M900/M1800 GSM SYSTEM

MSC/SSP Training Document

OMA0002 GSM Communication Flow

Huawei Technologies CO.,Ltd.

Training Center

Contents
1

M900/M1800 GSM SYSTEM........................................................................................................................2

1.1

GSM SECURITY MANAGEMENT...........................................................................................................4

1.2

GSM BASIC CALL SEQUENCE............................................................................................................18

1.3

LOCATION UPDATE SEQUENCES.........................................................................................................56

1.4

SMS SEQUENCE..................................................................................................................................78

1.5

HANDOVER SEQUENCE.......................................................................................................................97

M900/M1800 GSM System

There are five parts in this course, the first section, several sequence related with
the GSM security management; then the basic call sequence will be explained in
detail, it is the most important sequence in this course ;in the third section, the
location update sequence is introduced; the fourth part, the SMS sequence, its
very similar to the call sequence; at last, a brief introduction to the handover
sequence. Thats the content for the course.

1.1 GSM Security Management

At first, lets see the first part-GSM security management.

As a digital communication system, the security management is very easy to be
realized for GSM. In GSM system, the security management consists of four parts,
authentication and ciphering, TMSI reallocation and equipment identification.

Lets see the first one, authentication. Generally, authentication may be

executed during call setup, location updating and supplementary
services; it ensures only legal subscriber can access to the network.

At the side of the network, the AUC is the entity,

which produces the

authentication parameters.
In AUC, there stores IMSI and KI of the mobile station, besides, security algorithm ,
A3 and A8 ,still random number generator. This generator produces the different
random number, here, for short, RAND.
Then, how does AUC produce the authentication parameters? We know for one
MS, the unique identification is IMSI, corresponding to the IMSI, there is a set of
KI. In AUC, KI and RAND will be calculated through A3 and A8, the results are
called SRES and Kc respectively. RAND, SRES and Kc (authentication
parameters), are called triples .For different RAND, the different SRES and Kc will
be generated, So, in AUC, for each mobile subscriber, accordingly, there are many
sets of triples. In the buffer, there are tables

which indicate the relationship

between IMSI and triples.

In GSM system, we know, AUC only has interface with HLR, so ,AUC will send the
triples to HLR, from 8 to 10 sets every time. temporarily, there stores the triples in
HLR.

At the side of the mobile station, in the SIM card, IMSI and KI are stored,also,A3
and A8.when MS wants to access to the network, for example, call setup, location
updating or supplementary services, from the HLR the triples are sent to the VLR
which the MS is registered.
The VLR will send authentication request to the MS, at the same time, the RAND
in the triples are sent to the MS, after the MS received the request, at SIM card,
same calculation with AUC will be executed, KI and RAND which are from VLR
through A3 and A8, SRES and Kc can be got in SIM card, then SRES is sent to the
VLR, the VLR compare the two SRES, if equal, the MS can access to the system.

Then, the authentication and ciphering message sequence.

When the MS sends the request of call setup, location updating and
supplementary services, if authentication is set to necessary in the VLR, then the
VLR check whether there are authentication parameters in it or not, if not, the VLR
will send authentication parameters request to the HLR, generally, the HLR
sends the triples in groups of five through the acknowledgement message. These
triples are stored in the VLR. This ensures that the VLR can carry out the
authentication and that it will not have to contact the HLR.

Then, the VLR initiates the authentication by sending message : authenticate to

the MSC. The MSC will repackage this message and send it on to the MS. The
message is an Authentication Request and contains the random number RAND.

When the mobile receives the message, it responds with the Authentication
Response message, this contains the signed response (SRES).

If authentication is successful, the VLR will request the MSC to start ciphering
procedures using the Start Ciphering message. This message contains
information indicating whether ciphering is required.
If authentication fails the HLR will be notified and an Authentication Reject
message will be sent to the mobile.

10

The MSC will start ciphering procedures by sending the Ciphering Mode
Command This message contains the encryption information required by the
BSS. The new mode is applied for reception on the network side after the
message has been sent.
In the CIPHER MODE COMMAND, the MSC specifies which of the ciphering
algorithms may be used by the BSS. Upon receipt of the CIPHERING MODE
COMMAND message indicating ciphering, the mobile station shall start
transmission and reception in the indicated mode.
Whenever the mobile station receives a valid CIPHERING MODE COMMAND
message, it shall, if a SIM is present and considered valid by the ME and the
ciphering key sequence number stored on the SIM indicates that a ciphering key is
available, load the ciphering key stored on the SIM into the ME.
The BSS then selects an appropriate algorithm, taking into account the MS
ciphering capabilities. The CIPHER MODE COMPLETE message returned to the
MSC indicates the chosen ciphering algorithm message to the BSS.

