PW1 Monitoring a GSM network with a trace mobile




LPRO WireLess Network and security
PW1 Monitoring a GSM network with a trace mobile
Module GSM MOBILE LPRO 2012-13
IUT of Grenoble - WINS PW1 - GSM - 06/11/12

Experimental set-up:
1. SAGEM OT230/OT260 Trace Mobile and charger
2. GSM antenna and RF envelope detector
3. ADVANTEST R3131A spectrum analyser and a 20 dB attenuator
4. Oscilloscope

Objectives:
GSM is currently the most widespread cellular mobile communication system. The goal of this work is to use a special trace mobile to monitor the main parameters of the GSM physical interface as well as the radio interface between the Mobile Station (MS) and the Base Station (BTS). Another objective is to better understand the main operating modes of a mobile phone (MS).

1 Introduction to the GSM

1.1 Frequency Division Multiple Access (FDMA)

GSM communication is carried out on two different frequencies: an up link frequency f_U (from the MS to the BTS) and a down link frequency f_D (from the BTS to the MS) (Fig. 1). The bandwidth of the radio channel in both directions is 200 kHz. To transport the digital data on the radio interface, GSM uses a modified phase modulation called GMSK (Gaussian Minimum Shift Keying). The communication in the two directions is carried out in half duplex mode (no emission and reception at the same time).

Each couple (f_U, f_D) is identified by a number called ARFCN, which defines the down link frequency f_D. Currently in Europe GSM uses frequencies located in the 900 and 1800 MHz bands, defined as follows (f_D in MHz):

GSM band:     f_D = 935 + 0.2 * ARFCN              ARFCN = 1 ... 124
EGSM band:    f_D = 935 + 0.2 * (ARFCN - 1024)     ARFCN = 975 ... 1024
DCS1800 band: f_D = 1805.2 + 0.2 * (ARFCN - 512)   ARFCN = 512 ... 885

For the frequency f_U we have:

f_U = f_D - 45 MHz for GSM/EGSM bands

f_U = f_D - 95 MHz for DCS1800 band

1.2 Time Division Multiple Access (TDMA)

Each carrier frequency can be used by 8 mobiles at the same time thanks to time division multiplexing (TDMA). The time is divided into 8 intervals called time slots (TS), Fig. 2. Each mobile which uses the couple of frequencies (f_U, f_D) is allocated a time slot TSi (i = 0 ... 7). During the time slot the mobile has access to the network. The triplet {f_U, f_D, TSi} forms a physical communication channel. Each mobile connected to the GSM network has its own physical channel. Each physical channel can transport one or more logical channels. A logical channel is seen as a set of structured information.

[Fig. 2: TDMA frame of duration T_GSM made of time slots TS0, TS1, ..., TS7; one time slot of duration T_S contains 156.25 bits]

The time of the time slot is: T_S = 7500/13 µs

Each time slot can contain 156.25 bits. Only 148 are used to transmit information. The remaining bits form a guard period which prevents adjacent time slots from overlapping. The time of the bit in GSM is 3.692 µs and the maximum binary rate on the physical interface is 270.83 kbit/s. All temporal parameters of the GSM system were selected so that the corresponding signals can be derived from a 13 MHz quartz oscillator.

TDMA frames are grouped in multiframes. There are two types of multiframes. The 26-multiframe, with a time of 120 ms, is used to transmit user information (data and control). The 51-multiframe, with a time of 236 ms, is mainly used to transmit information related to the network as well as dedicated control information (calls, SMS, control data).

1.3 The transmission and the reception

The communication between the base station (BTS) and the mobile (MS) is made in a discontinuous way. The emission and the reception are shifted in time.
[Figure: BTS - MS communication. Down link (BTS to MS): the BTS transmits to the MS on the frequency f_D. Up link (MS to BTS): the MS transmits to the BTS on the frequency f_U. The time slots (TS0, TS2) of the two directions are shifted in time.]

1.4 GSM MS Communication

The GSM network continuously transmits control information on a special channel called BCH (Broadcast Channel). This channel contains information about the network as well as information which allows the mobile to synchronize, to identify the network and to connect to it. The BCH is transmitted on a frequency f_DB, always on time slot 0.

Each time a mobile is switched on, it tries to find the BCH, to synchronize in frequency and in time, and to read the information concerning the cell where it is. At a given place the mobile can receive several base stations. It chooses the one it receives with maximum power and tries to establish a connection. For that, it sends a request for connection on the frequency f_UB. When the BCH is found the MS starts a negotiation with the BTS. This negotiation is made on the physical channel {f_DB, f_UB, TS0}.

When the mobile is connected to the network it switches to a special mode called idle. In this mode the mobile listens to the BCH. From time to time, the network asks the mobile to confirm its presence and its position. This time is fixed by the timer T3212. The call of the mobile by the network (or of the network by the mobile) is made on the BCH.

When the mobile is called (or makes a call) it switches to a specific mode called dedicated mode. In this case the communication is made on a traffic channel (TCH) which is different from the BCH. The traffic channel TCH is a new physical channel defined by {f_DTCH, f_UTCH, TSi}, i = 0 ... 7. The parameters of this channel (frequency and time slot) are fixed by the network and sent to the mobile during the connection establishment phase, which is made on the BCH.

It is possible that the frequencies of the TCH change during the communication. In this case we are in the presence of a special operating mode called frequency hopping.
This mode is used to decrease the interference level in the cell as well as to increase the quality of the connection.

The principal states of the mobile are indicated in the next figure. This diagram is called the state machine of the mobile.

[Figure: state machine of the mobile]

Mobile switched ON (then: connection to the network):
1. Search for cell (BCH)
2. Cell select
3. Identification
4. Connection to the network

«Idle» mode (then: call):
1. Listen BCH
2. Monitoring adjacent cells
3. Wait a call on BCH
4. Send a call on BCH

«Dedicated mode» (then: end):
1. Communication on traffic channel (TCH)
2. Listen BCH
3. Monitoring adjacent cells

During a communication, the MS continuously supervises the BCH, as well as the cells which surround it. This is necessary if the mobile moves and must change cell. The mobile can supervise at the same time the BCH of its own cell and six other adjacent cells.

1.5 Monitoring a GSM network with a SAGEM OT230 trace phone

The SAGEM OT230/OT260 is a special mobile phone which has a system to monitor the network and the option to display the parameters of the network. The operation modes, as well as the complete list of the parameters, are described in the documentation MMI for OT200 Test tool, available on the Intranet of the R&T Department. Here we describe only the parameters used in this PW.

The mobile phone is started using the green button and is switched off using the red button. The PIN code to activate the telephone is 8884. The phone number is indicated on the label.

The monitoring mode can be activated from the main menu of the phone by choosing the option Test tool. The options available for this mode are:

Test tool
- Trace
- Forcing
- Infos & settings

From the various sub-menus one can reach the parameters of interest:

Trace / GSM

QOS information: allows observing the Quality of the Service provided by the network. The parameter which interests us is the value of the timer T3212 (or Location Update Timer). This value, imposed by the network, is the interval of time after which the mobile connects to the network to confirm its presence and to update its location.

Network: the parameters of the cells which surround the mobile. <Serving cell> is the cell which is used by the mobile for connection. The parameters which interest us are:

- BCCH xxxx: the ARFCN (fixes the frequency of the BCH)
- BSIC: identifying code of the base station
- Rx: level in dBm of the signal received by the mobile
- C1, C2, DSC, BA: parameters used during the change of cell (handover). Not used for this PW
- CI: identity code of the cell
- LAI: identifier of the site of the mobile (on the world GSM network). It is a number of three groups whose significance is:
  xxx - code of the country
  xx - code of the GSM operator
  xxxx - code of the BTS
- TS: time slot on which the communication is carried out. The BCH is always emitted on TS=0.
- RM: level in dBm of the minimum received signal acceptable by the mobile. If the signal level received by the mobile becomes lower than this value, the mobile must carry out a change of cell.
- TX: maximum power that the mobile has the right to emit when it connects to the network (or when it carries out a call).
- BPM, CCH: not used for this PW

<Serving cell> Options: allows seeing the frequencies and the powers of the six cells (if they exist) which surround the mobile. These cells are called Neighbor cells. For each cell the screen shows the power Rx received by the mobile (on the right of the screen) and the ARFCN (on the left of the screen). The cell to which the mobile is connected is indicated in green.

In mode <Serving cell>, with the cursor keys it is possible to see the complete list of the parameters of each Neighbor cell N, N = 1 ... 6.

GPRS: makes it possible to observe the parameters of GPRS networks (mode not used in this PW).

Infos & Settings

Mobile Information
- GPRS class: type of the GPRS class used by the mobile
- TMSI/Ciphering: indication of the TMSI used by the mobile and if the conversation is encrypted
- IMEI/Version: IMEI of the mobile and version of the software of the mobile

SIM information: information on the SIM card
- IMSI: subscriber identifier

Serial link speed: speed of the serial port of the mobile. This port is used to transfer data between the mobile and the network (in GSM or GPRS mode).

Forcing: this menu makes it possible to fix the value of some of the mobile parameters. It is not used in this PW.

2 Home work:

2.1 Determination of the frequency bands used by GSM

Using the information given in the introduction:
- Determine the number of channels (upstream and downstream) allowed in the GSM band.
- Determine, for channel 1, the frequency f_D1 of the downlink channel carrier, then the frequency f_U1 of the uplink channel carrier.
- Give the bandwidth of each channel (uplink and downlink).
- Calculate the total bandwidth of the uplink and the downlink.

2.2 Characteristic of the GSM time slot

- Calculate the length of the time slot and of T_GSM.
- What is the time with no information between each time slot?

3 Experiment:

3.1 Network parameters monitoring

Start the mobile and enter the PIN code. At the end of the network connection the mobile is set up in idle mode. In this mode the mobile supervises the broadcast channel (BCH) of the base stations which surround it. The mobile can supervise at the same time the BCH of the cell to which it is connected as well as the BCH of six adjacent cells. The initiation of a communication between the mobile and the network is made on the BCH.
In idle mode the mobile is connected to the network and awaits an incoming (or outgoing) call.

1. With the trace mobile find the network provider. With the help of the trace tool, find the LAI code and the operator code.

2. What is the frequency (ARFCN and frequency in MHz) of the cell to which the mobile is connected?
3. What is the power in dBm and in W received by the mobile from this cell? If the antenna of the mobile is supposed to be a resistor of 50 Ω, what is the rms voltage value at the HF amplifier input?
4. What is the lowest input power (in dBm and W) detected by the mobile for this cell? What is the rms amplitude corresponding to this power?
5. What is the total number of cells really listened to by the mobile?
6. What are the powers in dBm and the frequencies (ARFCN and frequencies) of these cells?
7. Find the values of IMEI, IMSI and TMSI. Which of these parameters are not fixed and can vary over time?
8. What is the period after which the mobile will be addressed by the network to check its presence (value of the timer T3212)?
9. Does the network have GPRS mode?

Put the mobile in mode Test tool / Trace / GSM / Network and observe the parameters of the <Serving cell>. Call the number 888 by pressing the green button. Once the call is made, a symbol appears at the top left of the screen in front of the inscription <Serving cell>. This is an indication that we are on a traffic channel (TCH), which allows observing the following parameters:

TCH xxxx: ARFCN of the traffic channel. If the symbol hop appears, it indicates that the frequency of the TCH changes continuously (frequency hopping mode). Pressing the key several times leads to a menu <Freq. Hopping> which indicates the frequencies used for the communication.

RQ: quality of the channel. The binary error rate TEB is:

0.1 * 2^RQ ≤ TEB ≤ 0.1 * 2^(RQ+1)   in %

CT: indicates the kind of channel used. The kind of channel depends on the kind of voice coder. The older models use coders with 13 kbit/s, indicated by the symbol TCHF. The recent models work with 5.6 kbit/s, TCHH.

RTL: parameter not used in this PW.

TS: indicates the time slot on which the communication is done.
TA: Timing advance indicates the approximate distance between the mobile and the BTS. This distance is roughly:

D ≈ 555 * (TA + 1)   in m

DTX: discontinuous transmission. In this case the mobile emits only if one really speaks in front of the microphone. This mode (if it is activated) makes it possible to increase battery life.

On the right side of the screen one can see the parameters of the BCH (ARFCN and Rx level of power in dBm).

PL: value of the maximum power P in dBm emitted by the mobile. The interpretation of this parameter depends on the frequency band:

900 MHz Band
PL       P (dBm)
0-2      39
3        37
4        35
5        33
6        31
7        29
...
19-31    5

1800 MHz Band
PL       P (dBm)
29       36
30       34
31       32
0        30
1        30
2        28
15-28    0

CI: identity of the cell.

During the communication the mobile goes on supervising the BCH as well as the cells which are around it. This is necessary if the mobile moves and has to change BTS.

Observe the parameters of the traffic channel (TCH).

1. What is the approximate distance between the mobile and the BTS?
2. Does the mobile use frequency hopping mode? If so, on which frequency (ARFCN) is the communication made?
3. Is the BCH frequency in the frequency list? If yes, how is the data transfer made on this same frequency?
4. On which time slot is the communication made?
5. Does the mobile use discontinuous transmission of the voice?
6. What is the quality of the received signal and the approximate bit error rate?
7. Does the voice encoder work with 13 kbit/s or 5.6 kbit/s?
8. What is the maximum power emitted by the mobile?

3.2 Observation of the frequencies f_U emitted by the mobile with the spectrum analyser

From the observations made previously we are going to visualize on a spectrum analyser the signal emitted by the mobile.

Switch on the spectrum analyser N9320B. Reinitialize it by pushing the green button Preset/System/Preset.

Connect an antenna to the spectrum analyser input. As the mobile is near the analyser and the emitted RF power is high (up to 2 W), the signal at the input of the analyser is high, and it is necessary to add an attenuator of 20 dB between the antenna and the spectrum analyser and also to use the internal attenuator of the instrument. Keep the mobile at a distance of at least 50 cm from the antenna of the analyser!

Firstly, preset the spectrum analyser by pushing the button SHIFT\PRESET.

Tune the frequency range from 880 MHz to 920 MHz (in this case we are able to observe all the frequencies f_U of the GSM band).
Frequency Button:
  Start Freq: 880 MHz
  Stop Freq: 920 MHz

The sensitivity of the analyser must be such that the spectral peak is entirely visible without saturation. For example:

Amplitude Button:
  Ref. Level: 0 dBm
  Attenuation / Man then 10 dB
  Scale/div: 10 dB/div
  Scale: off

Tune the frequency resolution to 300 kHz:

BW / Ag Button:
  Res BW / Man then 300 kHz

Check that the averaging of the spectra is switched OFF:

BW / Ag Button:
  Average: OFF (no average)

Call for example the number 888 (consultation of the Orange account) and stop the call quickly, before hearing the automatic responder. The phone is connected to the network using the BCH. During the phone emission, the spectrum analyser detects the emitted signal. Be careful not to saturate the analyser. If the amplitude of the signal is too high, increase the attenuation of the analyser by choosing 20 or 30 dB.

3.2.1 PC connection configuration

Check the connection between the PC and the USB cable. The PC must be detected by the spectrum analyser. If it is not the case, check on the spectrum analyser that it uses a USB transmission and not a LAN transmission (Preset / Menu 2 of 3 / IO Configure > USB).

Launch the software that controls the equipment (Démarrer / RT-Telecom / Agilent N9320B PC Software):

Instruments / Connect, select instrument USB :.. then OK

If an error message appears, you need to change some options on the PC (Démarrer / Paramètres / Paramètres de configuration / Options régionales et linguistiques: replace Français with Anglais (Etats-Unis)).

Now you have access to the spectrum analyser screen (to copy the screen and to control the spectrum analyser). To copy the screen: File / Copy Image / Black and White

3.2.2 Analysed signals

You can control the spectrum analyser directly or from the PC with the previous connection. In the first case, you need to cancel the remote state (disconnect the software used on the PC and push the green button Preset/System to switch off the red REMOTE LED).
Broadcast Control Channel BCCH

To visualize the f_U frequency of the BCCH, mark the frequency previously observed on the trace mobile (Menu / Test tool / Trace / GSM / Network) with a marker on the spectrum analyser (Marker / Normal / xxxx MHz).

Call the number 888 (Orange account consultation) and stop the transmission quickly after the call starts, before the activation of the answerphone. The phone is connected to the mobile network using the BCCH. But when the connection is activated, the TCH mode is activated and the frequency used often changes. The signal is fast and it is difficult to keep it on the screen. To help you, you can keep on the screen all the frequencies used (BCCH and TCH) with View/Trace / Max Hold, then stop the measurement with View (still in the menu View/Trace).

Copy into your report the spectrum with the single signal corresponding to the frequency f_U. Mark it with a marker. Give the frequency value and deduce its corresponding ARFCN.

Traffic Channels TCH

After the link connection, the mobile network uses a frequency (which can be different from the BCCH frequency) for the communication. It is the Traffic Channel frequency (TCH). Depending on the network used, it can activate the «Frequency Hopping» mode. In this case, the TCH frequency changes during the communication. On the spectrum analyser screen, a peak signal is observed moving along a specific frequency band.

Is the «Frequency Hopping» mode activated during the communication? Copy the measured spectrum into your report. Mark with two cursors the frequency band used and deduce the corresponding minimum and maximum ARFCN.

3.3 Observation of the frequencies f_D issued from the BTS with the spectrum analyser

Connect the GSM antenna directly to the input of the analyser. Do not use an attenuator.

3.3.1 Base station search

We are going to search for base stations in the GSM band 935-960 MHz. Set up the spectrum analyser as follows:

Button Frequency:
  Start Freq: 935 MHz
  Stop Freq: 960 MHz

Suppress all the attenuations:

Button Amplitude:
  Ref. Level: -60 dBm
  Attenuation / Man then 0 dB
  Scale/div: 5 dB/div
  Scale: off

Increase the spectrum analyser resolution:

Button BW/Ag:
  Res BW / Man then 10 kHz

On the screen, the spectra of the base stations (BTS) must appear with an amplitude of about -90 dBm. Press the button Marker to use the cursor and measure the center frequency of the base stations with maximum power.
Copy the spectrum into your report (you can use the mode trace). Use a marker to note the carrier associated with the maximum power. Give the value of this frequency and deduce its ARFCN. How many BTS are received in the T16 room?

3.3.2 Base station spectrum observation

The best reception is obtained on the BTS with the frequency 954.6 MHz. But sometimes, other stations can be better detected. Try to choose the best one:

Measure the center frequency. What is the frequency f_D in the GSM band? What is the ARFCN value?

Set up the spectrum analyser as follows:

Button Frequency:
  Center Freq: f_D in MHz

Reduce the span close to the carrier frequency:

Button SPAN: 500 kHz

Keep the same sensitivity:

Button Amplitude:
  Ref. Level: -50 dBm (-60 dBm if necessary)
  Attenuation / Man then 0 dB
  Scale/div: 5 dB/div
  Scale: off

Increase the spectrum analyser resolution again:

Button BW/Ag:
  Res BW / Man then 1 kHz

Try to obtain the next trace centered on f_D and mark the bandwidth of the BTS emission. There are two different ways to obtain that:

1- using an average to reduce the noise and to smooth the trace:
   Button BW/Ag: Average / on then 10 ENTER (average made with 10 spectra)
2- without average but with the mode trace:
   Button View/Trace / Max-Hold, then View to stop adding traces

On the screen, in the two cases, the spectrum of the BTS must appear with an amplitude around -90 dBm. With the parameters chosen, the spectrum begins to be stable after 20 s.

Acquire the spectrum with a marker and DELTA to measure the bandwidth. Measure it.

Set a marker on the maximum amplitude and measure the received power at f_D.

Set a marker outside the bandwidth and measure the noise level. What is the signal to noise ratio in dB?

Set the cursor at f_D + 60 kHz. A peak must be observed due to the FCB (Frequency Correction Burst) transmission. The mobile can detect the BTS thanks to this frequency. Copy the spectrum with the FCB into your report.

3.4 Time slots observation with the help of the oscilloscope

To observe the pulsed transmission used in GSM, an external antenna connected to an envelope detector is used (Fig. 5). During the mobile communication, a time slot is used and the signal is modulated by a GMSK (Gaussian minimum shift keying) modulation with the chosen carrier f_U. The antenna receives the emitted signal and the receiver extracts the signal envelope, which can be observed on the oscilloscope.

Connect the reception box to the input of the oscilloscope. Call the number 888. Observe the signal on the oscilloscope screen.

Copy the signal obtained on the oscilloscope into your report. Measure the time of the slot and the time of the TDMA frame. Compare them with the theoretical values.

3.5 BTS change observation with the trace mobile

Using the idle mode of the mobile and observing the menu <Serving cell>, move outside the room and observe the BCH change and the parameters displayed on the screen. Observe in particular the change in the power received by the mobile from the different BTS. When the BTS changes, try to measure the distance between the BTS and the mobile by observing the parameter Timing Advance (TA).

Notice on mobile SAGEM OT260

This portable telephone can trace the messages exchanged with the network. It has an additional menu Traces storage which makes it possible to record these messages. These options are not used in this PW.

Glossary:

ARFCN - Absolute Radio Frequency Channel Number: number of the channel on which the radio connection is carried out
BCH - Broadcast Channel
BCCH - Broadcast Control Channel: control information channel which is transported by the BCH. BCCH is a logical channel. BCH is a physical channel.
BTS - Base Transceiver Station
BSIC - Base Station Identity Code: code of each base station
DTX - Discontinuous Transmission
Down link - downlink, BTS to MS
FDMA - Frequency Division Multiple Access
GPRS - General Packet Radio Services
IMEI - International Mobile Equipment Identifier
IMSI - International Mobile Subscriber Identity: identity of the subscriber who is on the SIM
LAI - Location Area Identification
MS - Mobile Station
PL - Maximum power that the mobile can emit on a cell
PIN - Personal Identification Number: password to activate the portable telephone
QOS - Quality of Services
Rx - Receive
RQ - Receive Quality: indicator of the quality of the connection (0: maximum quality)
SIM - Subscriber Identity Module
TDMA - Time Division Multiple Access
TCH - Traffic Channel: channel of traffic on which the communication is carried out
TMSI - Temporary Mobile Subscriber Identity
TS - Time slot
TA - Timing Advance
Up link - uplink, MS to BTS

Note: GSM and UMTS are public systems.
All the documents relating to these systems are accessible on: www.etsi.org and www.3gpp.org
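
Added worked example (not part of the original handout): a small Python helper that applies the handout's own formulas to a trace-mobile readout and to spectrum-analyser marker readings, covering the ARFCN/frequency mapping of section 1.1 in both directions, the dBm to W and rms voltage conversion asked for in section 3.1, and the TA and RQ formulas. The function names and the sample readout are constructed for illustration.

```python
import math

# Band table built from the formulas of section 1.1:
#   f_D = base + 0.2 * (ARFCN - offset),  f_U = f_D - gap   (all in MHz)
# The EGSM range stops at 1023 here (the handout prints 1024) because an
# ARFCN is a 10-bit number; 935.0 MHz itself is ARFCN 0 in the standard.
BANDS = [
    # name,     first, last, base,   offset, gap
    ("GSM",     1,     124,  935.0,  0,      45.0),
    ("EGSM",    975,   1023, 935.0,  1024,   45.0),
    ("DCS1800", 512,   885,  1805.2, 512,    95.0),
]


def arfcn_to_freqs(arfcn):
    """Return (band, f_D, f_U) in MHz for an ARFCN shown by the trace mobile."""
    for name, first, last, base, offset, gap in BANDS:
        if first <= arfcn <= last:
            f_d = round(base + 0.2 * (arfcn - offset), 1)
            return name, f_d, round(f_d - gap, 1)
    raise ValueError(f"ARFCN {arfcn} is outside the bands of section 1.1")


def freq_to_arfcn(freq_mhz, uplink=False):
    """Return (band, ARFCN) of the 200 kHz channel nearest to a marker reading."""
    for name, first, last, base, offset, gap in BANDS:
        f_d = freq_mhz + gap if uplink else freq_mhz
        arfcn = round((f_d - base) / 0.2) + offset
        if first <= arfcn <= last:
            return name, arfcn
    raise ValueError(f"{freq_mhz} MHz matches no channel of section 1.1")


def dbm_to_watt(p_dbm):
    """Convert a power level in dBm to watts."""
    return 10 ** (p_dbm / 10) / 1000


def rms_voltage(p_dbm, r_ohm=50.0):
    """RMS voltage across the antenna modelled as a resistor: U = sqrt(P * R)."""
    return math.sqrt(dbm_to_watt(p_dbm) * r_ohm)


def ta_to_distance_m(ta):
    """Approximate MS-BTS distance, D ~ 555 * (TA + 1) metres."""
    if not 0 <= ta <= 63:
        raise ValueError("TA is a 6-bit value (0 to 63)")
    return 555 * (ta + 1)


def rq_to_ber_percent(rq):
    """Bit error rate bounds in % for RQ: 0.1 * 2^RQ to 0.1 * 2^(RQ+1)."""
    if not 0 <= rq <= 7:
        raise ValueError("RQ ranges from 0 (best quality) to 7")
    return 0.1 * 2 ** rq, 0.1 * 2 ** (rq + 1)


# Constructed readout taken during a call (not a real measurement).
SAMPLE = {"bcch": 98, "rx_dbm": -72, "ta": 3, "rq": 2}


def interpret(readout):
    """Turn the raw values read on the phone into physical quantities."""
    band, f_d, f_u = arfcn_to_freqs(readout["bcch"])
    return {
        "band": band,
        "f_d_mhz": f_d,
        "f_u_mhz": f_u,
        "rx_watt": dbm_to_watt(readout["rx_dbm"]),
        "rx_vrms": rms_voltage(readout["rx_dbm"]),
        "distance_m": ta_to_distance_m(readout["ta"]),
        "ber_percent": rq_to_ber_percent(readout["rq"]),
    }


if __name__ == "__main__":
    for key, value in interpret(SAMPLE).items():
        print(f"{key:12} {value}")
    # Marker placed on an uplink peak in the 880-920 MHz span of section 3.2
    print(freq_to_arfcn(902.4, uplink=True))
```

freq_to_arfcn rounds to the nearest 200 kHz channel, so a marker that sits slightly off the carrier still yields the right ARFCN.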
