SJ-20121227135800-019-ZXUR 9000 GSM (V6.50.102) Signaling Description, PDF

ZXUR 9000 GSM
Base Station Controller

Signaling Description
Version:6.50.102
ZTE CORPORATION
NO. 55, Hi-tech Road South, ShenZhen, P.R.China
Postcode: 518057
Tel: +86-755-26771900
Fax: +86-755-26770801
URL: http://ensupport.zte.com.cn
E-mail: support@zte.com.cn
LEGAL INFORMATION
Copyright © 2013 ZTE CORPORATION.
The contents of this document are protected by copyright laws and international treaties. Any reproduction or
distribution of this document or any portion of this document, in any form by any means, without the prior written
consent of ZTE CORPORATION is prohibited. Additionally, the contents of this document are protected by
contractual confidentiality obligations.
All company, brand and product names are trade or service marks, or registered trade or service marks, of ZTE
CORPORATION or of their respective owners.
This document is provided “as is”, and all express, implied, or statutory warranties, representations or conditions
are disclaimed, including without limitation any implied warranty of merchantability, fitness for a particular purpose,
title or non-infringement. ZTE CORPORATION and its licensors shall not be liable for damages resulting from the
use of or reliance on the information contained herein.
ZTE CORPORATION or its licensors may have current or pending intellectual property rights or applications
covering the subject matter of this document. Except as expressly provided in any written license between ZTE
CORPORATION and its licensee, the user of this document shall not acquire any license to the subject matter
herein.
ZTE CORPORATION reserves the right to upgrade or make technical change to this product without further notice.
Users may visit ZTE technical support website http://ensupport.zte.com.cn to inquire related information.
The ultimate right to interpret this product resides in ZTE CORPORATION.
Revision History
Revision No. Revision Date Revision Reason
R1.0 2013–01–29 First edition
Serial Number: SJ-20121227135800-019
Publishing Date: 2013–01–29(R1.0)
SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

Contents
About This Manual ......................................................................................... I
Chapter 1 Signaling Protocols .................................................................. 1-1
1.1 Application Scenarios ......................................................................................... 1-1
1.2 Protocol Architecture for Signaling....................................................................... 1-3
1.3 Introduction to Functional Modules of Signaling Protocols ..................................... 1-6
1.3.1 LAPD ...................................................................................................... 1-6
1.3.2 LAPDm.................................................................................................... 1-7
1.3.3 MTP2 ...................................................................................................... 1-7
1.3.4 MTP3 ...................................................................................................... 1-8
1.3.5 RR .......................................................................................................... 1-9
1.3.6 BTSM ...................................................................................................... 1-9
1.3.7 SCCP .................................................................................................... 1-10
1.3.8 BSSAP .................................................................................................. 1-10
1.3.9 MAC.......................................................................................................1-11
1.3.10 RLC..................................................................................................... 1-12
1.3.11 BSSGP ................................................................................................ 1-12
Chapter 2 Service Signaling Procedure ................................................... 2-1

2.1 Service Introduction............................................................................................ 2-1
2.2 Signaling Procedure of Speech Services ............................................................. 2-2
2.2.1 Cell Selection and Reselection .................................................................. 2-2
2.2.2 Location Update ....................................................................................... 2-3
2.2.3 Mobile Originated Calls............................................................................. 2-8
2.2.4 Mobile Terminated Calls.......................................................................... 2-17
2.2.5 Intra-Cell Handover ................................................................................ 2-25
2.2.6 Inter-cell Handover ................................................................................. 2-27
2.2.7 Inter-BSC Handover ............................................................................... 2-29
2.2.8 Inter-MSC Handover............................................................................... 2-32
2.2.9 Sending Point-to-Point Short Messages (Idle State).................................. 2-35
2.2.10 Receiving Point-to-Point Short Messages (Idle State) ............................. 2-37
2.2.11 Sending Point-to-Point Short Messages (Busy State) .............................. 2-38
2.2.12 Receiving Point-to-Point Short Messages (Busy State) ........................... 2-38
2.3 Signaling Procedure of Packet Services............................................................. 2-39
2.3.1 One-Step Access on the CCCH .............................................................. 2-39

2.3.2 Uplink Two-Step Access on the CCCH .................................................... 2-40
2.3.3 Uplink Access on the PACCH.................................................................. 2-41
2.3.4 Downlink Access on the CCCH ............................................................... 2-42
2.3.5 Downlink Access on the PACCH ............................................................. 2-43
2.3.6 GPRS Cell Selection and Reselection...................................................... 2-44
2.3.7 Attach.................................................................................................... 2-47
2.3.8 Detach................................................................................................... 2-49
2.3.9 PDP Activation ....................................................................................... 2-52
2.3.10 PDP Deactivation ................................................................................. 2-54
2.3.11 Cell Update .......................................................................................... 2-56
2.3.12 Routing Area Update ............................................................................ 2-57
Figures............................................................................................................. I
Tables ............................................................................................................ III
Glossary .........................................................................................................V
II

About This Manual
Purpose
ZXUR 9000 GSM is a new generation radio network controller (that is, BSC) in the ZTE 2G
multi-mode series products. It performs functions including system access control, security
mode control, mobility management, and radio resource management and control.
ZXUR 9000 GSM provides all the functions defined in the 3GPP R4/R5/R6/R7 protocols,
and offers series standard interfaces including A-interface, Abis interface, and Gb
interface, which enable it to connect with CN, BSC, and BTS. ZXUR 9000 GSM is
developed on the basis of ZTE all-IP unified hardware platform. It features a distributed
design, separating control plane and user plane as well as interface and application. It
supports TDM/IP dual protocol stack, and can smoothly evolve into all-IP GERAN.
Intended Audience
Communication engineers
What Is in This Manual
Chapter Summary
Chapter 1, Signaling Introduces the application scenarios of ZXUR 9000 GSM, the protocol
Protocols architecture and functional modules of signaling protocol.
Chapter 2, Service Describes the signaling procedure for speech services and packet
Signaling Procedure services.

II

Chapter 1
Signaling Protocols
Table of Contents
Application Scenarios.................................................................................................1-1
Protocol Architecture for Signaling..............................................................................1-3
Introduction to Functional Modules of Signaling Protocols ..........................................1-6
1.1 Application Scenarios

GSM Network Overview
The Base Station Controller connects to the BTS, MSC, and SGSN via the Abis interface,
A interface, and Gb interface respectively. The position of the BSC in the network is shown
in Figure 1-1.
Figure 1-1 Network Environment for the BSC
The network elements included are:

l MS: Mobile Station
l BTS: Base Transceiver Station
l BSC: Base Station Controller
l SC: Short message center
l OMC: Operation and Maintenance Center
l MSC: Mobile Switching Center
l HLR: Home Location Register
l AUC: Authentication Center
l VLR: Visitor Location Register
l EIR: Equipment Identification Register
1-1

ZXUR 9000 GSM Signaling Description
l SGSN: Serving GPRS Support Node
Introduction to the BSC and Related Network Elements

l Base Station Controller (BSC)
The BSC connects the BTS and the MSC, and provides interfaces for information
exchange between the BTS and the OMC. Generally, a BSC controls multiple
BTSs. The main functions of a BSC include the management of radio channels,
the establishment and disconnection of calls and channels, and the control of the
positioning, handover, and paging of the Mobile Stations (MS).
l Base Transceiver Station (BTS)
A BTS includes the hardware and software needed for radio transmission, such as
transmitter, receiver, antennas that support types of cell structures (for example,
omnidirectional, sector, star, and chain), interface circuits that connect to the BSC,
and testing and control devices for the BTS. Completely controlled by the BSC, the
BTS mainly performs radio transmission, including such functions as switch between
radio and cable transmission, radio diversity, radio channel ciphering, and frequency
hopping.
l Mobile Switching Center (MSC)
As the core of the GSM network, the MSC is a functional entity that controls Mobile
Stations (MSs) within its coverage and implements speech channel switching. The
MSC also serves as an interface between the mobile communication system and
other public communication networks. The MSC provides switching functions,
implementing paging access, channel allocation, call proceeding, traffic control,
charging, and BTS management. It also implements the switch between the BSS and
the MSC, and performs subsidiary functions, including radio resource management,
mobility management. Moreover, the MSC implements the interface function for
other functional entities in the system and the fixed network, such as PSTN and
ISDN. As the core of the network, the MSC coordinates with other equipment in
performing multiple functions, including location registration, handover, automatic
roaming, validity check, and inter-frequency handoff.
l Serving GPRS Support Node (SGSN)
A basic element in the GPRS network, the SGSN is added to the GSM network
to provide the GPRS service. The main function of the SGSN is to forward the
input/output IP packets for the MSs within the serving area.
l Gateway GPRS Support Node (GSSN)
As a new functional entity in the GSM network, the GGSN implements the routing
and encapsulation for data packets between the GPRS network and the external data
network.
l Mobile Station (MS)
The MS is the subscriber device in the GSM network. It consists of the mobile
equipment (ME) and the subscriber identification module (SIM). The functions that the
1-2

Chapter 1 Signaling Protocols
MS performs include speech coding, channel coding, channel cyphering, modulation

and demodulation of information, and the receiving and transmitting of information.
Introduction to the Interfaces Related to the BSC

l A
Defined as the communication interface between the network subsystem (NSS) and
the base station subsystem (BSS), the A interface connects the MSC to the BSC.
The physical link between the MSC and the BSC uses the standard 2.048Mb/s digital
transmission. The A interface transmits the information related to the management of
mobile stations, the BTSs, mobility, and connection.
l Gb
Defined as the communication between the BSS and the SGSN, the Gb interface is
mandatory in the GPRS networking. The SGSN communicates with the BSS and the
MS via the Gb interface to perform packet data transmission, mobility management
and conversation management.
l Abis
The Abis interface defines the communication standards between the BSC and
the BTS in the BSS. The interface applies to remote interconnection. The physical
connection between the BSC and the BTS uses the standard 2.048Mb/s PCM digital
transmission. The Abis interface supports all services provided to the subscribers,
and supports the control of the BTS radio equipment and the allocation of radio
frequency.
l Um
Defined as the communication interface between the MS and the BTS, the Um (air
interface) interface connects the MS to the fixed part of the GSM system. The Um
interface uses radio links as the physical link, and mainly transmits the information
related to the management of radio resources, mobility, and connection.
1.2 Protocol Architecture for Signaling

For different system applications, the completion of a certain function usually requires
the coordination of multiple devices. Therefore, the devices involved for a function must
be interconnected via specified interfaces according to standards in certain protocols.
Two entities must communicate by following certain protocols. In summary, the interface
represents the connecting point between two neighboring entities, while protocols specify
the rules that the information exchange through the connecting point must observe.
The Open System Interconnection Reference Model (OSI-RM) divides protocols into
different layers by their functions, as shown in Figure 1-2. The first layer is the physical
layer or transport layer, the second link layer or network layer, the third the application
layer.
1-3

Figure 1-2 Layers in the OSI Reference Model
The signaling protocols in the GSM system are divided based on the OSI reference model.
ZXUR 9000 GSM supports the CS services and the GPRS packet services that are
processed by different protocols. The protocols applied on relevant interfaces for the two
types of services are describes as follows.
The Protocol Architecture for E1 and IP Transmission in the CS-Domain

The different protocol layers in which signaling is transparently transmitted and processed
are shown in different colors as follows. The protocol stack for the all-IP access is shown
in Figure 1-3. The protocol stack for the E1 access is shown in Figure 1-4.
Figure 1-3 All-IP Access Protocol Stack
1-4

Figure 1-4 E1 Access Protocol Stack
The transparently transmitted signaling protocols in the CS domain are described as

follows:
The MM layer manages the subscriber database that includes the location data, and also
implements security management and the authentication.
CM implements call control management and processes the SMS.