11

Upon receipt of the CIPHERING MODE COMPLETE message the network starts
transmission in the new mode.
Whether the traffic or signaling information between the mobile and the BTS can
be encrypted. Generally, A5 algorithms and KC(ciphering key) are used during the
ciphering.
For the encryption (MS or BTS) , the information is processed with KC via A5;for
the decryption(BTS or MS),the received information is also processed with KC via
A5.

12

From the ciphering sequence, we can see, the ciphering will be processed after
the network gets the identification of MS(IMSI).That is, ciphering is point to point.
So, IMSI is transferred without encryption in radio path. This is very dangerous. We
know, IMSI is the unique identification of the mobile subscriber.
In GSM system, to avoid this instance, TMSI reallocation is used.
TMSI is the abbreviation of Temporary Mobile Subscriber Identification. It is
allocated by VLR. After a location update, the VLR will assign a new TMSI for the
mobile. The New TMSI and LAI will be transmitted to mobile through Location
Update Accept message.
The mobile has stored both TMSI and LAI on its SIM card, It will send the TMSI
Reallocate complete message to the VLR to confirm that the location update has
been completed.
During call setup, location updating and supplementary service, the mobile only
sends TMSI to the network, not IMSI. In this way, IMSI become very safe.

13

In the security management of the GSM system, on the side of the mobile station,
the first three are all based on the SIM card .
For the last one, equipment identification is based on the mobile equipment.
IMEI, International Mobile Equipment Identification, it is the unique number for the
mobile equipment. On the side of the

network, EIR(Equipment Identification

Register) stores the IMEI of all the mobile equipment.

There are three databases in the EIR: white list, black list and grey list.
In the white list ,IMEI of legal mobile equipment is stored.
In the black list, IMEI of illegal mobile equipment are stored.
In the grey list, IMEIs of faulty mobile equipment are stored.
Equipment Identification will be initiated by the MSC sending the equipment ID
Request message to the mobile. This will be carried out less frequently than
authentication. The frequency of the checks will be at the discretion of the network
operator. Equipment Identification will be carried out during a Location Update or a
Call Setup.

14

The mobile will respond to the message by sending the ID Response message.
This message contains the equipments IMEI number.

15

Equipment Identification
MS
1 Equipment ID
Request
2 ID Response

BSS

MSC

VLR HLR PSTN EIR

<SDCCH>
<SDCCH>
IMEI)

3 Check IMEI
Check IMEI
Response

After the MSC received the ID Response message, the MSC will send the IMEI
number on to the EIR Using the Check IMEI message. The EIR will be respond
with the Check IMEI Response. In this message, equipment status is included,
that is, indicates which list the IMEI is located. So, the MSC can decide whether
continue the call or location updating.
Here, please note, checking of the IMEI at the EIR may occur after the TCH has
been allocated to the mobile.
Ok, hereto, we have finished the GSM security management.
GSM security management can be run through during the other sequence, for
example, call sequence, location updating and so on. So, it was introduced at first,

16

1.2 GSM Basic Call Sequence

Ok, after the GSM security management, lets study GSM basic call sequence.
The process for the calling MS and called MS is two independent flows.
So, at first, we take the sequence from mobile to land as example, in this
sequence, we mainly devote to the calling party.
Then for the called MS, land to mobile call sequence will be introduced, of course,
devote to the called party.
At last, we will study call clearing sequence.

17

Ok, at first, the Mobile to Land Call Sequence.

18

The mobile subscriber pressing the send key initiates a Channel Request
message from MS to the BSS. This is followed by the assignment of a dedicated
control channel by the BSS. In this way, the signaling link between the MS and
BSS is established. Here you can find that the assignment of the SDCCH is
performed by the BSS, not through the MSC.

19

After the SDCCH assignment, the message Request for service is passed to the
MSC which relay it to the VLR. Lets see A interface at first, Request for Service
is included in the CR message, connection request, the SCCP message which
belongs to connection-oriented service. We know, in A interface connectionoriented service is widely used. After CR and CC, the virtual connection has been
established in A interface.
Ok, then lets see B interface between MSC and VLR. We know, in GSM system,
the MSC provides the call control function, the subscriber information is stored in
the VLR and HLR, so when the MSC received the Request for service from the
mobile, it will send Process Access Request message to the VLR.
The VLR will carry out the authentication process if the MS has been previously
registered on this VLR. If not, the VLR will have to obtain authentication
parameters from the HLR.

