yet been performed.
Ready State: After performing a GPRS attach, the mobile station enters the ready state. Here the
mobile is either in packet transfer mode or has just finished a transfer. On GPRS detach the mobile
is disconnected from the network and goes back to the idle state; all PDP contexts are deleted
after disconnection. During the ready state the mobile keeps updating the SGSN about its
whereabouts.
Standby State: When the mobile is powered on and attached to the GPRS network but no packet
transfer has been initiated for a long period of time, the ready timer expires and the mobile
enters the standby state. Here routing area updates are done only when needed. A GSM LA (location
area) is divided into several RAs (routing areas), and a routing area is composed of several cells.
When the mobile moves to a new routing area, the SGSN is informed. Paging is performed by the
network to determine the current cell of a mobile station in standby state; the paging is performed
within a GSM RA.

This section has covered the GPRS RRC states. For the protocol stack involving the other layers,
such as the physical layer, LLC, RLC, MAC, SM, GMM and SNDCP, refer to the GPRS protocol stack.

5.3.5 FUNCTIONS OF RRC LAYER IN GSM NETWORK

• Channel assignment
• Channel release
• Channel change and handover
• Change of channel frequencies
• Hopping sequences (algorithms) and frequency tables
• Measurement reports from the MS
• Power control
• Discontinuous transmission and reception
• Timing advance
• Modification of channel modes (speech and data)
• Cipher mode setting


CHAPTER 6

BLOCK BUILDING IN GRC

Fig 6.1 GSM Receiver in GRC


Fig 6.2 QT GUI Range block design (g_slider)

Fig 6.3 Options block design


Fig 6.4 Parameter block design for shitoff

Fig 6.5 Parameter block design for ppm


Fig 6.6 Parameter block design for fc

Fig 6.7 Parameter block design for gain


Fig 6.8 Message printer block design

Fig 6.10 QT GUI Range block design (fc_slider)


Fig 6.11 Socket PDU (UDP Client)

Fig 6.12 Socket PDU (UDP Server)


Fig 6.13 SDCCH/8 demapper block design

Fig 6.14 Control channel decoder block design


Fig 6.15 Decryption block design

Fig 6.16 BCCH + CCCH demapper block design


Fig 6.17 GSM Receiver block design

Fig 6.18 GSM clock offset control block design


Fig 6.19 USRP Source block design

Fig 6.20 import block


Fig 6.21 Parameter block design for fm_station

Fig 6.22 QT GUI Range ppm_slider block design


Fig 6.23 GSM input adaptor block design

Fig 6.24 QT GUI Frequency sink block design


Fig 6.25 Rotator block design

Fig 6.26 Variable block design


CHAPTER 7

PYTHON CODE OF BLOCKS

INPUT ADAPTOR

from gnuradio import filter
from gnuradio import gr
from gnuradio.filter import firdes
import grgsm


class gsm_input(grgsm.hier_block):
    # Hierarchical block placed between the SDR source and the GSM receiver:
    # it corrects the clock/frequency offset of the SDR and low-pass filters
    # the stream to the GSM channel bandwidth before demodulation.

    def __init__(self, fc=940e6, osr=4, ppm=0, samp_rate_in=1e6):
        gr.hier_block2.__init__(
            self, "GSM input adaptor",
            gr.io_signature(1, 1, gr.sizeof_gr_complex*1),
            gr.io_signature(1, 1, gr.sizeof_gr_complex*1),
        )
        # message port on which the clock offset control block delivers corrections
        self.message_port_register_hier_in("ctrl_in")

        ##################################################
        # Parameters
        ##################################################
        self.fc = fc                      # carrier frequency of the received ARFCN [Hz]
        self.osr = osr                    # oversampling ratio relative to the GSM symbol rate
        self.ppm = ppm                    # clock error of the SDR in parts per million
        self.samp_rate_in = samp_rate_in  # sample rate delivered by the SDR source

        ##################################################
        # Variables
        ##################################################
        self.gsm_symb_rate = gsm_symb_rate = 1625000.0/6.0      # 270.833 ksymbol/s
        self.samp_rate_out = samp_rate_out = gsm_symb_rate*osr  # rate fed to the receiver

        ##################################################
        # Blocks
        ##################################################
        self.low_pass_filter_0_0 = filter.fir_filter_ccf(1, firdes.low_pass(
            1, samp_rate_out, 125e3, 5e3, firdes.WIN_HAMMING, 6.76))
        self.gsm_clock_offset_corrector_tagged_0 = grgsm.clock_offset_corrector_tagged(
            fc=fc,
            samp_rate_in=samp_rate_in,
            ppm=ppm,
            osr=osr,
        )