The sublayers CM and MM are not managed in the BSC, that is, the messages in the two
layers are not analyzed in the BSC.
The Protocol Architecture for E1 and IP Transmission in the PS-Domain

The protocol architecture for E1 and IP transmission in the PS-Domain is illustrated in
Figure 1-5.
Figure 1-5 The Protocol Architecture for E1 and IP Transmission in the PS-Domain
1-5

The transparently transmitted signaling protocols in the PS domain are described as

follows:
1. Sub Network Dependent Convergence Protocol (SNDCP)
The protocol is in the network layer, and the main functions include: multiplexing
of PDP, compressing/decompressing the subscriber data and protocol-controlling
information, segmentation of network protocol data unit (N-PDU) into logical link
control protocol data units (LL-PDU).
2. Logical Link Control (LLC)
The layer is a highly reliable encrypted logic link. The layer is also independent from
the sub-layer radio access protocols, thus minimizing the modifications to the network
when another GPRS radio solution is applied.
3. IP
The layer implements the routing of the subscriber data and the control signaling
protocols in the GPRS backbone network.
4. Application Layer Protocols
The layer includes the File Transfer Protocol (FTP), the Trivial File Transfer Protocol
(TFTP), the Hypertext Transfer Protocol (HTTP), Telnet (remote login), and the
Simple Mail Transfer Protocol (SMTP). These bottom-layer applications implements
the routing and tracing of data transmission, and the physical transmission of data.
1.3 Introduction to Functional Modules of Signaling

Protocols
1.3.1 LAPD
The Link Access Procedure on the D Channel (LAPD) is a point-to-multipoint
communication protocol with the frame structure. The protocol provides one or more data
connections in D channel. The data link connection is identified by the data link connection
identifier (DLCI) in individual frames. DLCI consists of TEI and SAPI, indicating the
accessed service and entity respectively.
The Functions the LAPD Implements

l Delimitation, location and transparency of frames.
l Sequence control, ensuring the sequential transmission of frames.
l Error detection and correction.
l Notifying the management entity of the unrecoverable error.
l Flow control.
1-6

1.3.2 LAPDm
The Link Access Procedure on the Dm Channel (LapDm) is a data link procedure for the
transmission of signaling between the MS and BTS. The purpose of LAPDm is to use the
Dm channel to transmit messages for entities in Layer 3 via the radio interface. LAPDm
is based on LAPD, with some simplification and modification. The Dm channel provides a
point-to-point data link connection and multiple services for the upper layer. The data link
connection is identified by the data link connection identifier (DLCI) in individual frames.
DLCI only contains the SAPI part, representing what service is accessed.
The Functions the LAPDm Implements

l Identification of frame types.
l Transparent transmission of the L3 messages among L3 entities.
l Sequence control, maintaining the sequence of the frames connected via the data
link.
l Checking the format and operation errors in the data link layer.
l Notifying the L3 entities to process the unrecoverable errors.
l Flow control.
l Access support for the burst solution mode after the RACH channel access is
immediately assigned.
1.3.3 MTP2
The main purpose of the Message Transfer Part (MTP) is to provide reliable signaling
message transmission, making corresponding responses upon failures in the system or
the signaling network, and taking measures to avoid or reduce message lost, repetition,
or sequence disorder.
Message Transfer Part - layer 2 (MTP2) specifies the functions and procedures for
transmitting signaling to the data link. The MTP2 and MTP1 work together to ensure the
reliable transmission of signaling between two directly connected signaling points.
In long-distance transmission, error codes might exist in the data link between neighboring
signaling points. However, the CCS7 signaling message coding does not allows any error.
The function of the MTP2 is to ensure no error transmission when error codes exist in the
MTP1.
The Functions of MTP2

l Signal unit delimitation and alignment.
l Signal unit error detection.
l Error correction of the signal unit by retransmission.
l Checking faults in the signaling link by monitoring the error rate of signal units.
l Restoring faulted signaling links.
l Flow control in the signaling link.
1-7

1.3.4 MTP3
The function of Message Transfer Part-layer 3 (MTP3) is to ensure reliable transmission
of the subscriber part of the message by controlling the routing and performance of the
signaling network whether the network is in normal status or not. The functions of the
signaling network include two parts: message signal processing and signaling network
management.
Signaling Message Handling

The function of signaling message handling is to ensure the message sent from the user
part of a signaling point can be transmitted to the proper signaling link or user part. In
the BSS, the user part only includes the Signal Connect Control Part (SCCP). Signaling
message handling consists of message routing, message discrimination, and message
distribution, as shown in Figure 1-6.
Figure 1-6 Signaling Message Handling Procedure
l Message Routing
Message Routing (MRT) implements the selection of routing. This function uses the
information contained in the routing flag to select a signaling link for the signaling
message, thus ensuring that the message can be transmitted to the destination
signaling point. The information in the routing flag includes the Destination signaling
Point Code and the Signaling Link Selection (SLS).
l Message Discrimination
The function of Message Discrimination (MDC) is to receive the message sent from
the MTP2 and decide whether the message destination is right. If the destination is
right, the MDC transmits the message to the Message Distribution (MDT) part. If the
destination is wrong, the MDC transmits the message to the MRT part.
l Message Distribution
1-8

The function of Message Distribution (MDT) is to distribute the messages sent from the
MDC part to the user part, signaling management network, and the test/maintenance
part.
Signaling Network Management

The signaling network management part controls and manages the system, monitors every
signaling routing and link, and automatically route messages upon faults to ensure the
normal communication of the signaling link.
1.3.5 RR
The RR layer includes the rules for managing the transmission at the radio interface, and
provides stable links between the MS and MSC.
Functions of RR
The main purpose of the RR layer is to manage the transmission between the MS and
MSC, establishing the transmission and signaling path between them.
The BSS implements the majority of the RR functions, including the radio interface, the
Abis interface, and the A interface. Other functional modules relate to the No.7 signaling
interface.
Cell selection/reselection and handover are all functions in the RR layer.
1.3.6 BTSM
The function of BSTM is to support measurement report handling and the distribution of
transmission path by using the LAPD protocol.
Functions of BTSM
1. Radio Link Layer Management
The radio link management sublayer messages are used by the BSC to control the
LAPDm links. Most Layer-3 signaling at the radio interface are transmitted through
this sublayer.
2. Dedicated Channel Management
The sublayer of dedicated channel management manages and distributes dedicated
channels, including such functions as channel activation, channel release, ciphering,
and mode shifting.
3. Common Channel Management
The common channel management information group manages and distributes
common channels. The sublayer manages the channel release, paging messages,
BCCH system messages, and the Immediate Assign Command messages.
4. TRX Management
1-9

The function of the REXM sublayer is to manage the radio transceiver. The messages
of this layer are transmitted only between the BSC and BTS.
1.3.7 SCCP
The Signal Connect Control Part (SCCP) is a supplementary functional module to the
user part, providing additional functions for the MTP. SCCP provides connection-based
and no-connection data services. SCCP is combined with the MTP3 to provide relatively
complete and reliable network layer functions for the information exchanges in any form.
Functions of SCCP
SCCP provides two categories of network layer services: no-connection service and
connection-based service.
In no-connection services, the subscriber does not establish the signaling connection
beforehand, and uses the routing of the SCCP and MTP to transmit data in the signaling
network. No-connection services are suitable for transmitting small amount of data.
In connection-based services, the signaling connection is established beforehand, so that
the data is transmitted directly through the signaling connection without the routing of the
SCCP. The connection-based services are suitable for transmitting large amount of data,
and can effectively reduce the delay for batch bata transmission.
SCCP can implement routing and network management. The routing of the SCCP is
implemented by addressing based on the information of Destination signaling Point Code
(DPC), Subsystem Number (SSN), and Global Title (GT). DPC is the destination signaling
point code used by the MTP, SSN is used to identify different SCCP subscribers of the
same node.
The network management of the SCCP implements the management of signaling point
state and subsystem state, switch between active and standby systems, broadcast of state
information, and the test of subsystem state. SCCP management (SCMG) maintains the
network functions by rerouting or controlling the traffic when network faults or congestions
occur.
1.3.8 BSSAP
The Base Station Application Part (BSSAP) consists of two parts: the Base Station
Management Application Part (BSSMAP) and the Direct Transfer Application Part (DTAP).
Functions of BSSAP
l The BSSMAP protocol supports the call-related or resource management processes
that requires the explanation and handling of the BSS. Some BSSMAP processes can
trigger the processes or the results triggered by the processes of the RR layer.
BSSMAP messages include no-connection and connection-based messages.
1-10

à The no-connection messages are: blocking/unblocking, handover, resources,

reset, and paging messages.
The blocking/unblocking messages include blocking, blocking acknowledgement,
unblocking, unblocking acknowledgement. The group blocking/unblocking
messages include group blocking/unblocking and acknowledgement of group
blocking/unblocking.
Handover messages include handover candidate inquiries and responses to
handover candidate inquiries.
Resource messages include resource requests and resource indications.
Reset message include reset and reset acknowledgement.
à Connection-based messages are messages related to assignment, handover,
clearing, and ciphering.
Assignment messages include assignment requests, assignment completion,
and assignment failures.
Handover messages include handover request, acknowledgement of handover
requests, handover commands, handover completion, and handover failures.
Clearing messages include clearing requests, clearing commands, and clearing
completion.
Ciphering messages include ciphering mode commands and the completion of
ciphering mode commands.
l The function of the DTAP is to transmit Call Control (CC) and Mobility Management
(MM) messages between the MSC and MS. These messages do not require the
explanation of the BSS, but are directly transmitted between the MSC and MS. The
DTAP protocol directly transmits all messages without modifying them. Messages
originated from the MS or sent directly from the MSC to the MS are all DTAP
messages.
1.3.9 MAC
Media Access Control (MAC) is a link-layer protocol that controls the signaling access
process on the radio channel and maps the LLC frames to the GSM channel.
Functions of MAC
l Providing effective multiplexing for control signaling and data in the uplink and
downlink. This is controlled by the network side. In the downlink, multiplexing control
uses a plan, while in the uplink, the multiplexing control uses media arrangement (the
responses to the requests by the server) for a single subscriber.
l Solving channel collision caused by MS-originated channel access requests, including
collision detection and restoration.
l Arranging access trials for MS-terminated channel access, including the queuing of
packet access.
1-11

l Handling priority.
1.3.10 RLC
Radio Link Control is a protocol in the link layer and network layer. The protocol provides
reliable links related to radio solutions.
Functions of RLC
l Transmitting LLC-PDU with interface primitives between the LLC and MAC.
l Segmenting LLC-PDU to reassemble into RLC data units. The Backward Error
Correction (BEC) process can selectively retransmit unrecoverable codes by using
the selective ARQ protocol. The ARQ protocol is the error correction by detection
and repetition.
1.3.11 BSSGP
In the BSS, BSSGP serves as the interface between the LLC frame and the RLC/MAC unit.
In the SGSN, the BSSGP is also an interface between the RLC/MAC and the LLC frame.
The interface uses the information contained in the RLC/MAC. The BSSGP between the
SGSN and BSS has one-to-one relation, that is, if one SGSN is to process multiple BSSs,
the SGSN must have a BSSGP to each BSS.
Functions of BSSGP
The main purpose of BSSGP (BSS GPRS Protocol) is to provide radio-side data, QoS and
routing information to meet the requirements for transmitting subscriber data between the
BSS and SGSN.
1. Providing a no-connection link between the SGSN and BSS.
2. Transmitting unacknowledged data between the SGSN and BSS.
3. Providing bi-directional control over the data flow between the SGSN and BSS.
4. Handling call requests sent from the SGSN to the BSS.
5. Supporting message updating in the BSS.
6. Supporting multi-layer links between the SGSN and the BSS.
1-12

Chapter 2
Service Signaling Procedure
Table of Contents
Service Introduction....................................................................................................2-1
Signaling Procedure of Speech Services ...................................................................2-2
Signaling Procedure of Packet Services ...................................................................2-39
2.1 Service Introduction

The types of services are described in Table 2-1.
Table 2-1 Service Types
Service Type Sub-Service
Speech service Cell selection and reselection
Location update
Mobile originated calls
Mobile terminated calls
Intra-cell handover
Inter-cell handover
Inter-BSC handover
Inter-MSC handover
Sending point-to-point short messages (idle state)
Receiving point-to-point short messages (idle state)
Sending point-to-point short messages (in conversation state)
Receiving point-to-point short messages (in conversation state)
Packet service Uplink one-step access on the CCCH (TBF Established)
Uplink two-step access on the CCCH (TBF Established)
Uplink access on the PACCH (TBF Established)
Downlink access on the CCCH (TBF Established)
Downlink access on the PACCH (TBF Established)
GPRS cell selection and reselection (MS initiated)
Attach (MS initiated)
Detach (MS initiated)
2-1

Service Type Sub-Service
PDP activation (MS initiated)
PDP deactivation (MS initiated)
Cell update (MS initiated)
Routing area update (MS initiated)
2.2 Signaling Procedure of Speech Services

2.2.1 Cell Selection and Reselection
The cell selection and reselection are initiated by the MS itself. The MS implements the
decision of cell selection/reselection based on the cell signal strength and the parameters
in the system messages broadcast by the base stations.
Cell Selection
After the MS is powered on, it attempts to contact the PLMN. In this attempt, the MS selects
a proper cell, and gets the control channel parameters and other system messages. This
process is called "cell selection".
The selection of a proper cell depends on many factors, such as whether the cell is in the
selected network (in manual selection mode), whether access to the cell is forbidden, the
cell priority, whether the access level of the MS is forbidden by the cell, and whether radio
channel quality can meet the communication requirements. Of the factors, the quality of the
radio channel is important for cell selection. The GSM specifications include a parameter
C1, called path loss. A proper cell indicates that C1 of that cell must be above zero (C >
0). C1 is calculated with the following formula.
C1=RXLEV-RXLEV ACCESS MIN-Max(MS TXPWR MAX CCH-P，0)
RXLEV: the average level received.
RXLEV ACCESS MIN: minimum access level allowed for the MS.
MS TXPWR MAX CCH: maximum transmission power of the control channel.
P: maximum output power of the MS.
If X>=Y, MAX(X，Y) = X
If X<=Y, MAX(X，Y) = Y
The parameters for calculating C1 are all broadcast in the system messages.
Cell Reselection
After the mobile station selects a cell, it will reside in the selected cell if there are no big
changes in conditions. At the same time, it begins to measure the signal level of the
BCCH carrier of neighboring cells, recording the six neighboring cells with the highest
2-2

