S-72.260 Laboratory Exercises in Communication Engineering Lab # 2 Signalling of the GSM system Version 1.21


Previous versions

Date            Version  Changes
7.9.1998/JSa    1.00d    First draft
2.10.1998/JSa   1.04d    Corrections and clarifications based on the test group's comments
14.3.2000/MJu   1.2      First English version
11.9.2000/JSa   1.21     Revised, except for the introductory text, which remains horrible.

Student laboratory is in room SE306.

Check the links and latest instructions in the course home page. You might (or might not) find some extra information.

Grading: Accepted/not accepted.

Return pencil-and-paper preliminary exercises at the beginning of your lab shift.

The material in this document does not cover GSM basics, for instance. It is assumed that students have acquired the prerequisites from previous courses, books etc.

Some prerequisite courses for this laboratory work (not all required!):

Tik-109.350 Telecommunication signaling protocols (Recommended)
S-72.xxx Mobile Communication Systems and Services

Literature:

Mouly M., Pautet M., “The GSM System for Mobile Communications”, published by the authors, 1992

Redl, Siegmund M., Weber, Matthias K., Oliphant, Malcolm W., “An Introduction to GSM”, Artech House, 1995

Carg, V.J., Wilkes, J.E., Principles and applications of GSM, Prentice-Hall Inc., Upper Saddle River 1999


1 Introduction

In this laboratory exercise the signalling and protocols of the GSM system are investigated.

The preliminary exercises include examination of GSM system signalling on all interfaces. The laboratory work concentrates on examining the A interface, because the laboratory doesn’t at the moment (09/2000) have a protocol analyzer for examining the Abis interface as well.

To examine the A interface we use the NetHawk program. It is designed by a company from Oulu called X-Net OY and it runs on Windows 95. We also need a PRI/AT card manufactured by the same company to make sure that the physical interface of the 2,048 Mbit/s PCM link is towards the base station controller.

Next we deal briefly with the GSM signalling protocols, the system’s different interfaces and the signalling between them. Then the properties and the use of the lab’s simulator system are described.

There is plenty of material on GSM protocols and signalling on the Internet, in books and in specifications. This document gives a brief overview and an example of the anatomy of one A interface message. Examining the signals at bit level may be a bit too detailed, but the goal is to understand the relations between the protocols and the principle of the layer model. The most precise information is always found in the specifications. ETSI updates these specifications constantly.

WARNING: This material is lousy. You should consult other background material than this, if possible. See links and instructions from the course home page.

2 An overview of signalling protocols in the GSM system

The GSM system has numerous interfaces, each with its own protocol. Appendix 1 introduces the most common interfaces and appendix 2 the protocol stacks of the interfaces examined in this work. The picture is not perfect: it lacks, for example, the network management protocol BSSOMAP that belongs to the base station controller (BSC) and the mobile switching centre (MSC), and it also lacks the SMS protocols. The N-ISDN user part ISUP and the application protocol TCAP are also missing. This narrow report is limited entirely to the part from interface A towards the mobile side.

ITU-T has defined the common channel signalling system #7, which is used on the A interface (and in the network subsystem, NSS) to transfer messages. Above it are GSM application protocols such as BSSMAP, CM and RSM. These are commonly called GSM L3, meaning the third layer of the GSM protocol stack (but it corresponds to layer 7 in the OSI model).

2.1 SS#7

As Mouly and Pautet [Mou98] put it, SS#7 is the glue keeping the NSS parts (VLR, HLR, EIR, AuC, GMSC, ...) together. SS#7 is also a direct link to the N-ISDN network because the same signalling system is used. The application layers (layer 7 in the OSI model) are different in PLMN and N-ISDN networks. The same holds for the PSTN structure, which is slowly going out of use.

SS#7 is a common channel signalling system, which means that signalling runs in its own channel. This is not necessarily on the same physical wire as the traffic channel route from one subscriber to another. Signalling takes place in messages whose structure is precisely defined in the ITU-T specifications Q.7xx. Next comes a brief description of the four lowest layers of SS#7 that are used on the A interface of the GSM system.

2.1.1 MTP1 or the Physical Layer (Layer 1 in OSI-model)

This is the physical connection, i.e. the PCM line, whose total bit rate is 2048 kbit/s divided into 32 time slots. The first time slot is reserved for frame timing and passing alarms, but the remaining 31 time slots can carry signalling channels or traffic channels. Time slot #16 is usually reserved for signalling, but this is not necessarily always the case. The choice depends on the operator, and in Finland’s SS#7 network time slot #1 is always reserved for signalling [Tie98].

2.1.2 MTP2 or the Link Connection Layer (Layer 2 in OSI-model)

This layer covers the actions between two signalling points, such as acknowledging a received message and requesting retransmission. To be able to separate the messages, an HDLC-based (High-level Data Link Control) protocol is used. It separates messages with the frame flag 01111110. The word link means a connection between two points. The MTP2 layer supervises the state of the link by sending frames continuously. Because there is not always information to be signalled, three different types of message units are used. These message units are MSU, LSSU and FISU:

• MSU (Message Signal Unit) is the most important type of message unit because it transports the actual payload, i.e. the signalling messages. An MSU includes the SIO field (Service Information Octet), which carries information about the payload, the SIF (Service Information Field). The SIF always begins with the routing label, which consists of the DPC (Destination Point Code), the OPC (Originating Point Code) and the SLS field (Signalling Link Selection), which can be used for distributing message units to different routes depending on the load conditions. These four octets belong to MTP3. Signalling messages that belong to a single phone call or data link take the same route anyway. The maximum length of the SIF is 272 octets, of which the routing label takes four octets. The maximum length of the payload is then 268 octets.

• LSSU (Link Status Signal Unit) carries information about, for example, processor faults between two signalling points.

• FISU (Fill-In Signal Unit) is a unit with no payload. It is needed because the signalling link carries traffic continuously. This is how the status of the signalling link is supervised and faults are noticed quickly.

Figure 1. The structure of MSU (figure label: OPC+DPC+SLS, 4 octets)

LI-part indicates which message unit is concerned. This happens according to the table below:

Table 1. The differences between message units

LI        SU
0         FISU
1 or 2    LSSU
>2        MSU

The LI field states how many octets there are between itself and the checksum.

Each message unit is numbered in the FSN field (Forward Sequence Number). When the other end receives a message unit successfully, it places the FSN just read into the BSN field (Backward Sequence Number) of the units it sends in the backward direction. This is called the acknowledging procedure: the end that sent the message gets confirmation in the return traffic that the original message did go through.

The use of the BIB and FIB bits (Backward/Forward Indicator Bit) is more complicated, but it is described in detail in ITU-T recommendation Q.703 [ITU703].

2.1.3 MTP3/SCCP or the Network Layer (Layer 3 in OSI-model)

Telling the network protocols apart can be confusing. ITU-T has numerous precise specifications on the subject (Q.704-Q.714), but knowing them is not necessary to comprehend the basics. SCCP is often considered to be the fourth layer protocol of OSI, for example when it serves TCAP (figure 2). SS#7 networks can be divided into a signalling network and national/operator-specific networks. This is required because a 14-bit address field is not enough to distribute addresses globally.

MTP3 is a network level protocol that handles routing in national networks. It also takes care of routing around defective links (MTP2 monitors the status of a link), and in case of overload it can move the message flow to a less congested route (SLS bits). MTP3 does not know how to perform routing at the international level; for that it needs help from SCCP. SCCP maintains information on the signalling points in the international SS#7 network. Signalling messages can be directed through these points to the international signalling network. This enables a call from an N-ISDN network in Indonesia to a mobile phone in Finland, or vice versa.

Another difference from MTP3 is that SCCP is able to direct messages to a higher level protocol such as BSSAP. SCCP uses a subfield called SSN (Subsystem Number, not in the picture) for this purpose. The SSN identifies GSM network elements. For example, SSN=254d means BSSAP, and SSN=11d means ISUP, which is an application protocol of the N-ISDN network (layer 7 in the OSI model).

It is worth mentioning that TCAP (hierarchically above SCCP) is able to distinguish and supervise single transactions between network elements, for example MAP/VLR <-> MAP/HLR. The MAP protocol and TCAP are not discussed any further in this laboratory work because they are not needed on the A interface but only on the inner interfaces of the NSS (B, C, D, E, F, G).

Figure 2. The correspondence of OSI-model and SS#7 [mic98]

2.2 The Protocols of GSM Link Layer (Layer 2 in OSI-model)

SS#7 is a system whose users include, for example, N-ISDN, NMT, PSTN and of course GSM. The protocols specific to GSM are viewed next. In fact, LAPD is adapted directly from the protocol used by the D channel in N-ISDN, and LAPDm is a variation of LAPD. Suitable parts have been chosen for GSM from other protocol architectures. This is probably reasonable, for there is no point in reinventing the wheel.

2.2.1 LAPD

LAPD is also an HDLC-based protocol. The D channel of the N-ISDN network uses LAPD, from which the abbreviation is derived: Link Access Protocol on the D-channel. On the Abis interface, signalling uses a 64 kbit/s channel multiplexed into a 2,048 Mbit/s PCM link. The distribution of signalling and traffic channels within a 2 Mbit/s frame is operator-specific. The traffic channels use 16 kbit/s subchannels. This means that one 64 kbit/s time slot can contain four full-rate GSM traffic channels.

The maximum length of a LAPD frame is 264 octets, of which the actual signalling payload gets 260 octets. Because LAPD does not split messages into new frames, and furthermore because the radio interface does not have a maximum length for the message (the message can be spread over many bursts), 260 octets is the longest possible L3-level signalling message length (MTP2 has a maximum length of 268 octets) in the GSM system. For one reason or another, the maximum length is defined to be 251 octets [GSM0406].

Figure 3 represents the structure of frame types A and B.

[Figure not reproduced. Octets of format A, in order: Flag (01111110), Address (high order octet), Address (low order octet), Control (Note 2), FCS (first octet), FCS (second octet), Flag (01111110). Format B has the same octets, with Control (Notes 1 and 2) followed by an Information field before the FCS.]

NOTE 1 – For unacknowledged operation, format B applies and one octet control field is used.

NOTE 2 – For multiple frame operation, frames with sequence numbers contain a two-octet control field and frames without sequence numbers contain a one-octet control field. Connection management information transfer frames contain a one-octet control field.

Figure 3. The LAPD frame types A and B [ITU921]

2.2.2 LAPDm

LAPDm is a modified version of LAPD. For example, the frame flags have been removed, because the TDMA frame structure of the radio interface takes care of framing the messages. The error correction bits have also been dropped for the same reason: the physical layer of the GSM air interface takes care of the error correction functions.

LAPDm has different kinds of frames: A, Abis, B and Bbis are the most typical frame types. A/Abis frames are used to transfer supervisory information and as fill frames. B/Bbis frames transfer information. The bis frame types are used in unacknowledged mode.

Bit                     8 7 6 5 4 3 2 1
Octet 1 ... k           Address field
Octet k+1               Control field
Octet k+2 ... n         Length indicator field
Octet n+1 ... N201+n    Fill bits

Figure 4. Type A LAPDm frame [GSM0406]

N201 is a parameter that defines the maximum size of the information field in octets. If LI (Length Indicator) is smaller than N201, the rest of the octets are filled with fill bits. The precise meanings of the different fields are given in the specifications [GSM0406].

Bit                     8 7 6 5 4 3 2 1
Octet 1 ... k           Address field
Octet k+1               Control field
Octet k+2 ... n         Length indicator field
Octet n+1 ... N         Information field
Octet N+1 ... N201+n    Fill bits

Figure 5. Type B LAPDm frame [GSM0406]

The fill bits are sent if a frame is otherwise not full or if there is nothing else to send. The frame nevertheless always has the same length. If a message is too long, it can be divided into several frames. This is done, for example, when sending short messages. There are certain mechanisms in the frame structure for this purpose, but they are not covered here.

The following table includes some of the full speed channel parameters.

Table 2. Full speed logical channel parameters

Logical   Frames/      Channel coding                     Block speed       Block size  Bits before      LAPDm frame size  Frame  Information bits
channel   superframe                                      (blocks/frames)   (bits)      coding (octets)  bits (octets)     type   in a frame (octets)
FACCH     24/26        Fire code, convolution ½           6/24              456         184 (23)         184 (23)          B/A    160 (20)
SDCCH/4   4/51         Fire code, convolution ½           1/51              456         184 (23)         184 (23)          B/A    160 (20)
SACCH     1/26         Fire code, convolution ½           1/104             456         184 (23)         168 (21)          B/A    144 (18)
BCCH      4/51         Fire code, convolution ½           1/51              456         184 (23)         184 (23)          Bbis   184 (23)
PAGCH     36/51        Fire code, convolution ½           9/51              456         184 (23)         184 (23)          Bbis   184 (23)
SCH       5/51         Parity (10 bits), convolution ½    5/51              78          25               -                 -      -
RACH      51/51        Parity (10 bits), convolution ½    51/51             36          8 (1)            -                 -      -

2.3 GSM L3 (Layer 7 in OSI-model)

2.3.1 General

The layer above the physical and link layers of GSM is often called the third layer of GSM. It contains the application protocols. The physical layer and the link layer are usually defined to be layers one and two. A network level protocol (layer 3 in the OSI model) is not actually included in the GSM protocol stack. Compared with the OSI model, L3 belongs to the application layer (layer 7 in the OSI model). Precise knowledge of the protocols is needed when working with signalling programs, but being familiar with the basics is useful for anyone working with GSM. The radio interface may be the most critical part in terms of performance, but its share of the whole system is relatively small.

The main parts of L3 are RR (Radio Resource Management), MM (Mobility Management) and CM (Connection Management). CM is further divided into smaller parts, of which the most important for this laboratory work is CC (Call Control). The other subparts are SMS and SS, which are used for processing short messages and controlling supplementary services. Appendix 2 includes the GSM protocols introduced so far. CM, MM and RR can each be considered a set of functions that controls its own area of GSM operation. Each includes a number of messages whose parameters vary according to the situation and the rules in force.

Figure 6. BSSAP

RR protocol controls radio channels allocation, detection and handover.

MM protocol handles mobility. This means that the location of the phone has to be known. For example, trying to contact a phone is impossible if its whereabouts are not known.

CM protocol controls setting up a connection, maintaining it and ending it. A connection stands for a data call, sending a short message or an ordinary phone call.

Abis interface has a protocol RSM (Radio Subsystem Management) that is sometimes called BTSM (Base Station Subsystem Management). Its purpose is to distribute radio resources and to control handovers.

The following table gives a few examples of messages that can be sent by L3 protocols.

Table 3. Example messages

Protocol and message         Direction     Description
RR PAGING RESPONSE           MS -> MSC     The phone’s response to the PAGING request with which the phone is searched for in the network
MM AUTHENTICATION REQUEST    MS <- MSC     MSC sends MS an authentication request that includes a random number RAND. MS replies with MM AUTHENTICATION RESPONSE
CC SETUP                     MS <-> MSC    Includes information for setting up the connection to the phone, such as the number
RSM ESTABLISH INDICATION     BTS -> BSC    The base station sends this message after the connection to MS has been set up. It includes MS’s first message, BSSMAP COMPLETE L3 INFO

[Labels of Figure 6 (figure not reproduced): SCCP, SSN = 254d; BSSAP; distribution function with values 00d and 01d; BSSMAP; DTAP; protocol discriminator; RR; MM; CM, which contains CC, SS and SMS.]

RR messages are usually addressed to the BSC or BTS, such as RR MEASUREMENT REPORT, which includes the results of measuring speech quality and the power levels measured from neighbouring cells (for handover decisions in the BSC).

The hierarchy RR -> MM -> CM can be interpreted to mean that lower level matters have to be in order before higher level tasks can be performed. Thus RR, which controls the allocation of radio resources (i.e. traffic and signalling channels), has to do its signalling before MM. On the other hand, MM must authenticate the subscriber before CC can start setting up the call.

A mobile phone exchanges messages with several network elements. A message can therefore be transparent to an element in between, which leaves the message unread. This happens, for instance, when the MSC sends an authentication request, AUTHENTICATION REQUEST. The base station and its controller are in between, and they relay the message without touching its contents. The phone in turn sends the MSC the response AUTHENTICATION RESPONSE. This is a very simple example and there are many exceptions. The transfer of messages between MS <-> MSC is handled by DTAP (Direct Transfer Application Part). DTAP is one of the two parts of BSSAP (Base Station Subsystem Application Part), and it is divided into RR, CM and MM.

BSSAP consists of two parts (figure 6). The other part of BSSAP is BSSMAP (Base Station Subsystem Mobile Application Part). When a message sent by the phone arrives at the MSC, some mechanism is needed to separate BSSMAP and DTAP messages from each other. SCCP does not do this; instead a “layer” called the d-function (distribution function) does. The literature sometimes calls the distribution function a layer and sometimes a protocol. “A function” may actually be the best word to describe the concept. The essential point is that the d-function separates BSSMAP and DTAP messages from each other immediately after SCCP has passed the GSM L3 message to it.

More separation mechanisms are needed inside DTAP, because CM (including its several subparts) and MM must be told apart. For this purpose a DTAP message includes an octet that separates the protocols. This is called the PD octet (Protocol Discriminator). There is also an unpleasant exception: the first message (COMPLETE L3 INFO) from MS to MSC is actually addressed to both BSSMAP and DTAP. So the d-function directs the message to BSSMAP, which knows how to forward the right part of the message to DTAP. The DTAP part of the message is then split normally according to the PD octet.

2.3.2 The structure of a message

The next example is the BSSMAP message ASSIGNMENT REQUEST, which the MSC sends to the BSC when it wants the BSC to allocate radio resources, for example to connect a call (Mobile Terminating Call). The point is to get a picture of the message structure used. DTAP messages are similar. A brief part of the signalling is introduced later.

The structure of BSSMAP messages on the A interface is precisely defined in the specifications [GSM0808]. The structure of DTAP messages is defined in other specifications [GSM0408, GSM0858]. These messages travel transparently through the BSS, which means that the BSS doesn’t interfere with them.

The messages consist of information elements that are stacked one after the other to form a whole message. The phase 2+ specification 08.08 defines 67 different BSSMAP messages that use 59 different information elements. The structure of the messages does not follow a fixed rule (except for the first octet), and the resolution of the information elements is one octet, i.e. eight bits. The first information element of a BSSMAP message is Message Type, and the first part of every information element is an identifier (IEI) that indicates which information element is concerned. So the shortest possible message includes only one information element (at the shortest two octets), and so the minimum length is three octets.

Table 4. A diagram of the L3 message ASSIGNMENT REQUEST [GSM0808]

Information Element                   Type   Length
Message Type                          M      1
Channel Type                          M      5-10
Layer 3 Header Information            O      4
Priority                              O      3
Circuit Identity Code                 O      3
Downlink DTX Flag                     O      2
Interference Band To Be Used          O      2
Classmark Information 2               O      4-5
Group Call Reference                  O      3-8
Talker Flag                           O      1
Configuration Evolution Indication    O      2

This message can in principle be from 6 to 40 octets in length.

Some explanations:
M - mandatory element
O - optional element

For example, the information element Classmark Information 2, which describes the properties of the phone to the BSC, is formed according to picture 2.5 [GSM0408].

Bit: 8 7 6 5 4 3 2 1 (one row per octet)
Information element identifier
Length of element contents
Spare | Revision level | ES IND | A5/1 | RF power capability
Spare | PS capab. | SS screen indicator | SM capab. | spare | Spare | FC
CM3 | Spare | Spare | Spare | spare | spare | A5/3 | A5/2

Figure 7. Information element of Classmark Information 2 [GSM0408].

A field that gives the length of the element is needed because the fifth octet is optional, so the length of the element can vary.

Some explanations:
PS - Pseudo-synchronization
SS - Supplementary Services
SM - Short Message
CM3 - Classmark 3
FC - Frequency Capability
ES IND - Early Sending Indication

3 An Example of Signalling - BSSMAP COMPLETE L3 INFORMATION

Next an example of signalling is introduced. The picture below shows the messages exchanged between the different network elements. The vertical axis depicts time.

At the beginning MS calls the base station, and the base station controller grants MS a signalling channel, SDCCH. Then MS sends a SABM frame which also carries (this is called piggybacking in the literature) the message COMPLETE L3 INFORMATION. This message includes information on MS and the services involved in the connection. The message travels untouched “inside” another message (RSM ESTABLISH INDICATION). The BSC has not yet set up a connection to the MSC, but it does so now by sending SCCP CONNECTION REQUEST, which includes the original message sent by MS. Let’s examine this message (the circled one) more closely next. The example is taken from reference [Tel98].

Figure 8. Signalling scheme of setting up connection. The circled message is studied more closely.

3.1 MTP2 part

The figure below shows the composition of the SCCP CONNECTION REQUEST message octet by octet. The different parts have been marked with different shades of grey. The frame flags 01111110 and the check bits are missing.

B2 B4 31 83 91 43 10 18 01 00 06 01 02 02 04
02 42 FE 04 04 43 41 20 FE 0F 19 00 17 57 05
05 01 00 47 1B BD 17 0D 05 24 31 03 20 18 01
05 F4 00 00 2D 88 00

Figure 9. SCCP CONNECTION REQUEST almost in its entirety.

[Labels of Figure 8 (figure not reproduced). Network elements: MS, BTS, BSC, MSC. Channels: RACH, AGCH, SDCCH. Messages: RR channel request; RSM channel required; RSM channel activation; RSM channel activ. ack; RSM immediate assign cmd; RR immediate assignment; LAPDm SABM (COMPLETE L3 INFO); LAPDm UA (COMPLETE L3 INFO); RSM establish indication (COMPLETE L3 INFO); SCCP connection request (BSSMAP COMP. L3 INFO); SCCP connection confirm.]

[Shading legend of Figure 9: MTP2, (MTP3), SCCP, d-function, BSSMAP, DTAP.]

The MTP2 part of the MSU frame is coloured grey (in figure 9). MTP2 passes the rest to the upper level, in this case to SCCP.

B2 B4 31 83 91 43 10 18 01 00 06 01 02 02 04
02 42 FE 04 04 43 41 20 FE 0F 19 00 17 57 05
05 01 00 47 1B BD 17 0D 05 24 31 03 20 18 01
05 F4 00 00 2D 88 00

Figure 10. MTP2-part

The first two octets are not decoded; they are assumed to be random as far as this example is concerned.

LI=31h=00110001=49d, i.e. the payload (SCCP part) of the MSU is 48 octets in length. The first two zeros are reserved bits and their value is a fixed ‘0’.

SIO=83h=10000011, of which SSF is the first two bits and the service indicator the last four bits (two bits are reserved). The value of the service indicator (the SIO values of Table 5) is 0011=3d, which means SCCP.

Table 5. The possible values of SIO [mic98]

SIO   MTP user
0     Signalling Network Management Message (SNM)
1     Maintenance Regular Message (MTN)
2     Maintenance Special Message (MTNS)
3     Signalling Connection Control Part (SCCP)
4     Telephone User Part (TUP)
5     ISDN User Part (ISUP)
6     Data User Part (call and circuit-related messages)
7     Data User Part (facility registration/cancellation messages)

Table 6. Decoding Subservice Field-bits

0     International Network
1     International spare
2     National network
3     Reserved National

[Field labels of Figure 10, in octet order: BSN/BIB, FSN/FIB, LI, SIO+SSF.]

3.2 SCCP part

91 43 10 18 01 00 06 01 02 02 04
02 42 FE 04 04 43 41 20 FE 0F 19 00 17 57 05
05 01 00 47 1B BD 17 0D 05 24 31 03 20 18 01
05 F4 00 00 2D 88 00

Figure 11. SCCP part

The first four octets of the SCCP part always contain the routing label and the load distribution between links. From this point of view they can be assumed to be random. In fact, these four octets actually belong to MTP3.

Figure 12. Routing label [ITU704]

The binary value of the routing label in this example (according to figure 12):
00011000 00010000 01000011 10010001
DPC=00001110010001=913d=391h, OPC=10000001000001=8257d=2041h and SLS=0001=1h.

[Blocks of Figure 13, in order: MTP routing label, Message type code, Mandatory fixed part, Mandatory variable part, Optional part.]

Figure 13. General structure of SCCP-message + routing label of MTP [ITU713].

[Labels of Figure 11: Routing label (MTP3); Message Type; Source Local Reference; Protocol Class; Called Party Address (first octet); M1; O1; Calling Party Address (first octet, element identifier); Subsystem Number.]

[Labels of Figure 12: DPC (14 bits), OPC (14 bits), SLS (4 bits); SCCP SIF.]

Order of octet transmission (bits 8 7 6 5 4 3 2 1 in each octet):

Message type code
Mandatory fixed part:
    Mandatory parameter A
    ...
    Mandatory parameter F
Mandatory variable part:
    Pointer to parameter M
    ...
    Pointer to parameter P
    Pointer to start of optional part
    Length indicator of parameter M
    Parameter M
    ...
    Length indicator of parameter P
    Parameter P
Optional part:
    Parameter name = X
    Length indicator of parameter X
    Parameter X
    ...
    Parameter name = Z
    Length indicator of parameter Z
    Parameter Z
    End of optional parameters

Figure 14. The structure of SCCP-message [ITU713]

The fifth octet states which message is concerned. In this case its value is 01h=01d, which decoded [Net96] means the message CONNECTION REQUEST. The format of each message is precisely defined, and after reading the message type octet SCCP knows which elements come next.

Table 7. Some values for decoding Message Type-field [Net96]

Value   Message
01h     CR - Connection Request
02h     CC - Connection Confirm
03h     CREF - Connection Refused
04h     RLSD - Released
05h     RLC - Release Complete
06h     DT1 - Data Form 1
09h     UDT - Unit Data

The next three octets of this message contain a reference number (Source Local Reference) that has been given to this particular connection. SCCP uses it to tell apart the parallel connections of the connection-oriented basic service. See the next octet.

The ninth octet (Protocol Class) describes the type of the connection, which in this particular case is 02h = connection-oriented basic service. After this (in this message) follow two octets that point to elements: the called party address (M1) and the calling party address (O1). The called party address is optional. The pointer octets used in SCCP express how many octets there are between the pointer itself and the element pointed to, including the routing label octet.

Table 8. Values for decoding Protocol Class-octet [Net96]

Value   The Connection Type
0       Connectionless, discard msg on error
1       Connectionless, not GSM, discard msg on error
2       Connection oriented
3       Connection oriented, not GSM
80h     Connectionless, return msg on error
81h     Connectionless, not GSM, return msg on error

The following octets contain a more complicated information element: the Called/Calling Party Address of SCCP. Its structure is shown in the following figure and it will be studied more closely.

Bit: 8 7 6 5 4 3 2 1 (one row per octet)
Length Indicator
Nat. use | Rtgi | Global Title indicator | SSNi | PCi
Signalling point code, low part
Spare | Signalling point code, high part
Subsystem Number
Global Title (variable length)
...

Figure 15. Called/Calling Party Address- information element

02h=02d, i.e. there are two octets after the LI element (Length Indicator).

The second octet is 42h=01000010. The following values are derived from it:

The most significant bit is reserved for national use.

Rtgi = Routing Indicator = 1, which means that routing is based on the routing label of MTP and on the SSN inside the signalling point. The general address (Global Title) of SCCP is not used in this case, but it is useful to be familiar with some basics. Any signalling point can be found globally with the help of the general address (Global Title). The Global Title may be [Tie98] IMSI, MSISDN or a mixture of these two. It does not yet indicate the location of the target signalling point; a translation function is needed. This translation function belongs to the main SCCP functionality. It converts the Global Title into a routing label, after which routing to the target point can proceed normally.

Global Title indicator = 0 = the message doesn’t have an SCCP general address.
SSNi = 1 informs only whether the SSN field belongs to the element (‘1’) or not (‘0’). In this case the information element includes the Subsystem Number.
PCi = Signalling Point Code indicator informs whether the SPC field is included in the message. In this case not (‘0’).

The third octet is important. It indicates the application layer at the Destination Point Code to which the message belongs. With this mechanism SCCP knows to which upper layer the payload should be passed. Now the value is FEh=254d. This means BSSAP. So SCCP cannot distinguish BSSMAP and DTAP messages from each other (or the protocols inside DTAP). GSM signalling has its own information elements for this in the upper layers.

Table 9. Some values for decoding SSN-field [Net96]

Value   Subsystem
0h      Not known/not used
1h      SCCP management
3h      ISUP
4h      OMAP
5h      MAP
FDh     O&M
FEh     BSSAP

Next comes the calling address, which is an optional field. Instead of an LI octet, the first octet is an Element Identifier that states which element is at hand. The element is decoded in the same way as the called address above, but the field values differ.

04 04 43 41 20 FE

- Routing is based on the routing label of MTP and SSN (RTGi =’1’).- Subsystem Number is included in the message (SSNi =’1’).- The originating address of the message is included in the message (Pci =’1’).- The address of the origin is 2041h.- The message was sent by BSSAP (SSN=FEh) from the address above.

There are still three SCCP-protocol octets left: 0F 19 00. All of these are included in the optional part.

0Fh  This octet indicates the next optional element (0Fh = SCCP user data).
19h  Indicates the SCCP user part length in octets (the payload).
00h  Comes only after the user part and indicates the end of the optional part. Afterwards come the MSU check bits and the frame mark 01111110. These are not described in the figures.

The decoding of the SCCP user part (the payload) is introduced next.

2.4.3.3. The D-function

The following octet in the message is the d-function (distribution function). This very important function defines whether the message is transferred to BSSMAP ('0') or to DTAP ('1'). The seven most significant bits are reserved and are fixed to zero.

00 17 57 05
05 01 00 47 1B BD 17 0D 05 24 31 03 20 18 01
05 F4 00 00 2D 88 00

Figure 16. The d-function and BSSMAP part

3.3 BSSMAP COMPLETE L3 INFORMATION

The original message sent by the phone has arrived at its destination.

[Field labels of the hex figure: d-function, LI, Message Type, IEI (Cell Identifier), LI, IEI, pd + TI, Message Type, Service Type + CKSN, MS Classmark 2 (first octet), Mobile identity (first octet), TMSI]

The first octet (Length Indicator) indicates the length of the BSSMAP message (17h = 23d), so the length is 23 octets.

The second octet indicates which message is concerned. 57h means BSSMAP COMPLETE L3 INFORMATION, which is the first message to be sent by the phone when it requests services from the MSC.

Cell Identifier is of the following form:

8 7 6 5 4 3 2 1
Information Element Identifier (IEI)
Length Indicator
Cell Identifier Discriminator
Cell Identification (variable length)
...

Figure 17. Cell Identifier-information element

BSSMAP messages include an IEI octet (Information Element Identifier) that comes before each Information Element. 05h corresponds to Cell Identifier, which indicates the location of the phone in a cell.

The second octet is 5h, so the whole length of the element is seven octets (the IEI and length octets plus five octets of content).

The third octet is 01h. This indicates more precisely what kind of identifier is concerned. Four different types are defined [GSM0808]. The length of type 01h is four octets, which could have been concluded from the previous field.

The actual identifier part consists of four octets: LAC (two octets) and CI (two octets). This is not decoded here.

The previous element has ended and a new one begins. IEI = 17h, which means the element L3 Message Contents that includes upper layer data. 0Dh expresses the length of the element (= 13).

3.3.1 MM CM SERVICE REQUEST

This is the highest level in this GSM message.

05 24 31 03 20 18 01
05 F4 00 00 2D 88 00

Figure 18. CM SERVICE REQUEST part

The first octet includes pd-information (protocol discriminator) as follows:

8 7 6 5 4 3 2 1
Tif | TI value | Protocol discriminator

Figure 19. Protocol discriminator-octet

The value of the Protocol discriminator is 0101. This corresponds to protocol MM. Other possible values are presented in appendix 4.

TI (Transaction Identifier) indicates which part of the connection event the message is from.

Message type 24h is decoded as CM SERVICE REQUEST. This is how the phone requests the MM protocol to begin tasks such as ciphering so that CM (including CC) can begin.

The third octet includes a service type, which in this case is MOC (Mobile Originating Call), and the number of the ciphering key (Ciphering Key Sequence Number) that was installed on the SIM card of the phone at the end of the previous connection event. The binary value is 00110001, of which the last four bits belong to the service type and the first three to the sequence number of the ciphering key (not the same as Kc!).

The next information element is several octets in length. It includes information on the phone's properties, such as power class and the ciphering algorithms supported by the phone. The first octet indicates the length of the information part (Value Part) of the element. The following three octets include the information.

The last element is Mobile Identity, which includes one of the following: IMSI, IMEI, TMSI or IMEISV. The first octet indicates the length of the element and the second octet what type of identifier is concerned. In this case, the four following octets include the actual identifier (now TMSI).

The last octet of the whole message unit is 00h and it indicates the end of the optional part of SCCP. This was introduced earlier.

This should be known: COMPLETE L3 INFORMATION is the only message that goes to both BSSMAP and DTAP. Other messages end up in either one of these, not both. This arrangement is used because the first message from the phone is then able to transfer all the information needed to set up a connection. So only one message is needed instead of two separate messages. Even the name of the message implies this property; it includes all L3 level information in one message. The BSSMAP protocol interprets its own part first, which includes information on the cell, then the DTAP part is interpreted normally. The message of the DTAP part could be one of the following:

• RR PAGING RESPONSE
• MM LOCATION UPDATING REQUEST
• MM CM RE-ESTABLISHMENT REQUEST
• MM CM SERVICE REQUEST
• MM IMSI DETACH
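The decoding steps walked through above (SCCP calling address, d-function, BSSMAP COMPLETE L3 INFORMATION and the embedded CM SERVICE REQUEST), as an added example that is not part of the original lab material: a Python decoder that checks every length indicator against the captured octets before reading. Function and class names are hypothetical; the address-indicator bit positions and the identity-type codes are taken from Q.713 and GSM 04.08 rather than from this text.

```python
# Added example; names are hypothetical. Address-indicator bit positions (Q.713)
# and identity-type codes (GSM 04.08) are assumptions not spelled out in the text.
CALLING_PARTY = bytes.fromhex("04 04 43 41 20 FE")
USER_DATA = bytes.fromhex(  # Figure 16 without the closing SCCP octet 00h
    "00 17 57 05 05 01 00 47 1B BD 17 0D "
    "05 24 31 03 20 18 01 05 F4 00 00 2D 88")
SSN_NAMES = {0x00: "Not known/not used", 0x01: "SCCP management", 0x03: "ISUP",
             0x04: "OMAP", 0x05: "MAP", 0xFD: "O&M", 0xFE: "BSSAP"}  # Table 9
IDENTITY_TYPES = {1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


class DecodeError(ValueError):
    """A length indicator or field runs past the captured octets."""


class Reader:
    """Cursor over a buffer; every read is checked against what is left."""

    def __init__(self, data):
        self.data, self.pos = bytes(data), 0

    def take(self, n, what):
        left = len(self.data) - self.pos
        if n > left:
            raise DecodeError(f"{what}: needs {n} octets, only {left} left")
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def octet(self, what):
        return self.take(1, what)[0]

    def lv(self, what):
        """Length-value field: one length octet, then that many octets."""
        return self.take(self.octet(what + " length"), what)

    def done(self):
        return self.pos == len(self.data)


def parse_sccp_address(element):
    """Optional-part address: element identifier, length, address indicator."""
    outer = Reader(element)
    ident, body = outer.octet("element identifier"), Reader(outer.lv("address"))
    ai = body.octet("address indicator")
    out = {"identifier": ident, "pci": ai & 1, "ssni": (ai >> 1) & 1,
           "gti": (ai >> 2) & 0x0F, "rtgi": (ai >> 6) & 1}
    if out["pci"]:  # point code: 14 bits, least significant octet first
        pc = body.take(2, "point code")
        out["point_code"] = int.from_bytes(pc, "little") & 0x3FFF
    if out["ssni"]:
        ssn = body.octet("SSN")
        out["subsystem"] = SSN_NAMES.get(ssn, f"unknown ({ssn:02X}h)")
    if out["gti"] == 0 and not (body.done() and outer.done()):
        raise DecodeError("unexpected octets in or after the address")
    return out


def parse_cm_service_request(l3):
    """MM CM SERVICE REQUEST as walked through in section 3.3.1."""
    r = Reader(l3)
    pd, msg_type = r.octet("pd octet") & 0x0F, r.octet("message type") & 0x3F
    if (pd, msg_type) != (0x5, 0x24):
        raise DecodeError(f"not CM SERVICE REQUEST (pd {pd:X}h, type {msg_type:02X}h)")
    third = r.octet("service type + CKSN")
    classmark2, identity = r.lv("MS classmark 2"), r.lv("mobile identity")
    if not identity:
        raise DecodeError("mobile identity is empty")
    return {"service_type": third & 0x0F,       # 1 = mobile originating call
            "cksn": (third >> 4) & 0x07,        # key sequence number, not Kc
            "classmark2": classmark2.hex(),
            "identity_type": IDENTITY_TYPES.get(identity[0] & 0x07, "unknown"),
            "identity": identity[1:].hex()}     # for TMSI: the four TMSI octets


def parse_bssap(user_data):
    """SCCP user data: d-function octet, then (for BSSMAP) length and message."""
    outer = Reader(user_data)
    d = outer.octet("d-function")
    if d & 0xFE:
        raise DecodeError("reserved d-function bits are not zero")
    if d == 1:
        return {"protocol": "DTAP"}  # DTAP header is not covered in the text
    body = Reader(outer.lv("BSSMAP message"))
    if not outer.done():
        raise DecodeError("octets left after the BSSMAP message")
    out = {"protocol": "BSSMAP", "message_type": body.octet("message type")}
    if out["message_type"] != 0x57:  # 57h = COMPLETE L3 INFORMATION
        return out
    while not body.done():
        iei = body.octet("IEI")
        if iei not in (0x05, 0x17):  # other elements may lack a length octet
            raise DecodeError(f"IEI {iei:02X}h: format unknown, not guessing")
        value = Reader(body.lv(f"element {iei:02X}h"))
        if iei == 0x17:  # L3 Message Contents
            out["l3"] = parse_cm_service_request(value.data)
        elif value.octet("cell identifier discriminator") == 0x01:
            out["lac"] = int.from_bytes(value.take(2, "LAC"), "big")
            out["ci"] = int.from_bytes(value.take(2, "CI"), "big")
    return out
```

Run on the octets quoted in the text, the decoder yields LAC 0047h and CI 1BBDh for the cell and TMSI 00002D88h for the phone. A truncated capture or an inflated length indicator raises DecodeError instead of reading past the buffer.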

4 The MSC/A simulator software

The construction of the equipment in the laboratory is presented in the following figure. The phones are missing.

Figure 20. The architecture of the equipment in the laboratory

The base stations are Siemens BS-11 micro base stations whose capacity is 1 TRX. The NetHawk MSC simulator can handle the signalling of 25 simultaneous calls. In addition, the equipment includes an ISDN phone that is connected directly to the PRI/AT card of the simulator PC. With it, phone calls can be made from a fixed network to a mobile phone. The simulator automatically controls all actions such as connecting the calls.

The NetHawk program consists of three parts: the actual simulator, configuration tools and a monitor program that decodes the signalling on interface A. The monitor program is the most important tool in this laboratory work.

4.1 MSC simulator

The simulator is controlled by a command interpreter or by macros. The console window shows in real time the messages that travel on interface A, excluding test messages and fill messages. Commands can be given by switching to command mode. Simulation sequences can be written into files that can be run in one go. The simulator itself is not very interesting as regards the laboratory work, because the signalling messages on interface A are shown in the console window as hex messages and they are not much fun to read. In addition, the simulator must be controlled from a ready-made macro, because it is not useful to start learning the specialties of the command interpreter for the purpose of this laboratory work. This is why programming is not explained any further here. You'll find more about it in course Tik-109.350. However, the following figure presents the simulator's protocol stack. Each box is its own CVOPS process, except for the actions performed by the PRI/AT card.

[Figure 20 block labels: BTS 1, BTS 2, BSC/TRAU, MSC-simulator]

Figure 21. The structure of NetHawk MSC-simulator's processes [Net96]. Only the other PCM-link is in use in the laboratory equipment.

4.2 Configuration tool

The MSC parameters can be set and users of the GSM network can be created with the configuration program. For example, the following parameters are set:

• SS#7 addresses of MSC and BSS, the signalling and speech channels used, SS#7 standard (ANSI or ITU-T), GSM protocol version (1 or 2), synchronizing.
• Information on BSS cells, the addresses.
• Information on the phones, such as MSISDN numbers, frequency region, IMSI, security parameters, speech code, short message parameters. In addition, information on the phones of a fixed network can be configured.

Configuration information can be saved in a file and loaded later. When the MSC simulator program is started, it asks the user for the configuration to be used. If the configuration of a network is changed, the simulator must first be shut down and then restarted.

[Figure 21 labels: PCM line 1; stack CC, MM, BSSMAP (incl. RR), SCCP, MTP3, MTP2if, MTP2; stack BSSMAP, SCCP, MTP3, MTP2if, MTP2; PCM line 2; PRI/AT card]

4.3 The Monitoring Program

The monitoring program is able to decode the messages on interface A beginning from the MTP2 level. The program offers numerous possibilities to do this. You can choose, for example, a print of the messages in hex form or the whole message decoded in English without the hex form. The protocol layers to be decoded can also be chosen. The MTP2 layer, for example, is not worth decoding in practice because the constant flow of fill message units covers all useful information. The connection events can be picked from the flow by using the TMSI, and it is also possible to set 'traps'. A 'trap' stands for an action that is launched by a predefined stimulus, such as a Location update sent by a certain phone (TMSI/IMSI). What the trap does after the stimulus has occurred can be specified. Using traps is useful in testing, for example in 'over-night' tests.

Most important as regards this laboratory work is the versatile interpretation of the messages. It enables us to examine signalling events very accurately. The messages from different protocol layers are printed on the screen in different colours, which eases the interpretation of the messages. Appendix 3 gives an example of signalling on the A interface that has been captured by the monitoring program. Different monitor settings can be saved in a file to be reloaded later.

The monitor program has two functioning modes: real-time mode and buffer mode. In real-time mode, almost real-time signalling data is printed on the screen. When switching to history mode, the messages are forwarded to a memory buffer, and when switching back to real-time mode they appear on the screen. When the wanted part of the signalling has been captured, it is possible to switch to the buffer mode and study the messages. At this point, new windows can be opened and messages from different protocol layers can be printed in them. The text from the screen can be copied to Wordpad (for example).

Appendices

1) GSM-system interfaces
2) The protocol stacks of MSC-BSS
3) An example of signalling on interface A (NetHawk-print)
4) Some extracts from specifications GSM 04.08
5) Some extracts from specifications GSM 08.08 and 04.08 (Laboratory exercise 3)

References

[Mou92] Mouly M., Pautet M., “The GSM System for Mobile Communications”, published by the authors, 1992

[Tie98] S-38.110 Tiedonvälitystekniikka I, lecture notes K-98, TKK 1998

[ITU703] Q.703, “Signalling system No. 7 - signalling link”, ITU-T, March 1993

[GSM0406] GSM 04.06, “Mobile Station – Base Station System interface (phase 2+); Data Link (DL) layer specification”, version 5.2.0, ETSI, May 1998

[GSM0858] GSM 08.58, “Base Station Controller – Base Transceiver Station interface (phase 2+); Layer 3 specification”, version 5.7.0, ETSI, May 1998

[GSM0808] GSM 08.08, “Mobile-services Switching Centre – Base Station System interface (phase 2+); Layer 3 specification”, version 7.0.0, ETSI, March 1998

[GSM0408] GSM 04.08, “Mobile radio interface layer 3 specification (phase 2+)”, version 6.1.1, ETSI, August 1998

[Net96] “NetHawk MSC/A Simulator”, training material, X-Net OY, 1996

[mic98] “MicroLegend SS7 Tutorial”, http://www.microlegend.com/whatss7.htm, 1998

[ITU921] Q.921, “ISDN user-network interface – Data link layer specification”, ITU-T, September 1997

[ITU704] Q.704, “Specifications of Signalling System No.7 – Message transfer part”, ITU-T, July 1996

[ITU713] Q.713, “Signalling Connection Control Part Formats and Codes”, ITU-T, July 1996

[Tel 98] Tik-109.350 Televerkon signalointiprotokollat ja –ohjelmistot, lecture notes K-98, TKK 1998


Appendix 1: Interfaces of the GSM system

[Figure: GSM network elements MS, BTS, BSC, TRAU (=TC), MSC, GMSC, VLR, HLR, EIR and O&M, connected by the interfaces Air, Abis, Asub, A, B, C, D, E, F, G and O]

Appendix 2: MSC-BSS protocol stack

[Figure: protocol stacks of MS, BTS, BSC and MSC against OSI layers 1, 2, 3 and 7, across the Air interface, Abis and A. Labels: CM, MM, RR, RR', pd, DTAP, d-function, BSSMAP, RSM, LAPDm, LAPD, SCCP, MTP3, MTP2, radio channels, 64 kbps, PCM line]

Appendix 3: An example of A interface signalling

Conn:1 Card:1 TS:16 Subch:0 21083 16:41:14.585
CR - CONNECTION REQUEST
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 15 (0Fh)
Source Local Reference
- CF0400h
Protocol Class
- protocol class : 2h, connection oriented
Called Party Address
- length 4 (04h)
- no global title present
- routing based on SSN and MTP routing label
- point code : 1513 (05E9h)
- subsystem is BSSAP
Calling Party Address
- length 4 (04h)
- no global title present
- routing based on SSN and MTP routing label
- point code : 1515 (05EBh)
- subsystem is BSSAP
SCCP User Data
- length 30 (1Eh)
End of Optional Parameters
- BSSMAP (length : 28, 1Ch)
COMPLETE L3 INFORMATION
Cell Identifier
- length : 8 (08h)
- cell global identification is used
- MCC : 123
- MNC : 45
- location area code : 11 (000Bh)
- cell identifier : 2 (0002h)
Layer 3 Information
- length : 13 (0Dh)
Chosen Channel
- SDCCH
CM SERVICE REQUEST (MM)
CM Service Type
- value : 1h
Ciphering Key Seq. Nr
- value : 7h
MS Classmark 2
- length : 3 (03h)
- revision level : used by phase 2 MSs
- No autonomous early sending
- encryption algorithm A5/1 available
- class 1, vehicle and portable
- MS does not support ext. band G1
- short message capability present
- PS capability not present
- SS screening indicator 10h
- A5/2 algorithm available
- A5/3 algorithm not available
- no additional MS capabilities available
Mobile Identity
- length : 5h
- TMSI : 15e1bcd

    Conn:1 Card:1 TS:16 Subch:0 21086 16:41:14.654
    CC - CONNECTION CONFIRM
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Source Local Reference
    - 002B01h
    Protocol Class
    - protocol class : 2h, connection oriented
    End of Optional Parameters

    Conn:1 Card:1 TS:16 Subch:0 21090 16:41:14.819
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 22 (16h)
    - DTAP (length : 19, 13h)
    - SAPI : 0, main DCCH is used
    AUTHENTICATION REQ (MM)
    Ciphering Key Seq. Nr
    - value : 0h
    Auth. Parameter RAND
    30FD3033098AB0C98D8230980928342C

Conn:1 Card:1 TS:16 Subch:0 21092 16:41:15.538
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 15 (0Fh)
Destination Local Reference
- 002B01h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 9 (09h)
- DTAP (length : 6, 06h)
- SAPI : 0, main DCCH is used
AUTHENTICATION RSP (MM)

[Annotations on the print: BSS<-MSC messages are tabulated; BSS->MSC. The ID row indicates the beginning of a message, time stamp, PCM time slot, etc. Further callouts mark the message number, the message name (in this case SCCP messages), the SCCP, BSSMAP and DTAP parts, the d function and an information element. NOTE! In this signalling print only SCCP, BSSMAP, and DTAP are decoded. DTAP messages are between MS<->MSC.]


Auth. Parameter SRES : 22C9664B

    Conn:1 Card:1 TS:16 Subch:0 21098 16:41:15.597
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 5 (05h)
    - DTAP (length : 2, 02h)
    - SAPI : 0, main DCCH is used
    CM SERVICE ACCEPT (MM)

Conn:1 Card:1 TS:16 Subch:0 21099 16:41:16.256
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 15 (0Fh)
Destination Local Reference
- 002B01h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 14 (0Eh)
- DTAP (length : 11, 0Bh)
- SAPI : 0, main DCCH is used
SETUP (CC)
Bearer Capability
- length : 1 (1h)
- info xfer cap : speech
- xfer mode : circuit
- coding std : GSM standardized
- radio ch req: full rate ch required
Called Party BCD Nr
- nr type : 0
- nr plan : 1
- nr : 737765

    Conn:1 Card:1 TS:16 Subch:0 21103 16:41:16.326
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 5 (05h)
    - DTAP (length : 2, 02h)
    - SAPI : 0, main DCCH is used
    CALL PROCEEDING (CC)

    Conn:1 Card:1 TS:16 Subch:0 21105 16:41:16.428
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 15 (0Fh)
    - BSSMAP (length : 13, 0Dh)
    ASSIGNMENT REQUEST
    Channel Type
    - length : 3 (03h)
    - speech
    - TCH/FR or HR, FR preferred, changes allowed
    - speech full rate version 1
    L3 Header Information
    - length : 2 (02h)
    - protocol discr. : Radio Resources
    - transaction id. : 0 (0h)
    - message send from originating side
    Circuit Identity Code
    - pcm multiplex : 0 (000h)
    - pcm timeslot : 13 (0Dh)

Conn:1 Card:1 TS:16 Subch:0 21109 16:41:17.375
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 15 (0Fh)
Destination Local Reference
- 002B01h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 7 (07h)
- BSSMAP (length : 5, 05h)
ASSIGNMENT COMPLETE
RR Cause
- normal
Chosen Channel
- full rate TCH

    Conn:1 Card:1 TS:16 Subch:0 21112 16:41:17.444
    UDT - UNIT DATA
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 4 (04h)
    Protocol Class


    - protocol class : 0h, conn.less, discard msg
    Called Party Address
    - length 2 (02h)
    - no global title present
    - routing based on SSN and MTP routing label
    - subsystem is BSSAP
    Calling Party Address
    - length 4 (04h)
    - no global title present
    - routing based on SSN and MTP routing label
    - point code : 1513 (05E9h)
    - subsystem is BSSAP
    SCCP User Data
    - length 30 (1Eh)
    - BSSMAP (length : 28, 1Ch)
    PAGING
    IMSI
    - length : 8 (08h)
    - identity contains an IMSI
    - mobile country code : 123
    - mobile network code : 45
    - MSIN : 0000000001
    Cell Identifier List
    - length : 15 (0Fh)
    - cell global identification is used
    - MCC : 123
    - MNC : 45
    - location area code : 11 (000Bh)
    - cell identifier : 2 (0002h)
    - MCC : 123
    - MNC : 45
    - location area code : 11 (000Bh)
    - cell identifier : 1 (0001h)

Conn:1 Card:1 TS:16 Subch:0 21114 16:41:18.355
CR - CONNECTION REQUEST
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Source Local Reference
- D00400h
Protocol Class
- protocol class : 2h, connection oriented
Called Party Address
- length 4 (04h)
- no global title present
- routing based on SSN and MTP routing label
- point code : 1513 (05E9h)
- subsystem is BSSAP
Calling Party Address
- length 4 (04h)
- no global title present
- routing based on SSN and MTP routing label
- point code : 1515 (05EBh)
- subsystem is BSSAP
SCCP User Data
- length 33 (21h)
End of Optional Parameters
- BSSMAP (length : 31, 1Fh)
COMPLETE L3 INFORMATION
Cell Identifier
- length : 8 (08h)
- cell global identification is used
- MCC : 123
- MNC : 45
- location area code : 11 (000Bh)
- cell identifier : 2 (0002h)
Layer 3 Information
- length : 16 (10h)
Chosen Channel
- SDCCH
PAGING RESPONSE (RR)
Ciphering Key Seq. Nr
- value : 0h
MS Classmark 2
- length : 3 (03h)
- revision level : used by phase 2 MSs
- No autonomous early sending
- encryption algorithm A5/1 available
- class 1, vehicle and portable
- MS does not support ext. band G1
- short message capability present
- PS capability not present
- SS screening indicator 10h
- A5/2 algorithm available
- A5/3 algorithm not available
- no additional MS capabilities available
Mobile Identity
- length : 8h
- IMSI : 123450000000001

    Conn:1 Card:1 TS:16 Subch:0 21116 16:41:18.423
    CC - CONNECTION CONFIRM
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 0 (00h)
    Destination Local Reference
    - D00400h
    Source Local Reference
    - 000202h
    Protocol Class
    - protocol class : 2h, connection oriented
    End of Optional Parameters

    Conn:1 Card:1 TS:16 Subch:0 21119 16:41:18.578


    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 0 (00h)
    Destination Local Reference
    - D00400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 22 (16h)
    - DTAP (length : 19, 13h)
    - SAPI : 0, main DCCH is used
    AUTHENTICATION REQ (MM)
    Ciphering Key Seq. Nr
    - value : 0h
    Auth. Parameter RAND
    30FD3033098AB0C98D8230980928342C

Conn:1 Card:1 TS:16 Subch:0 21123 16:41:19.307
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 9 (09h)
- DTAP (length : 6, 06h)
- SAPI : 0, main DCCH is used
AUTHENTICATION RSP (MM)
Auth. Parameter SRES : 22C9664B

    Conn:1 Card:1 TS:16 Subch:0 21125 16:41:19.369
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 0 (00h)
    Destination Local Reference
    - D00400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 16 (10h)
    - DTAP (length : 13, 0Dh)
    - SAPI : 0, main DCCH is used
    TMSI REALLOC COMMAND (MM)
    Location Area Id.
    - MCC : 123
    - MNC : 45
    - LAC : 11 (bh)
    Mobile Identity
    - length : 5h
    - TMSI : 1822c18

Conn:1 Card:1 TS:16 Subch:0 21128 16:41:20.025
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 5 (05h)
- DTAP (length : 2, 02h)
- SAPI : 0, main DCCH is used
TMSI REALLOC COMPL. (MM)

    Conn:1 Card:1 TS:16 Subch:0 21131 16:41:20.086
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 0 (00h)
    Destination Local Reference
    - D00400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 8 (08h)
    - DTAP (length : 5, 05h)
    - SAPI : 0, main DCCH is used
    SETUP (CC)
    Bearer Capability
    - length : 1 (1h)
    - info xfer cap : speech
    - xfer mode : circuit
    - coding std : GSM standardized
    - radio ch req: dual rate/full rate preferred

Conn:1 Card:1 TS:16 Subch:0 21135 16:41:20.755
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 5 (05h)
- DTAP (length : 2, 02h)
- SAPI : 0, main DCCH is used
CALL CONFIRMED (CC)

    Conn:1 Card:1 TS:16 Subch:0 21137 16:41:20.823


    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 0 (00h)
    Destination Local Reference
    - D00400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 15 (0Fh)
    - BSSMAP (length : 13, 0Dh)
    ASSIGNMENT REQUEST
    Channel Type
    - length : 3 (03h)
    - speech
    - TCH/FR or HR, FR preferred, changes allowed
    - speech full rate version 1
    L3 Header Information
    - length : 2 (02h)
    - protocol discr. : Radio Resources
    - transaction id. : 0 (0h)
    - message send from originating side
    Circuit Identity Code
    - pcm multiplex : 0 (000h)
    - pcm timeslot : 14 (0Eh)

Conn:1 Card:1 TS:16 Subch:0 21140 16:41:21.872
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 7 (07h)
- BSSMAP (length : 5, 05h)
ASSIGNMENT COMPLETE
RR Cause
- normal
Chosen Channel
- full rate TCH

Conn:1 Card:1 TS:16 Subch:0 21143 16:41:22.029
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 5 (05h)
- DTAP (length : 2, 02h)
- SAPI : 0, main DCCH is used
ALERTING (CC)

    Conn:1 Card:1 TS:16 Subch:0 21146 16:41:22.619
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 5 (05h)
    - DTAP (length : 2, 02h)
    - SAPI : 0, main DCCH is used
    ALERTING (CC)

Conn:1 Card:1 TS:16 Subch:0 21149 16:41:23.322
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 5 (05h)
- DTAP (length : 2, 02h)
- SAPI : 0, main DCCH is used
CONNECT (CC)

    Conn:1 Card:1 TS:16 Subch:0 21152 16:41:23.393
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 0 (00h)
    Destination Local Reference
    - D00400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 5 (05h)
    - DTAP (length : 2, 02h)
    - SAPI : 0, main DCCH is used
    CONNECT ACKNOWLEDGE (CC)

    Conn:1 Card:1 TS:16 Subch:0 21155 16:41:23.503
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)


    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 5 (05h)
    - DTAP (length : 2, 02h)
    - SAPI : 0, main DCCH is used
    CONNECT (CC)

Conn:1 Card:1 TS:16 Subch:0 21158 16:41:23.817
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 15 (0Fh)
Destination Local Reference
- 002B01h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 5 (05h)
- DTAP (length : 2, 02h)
- SAPI : 0, main DCCH is used
CONNECT ACKNOWLEDGE (CC)

Conn:1 Card:1 TS:16 Subch:0 21161 16:41:24.043
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 9 (09h)
- DTAP (length : 6, 06h)
- SAPI : 0, main DCCH is used
STATUS (CC)
Cause
- length : 2
- coding standard : GSM
- location : user
- service or option not available
- cause: incompatible with control state
Call State
- value : 202 (cah)

Conn:1 Card:1 TS:16 Subch:0 21164 16:41:37.581
SLTM - SIGNALLING LINK TEST MESSAGE
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
- test pattern length : 15 (Fh)
53 49 45 4D 45 4E 53 5F 54 45 4C 45 43 4F 00

    Conn:1 Card:1 TS:16 Subch:0 21167 16:41:37.595
    SLTA - SIGNALLING LINK TEST ACKNOWLEDGE
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 0 (00h)
    - test pattern length : 15 (Fh)
    53 49 45 4D 45 4E 53 5F 54 45 4C 45 43 4F 00

Conn:1 Card:1 TS:16 Subch:0 21170 16:41:40.041
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 8 (08h)
- DTAP (length : 5, 05h)
- SAPI : 0, main DCCH is used
DISCONNECT (CC)
Cause
- length : 2
- coding standard : GSM
- location : user
- normal event
- cause: normal clearing

    Conn:1 Card:1 TS:16 Subch:0 21173 16:41:40.109
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 0 (00h)
    Destination Local Reference
    - D00400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 9 (09h)
    - DTAP (length : 6, 06h)
    - SAPI : 0, main DCCH is used
    RELEASE (CC)
    Cause
    - length : 2
    - coding standard : GSM
    - location : user
    - normal event
    - cause: normal clearing

    Conn:1 Card:1 TS:16 Subch:0 21176 16:41:40.219
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)


    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 8 (08h)
    - DTAP (length : 5, 05h)
    - SAPI : 0, main DCCH is used
    DISCONNECT (CC)
    Cause
    - length : 2
    - coding standard : GSM
    - location : user
    - normal event
    - cause: normal clearing

Conn:1 Card:1 TS:16 Subch:0 21179 16:41:40.439
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 9 (09h)
- DTAP (length : 6, 06h)
- SAPI : 0, main DCCH is used
RELEASE COMPLETE (CC)
Cause
- length : 2
- coding standard : GSM
- location : user
- normal event
- cause: normal clearing

    Conn:1 Card:1 TS:16 Subch:0 21182 16:41:40.507
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 0 (00h)
    Destination Local Reference
    - D00400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 10 (0Ah)
    - BSSMAP (length : 8, 08h)
    CLEAR COMMAND
    L3 Header Information
    - length : 2 (02h)
    - protocol discr. : Radio Resources
    - transaction id. : 0 (0h)
    - message send from originating side
    Cause
    - length : 1 (01h)
    - radio interface message failure

Conn:1 Card:1 TS:16 Subch:0 21185 16:41:40.535
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 15 (0Fh)
Destination Local Reference
- 002B01h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 9 (09h)
- DTAP (length : 6, 06h)
- SAPI : 0, main DCCH is used
RELEASE (CC)
Cause
- length : 2
- coding standard : GSM
- location : user
- normal event
- cause: normal clearing

Conn:1 Card:1 TS:16 Subch:0 21188 16:41:40.590
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 3 (03h)
- BSSMAP (length : 1, 01h)
CLEAR COMPLETE

    Conn:1 Card:1 TS:16 Subch:0 21191 16:41:40.604
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 9 (09h)
    - DTAP (length : 6, 06h)


    - SAPI : 0, main DCCH is used
    RELEASE COMPLETE (CC)
    Cause
    - length : 2
    - coding standard : GSM
    - location : user
    - normal event
    - cause: normal clearing

    Conn:1 Card:1 TS:16 Subch:0 21193 16:41:40.604
    DT1 - DATA FORM 1
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Segmenting/Reassembling
    - no more data
    SCCP User Data
    - length 10 (0Ah)
    - BSSMAP (length : 8, 08h)
    CLEAR COMMAND
    L3 Header Information
    - length : 2 (02h)
    - protocol discr. : Radio Resources
    - transaction id. : 0 (0h)
    - message send from originating side
    Cause
    - length : 1 (01h)
    - radio interface message failure

Conn:1 Card:1 TS:16 Subch:0 21197 16:41:40.700
DT1 - DATA FORM 1
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 15 (0Fh)
Destination Local Reference
- 002B01h
Segmenting/Reassembling
- no more data
SCCP User Data
- length 3 (03h)
- BSSMAP (length : 1, 01h)
CLEAR COMPLETE

    Conn:1 Card:1 TS:16 Subch:0 21200 16:41:41.217
    RLSD - RELEASED
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 0 (00h)
    Destination Local Reference
    - D00400h
    Source Local Reference
    - 000202h
    Release Cause
    - end user originated
    End of Optional Parameters

    Conn:1 Card:1 TS:16 Subch:0 21202 16:41:41.217
    RLSD - RELEASED
    Routing Label
    - DPC : 1515 (05EBh) OPC : 1513 (05E9h)
    - SLC : 15 (0Fh)
    Destination Local Reference
    - CF0400h
    Source Local Reference
    - 002B01h
    Release Cause
    - end user originated
    End of Optional Parameters

Conn:1 Card:1 TS:16 Subch:0 21206 16:41:41.296
RLC - RELEASE COMPLETE
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 0 (00h)
Destination Local Reference
- 000202h
Source Local Reference
- D00400h

Conn:1 Card:1 TS:16 Subch:0 21207 16:41:41.296
RLC - RELEASE COMPLETE
Routing Label
- DPC : 1513 (05E9h) OPC : 1515 (05EBh)
- SLC : 15 (0Fh)
Destination Local Reference
- 002B01h
Source Local Reference
- CF0400h


Appendix 4: Decoding values for the CM SERVICE REQUEST message [GSM0408]

The following excerpts are from GSM 04.08.

9.2.9 CM service request

This message is sent by the mobile station to the network to request a service for the connection management sublayer entities, e.g. circuit switched connection establishment, supplementary services activation, short message transfer. See table 9.45/GSM 04.08.

Message type: CM SERVICE REQUEST
Significance: dual
Direction: mobile station to network

IEI  Information element                         Type / Reference                        Presence  Format  Length
     Mobility management protocol discriminator  Protocol discriminator 10.2             M         V       ½
     Skip Indicator                              Skip Indicator 10.3.1                   M         V       ½
     CM Service Request message type             Message type 10.4                       M         V       1
     CM service type                             CM service type 10.5.3.3                M         V       ½
     Ciphering key sequence number               Ciphering key sequence number 10.5.1.2  M         V       ½
     Mobile station classmark                    Mobile station classmark 2 10.5.1.6     M         LV      4
     Mobile identity                             Mobile identity 10.5.1.4                M         LV      2-9

Table 9.45/GSM 04.08 CM SERVICE REQUEST message content

10 General message format and information elements coding

The figures and text in this section describe the Information Elements contents.

10.1 Overview
Within the Layer 3 protocols defined in GSM 04.08, every message with the exception of the messages sent on the BCCH, downlink CCCH, SCH, RACH, and the HANDOVER ACCESS message, is a standard L3 message as defined in GSM 04.07. This means that the message consists of the following parts:

a) protocol discriminator;
b) transaction identifier;
c) message type;
d) other information elements, as required.

This organization is illustrated in the example shown in figure 10.1/GSM 04.08.

8 7 6 5 4 3 2 1
Transaction identifier or Skip Indicator | Protocol discriminator    octet 1
Message type                                                         octet 2
Other information elements as required                               etc.

FIGURE 10.1/GSM 04.08: General message organization example


Unless specified otherwise in the message descriptions of section 9, a particular information element shall not be present more than once in a given message.
The term "default" implies that the value defined shall be used in the absence of any assignment, or that this value allows negotiation of alternative values in between the two peer entities.
When a field extends over more than one octet, the order of bit values progressively decreases as the octet number increases. The least significant bit of the field is represented by the lowest numbered bit of the highest numbered octet of the field.

Table 11.1: Formats of information elements

Format  Meaning                 IEI present  LI present  Value part present
T       Type only               yes          no          no
V       Value only              no           no          yes
TV      Type and Value          yes          no          yes
LV      Length and Value        no           yes         yes
TLV     Type, Length and Value  yes          yes         yes

NOTICE !

….
The order of the information elements within the imperative part of messages has been chosen so that information elements with ½ octet of content (type 1) go together in succession. The first type 1 information element occupies bits 1 to 4 of octet N, the second bits 5 to 8 of octet N, the third bits 1 to 4 of octet N + 1 etc. If the number of type 1 information elements is odd then bits 5 to 8 of the last octet occupied by these information elements contains a spare half octet IE in format V.
….

10.2 Protocol Discriminator
The Protocol Discriminator (PD) and its use are defined in GSM 04.07. GSM 04.08 defines the protocols relating to the PD values

bits 4 3 2 1
     0 0 1 1  Call Control; call related SS messages
     0 1 0 1  Mobility Management messages
     0 1 1 0  Radio Resource management messages

except the call related SS procedures, which are defined in GSM 04.10.

10.3 Skip indicator and transaction identifier

10.3.1 Skip indicator

Bits 5 to 8 of the first octet of every Radio Resource management message and Mobility Management message contains the skip indicator. A message received with skip indicator different from 0000 shall be ignored. A message received with skip indicator encoded as 0000 shall not be ignored (unless it is ignored for other reasons). A protocol entity sending a Radio Resource management message or a Mobility Management message shall encode the skip indicator as 0000.

10.3.2 Transaction identifier

Bits 5 to 8 of the first octet of every message belonging to the protocol "Call Control; call related SS messages" contain the transaction identifier (TI). The transaction identifier and its use are defined in GSM 04.07.

The following item is from specification 04.07.

8 7 6 5 4 3 2 1
TI flag | TI value    octet 1

Figure 11.9: Transaction identifier

Table 11.3. Transaction identifier

TI flag (octet 1)
Bit 8
    0  The message is sent from the side that originates the TI
    1  The message is sent to the side that originates the TI

TI value (octet 1)
Bits 7 6 5
     0 0 0  TI value 0
     0 0 1  - - 1
     0 1 0  - - 2
     0 1 1  - - 3
     1 0 0  - - 4
     1 0 1  - - 5
     1 1 0  - - 6
     1 1 1  Reserved for future extension.

10.4 Message Type
The message type IE and its use are defined in GSM 04.07. Tables 10.3/GSM 04.08, 10.4/GSM 04.08, and 10.5/GSM 04.08 define the value part of the message type IE used in the Radio Resource management protocol, the Mobility Management protocol, and the Call Control protocol.

8 7 6 5 4 3 2 1
0 0 1 1 1 - - -  Channel establishment messages:
          0 1 1  - ADDITIONAL ASSIGNMENT
          1 1 1  - IMMEDIATE ASSIGNMENT
          0 0 1  - IMMEDIATE ASSIGNMENT EXTENDED
          0 1 0  - IMMEDIATE ASSIGNMENT REJECT
0 0 1 1 0 - - -  Ciphering messages:
          1 0 1  - CIPHERING MODE COMMAND
          0 1 0  - CIPHERING MODE COMPLETE
0 0 1 0 1 - - -  Handover messages:
          1 1 0  - ASSIGNMENT COMMAND
          0 0 1  - ASSIGNMENT COMPLETE
          1 1 1  - ASSIGNMENT FAILURE
          0 1 1  - HANDOVER COMMAND
          1 0 0  - HANDOVER COMPLETE
          0 0 0  - HANDOVER FAILURE
          1 0 1  - PHYSICAL INFORMATION
0 0 0 0 1 - - -  Channel release messages:
          1 0 1  - CHANNEL RELEASE
          0 1 0  - PARTIAL RELEASE
          1 1 1  - PARTIAL RELEASE COMPLETE
0 0 1 0 0 - - -  Paging messages:
          0 0 1  - PAGING REQUEST TYPE 1
          0 1 0  - PAGING REQUEST TYPE 2
          1 0 0  - PAGING REQUEST TYPE 3
          1 1 1  - PAGING RESPONSE
0 0 0 1 1 - - -  System information messages:
          0 0 0  - SYSTEM INFORMATION TYPE 8
          0 0 1  - SYSTEM INFORMATION TYPE 1
          0 1 0  - SYSTEM INFORMATION TYPE 2
          0 1 1  - SYSTEM INFORMATION TYPE 3
          1 0 0  - SYSTEM INFORMATION TYPE 4
          1 0 1  - SYSTEM INFORMATION TYPE 5
          1 1 0  - SYSTEM INFORMATION TYPE 6
          1 1 1  - SYSTEM INFORMATION TYPE 7
0 0 0 0 0 - - -  System information messages:
          0 1 0  - SYSTEM INFORMATION TYPE 2bis
          0 1 1  - SYSTEM INFORMATION TYPE 2ter
          1 0 1  - SYSTEM INFORMATION TYPE 5bis
          1 1 0  - SYSTEM INFORMATION TYPE 5ter
0 0 0 1 0 - - -  Miscellaneous messages:
          0 0 0  - CHANNEL MODE MODIFY
          0 1 0  - RR STATUS
          1 1 1  - CHANNEL MODE MODIFY ACKNOWLEDGE
          1 0 0  - FREQUENCY REDEFINITION
          1 0 1  - MEASUREMENT REPORT
          1 1 0  - CLASSMARK CHANGE
          0 1 1  - CLASSMARK ENQUIRY

Table 10.1/GSM 04.08: Message types for Radio Resource management

Bit 8 is reserved for possible future use as an extension bit, see GSM 04.07.

8 7 6 5 4 3 2 1
0 x 0 0 - - - -  Registration messages:
        0 0 0 1  - IMSI DETACH INDICATION
        0 0 1 0  - LOCATION UPDATING ACCEPT
        0 1 0 0  - LOCATION UPDATING REJECT
        1 0 0 0  - LOCATION UPDATING REQUEST
0 x 0 1 - - - -  Security messages:
        0 0 0 1  - AUTHENTICATION REJECT
        0 0 1 0  - AUTHENTICATION REQUEST
        0 1 0 0  - AUTHENTICATION RESPONSE
        1 0 0 0  - IDENTITY REQUEST
        1 0 0 1  - IDENTITY RESPONSE
        1 0 1 0  - TMSI REALLOCATION COMMAND
        1 0 1 1  - TMSI REALLOCATION COMPLETE
0 x 1 0 - - - -  Connection management messages:
        0 0 0 1  - CM SERVICE ACCEPT
        0 0 1 0  - CM SERVICE REJECT
        0 0 1 1  - CM SERVICE ABORT
        0 1 0 0  - CM SERVICE REQUEST
        1 0 0 0  - CM RE-ESTABLISHMENT REQUEST
        1 0 0 1  - ABORT
0 x 1 1 - - - -  Miscellaneous messages:
        0 0 0 1  - MM STATUS

Table 10.2/GSM 04.08: Message types for Mobility Management

Bit 8 is reserved for possible future use as an extension bit, see GSM 04.07.
Bit 7 is reserved for the send sequence number in messages sent from the mobile station. In messages sent from the network, bit 7 is coded with a "0". See GSM 04.07.

8 7 6 5 4 3 2 1
0 x 0 0 0 0 0 0  escape to nationally specific message types; see 1) below
0 x 0 0 - - - -  Call establishment messages:
        0 0 0 1  - ALERTING
        1 0 0 0  - CALL CONFIRMED
        0 0 1 0  - CALL PROCEEDING
        0 1 1 1  - CONNECT
        1 1 1 1  - CONNECT ACKNOWLEDGE
        1 1 1 0  - EMERGENCY SETUP
        0 0 1 1  - PROGRESS
        0 1 0 1  - SETUP
0 x 0 1 - - - -  Call information phase messages:
        0 1 1 1  - MODIFY
        1 1 1 1  - MODIFY COMPLETE
        0 0 1 1  - MODIFY REJECT
        0 0 0 0  - USER INFORMATION
        1 0 0 0  - HOLD
        1 0 0 1  - HOLD ACKNOWLEDGE
        1 0 1 0  - HOLD REJECT
        1 1 0 0  - RETRIEVE
        1 1 0 1  - RETRIEVE ACKNOWLEDGE
        1 1 1 0  - RETRIEVE REJECT
0 x 1 0 - - - -  Call clearing messages:
        0 1 0 1  - DISCONNECT
        1 1 0 1  - RELEASE
        1 0 1 0  - RELEASE COMPLETE
0 x 1 1 - - - -  Miscellaneous messages:
        1 0 0 1  - CONGESTION CONTROL
        1 1 1 0  - NOTIFY
        1 1 0 1  - STATUS
        0 1 0 0  - STATUS ENQUIRY
        0 1 0 1  - START DTMF
        0 0 0 1  - STOP DTMF
        0 0 1 0  - STOP DTMF ACKNOWLEDGE
        0 1 1 0  - START DTMF ACKNOWLEDGE
        0 1 1 1  - START DTMF REJECT
        1 0 1 0  - FACILITY

Table 10.3/GSM 04.08: Message types for Call Control and call related SS messages

1): When used, the message type is defined in the following octet(s), according to the national specification.

Bit 8 is reserved for possible future use as an extension bit, see GSM 04.07.
Bit 7 is reserved for the send sequence number in messages sent from the mobile station. In messages sent from the network, bit 7 is coded with a "0". See GSM 04.07.


10.5.3.3 CM service type

The purpose of the CM Service Type information element is to specify which service is requested from the network.
The CM Service Type information element is coded as shown in figure 10.63/GSM 04.08 and table 10.63/GSM 04.08.
The CM Service Type is a type 1 information element.

8 7 6 5 4 3 2 1
CM service type IEI | service type    octet 1

FIGURE 10.63/GSM 04.08: CM Service Type information element

Service type (octet 1)
Bits 4 3 2 1
     0 0 0 1  Mobile originating call establishment or packet mode connection establishment
     0 0 1 0  Emergency call establishment
     0 1 0 0  Short message service
     1 0 0 0  Supplementary service activation

All other values are reserved.

Table 10.63/GSM 04.08: CM Service Type information element

10.5.1.2 Ciphering Key Sequence Number

The purpose of the Ciphering Key Sequence Number information element is to make it possible for the network to identify the ciphering key Kc which is stored in the mobile station without invoking the authentication procedure. The ciphering key sequence number is allocated by the network and sent with the AUTHENTICATION REQUEST message to the mobile station where it is stored together with the calculated ciphering key Kc.
The Ciphering Key Sequence Number information element is coded as shown in figure 10.3/GSM 04.08 and table 10.6/GSM 04.08.
The ciphering key sequence number is a type 1 information element.

8 7 6 5 4 3 2 1
Ciphering Key Sequence Number IEI | 0 spare | key sequence    octet 1

FIGURE 10.3/GSM 04.08: Ciphering Key Sequence Number information element

Key sequence (octet 1)
Bits 3 2 1
     0 0 0
     through  Possible values for the ciphering key sequence number
     1 1 0
     1 1 1    No key is available (MS to network); Reserved (network to MS)

Table 10.6/GSM 04.08: Ciphering Key Sequence Number information element


10.5.1.6 Mobile Station Classmark 2

The purpose of the Mobile Station Classmark 2 information element is to provide the network with information concerning aspects of both high and low priority of the mobile station equipment. This affects the manner in which the network handles the operation of the mobile station. The Mobile Station Classmark information indicates general mobile station characteristics and it shall therefore, except for fields explicitly indicated, be independent of the frequency band of the channel it is sent on.
The Mobile Station Classmark 2 information element is coded as shown in figure 10.7/GSM 04.08, table 10.10a/GSM 04.08 and table 10.10b/GSM 04.08.
The Mobile Station Classmark 2 is a type 4 information element with 5 octets length.

8 7 6 5 4 3 2 1
Mobile station classmark 2 IEI                                                      octet 1
Length of mobile station classmark 2 contents                                       octet 2
0 spare | Revision level | ES IND | A5/1 | RF power capability                      octet 3
0 spare | PS capa. | SS Screen. Indicator | SM capabi. | 0 0 spare | FC             octet 4
CM3 | 0 0 0 0 0 spare | A5/3 | A5/2                                                 octet 5

FIGURE 10.7/GSM 04.08: Mobile Station Classmark 2 information element

NOTE: Owing to backward compatibility problems, bit 8 of octet 4 should not be used unless it is also checked that the bits 8, 7 and 6 of octet 3 are not "0 0 0".


Revision level (octet 3)
Bits 7 6
     0 0  Reserved for phase 1
     0 1  Used by phase 2 MSs

All other values are reserved for future use

ES IND (octet 2, bit 5) "Controlled Early Classmark Sending" option implementation
0  "Controlled Early Classmark Sending" option is not implemented
1  "Controlled Early Classmark Sending" option is implemented

A5/1 algorithm supported (octet 3, bit 4)
0  encryption algorithm A5/1 available
1  encryption algorithm A5/1 not available

When the GSM 900 band is used (for exceptions see 3.4.12):
Bits 3 2 1
     0 0 0  class 1
     0 0 1  class 2
     0 1 0  class 3
     0 1 1  class 4
     1 0 0  class 5

All other values are reserved.

When the DCS 1800 band is used (for exceptions see 3.4.12):
Bits 3 2 1
     0 0 0  class 1
     0 0 1  class 2
     0 1 0  class 3

All other values are reserved.

PS capability (pseudo-synchronization capability) (octet 4)
Bit 7
    0  PS capability not present
    1  PS capability present

SS Screening Indicator (octet 4)
Bits 6 5
     0 0  defined in GSM 04.80
     0 1  defined in GSM 04.80
     1 0  defined in GSM 04.80
     1 1  defined in GSM 04.80

SM capability (MT SMS pt to pt capability) (octet 4)
Bit 4
    0  Mobile Station does not support mobile terminated point to point SMS
    1  Mobile Station supports mobile terminated point to point SMS

Table 10.10a/GSM 04.08: Mobile Station Classmark 2 information element


FC Frequency Capability (octet 4)
When the GSM 900 band is used (for exceptions see 3.4.12):
bit 1
    0  The mobile station does not support the extension band G1 in addition to the primary GSM band. (For definition of frequency bands see GSM 05.05)
    1  The mobile station does support the extension band G1 in addition to the primary GSM band. (For definition of frequency bands see GSM 05.05)

When the DCS 1800 band is used (for exceptions see 3.4.12):
bit 1
    0  Reserved for future use (for definition of frequency bands see GSM 05.05)

Note: This bit conveys no information about support or non support of the G1 extension band when transmitted on a DCS 1800 channel.

Classmark 3 (octet 5, bit 8)
0  No additional MS capability information available
1  Additional MS capabilities are described in the Classmark 3 information element

A5/3 algorithm supported (octet 5, bit 2)
0  encryption algorithm A5/3 not available
1  encryption algorithm A5/3 available

A5/2 algorithm supported (octet 5, bit 1)
0  encryption algorithm A5/2 not available
1  encryption algorithm A5/2 available

Table 10.10b/GSM 04.08: Mobile Station Classmark 2 information element

NOTE: Additional mobile station capability information might be obtained by invoking the classmark interrogation procedure.

10.5.1.4 Mobile Identity

The purpose of the Mobile Identity information element is to provide either the international mobile subscriber identity, IMSI, the temporary mobile subscriber identity, TMSI, the international mobile equipment identity, IMEI or the international mobile equipment identity together with the software version number, IMEISV.
The IMSI shall not exceed 15 digits, the TMSI is 4 octets long, and the IMEI is composed of 15 digits, the IMEISV is 16 digits (see GSM 03.03).
For all transactions except emergency call establishment, emergency call re-establishment, mobile terminated call establishment, the identification procedure, and the ciphering mode setting procedure, the mobile station and the network shall select the mobile identity type with the following priority:

1- TMSI: The TMSI shall be used if it is available.

2- IMSI: The IMSI shall be used in cases where no TMSI is available.

For mobile terminated call establishment the mobile station shall select the same mobile identity type as received from the network in the PAGING REQUEST message.
For emergency call establishment and re-establishment the mobile station shall select the mobile identity type with the following priority:

1- TMSI: The TMSI shall be used if it is available.

2- IMSI: The IMSI shall be used in cases where no TMSI is available.

3- IMEI: The IMEI shall be used in cases where no SIM is available or the SIM is considered as not valid by the mobile station or no IMSI or TMSI is available.

In the identification procedure the mobile station shall select the mobile identity type which was requested by the network.
In the ciphering mode setting procedure the mobile shall select the IMEISV.
The Mobile Identity information element is coded as shown in figure 10.5/GSM 04.08 and table 10.8/GSM 04.08.
The Mobile Identity is a type 4 information element with a minimum length of 3 octet and 10 octets length maximal. Further restriction on the length may be applied, e.g. number plans.

8 7 6 5 4 3 2 1
Mobile Identity IEI                                        octet 1
Length of mobile identity contents                         octet 2
Identity digit 1 | odd/even indic | Type of identity       octet 3
Identity digit p+1 | Identity digit p                      octet 4

FIGURE 10.5/GSM 04.08: Mobile Identity information element

Type of identity (octet 3)
Bits 3 2 1
     0 0 1  IMSI
     0 1 0  IMEI
     0 1 1  IMEISV
     1 0 0  TMSI
     0 0 0  No Identity note 1)

All other values are reserved.

Odd/even indication (octet 3)
Bit 4
    0  even number of identity digits and also when the TMSI is used
    1  odd number of identity digits

Identity digits (octet 3 etc)
For the IMSI, IMEI and IMEISV this field is coded using BCD coding. If the number of identity digits is even then bits 5 to 8 of the last octet shall be filled with an end mark coded as "1111".

If the mobile identity is the TMSI then bits 5 to 8 of octet 3 are coded as "1111" and bit 8 of octet 4 is the most significant bit and bit 1 of the last octet the least significant bit. The coding of the TMSI is left open for each administration.

Table 10.8/GSM 04.08: Mobile Identity information element

NOTE 1: This can be used in the case when a fill paging message without any valid identity has to be sent on the paging subchannel
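
The decoding rules excerpted in this appendix, combined into an added example (not part of the lab handout or of GSM 04.08): a Python decoder that walks a CM SERVICE REQUEST octet by octet and rejects truncated or malformed input. The two sample messages, their subscriber digits and all function names are constructed for illustration.

```python
"""Decode a GSM 04.08 CM SERVICE REQUEST message (added example, not lab code)."""

MM_PD = 0x5                # protocol discriminator 0 1 0 1 (section 10.2)
CM_SERVICE_REQUEST = 0x24  # message type 0 0 1 0 0 1 0 0 (Table 10.2)
SERVICE_TYPES = {          # Table 10.63, bits 4 3 2 1
    0x1: "mobile originating call or packet mode connection establishment",
    0x2: "emergency call establishment",
    0x4: "short message service",
    0x8: "supplementary service activation",
}
IDENTITY_TYPES = {0: "No Identity", 1: "IMSI", 2: "IMEI", 3: "IMEISV", 4: "TMSI"}


class Reader:
    """Cursor over the message octets that refuses to read past the end."""

    def __init__(self, data):
        self.data, self.pos = bytes(data), 0

    def take(self, count):
        if self.pos + count > len(self.data):
            raise ValueError(f"message truncated after octet {len(self.data)}")
        chunk = self.data[self.pos:self.pos + count]
        self.pos += count
        return chunk

    def take_lv(self, lowest, highest):
        """Read an LV element: a length octet, then that many value octets."""
        length = self.take(1)[0]
        if not lowest <= length <= highest:
            raise ValueError(f"LV length {length} outside {lowest}..{highest}")
        return self.take(length)


def decode_classmark2(value):
    """Value part of Mobile Station Classmark 2 (octets 3 to 5 of figure 10.7)."""
    o3, o4, o5 = value
    power = o3 & 0x07
    return {
        "revision_level": (o3 >> 5) & 0x03,          # bits 7 6
        "es_ind": bool(o3 & 0x10),                   # bit 5
        "a5_1": not (o3 & 0x08),                     # bit 4, inverted: 0 = available
        "rf_power_class": power + 1 if power <= 4 else None,  # GSM 900 table
        "ps_capability": bool(o4 & 0x40),            # bit 7
        "ss_screening": (o4 >> 4) & 0x03,            # bits 6 5
        "sm_capability": bool(o4 & 0x08),            # bit 4
        "fc": bool(o4 & 0x01),                       # bit 1
        "classmark3": bool(o5 & 0x80),               # bit 8
        "a5_3": bool(o5 & 0x02),                     # bit 2
        "a5_2": bool(o5 & 0x01),                     # bit 1
    }


def decode_mobile_identity(value):
    """Value part of Mobile Identity: returns (type name, digits or TMSI hex)."""
    if not value:
        raise ValueError("empty Mobile Identity")
    first = value[0]
    name = IDENTITY_TYPES.get(first & 0x07)
    odd = bool(first & 0x08)
    if name is None:
        raise ValueError(f"reserved identity type {first & 0x07:03b}")
    if name == "No Identity":
        return name, ""
    if name == "TMSI":
        # Bits 5 to 8 of octet 3 are 1111, indication is "even", 4 octets follow.
        if first >> 4 != 0xF or odd or len(value) != 5:
            raise ValueError("malformed TMSI identity")
        return name, value[1:].hex()
    nibbles = [first >> 4]                           # identity digit 1
    for octet in value[1:]:
        nibbles += [octet & 0x0F, octet >> 4]        # digit p, then digit p+1
    if not odd and nibbles.pop() != 0xF:
        raise ValueError("even digit count without the 1111 end mark")
    if any(n > 9 for n in nibbles):
        raise ValueError("identity digit is not BCD")
    return name, "".join(str(n) for n in nibbles)


def decode_cm_service_request(message):
    """Return the decoded fields, or None when the skip indicator says ignore."""
    reader = Reader(message)
    o1, o2, o3 = reader.take(3)
    if o1 & 0x0F != MM_PD:
        raise ValueError("protocol discriminator is not Mobility Management")
    if o1 >> 4:
        return None              # skip indicator other than 0000: ignore message
    if o2 & 0x3F != CM_SERVICE_REQUEST:   # bit 8 extension, bit 7 send sequence
        raise ValueError(f"message type {o2:#04x} is not CM SERVICE REQUEST")
    classmark = decode_classmark2(reader.take_lv(3, 3))
    id_type, identity = decode_mobile_identity(reader.take_lv(1, 8))
    cksn = (o3 >> 4) & 0x07      # second type 1 IE: bits 5 to 8, top bit spare
    return {
        "service_type": SERVICE_TYPES.get(o3 & 0x0F, "reserved"),  # bits 1 to 4
        "cksn": cksn,
        "key_available": cksn != 0x07,    # 1 1 1 = no key is available
        "classmark2": classmark,
        "identity_type": id_type,
        "identity": identity,
    }


# Constructed sample messages (made-up subscriber digits and TMSI).
IMSI_MESSAGE = bytes.fromhex("05247103331981080910101032547698")
TMSI_MESSAGE = bytes.fromhex("0564210333198105f4deadbeef")

if __name__ == "__main__":
    for sample in (IMSI_MESSAGE, TMSI_MESSAGE):
        print(decode_cm_service_request(sample))
```

When reviewing a trace, the decoded fields worth a second look are `identity_type` (an IMSI here means the permanent identity crossed the interface instead of a TMSI) and `key_available`.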


Appendix 5: Excerpts from GSM 08.08

This appendix contains information on the structure of a COMPLETE LAYER 3 INFORMATION message, which is the first message sent by the BSC at the beginning of a BSSMAP connection. Encapsulated in the message, within the Layer 3 Information field, is the first MS-to-MSC message, like CM SERVICE REQUEST or PAGING RESPONSE.

3.2.1.32 COMPLETE LAYER 3 INFORMATION

The message is sent from the BSS to the MSC as described in subclause 3.1.16 (on receipt of the initial layer 3 message on a dedicated channel, e.g. PAGING RESPONSE, LOCATION UPDATING REQUEST, CM REESTABLISHMENT REQUEST, CM SERVICE REQUEST, IMSI DETACH).
The message is sent via the BSSAP SCCP connection established for the associated dedicated resource(s).

INFORMATION ELEMENT   REFERENCE  DIRECTION  TYPE   LEN
Message Type          3.2.2.1    BSS-MSC    M      1
Cell Identifier       3.2.2.17   BSS-MSC    M      3-10
Layer 3 Information   3.2.2.24   BSS-MSC    M      3-n
Chosen Channel        3.2.2.33   BSS-MSC    O (1)  2

1 This element is optionally used by the BSS to give the MSC a description of the channel rate/type on which the initial layer 3 message was received.

3.2.2 SIGNALLING ELEMENT CODING

This paragraph contains the CODING of the signalling elements used.
The following conventions are assumed for the sequence of transmission of bits and bytes:

- Each bit position is marked as 1 to 8. Bit 1 is the least significant bit and is transmitted first.

- In an element octets are identified by number, octet 1 is transmitted first, then octet 2 etc.

When a field extends over more than one octet, the order of bit values progressively decreases as the octet number increases. The least significant bit of the field is represented by the lowest numbered bit of the highest numbered octet of the field.

- For variable length elements a length indicator is included, this indicates the number of octets following in the element.

- All fields within Information Elements are mandatory unless otherwise specified. The Information Element Identifier shall always be included.

All spare bits are set to 0.
The elements used and their CODING are:

Element Identifier Coding  Element name                        Reference
0000 0001                  Circuit Identity Code               3.2.2.2
0000 0010                  Reserved                            *
0000 0011                  Resource Available                  3.2.2.4
0000 0100                  Cause                               3.2.2.5
0000 0101                  Cell Identifier                     3.2.2.17
0000 0110                  Priority                            3.2.2.18
0000 0111                  Layer 3 Header Information          3.2.2.9
0000 1000                  IMSI                                3.2.2.6
0000 1001                  TMSI                                3.2.2.7
0000 1010                  Encryption Information              3.2.2.10
0000 1011                  Channel Type                        3.2.2.11
0000 1100                  Periodicity                         3.2.2.12
0000 1101                  Extended Resource Indicator         3.2.2.13
0000 1110                  Number Of MSs                       3.2.2.8
0000 1111                  Reserved                            *
0001 0000                  Reserved                            *
0001 0001                  Reserved                            *
0001 0010                  Classmark Information Type 2        3.2.2.19
0001 0011                  Classmark Information Type 3        3.2.2.20
0001 0100                  Interference Band To Be Used        3.2.2.21
0001 0101                  RR Cause                            3.2.2.22
0001 0110                  Reserved                            *
0001 0111                  Layer 3 Information                 3.2.2.24
0001 1000                  DLCI                                3.2.2.25
0001 1001                  Downlink DTX Flag                   3.2.2.26
0001 1010                  Cell Identifier List                3.2.2.27
0001 1011                  Response Request                    3.2.2.28
0001 1100                  Resource Indication Method          3.2.2.29
0001 1101                  Classmark Information Type 1        3.2.2.30
0001 1110                  Circuit Identity Code List          3.2.2.31
0001 1111                  Diagnostic                          3.2.2.32
0010 0000                  Layer 3 Message Contents            3.2.2.35
0010 0001                  Chosen Channel                      3.2.2.33
0010 0010                  Total Resource Accessible           3.2.2.14
0010 0011                  Cipher Response Mode                3.2.2.34
0010 0100                  Channel Needed                      3.2.2.36
0010 0101                  Trace Type                          3.2.2.37
0010 0110                  Triggerid                           3.2.2.38
0010 0111                  Trace Reference                     3.2.2.39
0010 1000                  Transactionid                       3.2.2.40
0010 1001                  Mobile Identity                     3.2.2.41
0010 1010                  OMCId                               3.2.2.42
0010 1011                  Forward Indicator                   3.2.2.43
0010 1100                  Chosen Encryption Algorithm         3.2.2.44
0010 1101                  Circuit Pool                        3.2.2.45
0010 1110                  Circuit Pool List                   3.2.2.46
0010 1111                  Time Indication                     3.2.2.47
0011 0000                  Resource Situation                  3.2.2.48
0011 0001                  Current Channel type 1              3.2.2.49
0011 0010                  Queueing Indicator                  3.2.2.50
0100 0000                  Speech Version                      3.2.2.51
0011 0011                  Assignment Requirement              3.2.2.52
0011 0101                  Talker Flag                         3.2.2.54
0011 0110                  Connection Release Requested        3.2.2.3
0011 0111                  Group Call Reference                3.2.2.56
0011 1000                  eMLPP Priority                      3.2.2.56
0011 1001                  Configuration Evolution Indication  3.2.2.57

* Information Element codes marked as "reserved" are reserved for use by previous versions of this interface specification


3.2.2.1 Message Type

Message Type uniquely identifies the message being sent. It is a single octet element, mandatory in all messages.
Bit 8 is reserved for future extension of the code set. All unassigned codes are spare.

8 7 6 5 4 3 2 1
0 0 0 0 0 0 0 0  Reserved.

ASSIGNMENT MESSAGES
0 0 0 0 0 0 0 1  ASSIGNMENT REQUEST
0 0 0 0 0 0 1 0  ASSIGNMENT COMPLETE
0 0 0 0 0 0 1 1  ASSIGNMENT FAILURE

HANDOVER MESSAGES
0 0 0 1 0 0 0 0  HANDOVER REQUEST
0 0 0 1 0 0 0 1  HANDOVER REQUIRED
0 0 0 1 0 0 1 0  HANDOVER REQUEST ACKNOWLEDGE
0 0 0 1 0 0 1 1  HANDOVER COMMAND
0 0 0 1 0 1 0 0  HANDOVER COMPLETE
0 0 0 1 0 1 0 1  HANDOVER SUCCEEDED
0 0 0 1 0 1 1 0  HANDOVER FAILURE
0 0 0 1 0 1 1 1  HANDOVER PERFORMED
0 0 0 1 1 0 0 0  HANDOVER CANDIDATE ENQUIRE
0 0 0 1 1 0 0 1  HANDOVER CANDIDATE RESPONSE
0 0 0 1 1 0 1 0  HANDOVER REQUIRED REJECT
0 0 0 1 1 0 1 1  HANDOVER DETECT

RELEASE MESSAGES
0 0 1 0 0 0 0 0  CLEAR COMMAND
0 0 1 0 0 0 0 1  CLEAR COMPLETE
0 0 1 0 0 0 1 0  CLEAR REQUEST
0 0 1 0 0 0 1 1  RESERVED
0 0 1 0 0 1 0 0  RESERVED
0 0 1 0 0 1 0 1  SAPI “N” REJECT
0 0 1 0 0 1 1 0  CONFUSION

OTHER CONNECTION RELATED MESSAGES
0 0 1 0 1 0 0 0  SUSPEND
0 0 1 0 1 0 0 1  RESUME

GENERAL MESSAGES
0 0 1 1 0 0 0 0  RESET
0 0 1 1 0 0 0 1  RESET ACKNOWLEDGE
0 0 1 1 0 0 1 0  OVERLOAD
0 0 1 1 0 0 1 1  RESERVED
0 0 1 1 0 1 0 0  RESET CIRCUIT
0 0 1 1 0 1 0 1  RESET CIRCUIT ACKNOWLEDGE
0 0 1 1 0 1 1 0  MSC INVOKE TRACE
0 0 1 1 0 1 1 1  BSS INVOKE TRACE

TERRESTRIAL RESOURCE MESSAGES
0 1 0 0 0 0 0 0  BLOCK
0 1 0 0 0 0 0 1  BLOCKING ACKNOWLEDGE
0 1 0 0 0 0 1 0  UNBLOCK
0 1 0 0 0 0 1 1  UNBLOCKING ACKNOWLEDGE
0 1 0 0 0 1 0 0  CIRCUIT GROUP BLOCK
0 1 0 0 0 1 0 1  CIRCUIT GROUP BLOCKING ACKNOWLEDGE
0 1 0 0 0 1 1 0  CIRCUIT GROUP UNBLOCK
0 1 0 0 0 1 1 1  CIRCUIT GROUP UNBLOCKING ACKNOWLEDGE
0 1 0 0 1 0 0 0  UNEQUIPPED CIRCUIT
0 1 0 0 1 1 1 0  CHANGE CIRCUIT
0 1 0 0 1 1 1 1  CHANGE CIRCUIT ACKNOWLEDGE

RADIO RESOURCE MESSAGES
0 1 0 1 0 0 0 0  RESOURCE REQUEST
0 1 0 1 0 0 0 1  RESOURCE INDICATION
0 1 0 1 0 0 1 0  PAGING
0 1 0 1 0 0 1 1  CIPHER MODE COMMAND
0 1 0 1 0 1 0 0  CLASSMARK UPDATE
0 1 0 1 0 1 0 1  CIPHER MODE COMPLETE
0 1 0 1 0 1 1 0  QUEUING INDICATION
0 1 0 1 0 1 1 1  COMPLETE LAYER 3 INFORMATION
0 1 0 1 1 0 0 0  CLASSMARK REQUEST
0 1 0 1 1 0 0 1  CIPHER MODE REJECT
0 1 0 1 1 0 1 0  LOAD INDICATION

VGCS/VBS
0 0 0 0 0 1 0 0  VGCS/VBS SETUP
0 0 0 0 0 1 0 1  VGCS/VBS SETUP ACK
0 0 0 0 0 1 1 0  VGCS/VBS SETUP REFUSE
0 0 0 0 0 1 1 1  VGCS/VBS ASSIGNMENT REQUEST
0 0 0 1 1 1 0 0  VGCS/VBS ASSIGNMENT RESULT
0 0 0 1 1 1 0 1  VGCS/VBS ASSIGNMENT FAILURE
0 0 0 1 1 1 1 0  VGCS/VBS QUEUING INDICATION
0 0 0 1 1 1 1 1  UPLINK REQUEST
0 0 1 0 0 1 1 1  UPLINK REQUEST ACKNOWLEDGE
0 1 0 0 1 0 0 1  UPLINK REQUEST CONFIRMATION
0 1 0 0 1 0 1 0  UPLINK RELEASE INDICATION
0 1 0 0 1 0 1 1  UPLINK REJECT COMMAND
0 1 0 0 1 1 0 0  UPLINK RELEASE COMMAND
0 1 0 0 1 1 0 1  UPLINK SEIZED COMMAND

3.2.2.17 Cell Identifier

This element uniquely identifies a cell within a BSS and is of variable length containing the following fields:

8 7 6 5 4 3 2 1
Element identifier                              octet 1
Length                                          octet 2
Spare | Cell identification discriminator       octet 3
Cell identification                             octet 4 - n

The coding of octet 2 is a binary number indicating the length of the remaining element. The length depends on the Cell identification discriminator (octet 3).
The coding of "Cell identification discriminator" (bits 1 to 4 of octet 3) is a binary number indicating if the whole or a part of Cell Global Identification, CGI, according to GSM 03.03 is used for cell identification in octet 4-n. The "Cell identification discriminator" is coded as follows:

0000  The whole Cell Global Identification, CGI, is used to identify the cell.
0001  Location Area Code, LAC, and Cell Identity, CI, is used to identify the cell.
0010  Cell Identity, CI, is used to identify the cell.
0011  No cell is associated with the transaction.

All other values are reserved.

The coding of octet 4-n depends on the Cell identification discriminator (octet 3). Below the coding is shown for each Cell identification discriminator:
Note that no coding is specified for a Cell identification discriminator value of "0011" as no additional information is required.

Coding of Cell Identification for Cell identification discriminator = 0000

8 7 6 5 4 3 2 1
MCC dig 2 | MCC dig 1     octet 4
1 1 1 1 | MCC dig 3       octet 5
MNC dig 2 | MNC dig 1     octet 6
LAC                       octet 7
LAC cont.                 octet 8
CI value                  octet 9
CI value cont             octet 10

The octets 4-8 are coded as shown in GSM 04.08, Table ‘Location Area Identification information element’.
The octets 9-10 are coded as shown in GSM 04.08, Table ‘Cell Identity information element’.

Coding of Cell Identification for Cell identification discriminator = 0001

8 7 6 5 4 3 2 1
LAC                       octet 4
LAC cont.                 octet 5
CI value                  octet 6
CI value cont             octet 7

Coding of Cell Identification for Cell identification discriminator = 0010

8 7 6 5 4 3 2 1
CI value                  octet 4
CI value cont             octet 5

The octets 4-5 are coded as shown in GSM 04.08, Table ‘Cell Identity information element’

3.2.2.24 Layer 3 Information

This is a variable length element used to pass radio interface messages from one network entity to another.

8 7 6 5 4 3 2 1
Element identifier        octet 1
Length                    octet 2
Layer 3 information       octet 3 - n

Octet 1 identifies the element. Octet 2 gives the length of the following layer 3 information.
Octet j (j = 3, 4, ..., n) is the unchanged octet j-2 of a radio interface layer 3 message as defined in GSM 04.08, n-2 is equal to the length of that radio interface layer 3 message.


Appendix 5: Excerpts from GSM 08.08

3.2.2.33 Chosen Channel

This Information Element contains a description of the channel allocated to the MS.

For VGCS/VBS calls this Information Element contains a description of the channel allocated for the call in the cell.

It is coded as follows:

    8 7 6 5        | 4 3 2 1   |
    Element identifier         | octet 1
    Channel mode   | Channel   | octet 2

The channel mode field is coded as follows:

    Bit 8765
    0000 no channel mode indication
    1001 speech (full rate or half rate)
    1110 data, 14.5 kbit/s radio interface rate
    1011 data, 12.0 kbit/s radio interface rate
    1100 data, 6.0 kbit/s radio interface rate
    1101 data, 3.6 kbit/s radio interface rate
    1000 signalling only

All other values are reserved.

The channel field is coded as follows:

    Bit 4321
    0000 None (Note *)
    0001 SDCCH
    1000 1 Full rate TCH
    1001 1 Half rate TCH
    1010 2 Full Rate TCHs
    1011 3 Full Rate TCHs
    1100 4 Full Rate TCHs
    1101 5 Full Rate TCHs
    1110 6 Full Rate TCHs
    1111 7 Full Rate TCHs
    0100 8 Full Rate TCHs

NOTE *: This value may be returned in the chosen channel information for VGCS/VBS calls in the case where the BSS has decided to de-allocate resources or allocate no resources for the call.

All other values are reserved.
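An added example (not part of the original lab handout or of GSM 08.08): a Python decoder for the Cell Identifier, Layer 3 Information and Chosen Channel codings excerpted above, which checks the length octet against the octets actually present and against the discriminator before reading any field. The sample bytes are constructed; the discriminator position (bits 4-1 of octet 3) and the identifier octets 05, 17 and 21 used in the samples come from GSM 08.08 rather than from this excerpt.

```python
# Added example: decoders for three GSM 08.08 elements. Each takes one complete
# element starting at octet 1 (the element identifier, which is not checked).

CHANNEL_MODE = {  # bits 8765 of Chosen Channel octet 2
    0b0000: "no channel mode indication",
    0b1001: "speech (full rate or half rate)",
    0b1110: "data, 14.5 kbit/s radio interface rate",
    0b1011: "data, 12.0 kbit/s radio interface rate",
    0b1100: "data, 6.0 kbit/s radio interface rate",
    0b1101: "data, 3.6 kbit/s radio interface rate",
    0b1000: "signalling only",
}
CHANNEL = {  # bits 4321 of Chosen Channel octet 2
    0b0000: "None", 0b0001: "SDCCH",
    0b1000: "1 Full rate TCH", 0b1001: "1 Half rate TCH",
    0b1010: "2 Full Rate TCHs", 0b1011: "3 Full Rate TCHs",
    0b1100: "4 Full Rate TCHs", 0b1101: "5 Full Rate TCHs",
    0b1110: "6 Full Rate TCHs", 0b1111: "7 Full Rate TCHs",
    0b0100: "8 Full Rate TCHs",
}
# Number of octets that follow octet 3, per Cell identification discriminator
CELL_ID_OCTETS = {0b0000: 7, 0b0001: 4, 0b0010: 2, 0b0011: 0}

# Constructed sample (not from the lab capture): MCC 001, MNC 01,
# LAC 0x1234, CI 0xABCD.
SAMPLE_CELL_ID = bytes.fromhex("05 08 00 00 F1 10 12 34 AB CD")

def _value(ie):
    """Return the octets counted by the length octet (octet 2), or raise."""
    if len(ie) < 2 or ie[1] != len(ie) - 2:
        raise ValueError("length octet does not match the octets present")
    return ie[2:]

def decode_layer3_information(ie):
    """Octets 3..n are the radio interface layer 3 message, unchanged."""
    return bytes(_value(ie))

def decode_cell_identifier(ie):
    value = _value(ie)
    if not value:
        raise ValueError("octet 3 (discriminator) is missing")
    disc = value[0] & 0x0F  # assumed: discriminator in bits 4-1 of octet 3
    data = value[1:]
    want = CELL_ID_OCTETS.get(disc)
    if want is None or len(data) != want:
        raise ValueError("discriminator not covered here, or length does not fit it")
    out = {"discriminator": format(disc, "04b")}
    if disc == 0b0000:  # octets 4-6: MCC and MNC digits, one per nibble
        out["mcc"] = "%X%X%X" % (data[0] & 15, data[0] >> 4, data[1] & 15)
        out["mnc"] = "%X%X" % (data[2] & 15, data[2] >> 4)
        data = data[3:]
    if disc in (0b0000, 0b0001):  # LAC, LAC cont.
        out["lac"] = int.from_bytes(data[:2], "big")
        data = data[2:]
    if disc != 0b0011:  # CI value, CI value cont.
        out["ci"] = int.from_bytes(data[:2], "big")
    return out

def decode_chosen_channel(ie):
    if len(ie) != 2:
        raise ValueError("Chosen Channel is exactly two octets")
    mode, channel = ie[1] >> 4, ie[1] & 0x0F
    return CHANNEL_MODE.get(mode, "reserved"), CHANNEL.get(channel, "reserved")
```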


Helsinki University of Technology S-72.260 Communications Laboratory Lab 2


PRELIMINARY EXERCISES

P1

What is the difference between acknowledged state and unacknowledged state in LAPD and LAPDm signalling? Why are there no check bits or frame marks in LAPDm signalling?

P2

Sketch a signalling diagram of the following signalling subsections: Random access and access grant (MS is given a radio channel), ciphering and authentication, call release. These subsections are repeated over and over again in each signalling procedure during the laboratory exercise. Include all interfaces in your signalling diagrams.

P3

List CC, MM and RR protocol messages, at least four of each.

P4

Referring to L4: What information is saved on the SIM card when the MS is switched off?

P5

Which parts of NSS (Network Subsystem) are responsible for storing the ciphering key; when is the ciphering key transmitted in the signalling network and where? How does authentication happen? Show the functioning of A3, A5, and A8 algorithms (for example with a figure). In L4 you have to configure authentication and ciphering, so it is very important to understand how they work.

P6

Answer the following questions based on the signalling example in Appendix 3.

a) What kind of a connection is established (MS->MS, PSTN->MS, MS->ISDN etc.)?
b) What is the first message sent by an MS over the A interface?
c) Why is the sequence number of the messages "hopping"?
d) Give an example of an SCCP message, BSSMAP message and DTAP message. Message name is enough.
e) What is the SS#7 signalling point code of the BSC? What is the signalling point code of the MSC?
f) What kind of control channel is the MS requesting from the MSC?
g) What is the cell identifier of the cell where A subscriber is located? Which message contains this information?
h) Is ciphering used? Is authentication used?
i) What PCM time interval is used for signalling on the A interface?
j) What is the number of the B subscriber? What is the IMSI/TMSI of the B subscriber? What is the IMSI of the A subscriber?
k) What kind of a traffic channel is allocated on the air interface? What time slot is used on PCM line over the A interface to transmit the traffic data?
l) In which cells is the B subscriber paged? In which cell is the B subscriber located?
m) What is the first message of the B subscriber to the MSC?
n) Does the B subscriber use IMSI or TMSI when replying to paging response?
o) How long does the phone call last? What is the reason of call release?
p) What is the purpose of Source/Destination Local Reference in SCCP messages?

P7

Sketch a signalling diagram of signalling between ASSIGNMENT REQUEST and ASSIGNMENT COMPLETE messages (Include the messages from all interfaces!).

Sketch a signalling diagram of signalling between PAGING and PAGING RESPONSE messages (Include the messages from all interfaces!).

P8

What are the layers of SS#7 in BSS and MSC?

P9

Explain (with a figure) the relation between BSSAP, BSSMAP, DTAP and d-function.

P10

Why is it useful to attach MSC and VLR together? What about HLR/AuC/EiR? Why is it useful to place TRAU physically close to MSC?


P11

Below is a signalling message with all layers shown separately. Decode the necessary parts of the message, and answer the following questions. Use appendices.

a) What is OPC and DPC?
b) What is the cell identifier of the cell the MS is in?
c) On which channel did MS send the message?
d) What is the value for CKSN?
e) Is A5/2 algorithm in use?
f) How does the phone identify itself to the network?

MSU
8D 8F 38 83 E9 C5 7A A1 01 AA 02 00 02 02 06 04 43 E9
05 FE 04 04 43 EB 05 FE 0F 1E 00 1C 57 05 08 00 21 F3
54 00 0B 00 01 17 0D 05 24 11 03 20 18 01 05 F4 01 5E
1B CD 21 01 00

CR-CONNECTION REQUEST
E9 C5 7A A1 01 AA 02 00 02 02 06 04 43 E9 05 FE 04 04
43 EB 05 FE 0F 1E 00 1C 57 05 08 00 21 F3 54 00 0B 00
01 17 0D 05 24 11 03 20 18 01 05 F4 01 5E 1B CD 21 01
00

COMPLETE L3 INFORMATION (BSSMAP)
57 05 08 00 21 F3 54 00 0B 00 01 17 0D 05 24 11 03 20
18 01 05 F4 01 5E 1B CD 21 01

CM SERVICE REQUEST (MM)
05 24 11 03 20 18 01 05 F4 01 5E 1B CD


General Instructions for Lab 2

• The laboratory has three Siemens S6 mobile phones and one Nokia 6150 dual band phone. There are three SIM-cards (SeppoJ, SvenG and HeikkiPS). MSISDN numbers follow the American style ADG = BEH = 123 (A=1, D=2, G=3). The numbers of the phones are: SeppoJ = 737765, SvenG = 78364 and HeikkiPS = 43455477.

• At times the phones are not able to connect to the base stations; you might have to wait a while. The other option is to turn off the phone, then turn it on again and hope that the phone finds the net faster. Also, when the simulator is switched off, the connection to the phones is broken and they will have to be switched on again. The connection to the net will also be broken if authentication fails (AUTHENTICATION REJECT).

• It would be appropriate to bring your own SIM-card to the lab if possible. If neither of the lab partners has a small SIM-card, the assistant may kindly lend one. Your own SIM-card is needed in lab exercise 4.

General Instructions for using NetHawk

The NetHawk program consists of three parts: configuration tool, simulator and monitoring program. Visit the web-site www.xnet.fi

MSC/A Simulator

1. The simulator has two functioning modes: active mode and command mode. In active mode, the simulation proceeds normally and relatively automatically. If you wish to give some of your own commands to MSC (for example to send AUTHENTICATION REQUEST to one of the phones) you need to switch to command mode and give the appropriate commands. In this lab work the commands are given with macros that are prepared beforehand (by clicking the mouse). So, you’ll not have to worry about the command interpreter.

2. To make the signalling happen between MSC and BSS, the MTP-link between MSC (NetHawk) and BSS (Siemens) has to be switched on immediately after the simulator. This is done by using the macro called ”Start MTP-link”. The alarm LEDs of the base station should turn off.

3. NetHawk cannot connect calls unless it is told how to do it. If a call is made from one phone to another, the macro called ”MS<->MS” must be run first. This macro passes the information to the simulator. Likewise, if a PSTN/ISDN call is made, it is essential that the macro called ”Fixed” is run first. In addition, if a call is to be made from the fixed phone to a mobile phone, NetHawk must be told which one of the phones is to be reached by choosing the macro called Pag 1, Pag 2 or Pag 3. The ”fixed phone” attached to the simulator is actually nothing more than a speaker; it has no dial and no ringing sound.

4. Whenever the configuration of the simulator is to be changed, the simulator must be switched off first and the new configuration read in when restarting. Switching off the simulator breaks the connection to the base station, which in turn breaks the connection between the base station and the phones in the area. The phones should also be switched off and restarted so that they find the net again in decent time.

MSC/A Configuration tool

1. The configuration tool is used to create files beforehand. These files include the information the MSC needs, such as the MSISDN numbers of the phones and other information on the subscriber and the phones, ciphering parameters, the addresses of the MSC and BSS signalling points and the SS#7 protocols used (ANSI or ITU-T). Because the NetHawk MSC/A simulator does not have a VLR, HLR/AuC or EiR, the configuration files also include information on these network elements.

2. Not all fields are critical to the functioning of the simulator. Some of the values are updated when MSC and MS talk to each other and some are optional. This is useful to keep in mind when creating the configuration.

MSC/A Monitoring

1. The monitoring program has two modes: active mode and history mode. In active mode, the program decodes the traffic on interface A in a defined way, almost in real time. In history mode, the traffic on the A interface is saved in a memory buffer. Nothing is shown on the screen, which makes examining the signalling easier. Switching between modes is done by pressing the space key or clicking the right mouse button inside the monitoring window.

2. The program can select the messages of the wanted protocol layer. For example, the messages of the MTP2 link layer are not very interesting to monitor because the layer also carries a great amount of garbage: if there is no message data (MSU), there are filling message units (FISU). The wanted layers, and how they are to be decoded, can be chosen from the Monitoring -> Layer Details (F6) menu. In the laboratory work these settings are mostly ”prepared” beforehand and saved in configuration files to avoid time-consuming difficulties with the program settings.


LABORATORY EXERCISES

The report is to be returned one week after the laboratory shift, at the latest. You can bring a floppy disk with you to the lab, and save signalling data on it. You should also bring your own SIM card, if possible.

NetHawk configuration files needed in this laboratory exercise can be found in the directory c:\NetHawk3\configs\lab\

When you create your own configurations, do not overwrite the old ones when saving; save them in c:\NetHawk3\configs\temp\ instead !!!!

Mere short answers will not be enough in most of the questions. Explanations of how the conclusions were reached are required. However, blaa blaa text is not needed.

L1

Load configuration teht1.cfg to the simulator.

This is a troubleshooting exercise. In the configuration there are two problems that prevent you from making a call SeppoJ -> HeikkiPS. Your mission, Jim, - should you choose to accept it - is to find those errors from the signalling. You can monitor A interface signalling with the monitoring program.

a) What kind of problems arise when trying to connect to the network and/or make the phone call? What is the reason for these problems?

Repair/go around the problems (examine the simulator’s scripts) and make the phone call.

b) How did you go around the problems?


L2

Load configuration teht2.cfg to the simulator.

Make a call MS<->MS. Examine signalling with the monitoring program.

Examine SS#7-signalling on SCCP level. Print the signalling of the SCCP layer.

a) Explain how the SS#7 connection is formed. Explain how parallel SCCP connections are distinguished from each other.

b) Explain the difference between DATA FORM 1 and UNIT DATA messages. What GSM L3 message is encapsulated in a UNIT DATA message and why do you think this is so?

Examine GSM L3-level signalling. Print the signalling of the GSM L3 layer.

c) What is the first message sent from MS to MSC? What information elements does it include?

d) What is the first message sent from MSC to MS?

e) List the phases of L3 signalling that take place before TMSI ALLOCATION COMPLETE message.


f) In this uplink direction what network element performs deciphering? What is the Kc used? How can you know it if it is not supposed to be sent over the air interface?

g) At which point in the signalling procedure does the MS switch to FACCH channel? What type of radio channel is used?

h) What information elements does the ASSIGNMENT REQUEST message include? What is the purpose of the message?

i) What information is included in the SETUP message sent by the A subscriber?

j) Which message includes information on the MSISDN number of the B subscriber? How (with TMSI, IMSI) is the B subscriber paged?


L3

Call setup time is one possible QoS criterion (Quality of Service). Examine the signalling of the MS -> MS call of the previous exercise and especially the durations of different phases (between messages). Which phase takes longest? Why? What happens during it? Draw a signalling diagram of the whole connection event, i.e. include messages from ALL interfaces. Circle the messages displayed by NetHawk in the diagram. Write your answer on a separate piece of paper.

L4

MSC configuration exercise. By using the MSC configuration tool, set the parameters of MSC and BSS so that the SCCP connection between MSC and BSS is enabled. Use the file teht4.cfg as a template. Your job is to configure the parameters of MSC so that the MTP link to BSS works. If the parameters are not correct, the connection cannot be established. You can use signalling data from previous exercises to make your configuration work.

Do not save anything over the configuration you have loaded but save the fixed configuration in c:\NetHawk3\configs\lab2\teht4\ryhmanro.cfg !!!

The parameters of the simulator’s phone (MSC/Party Numbers), such as the number (1234), are already defined. Generally, not all the parameters of MSC necessarily have critical meaning. Experiment! You may have to iterate your configuration many times.

The addresses (Point Codes) of signalling points are given in hex form.

The synchronisation set up of the simulator must be SLAVE. PCM multiplex=0.

After you have reached the connection to BSS, switch the SIM-card of your own phone to one of the other phones. Use the configuration tool again and create yourself as one of the subscribers in the network.

Do not touch the parameters of short messages (SMS, TPDU, Priority).

Because at the beginning you will not know all the parameters of your GSM link, you will have to “guess” some of them. Switch on the GSM1800 phone and wait until it finds one of the base stations. By using the monitoring program, examine the signalling on interface A and answer the following questions.

a) Does the GSM1800 network you configured accept the phone equipped with your SIM card? What happens (signalling)? Fix the possible error situation again by using the configuration tool. Configure the network so that authentication and ciphering work. Explain how you achieved this. Notice that you will have to set the encryption algorithm as 'no encryption'. Why is that?

b) What is IMSI of your own SIM?

Explain how you got ciphering and authentication to work!


Print the signalling that includes the following information.

c) We want to find out the cell identity of the serving cell in the network you use (your own SIM-card; Radiolinja, Sonera, Telia etc.) in MCC MNC LAC form. Find out this information by using the BSS, monitoring program, and your SIM card. How did you do that?

d) By examining signalling, can you find out the ciphering key Kc of your own phone? How did you manage to do that?

e) What was the ciphering key number (CKSN) given to you by your own network? It was given to you by the operator during the connection in question c). Is there a security risk? Explain why.

f) What was the TMSI that the operator gave during the connection of question c)?

L5

What is the IMEI code of HeikkiPS? What is the IMEISV of HeikkiPS? Use the simulator (scripts maybe) and signalling to find this out. Which message gives you this information? Use configuration teht5.cfg in the simulator.

You are allowed to change the simulator scripts in this exercise. Destroying is forbidden. After this exercise the scripts will have to be changed back to look exactly the same as they did before changing.

Compare with P4


L6

Use the same configuration as in the previous exercise. Attach the phone to the power splitter in the middle. Turn the adjustable attenuation to its minimum. Switch the phone on. Add attenuation and examine signalling.

a) Does Location Update (LU) happen? What are the LACs of the cells?

b) Why is LU made when LAC changes but not necessarily when the cell changes?

c) Use the monitor mode of the MS and find out the received power level at which LU happens. At which level does the MS make LU back to its old cell (hysteresis)? Why is hysteresis needed in cell reselection when the cell LACs are different?

Call the simulator phone. Add attenuation slowly. Try to induce a handover to the other cell. Examine the signalling with the monitoring program.

d) In which cell does the phone answer?

e) Which message indicates that handover has happened?

f) What causes handover?

g) Which network element is responsible for handover (BTS, BSC, MSC, MS)?