Um interface

Within the BTS, these ARFCNs are given arbitrary carrier indexes C0..Cn-1, with C0 designated as a Beacon Channel and always operated at constant power.

Each timeslot is occupied by a radio burst with a guard interval, two payload fields, tail bits, and a midamble (or training sequence).

Bursts that require higher processing gain for signal acquisition have longer midambles.

The random access burst (RACH) has an extended guard period to allow it to be transmitted with incomplete timing acquisition.

The C0T0 physical channel carries the SCH, which encodes the timing state of the BTS to facilitate synchronization to the TDMA pattern.

Interleaving algorithms for the most common traffic and control channels are described in GSM 05.03 Sections 3.1.3, 3.2.3 and 4.1.4.

This interleaving pattern makes the TCH robust against single-burst fades since the loss of a single burst destroys only 1/8 of the frame's channel bits.
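The single-burst loss figure can be checked directly. The following is an added example, not part of the original page: it applies the TCH/FS interleaving rule from GSM 05.03 Section 3.1.3, B = B0 + 4n + (k mod 8) and j = 2((49k) mod 57) + ((k mod 8) div 4), and counts the coded bits of one frame that a lost burst erases. The function names, the choice B0 = 0 and the burst and frame numbers used are assumptions made for the example.

```python
from collections import defaultdict
from fractions import Fraction

CODED_BITS = 456      # channel bits per coded TCH/FS frame
BURST_PAYLOAD = 114   # payload bits per normal burst (two 57-bit fields)

def position(n, k, b0=0):
    """Map coded bit k of frame n to (burst number B, bit position j)."""
    burst = b0 + 4 * n + (k % 8)                 # frame n spans 8 bursts
    j = 2 * ((49 * k) % 57) + ((k % 8) // 4)     # even j first, odd j later
    return burst, j

def interleave(num_frames):
    """Return {burst: {j: (n, k)}} for num_frames consecutive frames."""
    bursts = defaultdict(dict)
    for n in range(num_frames):
        for k in range(CODED_BITS):
            b, j = position(n, k)
            # Each payload position may be claimed by one coded bit only.
            assert j not in bursts[b], "two coded bits mapped to one slot"
            bursts[b][j] = (n, k)
    return bursts

def erased_bits(bursts, lost_burst, frame):
    """Sorted coded-bit indexes of `frame` destroyed when one burst is lost."""
    return sorted(k for (n, k) in bursts[lost_burst].values() if n == frame)

def loss_report(lost_burst=5, frame=1, num_frames=3):
    """Summarise the damage done to `frame` by losing `lost_burst`."""
    bursts = interleave(num_frames)
    lost = erased_bits(bursts, lost_burst, frame)
    return {
        # Share of the frame's 456 channel bits that were in the lost burst.
        "fraction": Fraction(len(lost), CODED_BITS),
        # Spacing between erased bits in coded order (before deinterleaving
        # they were adjacent on air; afterwards they are spread out).
        "gaps": {b - a for a, b in zip(lost, lost[1:])},
        # A full burst is shared by two consecutive frames, 57 bits each.
        "burst_fill": len(bursts[lost_burst]),
        "frames_in_burst": sorted({n for n, _ in bursts[lost_burst].values()}),
    }

if __name__ == "__main__":
    print(loss_report())
```

The erased bits come back to the channel decoder eight positions apart rather than as one contiguous run, which is the form of damage a convolutional code corrects best.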

The SDCCH is used for most short transactions, including the initial call setup step, registration and SMS transfer.

Closed loop timing and power control are performed with a physical header at the start of each L1 frame.

The SACCH uses 4-burst block interleaving and the same multiframe type as its host TCH or SDCCH.

The BCCH carries a repeating pattern of system information messages that describe the identity, configuration and available features of the BTS.

The BCCH brings the measurement reports and the information about the LAI and CGI. BCCH frequencies are fixed in the BTS.

The SCH transmits a base station identity code and the current value of the TDMA clock.

The FCCH generates a tone on the radio channel that is used by the mobile station to discipline its local oscillator.

The PCH carries service notifications (pages) to specific mobiles sent by the network.

A mobile station that is camped to a BTS monitors the PCH for these notifications sent by the network.

These restrictions are intended to exclude nonsensical BTS configurations and are described in GSM 05.02 Section 6.5.

This procedure uses the CCCH (PCH and AGCH) as a unicast downlink and the RACH as a shared uplink.

If these RACH bursts arrive at the BTS with comparable power, the resulting sum of radio signals will not be demodulable and both MSs will move to step 4.

There are three common approaches:

This is the transaction for an incoming call to the MS, defined in GSM 04.08 Sections 5.2.2 and 7.3.3, but taken largely from ISDN Q.931.

In the simplest case, error-free delivery outside of an established call, the transaction sequence is:

GSM 02.09 defines the following security features on Um:

Um also supports frequency hopping (GSM 05.01 Section 6), which is not specifically intended as a security feature but has the practical effect of adding significant complexity to passive interception of the Um link.

Authentication and encryption both rely on a secret key, Ki, that is unique to the subscriber.

Copies of Ki are held in the SIM and in the Authentication Center (AuC), a component of the HLR.

An important and well-known shortcoming of GSM security is that it does not provide a means for subscribers to authenticate the network.

This oversight allows for false basestation attacks, such as those implemented in an IMSI catcher.

GSM encryption, called "ciphering" in the specifications, is implemented on the channel bits of the radio bursts, at a very low level in L1, after forward error correction coding is applied.

This is another significant security shortcoming in GSM because:

A typical GSM transaction also includes LAPDm idle frames and SACCH system information messages at predictable times, affording a known-plaintext attack.

The network is expected to deny service to any MS that does not support either A5/1 or A5/2 (GSM 02.09 Section 3.3.3).

The TMSI is a 32-bit temporary mobile subscriber identity that can be used to avoid sending the IMSI in the clear on Um.

Note that the subscriber identity must be established before authentication or encryption, so the first transaction in a new network must be initiated by transmitting the IMSI in the clear.