Chapter 2 Service Signaling Procedure
signal levels. Next, the MS extracts the system messages and control information from
each of these six cells. When certain conditions prevail, the MS will move to another cell
from the current cell. This process is called cell reselection.
The reselection also considers multiple conditions, including whether the access to a cell
is forbidden. The most important factor, however, is also the strength of the radio signal.
The cell reselection uses C2 as the channel quality parameter, which is calculated with the
following formula:
If PENALTY TIME does not equal to 11111, C2=C1+CELL RESELECT OFFSET –
TEMPORARY OFFSET×H（PENALTY TIME-T）
If PENALTY TIME=11111, C2=C1-CELL RESELECT OFFSET
In the formula,
If X<0, H(X) = 0;
If X>=0, H(X) = 1.
T is a timer, whose initial value is 0. When a cell is recorded in a table as one of the six
cells with the largest signal levels, the counter in the cell begins to calculate, whose value
is accurate to one TDMA frame (about 4.62ms). When the cell is removed from the table
of six cells, the corresponding counter is reset.
CELL RESELECT OFFSET is used to manually correct the cell reselection parameter C2.
TEMPORARY OFFSET is used to provide a negative offset for C2 from the time when the
counter begins to calculate to the time when T reaches PENALTY TIME.
PENALTY TIME is the duration when TEMPORARY OFFSET is used to calculate C2.
However, the value 11111 for the parameter PENALTY TIME indicates the change in the
relation of CELL RESELECT OFFSET to C2.
CELL RESELECT OFFSET, TEMPORARY OFFSET, and PENALTY TIME are cell
reselection parameters. If PI (indication of cell reselection parameter) equals 1, the three
parameters are broadcast on the BCCH of a cell. If PI=0, the MS considers the three
parameters as 0, and that C2=C1.
If via calculation, the MS finds that the C2 of a neighboring cell (in the same location area
with the current cell) exceeds that value of the current cell, and that the situation remains
more than five seconds, the MS will start cell reselection to enter the cell with higher C2.
If via calculation, the MS finds that the C2 of a non-neighboring cell (not in the same
location area with the current cell) exceeds the sum of C2 of the current cell and CELL
RESELECTION HYSTERESIS, and that the situation remains more than five seconds,
the MS will start cell reselection to enter the cell with higher C2. It is worth noting that the
cell reselection caused by C2 comparison must wait an interval of at least 15 seconds to
avoid too frequent reselection of the MS.
2.2.2 Location Update

When an MS is to call another MS in the network, the system will send paging messages
via all base stations in the location area where the MS resides. The call originated by an
2-3

MS concerns all cells in the location area. The concept location area is used to reduce
the system loads, because when the capacity of an MSC is too high, it is impossible to
send paging messages in all cells controlled by the MSC. When an MS moves from one
location area to another, it must register to the system, so that the network can send paging
messages to the MS.
Signaling Procedure
The location update of an MS occurs in the idle status and in the following three cases:
l The MS is powered on.
l The MS roams to a new location area.
l The periodical location updating timer T3212 times out.
Figure 2-1 illustrates the location update procedure.
Figure 2-1 Location Update Procedure
1. Channel Request
The MS requests a channel from a BTS by dynamically sending a random access pulse
on the Random Access Channel (RACH). The channel request message includes the
reason for establishing a channel. The reason can be "paging response", "emergency
call", "other services (mobile originated call, short message service)", and "others"
(such as “location area update”). The message also includes a random parameter,
2-4

which is a 5-bit message randomly selected by the MS. These parameters can be
used by the network to discriminate between two MSs that access to the network
simultaneously. This is the function of the parameters.
2. Channel Required
The BTS sends a channel requirement message to the BSC about the channel request
by the MS. This message (Channel Required) includes not only the information in the
channel request message, but also the messages added by the BTS. The BTS keeps
calculating the number of channels, so that the number of uplink CCCH (RACH-pulse)
is also counted. The parameters are directly taken from the channel request message.
In this way, the BTS adds the initial timing advance (access delay) to this message.
3. Channel Activation
The BSC sends a channel activation message to the BTS. After receiving the channel
requirement message sent from the BTS, the BSC begins to find and distribute the
Separate Dedicated Control Channel (SDCCH). The most important for the BSC is
to distribute a proper BTS and a channel combination including the SDCCH to the
MS. The parameters included in the channel activation message are: DTX control,
channel identification (ID), channel description and mobile distribution, the maximum
power level for the MS and the BTS, the initial timing advance (related to the access)
calculated by the BSC.
4. Channel Activation ACK
Response to the channel activation message. After receiving this message, the
BTS begins to transmit and receive the Slow Assisted Control Channel (SACCH).
The parameter included in the message is the power level of the channel activation
message received by the BTS.
5. Immediate Assignment Command
The BSC informs the BTS about the SDCCH to be used.
6. Immediate Assignment
The Base Station Subsystem (BSS) notifies the MS via the Access Granted Channel
(AGCH) about the usage of the SDCCH. The message is actually a command sent
from the network to the MS. The command is sent to take effect from the AGCH to
the predefined SDCCH. The parameters included in the message are: paging mode,
SDCCH description, associated SACCH, frequency hopping, request parameter (the
same as the establishment reason), initial timing advance, and frequency distribution
(hopping application).
7. Set Asynchronous Balanced Mode (SABM) - Location Update Request
The MS sends the location update request to the network.
8. Unnumbered Acknowledgement (UA)
The unnumbered acknowledgement is implemented in layer-2 when the LAPDm link
is established.
9. Establish Indication (for location update)
2-5

The BTS returns this message (Establish Indication) to acknowledge the immediate
assignment command. The Establish Indication message has two functions. First,
the message indicates from the perspective of the BTS that the MS is currently on the
SDCCH. The BTS thus sends a message to the BSC, indicating that the CM service
requested by the MS is being transmitted on the SDCCH. Second, while identifying
the connection, the BTS add the received layer-3 message to this message.
10. Location Update Request - Connect Request
The location update request is sent to the MSC as a connection request (CR).
11. Connect Confirm
12. Identity Request
This is an identification process that checks the International Mobile Equipment
Identifier (IMEI). The Equipment Identification Register (EIR) sends the request to
control the hardware of the MS. Usually this check is not implemented every time
a call is established. As a typical setting (set in the Visitor Location Register), the
check of the IMEI is performed every 20 times a call is established. The network also
requires the International Mobile Subscriber Identifier (IMSI) to prevent the MS from
losing contact from the network. For example, if the Temporary Mobile Subscriber
Identity (TMSI) of a mobile station is lost in the network, when the MS attempts to start
a call by using the TMSI, the network cannot identify the subscriber but by inquring
the MS. The identification request is sent as a CC (Connection Confirm) message.
13. Identity Response
The MS responses to the identity request by sending a message including the mobile
identity.
14. Authentication Request
The Mobile Switching Center (MSC) sends an authentication request message to the
BSC as connection confirm (CC), including RAND.
15. Authentication Response
The MS returns the Signed Response to the authentication request. The
authentication response is sent to the BSC via the BTS.
The MS authentication uses two algorithms: A3 and A8. The algorithms and 32-digit
key are stored in the SIM card. When the network requests for the authentication
of the MS, the AUC/VLR sents a 32-digit random decimal number to the MS. The
MS then calculates the Signed Response (SRES), and returns the response to the
VLR. VLR then compares the received SRES with the one previously received from
the authentication group of the Authentication Center (AUC). If the two SRESs is the
same, the authentication succeeds. Then the MS can resume the call.
16. Ciphering Mode Command

The MSC requires the BSC to start ciphering from the radio channel. If the network
attempts to start ciphering from the radio interface, it needs to send a message from
2-6

the A interface. If the network implements ciphering, the MS begins ciphering upon
receiving this message.
The BSC stores the ciphering message to its memory, and sends a ciphering command
to the BTS to start the ciphering mode operation.
The GSM system notifies the MS to start ciphering, and that the system is ready to
receive the ciphered messages.
19. Ciphering Mode Complete
The MS confirms the ciphering command.
During the ciphering process, this is the first ciphered message at the air interface.
The GSM system confirms the ciphering command, and notifies the MSC that the MS
starts ciphering and sending messages in ciphering mode.
21. Location Update Accepted
The MSC sends the Location Update Accepted message to the MS to indicate that the
update is finished.
22. TMSI Reallocation Complete
After receiving the TMSI Reallocation Complete message, the MS stores the Location
Area Identifier (LAI) to the SIM card. If the received identification is the IMSI, the MS
deletes the TMSI that is stored previously. If the received identification is the TMSI,
the MS stores it to the SIM card. In the two cases, the MS sends a TMSI Reallocation
Complete message to the network.
23. Clear Command
The MSC sends the message to release all relevant resources, which is the GSMAP
related to the call.
24. Channel Release
Stops the action of the Traffic Channel (TCH) in use. The message is sent from the
BSC to the MS. Another name of the message is "layer-3 disconnection message". If
the call is normally established, the calling reason is "normal".
25. Deactivate SACCH
The BSC sends the message in the downlink to indicate that the BSC stops sending
system messages to the MS. At this moment, it is not necessary to transmit/receive
any message on the SACCH, so deactivation is required.
26. DISC (SDCCH)
The MS sends the layer-2 frame to clear the uplink connection, and notifies the BTS
to stop the service connection on the TCH/FACCH.
27. UA (SDCCH)
2-7

The BTS confirms the removal of the frame. After that, the MS starts to monitor the
BCCH, and releases all radio interfaces.
28. Release Indication
The BTS notifies the BSC to release radio resources.
29. RF Channel Release
The BSC notifies the BTS to release the remaining radio resources.
30. RF Channel Release Ack
After all free radio resources have been released, the BTS sends a message to the
BSC. The released resources include the TCH/FACCH and SACCH.
31. Clear Complete
The acknowledgement is the SCCP data (clear command). The BSC notifies the MSC
that all radio resources related to the call have been released.
32. SCCP Release
After all radio resources are released, the GSMAP related to the call is not necessary.
The message is sent as the RLSD message, notifying the BSC to release the SCCP
connection.
33. SCCP Release Ack
The BSC notifies the MSC in an RLC message that the dedicated SCCP connection
related to the call is released.
2.2.3 Mobile Originated Calls

An MS originated call can be divided into three steps. The first step is to establish a
signaling connection to the MSC. The second step is to allocate the service channel,
transmitting speech service data between the MS and MSC. The third step is to release
resources after the call ends.
Signaling Procedure
The mobile-originated call procedure is illustrated in Figure 2-2.
2-8

Figure 2-2 Mobile-Originated Call Procedure
1. Channel Request
call", "mobile originated call", "short message service", and "others" (such as "location
area update"). The message also includes a random parameter, which is a 5-bit
message randomly selected by the MS. These parameters can be used by the network
2-9

to discriminate between two MSs that access to the network simultaneously. This is
the function of the parameters.
2. Channel Required
The BTS sends a channel requirement message to the BSC. The BTS sends this
message to the BSC about the Channel Request started by the MS. This message
(Channel Required) includes not only the information in the channel request message,
but also the messages added by the BTS. The channel request parameters are taken
directly from the Channel Request message. Besides, the BTS adds the initial timing
advance (access delay) to the message.
After receiving the channel requirement message sent from the BTS, the BSC begins
to find and allocate the Separate Dedicated Control Channel (SDCCH). At the same
time, the BSC sends a channel activation message to the BTS. The most important
in the activation message are the allocated BTS and a channel combination including
the SDCCH. The parameters included in the channel activation message are: DTX
control, channel identification (ID), channel description and mobile distribution, the
maximum power level for the MS and the BTS, the initial timing advance (related to
the access) calculated by the BSC.
The message is a response to the channel activation message. After the BTS receives
the message, it begins to transmit and receive messages on the Slow Associated
Control Channel (SACCH).
The BSC informs the BTS about the SDCCH to be used.
the predifined SDCCH. The parameters included in the message are: paging mode,
7. CM Service Request (SDCCH)
The MS sends the CM Service Request to the network to request a service for the
entities from the connection management sublayer. The services might include the
establishment of the CS connection, auxiliary service activation, or short message
transmission.
8. CM Service Request Establishment Indication
The BTS acknowledges the immediate assignment command via the returned
establishment indication message. The establishment indication message has two
2-10

functions. First, the message indicates from the perspective of the BTS that the MS is
currently on the SDCCH. The BTS thus sends a message to the BSC, indicating that
the CM service requested by the MS is being transmitted on the SDCCH. Second,
while identifying the connection, the BTS add the received layer-3 message to this
message.
9. CM Service Request
This CM request message is sent to the Mobile Switching Center (MSC).
10. UA (SDCCH)
is established.
11. Connect Confirm
BSC as connection confirm (CC), including RAND.
The MS returns the Signed Response (SRES) to the authentication request. The
authentication reponse is sent to the BSC via the BTS.
The MS authentication uses two algorithms: A3 and A8. The algorithms and a 32-digit
key are stored in the SIM card. When the network requests for the authentication of
the MS, the AUC/VLR sents a random 32-digit decimal number to the MS. The MS
then calculates the Signed Response (SRES), and returns the response to the VLR.
VLR then compares the received SRES with the one previously received from the
authentication group of the Authentication Center (AUC). If the two SRESs are the
The first 8 digits of the KI are used for the authentication and the SRES algorithm,
while the remaining 24 digits are reserved for the key algorithm.
The MSC requires the BSC to start ciphering from the wireless channel. If the network
attempts to start ciphering from the radio interface, it needs to send messages from
to the BTS to start the ciphering mode.
16. Ciphering Mode Command (SDCCH)
The BTS informs the MS about the ciphered random number to start ciphering.
17. Ciphering Mode Complete (SDCCH)
2-11


