the phone picks the channels with highest amount of energy
it tries to decode the FCCH (Frequency Correction Channel) to slave its own internal clock (VCTCXO) to the frequency information contained in the FCCH
it then moves to the SCH (Synchronization Channel) to determine the current GSM frame number + training sequence code
finally, it is aligned with the carrier frequency and knows where in the time-division multiplex frame/multiframe the BTS (cell) is currently transmitting
Network Selection (2G): BCCH decode
After Frequency and Sync burst detection, the phone moves to BCCH (Broadcast Common Control Channel)
The BCCH contains a loop of repeated broadcasts of so-called SYSTEM INFORMATION messages
There are many different SYSTEM INFORMATION TYPEs which are repeatedly iterated over
SYSTEM INFORMATION (SI) 3 and 4 contain, among other things, MCC + MNC information
MCC: Mobile Country Code (262 for Germany)
MNC: Mobile Network Code (01 for T-Mobile, 02 for Vodafone, 03 for E-Plus, …)
Now the phone knows to which operator the cell broadcasting on this ARFCN belongs
The process of FCCH + SCH alignment with successive BCCH decoding is repeated for a number of strong signal ARFCNs to create a list of "available networks"
this is the list you see when you do a manual network search on your phone
the numeric MCC/MNC is typically translated into a string name based on a mapping table in the phone firmware, possibly extended by information on the SIM (EF.PNN, EF.OPL)
Network Selection: Which Network to register
Assuming we have a list of ARFCN <-> MCC+MNC, which network do we choose?
if manual network selection: use whatever the user has chosen
we assume automatic network selection below
If the cell-advertised MCC+MNC matches the IMSI prefix, it is the home network
home network trumps everything else
SIM / USIM contains various lists which operators use to control selection policy in roaming
EF.PLMNsel (PLMN Selector)
EF.PLMNwAcT (User-controlled PLMN Selector with Access Technology)
EF.HPPLMN (Higher Priority PLMN)
EF.FPLMN (Forbidden PLMNs)
EF.OPLMNwAcT (Operator-controlled PLMN Selector with Access Technology)
EF.HPLMNwAcT (Home PLMN Selector with Access Technology)
EF.EHPLMN (Equivalent HPLMN)
finally, the MS will select a (first) cell to attempt registration.
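The following Python sketch is an added example, not part of the original slides: it decodes the 3-octet MCC/MNC encoding broadcast in SYSTEM INFORMATION 3/4 (also used in SIM files such as EF.FPLMN) and applies a simplified automatic selection. The priority order after the home network, the function names, the IMSI-prefix match using the broadcast MNC length, and the sample scan data are assumptions made for illustration.

```python
# Added illustration, not code from the original slides.
# PLMN identity as carried in SYSTEM INFORMATION 3/4 and in SIM files such
# as EF.FPLMN: 3 octets of nibble-swapped BCD digits (3GPP TS 24.008).
UNUSED = b"\xff\xff\xff"  # empty slot in a SIM PLMN list

def decode_plmn(b: bytes) -> tuple:
    """Return (MCC, MNC) as digit strings from a 3-octet PLMN identity."""
    if len(b) != 3:
        raise ValueError("PLMN identity is exactly 3 octets")
    mcc = (b[0] & 0x0F, b[0] >> 4, b[1] & 0x0F)
    mnc = (b[2] & 0x0F, b[2] >> 4, b[1] >> 4)
    if mnc[2] == 0x0F:  # filler nibble means a 2-digit MNC
        mnc = mnc[:2]
    if any(d > 9 for d in mcc + mnc):
        raise ValueError("non-decimal digit in PLMN identity")
    return "".join(map(str, mcc)), "".join(map(str, mnc))

def select_plmn(scan, imsi, forbidden=(), preferred=()):
    """Pick (arfcn, (mcc, mnc)) for registration in automatic mode.

    Assumed, simplified order: home PLMN, then `preferred` in list order,
    then the strongest remaining cell; `forbidden` entries are never chosen.
    """
    fplmn = {decode_plmn(p) for p in forbidden if p != UNUSED}
    pref = [decode_plmn(p) for p in preferred if p != UNUSED]
    best = None
    for arfcn, rxlev, raw in scan:
        try:
            plmn = decode_plmn(raw)
        except ValueError:
            continue  # undecodable broadcast: ignore this cell
        if plmn in fplmn:
            continue
        if imsi.startswith(plmn[0] + plmn[1]):
            rank = 0  # home network trumps everything else
        elif plmn in pref:
            rank = 1 + pref.index(plmn)
        else:
            rank = 1 + len(pref)
        key = (rank, -rxlev)  # lower rank first, then stronger signal
        if best is None or key < best[0]:
            best = (key, arfcn, plmn)
    return None if best is None else (best[1], best[2])

# Constructed scan results: (ARFCN, RxLev in dBm, PLMN octets from SI3)
SCAN = [(17, -60, bytes.fromhex("62f220")),   # 262-02
        (42, -85, bytes.fromhex("62f210")),   # 262-01
        (871, -70, bytes.fromhex("62f230"))]  # 262-03
```

With the constructed scan, a SIM whose IMSI starts with 26201 registers on ARFCN 42 even though it is the weakest cell, while a roaming SIM falls back to the preferred list and signal strength.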
Cell Selection State Machine
Registering to a network: LOCATION UPDATE
LOCATION UPDATE is a key transaction on the MM-sublayer of the Layer3 of the 2G/3G protocol stack
it is used to update the location/presence information of the network
there are variants:
IMSI ATTACH is used for initial registration at power-up (our case here)
NORMAL is an update triggered by a change of location (area code) as the user moves around the coverage
PERIODIC is used when a timer expires, similar to a keep alive in many protocols
the MM LOCATION UPDATE on the Um/Abis/A interface up to the MSC is translated into a MAP UpdateLocation towards the HLR (central subscriber database)
authentication procedure may (should!) follow to cryptographically verify identity of subscriber
finally, the network either sends a MM LOCATION UPDATE ACCEPT or MM LOCATION UPDATE REJECT
GSM Control Plane Protocol Stack
LOCATION UPDATE: Layer 3 Only
LOCATION UPDATE: Ladder Diagram
GPRS for packet switched services
Registering for packet switched services: GPRS ATTACH
packet-switched services were added about a decade after circuit-switched
hence, packet-switched attach is traditionally independent of circuit-switched attach
GPRS ATTACH is performed from MS to SGSN
it’s called GPRS ATTACH even for EDGE or even UMTS
GPRS Control Plane Protocol Stack
GPRS ATTACH: Ladder Diagram
Establishing a PDP Context
in order to exchange user-IP data with the public Internet, a tunnel must be established over the entire GSM/GPRS/UMTS infrastructure
one Tunnel end is inside the phone
other end is in the GGSN (Gateway GPRS Support Node)
it’s a true point-to-point link, no netmask/broadcast/arp/link-layer
if PPP is involved, this is only between the phone/modem baseband processor and the external computer
IP address allocation + DNS server addresses exchanged via protocol control options (PCO) inside PDP context activation
phone sends PDP CONTEXT ACTIVATE to network (SGSN)
network (SGSN) responds with PDP CONTEXT ACTIVATE ACK in the successful case
user IP data may now be exchanged
PDP CONTEXT ACT: Ladder Diagram
Classic UMTS (3G) network as digraph
UMTS (3G) Cell Selection
differences primarily at physical layer
WCDMA instead of TDMA (GSM)
RF channels are 5 MHz wide, so there are far fewer RF channels to scan
however, MS (now called UE) has to search in code-space, as many cells on same frequency channel
UMTS (3G) Cell Selection
Layer 3 is almost identical to GSM
MM LOCATION UPDATE (Type: IMSI ATTACH) between MS(UE) and MSC
3GPP TS 25.304 "User Equipment (UE) procedures in idle mode and procedures for cell reselection in connected mode"
http://www.3gpp.org/DynaReport/25304.htm (UMTS_