20

Subscriber authentication takes place using authentication message and

encryption algorithms. If successful the Call setup can be continued. If ciphering is
to be used this is initiated at this time as the setup message contains sensitive
information.
Of course, subscriber authentication and ciphering can be optional. The operator
can make the configuration in the MSC/VLR.

21

And then the message Set-up is sent to the MSC by the MS accompanied by the
call information, such as

type of call, and called number. The message is

forwarded from MSC to the VLR. This message is SFOC, Send Information for
outgoing call.

22

The MSC may initiates the MS IMEI check, Is the MS stolen? and so on. Here note
that this check may occur later in the message sequence.

23

In response to the message Set-up which sent at step 4,The VLR sends the
message Complete call to the MSC, which notifies the MS with Call Proceeding.

24

Ok, after the message Call Proceeding, the MSC then assigns a traffic channel to
the BSS through the message Assignment Command, and in turn assigns an airinterface traffic channel. The MS responds to the BSS with Assignment Complete
which responds in turn to the MSC.

25

Oh, after so much preparation, an Initial Address Message is sent to the PSTN.
Ring tone is applied at the MS in response to Alerting .The MSC sends it to the
MS when the PSTN responds with an Address Complete Message (ACM).

26

When Answer (ANS) from the PSTN, the message Connect is forwarded to the
MS by the MSC, stopping the MS ringing tone. The MSC then connects the GSM
traffic channel to the PSTN circuit, completing the end-end traffic connection.

27

In response to Connect, the MS sends the message Connect Acknowledge.

Conversation takes place for the duration of the call.
Ok, that is the call establishment sequence for Mobile to Land, for the call clearing
sequence, well study it later.

28

Ok, after this sequence, lets answer a question. What happens when the calling
MS activates the SS of BAOC?

29

Ok, lets see the answer to this question.

We know, Subscriber information is stored in the VLR and HLR. When the MSC
receives the Request for service from the MS, the message Set-up is sent to
the MSC by the MS. The call information is included in this message. The MSC
sends the message SFOC to the VLR, and then the VLR will check the
subscriber information in it, at this time, VLR finds that the calling party has
activated the supplementary service BAOC, and then in response to the SFOC,
call barred is sent to MSC. The MSC wont assign the traffic channel for the call.
Call barred will be displayed on the MS.

30

Ok, we have studied Mobile to Land sequence ,in this sequence, we mainly devote
to the calling party sequence.
Then I introduce the called MS sequence, I will take Land to Mobile sequence as
example.

31

At first, a C7 message Initial Address Message (IAM) arrives at a gateway

MSC(GMSC).The MS to be called is identified by its MSISDN.

32

Then the GMSC requests the routing information from HLR, using the message
Send Routing Info, still tagged by the MSs MSISDN.
There stores subscriber location information in the HLR, so the HLR forwards the
message using Provide Roaming Number to the VLR which the MS is currently
located in. This is tagged with the MSs IMSI to the VLR. The requested
information will enable the GMSC to identify the MSC to which the IAM must be
directed.

33

The VLR responds with the message Provide Roaming No. Ack., now tagged
with an MSRN which is either newly drawn from its pool of MSRNs or already
associated with the MS being called. The HLR forwards the message with Routing
Information Ack..
The GMSC now sends IAM to the MSC serving the mobiles location, tagged with
the MSRN.

34

The visitor MSC then requests call set-up information from the VLR using SFIC
(Send Info for Incoming Call Setup.

35

The VLR response is the page message back to the MSC, containing the
required information, LAI and TMSI or IMSI. The MSC then sends Paging
Request to the MS via the appropriate BSS.

36

The MS responds and requests a dedicated control channel from the BSS with
Channel Request. The BSS then sends assign DCCH ,and MS responds with
Assign complete. The air interface signaling link is established. Once established,
the dedicated control channel carries Paging Response to the BSS which relays
it to the VLR through the MSC.
The MS is authenticated and cipher mode is set. Of course, they are optional.

37

The Complete Call message is then sent to the MSC from the VLR. This is
relayed to the MS via the BSS as the message Setup.

