STATION ID - 7047/3.12      9x Datakit Network      FOR OFFICIAL USE ONLY

This is a 9x system, restricted to authorized persons and for official 9x
business only. Anyone using this system, network or data is subject to being
monitored at any time for system administration and for identifying
unauthorized users or system misuse. Anyone using this system expressly
consents to such monitoring and is advised that any evidence of criminal
activity revealed through such monitoring may be provided to law enforcement
for prosecution.


                      Understanding The GSM (Part I)
                               by The Monty

e-mail me at: m0nty@hack.gr
check out http://www.hack.gr/users/m0nty


Intro:
~~~~~~~~

GSM stands for Global System Mobile. It's a digital cellular network used in
Europe. In 1982 CEPT (Conference of European Postal and Telecommunication
Administrations) established a working group for GSM, the Groupe Spécial
Mobile. The purposes of this team were:

> To provide international roaming across Europe
> To improve the quality of digital communication
> To create interfaces to other networks (PSTN, ISDN, PSPDN etc.)
> To provide teleservices (Telebox, voice mail, fax, etc.)
> To provide bearer services (data communication at 9600 bps)
> To make better use of the frequencies so that the system could have a
  bigger capacity

General characteristics of GSM 900 MHz:

> It obviously uses the frequencies around 900 MHz.
> It has 124 RF channels.
> Each RF channel carries 8 TDMA channels.
> GMSK modulation.
> Three cells per reuse pattern (instead of seven cells in the analog systems).
> 6000 subscribers per cell (the analog systems can handle about 2280).


Introduction:
~~~~~~~~~~~~~~~

A mobile telephony network obviously has to be connected to the fixed
telephony network. The mobile network consists of 3 main units: the MSC
(Mobile Switching Center), the BSC (Base Station Center), where the BSs
(Base Stations) are located, and the MSs (Mobile Stations), which are the
mobile telephones. An MSC is connected by wire to a number of BSs.
The area that each MSC covers is called the service area. The area that a BS
covers is called the cell area. So the service area of an MSC depends on the
number of BSs connected to it. Each BS communicates wirelessly with the MSs
that are inside its cell area. The structure of the mobile network is called
cellular because of the "cell" that the BS uses.

This is an ASCII schematic.. I know I'm not an ASCII artist but I've done my
best so.. be kind ;)

                _______
               /  ____ \
       _______/   |BS|  \_______
      /  ____ \   ~~~~  /  ____ \
     /   |BS|  \_______/   |BS|  \
     \   ~~~~  / _____ \   ~~~~  /  <--- this is a cell
      \_______/  |MSC|  \_______/
      /  ____ \  ~~~~~  /  ____ \
     /   |BS|  \_______/   |BS|  \
     \   ~~~~  /  ____ \   ~~~~  /     The service area
      \_______/   |BS|  \_______/      and the BSs cells
              \   ~~~~  /
               \_______/


Understanding The Calling Procedure:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Every BS has one control channel and many conversation channels. Between the
MS and the BS (in both directions) the control channel is wireless. Between
the BS and the MSC the control channel runs over a four-wire line. The
signalling between the MS and the BS is continuous (through the control
channel). The MSC is able to know the exact position of an MS since it
communicates with the BS.


Roaming:
~~~~~~~~~~

When an MS moves from the cell area of BS No1 to the cell area of BS No2, the
connection with control channel 1 (of BS No1) roams to control channel 2 (of
BS No2). Roaming is the procedure which the MSC uses in order to always know
the exact position of an MS.


Making A Call:
~~~~~~~~~~~~~~~~

We will examine here the procedure that takes place each time we call an MS
from a fixed phone. The MS's number is 094-391-128. You pick up the phone and
dial 094-391-128. Your call goes through the MSC that the MS belongs to. The
MSC orders every BS connected to it (remember the four-wire line that connects
the MSC with a BS..) to call the MS via the control channel.
                         ()
   _____                 /\        ORDER: 'call'      _____
  |     |               /  \      (094-391-128)      |     |
  | MSC |---------->---/ BS \   --------------->     |  MS |
  |_____|_____________/      \     094-391-128       |_____|
            (4 cord line)

When the MS receives the signal from a BS of its area it sends back an
Acknowledgement Signal (AS) in order to confirm to the BS that it got the
signal. The BS informs the MSC that it received an AS from the MS
(094-391-128). From now on the MSC uses only the BS that the MS is located in.
The MSC knows at every moment which conversation channels are free in every
BS.

                         ()
   _____                 /\                                  ____
  |     |               /  \          (Inform the MS)       |    |
  | MSC |              / BS \  ---------<---------------    | MS |
  |_____|_____________/      \  ------------->-----------   |____|
            (4 cord line)          (Roams in a conv channel)

Thus the MSC chooses a free conversation channel of that BS and orders the MS
through the control channel to roam onto the conversation channel. The MS
roams to that channel and sends through it (and the BS) a signal to the MSC.
The MSC orders the MS through that channel to ring, and this is the moment
the subscriber realises that someone is calling him. If the subscriber
answers the call, the MS sends an answer signal to the MSC and the MSC
establishes the connection, so the conversation begins.

Now if the MS wants to call somewhere, you first dial the number and then
order the device to dial (by pressing the OK button). The MS sends a message
to the MSC through the control channel. This message consists of a call signal
and the number that you dialed.

                             ()
   ____                      /\                   _____
  |    |     call signal    /  \                 |     |      (Stable Telephone
  | MS | ----------------> / BS \                | MSC |------<------>---
  |____|  number U dialed /      \_______________|_____|       Network)
                                 (4 cord line)

The MSC now chooses a free conversation channel of the BS and informs the MS
about it. The MSC then activates the MS's transmitter and the conversation
begins.
                         ()                                  ____
   _____                 /\           (Inform the MS)       |    |
  |     |               /  \    ---------<---------------   | MS |
  | MSC |              / BS \   ------------->-----------   |____|
  |_____|_____________/      \    (Roams in a conv channel)
            (4 cord line)


Quality Check:
~~~~~~~~~~~~~~~~

During the conversation the quality of the connection is checked with a signal
from the BS to the MS. This signal returns to the BS from the MS. The BS
checks the noise of the returned signal. If the quality is bad, the BS sends
an alarm signal to the MSC. The MSC orders the BSs around the MS to check
whether any of them has better quality and to inform it. If there is a BS with
better quality, the MSC orders the MS to roam onto another conversation
channel inside that BS's area (the one with the better quality). This whole
procedure is called handoff (or handover) and lasts less than one second. Of
course the subscriber doesn't have a clue about it..


The End:
~~~~~~~~~~

This was the first part of the 'Understanding The GSM' story. The second part
will have inside information about the MSC and BSC, it'll talk about GSM
security and the algorithms that it uses, and many more (I hope)..

The Monty
m0nty@hack.gr
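As an added worked example (written for this edit, not code from the article or from any real GSM equipment), the following Python model walks through the mobile-terminated call setup and the quality-driven handover described above: the MSC pages every BS, only the BS whose cell holds the MS returns an AS, a free conversation channel of that BS is assigned, and a bad quality report makes the MSC poll the other BSs and move the call. Station names, channel numbers and quality values are constructed for illustration.

```python
from dataclasses import dataclass, field   # toy model of the MSC/BS/MS signalling
@dataclass
class BaseStation:
    name: str
    free_channels: list[int]   # conversation channels not in use right now
    cell: set[str]             # numbers of the MSs inside this cell area

@dataclass
class MSC:
    stations: dict[str, BaseStation]
    calls: dict[str, tuple[str, int]] = field(default_factory=dict)  # MS -> (BS, channel)

    def page(self, ms_number):
        """Order every BS (over the four-wire line) to call the MS on its control
        channel; only the BS whose cell holds the MS gets an AS back."""
        acks = [bs.name for bs in self.stations.values() if ms_number in bs.cell]
        return acks[0] if acks else None

    def setup_call(self, ms_number):
        """Mobile-terminated call: page, then move the MS from the control channel
        onto a free conversation channel of the BS that reported the AS."""
        bs_name = self.page(ms_number)
        if bs_name is None or not self.stations[bs_name].free_channels:
            return None                      # no AS at all, or no free channel
        ch = self.stations[bs_name].free_channels.pop(0)
        self.calls[ms_number] = (bs_name, ch)
        return (bs_name, ch)                 # the MS is told to ring on this channel

    def handover_check(self, ms_number, reports, threshold=0.5):
        """`reports` maps BS name -> quality (0..1) measured on the signal the MS
        returns. Below `threshold` the serving BS alarms the MSC, which polls the
        other BSs and hands the call over if one of them hears the MS better."""
        bs_name, ch = self.calls[ms_number]
        if reports[bs_name] >= threshold:
            return (bs_name, ch)             # no alarm, the call stays where it is
        best = max(reports, key=reports.get)
        if best == bs_name or not self.stations[best].free_channels:
            return (bs_name, ch)             # nobody better, or no room over there
        self.stations[bs_name].free_channels.append(ch)   # old channel is freed
        new_ch = self.stations[best].free_channels.pop(0)
        self.calls[ms_number] = (best, new_ch)
        return (best, new_ch)                # handover done, under a second in reality

def build_network():
    """Constructed sample: three BSs on one MSC; two MSs sit in BS2's cell."""
    return MSC({
        "BS1": BaseStation("BS1", [1, 2], set()),
        "BS2": BaseStation("BS2", [5], {"094-391-128", "094-391-129"}),
        "BS3": BaseStation("BS3", [7, 8], set()),
    })
```

Calling `setup_call` twice for MSs in the same one-channel cell shows the second caller failing until a handover frees the channel, which is the capacity effect the "6000 subscribers per cell" figure is about.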