The BSC confirms the ciphering command, and notifies the MSC that the MS starts
ciphering and sending messages in ciphering mode.
19. TMSI Reallocation Command
The purpose of the TMSI reallocation is to provide confidentiality of the identity. The
TMSI reallocation is implemented at least at every location update. The MSC sends
the TMSI reallocation command to the MS to start the TMSI reallocation process. The
TMSI reallocation command includes the combination of the TMSI and the Location
Area Identifier (LAI) allocated by the network. Or, if the TMSI in use is to be deleted,
the command includes an LAI and an IMSI. Usually, the TMSI reallocation command
is sent to the MS via a ciphering-mode RR connection.
Area Identifier (LAI) to the SIM card. If the received identification is the IMSI, the MS
deletes the TMSI that is stored previously. If the received identification is the TMSI,
the MS stores it to the SIM card. In the two cases, the MS sends a TMSI Reallocation
Complete message to the network.
21. Setup
After authentication, identification, and ciphering, the MS is on the Separate Dedicated
Control Channel (SDCCH), ready for sending THE call setup signaling. The setup
message is sent from the MS to the BSC, and then to the MSC.
22. Call Proceeding
When the call control entity of the MS receives the call proceeding message, the MS
enters the "mobile originated call proceeding" state.
23. Assignment Request
The allocation of the Traffic Channel (TCH) starts from this message. At the A
interface, the MSC is the controller that seeks a circuit for the call on the interface.
The message, based on the GSM specifications, includes some optional messages,
including call priority, downlink discontinuous transmission (DTX), radio channel
identification, and available interface bandwidth.
After the channel inside the BSC is saved and allocated, the BSC sends this message
to the BTS to activate the traffic channel (TCH). The contents included in the message
are: the number of channels, activation type, channel mode (DTX/NO DTX), channel
type (speech/data, the speech channel includes the GSM coding algorithm, while the
data channel includes whether the message is transparent on the channel and the
data rate), channel identification, ciphered message, and the power level of the BTS
and MS.
2-12

The BTS returns the current TDMA frame number, and activates the TCH via the Abis
interface.
26. Assignment Command
The BTS sends the received message further to the MS. The contents of the message
include: channel description, power level, cell channel description, channel mode (full
rate/half rate), and mobile frequency point list.
27. SABM (Set Asynchronous Balanced Mode)
The message mainly includes some layer-2 messages. SABM is used to set up a
layer-2 connection.
28. Establish Indication
The establishment indication message has two functions. First, the application of
establishment indication message informs the BTS that the MS is currently on the
FACCH. The BTS thus sends a message to the BSC, indicating the channel usage by
the MS. Second, the BTS identifies the active signaling channel, and adds the layer-3
messages sent from the MS to the establishment indication message.
is established.
30. Assignment Complete (FACCH)
The MS sends this message to the network to indicate that it has successfully set up
the active signaling channel.
31. BSC Confirm
The GSM system confirms that the MSC has acquired a channel.
When the MS notifies the network that it has occupied the traffic channel (TCH), the
Standalone Dedicated Control Channel (SDCCH) is not necessary to be occupied.
The channel release program releases the SDCCH.
33. RF Channel Release ACK
The BTS acknowledges the message of RF channel release.
34. Alerting
The MSC sends an alerting message to the MS.
35. Connect
The MSC sends a message to the MS via the BSC to indicate that the network
connection has been established.
36. Connect Ack
The MS sends this message to the MSC to indicate that the MS is in "active" state.
37. Measurement Report (SACCH)
2-13

After the active signaling channel is established, the MS sends the measurement
report about the voice quality every two seconds.
38. Measurement Report
If the measurement reports have been preprocessed in the BTS, the measurement
results are sent to the BSC. If the reports have not been preprocessed, the reports are
sent directly to the BSC.
39. Disconnect
The MS sends the connection removal message. The message contents are:
removing the terminal-to-terminal connection. The message will stop charging the
connected call.
40. Release
The MSC starts the actual release to stop the call.
41. Release Complete
The MS notifies the network that it will release the processing ID, indicating that release
is in process.
42. Clear Command
The MSC sends the message to release all relevant resources, which is the GSMAP
related to the call.
43. Channel Release
The message stops the action of the active Traffic Channel (TCH). The message is
sent from the BSC to the MS. Another name of the message is "layer-3 disconnection
message". If the call is normally established, the calling reason is "normal".
44. Deactivate Slow Associated Control Channel (SACCH)
system messages to the MS. At this moment, it is not necessary to transceive any
message on the SACCH, so deactivation is required.
45. DISC (Disconnect)
The MS sends the layer-2 frame to remove the uplink connection, and notifies the BTS
46. UA
The BTS confirms the removal of the frame. After that, the MS restarts to monitor the
The BTS notifies the BSC that the MS does not have to many radio resources available.
2-14

50. Clear Complete
The acknowledgement message is the SCCP data (clear command). The BSC notifies
the MSC that all radio resources related to the call have been released.
51. SCCP Release
connection.
Authentication
The authentication message is sent from the MSC to the MS. The BSC directly sends the
message without any processing. The authentication process is illustrated in the signaling
procedure of location update, specifically in the transparent transmission of authentication
request between the MSC and MS, and in the Authentication Response message.
The GSM system uses three algorithms for authentication and ciphering, including A3, A5,
and A8. A3 is used for authentication, while A8 for generating keys, and A5 for ciphering.
A3 and A8 are in the SIM card and authentication center (AUC), while A5 is in the MS and
BTS.
The mobile subscribers have been created in the AUC before the operator uses the security
functions. Following is the information required for creating users:
1. The International Mobile Station Identity (IMSI)
2. Subscriber's Ki
3. The algorithm version
The same information is also stored in the SIM card of the subscriber. Ths basic principle of
the security functionality in the GSM system is to compare the data in the network and those
stored in the SIM card. The International Mobile Subscriber Identity (IMSI) is the only ID for
a mobile subscriber, while Ki is an authentication key that is a 32-digit hexadecimal number.
The algorithms A3 and A8 use these numbers as the basic parameters for authentication.
The authentication center (AUC) can generate the information used for security purpose
during transaction. The information is called authentication data set.
The authentication data set consists of three numbers
1. RAND: a random number.
2. SRES: Signed Response is the result produced by the algorithm A3 based on certain
source information.
3. KC: KC is the ciphering key produced by the algorithm A8 based on certain source
information.
2-15

The three numbers in the authentication data set are interrelated, that is, a certain RAND
and KC can produce a certain SRES and a KC by certain algorithm.
When the Visitor Location Register (VLR) has the three-number data set, it can start the
authentication of the mobile subscriber. The VLR sends the RAND to the SIM card via
the BSS. The SIM has the same algorithm with the network in producing the data set.
Therefore, after receiving the RAND, the SIM should produce the same SRES with that
produced in the network. If the SRES calculated and sent by the MS is the same as the
SRES in the MSC/VLR, the authentication succeeds.
The function of authentication is to protect the network and avoid illegal use. Meanwhile,
authentication protects the mobile subscribers in the GSM system by rejecting the
"invasion" of fake subscribers. When a mobile subscriber switches on to request access
to the network, the MSC/VLR sends the RAND in the three-parameter data set to the
subscriber. The SIM card then calculates the SRES with the authentication Ki and the
received RAND by using the A3 algorithm, and sends the SRES to the MSC/VLR. The
VLR then checks whether the SRES calculated by the SIM card is the same as the SRES
in the data set of the VLR. If the two SRESs match, the subscriber is allowed to access
the network. Otherwise, the access request is rejected.
The authentication is required before registration, call establishment attempt, location
update, and before the activation, deactivation, registration and deletion of supplementary
services.
Encryption
The encryption process involves the BSC, which receives the encrypted message CIPH
MODE CMD sent from the MSC via the A interface. Next, the BSC sends the message to
the MS via the BTS. The MS then implements encryption and returns the message to the
BTS, which sends the CIPH MODE COM message to the BSC. Lastly, the BSC sends the
encrypted message to the MSC.
In the GSM system, encryption is implemented on the wireless path, that is, the
information transceived between the BTS and the MS is encrypted to avoid being
intercepted or monitored by illegal individuals or groups. In the authentication process,
besides calculating the SRES, the subscriber side also produces the ciphering key (KC)
by using the algorithm A8. Upon receiving the ciphering command sent by the MSC/VLR,
the BTS and MS sides both start using the KC. At the MS side, the KC, TDMA frame
number, and ciphering command M are used together based on the A5 algorithm in
ciphering the data flow of subscriber information. The encrypted information, also called
the scrambling code, is transmitted on the wireless path. At the BTS side, the encrypted
data flow sent from the radio channel, the KC and TDMA frame number are used based
on the A5 algorithm to decipher the information and send it to the BSC and MSC.
All voice, data, and all related subscriber parameters must be encrypted.
2-16

2.2.4 Mobile Terminated Calls

An MS-terminated call is different from an MS-originated call mainly in that for an
MS-terminated call, the first step is to page the called MS. After receiving the paging
message sent from the MSC, the BSC paging module sends the paging message to the
relevant BTS according to the message content. The BTS then sends the message on
the paging channel. MS starts the channel request after receiving the paging message.
In addition to the beginning paging process, the signaling procedure for an MS-terminated
call is basically the same with a call originated by the MS.
Signaling Procedure
The mobile-terminated call procedure is illustrated in Figure 2-3.
2-17

Figure 2-3 Mobile-Terminated Call Procedure
1. Paging
2-18

The MSC sends a paging message that can search for the called MS within the paging
range. The paging message includes four pieces of message: message type, the
IMSI, the TMSI, and cell identification table. If a TMSI is registered, it has the priority.
If for security reasons, the only TMSI available in the network is the IMSI, the number
will be sent to the BSC as a unit data message (UDT).
2. Paging Command
The network might include at least three different types of BCCH-TRX-radio time slot
configuration, so that the logical paging channel (PCH) can have at least three different
locations. As a result, the BSC keeps calculating the paging groups. The calculating
result indicates the radio slot where the BTS can send the paging request to the MS.
If the BSC receives the TMSI or IMSI at the same time, it uses the TMSI in sending
the paging message.
3. Paging Request
The BSC sends the paging message on the paging channel (PCH).
4. Channel Request
call", "mobile originated call", "short message service", and "others" (such as "location
area update"). The message also includes a random parameter, which is a 5-bit
message randomly selected by the MS. These parameters can be used by the network
to discriminate between two MSs that access to the network simultaneously. This is
the function of the parameters.
5. Channel Required
The BTS sends a channel requirement message to the BSC. The BTS sends this
message to the BSC about the Channel Request started by the MS. This message
(Channel Required) includes not only the information in the channel request message,
but also the messages added by the BTS. The channel request parameters are taken
directly from the Channel Request message. Besides, the BTS adds the initial timing
advance (access delay) to the message.
After receiving the channel requirement message sent from the BTS, the BSC begins
to find and allocate the Separate Dedicated Control Channel (SDCCH) according to
certain conditions. At the same time, the BSC sends a channel activation message to
the BTS. The most important in the activation message are the allocated BTS and a
channel combination including the SDCCH. The parameters included in the channel
activation message are: DTX control, channel identification (ID), channel description
and mobile distribution, the maximum power level for the MS and the BTS, the initial
timing advance (related to the access) calculated by the BSC.
2-19

The message is a response to the channel activation message. After the BTS receives
the message, it begins to transmit and receive messages on the Slow Associated
Control Channel (SACCH).
The BSC informs the BTS about the Standalone Dedicated Control Channel (SDCCH)
to be used.
the predifined SDCCH. The parameters included in the message are: paging mode,
10. SABM Paging Response
The MS responds to the paging on the SDCCH.
11. Paging Response (Establish Indication)
message (Establish Indication). The establishment indication message has two
functions. First, the message informs the BTS that the MS is currently on the SDCCH.
The message also indicates that the paging response sent from the MS is being
transmitted on the SDCCH. Second, while identifying the connection, the BTS add
the received layer-3 message to this message.
12. Paging Response
BSC sends a connection request message to the MSC via the paging response
message.
is established.
BSC as connection confirm (CC), which is transparently transmitted to the MS via the
BSC.
The MS returns the Signed Response (SRES) to the authentication request. The
authentication response is sent to the MSC via the BTS.
The MS authentication uses two algorithms: A3 and A8. The algorithms and a 32-digit
key are stored in the SIM card. When the network requests for the authentication of
the MS, the AUC/VLR sends a random 32-digit decimal number to the MS. The MS
2-20

then calculates the Signed Response (SRES), and returns the response to the VLR.
The VLR then compares the received SRES with the one previously received from
the authentication group of the Authentication Center (AUC). If the two SRESs are the
The first 8 digits of the KI are used for the authentication and the SRES algorithm,
while the remaining 24 digits are reserved for the key algorithm.
The MSC requires the BSC to start ciphering from the wireless channel. If the network
attempts to start ciphering from the radio interface, it needs to send messages from
to the BTS to start the ciphering mode.
The GSM system notifies the MS to start ciphering, and that the system is ready to
receive the ciphered messages.

The GSM system confirms the ciphering command, and notifies the MSC that the MS
starts ciphering and sending messages in ciphering mode.
21. TMSI Reallocation Command
The purpose of the TMSI reallocation is to provide confidentiality of the identity. The
TMSI reallocation is implemented at least at every location update. The MSC sends
the TMSI reallocation command to the MS to start the TMSI reallocation process. The
TMSI reallocation command includes the combination of the TMSI and the Location
Area Identifier (LAI) allocated by the network. Or, if the TMSI in use is to be deleted,
the command includes an LAI and an IMSI. Usually, the TMSI reallocation command
is sent to the MS via a ciphering-mode RR connection.