38

The MS sends the message Call Confirmation to the MSC. This indicates that the
MS is capable of receiving a call. And then MSC sends an Address Complete
Message(ACM) to the GMSC which relays it to the PSTN. The land subscriber will
now hear ring tone.

39

The MSC then assigns a traffic channel to the BSS through Assignment
Command, in turn assigns an air-interface traffic channel.
The MS responds to the BSS with Assignment Complete. The BSS responds in
turn to the MSC.
The MS now rings, sending the message Alert to the MSC as a confirmation.

40

When the GSM subscriber answers, the MS sends the message Connect to the
MSC. The MSC acknowledges this with Conncet Ack and sends Answer (ANS)
to the GMSC and PSTN.
The land subscribers ring tone stops, the GMSC and MSC connect the GSM
traffic channel and the PSTN circuit together.
Conversation takes place for the duration of the call.
So much for the Land to Mobile call sequence.

41

Ok, lets answer several questions for this sequence.

Please give the sequence:
1.The called MS is powered off.
2.The called MS activates the CFU to a PSTN No.
3.The called MS has been barred all incoming call.
4.The Called MS is unknown in the HLR

42

Lets answer the questions one by one.

The first one :the sequence when the called MS is power off.
The HLR doesnt know whether the MS is powered on or off.
The MS IMSI status is stored in the VLR where the mobile is located. If the MS is
powered off, IMSI status in the VLR is detach, if on, its attach. So, when the VLR
receives the Provide Roaming Number from the HLR, the VLR will send Provide
Roaming Number Ack. with the cause of subscriber absent. The calling
subscriber then listens to the announcement the subscriber you dialed is powered
off.

43

The second question: the sequence when the called MS activates the CFU to a
PSTN number.
We know, in the HLR, there is service information, when the MS activates the
CFU, the HLR knows it. So when the HLR receives the Routing Information
Request from the GMSC, the HLR knows the MS has activated the CFU to an
other number, then responds Routing Information Ack. with the CFN directly, and
not request to the VLR.
The GMSC then sends the message IAM to the corresponding office direction.

44

Then lets see the third question: the sequence when the called MS has been
barred all incoming call.
Its very similar to the previous question, the HLR knows the service information,
so when the HLR receives the request for routing information, the HLR sends
routing info acknowledgement with the cause of Call Barred without notification to
the VLR.

45

Then the last question: the sequence when the called MS is unknown in the HLR.
This question is very simple for you. As the response to the routing information
request, the HLR sends acknowledgement with the cause of unknown subscriber.
The calling party may hear the announcement.

46

In the two sequence, no introduction to the call clearing sequence, here lets study
it.
We take mobile initiated call clearing sequence as the example.
The mobile initiates the clearing of the call by sending the Disconnect message
to the MSC. The MSC will then send a Release message to the PSTN which will
then start to release the fixed network circuits associated with the call. The MSC
will also send a Release message to the mobile to indicate that it may clear down
the call.

47

When the mobile receives the message it will release the call and respond with the
Release Complete message. The PSTN will also respond with a Release
Complete message.

48

The MSC now initiates the freeing up of the air interface radio resources and the A
Interface terrestrial resources related to the call.
The MSC will send the Clear Command to the BSS. The BSS in turn will send a
Channel Release on to the mobile, this starts the release of the radio resources
used for that call.
The BSS will then respond to the MSC with the Clear Complete message
indicating that it has released the radio and terrestrial resources.

49

The BSS will complete the release of the radio resources by sending the DISC
message to the mobile. The mobile will respond with an unnumbered
acknowledgement message.

50

Mobile Initiated Call Clearing Sequence

MS
4 DISC
UA

BSS

MSC

VLR

HLR

PSTN

<FACCH>
<FACCH>

Clear Complete
5 RLSD
Release Complete

The MSC will now initiate the release of the signaling connection related to the call.
The MSC will send the Released message, the BSS

will respond with the

Release Complete message.

The call is now cleared and all resources are available for another subscriber.
Ok, thats all for the second part. I only give you explanation about basic call
sequence. For the more information about call sequence, please refer to the
corresponding specifications.

51

Now, well study the third part, location update sequence. In this part, at first I give
you brief introduction to the location update, and then Ill introduce several typical
location updating sequences.

