Seminar Fs12 Alyafawi

7/25/2019 Seminar Fs12 Alyafawi

1/29

26.March 2012 1CDS seminar

CDS Seminar, 26. March 2012

GSM Indoor Localization :

Mobile station eventsIslam Alyafawi

Universitt Bern


2/29


GSM indoor localization: Mobile station events

Outline

In3D guide objective

Challenges

Network Architecture

Paths under privacy roles

Future work


3/29



Objectives and Approaches

Guide people to their indoor

destinations using their mobile

phones

Using GSM technology

Independent from the local

cellular operator infrastructure

Transparent from the user side

Localization system based on

Multilateration technique

Analyze GSM signals based ontheir type, function, and identity.

Capture GSM signals (Mobile

GSM network) using wireless

sensors (USRP)

Multilaterationtechnique is based on the measurement of the difference in distance to two or

more stations at known locations

USRP : Universal Software Radio Peripheral


4/29



Hows ?

GSM Feature

TDMA/FDAM

Frequency hopping

Random Identity of users

Ciphering

Channels has different

functionality

Messages format depend

on its functionalities

Power control is on

Challenge

Time/frequency synch.

Know/ follow the hopping

sequence for single andmulti-users

Track unique user

Tracking the channel type

Analyzing GSM messages

Analyzing localization

parameters (e.g. TDoA)

Proposed solution

USRP follow MS wakeup

Using Airprobe

Read frequency sequence

transmitted over certain

channels

Find an algorithm to

match different identitiesto anonymous user

Synchronize USRPs

together


5/29



GSM network architecture

MS: Mobile Station BTS: Base Transiever Station

BSC: Base Station Controler MSC: Mobile Switching Center

HLR: Home Location Register VLR: Visitor Location Rigister

AuC: Authentication Center EIR: Equipment Identity Register


6/29



Functional layer of GSM

Connection management

Mobility management

Radio Resource management

Data link layer

Physical layer

CM

MM

RR

MS

Air Abis

RR

BTS BSC MSC

A

LAPDm

TDMA

FDMA

RR

LAPDm

TDMA

FDMA

CM

MM

n n


7/2926.March 2012 7CDS seminar


MS identities

MSISDN: Mobile Subscriber ISDN Number

IMSI: InternationalMobileSubscriberIdentity

TMSI: Temporary Mobile Subscriber Identity,

MSRN: Mobile Station Roaming Number

LMSI: Local Mobile Subscriber Identity

LAI: Location Area Identity




IMSI/TMSI structure

TMSI

Identification

Network Resource

Identifier (NRI)

TMSI

Generation

Temporary Mobile Subscriber Identity (TMSI)

All Parameters length and location are operater configuration

4 Octet

Mobile Subscriber

Identification Number

Mobile

Country Code

International Mobile Subscriber Identity (IMSI)

8 Octet

Mobile

Network Code




Logical channels in GSM

Common Channels

CCH

Dedicated Channels

DCH

Broadcast Channels

BCH

Common Control

Channels

CCCH

Dedicated Control

Channels

DCCH

Traffic Channels

TCH

Frequency Correction

Channel

FCCH

Synchronization

ChannelSCH

Broadcast Control

Channel

BCCH

Paging Channel

PCH

Random Access

ChannelRACH

Access Grant

Channel

AGCH

Slow Dedicated

Control Channel

SDCCH

Slow Associated

Control ChannelSACCH

Fast Associated

Control Channel

FACCH

Full rate

TCH/F

Half rate

TCH/H




Analyzing GSM messages (LAPDm)

Signalling dataFill-in bit

Fill octet

A-Format

Address field

8 bits

Control field

8 bits

Frame length

8 bits

B-Format

Bbis-Format

N201 = 23 octets

Address field: - Service Access Point Identifier

- Link Protocol Discriminator

Control field: - Send/receive sequence number

- Frame type

Frame length: -The signalling data length

Fill-in bit : all 1 bits to extend the length to

the desired N201 bits

Fill octet

Abis-Format

Signalling dataFill-in bit

Usage:

A, B:

SACCH, FACCH, SDCCH

Abis, Bbis:

BCCH, PCH, AGCH




Analyzing GSM messages (LAPDm)

Channel N201

SACCH 18 octets

SDCCH, FACCH 20 octets

BCCH, AGCH, PCH 22 octets

Fill octetType ID

8 bits

Message Type

8 bits

Type ID: - Protocl discriminator

Message type: -Determine all messages that

are define on the air interface




Burst types (156.25 bits)

TB

3

F

1

GB

8.25

Encrypted bits

57

Training sequence

26

F

1

Encrypted bits

57

TB

3

Normal Burst (NB)

TB

3

GB

8.25

Fixed bits

142

TB

3

Frequency correction Burst (FB)

TB

3

F

1

GB

8.25

Encrypted bits

39

Synchronization sequence

64

F

1

Encrypted bits

39

TB

3

Synchronization Burst (SB)

TB

3

GB

68.25

Encrypted bits

36

Synchronization 41

sequence

TB

3

Access Burst (AB)

TB

3

Training sequence

26

Mix bits

58

Dummy Burst (DB)