        ##################################################
        # Connections
        ##################################################
        self.msg_connect((self, 'ctrl_in'), (self.gsm_clock_offset_corrector_tagged_0, 'ctrl'))
        self.connect((self.gsm_clock_offset_corrector_tagged_0, 0), (self.low_pass_filter_0_0, 0))
        self.connect((self.low_pass_filter_0_0, 0), (self, 0))
        self.connect((self, 0), (self.gsm_clock_offset_corrector_tagged_0, 0))

    def get_fc(self):
        return self.fc

    def set_fc(self, fc):
        self.fc = fc
        self.gsm_clock_offset_corrector_tagged_0.set_fc(self.fc)

    def get_osr(self):
        return self.osr

    def set_osr(self, osr):
        # changing the oversampling ratio also changes the output sample rate
        self.osr = osr
        self.set_samp_rate_out(self.gsm_symb_rate*self.osr)
        self.gsm_clock_offset_corrector_tagged_0.set_osr(self.osr)

    def get_ppm(self):
        return self.ppm

    def set_ppm(self, ppm):
        self.ppm = ppm
        self.gsm_clock_offset_corrector_tagged_0.set_ppm(self.ppm)

    def get_samp_rate_in(self):
        return self.samp_rate_in

    def set_samp_rate_in(self, samp_rate_in):
        self.samp_rate_in = samp_rate_in
        self.gsm_clock_offset_corrector_tagged_0.set_samp_rate_in(self.samp_rate_in)

    def get_gsm_symb_rate(self):
        return self.gsm_symb_rate

    def set_gsm_symb_rate(self, gsm_symb_rate):
        self.gsm_symb_rate = gsm_symb_rate
        self.set_samp_rate_out(self.gsm_symb_rate*self.osr)

    def get_samp_rate_out(self):
        return self.samp_rate_out

    def set_samp_rate_out(self, samp_rate_out):
        # recompute the low-pass taps so the cutoff stays at 125 kHz for the new rate
        self.samp_rate_out = samp_rate_out
        self.low_pass_filter_0_0.set_taps(firdes.low_pass(1, self.samp_rate_out, 125e3, 5e3, firdes.WIN_HAMMING,
            6.76))


DECRYPTION

from gnuradio import gr, gr_unittest, blocks
import grgsm_swig as grgsm
import pmt


class qa_decryption (gr_unittest.TestCase):
    # QA test of the gr-gsm decryption block: known encrypted bursts are fed
    # through the block with a known session key Kc and the output is compared
    # with the expected plaintext bursts. Each burst is 148 bits, written here
    # as two adjacent string literals that Python joins into one string.

    def setUp (self):
        self.tb = gr.top_block ()

    def tearDown (self):
        self.tb = None

    def test_001_a51 (self):
        """
        A system information message on the SACCH of TCH/F, encrypted with A5/1
        """
        framenumbers_input = [1259192, 1259218, 1259244, 1259270]
        timeslots_input = [2, 2, 2, 2]
        bursts_input = [
            "0001100001000111100111101111100101000100101011000010011110011101001111101100010100111111100"
            "000110100011111101011101100100111110011000100010001010000",
            "0001000101000000001001111110000110010110110111110111101000001101001111101100010100111111001"
            "110001001110101110001010001000111011010010001011011000000",
            "0001001101101101000111001000101011001101001110110001001100111101001111101100010100111111111"
            "001001010011010011111010010010101011001001011011100110000",
            "0000010010100000001001101010100001011100010001101100111111101101001111101100010100111111101"
            "101001110100010101110010110101111100010010000110010110000"
        ]
        bursts_expected = [
            "0000010111000110010001010000000101010011110101100000100000011101001111101100010100111111010"
            "110110000000001101110000101000000000101000100011000110000",
            "0000010110101100010100111101011001000000000101010011000100001101001111101100010100111111011"
            "001101001110000100001000110000000101100010111100111010000",
            "0000011110110111011011100001010000000000110100100000100001001101001111101100010100111111100"
            "010000000000000001101000000100000010011001110100000010000",
            "0000011000010001000000001101000001001001000010001000000000001101001111101100010100111111000"
            "010110001001110000000110111001110010000010111000111001000"
        ]

        key = [0x32,0xE5,0x45,0x53,0x20,0x8C,0xE0,0x00]
        a5_version = 1

        src = grgsm.burst_source(framenumbers_input, timeslots_input, bursts_input)
        decryption = grgsm.decryption((key), a5_version)
        dst = grgsm.burst_sink()

        self.tb.msg_connect(src, "out", decryption, "bursts")
        self.tb.msg_connect(decryption, "bursts", dst, "in")

        self.tb.run ()