52

At first ,Ill introduce the location update briefly. There are three types of location
update in GSM system. The first one is periodic location update, it is requested by
the system, that is, on the one hand, the BSC defines the interval of periodic
location update, notify the mobile through system message, the MS then sends the
periodic location update message to the network every the defined interval; on the
other hand, the MSC/VLR defines another interval, if the MSC/VLR doesnt receive
the periodic location update message from the mobile after the defined interval, the
IMSI status of the mobile will be set to detach. please note the two interval defined
by the BSC and MSC is relative. the interval defined by MSC/VLR shouldnt less
than that defined by the BSC.
When the MS is out of service area, the network cant receive its periodic location
update message, the IMSI status will be set to detach, and then when the mobile is
called, the MSC/VLR wont send page message, the PCH should be saved. But
periodic location update message occupies the SDCCH resource, so, the operator
should balance them.
Ok, thats the first type of location update.

53

IMSI attach/detach is the second type of location update.

The last one is normal location update. It happens when the MS enters a new
location area. It is initiated from MS.
In the following, the normal location update sequence will be explained.

54

1.3 Location Update Sequences

In the second, several normal location update sequences are introduced.

It consists of two kinds of sequence: intra-VLR location update and inter-VLR
location update.

55

Ok, at first, intra-VLR location update sequence.

A location update is initiated by the mobile when it detects that it has entered a
new location area. The location area is transmitted on the BCCH as the LAI. The
mobile will be assigned an SDCCH by the BSS, the location updating procedure
will be carried out using this channel.

56

Once the SDCCH has been assigned the mobile transmits a Location Update
Request message. This message is received by the MSC which then sends the
new LAI and current mobile TMSI number to the VLR. The information will also be
sent to the HLR if the mobile has not previously been updated on the network.
If the mobile has been registered in this VLR, this information wont be sent to the
HLR, that is, this is intra-VLR location update.

57

Authentication and ciphering may now take place if required.

58

The VLR will now assign a new TMSI for the mobile, this number will be sent to the
MSC using the Forward New TMSI message. The VLR will now initiate the
Location Update Accept message which will transmit the new TMSI and LAI to
the mobile.

59

Once the mobile has stored both the TMSI and the LAI on its SIM card it will send
the TMSI Reallocate Complete message to the MSC. The MSC will then send the
TMSI ACK message to the VLR to confirm that the location update has been
completed.

60

The SDCCH will then be released by the mobile.

Ok, that is the intra-VLR location update sequence.

61

Then lets see the inter-VLR location update sequence.

Here introduce the sequence under the two situations. The first is location update
though IMSI, the other one is through TMSI.

62

As the intra-VLR location update, the inter-VLR location update is initiated by the
mobile when it detects that it has entered a new location area. The location area is
transmitted on the BCCH as the LAI. The mobile will be assigned an SDCCH by
the BSS, the location updating procedure will be carried out using this channel.

63

Once the SDCCH has been assigned the mobile transmits a Location Update
Request message. This message is received by the MSC, then MSC sends the
new LAI and mobile IMSI number to the VLR.

64

Because the mobile hasnt previously been registered on this VLR, the information
will then be sent to the HLR.
If the authentication is required in the MSC/VLR, at first authentication parameter
request will be sent to the HLR and the HLR gives response.
And then authentication and ciphering may now take place if required.

65

After the authentication and ciphering, the information of Location Update

Request will be sent to the HLR, and in response the HLR transmits the
subscriber information using the message Insert Subscriber Data.
Once the VLR has stored the information it will send the Acknowledge message.
The HLR will then send the Location Update Ack. message to the VLR.

66

Since the VLRn has stored the mobile information, the HLR then sends
Cancellocation message to the VLRo, after the response from the VLRo, the HLR
will then update VLR number in the HLR for this subscriber.

67

TMSI reallocation procedure is same with the previous sequence.

Of course, if the system doesnt use TMSI, then no this procedure.

68

At last the SDCCH will then be released by the mobile.

69

Ok, After this procedure, lets see the next one, the sequence for inter-VLR
location update via TMSI.
At the beginning, the location update is initiated by the mobile, the mobile will be
assigned an SDCCH by the BSS, the location updating procedure will be carried
out using this channel.

70

Once the SDCCH has been assigned the mobile transmits a Location Update
Request message. This message is received by the MSC, the MSC then sends
the current TMSI and the LAI which consists of the previous and new one.

71

We know, the TMSI is allocated by the previous VLR, and unknown in the new
VLR (VLRn).So, the VLRn

calculates the VLRo number through the old LAI

(LAIo),and then sends the message Send Identification to the VLRo to get the
mobile IMSI and authentication parameters. In response, the VLRo returns the
IMSI and authentication parameters in the acknowledgement message.
Then authentication and ciphering may now take place if required.