Area Identifier (LAI) to the SIM card. If the received identity is the IMSI, the MS deletes
the TMSI that is stored previously. If the received ID is the TMSI, the MS stores it to the
SIM card. In the two cases, the MS sends a TMSI Reallocation Complete message to
the network.
23. Setup
2-21

After authentication, identification, and ciphering, the MS is on the Separate Dedicated

Control Channel (SDCCH), ready for sending speech messages for the call. In this
case, the MSC sends the call setup message to the MS.
24. Call Confirm
The MS responds to the call setup message after testing the calling capability of all
compatible devices.
25. Assignment Request
The allocation of the Traffic Channel (TCH) starts from this message. At the A
interface, the MSC is the controller that seeks an available circuit for the call on the
interface. The message, based on the GSM specifications, includes some optional
messages, including call priority, downlink Discontinuous Transmission (DTX), radio
channel identification, and bandwidths of available interfaces.
After the channel inside the BSC is saved and allocated, the BSC sends this message
to the BTS to activate the traffic channel (TCH). The contents included in the message
are: the number of channels, activation type, channel mode (DTX/NO DTX), channel
type (speech/data, for the speech channel, the message includes the GSM coding
algorithm, while for the data channel, the message includes whether the message
is transparent over the channel and the data rate), channel identification, ciphered
message, and the power level of the BTS and MS.
The BTS returns the current TDMA frame number, and activates the TCH via the Abis
interface.
28. Assignment Command
The BTS sends the received message further to the MS. The contents of the message
include: channel description, power level, cell channel description, channel mode (full
rate/half rate), and mobile frequency point list.
29. SABM (Set Asynchronous Balanced Mode)
The message mainly includes layer-2 messages, with some layer-3 messages.
The establishment indication message has two functions.
a. First, the application of establishment indication message informs the BTS that
the MS is currently on the FACCH. The BTS thus sends a message to the BSC,
indicating the current channel usage by the MS.
b. Second, the BTS identifies the active signaling channel, and adds the layer-3
messages sent from the MS to the establishment indication message.
is established.
2-22

32. Assignment Complete (FACCH)

33. Assignment Complete
The BSC confirms to the MSC about the acquirement of a channel.
When the MS notifies the network that it has occupied the traffic channel (TCH), the
Standalone Dedicated Control Channel (SDCCH) is not necessary to be occupied.
The channel release program then releases the SDCCH.
35. RF Channel Release ACK
36. Alerting
MS sends an alerting message to the MSC.
37. Connect
The MS user accepts the call by sending this message. The MSC begins the control
of the call when the Connect message comes.
38. Connect Ack
The MSC notifies the MS by this message that the call connection completes.
Therefore, the voice coder can be opened on the MS. If the voice coder is not open,
the logical channel of the MS switches from the Fast Associated Control Channel
(FACCH) to the Traffic Channel (TCH).
40. Measurement Report/Result
results are sent to the BSC.
If the reports have not been preprocessed, the reports are sent directly to the BSC.
41. Disconnect
The MS sends the connection removal message. The message will stop charging the
connected call.
The message contents are: removing the terminal-to-terminal connection.
42. Release
The MSC starts the actual release to stop the call.
43. Release Complete
2-23

The MS notifies the network that it will release the processing ID, indicating that release
is in process.
44. Clear Command
The MSC sends the message to release all related resources.
45. Channel Release (FACCH)
The message stops the active Traffic Channel (TCH). The message is sent from the
BSC to the MS. If the call is normally established, the calling reason is "normal".
46. Deactivate Slow Associated Control Channel (SACCH)
system messages to the MS. At this moment, it is not necessary to transmit/receive
any message on the SACCH, so deactivation is required.
47. DISC (Disconnect)
The MS sends the layer-2 frame to remove the uplink connection, and notifies the BTS
48. Unnumbered Acknowledgement
The BTS confirms the removal of the frame. After that, the MS restarts monitoring the
The BTS notifies the BSC that the MS does not have to many radio resources available.
52. Clear Complete
53. SCCP Release
connection.
2-24

2.2.5 Intra-Cell Handover

Intra-cell handover refers to finding available service channel within a cell and handing
over the MS to this channel. The allocation of a new channel for the intra-cell handover
uses the assignment command.
Signaling Procedure
The signaling procedure for the intra-cell handover is illustrated in Figure 2-4.
Figure 2-4 Intra-Cell Handover Procedure

If the reports have not been preprocessed in the BTS, the reports are sent directly to
the BSC.
The BSC sends a channel activation message to the BTS. After receiving the handover
request from the BTS, the BSC starts searching and allocating the traffic channel
(TCH) for completing the call based on a certain protocol. The most important in the
activation message are the allocated BTS and a channel combination including the
SDCCH.
The parameters included in the channel activation message are: DTX control,
2-25

After receiving this message, the BTS begins to transmit and receive on the
TCH/SACCH. The parameter included in the message is the power level of the
channel activation message received by the BTS.
5. Assignment Command (FACCH)
The BTS sends the received message further to the MS.
The contents of the message include: channel description, power level, cell channel
description, channel mode (full rate/half rate), and mobile frequency point list.
6. Set Asynchronous Balanced Mode (SABM)
The message mainly includes layer-2 messages, with some layer-3 messages.
The contents of the message are: service request, key sequence number, Mobile
Station classmark, and mobile identification number (MIN).
Establish Indication message.
a. This procedure indicates to the BTS the new TCH where the MS is located. The
BTS thus sends the description of the new TCH to the BSC.
b. The BTS identifies the connected signaling channel by this message (Establish
Indication), while adding the layer-3 messages it received.

is established.
9. Assignment Complete
10. Handover Performed
The BSC notifies the MSC about the handover.

When the MS notifies the network that it has been handed over to the new traffic
channel (TCH), the original TCH established for the call is no longer necessary and
has to be released by the channel release procedure.
2-26

2.2.6 Inter-cell Handover

Intra-BSC inter-cell handover refers to finding an available service channel in another cell
controlled by the BSC and handing over the MS to this channel.
Signaling Procedure
The signaling procedure for the inter-cell handover is illustrated in Figure 2-5.
Figure 2-5 Inter-Cell Handover Procedure

the BSC.
The BSC sends a channel activation message to the BTS. After receiving the handover
request from the BTS, the BSC starts searching and allocating the traffic channel
(TCH) for completing the call based on a certain protocol. The most important in the
activation message are the allocated BTS and a channel combination including the
SDCCH.
2-27

After receiving this message, the BTS begins to transmit and receive messages on
the TCH/SACCH. The parameter included in the message is the power level of the
channel activation message received by the BTS.
5. Handover Command
The BSC sends the Handover Command message to the BTS for modifying the
dedicated channel and the required timing advance.
6. Handover Command (FACCH)
BTS sends the message to the MS.
7. Handover Access (FACCH)
The MS sends a handover access message in random mode to the new BTS.
8. Handover Detect
The new BTS notifies the BSC that it has detected the handover access message.
9. Handover Detect
The new BSC notifies the MSC that it has detected the handover access message.
10. Physical Info (FACCH)
The physical information includes the messages related to different physical layers.
The information ensures the accuracy in transmission.
The message mainly includes layer-2 messages, with some layer-3 messages. The
contents of the message are: service request, key sequence number, MS classmark,
and mobile identification number (MIN).
The BTS acknowledges the immediate assignment command based on the returned
Establish Indication message.
a. This procedure indicates to the BTS the new TCH where the MS is located. The
BTS thus sends the description of the new TCH to the BSC.
b. The BTS identifies the connected signaling channel by this message (Establish
is established.
2-28

14. Handover Complete

15. Receive Ready (RR)
The new BTS sends the message to the MS
The new BTS (BTS2) sends the message to the BSC.
17. Handover Performed
The BSC notifies the MSC about the handover.
has to be released by the RF channel release procedure.
The original BTS (BTS1) acknowledges the message of RF channel release.
2.2.7 Inter-BSC Handover

When no available service channel is found within one BSC, and the available channel
is found in another BSC controlled by the same MSC, the inter-BSC handover is
implemented.
Signaling Procedure
Inter-BSC handover can be divided into two parts: part 1 is outgoing handover from the
source BSC, part 2 is incoming handover process to the target BSC.
Figure 2-6 illustrates the procedure for an inter-BSC handover.
2-29

Figure 2-6 Inter-BSC Handover Procedure
the BSC.
3. Handover Required
The BSC notifies the MSC of the handover requirement.
4. Handover Request
The MSC sends the handover request to the target BSC (BSC2), which implements
the channel activation later on.
The target BSC (BSC2) sends a channel activation message to the target BTS. After
receiving the handover request from the BTS, the BSC starts searching and allocating
the traffic channel (TCH) for completing the call based on a certain protocol. The most
important in the activation message are the allocated BTS and a channel combination
including the SDCCH.
2-30

This message is a response to the channel activation message. After receiving this
message, the BTS begins to transmit and receive messages on the TCH/SACCH.
The parameter included in the message is the power level of the channel activation
message received by the BTS.
7. Handover Request Acknowledgement
After the channel is activated, the target BSC sends a message of handover request
acknowledgement to the MSC, and then implements channel activation.
8. Handover Command
The MSC sends the handover command to the BSC for modifying channel
configurations and the TA.
9. Handover Command (FACCH)
The BSC1 sends the handover command to the MS via the BTS1.
10. Handover Access (FACCH)
The MS sends the handover access message to the target BTS.
11. Handover Detect
The target BTS notifies the BSC2 that it has detected the handover access message.
12. Handover Detect
The target BSC sends the Handover Detect message to the MSC, indicating that
channel establishment has begun in the new GSM system.
13. Physical Info (FACCH)
The physical information includes messages related to different physical layers. The
MS then provides a proper transmission path.
The message mainly includes layer-2 messages, with some layer-3 messages. The
contents of the message are: service request (refer to the establishment reason), key
sequence number, Mobile Station classmark, and mobile identification number (MIN).
The BTS acknowledges the immediate assignment command based on the returned
Establish Indication message. The establishment indication message has two
functions. First, this procedure indicates to the BTS the new TCH where the MS is
located. The BTS thus sends the description of the new TCH to the BSC. Second,
the BTS identifies the connected signaling channel by this message (Establish
16. Unnumbered Acknowledgement
2-31

The unnumbered acknowledgement is implemented in layer-2 when the layer-2

LAPDm link is established.
The MS sends the handover completion message to the network, indicating the
successful establishment of signaling link.
The BSC2 sends the handover completion message to the BSC. After the MSC
receives the handover completion message, the network releases the original
channel.
19. Clear Command

The message is sent by the MSC, which is responsible for releasing relevant
resources.
has to be released by the RF channel release procedure.
The original BTS acknowledges the message of RF channel release.
22. Clear Complete
2.2.8 Inter-MSC Handover

The inter-MSC handover procedure can be divided into three types: basic handover,
subsequent handover back to the master MSC and handover to the third MSC.
Signaling Procedure
l Basic handover
Figure 2-7 illustrates the basic handover procedure.
2-32

Figure 2-7 Basic Handover Procedure
1. The BSS-A sends the message HO-REQUIRED at interface A.

2. The MSC-A generates the HANDOVER REQUEST message at interface A and
adds the message to the MAP-PREPARE-HANDOVER message, which is sent
to the MSC-B. MSC-B requests a roaming number from the VLR, and sends the
HANDOVER REQUEST message to the BSC B, requiring channel allocation by
the MSC-B. Then the MSC-B sends MAP-PREPARE-HANDOVER response mes-
sage to MSC-A. The response message includes the handover number and HO
REQUEST-ACKNOWLEDGE message sent from BSC.
3. The MSC-A uses the handover number to send the IAM message to the MSC-B
for establishing a voice channel. After getting response from the MSC-B, the
MSC-A sends the A-HO-COMMAND to the BSS-A to request handover.
4. MS performs handover. MSC-B sends the
MAP-PROCESS-ACCESS-SIGNALLING request message (carrying the
A-HO-DETECT message received by the BSS-B) to MSC-A, and sends the
MAP-SEND-END-SIGNAL request message (carrying the A-HO-COMPLETE
message) to the MSC-A, and sends the ANC message. MSC-A sends the
A-CLEAR-CMD message to the BSS-A to release the resource.
5. Upon call completion, the MSC-A sends the MAP-SEND-END-SIGNAL response
and the RELEASE message to the MSC-B to release resources.
l Subsequent Handover Back
Figure 2-8 shows the subsequent incoming handover procedure.
2-33

Figure 2-8 Subsequent Incoming Handover Procedure
1. After receiving the A-HO-REQUEST message, the MSC-B sends

the MAP-PREPARE-SUBSEQUENT-HANDOVER message (including
A-HO-REQUEST) to the MSC-A.
2. MSC-A sends MAP-PREPARE-SUBSEQUENT-HANDOVER response (including
A-HO-REQUEST-ACKNOWLEDGE message) to the MSC-B. After receiving the
message, MSC-B sends A-HO-COMMAND to request the handover by the MS.
3. After receiving the A-HO-COMMAND message from the BSS, the MSC-A sends
the MAP-SEND-END-SIGNAL response message to the MSC-B, which imple-
ments the release. The MSC-A sends the Release message to the MSC-B to
release inter-MSC circuit.
l Subsequent Handover to a Third MSC
Figure 2-9 illustrates the procedure for subsequent handover to a third MSC.
2-34

Figure 2-9 Procedure for the Subsequent Handover to a Third MSC
1. MSC-B sends the MAP-PREPARE-SUBSEQUENT-HANDOVER message