        # have to convert tuple to list
        framenumbers_result = list(dst.get_framenumbers())
        timeslots_result = list(dst.get_timeslots())
        bursts_result = list(dst.get_burst_data())

        self.assertEqual(framenumbers_input, framenumbers_result)
        self.assertEqual(timeslots_input, timeslots_result)
        self.assertEqual(bursts_expected, bursts_result)

    def test_002_a51 (self):
        """
        A TMSI Reallocation command on SDCCH/8, encrypted with A5/1
        """
        framenumbers_input = [2569043, 2569044, 2569045, 2569046]
        timeslots_input = [4, 4, 4, 4]
        bursts_input = [
            "0000111101111110011111000111000100110100001101100001000110011000110101110010000011010111010"
            "110101100100010011000000100111010001000011000010010010000",
            "0001010010001100110000000111100110101111001001101111000000101000110101110010000011010111001"
            "101001101000001000001110101101100101111010011001000111000",
            "0001110111101000110100001111000010100001101011000001010010011000110101110010000011010111101"
            "110000011100010110110101010100101010011011111111001000000",
            "0001111011000100011010100010000110001101111001000110010100001000110101110010000011010111000"
            "100101011110110000100110110001110010011110110110101100000"
        ]
        bursts_expected = [
            "0001100000010010011110111110011111000000001010001111000000001000110101110010000011010111100"
            "101101010000001111010100010110111101011101011100000101000",
            "0001000101111101111110000010100001011011111010111110101011101000110101110010000011010111110"
            "110111101101111110000011011010111011111001011101000011000",
            "0000001000011110111110101011001000110000000000110110101100011000110101110010000011010111001"
            "010100101011111001000111100000100000111111000000101110000",
            "0001101010111110010001010110101100000011101100011111110100101000110101110010000011010111111"
            "000000001010010111001111111011001000000001001000011101000"
        ]

        key = [0xAD,0x6A,0x3E,0xC2,0xB4,0x42,0xE4,0x00]
        a5_version = 1

        src = grgsm.burst_source(framenumbers_input, timeslots_input, bursts_input)
        decryption = grgsm.decryption((key), a5_version)
        dst = grgsm.burst_sink()

        self.tb.msg_connect(src, "out", decryption, "bursts")
        self.tb.msg_connect(decryption, "bursts", dst, "in")

        self.tb.run ()

        # have to convert tuple to list
        framenumbers_result = list(dst.get_framenumbers())
        timeslots_result = list(dst.get_timeslots())
        bursts_result = list(dst.get_burst_data())

        self.assertEqual(framenumbers_input, framenumbers_result)
        self.assertEqual(timeslots_input, timeslots_result)
        self.assertEqual(bursts_expected, bursts_result)

    def test_003_a53 (self):
        """
        A cp-ack message of a SMS, encrypted with A5/3
        """
        framenumbers_input = [1935011, 1935012, 1935013, 1935014]
        timeslots_input = [2, 2, 2, 2]
        bursts_input = [
            "0001111001001110001101111101111111110100011010101100100001011101001111101100010100111111101"
            "101011110100011101111001000110110100101101011110010100000",
            "0001111000110011010110000111010010100101001100111011000001011101001111101100010100111111000"
            "100101000001011010001100000010100011000011111001111011000",
            "0000000110100101110010011101101100101110001100000000101001011101001111101100010100111111100"
            "100100010110110111011010101010001001100010100100100111000",
            "0000011100111011101010000111001010010001100110011011100101011101001111101100010100111111101"
            "110110100101101010100111101000000111001011011100010101000"
        ]
        bursts_expected = [
            "0001000000000010100111000010010101001010011110010010101110011101001111101100010100111111011"
            "010111010111100110000011100111010001010100010100110000000",
            "0000101110001111011110100111101010000000101101101011101001011101001111101100010100111111010"
            "110100111001100100011000100100011110101001010110001001000",
            "0000001111011010110111000100111111000011001010100011000110011101001111101100010100111111100"
            "111100010011100000010110011100001101000000000000011001000",
            "0000011011100010001000101000101010010011010000100011110011001101001111101100010100111111010"
            "100100010010100111010101110001101101110101110011100101000"
        ]

        key = [0x41,0xBC,0x19,0x30,0xB6,0x31,0x8A,0xC8]
        a5_version = 3

        src = grgsm.burst_source(framenumbers_input, timeslots_input, bursts_input)
        decryption = grgsm.decryption((key), a5_version)
        dst = grgsm.burst_sink()

        self.tb.msg_connect(src, "out", decryption, "bursts")
        self.tb.msg_connect(decryption, "bursts", dst, "in")

        self.tb.run ()