72

And the VLRn will now send the message Location Update Request to the HLR,
the HLR will then transmit the subscriber information to the VLRn. Once the VLRn
responds, the HLR sends the message Location Update Acknowledgement to the
VLRn.

73

Then the HLR sends Cancellocation message to the previous VLR, once the
VLRo responds the HLR will then store the VLRn number for the mobile.

74

The VLR will now assign a new TMSI for the mobile, this number will be sent to the
MSC using the Forward New TMSI message. The VLRn will now initiate the
Location Update Accept message which will transmit the new TMSI and LAI to
the mobile.
Once the mobile has stored both the TMSI and the LAI on its SIM card it will send
the TMSI Reallocate Complete message to the MSC. The MSC will then send the
TMSI ACK message to the VLR to confirm that the location update has been
completed.

75

Inter-VLR Location Update Via TMSI

MS

BSS

MSC

VLRn

HLR

VLRo

5 Cancellocation
Cancellocation
.
Ack

6 Forward New TMSI

Location Update Accept
TMSI Reallocate Complete
TMSI ACK

7 Clear Command
Clear Complete

The SDCCH will then be released by the mobile.

Ok, thats all for the location update sequence.

76

1.4 SMS Sequence

Now we will study the fourth part, short message sequence. The mobile originated
short message transfer procedure is separated from mobile terminated. The basic
short message sequence consists of two parts: MO SMS Transfer and MT SMS
Transfer.

Its very similar to the call sequence.

77

At first lets see MO SMS transfer sequence.

Like the call sequence, the subscriber pressing the send key initiates a Channel
Request message from the MS to the BSS. This is followed by the assignment of
dedicated control channel by the BSS and the establishment of the signaling link
between the MS and BSS.

78

The message Request for Service is passed to the MSC which relays it to the
VLR.

79

The VLR will carry out the authentication process if the MS has been previously
registered on this VLR, if not, the VLR will have to obtain authentication
parameters from the HLR.

80

The message RP_MO_DATA is sent by the mobile to the MSC accompanied by

the SM information, such as type of SM, the SMC number. This message is
forwarded from the MSC to the VLR, that is, the MSC should query to the VLR
whether the mobile subscriber has authority of sending short message via
SIF_MO_SMS message, and then VLR returns the results for query.

81

If the mobile has the authority to send short message, the MSC will then transfer
the short message to the interworking-MSC via the message MO_Forward_SM
tagged with SMC number. The SMC number is set on the mobile station. Its the
home SMC of the mobile.
The interworking-MSC will then forward the short message to the corresponding
SMC. Once responds from SMC,
the interworking-MSC responds in turn to the MSC.

82

And the MSC will then send

the message RP_ACK to MS in response to the

message RP_MO_DATA.
At this time Send Successfully" is displayed on the mobile. Its terminated the MO
sequence.

83

Ok, now lets see the MT SMS transfer sequence. It consists of two cases: for one
short message and several messages.

84

At first Ill introduce the MT SMS transfer sequence for one message.
A message short message arrives at a gateway-MSC. The MS to be called is
identified by its MSISDN. The GMSC will then request routing information from
HLR using the message SRI_for_SM, still tagged by the MSs MSISDN. The HLR
then responds with the message SRI_for_SM_ACK which includes the VLR
number. This information will enable the GMSC to identify the MSC to which the
Forward_SM must be directed.

85

Then the visitor MSC requests call Set-up information from the VLR using the
message SIF_MT_SMS. The VLR response is the page message back to the
MSC, containing the required information. The MSC then sends Paging Request
to the MS via the appropriate BSS.

86

If the mobile is powered on, and in the service area, the MS responds and
requests a dedicated control channel from the BSS. Once the air interface
signaling link is established, the dedicated control channel carries the Paging
Response to the BSS which relays it to the VLR via the MSC.
Then the MS is authenticated and cipher mode is set. Of course its optional by
the operator.

87

The servicing MSC will then transfer the short message to the MS. The MS
acknowledges this and sends Short_Message_Ack to the MSC. The servicing
MSC

then

responds

to

the

gateway

MSC

using

the

message

MT_Forward_SM_Ack and in turn the gateway MSC sends acknowledgement to

the SMC in response to the message Short_Message.
Hereto, the sequence is ended.

88

Ok, lets see the sequence for MT transfer several messages.