(including MSC-B' number and A-HO-REQUEST) to MSC-A.
2. After receiving the ACM message from the MSC-B’, the MSC-A sends MAP-PRE-
PARE-SUBSEQUENT-HANDOVER response to the MSC-B, indicating that the
MSC-B’ has successfully allocated radio resource with the A-HO-REQUEST-AC-
KNOWLEDGE message.
3. After the MSC-A receives the MAP-SEND-END-SIGNAL REQUEST message
with A-HO-COMPLETE from MSC-B’, the handover succeeds, and the
circuit between the MSC-A and MSC-B is released. The MSC A also
sends MAP-SEND-END-SIGNAL response to the MSC-B to terminate MAP
conversation, and the MSC-B releases the radio resources.
2.2.9 Sending Point-to-Point Short Messages (Idle State)

The short message sending procedure starts from the access of the MS to the system, and
ends when the MS receives the sending success message sent from the short message
center (SMC). The mobile-originated SMS procedure is divided into the procedure on the
Standalone Dedicated Control Channel (SDCCH ) and that on the Slow Associated Control
Channel (SACCH). The procedure for an MS in idle status is on the SDCCH.
2-35

Signaling Procedure
Figure 2-10 illustrates the procedure for sending a point-to-point short message in idle
state.
Figure 2-10 Procedure for Sending Point-to-Point Short Messages (Idle State)
The procedure for sending a short message from an idle MS is similar with that for a
mobile-originated call. The procedure can be divided into three steps:
1. The procedure from 1 to 8 is the random access and immediate assignment, during
which time the BSS allocates the signaling channel for the MS.
2. The procedure from 14 to 21 is the short message sending process.
The MS re-sends the SABM frame, notifying the network side that the subscriber
requires to set up the short message service (SMS). Next, the BSC provides the
transparent transmission channel for exchanging short message information between
the MS and MSC. During the sending procedure, the MSC of some manufacturers
can send the ASS REQ message to the BSC, requiring the assignment of an SMS
channel. The time of sending the ASS REQ message is the same with a common
call procedure. The BSC can either assign another channel for the SMS, or use the
orignal SDCCH for the SMS.
3. The procedure from 22 to 32 is the release process. The MS starts the release of
resources upon completion of sending the short message.
2-36

2.2.10 Receiving Point-to-Point Short Messages (Idle State)

The process of receiving a short message includes acquiring routing information, paging,
access and paging response, authentication, ciphering, sending, and reporting the
receiving result to the short message center (SMC).
Signaling Procedure
Figure 2-11 illustrates the procedure for receiving a point-to-point short message in idle
state.
Figure 2-11 Procedure for Receiving Point-to-Point Short Messages (Idle State)
The procedure for receiving a short message from an idle MS is similar with that for a
mobile-terminated call. The procedure can be divided into three steps:
1. The procedure from 1 to 10 are paging response and immediate assignment.

The MSC sends the Paging CMD message to page the receiving MS, which then
requests a SDCCH and returns the Paging Response message.
2. The procedure from 17 to 25 are SMS setup and short message sending.
For the terminated SMS procedure, the BSC sends the EST REQ message to the MS
to request the SMS setup. After the BSC receives the EST CNF message from the MS,
the setup of the SMS channel succeeds. The BSC transparently transmits the short
2-37

message until the sending process completes. In the whole signaling procedure, 14
and 15 are optional.
3. The procedure from 26 to 36 is the release process.
2.2.11 Sending Point-to-Point Short Messages (Busy State)

The SMS originated procedure for a busy MS is on the SACCH.
Signaling Procedure
The channel is set up for a busy MS, so that requesting a new channel is not necessary
for sending a short message.
For sending a short message from a busy MS, the MS sends the CM SERV REQ message
on the FACCH to the MSC, which returns the CM SERV ACC message to set up a CC layer
connection. Next, the connection is set up on the SACCH for sending the short message.
After the short message is sent, it is also not necessary to release the channel resource.
Figure 2-12 illustrates the procedure for sending a point-to-point short message in busy
state.
Figure 2-12 Procedure for Sending Point-to-Point Short Messages (Busy State)
2.2.12 Receiving Point-to-Point Short Messages (Busy State)

The process of receiving a short message includes acquiring routing information, paging,
access and paging response, authentication, ciphering, sending, and reporting the
receiving result to the short message center (SMC).
2-38

Signaling Procedure
The channel is set up for a busy MS, so that requesting a new channel is not necessary
for receiving a short message.
After receiving the CP DATA message sent from the MSC, the BSC set up the RR-layer
connection for the SMS. When receiving the acknowledgement by the MS, the BSC sends
the message to the MS.
After the short message is received, it is not necessary to release the channel resource.
Figure 2-13 illustrates the procedure for receiving a point-to-point short message in busy
state.
Figure 2-13 Procedure for Receiving Point-to-Point Short Messages (Busy State)
2.3 Signaling Procedure of Packet Services

2.3.1 One-Step Access on the CCCH
In the GPRS system, one-step access has clear conflict-resolving mechanism. The
transmission of the GMM or SM signaling must use the one-step access.
2-39

Signaling Procedure
The procedure for uplink one-step access on the CCCH is illustrated in Figure 2-14.
Figure 2-14 Uplink One-Step Access on the CCCH
1. The MS sends the CHANNEL REQUEST message to the BSC via the BTS.
2. After receiving the message, the BSC requests for relevant radio resources, and sends
the channel activation message to the BTS.
3. After activating the channel, the BTS returns the Channel Activation Acknowledgement
message to the BSC, which then sends the Immediate Assignment message to the
MS.
4. After receiving the Immediate Assignment message, the MS starts sending uplink data
on the assigned radio channel. To introduce the conflict resolution mechanism, the
MS should add the Temporary Link Level Identity (TLLI) to the first three data block.
(The conflict-resolving mechanism is used to avoid the channel allocation conflict when
multiple MSs request for channels simultaneously.)
5. After receiving the first uplink data block, the BSC responses with the PACKET UPLINK
ACK message, which contains the TLLI.
6. After receiving the PACKET UPLINK ACK message, the MS checks whether the TLLI
is the same with that in itself. If yes, the radio channel is allocated to the MS, which can
then resume sending uplink data. Otherwise, the MS exits and re-starts the random
access procedure.
2.3.2 Uplink Two-Step Access on the CCCH

In the GPRS system, the transmission of packet data in RLC acknowledgement mode
must use the two-step access.
Signaling Procedure
The procedure for uplink two-step access on the CCCH is illustrated in Figure 2-15.
2-40

Figure 2-15 Procedure for Uplink Two-Step Access on the CCCH
1. The MS sends the CHANNEL REQUEST message to the BSC via the BTS.
2. After receiving the message, the BSC requests for relevant radio resources, and sends
the channel activation message to the BTS.
3. After activating the channel, the BTS returns the Channel Activation Acknowledgement
message to the BSC, which then sends the Immediate Assignment message to the
MS.
4. After receiving the Immediate Assignment message, the MS sends the PACKET
RESOURCE REQUEST message to the BSC. The message contains the TLLI of the
subscriber.
5. After receiving the message, the BSC releases the single block resource and request
for another resource, while implementing channel activation for another time.
6. After receiving the Channel Activation Acknowledge message, the BSC sends the
PACKET UPLINK ASSIGNMENT message to the MS. The message includes the
information such as the USF and the TLLI.
2.3.3 Uplink Access on the PACCH

During the downlink transmission, the MS can starts establishing the uplink Temporary
Block Flow (TBF) by sending a message to the BSC.
Signaling Procedure
When the downlink TBF is established, the uplink access procedure on the PACCH is
shown in Figure 2-16.
2-41

Figure 2-16 Procedure for Uplink Access on the PACCH
1. If the MS attempts to establish the uplink TBF on the condition that the downlink TBF
has been established, the MS needs to send the PACKET DOWNLINK ACK message,
which contains the CHANNEL REQUEST message, to the BSC.
2. After receiving the message PACKET DOWNLINK ACK that contains CHANNEL RE-
QUEST message, the BSC releases the original downlink resources, and requests
new uplink and downlink resources. Meanwhile, the BSC requires the BTS to activate
channel.
3. After activating the relevant channel, the BTS returns the CHANNEL ACTIVATION
ACKNOWLEDGEMENT message to the BSC. After receiving the message, the
BSC sends the PACKET TIMESLOT RECONFIGURE message to the MS, and the
establishment of uplink TBF completes.
2.3.4 Downlink Access on the CCCH

When the PBCCH is not configured, the SGSN requests for downlink transmission to
initiate the downlink access on the CCCH.
Signaling Procedure
The procedure for the uplink access on the CCCH is illustrated in Figure 2-17.
2-42

Figure 2-17 Procedure for Downlink Access on the CCCH
1. After receiving the downlink data unit BSSGP DL UNITDATA sent from the SGSN,
the BSC requests for relevant radio resources, while initiating the channel activation
process to the BTS.
ACKNOWLEDGEMENT message to the BSC. Upon receiving the message, the BSC
sends the IMMEDIATE ASSIGNMENT message to the MS.
3. After receiving the PACKET_PTA_SEND message (indication of successful sending
of the IMMEDIATE ASSIGNMENT message) sent from the BTS, the BSC sends the
PACKET POLLING REQUEST message to the MS.
4. Upon receiving the message, the MS returns the PACKET CONTROL
ACKNOWLEDGEMENT message, calculating the value of TA during the process.
5. The BSC sends the PACKET POWER CONTROL/TIME ADVANCE message to the
MS. If there are multiple allocated downlink time slots, the BSC needs also to send the
PACKET DOWNLINK ASSIGNMENT message to the MS.
2.3.5 Downlink Access on the PACCH

During the uplink transmission, the network can starts establishing the downlink Temporary
Block Flow (TBF) by sending a message to the MS.
Signaling Procedure
The procedure for the downlink access on the PACCH is illustrated in Figure 2-18.
2-43

Figure 2-18 Procedure for Downlink Access on the PACCH
1. If the uplink TBF is established, when the BSC receives the downlink data unit BSSGP
DL UNITDATA sent from the SGSN, it is necessary to establish the downlink TBF.
BSC will release the original uplink resources and request for new uplink and downlink
resources. Meanwhile, the BSC requires the BTS to activate channel.
ACKNOWLEDGEMENT message to the BSC. After receiving the message, the
BSC sends the PACKET TIMESLOT RECONFIGURE message to the MS, and the
establishment of downlink TBF completes.
2.3.6 GPRS Cell Selection and Reselection

The cell selection and reselection procedure is shown in Figure 2-19.
2-44

Figure 2-19 GPRS Cell Selection and Reselection Procedure
The detailed procedure is as follows:
1. Cell Selection
When the MS is switched on or moves from a blind area to a coverage area, the MS
will seek all frequency points allowed by the PLMN, while selecting an appropriate cell
to reside in. The process is called cell selection.
Before the allocation of the GPRS dedicated channel, the GPRS Mobile Stations use
the GSM signaling resources.
During cell selection, the Mobile Station (MS) first searches through 124 RF channels,
calculating the average level based on the received signal strength of each RF
channel. This process takes three to five seconds. At lease one measurement point
is taken from each RF channel.
After this process, the MS is modulated to the carrier with the highest reception level.
2. Cell Reselection
In the GPRS system, the cell reselection can be controlled by the network or
carried out by the MS itself. Compared with the MS-implemented cell reselection,
network-controlled reselection fully considers the information known to the network,
such as individual cell load, status, and level. Therefore, network-controlled cell
2-45

reselection can make reasonable reselection decisions via flexible control strategy,
thus optimizing the allocation of services within the network.
The general procedure for network-controlled cell reselection is illustrated in Figure
2-20.
Figure 2-20 Network-Controlled Cell Reselection Procedure
a. Measurement Report Saving

Searching for instances according to the TLLI contained in the packet
measurement report, saving the power levels of the serving cells and neighboring
cells separately in the instance data area. The instance can contain the
measurement reports of up to 8 neighboring cells.
b. Weight Average of Measurement Report
To avoid too frequent cell reselection, the cell reselection module averages
several recent measurement reports before making the reselection pre-decision.
The period for packet measurement report is relatively long and not fixed, so
that individual measurement reports are give different weights according to their
reporting time.
c. Cell Reselection Pre-decision
The algorithm for network-controlled cell reselection pre-decision uses three
parameters: path loss parameter (C1), signal level threshold rule for the
multi-layer cell structure (C31), and cell ranking rule (C32). If C1 < 0, the cell
reselection is required. C31 and C32 are used to decide the most appropriate
2-46

cell. Pre-decision does not make the final choice. When the cell reselection
pre-decision decides that cell reselection is required, the BSC user plane notifies
the BSC control plane about the C31 and C32 of these neighboring cells via the
cell reselection request message.
The algorithm for pre-decision is explained as follows:
l If the value of C for the serving cell is below zero, reselection is required.
Rank the values of C31 of neighboring cells, or if C31 is below zero for all
neighboring cells, rank the value of C32. After that, the parameters C31 and
C32 are sent to the control plane, which selects a cell according to the network
conditions.
l If the value of C in the serving cell is above zero, the reselection module
selects a neighboring cell that is more appropriate than the current serving
cell. The parameters of the serving cell and neighboring cells are sent to the
control plane for decision. If no better cells are found, reselection will not
be carried out. Whether a neighboring cell is better than the serving cell is
decided by the value of C31.
d. Cell Reselection Decision
After receiving the cell reselection request message sent from the BSC user plane,
the BSC control plane implements cell reselection decision, selecting the target
cell. The BSC control plane checks the resources and service loads of several
strongest neighboring cells, and selects a best cell, while sending cell reselection
indication to the BSC user plane.
e. Sending the Cell Reselection Command
After receiving the Cell Reselection Indication message, the BSC user plane sends
a cell reselection command to the MS. For a mobile station in packet idle mode,
if a Packet Common Control CHannel (PCCCH) is configured, the cell reselection
command is sent to the MS on the PCCCH. If the PCCCH does not exist, the BSC
first assigns a downlink block via an IMMEDIATE ASSIGNMENT message, and
then sends the cell reselection command through the downlink block. For a mobile
station in packet transfer mode, the cell reselection command is sent to the MS
on the Packet Associated Control Channel (PACCH).
2.3.7 Attach
IMSI Attach refers to the process when the MS reports its IMSI to the system after it is
powered on.
Signaling Procedure
GPRS Attach is a procedure of the GPRS Mobility Management (GMM). The procedure is
triggered by the MS.
GPRS Attach has two types. The first type is regular GPRS Attach, during which process
the MS only attaches the IMSI to the GPRS service. The other type is combined GPRS
2-47