GB

8.25

TB

3

Mix bits

58

TB: Tail Bit

F: Flag

GB:Gard Band




TDMA, bursts to frame

TS 0 TS 1 TS 2 TS 3 TS 4 TS 5 TS 6 TS 7


200 KHz

45MHz

577 s

TS 0 TS 1 TS 2

TS 0 TS 1 TS 2

Time

1 TDMA frame = 4.165 ms

Downlink

Uplink




Frame structure in GSM


0 1 24 25 0 1 49 50

TB3

F1

GP8.25

Encrypted bits57

Training sequence26

F1

Encrypted bits57

TB3

0 1 24 25

0 1 49 50

0 1 2046 20472

TDMA frame

Multi

frame

Time slot

Super

frame

Hyper

frame




FDMA

Time

Frequency

577 s

200KHz

GSM900

Uplink: 890-915MHz

Down: 935-960MHz

Duplex interval: 45MHz

Bandwidth: 25MHz

Frequency interval: 200KHz

Burst




Frequency hopping

The hopping rate is about 217 changes per second

There are essentially two types of hopping algorithms available

Cyclic hopping: the transmit frequency in accordance to a predefined

list of frequencies in sequential order

Random hopping: the transmit frequency randomly through a set of

frequencies


17/29



In3D guide structure

NO ACCESS


18/29



USRP: Hardware-Software

Hardware

Contain s radio daughterboard's (e.g. RFX900, 800-1000 MHz

Transceiver, WBX 50-2200 MHz Transceiver)

Analog to digital converters (ADCs), 64 M sample/s

digital to analog converters (DACs), 128 M sample/s

200 us PLL lock time

Software

GNU Radio is a free software development toolkit that provides the signal processing runtimeand processing blocks to implement software radios using readily-available, low-cost external

RF hardware and commodity processors

AirProble is a free software tool to build an air-interface analysis for the GSM mobile phone

standard


19/29



Frequency/time synchronization

Scanning GSM

bands, 200 kHz

> Power

threshold

NoFCCH

channel

No

Yes

The mobile wakes

up for the first time

Record FCCH

sequence (zeros)

Frequency

correction

Yes

The USRP wakes up in the same was as mobile station

Frequency Synchronization


20/29



Frequency/time synchronization

Scan SCH channel

-Training sequence for timesynchronization

-Current frame number for

the serving BTS

-Base station Identity code-Base station color code

-Network color code

The USRP wakes up in the same was as mobile station

Time Synchronization


21/29



Frequency hopping

BTS hopping MS hopping

Obtaining Frequency

hopping Sequence

Listening to 4

BCCH slots

Listening to

CCCH channels

AGCH

channel

No

Obtain

Hopping Sequence Number

Mobile Allocation Index Offset

Yes


22/29



Authentication

Base

Stations

MSC /

VLR

HLR /

AuC

MS request

IMSI, TMSI_old

Mobile

Stations

REQ_INFO

IMSI

IMSI, triplets

(RAND, SRES, Kc)

IMSI, RANDAUTH_REQ

RANDAUTH_RES

SRES Compare SRES

CIPH_MOD_CMD

CIPH_MOD_COM

Cipher ModeTMSI_REAL_CMD

TMSI

Request:-Location update

-IMSI detach

-CM Servicve

Request


23/29



IMSI attach/Location update

MobileStation

BaseStations

MSC /VLR

CHAN_REQ

IMM_ASS_CMD

SDCCHLOC_UPD_REQ

IMSI, TMSIREQ_ACK LOC_UPD_REQ

IMSI, TMSI

HLR /AuC

Cipher Mode

LOC_UPD_ACCTMSI

TMSI_REAL_CMD

TMSITMSI_REAL_COMLOC_UP

CHAN_REL

Authentication


24/29



IMSI detach

MobileStation

BaseStations

MSC /VLR

CHAN_REQ

IMM_ASS_CMD

SDCCHIMSI_DET_IND

IMSI, TMSI

HLR /AuC

Authentication

Location Cancel

Request

Removes any pointers for

the IMSI from its registryLocation Cancel

Acknowledge

Mobile Base MSC / HLR /


25/29

Mobile

Station

Base

Stations

MSC /

VLR

PAG_REQ

IMSI, TMSI

HLR /

AuC

Cipher Mode

Authentication

The Call in progress

CHAN_REQ

IMM_ASS_CMD

SDCCHPAG_RES

SETUP(CLIP)

CLIP = Calling Line

Identification Presentation

CALL_CON

TCH

ASS_CMD

ASS_COM

ALERT

Connect with PTSN

CON_ACK

The calling party terminatethe call

Mobile Base MSC / HLR /


26/29

Mobile

Station

Base

Stations

MSC /

VLR

HLR /

AuC

Disconnect-Release channel

Close the call

DISC

REL

REL_CMD

CHAN_REL

DISC (LAPDm)


27/29



Power control

Calculated power

level at BTS

Within

threshold

Send command

over SACCH

header withpower

adjustment level

SACCH at FN

12 and 25

Yes No

Send command

over SACCHheader with NO

power

adjustment level

Slow power control every 480 ms

Fast power control every 20 ms, signalling is made over

enhanced inband associated control channel (E-IACCH)


28/29



USRPs synchronization

-GPS does not work for indoor enviroments

-Coaxial cable delay is not tolerated at

high data rate

Training sequence

based on the internal

clock

Adjust the internal clock

based on the sequence

If the USRPs are not synchronize with eath

other after synchronizing with BTS


29/29


4. Future work

Invistigating more research for the messages in the bit level

The physical layer of GSM technology (Modulation, coding,...)

Algorithm(s) to connect messages flow/TMSI and unique user

Documents

Seminar Fs12 Alyafawi