At first its same to the sequence for one message, a message short message
arrives at a gateway-MSC. The MS to be called is identified by its MSISDN. The
GMSC will then request routing information from the HLR using the message
SRI_for_SM, still tagged by the MSs MSISDN. The HLR then responds with the
message SRI_for_SM_ACK which includes the VLR number. This information will
enable the GMSC to identify the MSC to which the Forward_SM must be
directed.
Actually, in the message MT_Forward_SMS, there is a flag for more message, in
this case, this flag is true. If only one message will be transferred, the flag is false.

89

The visitor MSC then requests call set-up information from the VLR, the VLR
responds with page message. The MSC then sends Paging Request to the MS
via the BSS.

90

The MS responds and requests a dedicated control channel from the BSS. Once
the air interface signaling link is established, the dedicated control channel carries
Paging Response to the BSS which relays it to the VLR via the MSC.
The MS is then authenticated and cipher mode is set. Of course, it can be optional
by the operator.

91

Then the MSC transfers the short message to the MS through the BSS. Once the
MS sends the acknowledgement to the servicing MSC, the MSC will then respond
to the message MT_Forward_SM to the gateway MSC which in turn sends
response to the SMC. Now one message has been transferred to the MS.

92

Then the SMC sends the second message to the gateway MSC. The gateway
MSC will

transfer the message via MT_Forward_SM to the servicing MSC

without request routing information to the HLR. The visitor MSC then sends the
message to the MS. Once the MS responds, the MSC sends acknowledgement to
the gateway MSC using the message MT_Forward_SM_Ack. In turn the gateway
MSC responds to the SMC.
If the flag in the message MT_Forward_SM is false, after the message is
received by the MS, the sequence for several messages is closed.

93

Ok, after the basic SMS sequence, lets answer a question.

What is the sequence when the originating subscriber sets the wrong SC No. in
the mobile station.

94

Answer
MS

BSS

MSC

MO_Forward_SM

VLR Interworking SC
MSC

(SC_No.)

Short_Message
Short_Message_Ack
Illegal Subscriber

MO_Forward_SM_Ack
Illegal Subscriber

RP_ACK
"Send Not Successfully" is displayed on the mobile

From the MO SMS sequence, we know, after the establishment of the air interface
signaling link and authentication, the MS sends RP_MO_Data to the MSC. The
MSC will then transfer the short message to the interworking MSC, tagged with
SMC number.
The SMC number is set on the mobile, and sent from the mobile to the network.
This SMC is the home SMC of the mobile. If the mobile set the wrong number, and
if the number is other SMC number, then the gateway MSC sends short message
to the other SMC. In this SMC, the mobile does not exist, so the SMC returns the
acknowledgement with the cause of illegal subscriber, and then Send Not
Successfully" is displayed on the mobile.
Ok, thats all for the fourth part.

95

1.5 Handover Sequence

Ok, now lets study the last section, handover sequence.

In this section, the content consists of two parts, inter-BSS handover sequence
and inter-MSC handover sequence.

96

At first, I will explain the inter-BSS handover sequence.

The MS is in the conversation state and is continuously compiling measurements
both current transmission and broadcast control channels of up to sixteen
surrounding cells.
The measurements from the six best cells are reported back to the BSS, every
480ms.

97

When a handover is required, due to low Receive Signal Strength Indication (RSS)
or poor signal quality the existing originating BSS(oBSS) notifies the MSC using
message Handover Required.

98

The target or the new BSS (nBSS) is alerted with the message Handover
Request tagged with the TMSI or IMSI.

99

Then the new BSS allocates a Handover Reference Number which is used to
determine whether the correct mobile gains access to the air-interface channel
which it allocates, and acknowledges the MSCs request with Handover Request
Ack. This is tagged with the HO Reference number. The nBSS assigns a traffic
channel.

100

The MSC, via the oBSS orders the MS to change to the new channel with the
message Handover Command on FACCH.

101

There is an information interchange between nBSS and MS. This uses the FACCH
channel but an access burst is used. The messages and information carried
depend upon the type of handover being performed.

102

Once all necessary information has been transferred the message Handover
Complete is sent to the MSC.

103

The MSC now sends a Clear Command to the oBSS, this frees the radio
resources for another MS. The channel is not cleared until this point incase nBSS
can not accommodate the MS being handed over.

104

The MS, still in the conversation mode, then continues to prepare periodic
measurement reports and sends them to the nBSS.