Attach, which implements both GPRS Attach and location update. Figure 2-21 illustrates
the Attach procedure.
Figure 2-21 Attach Procedure
1. The MS sets up an uplink temporary block flow (TBF) by two-step access with "MM
Program" as the access request. Upon receiving the PACKET UPLINK ASSIGNMENT
message sent from the BSC, the MS sends the LLC PDU, containing the ATTACH
REQUEST message, on the assigned RLC data block.
2. Upon receiving the ATTACH REQUEST message, the BSC puts the message on the
BSSGP UPLINK DATA UNIT and sends it data unit to the SGSN.
3. Upon receiving the ATTACH REQUEST message, the target SGSN gets the address
of the source SGSN based on the P-TMSI in the message and the source RAI. Next,
the target SGSN sends an IDENTITY REQUEST message to the source SGSN.
4. Upon receiving the message, the source SGSN, if it can identify the MS, sends an
IDENTITY RESPONSE message to the target SGSN.
5. The target SGSN, if cannot getting the identity of the MS from the source SGSN, sends
an IDENTITY REQUEST message to the MS for getting information such as IMSI,
while implementing authentication and encryption.
6. When authentication and encryption succeeds, the target SGSN looks for the HLR
where the MS belongs by the IMSI. The SGSN sends a LOCATION UPDATE
REQUEST message to the HLR.
2-48

7. Upon receiving the message, the HLR saves the information of the new SGSN, and
sends a location deletion message to the source SGSN, which, upon receiving the
message, deletes all information of the MS, and returns the ACK message to the HLR.
8. Upon receiving the ACK message sent from the source SGSN, the HLR sends a
INSERT SUBSCRIBER DATA message, with data related to the MS, to the target
SGSN. The target SGSN, upon receiving the message, returns the ACK message to
the HLR, which then sends the LOCATION UPDATE ACKNOWLEDGE message to
the target SGSN.
9. The SGSN, if accepting the attach request by the MS, sends the ATTACH ACCEPT
message to the MS. If the SGSN allocates a new P-TMSI, the new P-TMSI along with
the route identification information will be sent to the MS via the ATTACH ACCEPT
message.
10. For the Combined Attach, a new TMSI and a new LAI are included in the ATTACH
ACCEPT message.
11. The BSC, upon receiving the downlink data unit containing the ATTACH ACCEPT
message, allocates a downlink TBF, and sends the message to the MS via the
assigned downlink RLC data block.
12. Atfter receiving the ATTACH ACCEPT message, the MS stores the RAI information,
and enters the ready status. For a Combined Attach, the MS stores the TMSI and LAI
information, and sends the newly allocated TMSI included in the ATTACH COMPLETE
message to the SGSN.
13. SGSN considers the allocated P-TMSI valid when receiving the ATTACH COMPLETE
message. For a Combined Attach, the SGSN sends the TMSI Reallocation Complete
message to the MSN/VLR.
2.3.8 Detach
IMSI Detach refers to the process when the MS reports to the system before it is powered
off.
Signaling Procedure
When the MS is powered off, it needs to disable GPRS, thus triggering the Detach
procedure. The network can also trigger the GPRS Detach program to detach the IMSI
from the GPRS service.
1. The MS-initiated GPRS Detach procedure is shown in Figure 2-22.
2-49

Figure 2-22 MS-Initiated GPRS Detach Procedure
a. The MS sends the Detach Request message, which includes the GPRS Detach
type, to initiate the GPRS Detach.
b. After receiving the Detach Request message, the SGSN, if finding it a
non-power-off detach, returns a Detach Accept message to the MS. The returned
message includes the IMSI of the MS. For a power-off detach, the procedure
completes after the SGSN receives the Detach Request message.
c. If the PDP context still exists, the SGSN, upon receiving the Detach Request
message, sends a Delete PDP Context Request message (including the TID, the
PDP Context Identifier for the MS) to the corresponding GGSN.
d. Upon receiving the request sent from the SGSN, the GGSN deletes the PDP
context related to the MS, and returns a Delete PDP Context Response message
to the SGSN.
e. If the Gs interface exists, and the SGSN finds the detach reason is Combined
GPRS/IMSI Detach, it will sends a GPRS DETACH INDICATION message to the
MSC/VLR.
2. The SGSN-initiated GPRS Detach procedure is shown in Figure 2-23.
2-50

Figure 2-23 SGSN-Initiated GPRS Detach Procedure
a. The SGSN sends a Detach Request message to the MS, indicating the detach type
and reason. The detach types include re-attach required, re-attach not required,
and IMSI detach.
While sending Detach Request to the MS, the SGSN sends the Delete PDP
Context Request message to the GGSN, indicating TID, the identifier for the
PDP Context of the MS. Upon receiving the message, the GGSN deletes the
corresponding PDP context, and returns a Delete PDP Context Response
b. Upon receiving the Detach Request sent from the SGSN, the MS, if finding
the request type is "re-attach required", removes the PDP context and the
corresponding logic link, while returning the Detach Accept message to the
SGSN. After the GPRS is successfully detached, the MS initiates the GPRS
Attach procedure again, and activates a new PDP.
If the request type is "Re-attach not required", and the reason is "IMSI not known
to the HLR", the MS will remove the PDP context and the logic link, while sending
the Detach Accept message to the SGSN.
If the detach type is "IMSI detached", the MS will not remove the PDP context,
while sending the Detach Accept message to the SGSN.
c. If the Gs interface exists, and the SGSN finds the detach reason is Combined
MSC/VLR.
3. The procedure for an HLR-initiated GPRS Detach is illustrated in Figure 2-24.
2-51

Figure 2-24 HLR-Initiated GPRS Detach Procedure
a. If the HLR attempts to delete the PDP context and the MM of an MS, the HLR
needs to send a Cancel Location message to the SGSN.
b. Upon receiving the message, the SGSN sends the Detach Request message to
the MS, while sending a Delete PDP Context Request message to the GGSN. After
deleting the PDP context, the GGSN returns a Delete PDP Context Response
c. Upon receiving the Detach Request, the MS contacts the PDP context and the
logic link, and sends the Detach Accept message to the SGSN.
d. Upon receiving the Detach Accept message, the SGSN returns a Cancel Location
Ack message to the HLR.
e. If the Gs interface exists, and the SGSN finds the detach reason is Combined
MSC/VLR.
2.3.9 PDP Activation

The Packet Data Protocol (PDP) context activation is the action that the MS requires the
network to allocate an IP address to it, making it part of the IP network. The address is
removed after the data transfer is finished. Only when the MS is in standby or ready state
can it initiate PDP context activation. Each PDP context is described by the PDP state and
relevant information stored in the MS, SGSN, and GGSN.
The PDP context is either active or inactive, described by the PDP state.
1. Inactive: a PDP address for a subscriber has no activated data service, and the PDP
has no routing or mapping information. The routing area update of the MS at this time
will not initiate the PDP update.
2. Active: a PDP address for a subscriber has activated data service, as the PDP contexts
for the MS, SGSN, and GGSN all contain the PDU routing and mapping information
transmitted by the PDP address. The PDP context is in activated only when the MS is
in standby or ready state.
2-52

When the mobility management(MM) is in idle state, the MS first implements the attach
procedure for mobility management to enter the ready or standby state, before carrying
out activation of the PDP context.
Signaling Procedure
The PDP context activation can be initiated either by the MS or the GGSN.
1. The procedure for the MS-initiated activation of the PDP context is shown in Figure
2-25.
Figure 2-25 The Procedure for the MS-initiated Activation of a PDP Context
a. If the MS has finished GPRS Attach, and needs to transmit data in the network, it
first sets up an uplink TBF on which to initiate the Activate PDP Context Request
to the SGSN.
b. Upon receiving the message, the SGSN decides whether to implement
authentication, encryption, and the reallocation of the P-TMSI. For anonymous
transmission, authentication and encryption are not required.
c. After completing authentication and encryption, the SGSN validates the PDP type,
address, and APN provided by the MS according to the subscription record in the
PDP context.
d. Upon receiving the message sent from the MS, the GGSN finds the corresponding
access point based on the APN, and generates a charging ID. The GGSN then
returns a Create PDP Context Response message to the SGSN.
e. Upon receiving the response, the SGSN sends the Activate PDP Context Accept
message to the MS. At this time, the SGSN can initiate the routing and transfer
of the PDP PDU packet between the MS and GSGN, while starting the charging
process.
f. Upon receiving the Activate PDP Context Accept message, the MS enters the
PDP active state and starts data transfer.
2. GSGN-Initiated PDP Context Activation
If the PDP address is static, the PDP context activation can be initiated by the Gateway
EDGE/GPRS Support Node (GGSN), as shown in Figure 2-26.
2-53

Figure 2-26 GGSN-Initiated PDP Context Activation
a. When receiving the packet data sent from the packet data network (PDN), the
GGSN first checks whether there is a static address for the PDP and whether the
PDP context is set up. The GGSN stores the data, and sends the Send Routing
Info for GPRS message, including the IMSI of the MS, to the HLR.
b. Upon receiving the message, the HLR, if acknowledging to provide the service,
returns the Send Routing Info for GPRS ACK message to the GGSN. If the HLR
returns the UACK message, the message contains the reason for the error.
c. If the GGSN finds the MS accessible upon receiving the ACK message, it will
sends the PDP Notification Request message to the SGSN.
d. Upon receiving the message, the SGSN returns the PDP Notification Response
message to the GGSN. At the same time, the SGSN sends the Request PDP
Context Activation message to the MS. Then if the MS accepts the message, it
sends the PDP Context Activation Request to the SGSN.
2.3.10 PDP Deactivation

The PDP Context Deactivation procedure deactivates the PDP context existing between
the MS and SGSN, and between MS and GGSN, and ends the packet data service.
2-54

Signaling Procedure
The PDP context deactivation can be initiated either the MS, GGSN, or SGSN.
1. The procedure for the MS-initiated deactivation of the PDP context is shown in Figure
2-27.
Figure 2-27 The Procedure for the MS-Initiated Deactivation of a PDP Context
a. The MS sends the Deactivate PDP Context Request message to the SGSN to
initiate the PDP deactivation procedure.
b. Upon receiving the message, the SGSN decides whether to implement
authentication, encryption, and the reallocation of the P-TMSI.
c. The SGSN sends the Delete PDP Context Request message, including the PDP
Context tunnel identifier (TID), to the GGSN.
d. Upon receiving the message, the GGSN deletes the PDP context. If the MS uses
the dynamic PDP address, the GGSN releases the address, and returns the Delete
PDP Context Response message to the SGSN.
e. Upon receiving the response, the SGSN sends the Deactivate PDP Context
Accept message to the MS. If the link is not occupied by another PDP context,
the MS and the network release the link.
2. The procedure for the GGSN-initiated deactivation of the PDP context is shown in
Figure 2-28.
Figure 2-28 The Procedure for the GGSN-Initiated Deactivation of a PDP Context
a. The GGSN sends a Delete PDP Context Request message to the SGSN.
b. Upon receiving the message, the SGSN sends the Deactivate PDP Context
Request message to the MS.
2-55

c. Upon receiving the message, the MS deletes the PDP Context, and returns the
Deactivate PDP Context Accept message to the SGSN.
d. Upon receiving the Accept message, the SGSN returns a Delete PDP Context
Response message to the GGSN. At last, the GGSN releases the PDP address.
3. The procedure for the SGSN-initiated deactivation of the PDP context is shown in
Figure 2-29.
Figure 2-29 The Procedure for the SGSN-Initiated Deactivation of a PDP Context
a. The SGSN sends a Delete PDP Context Request message to the GGSN.
b. Upon receiving the message, the GGSN deletes the PDP Context and the PDP
address, and returns a Delete PDP Context Response message to the SGSN.
c. Upon receiving the Response message, the SGSN sends a Deactivate PDP
Context Request message to the MS.
d. The MS deletes the PDP Context according to the message it receives, and returns
a Deactivate PDP Context Accept message to the SGSN.
2.3.11 Cell Update