        # have to convert tuple to list
        framenumbers_result = list(dst.get_framenumbers())
        timeslots_result = list(dst.get_timeslots())
        bursts_result = list(dst.get_burst_data())

        self.assertEqual(framenumbers_input, framenumbers_result)
        self.assertEqual(timeslots_input, timeslots_result)
        self.assertEqual(bursts_expected, bursts_result)

    def test_004_a53 (self):
        """
        An assignment command for a TCH channel, encrypted with A5/3
        """
        framenumbers_input = [435897, 435898, 435899, 435900]
        timeslots_input = [2, 2, 2, 2]
        bursts_input = [
            "0001001000010110001000001101001010100000011100011011110101011101001111101100010100111111010"
            "000100000100101101111000010001100001000100101100101010000",
            "0000011101010011010110101000011011101010100001011001100011001101001111101100010100111111000"
            "110011001110101110111000100101001111100110100011011011000",
            "0000000000110011000001110101110101111011011111000111101001011101001111101100010100111111101"
            "100010011010000010001101101000110000011011000011100011000",
            "0000000001110011001010110101100110100111110010000101001011111101001111101100010100111111101"
            "110001101111111001001001000101101010110010101010110100000",
        ]
        bursts_expected = [
            "0001101100011001110111101010110000001111000010110011000110101101001111101100010100111111100"
            "010000011100010101001010110101100001111101111110010011000",
            "0001101001110110000111000011111110011011001001101010011000001101001111101100010100111111110"
            "010001001001001101011111010010100100011100110110000011000",
            "0001000001110000001011101010011010010100010010100110010010001101001111101100010100111111010"
            "011011101010110100000111111011111100000010100000111000000",
            "0000001000001010010001010000101011101100100100001010011101111101001111101100010100111111000"
            "001001001100100101010000011101010100001110000100000001000"
        ]

        key = [0xAD,0x2C,0xB3,0x83,0x2F,0x4A,0x6C,0xF1]
        a5_version = 3

        src = grgsm.burst_source(framenumbers_input, timeslots_input, bursts_input)
        decryption = grgsm.decryption((key), a5_version)
        dst = grgsm.burst_sink()

        self.tb.msg_connect(src, "out", decryption, "bursts")
        self.tb.msg_connect(decryption, "bursts", dst, "in")

        self.tb.run ()

        # have to convert tuple to list
        framenumbers_result = list(dst.get_framenumbers())
        timeslots_result = list(dst.get_timeslots())
        bursts_result = list(dst.get_burst_data())

        self.assertEqual(framenumbers_input, framenumbers_result)
        self.assertEqual(timeslots_input, timeslots_result)
        self.assertEqual(bursts_expected, bursts_result)


if __name__ == '__main__':
    gr_unittest.run(qa_decryption, "qa_decryption.xml")


CHAPTER 8
RESULT


Fig 8.1 (SIB 1) System information block 1

Fig 8.2 common control channel

GSM CCCHs (Common Control Channels) are used to convey information from the network to the
Mobile Subscribers (MSs) and to provide the Mobile Subscribers with access to the network.
The GSM CCCHs include PCH, RACH, AGCH and CBCH.


Fig 8.3 direct transfer application sub-part

Direct Transfer Application sub-Part (DTAP), also called GSM L3, is used to transfer messages
between the MSC and the MS (Mobile Station); the layer-3 information in these messages is not
interpreted by the BSS.


Fig 8.4 Common paging request to all

Fig 8.5 (SIB 2) System information block 2


Fig 8.6 (SIB 13) System information block 13

Fig 8.7 (SIB 4) System information block 4 (channel details)


Fig 8.8 (SIB 4) System information block 4 ( network)

The figure shows the network to which the receiver is connected.

Fig 8.9 (SIB 2quater) System information block 2quater



Benefits of Software Defined Radio

Advantages of SDR technology

 It is possible to achieve very high levels of performance.
 Performance can be changed by updating the software (although hardware dependent attributes
cannot be updated this way).
 It is possible to reconfigure radios by updating software.
 The same hardware platform can be used for several different radios.
 New radio products are quickly introduced to the market by using the common platform
architecture implemented in products.
 It reduces development cost because the software can be reused.
 It uses wireless communication, and can be used to communicate with anyone, at any time, in
any manner.
 Software upgrades are done automatically and new features inserted; capacity is improved by
remote software downloads.

Applications of Software Defined Radio

 Military: Software Defined Radio is used in a military venture called the Joint Tactical
Radio System (JTRS). By using this single hardware platform, it can communicate using any of
several different waveforms by configuring the software for the required application. JTRS is a
program of the US military; it provides flexible and interoperable communications.
 Amateur and home use: Amateur radio uses a direct conversion receiver; the SDR software
performs all functions such as filtering, demodulation etc.
 Satellite modems used in the defence market and commercially use programmable processing
devices for signal processing of baseband or intermediate signals.
 Cellular handsets use System on Chip (SoC) devices which incorporate programmable DSPs for
processing baseband signals.
 Cellular infrastructure utilizes programmable processing devices for creating a common
platform or multiband, multiple-protocol base station which supports multiple cellular
infrastructure standards.