105

Ok, after the inter-BSS handover sequence, well study inter-MSC handover
sequence.
There are two types of inter-MSC handover sequence, basic inter-MSC sequence
and subsequent inter-MSC sequence.

106

In the inter-MSC handover , here devoted to introduce the sequence between

different MSC/VLR.
When the MSCA receives the Handover required from the oBSS, the MSCA finds
that the new cell belongs to the MSCB, then sends the Prepare Handover
message to the MSCB. This request may optionally contain an indication that a
handover number allocation is not required, target Cell Id, for compatibility
reasons, and all information required by MSCB to allocate the necessary radio
resources.

107

Then the MSCB sends Allocate HandoverNo. Message to the VLRB.

108

The VLRB responds with the message Send Handover Report which handover
number is included in.

109

Then the MSCB transfers the handover number to the MSCA with the message
Prepare Handover Ack.

110

The MSCB sends the acknowledgement to the VLRB. The handover number will
be reserved until a Send Handover Report confirmation is received from MSC-B.

111

The MSCA then sends the message Initial Address Message tagged with
handover number allocated by VLRB. The MSCB sends the Address Complete
Message and Answer to the MSCA. The connection between the MSCA and
MSCB has been established.

112

Optionally MSC-A can receive, after a Prepare Handover confirmation, a

Process Access Signaling indication containing BSSAP information.
When the connection has been established between the MS and MSCB, MSCA
will be informed by a Send End Signal indication.
If required, the MSCA requests the Forward Access Signaling request containing
the information to be transferred to the A-interface of MSCB (e.g. call control
information).
The Forward Access Signaling is a non-confirmed service.
The Forward Access Signaling is composed in such a way that the information
can be passed transparently to the A-interface for call control and mobility
management information.
Any response received in MSC-B from the A-interface that should be brought to
MSC-A will require a new independent request from the MSCB to the MSCA by
invoking a Process Access Signaling request.

113

When the conversation is ended, the MSCA sends the Release message to the
MSCB and MSCB responds with the message Release Complete.
When MSCA wants to clear the connection with BSSB, and then sends the Send
End Signal response to MSCB to close the sequence.

114

After the release of the resources for the call and handover, the inter-VLR location
update sequence is followed.

115

Ok, lets see the subsequent inter-MSC handover sequence.

The procedure is used when the MSCB has decided that a call is to be handed
over to another MSC (either back to the controlling MSC (MSCA) or to a third MSC
(MSCC)).
When MSCA receives a Prepare Subsequent Handover request, it will start the
procedure of handing the call over to a third MSC (MSCC), or back to the
controlling MSC (MSCA). In this example, handover to the MSCC.
The controlling MSC(MSCA) sends the Prepare Handover to the MSC/VLRC,
and MSC/VLRC responds with the handover number in the acknowledgement
message. Then the MSCA responds to the MSCB using the message Prepare
Subsequent Handover_Ack.

116

The MSCA then sends the message Initial Address Message tagged with
handover number allocated by the VLRC. The MSCC sends the

Address

Complete Message and Answer to the MSCA. The connection between the
MSCA and MSCC has been established.

117

And then the MSCA will release the connection with the MSCB. The MSCA sends
Release message to the MSCB, and MSCB responds with Release Complete
message.

118

If required , MSCC invokes the Process Access Signaling request containing the
information received on the A-interface that should be transferred to MSCA (e.g.
call control information).
Process Access Signaling is a non-confirmed service and any response from
MSC-A will require a Forward Access Signaling request.

119

When the conversation is ended, the MSCA sends the Release message to
MSCC and MSCC responds with the message Release Complete.

120

Actually, after the establishment of the connection between the MSCC and MSCA,
the MSCC sends the message Send End Signal to the MSCA.
If the new handover procedure towards MSCC (or MSCA) is successful, the MSCA
will request the release of the MSC-B by sending the Send End Signal
confirmation.

121

At last, a location update sequence is followed.

122

Ok, hereto, we have finished the study of the communication flow in the GSM
system.
Finally, lets make a summary.
In this course, the GSM security management was introduced at first, it consists of
the authentication, ciphering, TMSI reallocation and equipment identification. It is
usually used in the other sequence.
Then the explanation for the GSM basic call sequence, it is the most important
sequence in the GSM system.
In the third section, the location update sequence was introduced.
And then an introduction to the basic SM sequence.
At last a brief introduction to the handover sequence.
Actually, for each kind of sequence, there are many abnormal communication
flows. If you want to know more information, please refer to the relative
specifications.

123