Phreak question...

7 replies to this topic

#1 StankDawg



Posted 28 October 2002 - 09:56 PM

I saw this on another forum site. Both of these seem a little far-fetched. I know there are some neat things you can do, but these seem a little overboard. Especially the second one.


Tone box

I remember reading about these tone generator boxes you could make. They emitted tones that did various things when played over the phone. There was one that, when emitted, made it impossible for the other end to hang up. If they put the receiver down you would still be on the other end when they picked it back up. Anybody ever hear about these? I am doing a book report


I too have heard such stuff; in fact I have read somewhere there is a number they can dial before calling your house that keeps your number from ringing but allows the caller to hear everything that is said within 50 feet of your phone.
It used to require a court order for use but, since 9-11, that is no longer required.

If it is false 411, maybe someone would like to go there and set them straight?


#2 W1nt3rmut3



Posted 28 October 2002 - 10:06 PM

well the first one could be a number of boxes put together. Not sure which they are referring to, or even if it is possible, maybe something with keeping the voltage up over the line?

the second one is in reference to a phone line bug. it's hooked up to the pair box, the box that has all the phone line runs from the central office to each house, or even in the phone itself. when u call the number and put a special freq over the line, the phone cuts out, and the receiver is on, and u can hear the ambient sounds. I have a similar feature on my answering machine, where u can enable room monitor for about a minute or so. and some "number they can dial before calling your house" shit is either speculation or truth, but that's into some pretty heavy gov't stuff.

but of course, dual must confirm this.

#3 dual



Posted 28 October 2002 - 10:54 PM

1. Tones that can put another phone on hold? Never heard of it.

2. Kinda pointless. They can just get everything at the switch (CALEA).

#4 kleptic



Posted 12 November 2002 - 10:01 PM

I don't see any need for it.

#5 zerodata



Posted 17 November 2002 - 02:29 PM

No. 2 sounds a lot like SF (special facilities) that used to be used on the analog phone systems here in the UK many years ago for covert listening by MI5, MI6; this needed a washer to be installed in the telephone. Read Spycatcher, Peter Wright's autobiography, for details.

So far as I am aware this is no longer the case and I presume remote monitoring can now be done direct from the switch.

#6 dual



Posted 17 November 2002 - 08:13 PM

That's cool, zero - I'd love to hear any other UK phreaking info you have.

I just talked to some Qwest technicians (a la holy_handgrenade) and they said that crossbox taps still DO exist. Another pair is spliced to the target's pair and the whole thing looks like a tube of toothpaste (of course collection happens at the switch).

#7 zerodata



Posted 18 November 2002 - 10:20 AM

I have a load of info here about Ericsson GSM/GPRS base station systems. Here is a sample. I would love to post all this stuff, but there is like 400 MB more on this CD I found. GUESS where? Dumpster diving.
This is just one document out of thousands on the CD:

BSS GPRS System Description
© Ericsson Radio Systems AB 2000, All rights reserved.


1 Introduction

2 BSS Architecture for GPRS
2.1 Base Station Controller (BSC) And Packet Control Unit (PCU)
2.2 Base Transceiver Station (BTS)
2.3 Operation Support System (OSS)
2.4 Transmission

3 GPRS Radio Resource Handling
3.1 Protocol Stack
3.2 Multislot Classes
3.3 Class A, Class B and Class C Mode of Operation
3.4 Multi-Frame Structure
3.5 GPRS MS States and Modes
3.6 Network Operation Modes
3.7 Logical Channels
3.8 PDCH Allocation
3.9 Paging
3.10 Packet Transfer
3.11 Cell Selection and Reselection
3.12 Power Regulation
3.13 Quality of Service Profile

4 Impacts on the Radio Network
4.1 Cell Planning Aspects of GPRS

5 Statistics and Traffic Counters

6.1 Concepts
6.2 Abbreviations and Acronyms



1 Introduction
GPRS is a feature that makes it possible to send packet data over the GSM network. For a complete GPRS system description outside of BSS, see reference 10.

GPRS will use the common pool of physical resources across the radio interface in co-existence with the existing circuit switched GSM. This makes it possible to mix GPRS channels with circuit switched channels in a cell. The GPRS resources can dynamically be allocated in gaps in the circuit switched sessions. Thereby using the spectrum much more efficiently.

GPRS will use the same physical channels but in a more efficient way compared to circuit switched GSM since several GPRS users will be able to share one channel. Thus giving a better channel utilisation. In addition, GPRS channels are allocated only when data is sent or received.

2 BSS Architecture for GPRS
GPRS and circuit switched GSM will co-exist within the existing GSM infrastructure, which will lead to a fast implementation and wide coverage of GPRS.

GPRS requires new software in the BSS and new hardware to implement the Packet Control Unit (PCU). The PCU will be within the BSC node. The BSC may be a combined BSC/TRC or a stand-alone BSC. It will be one PCU per BSC. The new PCU HW is available for both BYB 501 and BYB 202.

A new open interface, the Gb interface, is introduced between the PCU (BSC) and the new node SGSN.

The existing A-bis interface is reused for GPRS and will thus carry both circuit switched and GPRS traffic.

Figure 1 Packet Data in an Ericsson GSM Network

2.1 Base Station Controller (BSC) And Packet Control Unit (PCU)
The PCU is responsible for the GPRS packet data radio resource management in BSS. In particular the PCU is responsible for handling the Medium Access Control (MAC) and Radio Link Control (RLC) layers of the radio interface and the BSSGP and Network Service layers of the Gb interface. The Gb interface is terminated in the PCU.

The PCU consists of both central software (CP) and hardware devices with regional software (RP). It will have one or more Regional Processors (RPP). An RPP can work towards both the Gb and the A-bis interface, or towards A-bis only. The function of the RPP is to distribute data packets between Gb and A-bis. Where there is just one RPP in the PCU it will work towards both Gb and A-bis interfaces. Where there is more than one RPP, each RPP may work towards either A-bis or towards both Gb and A-bis.

Figure 2 The PCU in the BSC, simplified

When more than one RPP is being used (except for the two RPPs in an active/standby configuration) they will communicate with each other using Ethernet. A cell can not be split between two RPPs. If a RPP does not handle the cell that the message is destined for, the message is forwarded via the Ethernet to the right RPP.

A duplicated Ethernet connection is provided in the backplane of the PCU magazine. In addition some HUB boards are needed to connect the RPPs via the Ethernet. The HUB boards are doubled for redundancy reasons.

The PCU connects to the Gb devices via the group switch (GS), and to the A-bis devices via the GS and the subrate switch (SRS). The RPPs are connected to the group switch via DL2s and to the central processor CP via the RP bus.

The GPRS traffic is multiplexed with the circuit switched traffic in the Subrate switch.

Figure 3 A PCU with more than one RPP, and the connection with GS and SRS

The PCU architecture is scalable to achieve cost effective solutions for both small and large PCUs. In order to enable capacity expansions several magazines containing RPPs and HUB boards can be connected.

2.2 Base Transceiver Station (BTS)
GPRS will be implemented in the BTS software and no new BTS hardware is required. The fact that a software-only upgrade is needed allows for rapid introduction with full coverage.

Existing sites can be reused, since GPRS is supported both on RBS 2000 and the RBS 200 platforms SPU++ and 'SPU+ with SPE'. The RBS 200 platform SPP does not support GPRS.

Both channel coding schemes CS-1 and CS-2 are supported. The only exception is RBS 2301 without a DSP cluster that supports only CS-1. Note that if the operator has set the preferred channel coding scheme to CS-2, the BSC will switch to CS-1 in that cell in the case when the BTS is not capable of CS-2.

2.3 Operation Support System (OSS)
OSS provides support for GPRS related parameter setting. It also provides alarm surveillance of the new GSN nodes. Configuration management of the new GSN nodes is supported by means of a web interface (Netscape) in the OSS.

2.4 Transmission
2.4.1 Abis Interface
The existing transmission and signalling links over the Abis interface are reused for GPRS, thus providing an efficient and cost effective introduction. Modified TRAU frames are used for the support of GPRS Coding Schemes 1 and 2. No additional transmission links are needed (unless of course the number of TRX per site is increased).

2.4.2 Gb Interface
The Gb interface is a new open interface between the PCU and SGSN.

The PCU can be connected to a SGSN over the Gb interface either:

  • Directly from a standalone BSC or a combined BSC/TRC.
  • Via a TRC from a standalone BSC.
  • Via an MSC from a standalone BSC or combined BSC/TRC.

A BSC can use one or more physical links to connect to a SGSN.

When using an E1 interface the size of the physical links are between 1 and 31, 64 kbits/s time slots, i.e. between 64 kbits/s and 1984 kbits/s.

When using a T1 interface the size of these physical links are between 1 and 24, 64 kbits/s time slots, i.e. between 64 kbits/s and 1536 kbits/s.

If more than one 64 kbits/s circuit is used on the same physical link the time slots must be contiguous to each other.

Gb Protocols
The protocol used to provide layer 3 is BSSGP. BSSGP is a GPRS specific protocol. It conveys the necessary routing information to be able to transfer a LLC PDU transparently across the radio network to the MS. BSSGP is specified in reference 9.

Layer 2 is called the Network Service (NS) layer. This layer is further divided into two separate layers. The upper layer is called the Network Service Control. The lower layer is called the Sub-Network Service. The Network Service is specified in reference 8.

The protocol used to provide the Network Service Control layer is the Network Service Control protocol. The Network Service Control protocol provides a generic way of encapsulating BSSGP PDU and transferring them via the Sub-Network Service.

The protocol used to provide the Sub-Network Service layer is Frame Relay. Frame Relay is a frame mode interface specification providing a signalling and data transfer mechanism between end-points and the network. The end-points of the Gb interface are the BSC and the SGSN. Frame relay shall transparently transfer NS PDUs between a SGSN and a BSC.

Addressing and Configuration of the Gb Interface
An SGSN can be connected to several BSCs. Conversely a BSC can only be connected to one SGSN. A BSC can be connected to a SGSN via an intermediate transmission network (i.e. a Frame Relay network) or via point-to-point connection(s). A BSC can use one or more physical links to connect to a SGSN.

Flush
When an MS in packet transfer state moves to another cell it sends a cell update to SGSN. SGSN then sends a flush message with mobile identity and cell identity for the old and the new cell to the PCU. If both cells belong to the same location area and the PCU has a queue of packets for that MS, these packets are moved to a queue for the new cell. If the new cell is handled by another PCU or location area, the queued packets are deleted and higher layers will handle the retransmission. For more information see the chapter FLUSH-LL (logical link) procedure in reference 8.

Flow Control
The DL flow control is done on both cell level and MS level. The DL flow control uses the same technique to adjust the flow for both MS level and cell level. The technique is to give the feeding side (SGSN) a "bucket" to fill with data, and a "leak rate" for the continuous flow. The task for SGSN is to first fill the "bucket" and then keep it filled by adding data in the same speed as it is leaking out.

When the BSC informs the SGSN node that a cell (BVC) is available for traffic, SGSN is not allowed to start DL traffic until an initial flow control message is sent to SGSN from the BSC.

The BSC implements the flow control on MS level very dynamically, with the ambition that a TBF shall never be disconnected because of too low incoming flow from SGSN; this is to avoid having to re-establish the TBF when more data is to come. Neither shall buffers congest the memory because of a too high incoming flow from SGSN. On cell level the flow control is more static and dimensioned so that it doesn't interfere or limit the flow to an MS.

An additional method for flow control is 'PDU lifetime'. The PDU lifetime is sent in each LLC-PDU downlink from SGSN. This element contains the remaining time for the PDU to be handled in the BSC. If the time has elapsed before the PDU is sent to lower layer MAC protocol, the PDU is discarded. When a PDU is discarded a PDU discard message is sent to SGSN.

3 GPRS Radio Resource Handling
3.1 Protocol Stack
Here is a picture of the GPRS protocol stack from a BSS perspective. Only the first layer is implemented in the BTS. The other BSS protocol layers are handled by the PCU in the BSC.

Figure 4 GPRS Protocols

3.2 Multislot Classes
There are 29 MS classes for multislot capability. They are described in reference 5.

For each multislot class it is defined how many timeslots the MS can use in each direction and the time it needs for changing from RX to TX and vice versa, with or without making measurements in between.

In the Ericsson implementation, MS of all multislot classes will be served, but the higher multislot classes will get a service that is limited by the BSS implementation. In the case of an MS supporting more than 4 timeslots in one or both directions, max 4 TS is allocated per direction.

3.3 Class A, Class B and Class C Mode of Operation
GPRS MS can, depending on the MS and the network capabilities, operate in three different modes:

  • Class A mode of operation allows an MS to have a circuit switched connection at the same time as it is involved in a packet transfer.
  • Class B mode of operation allows an MS to be attached to both circuit switched and packet switched connections, but it can not use both services at the same time. However, an MS that is involved in a packet transfer can receive a page for circuit switched traffic. The MS can then suspend the packet transfer for the duration of the circuit switched connection and afterwards resume the packet transfer. This requires the Gs interface between the MSC and SGSN to be present.
  • Class C mode of operation allows an MS only to be attached to one service at a time. An MS that only supports GPRS and not circuit switched traffic will always work in class C mode of operation.

3.4 Multi-Frame Structure
A 52 multi-frame structure is used on the Packet Data Channel (PDCH).

In the multi-frame structure, the bursts denoted by X (in figure 5) are used on the downlink to send timing advance messages to the MS. On uplink, nothing is sent during these periods. Instead the MS uses the time in uplink to do measurements. The USF is only sent in the downlink blocks.

Figure 5 Multiframe Structure

3.5 GPRS MS States and Modes
There are three GPRS Mobility Management states. The SGSN knows the state of all MS that are in standby or ready state. These states are not seen in BSS.

  • Idle state, when the MS is turned on but not GPRS attached. The MS is "invisible" to GPRS, e.g. when the MS is outside of the coverage area for GPRS.
  • Standby state. The MS is GPRS attached and sends routing area updates to the SGSN every time it changes Routing Area.
  • Ready state. A packet transfer is ongoing or has recently ended. A ready timer defines how long the MS shall remain in ready state after a transfer. The time is decided by SGSN and can take values from zero to infinity, i.e. the MS shall never go back to Standby state. The MS sends cell update to SGSN every time it changes cell. In ready state there is no need to send a page to the MS. SGSN sends the LLC frames to the PCU and the PCU sends an assignment immediately to the MS since the location is known.

The states are further described in the chapter Mobility Management Functionality in reference 1.

There are two GPRS Radio Resource MS states. These states are seen in BSS.

  • Packet Idle mode, when no packets are transferred.
  • Packet Transfer mode. A packet transfer is ongoing in uplink, downlink or in both directions simultaneously.

The MS is only known to the PCU when in Packet Transfer Mode.

3.6 Network Operation Modes
A GPRS network can operate in three different network operation modes. Basically the modes decide whether packet control channels are used or not, see chapter 3.7, or if combined procedures, e.g. CS/PS paging co-ordination, can be used for CS and PS connections, see chapter 3.9.

The network modes can be set by operator command per BSC.

  • Network operation mode I: The network uses combined procedures. The MS needs only to monitor one common control channel, the CS common control channel or the PS common control channel. This mode requires the optional Gs interface between MSC and SGSN.
  • Network operation mode II: The network does not use combined procedures. All common control signalling, both for CS and PS connections, is performed over the CS common control channel. The Gs interface should not be present.
  • Network operation mode III: The network does not use combined procedures. All common control signalling for PS connections is performed over the PS common control channel, and all common control signalling for CS connections is performed over the CS common control channel. This requires a class A or B MS to listen on two common control channels. The Gs interface should not be present.

3.7 Logical Channels
3.7.1 General
GPRS is based on a new logical radio channel that is optimised for packet data, the Packet Data Channel (PDCH). The PDCH can be divided into a number of new logical channels, similar to the existing ones for circuit switched connections. Details about the logical channels and how to map them on physical channels can be found in reference 2 and reference 5.

3.7.2 Master PDCH
A Master PDCH (MPDCH), is a PDCH carrying a Packet Broadcast Channel (PBCCH) and a Packet Common Control Channel (PCCCH), as well as GPRS traffic. The PCCCH carries all the necessary control signalling to initiate packet transfer.

In the standard, the MPDCH is called "the PDCH carrying the PBCCH". The abbreviation MPDCH is only used within Ericsson.

When a MPDCH is required in the cell, the first dedicated PDCH that is allocated according to the operator's preferences regarding non-hopping BCCH (see 3.8.1) will be configured as an MPDCH. The following PDCH that are allocated will only carry GPRS traffic and associated signalling. If the operator decreases the number of dedicated PDCH, the MPDCH is kept as long as there is at least one dedicated PDCH in the cell.

In a cell with no MPDCH the ordinary control channels, BCCH and CCCH, will handle the broadcasting and signalling to the GPRS mobiles.

3.7.3 With and without MPDCH
The operator can decide if there shall be a MPDCH in a cell or not, by setting the network operation mode. When network operation mode I is selected, options with or without MPDCH can be selected. Network operation mode II can only be configured without MPDCH. Network operation mode III shall always be configured with an MPDCH.

A cell with an MPDCH must be configured with at least one dedicated PDCH. In this case the first allocated channel will be the MPDCH, see User Description, GPRS Channel Administration.

In a cell with no MPDCH, the MS will listen to BCCH and PCH for broadcast information and paging messages. The paging message will contain information about if the page is for circuit switch (CS) or packet switch (PS). The MS will send access bursts on RACH. The MS will specify in the message if it is a request for CS or PS connection. Information about the allocated resources is sent on AGCH to the MS.

In a cell with a MPDCH allocated, an MS will only read the BCCH to get information about the physical channel where PBCCH and the Packet Common Control Channels (PCCCH) can be found. The MS then listens to PBCCH to get all system information it needs. The MS will listen to PPCH for paging messages. The MS will send access bursts on PRACH for request for PS services, but on RACH if the request is for a circuit switched service.

The release of an MPDCH is not broadcast in advance to the MS. The MS will discover that the MPDCH is removed after trying to read broadcast information or its PPCH. Then the MS will go back to BCCH and read the information there. This procedure can take a long time for MS with a long sleeping period. Therefore it is recommended not to allocate and release the MPDCH more often than necessary.

3.8 PDCH Allocation
GPRS is based on a new logical radio channel that is optimised for packet data, the Packet Data Channel (PDCH). These PDCH are allocated to the PCU. The PCU is then responsible for assigning channels to the different GPRS MS. The PDCH allocation can be done in different ways:

  • Dedicated PDCH are allocated and released by operator command.
  • On-demand PDCH, serving as temporary dynamic GPRS resources, are allocated and released depending on the GPRS traffic demand.

Channels that are allocated for GPRS (PDCH) are allocated in sets of maximum four consecutive time slots. Such a set is called a PSET and can consist of both dedicated and on-demand PDCH. All channels in a PSET are on the same frequency or hop on the same frequency hopping set. A mobile station can only be assigned PDCH from one PSET. There is no additional limit on the number of PDCH that can be allocated in a cell, except the number of available TCH.

Details about channel allocation for GPRS can be found in User Description, GPRS Channel Administration.

3.8.1 Dedicated PDCH
Dedicated PDCH can only be used for GPRS. The operator can specify 0-8 dedicated PDCH per cell. The dedicated PDCH ensure that there are always GPRS resources in a cell.

The Operator can specify where he wants his dedicated PDCH to be located. From a radio point-of-view, non-hopping channels on the BCCH carrier are generally not equivalent to traffic channels on other frequencies. The BCCH frequencies may have a separate frequency plan, and bursts on the BCCH frequency are not power regulated. The Operator can per cell decide if the dedicated PDCH shall be allocated on the non-hopping BCCH frequency as a first or last hand choice or with no preference.

3.8.2 On-demand PDCH
On-demand PDCH can be pre-empted by incoming circuit switched calls in congestion situations in the cell. Note that a HSCSD user can never get more than one channel through the pre-emption procedure.

There is no physical limit on how many on-demand PDCH there can be in a cell. The number of on-demand PDCH depends on how much packet switched traffic there is, up to the limit where circuit switched traffic starts to pre-empt PDCH due to congestion. In a cell without any circuit switched traffic it would be possible to use all channels for GPRS traffic.

A load supervision function is implemented so that in a cell with or without dedicated PDCH, new on-demand PDCH are allocated when the number of GPRS users becomes too high with respect to the number of existing PDCH in that cell, assuming there are idle channels available. The number of simultaneous users on one PDCH (UL and DL) before a new on-demand PDCH channel allocation attempt is made can be set by operator command per BSC, see User Description, GPRS Channel Administration.

At the allocation of on-demand PDCH, the operator's choice of preferred frequency allocation strategy is also taken into account but if there is no free channel on the first hand choice, another channel is allocated.

3.8.3 Packet Switched Idle List
In a cell supporting GPRS, the BSS system maintains two idle lists, the GSM and the packet (PS) idle lists, over all the available traffic channels. The lists exclude the dedicated PDCH. Initially all these idle channels belong to the GSM idle list. The channels in the PS idle list are GPRS activated.

For circuit switched calls, a suitable candidate is first sought after in the GSM idle list. If none is available, channels in the PS domain will be stolen. First the PS idle list will be searched. It contains on-demand channels with no packet data transfer, temporary block flow (TBF), active. As a final option an on-demand PDCH will be pre-empted to cater for the circuit switched call.

When there is a need to assign resources to a GPRS mobile station, the system first looks for already allocated PDCH, with a preference for PDCH having none or few reservations already. Among those, dedicated PDCH are preferred since they can not be pre-empted. If all PDCH have traffic up to a certain limit, the system checks the GSM idle list.

An on-demand PDCH is returned to the PS idle list as soon as there is no TBF (see chapter 3.10.1 for explanation of TBF) assigned to it (no mobile station is assigned resources on that channel). After a certain time on the PS idle list, the PDCH is released and moved to the GSM idle list.

If there is a need for a circuit switched TCH, an on-demand PDCH can be reconfigured to a TCH. This procedure is estimated to take less than 200 ms.

3.9 Paging
There are two types of paging, PS Paging and CS Paging. If a PS connection is requested, i.e. the network wants to send data to the MS, a PAGING PS message is sent from SGSN to BSC.

If the network wants to set up a CS connection, a PAGING CS message is sent from SGSN to BSC.

Details about paging for GPRS can be found in User Description, GPRS Paging and DRX.

3.9.1 CS Paging
When an MS in Class A or Class B mode of operation is attached to both GPRS and CS, and the Gs interface between MSC and SGSN is available, the MSC sends the pages to the SGSN, via the Gs interface, instead of directly to the BSC. Since the SGSN knows the location of the MS on cell level when it is in ready state and on routing area level otherwise, the paging area will be smaller than, or equal to, the paging area when sending the page directly to the BSC.

SGSN sends the page to the affected PCU(s) with information of the cell or routing area. If the MS is involved in a packet transfer, the PCU sends the page on the control channel associated with the packet transfer, PACCH. Otherwise the page is sent out on PPCH or, if that is not available, on PCH. This is Network Operation Mode I.

It is possible to have a network without a Gs interface. In this case the MSC can not send the page to SGSN. Instead the MSC sends the page directly to the BSC. CS pages will always come on PCH. This is Network Operation Mode II or III. In this case the BSC is unable to check paging messages coming from the MSC and see if the MS is GPRS attached as well. Therefore the BSC will always send those messages on PCH. An MS of class B does not listen to the PCH when in packet transfer mode, therefore pages can be lost.

The operator can per BSC specify the network operation mode, see User Description, GPRS Channel Administration.

3.9.2 PS Paging
The SGSN sends a paging request to all BSC serving the routing area where the MS is currently located.

The BSC then pages the MS in all cells within the paging area. The PPCH is used if the MPDCH exists in the cells. For those cells not having an MPDCH, the PCH is used instead.

3.9.3 Paging Groups and DRX
The discontinuous reception (DRX) is a technique implemented in the GPRS system that ensures that the MS is exactly aware of the period of time a paging may be transmitted, thereby allowing the MS to be powered down for a high percentage of the time. This is to reduce the power consumption during standby mode. For details see User Description, GPRS Paging and DRX.

The MS population is divided into a set of paging groups. The group which an MS belongs to is known by both the MS and the BSC and is calculated based on IMSI and DRX parameters. The DRX parameters are negotiated between the MS and the SGSN during the GPRS Attach Procedure. The maximum DRX period is 15 seconds and the minimum is 'no DRX'.

3.10 Packet Transfer
3.10.1 General
The transmission of packets to or from a certain MS is called a Temporary Block Flow (TBF). The correspondence to a circuit switched call setup is an assignment of an uplink or a downlink TBF for a packet transfer. An MS can have a TBF in one direction or one in each direction. Each TBF is addressed by a Temporary Flow Identity (TFI) assigned by the network.

At assignment of a TBF, the MS is informed of which timeslot(s) to use and its TFI address.

A packet transfer can either be RLC acknowledged or unacknowledged.

More details about packet transfer on RLC/MAC level can be found in reference 4.

3.10.2 Downlink Packet Transfer Procedure
If the MS is in GPRS MS standby state, the downlink packet transfer is initiated by paging the MS in a Routing Area. This is initiated by the SGSN sending a PS Paging Request message to the PCU. The PCU will then calculate which paging group the MS belongs to and send the paging request in a timeslot when the MS is awake (listening).

A Routing Area is defined in the standard as a subset of a Location Area. In BSS R8 the Routing Area is identical to the Location Area.

The MS responds to the page by sending any LLC PDU message to the SGSN. This is done by use of the uplink packet transfer procedure. The message is transparent to BSS and looks like an ordinary LLC PDU.

The MS is now in ready state and the SGSN can start to send LLC frames to the PCU with the cell and MS identity.

When the PCU receives LLC frames from the SGSN, the PCU checks if the addressed MS is already involved in a packet transfer.

If the MS already has a downlink TBF, the new LLC frame is put in the queue with the other LLC frames to that MS.

If the MS has no TBF established and no MPDCH exists, an Immediate Assignment message is sent on a timeslot that the MS listens to on the Common Control Channel (PCCCH). If an MPDCH exists, a Packet Downlink Assignment message is sent on a timeslot that the MS listens to on the Packet Common Control Channel (PCCCH). A certain time after the MS has been involved in a packet transfer it remains in non-DRX mode. That means that the MS is awake and there is no need to wait for its paging group. The message can be sent immediately.

If the MS already has an uplink TBF, the PCU has to take this into consideration. Probably the PCU will allocate downlink resources on the same timeslots (or at least partially) as the MS has uplink resources. This makes it possible for the MS to use both the uplink and downlink resources at the same time. The MS multislot class tells the capability of the MS regarding how many PDCH it can handle in each direction at the same time. The Packet Downlink Assignment message is sent on the control channel that is associated with the uplink assignment, the Packet Associated Control Channel (PACCH).

The Packet downlink assignment message consists of a list of the channels that will be used and a TFI to address the MS.

3.10.3 Uplink Packet Transfer Procedure
If an MS has no TBF established, the MS sends a Packet Channel Request message to the PCU.

In the Ericsson implementation there are two main ways to allocate resources after receiving a Packet Channel Request message from the MS:

- The MS is assigned resources on one or several timeslots for a longer time using the dynamic allocation method. For each timeslot, the MS is assigned a value of the Uplink State Flag (USF). The use of the USF is further described in the subchapter Scheduling. The TFI is used in signalling to identify the MS.
- A single timeslot is reserved for the sending of one RLC block. This can be used to let the MS send a Packet Resource Request message, to further specify its capabilities and/or demands. This is called a two-phase access. The single RLC block could also be used when the MS only has a very short LLC frame to send.

At two-phase access, the MS sends a Packet Resource Request on the allocated timeslot. With the new information received, the PCU assigns resources and sends a new Packet Uplink Assignment to the MS.

If the MS already has a downlink TBF established, the MS sends a Packet Resource Request message on the control channel associated with the downlink TBF, the Packet Associated Control Channel (PACCH). The PCU has to consider the downlink allocation when allocating uplink resources. The Packet Uplink Assignment message is then sent to the MS on the PACCH.

3.10.4 Scheduling
The LLC frames received from the SGSN in a downlink transfer are cut up into smaller pieces called RLC blocks by the PCU. Each RLC block is sent in four consecutive bursts on one timeslot. If one MS is assigned for example timeslots 1-4, one RLC block is sent in four bursts on timeslot 1, a second RLC block is sent in four bursts on timeslot 2 etc.

A number of MSs can be assigned resources on the same timeslot(s). The header of every downlink RLC block contains the TFI that shows which MS the RLC block is addressed to.

The header of every downlink RLC block also contains the Uplink State Flag (USF). The USF is used to tell the MS with an uplink TBF on that timeslot, which one that is allowed to send an uplink RLC block in the next but one group of four bursts.

When an MS only has a single RLC block to send, for example an acknowledgement or a Packet Resource Request, the PCU can assign a timeslot at a certain time to the MS. Then no USF is assigned to the MS. In the header of the corresponding downlink RLC block, the USF is then given a value that is not assigned to any MS, in order to avoid collision.

3.10.5 Acknowledgement
Packets can be sent in acknowledged or unacknowledged RLC mode. Actually Ack/Nack messages are sent in both modes, but packets are only retransmitted over the air interface in acknowledged RLC mode.

The reason for sending acknowledgements in unacknowledged mode can be several:

- To check that the communication has not been broken.
- To get knowledge about the transmission quality, in order to use the coding scheme that gives the best performance.
- To prioritise MS depending on link quality.

In BSS R8 this is only used to check that the MS has not left the cell.

3.10.6 Ending a TBF
When there are no more LLC frames to a certain MS in the PCU (but there may be more in the SGSN), the downlink TBF is released. If a new LLC frame arrives immediately after, a new assignment corresponding to a new TBF is sent to the MS. The MS is still in ready state, so there is no need to page the MS.

When the MS has only a few more RLC blocks to send, this is signalled to the network, and a countdown procedure is started. After all blocks have been sent and acknowledged, the uplink TBF is released. If the MS has more packets to send after the countdown procedure has been initiated, a new TBF has to be established. The MS is not allowed to continue to send more packets than it had when initiating the countdown procedure.

3.11 Cell Selection and Reselection
In a GSM network the BSC governs the cell selection behavior of MS in idle and transfer mode by different methods. Idle mode MS autonomously performs the cell selection by using the C1/C2 criteria.

In transfer mode, non-GPRS MS are being steered by the locating functionality implemented in the BSC. That means that the BSC initiates handovers to other cells.

In GPRS, the decision about which base station to communicate with is to be taken by the MS. GPRS MS manage both the idle and transfer mode behaviours.

The cell selection and reselection algorithms used for controlling those idle/transfer mode behaviours are governed by GPRS cell selection parameter settings broadcast in the packet system information on PBCCH in each GPRS capable cell with allocated PBCCH (MPDCH), User Description, GPRS Cell Selection.

If no PBCCH is allocated in a cell, the GPRS MS will read the system information broadcast on BCCH and use the C1/C2 criteria for cell selection and reselection as in the circuit switched case, see User Description, Idle Mode Behaviour.

The GPRS cell selection and reselection algorithms are governed by parameter settings. These parameters are different from the corresponding parameters for circuit switched. However, in the Ericsson implementation, GPRS cell selection parameters are automatically mapped on those for cell selection/locating known from the circuit switched case. This is to get the same cell selection behaviour for GPRS and to enable an easy roll-out of GPRS in the network.

The standard allows the network to take over the cell reselection for a specific MS or for all MS. This is called Network Controlled Cell Reselection; it is not implemented. This means the overlaid sub-cell in an overlaid/underlaid cell structure cannot be used for GPRS connections, see User Description, Overlaid/Underlaid Subcells.

3.11.1 Cell Reselection, a Small Traffic Case
In this example, the MS is involved in a downlink packet transfer. The MS discovers that another cell is a better choice according to its own measurements and to the cell selection parameters broadcast on PBCCH or BCCH. The MS stops listening to the old cell and starts to read the necessary system information in the new cell. Then the MS makes an access in the new cell and sends a cell update to the SGSN. This message is transparent to the PCU.

The SGSN receives the cell update and discovers that there was already an ongoing downlink packet transfer. The SGSN sends a Flush message to the PCU responsible for the old cell. The Flush message contains the addresses to both the old and the new cell as well as the MS identity.

The PCU checks if it is also responsible for the new cell and that the new cell belongs to the same location area as the old cell. In that case all buffered LLC frames that have not been acknowledged or not sent are moved to a queue towards the new cell. The PCU assigns new resources to the MS in the new cell and the transmission is restarted.

Otherwise, the PCU will delete all LLC frames destined to that MS and leave the retransmission to higher layers.

3.12 Power Regulation
Open loop MS power control is implemented, see User Description, GPRS Dynamic MS Power Control. The value of the parameter Gamma_CH can be set per cell by the operator and the parameter ALPHA can be set per BSC by the operator.

3.13 Quality of Service Profile
There are a number of parameters defined as QoS parameters or attributes. The following concerns BSS:

- Precedence Class. At congestion, all packets with the lowest class are discarded. Then packets with the second lowest class are discarded, etc. This is not implemented in BSS.
- Reliability Class. The part that concerns BSS is the RLC Block mode. Both acknowledged and unacknowledged mode are supported.
- Peak Throughput Class. Maximises the throughput for a MS. Nothing is guaranteed. This is not implemented in BSS.
- Radio Priority. Radio priority can be used to differentiate between MS requesting an uplink TBF.

BSS will only offer best effort regarding the quality of service parameters.

All these parameters, except for radio priority, concern SGSN as well. If the support for Precedence class is implemented in SGSN, it will also help when BSS is congested.

The parameters are further described in the chapter Quality of Service profile in reference 1.

4 Impacts on the Radio Network
In BSS we have tried to minimise the impacts the introduction of GPRS will have on the radio network.

The GPRS resources can dynamically be allocated in the gaps of circuit switched sessions. In addition incoming circuit switched users can pre-empt on-demand PDCH. On-demand PDCH are hence viewed as idle by circuit switched mobiles, and will not affect the (speech) blocking probability in the cell.

A circuit switched user applying for a channel in a cell with no TCH available is blocked. A GPRS user that arrives to a cell without idle channels, on the other hand, may be directed to an existing PDCH up to a certain maximal limit. This is at the expense of the quality experienced by other users already allocated on that channel. The total bandwidth on the channel has to be shared among all GPRS mobiles using that channel. The exception is however if a GPRS mobile requests a channel in a cell where no GPRS channels can be allocated, e.g. when all channels in a cell are used as TCH. In this case, the GPRS user will not get any resources, and the GPRS mobile will find itself blocked from the system until the congestion decreases.

The current radio interface has been optimised with regard to speech traffic. When GPRS is introduced, circuit switched and packet data services will be competing for the same spectral resources. Simulations have, however, shown that there will not be any major impact on the quality of the circuit switched services.

Initially GPRS traffic may not be so significant. In order to simplify the introduction of GPRS, the GSM Circuit switched based cell planning and cell parameter setting is reused for GPRS. The system automatically sets the new GPRS cell parameters and cell border to be as similar as possible to circuit switched.

Location areas (LA) are not used for GPRS. A new area is instead defined for GPRS, called the routing area (RA). A RA consists of one or a number of cells and therefore is a subset of a LA. In BSS they are set to be the same. GPRS frequency hopping feature is supported for single slot as well as multislot MS session.

The Ericsson BSS supports paging of MS using discontinuous reception (DRX) according to parameters sent by the SGSN node to the BSS.

GPRS MS power control is implemented in BSS as an "open loop" manner and the MS power control parameters are set per cell. BTS power control is however not supported. Instead full output power is used on all GPRS channels.

Both coding schemes CS-1 and CS-2 are implemented.

All signalling is made with CS-1 only. The data blocks however use any coding, i.e. CS-1 or CS-2. CS-2 is set as default but the operator can choose between CS-1 and CS-2 on a per BSC level.

4.1 Cell Planning Aspects of GPRS
4.1.1 General Considerations
GPRS will use the same physical channels as standard GSM. Hence, GPRS and Circuit Switched traffic can be integrated in the same frequency band. This leads to trunking gains, since GPRS can dynamically use channels which are "left over" after circuit switched traffic. Much more important is that existing sites can be used, and that the cell plan does not need to be adjusted to cater for GPRS. This alternative minimises the cost for integrating and running GPRS in an existing GSM radio network.

Alternatively, a sub-band can be set aside for GPRS traffic. The radio-condition requirements for GPRS are not identical to those of speech. Being more flexible than speech, GPRS can tolerate a signal to interference ratio (C/I) down to 5 dB. At the same time, the design of GPRS makes it possible to capitalise on C/I above 25 dB to get a higher bandwidth per basic physical channel. This suggests that an existing GSM cell plan, tuned for speech, is not optimal to GPRS. In a mature GSM/GPRS system using all four coding schemes defined in the standard and possibly EDGE, and where a substantial fraction of the total traffic is due to GPRS, it may be motivated to have a separate frequency and cell plan for GPRS. At initial deployment of GPRS it is not expected that a separate frequency band for GPRS is necessary, because of low GPRS traffic and link adaptation for CS-1 and CS-2 is not supported in BSS R8.

It is of course feasible to use a combination of the above. So could, e.g., one part of the frequency band be used for both speech and data users, while other frequencies are used for GPRS users with applications that require high transfer rates and hence exceptionally good radio link quality.

4.1.2 Consequences of using the same Cell Plan for Circuit Switched and GPRS Traffic
Using the same frequency plan for GPRS and speech services requires some care in order to protect the speech quality. In a frequency hopping system where the GPRS traffic volume is limited, this should not pose a significant problem, c.f. below.

If the GPRS traffic volume is substantial, and if the speech in the radio network relies on interference-reducing features like DTX and power control, similar measures may have to be taken on the GPRS channels. In GPRS, as in any packet data system, it is not possible to utilise a link to 100%. This is due to the bursty nature of packet data traffic and maximum-delay requirements. Hence, a GPRS channel will display a sort of "automatic DTX". However, the interference reduction that the unused timeslots bring may not be sufficient to guarantee the speech quality. Hence, in systems where a large fraction of the total traffic is GPRS, it may be necessary to use a combination of admission control, GPRS power control and other features that reduce interference. This is not supported in BSS R8.

4.1.3 Link Budget for GPRS
GPRS is more adjustable to the radio link quality than is (GSM) speech. In GPRS, different coding schemes with different degrees of coding protection against bit errors are available to the user. Link-level simulations show that by using the most robust coding (CS-1), a GPRS connection can be maintained at a signal to interference ratio (C/I) below 6 dB. This is in the same region as where the SDCCH signalling in circuit switched GSM breaks down. This is not surprising, since CS-1 in GPRS is identical to the coding used in the SDCCH signalling. In contrast, the speech quality in a circuit switched connection starts to deteriorate at higher C/I, and it is typically not possible to maintain a decent speech quality with C/I below 9 dB (frequency hopping system). Better radio-link quality in GPRS leads to fewer retransmissions of erroneous radio blocks, and the possibility to use the more information-dense coding schemes, e.g. CS-2. By adjusting the coding to the radio conditions, the GPRS user bandwidth per basic physical channel increases as the radio link quality increases.

4.1.4 Effect of GPRS on the Speech Quality in the Radio Network
GPRS uses the same modulation, burst structure and radio channels as circuit switched GSM; burst by burst, GPRS has the same interference properties as speech. However, the interference pattern from a GPRS channel can be expected to be different than that from a speech channel. This is because the on-off sequence on a packet data channel is different from a speech channel. Furthermore, GPRS and speech may use different power control mechanisms.

In a frequency hopping system with a dynamic allocation of circuit switched traffic and GPRS traffic on the various channels, the interference encountered by the speech mobiles is a mix of GSM and GPRS traffic. In a radio network using frequency hopping and with pre-dominantly circuit switched traffic, we do not expect the mix-in of a small population of GPRS mobiles to change the total interference in the radio network in any significant way.

4.1.5 The Ericsson Solution
The first release of GPRS in Ericsson's GSM systems is designed so as to minimise the impact on the existing radio network. Two coding schemes are available: CS-1, which is the most robust coding scheme, and CS-2, which improves the data rate to up to 48 kbps (four time-slot connections). Using the error protection of CS-1, GPRS is capable of maintaining a data-link between the mobile and the network also at radio-link conditions that would induce unacceptable speech quality in GSM. Hence, in the first implementation of GPRS, the existing GSM cell plan can be used to give at least the same coverage for GPRS as for GSM.

Letting GPRS use the existing cell plan also makes the GPRS users connect to the same BTS as circuit switched mobiles. Thus, co-channel and adjacent channel interference generated from GPRS mobiles originate from the same geographical locations as the interference from the speech users. To minimise the interference impact from GPRS channels on speech mobiles further, channels on BCCH carriers can be set as first choice for allocation of Packet Data Channels.

5 Statistics and Traffic Counters
GPRS statistics are provided in order to help the operator dimension the Gb interface, the PCU HW, and the signalling and traffic channels. The following information will be provided per cell to the operator:

- The number of PDCHs that are currently allocated in the cell and how many PDCHs there have been on average.
- The number of attempts to allocate one or more channels for GPRS (up to 4 channels can be granted at the same time).
- The number of attempts that resulted in a complete failure, i.e. no channel at all was allocated.
- Number of Channel Request messages for GPRS received on RACH.
- Number of Packet Channel Request messages received on PRACH.
- Radio block messages transmitted to an MS.
- Radio block messages retransmitted to an MS.
- Radio block messages received by the PCU from a MS.
- Radio block messages that the MS had to retransmit.
- The number of paging messages concerning CS with paging area set to cell that come from the SGSN and will be transmitted on PCH.
- The number of paging messages concerning CS with paging area set to cell that come from the SGSN and will be transmitted on PPCH or PACCH.

The following information will be provided per BSC to the operator:

- Discarded PCU frames, uplink and downlink respectively.
- The number of paging messages concerning CS with paging area not set to cell that comes from the SGSN.
- The number of paging messages concerning PS with paging area not set to cell that comes from the SGSN.
- The number of paging messages concerning CS that are rejected due to congestion.
- When the processor load in a PCU-RP is greater than 50%.
- Number of rejected PDCH allocation attempts.

6 Glossary
6.1 Concepts
GPRS dedicated PDCH
A PDCH that is allocated for GPRS by operator command. It can not be used for CS services.
On-demand PDCH
A PDCH that is allocated for GPRS depending on traffic needs.
PDCH pre-emption
Action performed to remove a PDCH from the PSD and return it to CSD.
Physical channel SET. A group of up to 4 consecutive physical channels that are allocated for the same service.
Two GPRS protocol layers. Also used to refer to functions that reside in these layers.
Regional Processor with PCIA card. The type of RP that the PCU is built on.
6.2 Abbreviations and Acronyms
Base Station Controller
Base Station System
Base Transceiver Station
Central Processor
Circuit Switched
Home Location Register
High Speed Circuit Switched Data
Integrated Services Digital Network
General Packet Radio Service
Master Packet Data Channel
Mobile Station
Mobile Services Switching Center
Mobile Station ISDN Number
Operations and Maintenance
Operation Support System
Paging Channel
Packet Control Unit
Packet Data Channel
Public Land Mobile Network
Packet Paging Channel
Packet Random Access Channel
Packet Switched
Random Access Channel
Regional Processor
Regional Processor with Power PC
Serving GPRS Support Node
Temporary Block Flow
Temporary Flow Identity
Uplink State Flag
Visitors Location Register
7 References
GSM 03.60 version 6.3.0 Release 1997 (Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (GPRS); Service description; Stage 2).
GSM 03.64 version 6.1.0 Release 1997 (Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (GPRS); Overall description of the GPRS radio interface; Stage 2).
GSM 04.08 version 6.2.0 Release 1997 (Digital cellular telecommunications system (Phase 2+); Mobile Radio Interface layer 3 specification).
GSM 04.60 version 6.3.0 Release 1997 (Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (GPRS); Radio Link Control/Medium Access Control (RLC/MAC) protocol).
GSM 05.02 version 6.4.0 Release 1997 (Digital cellular telecommunications system (Phase 2+); Multiplexing and multiple access on the radio path).
GSM 05.08 version 6.4.0 Release 1997 (Digital cellular telecommunications system (Phase 2+); Radio subsystem link control).
GSM 05.10 version 6.4.0 Release 1997 (Digital cellular telecommunications system (Phase 2+); Radio subsystem synchronisation).
GSM 08.16 version 6.1.0 Release 1997 (Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (GPRS); Base Station System (BSS) - Serving GPRS Support Node (SGSN); Network Service).
GSM 08.18 version 6.3.0 Release 1997 (Digital cellular telecommunications system (Phase 2+); General Packet Radio Service (GPRS); Base Station System (BSS) - Serving GPRS Support Node (SGSN); BSS GPRS Protocol (BSSGP)).
GPRS System Description, 1551-AXB 250 01/1.
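
The TFI/USF scheduling rules from section 3.10.4 of the document pasted above, as an added example that is not part of the original post or of the vendor's material: a small Python model of one PDCH timeslot shared by several MSs. The class, the MS names, the TFI values and the round-robin order are assumptions; the 3-bit USF width comes from the GPRS RLC/MAC specification, not from the post.

```python
from collections import deque

USF_BITS = 3      # USF is a 3-bit header field (GPRS RLC/MAC spec, not the post)
GRANT_DELAY = 2   # a USF grants the "next but one" block period, per the post


class Timeslot:
    """Hypothetical model of one PDCH timeslot shared by several MSs."""

    def __init__(self):
        self.usf_owner = {}      # USF value -> MS holding an uplink TBF here
        self.dl_queue = {}       # TFI -> deque of downlink RLC blocks
        self.single_block = {}   # block period -> MS given one fixed block

    def add_uplink_tbf(self, ms):
        free = [u for u in range(2 ** USF_BITS) if u not in self.usf_owner]
        if len(free) < 2:        # keep at least one value that nobody owns
            raise RuntimeError("no USF left on this timeslot")
        self.usf_owner[free[0]] = ms
        return free[0]

    def unassigned_usf(self):
        return next(u for u in range(2 ** USF_BITS) if u not in self.usf_owner)

    def reserve_single_block(self, ms, period):
        if period in self.single_block:
            raise ValueError("block period already reserved")
        self.single_block[period] = ms

    def run(self, periods):
        """Return one record per block period (one period = four bursts)."""
        log = []
        granted = dict(self.single_block)   # period -> MS allowed to send uplink
        ul_turn = 0
        for n in range(periods):
            # Downlink: the TFI in the header names the MS the block is for.
            busy = [t for t in sorted(self.dl_queue) if self.dl_queue[t]]
            tfi = busy[n % len(busy)] if busy else None   # None = no user data
            if tfi is not None:
                self.dl_queue[tfi].popleft()
            # Uplink: the USF in this header decides who sends in period n + 2.
            target = n + GRANT_DELAY
            if target in self.single_block or not self.usf_owner:
                usf = self.unassigned_usf()   # matches no MS, so no collision
            else:
                owners = sorted(self.usf_owner)
                usf = owners[ul_turn % len(owners)]
                ul_turn += 1
                granted[target] = self.usf_owner[usf]
            log.append({"period": n, "tfi": tfi, "usf": usf,
                        "uplink_sender": granted.get(n)})
        return log


def demo():
    ts = Timeslot()
    ts.add_uplink_tbf("MS-A")                    # gets USF 0
    ts.add_uplink_tbf("MS-B")                    # gets USF 1
    # Constructed sample traffic: TFI 5 has two blocks queued, TFI 9 has one.
    ts.dl_queue = {5: deque(["a1", "a2"]), 9: deque(["c1"])}
    ts.reserve_single_block("MS-C", period=4)    # e.g. a Packet Resource Request
    return ts, ts.run(6)


if __name__ == "__main__":
    for record in demo()[1]:
        print(record)
```

In the run, the header sent in period 2 carries a USF that no MS owns, which keeps MS-A and MS-B silent in period 4 while MS-C uses its single reserved block.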

#8 zerodata


    Gibson Hacker

  • Members
  • 88 posts

Posted 18 November 2002 - 05:06 PM

Oh and for some information on the UK telephone system try here


This is BT's (British Telecom) Suppliers' Information Notes Index

What are they well here is the official line.......

Suppliers' Information Notes are produced to meet BTs obligations under Condition 15 of Schedule 1 of its Licence that relates to the publication of Customer Interface information. To this end BT has agreed with Oftel that SINs will be used to provide information about its network offerings. This may be the launch of a completely new service, alternatively it may be an announcement of the addition of new features within an existing service. Withdrawal of services or facilities will also be announced through SINs. For the SINs which are available from this site as Portable Document Format (pdf) files,

Basically this stuff is the real meat of UK telecoms what is coming out, changes to platform etc Hint download the stuff and keep it as it is sometimes withdrawn :angry:

Shame they have to use those awful PDF files though