In idle or transfer mode, the MS in ready state can implement cell update.
l Idle-mode cell update for an MS in ready state
If the MS detects the change in cell ID, but no change in routing area ID, it implements
cell update. The MS sends the message that includes its ID to the SGSN to carry out
the cell update procedure. The BSS adds the Cell Global Identity (CGI) of the RAC
and LAC to the message.
If the SGSN receives a frame with valid LLC PDU, and the BSSGP packet data unit
(PDU) contains a new cell ID, the SGSN considers receiving a cell update request
by the MS, and will record the cell change of the MS and transfer the services in the
source cell to the target cell.
l Transfer-mode cell update for an MS in ready state
During the data transfer process, if, based on signal measurement and the system
parameters broadcast on the PBCCH/BCCH, the MS finds a more appropriate
neighboring cell, the MS will stop monitoring the original cell for system messages to
2-56

start monitoring the target cell. Next, the MS accesses the cell, and sends the CELL
UPDATE message to the SGSN.
If the SGSN, upon receiving the cell update request, finds that the MS is implementing
downlink packet data transmission, the SGSN sends a FLUSH message to the BSC,
indicating that the MS has moved to a new cell.
The BSC finds the source cell by the original BVCI. If the BSC does not support LLC
frame transfer, it deletes the LLC frame in the source cell by the TLLI. If the BSC
supports LLC frame transfer, it transfers the LLC frame from the source cell to the
target cell. The BSC will reallocate resources to the MS in the new cell and set up
new temporary block flow (TBF) for starting data transmission in the new cell.
2.3.12 Routing Area Update

In the GPRS system, location management is implemented by the routing area, which
is made up of one or more cells. One SGSN provides services to each routing area. A
routing area is the subset of a location area.
Signaling Procedure
l Intra-SGSN Routing Area Update
Intra-SGSN routing area update occurs in the following cases:
à For the cell reselection of an MS in standby or ready state, the original and new
cells belong to different routing areas (RA) administered by the same SGSN.
à Periodical routing update timer T3312 times out, but the MS is still in the old
routing area.
à After a class B mobile station leaves dedicated mode, the MS is still in the old
routing area (RA) when it restores suspended mobile services.
The procedure for intra-SGSN routing area update is shown in Figure 2-30.
Figure 2-30 Procedure for Intra-SGSN Routing Area Update
1. The MS sends the Routing Area Update Request message to the SGSN to trigger
the intra-SGSN routing area update.
2-57

2. Upon receiving the message, the BSC adds the Cell Global Identity (CGI) of the
RAC and LAC to the message, and sends the message to the SGSN.
3. Upon receiving the message, the SGSN analyzes the message, and, if deciding to
implement authentication and encryption program, sends the authentication and
encryption request to the MS.
4. Upon completion of authentication and encryption, if the SGSN considers the RA
update is within the same SGSN, it will check whether the MS is a legal subscriber.
The SGSN returns a reject message to the MS upon one of the cases: illegal
MS, illegal ME, GPRS service forbidden, failure of importing the MS ID, PLMN
forbidden, location area forbidden, and roaming in the location area forbidden.
Otherwise, the SGSN returns the Routing Area Update Accept message to the
MS, and assigns the MS with a new P-TMSI and P-TMSI signature, which are
sent with the RAI to the MS in the Routing Area Update Accept message.
5. Upon receiving the ACCEPT message, the MS stores the RAI, new P-TMSI and
new P-TMSI signature, and returns a Routing Area Update Complete message.
Upon receiving the message, the SGSN uses the old P-TMSI if there is no new
P-TMSI.
l Inter-SGSN Routing Area Update
The procedure for inter-SGSN routing area update is shown in Figure 2-31.
Figure 2-31 Procedure for Inter-SGSN Routing Area Update
1. The MS sends the Routing Area Update Request message to the new SGSN to
trigger the update procedure. The message contains the old P-TMSI, old P-TMSI
2-58

signature, and update type. After receiving the message, the BSC adds the CGI
and sends the message to the new SGSN.
2. If the new SGSN cannot identify the P-TMSI, and/or that the RAI does not match,
the new SGSN will send an SGSN Context Request message to the old SGSN
to get the Mobility Management (MM) Context and PDP Context of the MS. The
message contains the old P-TMSI signature, TLLI, RAI, and the new SGSN ad-
dress.
3. The old SGSN, upon receiving the message, returns an SGSN Context Response
message, containing such information as the MM Context and PDP Context.
4. Receiving the response message, the new SGSN implements authentication
and encryption on the MS based on the received message description, such as
authentication key triplet.
5. After authentication and encryption, the new SGSN sends an SGSN Context
Acknowledge message to the old SGSN, indicating that it (new SGSN) is ready
to receive active PDP information.
6. Upon receiving the ACK message from the new SGSN, the old SGSN sends the
N-PDU messages that have accumulated after some time to the new SGSN.
7. After receiving the accumulated N-PDU messages, the new SGSN sends an
Update PDP Context Request message to the GGSN.
8. Upon receiving the message, the GGSN returns an Update PDP Context
Response message to the new SGSN.
9. Receiving the response, the new SGSN sends an Update Location message to
the HLR, updating the information of the subscriber in the HLR.
10. Upon receiving the request, the HLR deletes the MS information for the old SGSN
(by sending the Cancel Location message to it), while adding new information
about the MS to the new SGSN (by sending the Insert Subscriber Data message
to the new SGSN).
11. Upon receiving the Update Location ACK message from the HLR, the new SGSN
sets up the MM Context and PDP Context for the MS, and allocates a new P-TMSI
signature, which is sent with the RAI to the MS in the Routing Area Update Accept
message.
12. Receiving the message, the MS returns the Routing Area Update Complete
message.
l Periodic Routing Area Update
The prevent the network from losing contact with the MS, the GPRS system
takes some measures to force the MS to report its current location to the network
periodically. This is called periodic routing area update.
The procedure for the periodic routing area update is the same with that for intra-SGSN
routing area update. They only differ in the update reason.
The periodic routing area update occurs in the following cases:
1. If network work mode is I, it implements combined RA/LA update.

2. If network work mode is II or III, the RA and LA update procedures are carried out
separately.
2-59

For a GPRS mobile station in standby state, if one of the following cases occurs, the
network will lose contact with the MS.
1. When the MS enters the blind area, the network cannot get the current MS state,
and still considers the MS in the Attach state.
2. When the MS sends the Detach Request message to the network, if the uplink is
interfered, the network may not be able to decipher the message due to the low
signal quality. In this case, the network still considers the MS in the Attach state.
3. When the MS encounters power failure and cannot report its state to the network,
the contact between the network and the MS is lost.
2-60

Figures
Figure 1-1 Network Environment for the BSC............................................................ 1-1
Figure 1-2 Layers in the OSI Reference Model ......................................................... 1-4
Figure 1-3 All-IP Access Protocol Stack .................................................................... 1-4
Figure 1-4 E1 Access Protocol Stack ........................................................................ 1-5
Figure 1-5 The Protocol Architecture for E1 and IP Transmission in the
PS-Domain ............................................................................................. 1-5
Figure 1-6 Signaling Message Handling Procedure................................................... 1-8
Figure 2-1 Location Update Procedure ..................................................................... 2-4
Figure 2-2 Mobile-Originated Call Procedure ............................................................ 2-9
Figure 2-3 Mobile-Terminated Call Procedure ......................................................... 2-18
Figure 2-4 Intra-Cell Handover Procedure............................................................... 2-25
Figure 2-5 Inter-Cell Handover Procedure............................................................... 2-27
Figure 2-6 Inter-BSC Handover Procedure ............................................................. 2-30
Figure 2-7 Basic Handover Procedure .................................................................... 2-33
Figure 2-8 Subsequent Incoming Handover Procedure ........................................... 2-34
Figure 2-9 Procedure for the Subsequent Handover to a Third MSC....................... 2-35
Figure 2-10 Procedure for Sending Point-to-Point Short Messages (Idle
State).................................................................................................... 2-36
Figure 2-11 Procedure for Receiving Point-to-Point Short Messages (Idle
State).................................................................................................... 2-37
Figure 2-12 Procedure for Sending Point-to-Point Short Messages (Busy
State).................................................................................................... 2-38
Figure 2-13 Procedure for Receiving Point-to-Point Short Messages (Busy
State).................................................................................................... 2-39
Figure 2-14 Uplink One-Step Access on the CCCH ................................................ 2-40
Figure 2-15 Procedure for Uplink Two-Step Access on the CCCH .......................... 2-41
Figure 2-16 Procedure for Uplink Access on the PACCH ........................................ 2-42
Figure 2-17 Procedure for Downlink Access on the CCCH...................................... 2-43
Figure 2-18 Procedure for Downlink Access on the PACCH.................................... 2-44
Figure 2-19 GPRS Cell Selection and Reselection Procedure................................. 2-45
Figure 2-20 Network-Controlled Cell Reselection Procedure................................... 2-46
Figure 2-21 Attach Procedure ................................................................................. 2-48
Figure 2-22 MS-Initiated GPRS Detach Procedure ................................................. 2-50

Figure 2-23 SGSN-Initiated GPRS Detach Procedure............................................. 2-51

Figure 2-24 HLR-Initiated GPRS Detach Procedure................................................ 2-52
Figure 2-25 The Procedure for the MS-initiated Activation of a PDP Context ........... 2-53
Figure 2-26 GGSN-Initiated PDP Context Activation ............................................... 2-54
Figure 2-27 The Procedure for the MS-Initiated Deactivation of a PDP
Context ................................................................................................. 2-55
Figure 2-28 The Procedure for the GGSN-Initiated Deactivation of a PDP
Context ................................................................................................. 2-55
Figure 2-29 The Procedure for the SGSN-Initiated Deactivation of a PDP
Context ................................................................................................. 2-56
Figure 2-30 Procedure for Intra-SGSN Routing Area Update .................................. 2-57
Figure 2-31 Procedure for Inter-SGSN Routing Area Update .................................. 2-58
II

Tables
Table 2-1 Service Types............................................................................................ 2-1
III

Tables
This page intentionally left blank.
IV

Glossary
3GPP
- 3rd Generation Partnership Project
AUC
- Authentication Center
Abis
- Abis Interface between BSC and BTS
BSC
- Base Station Controller
BSS
- Base Station Subsystem
BTS
- Base Transceiver Station
CC
- Call Control
CCCH
- Common Control Channel
CN
- Core Network
EIR
- Equipment Identity Register
FTP
- File Transfer Protocol
GERAN
- GSM/EDGE Radio Access Network
GPRS
- General Packet Radio Service
HLR
- Home Location Register
HTTP
- Hypertext Transfer Protocol
IP
- Internet Protocol
ISDN
- Integrated Services Digital Network

LLC
- Logic Link Control
MM
- Mobility Management
MS
- Mobile Station
MSC
- Mobile Switching Center
NSS
- Network Subsystem
OMC
- Operation & Maintenance Center
OSI
- Open System Interconnection
PSTN
- Public Switched Telephone Network
RR
- Radio Resource
SC
- Short Message Center
SCCP
- Signaling Connection Control Part
SGSN
- Serving GPRS Support Node
SMTP
- Simple Mail Transfer Protocol
SNDCP
- Sub Network Dependent Convergence Protocol
TA
- Timing Advance
TDM
- Time Division Multiplexing
TFTP
- Trivial File Transfer Protocol
VLR
- Visitor Location Register
VI

SJ-20121227135800-019-ZXUR 9000 GSM (V6.50.102) Signaling Description, PDF

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

SJ-20121227135800-019-ZXUR 9000 GSM (V6.50.102) Signaling Description, PDF

Hochgeladen von

Copyright:

Verfügbare Formate

ZXUR 9000 GSM

Base Station Controller

Revision No. Revision Date Revision Reason

R1.0 2013–01–29 First edition

Serial Number: SJ-20121227135800-019

Publishing Date: 2013–01–29(R1.0)

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

Chapter 2 Service Signaling Procedure ................................................... 2-1

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

What Is in This Manual

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

1.1 Application Scenarios

Figure 1-1 Network Environment for the BSC

The network elements included are:

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

l SGSN: Serving GPRS Support Node

Introduction to the BSC and Related Network Elements

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

MS performs include speech coding, channel coding, channel cyphering, modulation

Introduction to the Interfaces Related to the BSC

1.2 Protocol Architecture for Signaling

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

Figure 1-2 Layers in the OSI Reference Model

The Protocol Architecture for E1 and IP Transmission in the CS-Domain

Figure 1-3 All-IP Access Protocol Stack

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

Figure 1-4 E1 Access Protocol Stack

The transparently transmitted signaling protocols in the CS domain are described as

CM implements call control management and processes the SMS.

The Protocol Architecture for E1 and IP Transmission in the PS-Domain

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

The transparently transmitted signaling protocols in the PS domain are described as

1.3 Introduction to Functional Modules of Signaling

The Functions the LAPD Implements

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

The Functions the LAPDm Implements

The Functions of MTP2

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

Signaling Message Handling

Figure 1-6 Signaling Message Handling Procedure

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

Signaling Network Management

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

à The no-connection messages are: blocking/unblocking, handover, resources,

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

SJ-20121227135800-019|2013–01–29(R1.0) ZTE Proprietary and Confidential

2.1 Service Introduction

Table 2-1 Service Types

Service Type Sub-Service

Speech service Cell selection and reselection

Mobile originated calls

Mobile terminated calls

Sending point-to-point short messages (idle state)

Receiving point-to-point short messages (idle state)

Sending point-to-point short messages (in conversation state)

Receiving point-to-point short messages (in conversation state)

Packet service Uplink one-step access on the CCCH (TBF Established)

Uplink two-step access on the CCCH (TBF Established)

Uplink access on the PACCH (TBF Established)

Downlink access on the CCCH (TBF Established)