06 October 2008


GSM Handset Vulnerabilities, Part II: Physical Layer Protocol

By Brian Senese and Laurent Ronc

Operational characteristics of Layer 1 in a time-division multiple access system, which handles airlink management, channel maintenance, and cell transfers, can be difficult to verify prior to full type approval. This discussion is devoted to understanding Layer 1 operation and ensuring spec compliance.

Communication systems rely upon protocols for their very survival. It is with this in mind that we turn our attention to physical layer operation in a time-division multiple access (TDMA) system. Last month, the RF performance of a Global System for Mobile Communications (GSM) handset was examined with attention given to hardware. Full type approval (FTA) in Europe, a very painful process, was discussed at length in Part 1 — and many of the same issues hold true for protocol testing, especially as it applies to the physical layer, or Layer 1 (L1). L1 is primarily responsible for airlink management, encompassing GSM channel acquisition, channel maintenance in a hostile RF environment, and cell transfers when the current channel becomes ineligible for use. Operational characteristics of L1 can be difficult to verify prior to attempting FTA. The following discussion is devoted to understanding L1 operation and methods of ensuring spec compliance (or at least building confidence in being able to pass FTA tests) on one’s home turf before making the journey to Europe.

The GSM airlink
GSM airlink operation can be very confusing; therefore, some of the fundamental concepts of operation are presented in preparation for further discussion of L1 and the problems generally associated with this component of the handset.

Communication between the mobile handset and base station (BTS) is supported by both a physical channel and several logical channels. The physical channel is defined by frequency as well as by time. Two frequencies support duplex communication between the mobile handset and the network, with eight repeating time slots (577 µs each) providing eight unique access points in time for an equal number of mobile handsets. This scheme is referred to as TDMA since data is sent in time-limited bursts under strict network control. One of these slots is used for a single mobile handset, leaving the potential for another seven mobile handsets to gain access to the network on the same frequency pair, each using a different slot assignment. Figure 1 portrays a typical session whereby the BTS transmits a burst to the mobile handset within one time slot, and then receives from the mobile handset the related burst three time slots later. In TDMA, timing is everything for correct operation, and this poses a problem.

In the realm of mobile communications, slot timing varies as a function of distance between the BTS and mobile handset, as a result of inherent propagation delay. Figure 1 shows a manifestation of this delay and the need for active control by the network to adjust burst timing, so that a distant handset's burst does not spill into the adjacent time slot and interfere with another handset. A timing advance (TA) is calculated by the BTS from the arrival time of the handset's burst, sent to the mobile handset in a control message, and then used by the handset to advance its transmit burst by that amount.

Logical channels are multiplexed onto a physical channel and form a channel combination over a multiframe, a repeating structure of TDMA frames that is either twenty-six or fifty-one frames long depending on the combination. Two important channel combinations are illustrated in Figure 2. The first, the control channel, is broadcast by the BTS and is unique to each cell. Within this channel, significant amounts of network-related information are passed to the mobile handset for its use. An activated mobile handset first searches for a suitable GSM control channel, synchronizes to the network (in both time and frequency), extracts network system information, and, if the cell is suitable, "camps" on that cell while searching for and monitoring the control channels of surrounding cells. The control-channel multiframe is fifty-one frames long before it repeats, whereas the traffic-channel multiframe is twenty-six frames long. Because the two lengths share no common factor, the idle frame of the traffic multiframe drifts across every position of a neighboring cell's control multiframe, which is what lets the mobile handset monitor the control channels of surrounding cells while in a voice call. This brings us to the second channel combination, which supports the actual call: the traffic channel (TCH) carries the digitized voice, and the slow associated control channel (SACCH) carries the control information needed to manage the airlink.

The response time of the mobile handset to a network command sent on the SACCH is tied to the data structure of the channel itself. Figure 3 illustrates the encoding of a SACCH message and its transmission in four bursts. Data is encoded, interleaved, and formatted into four bursts, each sent in a different 26-frame multiframe. Once the fourth burst is received, the mobile handset L1 de-interleaves, channel-decodes, and extracts the 2-byte L1 header carrying the timing advance and transmit power-level commands the mobile handset is to use. SACCH messages sent back to the BTS (in the uplink slot three time slots later) carry the power and timing advance values currently being used by the mobile handset. A command therefore takes at least four multiframes (about 480 ms) to arrive in full, and the report confirming it spans another four.

As can be seen, the airlink requires significant effort in terms of its management, which is generally handled by the L1 protocol. There are two basic categories of L1 operation: bit manipulation and airlink surveillance. Bit manipulation operations are handled by the DSP; these include data/voice encoding, interleaving, burst building/transmission, filtering, and signal equalization. Airlink surveillance is managed by the L1 (with help from the L3) and is responsible for cell selection, channel synchronization, timing and power adjustments, surrounding cell monitoring, and cell handovers. Assuming that the RF hardware of the handset works perfectly to spec, discussion will be directed toward L1 management of the airlink and how it can be verified before attempting FTA.

Synchronization
As discussed earlier, burst timing within the allocated slot is critical for successful operation of TDMA systems. A major task of the L1 is to keep its internal time base in line with that of the signal received from the BTS; this is quite different from the forced adjustment of slot timing presented previously. Synchronization is a graceful approach to maintaining lock with the network timing standard. Deviation from the network results from both an imperfect channel and differing clock references.

Timing error (the difference between the actual and expected time of arrival of the BTS burst) is a function of varying propagation delay as well as mobile handset reference-clock inaccuracy. As an example, a relative clock error of 10 ppm between the network and the mobile handset accumulates 2.71 bit-times of timing error every second (270.833 kbit/s × 10 × 10⁻⁶). This is not good for mobile handsets using adjacent slots. To compensate for this clock difference, L1 estimates both signal timing and frequency error. When necessary, it adjusts the time base accordingly to maintain synchronization with the network, in a manner similar to that of a phase-locked loop (PLL). For timing errors greater than ±2 µs (0.54 bit-time), the time base is adjusted in steps of 1/4 bit-time at least every 2 sec (not exceeding once every second), until the error is less than ±0.5 bit-time.

Testing this operational feature requires adjusting the BTS timing, and then measuring the response on the mobile handset itself. The reception-time tracking speed is implicitly measured on the transmit bursts. As mentioned, error in the phone time base will be reflected in the timing of the transmit burst (being delayed by three burst time slots). The FTA test method has the system tester suddenly shifting its time base by 2 bit-times; it then records the time of arrival of the bursts transmitted by the mobile handset with the expectation that transmitted bursts will eventually, through incremental adjustment, align with the expected receive time at the BTS.

A simple "home grown" test setup with some software is required to detect potential problems in this area before going to FTA. The first step is to shift the received signal by 2 bit-times (7.38 µs), which can be done either by suddenly shifting the GSM test set's time base or by shifting the internal mobile handset time base. Overwriting the timing correction that L1 would apply works effectively, leaving the mobile handset with a 2 bit-time receive timing error. The mobile handset and tester frame-interrupt signals can then be compared on an oscilloscope, with the tester frame interrupt as the trigger. Quarter-bit-time adjustments of the mobile handset interrupt should be observed every 1 sec to 2 sec until the timing references are aligned again (eight quarter-bit steps, so approximately 8 sec later at one step per second).

Temporary reception gap
In some instances, network synchronization must be maintained even in the absence of a GSM signal with which it is to maintain lock. It is not uncommon to have a call established only to find that while traveling, the RF link to the BTS is lost temporarily — perhaps as a result of being in a tunnel. The mobile handset will continue to transmit voice to the BTS for up to 30 sec before declaring the link down and disabling the transmitter. During the time when the BTS signal is absent, the mobile handset must ensure that transmit burst timing is accurate to prevent interference with other mobile handsets.

Failure in this area can result from reference-clock drift or from erroneous time-base and frequency adjustments derived from false receive-slot measurements. During a "reception gap," the frequency error measured on receive slots is meaningless and must be ignored. The filtering (running average) applied to the frequency and timing error estimates is another potential cause of timing drift and should be verified.

A test setup similar to that used for investigating receive timing can be used to examine the mobile handset’s response to a reception gap lasting 30 sec or even longer. By using the BTS simulator frame interrupt signal as a trigger, the frame interrupt of the mobile handset can be monitored on an oscilloscope. After establishing a call and ensuring that synchronization between the mobile handset and the network is achieved, break the RF connection between the BTS simulator and the mobile handset. Both frame interrupt signals should remain within 3.69 µs of one another over the duration. Transmit burst timing and frequency error will also be recorded on the GSM test set.
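The quarter-bit stepping rule and the reception-gap gating described above can be checked in simulation before the oscilloscope is wired up. The following is an added example written for this page, not code from the article or from any handset; the AFC loop gain, the one-second tick, the garbage estimates the demodulator returns with no burst present, and the extra 0.02 ppm of oscillator drift during the gap are all constructed assumptions.

```python
"""Toy model of a GSM handset L1 time-base tracker (added example; not from the article).

Time advances in 1 s ticks, the adjustment rate the article cites. The handset's
reference clock is modelled as an offset in ppm minus an AFC correction; drift is
converted to bit-times with the 270.833 kbit/s GSM bit rate (10 ppm -> 2.71 bit/s).
"""
import random

GSM_BIT_RATE = 13e6 / 48                   # 270 833.33 bit/s
BIT_TIME_US = 1e6 / GSM_BIT_RATE           # 3.69 us
START_THRESHOLD_BITS = 2.0 / BIT_TIME_US   # +/-2 us = 0.54 bit-time starts stepping
STOP_THRESHOLD_BITS = 0.5                  # stepping stops once |error| < 0.5 bit-time
STEP_BITS = 0.25                           # one quarter-bit step per adjustment
AFC_GAIN = 0.5                             # assumed loop gain of the frequency estimate


def ppm_to_bits_per_second(ppm):
    """Bit-times slipped per second by a relative clock error of `ppm`."""
    return ppm * 1e-6 * GSM_BIT_RATE


class L1TimeBase:
    """Timing/frequency tracking loop; `gate_on_signal` freezes it during a reception gap."""

    def __init__(self, gate_on_signal=True):
        self.gate_on_signal = gate_on_signal
        self.afc_ppm = 0.0       # frequency correction currently applied to the reference
        self.stepping = False    # inside a quarter-bit stepping sequence
        self.steps = 0

    def update(self, timing_err_bits, freq_err_ppm, signal_present):
        """Consume one measurement; return the time-base shift (bit-times) to apply now."""
        if self.gate_on_signal and not signal_present:
            return 0.0           # no BTS burst: hold frequency and timing
        self.afc_ppm += AFC_GAIN * freq_err_ppm
        if not self.stepping and abs(timing_err_bits) > START_THRESHOLD_BITS:
            self.stepping = True
        if self.stepping and abs(timing_err_bits) < STOP_THRESHOLD_BITS:
            self.stepping = False
        if not self.stepping:
            return 0.0
        self.steps += 1
        return -STEP_BITS if timing_err_bits > 0 else STEP_BITS


def simulate(tracker, osc_ppm, ticks, gap=(None, None), gap_drift_ppm=0.0,
             initial_err_bits=0.0, seed=1):
    """Return the true time-base error (bit-times) after each 1 s tick.

    `gap` is the [start, end) tick range of a reception gap; during it the
    demodulator returns garbage (constructed random) estimates and the
    oscillator is given an extra `gap_drift_ppm` (e.g. a temperature step).
    """
    rng = random.Random(seed)
    err = initial_err_bits
    history = []
    for t in range(ticks):
        in_gap = gap[0] is not None and gap[0] <= t < gap[1]
        residual_ppm = osc_ppm + (gap_drift_ppm if in_gap else 0.0) - tracker.afc_ppm
        err += ppm_to_bits_per_second(residual_ppm)   # drift over this second
        if in_gap:
            meas_t, meas_f = rng.uniform(-2.0, 2.0), rng.uniform(-5.0, 5.0)
        else:
            meas_t, meas_f = err, residual_ppm        # ideal measurement on the BTS burst
        err += tracker.update(meas_t, meas_f, signal_present=not in_gap)
        history.append(err)
    return history


def step_response(shift_bits=2.0):
    """FTA-style test: tester time base jumps by `shift_bits`; steps taken and final error."""
    tracker = L1TimeBase()
    history = simulate(tracker, osc_ppm=0.0, ticks=12, initial_err_bits=shift_bits)
    return tracker.steps, history[-1]


def reception_gap(gate_on_signal, gap_s=30, settle_s=30):
    """Worst time-base error (bit-times) during a `gap_s` second loss of the BTS signal."""
    tracker = L1TimeBase(gate_on_signal)
    history = simulate(tracker, osc_ppm=10.0, ticks=settle_s + gap_s,
                       gap=(settle_s, settle_s + gap_s), gap_drift_ppm=0.02)
    return max(abs(e) for e in history[settle_s:])


if __name__ == "__main__":
    print("2-bit step:", step_response())
    print("gap, gated:", reception_gap(True), "gap, ungated:", reception_gap(False))
```

step_response() reproduces the 2 bit-time step test: the loop takes seven quarter-bit steps to bring the error below 0.5 bit-time, within the 8 sec the text cites. reception_gap(True) stays under one bit-time (3.69 µs) across a 30 sec gap, whereas reception_gap(False), which keeps feeding the false measurements into the loop, drifts by many bit-times; that is the failure the test setup above is meant to catch.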

Timing advance adjustment
The network instructs and consequently controls the mobile handset with respect to burst timing adjustment, counteracting the effects of propagation delay as outlined earlier. During a call, for example, the mobile handset may receive a new timing advance value. This value is applied at the start of the next twenty-six-frame multiframe following the reporting period. Failure to adjust the TA on that multiframe boundary yields a failure at FTA.

Unfortunately, there is only one piece of available test equipment capable of attempting this measurement, the CRTC02 GSM BTS simulator. By collecting the protocol log recorded during an actual traffic session, you can examine the received burst placement (the burst as transmitted by the mobile handset) as it responds to new TA information sent to the mobile handset by the CRTC02. With adjustments in the TA, bursts sent by the mobile handset shift in position and do so on the first frame of the twenty-six-frame multiframe following a reporting period.

Transmit power adjustment by the mobile handset follows the same principle as the timing advance. Power-level information is sent to the mobile handset via the SACCH logical channel and acted upon; a large requested change is reached through a series of incremental steps rather than in one jump. During FTA, the system tester verifies that these incremental power changes are taken, which, unfortunately, is the only method available to verify this operational feature.
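As an added example (not code from the article), here is what the handset L1 does with the 2-byte SACCH L1 header described earlier: decode the ordered power level and timing advance, schedule the new TA for the start of the next twenty-six-frame multiframe, and ramp the power in 2 dB steps. Field positions follow the L1 header layout in GSM 04.04 (power level in the low five bits of octet 1, timing advance in the low seven bits of octet 2, remaining bits spare); the one-step-per-60 ms (13 TDMA frames) power ramp is from GSM 05.08 and the GSM 900 level-to-dBm table from GSM 05.05. Check all three against the spec revision you are testing to. Using the frame in which the fourth burst was received as the reference for the multiframe boundary is a simplification of "following the reporting period".

```python
"""SACCH L1 header handling for a GSM handset L1 (added example, not from the article)."""
from dataclasses import dataclass

SPEED_OF_LIGHT_M_S = 299_792_458
BIT_TIME_S = 48 / 13e6            # 3.69 us: one GSM bit period, also one TA unit
FRAMES_PER_MULTIFRAME = 26        # TCH/SACCH multiframe length in TDMA frames
POWER_STEP_FRAMES = 13            # one nominal 2 dB step every 60 ms (GSM 05.08)


@dataclass(frozen=True)
class L1Header:
    power_level: int       # 0..31 power control level (lower number = more power)
    timing_advance: int    # 0..63 in normal use; carried in 7 bits

    def encode(self) -> bytes:
        if not 0 <= self.power_level <= 31 or not 0 <= self.timing_advance <= 127:
            raise ValueError("L1 header field out of range")
        return bytes([self.power_level & 0x1F, self.timing_advance & 0x7F])

    @classmethod
    def decode(cls, octets: bytes) -> "L1Header":
        if len(octets) != 2:
            raise ValueError("L1 header is exactly two octets")
        # spare bits (octet 1 bits 8..6, octet 2 bit 8) are masked off
        return cls(power_level=octets[0] & 0x1F, timing_advance=octets[1] & 0x7F)


def ta_to_distance_m(ta: int) -> float:
    """One-way BTS-to-MS distance implied by a TA; TA counts round-trip bit periods."""
    return ta * BIT_TIME_S * SPEED_OF_LIGHT_M_S / 2


def gsm900_power_dbm(level: int) -> int:
    """GSM 900 power control level to nominal MS output power (GSM 05.05 table)."""
    if level <= 2:
        return 39
    if level >= 19:
        return 5
    return 39 - 2 * (level - 2)


def next_multiframe_start(fn: int) -> int:
    """First TDMA frame of the 26-frame multiframe that follows frame `fn`."""
    return fn + FRAMES_PER_MULTIFRAME - fn % FRAMES_PER_MULTIFRAME


def schedule_power_ramp(fn: int, current_level: int, ordered_level: int):
    """(frame number, level) for each single-level (2 dB) step towards the ordered level."""
    ramp = []
    step = 1 if ordered_level > current_level else -1
    level = current_level
    while level != ordered_level:
        level += step
        fn += POWER_STEP_FRAMES
        ramp.append((fn, level))
    return ramp


def apply_l1_header(fn: int, current_level: int, octets: bytes):
    """Plan the handset's reaction to a downlink L1 header whose last burst arrived at `fn`."""
    hdr = L1Header.decode(octets)
    return {
        "ta": hdr.timing_advance,
        "ta_apply_at_fn": next_multiframe_start(fn),
        "distance_m": round(ta_to_distance_m(hdr.timing_advance)),
        "ordered_dbm": gsm900_power_dbm(hdr.power_level),
        "power_ramp": schedule_power_ramp(fn, current_level, hdr.power_level),
    }


if __name__ == "__main__":
    # Constructed downlink header: ordered power level 5 (33 dBm), timing advance 10.
    print(apply_l1_header(fn=100, current_level=15, octets=bytes([0x05, 0x0A])))
```

The report the handset sends back on the uplink SACCH uses the same two-octet layout with the values actually in use, so L1Header.encode() of the current level and TA is what should appear in the CRTC02 protocol log once the ramp has completed and the TA has been applied at the multiframe boundary.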

Cell selection and handover
Selecting an appropriate cell on which to camp and maintain a list of potential cells for use as handover sites is one of the most challenging aspects of L1 operation. This activity is managed during idle periods when the mobile handset is not in use (cell reselection), as well as during periods when the mobile handset is supporting a call (handovers).

L1 first assesses the spectrum by scanning all channels within the GSM band and sorting them in descending order of power level. From the list of the strongest signals, it determines which carry a control channel and, after reading the information within that channel, decides whether the cell is suitable for use. The mobile handset camps on the best cell candidate and continues monitoring a list of surrounding cells belonging to the same network. Cell suitability is determined by whether the following stipulations are met:

• It’s a member of a particular network provider.

• It’s not barred or forbidden for use by mobile handsets.

• It doesn’t belong to a forbidden location area.

• Its RF signal strength is sufficient.

If all available GSM cells fail the first requirement (the network provider is not supported), the mobile handset attempts to select any GSM cell and then enters a limited service mode where only emergency calls may be allowed (this is determined by the network provider). The search for a suitable cell may resume periodically, as well as upon a user’s request.
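The selection procedure and the four suitability conditions above, together with the limited-service fallback, as an added example that is not part of the article. The record layout of a scanned carrier, the PLMN strings and the constructed scan list are assumptions; the per-cell minimum access level is the value the cell itself announces in its system information.

```python
"""Cell selection candidate ranking for a GSM handset L1 (added example, not from the article)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MAX_NEIGHBOURS = 6   # surrounding cells the handset keeps under observation


@dataclass(frozen=True)
class ScannedCarrier:
    arfcn: int
    rssi_dbm: float
    is_bcch: bool = False                  # carries the control-channel combination
    plmn: Optional[str] = None             # MCC+MNC read from system information
    barred: bool = False                   # cell barred for access
    lac: Optional[int] = None              # location area code from system information
    rxlev_access_min_dbm: float = -110.0   # minimum level the cell announces for access


def rank_by_power(scan: List[ScannedCarrier]) -> List[ScannedCarrier]:
    """Strongest carrier first, as the initial band scan produces it."""
    return sorted(scan, key=lambda c: c.rssi_dbm, reverse=True)


def is_suitable(c: ScannedCarrier, home_plmn: str, forbidden_lacs: FrozenSet[int]) -> bool:
    """The four conditions: home network, not barred, LA not forbidden, enough signal."""
    return (c.is_bcch and c.plmn == home_plmn and not c.barred
            and c.lac not in forbidden_lacs and c.rssi_dbm >= c.rxlev_access_min_dbm)


def select_cell(scan: List[ScannedCarrier], home_plmn: str,
                forbidden_lacs: FrozenSet[int] = frozenset()
                ) -> Tuple[str, Optional[ScannedCarrier], List[ScannedCarrier]]:
    """Return (service state, serving cell, surrounding cells to keep monitoring)."""
    ranked = rank_by_power(scan)
    suitable = [c for c in ranked if is_suitable(c, home_plmn, forbidden_lacs)]
    if suitable:
        return "normal", suitable[0], suitable[1:1 + MAX_NEIGHBOURS]
    # No usable cell of the home network: camp on any control channel that is
    # not barred and strong enough, for emergency calls only (limited service).
    for c in ranked:
        if c.is_bcch and not c.barred and c.rssi_dbm >= c.rxlev_access_min_dbm:
            return "limited", c, []
    return "no_service", None, []


# Constructed scan of one GSM band (arbitrary ARFCNs and levels).
SCAN = [
    ScannedCarrier(arfcn=1, rssi_dbm=-60, is_bcch=True, plmn="26201", barred=True, lac=5),
    ScannedCarrier(arfcn=20, rssi_dbm=-65, is_bcch=True, plmn="26202", lac=9),  # other network
    ScannedCarrier(arfcn=35, rssi_dbm=-70, is_bcch=True, plmn="26201", lac=3),  # forbidden LA
    ScannedCarrier(arfcn=50, rssi_dbm=-72),                                      # traffic carrier
    ScannedCarrier(arfcn=62, rssi_dbm=-78, is_bcch=True, plmn="26201", lac=7),
    ScannedCarrier(arfcn=77, rssi_dbm=-95, is_bcch=True, plmn="26201", lac=7),
    ScannedCarrier(arfcn=90, rssi_dbm=-112, is_bcch=True, plmn="26201", lac=7), # too weak
]

if __name__ == "__main__":
    print(select_cell(SCAN, home_plmn="26201", forbidden_lacs=frozenset({3})))
    print(select_cell(SCAN, home_plmn="26209"))   # no home-network cell: limited service
```

With the constructed scan, the strongest carrier is barred, the next belongs to another network, the third sits in a forbidden location area and the fourth carries no control channel, so the handset camps on ARFCN 62 and keeps ARFCN 77 on its monitoring list; asking for a network that is not present drops it into limited service on ARFCN 20. The same ranking feeds the in-house multicell test described later: lowering one carrier with the filter should change the order this function returns.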

A different scenario is followed when the mobile handset is occupied in a call and is on a traffic channel. The surrounding cells are still monitored with the intention of prioritizing them as before; however, the transfer of the traffic channel to a new cell is initiated by the network based on mobile handset power and quality measurement reports sent on the SACCH.

In-house testing requires the multicell capability, consisting of a serving cell and as many as six surrounding cells. Some of the neighboring cells have to support both a traffic channel and a control channel in the case of handover testing. Moreover, network parameters such as output power need to be changed dynamically during test, without interruption to the downlink BTS signal. On the mobile handset side, reports from the L1 containing information with respect to surrounding cell activity must be made available containing the control channels that are available and the signal strength of each channel found.

To support cell selection and reselection tests, a multicell configuration can be built from a collection of passive RF components. Using this scheme, a single GSM signal can be made to appear as several signals at different frequencies through mixing and combining. The RF signal strength of any selected channel can then be adjusted manually through a narrowband bandpass filter. The results of adjusting any one of the multiple channels should be recorded by the mobile handset under test: a change in the channel's radio signal strength indicator (RSSI) value should be seen, as well as a new channel order.

This approach works well with one important caveat: Precautionary measures should be taken with regard to the test setup. Newly generated GSM channels are replicas of the singular input channel. Testing cell reselection with unique network defining parameters or with different identities is impossible with this device. This setup requires that two signal sources be synchronized to the same reference signal. This ensures that all generated signals have the same relative frequency error. If the relative error is very different from one cell to another, it can cause failure with respect to the L1 synchronization algorithm (timing and frequency error tracking) as it attempts to lock to surrounding cells. This solution may not be perfect, but it’s better than nothing. It is also less expensive than a $3.5 million FTA test system!

The previous configuration cannot be used for handover testing since an additional traffic channel would be needed. It can be very useful, however, for testing mobile handset call activity in a more strenuous environment, with up to six surrounding cells to monitor. Handover can be partially tested on several pieces of commercial equipment that simulate both control channels and TCHs. A built-out Anite system (costing several hundred thousand dollars) can support some of this test activity. Deficiencies or holes in the tests can be plugged at pre-FTA while on the system tester.

Ingenuity
Preparation for FTA requires tenacity as well as creativity since fully capable test systems are cost prohibitive. Through the use of existing GSM test equipment and ingenuity, many of the basic features that are put to the test during an FTA run can be exercised in-house to the point of at least ensuring basic operation during a full system test in Europe. When considering the many approaches presented in this two-part series, you will have accomplished two very important tasks. Phone stability will have been established — without it don’t even consider attempting a pre-FTA session. Under such conditions, results at the test facility will inevitably be very disappointing since test verdicts will fall into the “error” category. Pass or fail information is what you want — not data indicating that your handset is completely out of spec or unresponsive to the injected stimulus. Secondly, by cycling through the basic operation of the handset — whether it be related to RF performance or L1 protocol operation — you will have become very knowledgeable about your product’s operation. While at the test facility, debugging problems in one of these two areas will be much easier and inevitably faster. GSM handset development may be the quickest way to riches, but it’s not the easiest.

Brian Senese is a senior engineering manager at Uniden Research and Development in San Diego, CA, where he is involved in the development of wireless handsets. He has an MSEE from the University of Western Ontario in Canada and has worked for telecommunication companies such as Nortel, PCSI, and Lucent Technologies. He can be reached at bpsdsp@incom.net.

Laurent Ronc is a senior staff engineer, leading the GSM handset integration effort at Uniden Research and Development. He worked in GSM systems integration for Alcatel Mobile Phones in France for 3 years. He received a masters degree in electrical engineering from Ecole Supérieure d’Electricité in France. He can be reached at lronc1@san.rr.com.
