Cellular standards: GSM.

The development of a new pan-European standard for digital cellular communications began in 1985. For this purpose a special group was created, the Groupe Special Mobile, whose abbreviation, GSM, gave the new standard its name. Later, thanks to its widespread use, GSM came to be read as Global System for Mobile Communications. By now GSM has developed into a global second-generation standard that leads the world both in coverage and in number of subscribers.

The GSM standard provides for transmitter operation in two frequency bands. The 890-915 MHz band is used for transmission from the mobile station to the base station, and the 935-960 MHz band for transmission from the base station to the subscriber. The spacing between adjacent channels is 200 kHz, so 124 channels fit in the band allocated for reception and transmission. The standard uses Time Division Multiple Access (TDMA) to place eight voice channels simultaneously on a single carrier. The speech codec uses regular pulse excitation at a rate of 13 kbit/s. Block and convolutional coding with interleaving protect against errors in the radio channel. At low mobile-station speeds the effectiveness of coding and interleaving is improved by slow frequency hopping during a call (at a rate of 217 hops per minute).

As for services, from the very beginning the developers of the standard sought to make GSM compatible with ISDN (Integrated Services Digital Network) in the set of services offered. In addition to ordinary telephony, the GSM user is provided with a variety of data transmission services. GSM subscribers can exchange information with subscribers of ISDN, conventional telephone networks, packet-switched networks and circuit-switched networks using different access methods and protocols such as X.25. Fax messages can be sent using a suitable fax adapter. A GSM capability unavailable in older analog systems is the bidirectional transmission of short messages (SMS, Short Message Service) of up to 160 bytes, delivered in store-and-forward mode.

Going digital made it possible to implement additional features not available in previous-generation analog standards. This mainly concerns the sound quality of the interlocutor's voice (transmission quality and speech coding), subscriber authentication and automatic roaming. In addition, there is:

  • use of SIM cards to provide access to the channel and to communication services;
  • encryption of transmitted messages;
  • a radio interface protected against eavesdropping;
  • subscriber authentication and identification of subscriber equipment using cryptographic algorithms;
  • short message services transmitted over signaling channels;
  • automatic roaming of subscribers between different GSM networks, nationally and internationally;
  • Internet roaming of GSM subscribers with subscribers of DCS1800, PCS1900 and DECT networks, as well as with the Globalstar satellite personal radio communication system.

Today the GSM standard is still actively developing, and the user can now be offered high-speed packet data (GPRS) and Internet access.

TDMA / IS-136 (D-AMPS)

The TDMA/IS-136 specification was defined in the United States in 1998 by the Telecommunications Industry Association (TIA) in order to digitize AMPS (Advanced Mobile Phone Service). For compatibility with AMPS, TDMA/IS-136 uses a 30 kHz carrier bandwidth with three slots. Unlike frequency-division systems, all TDMA subscribers operate in the same frequency range, but each is restricted in time: a subscriber is allocated a time period (slot) during which it is allowed to "broadcast", and when it finishes, permission passes to the next subscriber, and so on.

Today IS-136 can by no means be considered a dead-end branch of cellular development (how this standard will fare in our country is another question). As in GSM, it provides successive steps for the transition to a third-generation system: GPRS, EDGE, etc.

PDC

As in many other cases, Japan took its own path. The Land of the Rising Sun uses the PDC (Personal Digital Cellular) standard, based on a three-slot TDMA solution with a carrier width of 25 kHz.

Although PDC networks exist only in Japan, this standard (as of the end of 1999) confidently ranks second after GSM among digital standards by number of subscribers. This is not surprising: in early 2000 the number of Japanese cellular subscribers exceeded the number of fixed-line telephony subscribers. Incidentally, it is in Japan that test sites for third-generation networks are already operating; despite the rapid pace of cellular development everywhere, the Japanese are more than a year ahead of everyone else.

CDMA / IS-95

CDMA (Code Division Multiple Access), or cdmaOne, is an all-digital standard using 824-849 MHz for reception and 874-899 MHz for transmission. In fact, the "new" standard was developed back in the 1930s, and for decades it was used exclusively in military communication systems, both in the former USSR and in the United States. The military did not take an interest in it for nothing: it has many properties useful for such systems, chief among them secrecy of communication. The principle of CDMA operation is to "smear" the spectrum of the original information signal by modulating it with a noise-like signal that occupies a much wider frequency range than the original. The shape of this noise-like signal is a unique code for each subscriber, which allows that subscriber to be picked out in the CDMA receiver. At the CDMA base station the composite signal received from many users is modulated again with the same noise-like signal, thereby restoring the original signal.

There are numerous advantages to this seemingly simple scheme. First, all subscribers of a CDMA system operate in the same frequency band (1.25 MHz wide) without interfering with each other, since the number of available noise-like signals is several billion.

Second, high noise immunity, against both passive and active interference. Because the broadband signal "swallows" narrowband interference without changing its shape, it provides high-quality voice and data transmission (comparable to good wire lines). This also allows operation with much lower transmitted power, so CDMA networks are more environmentally friendly. Lower operating power also lets subscriber devices run longer between battery charges.
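The spreading, shared-band and despreading steps described in the two paragraphs above, as an added example that is not part of the original text. Length-8 Walsh codes (mutually orthogonal, so the arithmetic can be checked by hand) stand in for the long pseudo-noise sequences real cdmaOne uses, and a constant offset stands in for narrowband interference; the sample bits, the function names and the `demo` helper are this example's own constructions.

```python
# Toy direct-sequence CDMA: spreading, a shared channel, and despreading.
# Added example, not from the page. Length-8 Walsh codes stand in for the
# long pseudo-noise sequences real cdmaOne uses, so every step can be checked
# by hand; a constant offset stands in for narrowband interference.
from typing import List


def walsh_codes(order: int) -> List[List[int]]:
    """Rows of the 2**order Hadamard matrix, entries +1/-1, mutually orthogonal."""
    h = [[1]]
    for _ in range(order):
        h = [row + row for row in h] + [row + [-x for x in row] for row in h]
    return h


def spread(bits: List[int], code: List[int]) -> List[int]:
    """Map each bit to a symbol (+1 for 1, -1 for 0) and multiply it chip by chip
    with the user's code: one bit becomes len(code) chips, which is the spectrum
    'smearing' the text describes."""
    chips = []
    for bit in bits:
        symbol = 1 if bit else -1
        chips.extend(symbol * c for c in code)
    return chips


def shared_channel(streams: List[List[int]], interference: int = 0) -> List[int]:
    """All users transmit in the same band at the same time: the channel is the
    chip-wise sum of their streams plus whatever interference is present."""
    length = len(streams[0])
    return [sum(s[i] for s in streams) + interference for i in range(length)]


def correlate(samples: List[int], code: List[int]) -> List[int]:
    """Per-bit correlation of the received chips with one code. A matching code
    gives +/-len(code); orthogonal codes and a constant offset contribute 0."""
    n = len(code)
    return [sum(s * c for s, c in zip(samples[i:i + n], code))
            for i in range(0, len(samples), n)]


def despread(samples: List[int], code: List[int]) -> List[int]:
    """Recover the bits by taking the sign of each correlation value."""
    return [1 if corr > 0 else 0 for corr in correlate(samples, code)]


def demo() -> dict:
    """Two users share the band; a third party with the wrong code sees nothing."""
    codes = walsh_codes(3)                                  # eight codes of length 8
    code_a, code_b, code_x = codes[1], codes[2], codes[3]   # row 0 is all +1, avoided
    bits_a = [1, 0, 1, 1]                                   # constructed sample data
    bits_b = [0, 0, 1, 0]
    rx = shared_channel([spread(bits_a, code_a), spread(bits_b, code_b)], interference=3)
    return {
        "user_a": despread(rx, code_a),
        "user_b": despread(rx, code_b),
        "wrong_code": correlate(rx, code_x),   # all zeros: nothing to recover
    }


if __name__ == "__main__":
    print(demo())
```

Because every Walsh row except row 0 sums to zero, the constant interference term drops out of every correlation, which is the toy version of the "swallows narrowband interference" property; with real pseudo-noise codes the cross-correlations are small rather than exactly zero, so the separation is statistical rather than perfect.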

As for global trends in the development of this standard, they are extensive. The main one: the radiotelephone systems of the next, third, generation will use various variants of CDMA technology with an even wider carrier channel.

Introduction

Among modern mobile radio communication systems, cellular radiotelephone systems are developing most rapidly. Their introduction made it possible to use the allocated radio frequency band economically by transmitting messages on the same frequencies, and to increase the throughput of telecommunication networks. These systems are built on the cellular principle of dividing the service area by frequency and are designed to provide radio communication for a large number of subscribers with access to the PSTN.

The use of modern information technologies makes it possible to provide subscribers of such networks with high-quality voice, reliable and confidential communication, protection against unauthorized network access and a very wide range of other services. Currently, both analog (NMT-450, NMT-900, AMPS, etc.) and digital standards (GSM-900, GSM-1800, GSM-1900, D-AMPS, etc.) are in use for radio communication with mobile objects. The most successful development is in the mobile technologies associated with the GSM standard. Compared with other digital cellular standards, GSM provides the best energy and quality characteristics and the highest security and confidentiality of communication. The GSM standard also provides a number of communication services not implemented in other cellular standards.

The purpose of this diploma project is to design a fragment of a cellular communication system of the DCS-1800 standard for the Astelit operator and to assess the electromagnetic compatibility of this system.


1.1 Description and main characteristics of the GSM standard

The use in Western Europe of a number of mutually incompatible analog cellular standards with significant drawbacks compared to digital standards led to the need for a unified pan-European digital cellular standard, GSM-900. It provides high quality and confidentiality of communication and offers subscribers a wide range of services, including automatic roaming. As of July 1999, GSM-900 subscribers accounted for around 43% of the world total and more than 85% in Western Europe.

The GSM standard is also known under the names DCS (Digital Cellular System) and PCN (Personal Communications Network); a modification of GSM-900 for the 1800 MHz band is the GSM-1800 standard. GSM includes the most complete set of services compared with other standards.

GSM cellular networks are designed from the outset as large-capacity networks for the mass consumer, providing a wide range of services to subscribers both inside buildings and outdoors, including while travelling by car.

The GSM standard uses TDMA, which makes it possible to place 8 voice channels simultaneously on one carrier frequency. The RPE-LTP speech codec with regular pulse excitation and a speech conversion rate of 13 kbps is used as the speech-transforming device.

To protect against errors in the radio channel, block and convolutional coding with interleaving is used. At low MS speeds the effectiveness of coding and interleaving is improved by slow frequency hopping during a communication session at a rate of 217 hops per second.

To combat fading of received signals caused by multipath propagation in urban conditions, the equipment uses equalizers that can equalize pulse signals with a delay-time standard deviation of up to 16 μs. The synchronization system is designed to compensate for absolute signal delays of up to 233 μs, which corresponds to a maximum communication range of 35 km (the maximum cell radius).

GMSK is used to modulate the radio signal. Speech processing in this standard is carried out within the DTX (Discontinuous Transmission) system.

The GSM standard achieves a high degree of security for message transmission; the messages are encrypted using the public key encryption algorithm (RSA).

In general, a GSM communication system is designed for use in various fields. It provides users with a wide range of services and the ability to use a variety of equipment for voice and data transmission, call and alarm signals, and connection to public switched telephone networks (PSTN), public data networks (PDN) and integrated services digital networks (ISDN).

Below are the main characteristics of the GSM standard:

  • MS transmit / BTS receive frequency, MHz: 890-915;
  • MS receive / BTS transmit frequency, MHz: 935-960;
  • Duplex spacing of receive and transmit frequencies, MHz: 45;
  • Message transmission rate in the radio channel, kbit/s: 270.833;
  • Speech codec conversion rate, kbit/s: 13;
  • Communication channel bandwidth, kHz: 200;
  • Maximum number of communication channels: 124;
  • Modulation type: GMSK;
  • Modulation index: BT = 0.3;
  • Pre-modulation Gaussian filter bandwidth, kHz: 81.2;
  • Number of frequency hops per second: 217;
  • Maximum cell radius: up to 35 km;
  • Channel organization: combined TDMA/FDMA;
  • Required carrier-to-interference ratio: 9 dB.
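The parameters listed above can be turned into a small calculator that relates them to each other: channel count from band width and spacing, carrier frequency from channel number, burst and frame timing from the bit rate, and the 35 km cell radius from the 233 μs delay budget. This is an added example, not code from the original page or from any GSM project. The 200 kHz spacing, 45 MHz duplex spacing, 270.833 kbit/s rate, 8 slots and 233 μs figure come from the list above; the ARFCN numbering, the 95 MHz DCS-1800 duplex spacing and the 156.25-bit burst period are standard values (3GPP TS 45.005 / 45.002) that the page does not itself state, and all function and constant names are this example's own.

```python
# GSM-900 / E-GSM / DCS-1800 channel and timing calculator.
# Added example, not from the page. Numeric inputs are the parameters listed
# above (200 kHz spacing, 45 MHz duplex spacing, 270.833 kbit/s, 8 slots per
# frame, 233 us maximum compensated delay). The ARFCN numbering, the 95 MHz
# DCS-1800 duplex spacing and the 156.25-bit burst period are standard values
# (3GPP TS 45.005 / 45.002) that the page itself does not state.

CHANNEL_SPACING_MHZ = 0.2
BIT_RATE_KBPS = 270.833
SLOTS_PER_FRAME = 8
BITS_PER_SLOT = 156.25          # burst period in bit times (TS 45.002)
MAX_DELAY_US = 233.0            # absolute delay the sync system compensates
C_KM_PER_US = 0.299792458       # speed of light in km per microsecond


def channel_count(band_lo_mhz: float, band_hi_mhz: float) -> int:
    """Usable carriers in a band: one 200 kHz raster step is lost to guard
    space, so 890-915 MHz yields the 124 channels quoted above."""
    return round((band_hi_mhz - band_lo_mhz) / CHANNEL_SPACING_MHZ) - 1


def arfcn_to_uplink_mhz(arfcn: int) -> float:
    """Centre frequency of the MS->BTS carrier for an absolute RF channel number."""
    if 1 <= arfcn <= 124:                 # primary GSM-900
        return 890.0 + CHANNEL_SPACING_MHZ * arfcn
    if 975 <= arfcn <= 1023:              # E-GSM extension (880-890 MHz)
        return 890.0 + CHANNEL_SPACING_MHZ * (arfcn - 1024)
    if 512 <= arfcn <= 885:               # DCS-1800
        return 1710.2 + CHANNEL_SPACING_MHZ * (arfcn - 512)
    raise ValueError(f"ARFCN {arfcn} is outside GSM-900/E-GSM/DCS-1800")


def arfcn_to_downlink_mhz(arfcn: int) -> float:
    """BTS->MS carrier: uplink plus the duplex spacing (45 MHz at 900, 95 at 1800)."""
    duplex = 95.0 if 512 <= arfcn <= 885 else 45.0
    return arfcn_to_uplink_mhz(arfcn) + duplex


def uplink_mhz_to_arfcn(f_mhz: float) -> int:
    """Inverse mapping, e.g. for a carrier an SDR reports; raises if off-raster."""
    candidates = (
        round((f_mhz - 890.0) / CHANNEL_SPACING_MHZ),           # primary GSM-900
        round((f_mhz - 890.0) / CHANNEL_SPACING_MHZ) + 1024,    # E-GSM
        round((f_mhz - 1710.2) / CHANNEL_SPACING_MHZ) + 512,    # DCS-1800
    )
    for n in candidates:
        try:
            if abs(arfcn_to_uplink_mhz(n) - f_mhz) < 1e-6:
                return n
        except ValueError:
            continue
    raise ValueError(f"{f_mhz} MHz is not a GSM-900/E-GSM/DCS-1800 uplink carrier")


def slot_duration_us() -> float:
    """One TDMA burst period: 156.25 bits at 270.833 kbit/s (about 577 us)."""
    return BITS_PER_SLOT / BIT_RATE_KBPS * 1000.0


def frame_duration_us() -> float:
    """Eight slots per TDMA frame (about 4.615 ms)."""
    return SLOTS_PER_FRAME * slot_duration_us()


def max_cell_radius_km(max_delay_us: float = MAX_DELAY_US) -> float:
    """The compensated delay covers the round trip, so one-way range is half."""
    return max_delay_us * C_KM_PER_US / 2.0


if __name__ == "__main__":
    print("channels in 890-915 MHz:", channel_count(890.0, 915.0))
    print("ARFCN 62 uplink/downlink MHz:", arfcn_to_uplink_mhz(62), arfcn_to_downlink_mhz(62))
    print("slot / frame (us):", round(slot_duration_us(), 2), round(frame_duration_us(), 2))
    print("max cell radius (km):", round(max_cell_radius_km(), 1))
```

Running the script reproduces the figures in the list: 124 channels, a 4.615 ms frame made of eight 577 μs bursts, and a 34.9 km one-way range from the 233 μs delay budget, which is the 35 km cell radius quoted above.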

GSM network equipment includes mobile (radiotelephones) and base stations, digital switches, control and maintenance center, various additional systems and devices. Functional interfacing of system elements is carried out using a number of interfaces. The block diagram (Figure 1.1) shows the functional structure and interfaces adopted in the GSM standard.

Figure 1.1 - Block diagram of a GSM network


An MS consists of equipment that gives GSM subscribers access to existing communication networks. Within the GSM standard five MS classes are defined: from the class 1 model with an output power of up to 20 W, installed on vehicles, to the class 5 model with a maximum output power of up to 0.8 W (table 1.1). During transmission, adaptive control of transmitter power is provided to ensure the required communication quality. MS and BTS are independent of each other.

Table 1.1 - Classification of GSM mobile stations

Each MS has its own international identification number, the IMSI (International Mobile Subscriber Identity), stored in its memory. Each MS is also assigned a second number, the IMEI, which is used to deny GSM network access to a stolen station or a station without such authority.

The BSS equipment consists of the base station controller (BSC) and the transceiver base stations (BTS) themselves. One controller can control several stations. It performs the following functions: radio channel allocation; connection control and sequencing; frequency-hopping operation; modulation and demodulation of signals; coding and decoding of messages; speech coding; rate adaptation for speech, data and call signals; and control of the sequence of paging message transmission.

The TCE transcoder converts the MSC's voice and data channel output (64 kbps) to the form required by the GSM radio interface recommendations (13 kbps). The transcoder is usually co-located with the MSC.

The switching subsystem (SSS) consists of the mobile switching centre (MSC), the home location register (HLR), the visitor location register (VLR), the authentication centre (AUC) and the equipment identity register (EIR).

The MSC serves a group of cells and provides all kinds of MS connections. It is the interface between the mobile network and fixed networks such as PSTN, PDN and ISDN, and provides call routing and call control. In addition, the MSC performs radio channel switching functions, which include handover, ensuring continuity of communication when the MS moves from cell to cell, and switching of working channels within a cell when interference or malfunctions occur. Each MSC serves the subscribers located within a specific geographic area and manages call setup and routing procedures. Towards the PSTN it provides SS7 signaling functions, call transfer and other kinds of interfaces. The MSC also generates call charging data, compiles statistics and maintains the security procedures applied when accessing a radio channel.

The MSC also manages location registration and handover procedures in the base station subsystem. Handover between cells controlled by one BSC is performed by that BSC; if the call is transferred between two networks controlled by different BSCs, primary control is carried out in the MSC. The GSM standard also provides for handover between controllers (networks) belonging to different MSCs.

The MSC continuously tracks the MS using two registers: the HLR (home location register) and the VLR (visitor location register).

The HLR stores the part of an MS's location information that allows the MSC to deliver a call. This register contains the mobile subscriber's IMSI, which is used to identify the MS in the Authentication Centre (AUC), as well as the data necessary for normal operation of the GSM network.

Newcomers do not understand the games that standards developers play. It would seem that GSM uses the 850, 900, 1800 and 1900 MHz frequencies; what more is there to say? The quick answer: read the frequency section of your phone manual. Below we show why the commonly accepted interpretation is inaccurate. The problem comes down to the following:

  1. The second generation (2G) of cellular communications spawned a slew of standards. The world has three epicentres that set the rhythm: Europe, North America and Japan. Russia adopted the standards of the first two, with modifications.
  2. The family tree of standards is constantly expanding.
  3. International versions of the standards are meant to reconcile the disparate rules of individual countries. Direct adoption is often impossible, as governments change the legislation fixing their frequency plans.

The foregoing explains why beginners misunderstand the problem. To restore clarity, let us build a simplified hierarchy of standards, noting the frequencies used along the way.

Genealogy of standards

The following is meant to explain to the layman the structure of existing and extinct standards. The technologies used in Russia are described below in the following sections. The representatives of the tree that took root in the Russian forest are marked in bold.

1G

  1. AMPS family: AMPS, NAMPS, TACS, ETACS.
  2. Others: NMT, C-450, DataTAC, Hicap, Mobitex.

2G: 1992

  1. GSM / 3GPP family: GSM, HSCSD, CSD.
  2. 3GPP2 family: cdmaOne.
  3. AMPS family: D-AMPS.
  4. Others: iDEN, PHS, PDC, CDPD.

2G +

  1. 3GPP / GSM family: GPRS, EDGE.
  2. 3GPP2 family: CDMA2000 1x including Advanced.
  3. Others: WiDEN, DECT.

3G: 2003

  1. 3GPP family: UMTS.
  2. 3GPP2 family: CDMA2000 1xEV-DO Rev. 0.

3G +

  1. 3GPP family: LTE, HSPA, HSPA +.
  2. 3GPP2 family: CDMA2000 1xEV-DO Rev. A, CDMA2000 1xEV-DO Rev. B, CDMA2000 1xEV-DO Rev. C.
  3. IEEE family: Mobile WiMAX, Flash OFDM.

4G: 2013

  1. 3GPP family: LTE-A, LTE-S Pro.
  2. IEEE family: WiMAX.

5G: 2020

  1. 5G-NR.

Short description

Genealogy lets you trace extinct species. For example, modern authors often use the abbreviation GSM in a way that misleads the reader. The technology is entirely confined to the second generation of cellular communications, an extinct species; its former frequencies, with additions, continue to be used by its descendants. On December 1, 2016, Telstra in Australia stopped using GSM, becoming the world's first operator to upgrade its equipment completely. 80% of the world's population continues to make do with the technology (according to the GSM Association). AT&T in the United States followed the Australian example on January 1, 2017. Optus then suspended the service, and in April 2017 Singapore recognized that 2G no longer met the growing needs of the population.

So the term GSM refers to aging equipment that has flooded the Russian Federation. The later protocols can be called descendants of GSM: the frequencies are preserved by the next generations, while the methods of information transfer change. The frequency-allocation aspects of equipment upgrades are discussed below, together with the information needed to establish each technology's relationship to GSM.

Phone manual

Helpful information on the question is found in the phone manual, whose corresponding section lists the supported frequencies. Some devices let you select the bands used. You should choose a phone model that receives the generally accepted Russian channels:

  1. 900 MHz - E-GSM. The uplink (ascending branch) is 880..915 MHz, the downlink (descending branch) is 925..960 MHz.
  2. 1800 MHz - DCS. Uplink 1710..1785 MHz, downlink 1805..1880 MHz.

LTE technology adds the 2600 MHz region, and an 800 MHz channel is introduced.

History of RF communication: frequencies

In 1983 the development of a European standard for digital communications began. As a reminder, the first generation (1G) used analog transmission, so the engineers developed the standard ahead of time, anticipating how the technology would evolve. Digital communication was born in the Second World War, more precisely in the Green Hornet encrypted transmission system. The military understood perfectly well that the era of digital technology was coming, and civilian industry caught the wind.

900 MHz

The European organization CEPT established the GSM committee (Groupe Special Mobile). The European Commission proposed the use of the 900 MHz spectrum. The developers were based in Paris. Five years later (1987), 13 EU countries submitted a memorandum in Copenhagen on the need to create a unified cellular network, and the community decided to request GSM's assistance. The first data sheet came out in February. The politicians of four countries (May 1987) supported the project with the Bonn Declaration. The next short period (38 weeks) was filled with general bustle, overseen by four appointed persons:

  1. Armin Silberhorn (Germany).
  2. Philippe Dupoulis (France).
  3. Renzo Failli (Italy).
  4. Stephen Temple (UK).

In 1989 the GSM commission left the custody of CEPT and became part of ETSI. On July 1, 1991, the former Prime Minister of Finland, Harri Holkeri, made the first call to a subscriber (Kaarina Suonio) using the services of the Radiolinja provider.

1800 MHz

In parallel with the introduction of 2G, work was under way on using the 1800 MHz region. The first network covered the UK (1993). At the same time the Australian operator Telecom moved in.

1900 MHz

The 1900 MHz frequency was introduced by the USA (1995). The GSM Association was established, and the global number of subscribers reached 10 million; a year later the figure had increased tenfold. The use of 1900 MHz prevented the introduction of the European version of UMTS.

800 MHz

The 800 MHz band appeared in 2002, in parallel with the introduction of the multimedia messaging service.

Attention, question!

What frequencies have become the Russian standard? The confusion is compounded by Runet authors' ignorance of the standards adopted by the official developers... The direct answer was given above (see the section Phone manual); the work of the organizations mentioned is described in the UMTS section.

Why are there so many frequencies

Examining the results of 2010, the GSM Association stated that 80% of the world's subscribers are covered by the standard. This means that four fifths of the networks could not settle on a single frequency, and there are also the 20% of foreign communication standards. Where does the root of the evil lie? The countries of the second half of the twentieth century developed in isolation; in the USSR the 900 MHz frequencies were occupied by military and civil air navigation.

GSM: 900 MHz

In parallel with Europe's development of the first GSM versions, NPO Astra, the Radio Research Institute and a Research Institute of the Ministry of Defense started research that ended with field tests. The verdict delivered:

  • The joint operation of navigation and the second generation of cellular communication is possible.
  1. NMT-450.

Note: again two standards, each using its own frequency grid. The announced GSM-900 distribution tender was won by NPO Astra, OJSC MGTS (now MTS), Russian companies and the Canadian BCETI.

NMT-450MHz - first generation

So, starting in 1992 Moscow used the 900 MHz band (see above), because the other GSM frequencies had not yet been born, and in addition NMT (Nordic Mobile Phones)... Initially the Nordic countries developed two options:

  1. NMT-450.
  2. NMT-900 (1986).

Why did the Russian government choose the first option? Probably it decided to try two ranges. Note that these standards describe analog communication (1G). Developing countries began shutting NMT down in December 2000; Iceland (Siminn) was the last to give it up (September 1, 2010). Experts point out an important advantage of the 450 MHz band: range, a significant plus as assessed by remote Iceland. The Russian government wanted to cover the country's area with a minimum of towers.

NMT is loved by fishermen. The freed-up spectrum was taken by digital CDMA 450. In 2015 the Scandinavian networks moved to 4G. The Russian Uralvestcom vacated the band on September 1, 2006, and Sibirtelecom on January 10, 2008. Skylink (a Tele2 subsidiary) holds the band in the Perm and Arkhangelsk regions; the license expires in 2021.

D-AMPS: UHF (400..890 MHz) - second generation

US 1G networks using the AMPS specification refused to accept GSM. Instead, two alternatives were developed for organizing second-generation mobile networks:

  1. IS-54 (March 1990, 824-849; 869-894 MHz).
  2. IS-136. Differs in a large number of channels.

The standard is now dead, replaced everywhere by the descendants of GSM/GPRS and by CDMA2000.

Why does a Russian need D-AMPS

The Russian man in the street often uses second-hand equipment. D-AMPS equipment reached the warehouses of Tele2 and Beeline. On November 17, 2007, the latter closed the shop for the Central Region. The Novosibirsk region license expired on December 31, 2009. The last swallow flew away on October 1, 2012 (Kaliningrad region). Kyrgyzstan used the range until March 31, 2015.

CDMA2000 - 2G +

Some protocol variants use:

  1. Uzbekistan - 450 MHz.
  2. Ukraine - 450; 800 MHz.

From December 2002 to October 2016 Skylink used the 1xRTT and EV-DO Rev. A specifications (450 MHz). The infrastructure has now been modernized and LTE introduced. On September 13, 2016, world portals spread the news that Tele2 was stopping its use of CDMA. The American MTS had begun introducing LTE a year earlier.

GPRS - second to third generation

The development of the CELLPAC protocol (1991-1993) was a turning point in cellular communications; 22 US patents were received. LTE and UMTS are considered descendants of the technology. Packet data transmission is designed to speed up information exchange. The project aimed to improve GSM networks (frequencies listed above). The service gave the user the following technologies:

  1. Access to the Internet.
  2. Obsolete "click to talk".
  3. Messenger.

The overlap of two technologies (SMS, GPRS) speeds up the process many times over. The specification supports the IP, PPP and X.25 protocols. Packets continue to arrive even during a call.

EDGE

The next step in the evolution of GSM was conceived by AT&T (USA). Compact-EDGE took the D-AMPS niche. The frequencies are listed above.

UMTS - full-fledged 3G

The first generation that required updating base station equipment. The frequency grid changed. The maximum line rate with HSPA+ is 42 Mbps; realistically achievable speeds far exceed GSM's 9.6 kbps. Starting in 2006, countries began to upgrade. Using orthogonal frequency multiplexing, the 3GPP committee set out to reach the 4G level. The early birds were released in 2002. Initially, the developer laid down the following frequencies:

  1. .2025 MHz. An upstream connected branch.
  2. .2200 MHz. Downlink connected branch.

Since the USA already used 1900 MHz, it chose the 1710..1755 and 2110..2155 MHz segments. Many countries followed America's example. The 2100 MHz frequency is too busy. Hence the numbers given at the beginning:

  • 850/1900 MHz. Moreover, two channels are selected within one range: either 850 or 1900.

Agreed, it is incorrect to lump this in with GSM, following a bad common example. The second generation used a single half-duplex channel; UMTS uses two at once (5 MHz wide).

Frequency grid UMTS Russia

The first attempt to distribute the spectrum took place from February 3 to March 3, 1992. The solution was adopted by the Geneva conference (1997). It was the S5.388 specification that fixed the ranges:

  • 1885-2025 MHz.
  • 2110-2200 MHz.

The decision required further clarification. The commission identified 32 ultra-channels, of which 11 constituted an unused reserve. Most of the others received qualifying names, since individual frequencies coincided. Russia rejected European practice and disdained the United States, adopting two UMTS-FDD bands:

  1. No. 8. 900 MHz - E-GSM. The uplink (ascending branch) is 880..915 MHz, the downlink (descending branch) is 925..960 MHz.
  2. No. 3. 1800 MHz - DCS. Uplink 1710..1785 MHz, downlink 1805..1880 MHz.

A phone's specifications should be checked against the information given. The Wikipedia table showing the frequency plan of planet Earth is completely useless here: it forgot to account for Russian specifics. Europe operates the nearby IMT channel #1. In addition there is a UMTS-TDD grid; the equipment of the two types of network is incompatible.

LTE - 3G +

An evolutionary continuation of the GSM-GPRS-UMTS line; it can also serve as a superstructure for CDMA2000 networks. Only a multi-band phone can support LTE. Experts place it squarely below the fourth generation, contrary to the claims of marketers: initially the ITU-R organization recognized the technology as qualifying, but later revised its position.

LTE is a registered trademark of ETSI. The key idea was the use of signal processors and innovative carrier modulation methods. IP addressing of subscribers was found expedient. The interface lost backward compatibility and the frequency spectrum changed again. The first network (2004) was launched by the Japanese company NTT DoCoMo. A demonstration version of the technology reached Moscow in the hot May of 2010.

Following the experience of UMTS, the developers implemented two air protocol options:

  1. LTE-TDD. Time division of channels. Widely supported by China, South Korea, Finland and Switzerland. Uses a single frequency channel (1850..3800 MHz). Partially overlaps with WiMAX, so an upgrade is possible.
  2. LTE-FDD. Frequency division of channels (separately downstream, upstream).

The frequency plans of the two technologies differ, but 90% of the core design is the same. Samsung and Qualcomm produce phones that handle both protocols. Occupied ranges:

  1. North America. 700, 750, 800, 850, 1900, 1700/2100, 2300, 2500, 2600 MHz.
  2. South America. 2500 MHz.
  3. Europe. 700, 800, 900, 1800, 2600 MHz.
  4. Asia. 800, 1800, 2600 MHz.
  5. Australia, New Zealand. 1800, 2300 MHz.

Russia

Russian operators have chosen LTE-FDD technology, they use frequencies:

  1. 800 MHz.
  2. 1800 MHz.
  3. 2600 MHz.

LTE-A - 4G

The frequencies remained the same (see LTE). Timeline of launches:

  1. On October 9, 2012, Yota acquired 11 base stations.
  2. Megafon on February 25, 2014 covered the Garden Ring of the capital.
  3. Beeline has been operating on LTE 800, 2600 MHz since August 5, 2014.

DownLink - the communication channel from the base station to the subscriber.
UpLink - the communication channel from the subscriber to the operator's base station.

4G / LTE standard Frequency 2500

This band has been deployed only recently, mainly in cities.


FDD (Frequency Division Duplex) - DownLink and UpLink operate in different frequency bands.
TDD (Time Division Duplex) - DownLink and UpLink share the same frequency band, alternating in time.

Yota: FDD DownLink 2620-2650 MHz, UpLink 2500-2530 MHz
Megafon: FDD DownLink 2650-2660 MHz, UpLink 2530-2540 MHz
Megafon: TDD 2575-2595 MHz - this band is allocated only in the Moscow region.
MTS: FDD DownLink 2660-2670 MHz, UpLink 2540-2550 MHz
MTS: TDD 2595-2615 MHz - this band is allocated only in the Moscow region.
Beeline: FDD DownLink 2670-2680 MHz, UpLink 2550-2560 MHz
Rostelecom: FDD DownLink 2680-2690 MHz, UpLink 2560-2570 MHz
After Megafon acquired Yota, Yota has effectively operated as part of the Megafon network.

4G / LTE standard Frequency 800

The network was launched commercially at the beginning of 2014, mainly outside cities, in rural areas.

DownLink / UpLink (MHz) - in this band the lower sub-band 791-821 MHz is the downlink and the upper sub-band 832-862 MHz is the uplink, with 41 MHz duplex spacing:

Rostelecom: 791-798.5 / 832-839.5
MTS: 798.5-806 / 839.5-847.5
Megafon: 806-813.5 / 847.5-854.5
Beeline: 813.5-821 / 854.5-862

3G / UMTS standard Frequency 2000

3G / UMTS2000 (the 1920-1980 / 2110-2170 MHz band) is the most widespread 3G standard in Europe, used mainly for data transmission.


UpLink / DownLink (MHz)

Skylink: 1920-1935 / 2110-2125 - these frequencies will most likely end up with Rostelecom; at the moment the network is not in use.
Megafon: 1935-1950 / 2125-2140
MTS: 1950-1965 / 2140-2155
Beeline: 1965-1980 / 2155-2170

2G / DCS standard Frequency 1800

DCS1800 is the same GSM, only in a different frequency band, used mainly in cities. There are regions, however, where the Tele2 operator works only at 1800 MHz.

UpLink 1710-1785 MHz and DownLink 1805-1880 MHz (95 MHz duplex spacing, ARFCN 512-885)

Showing the split between operators makes little sense here, since the frequency allocation differs from region to region.

2G / GSM standard Frequency 900

GSM900 is the most widespread communication standard in Russia today and belongs to the second generation.

GSM900 has 124 channels (ARFCN 1-124). In every region of the Russian Federation the GSM frequency blocks are allocated between operators individually. In addition there is E-GSM, an extension that adds 10 MHz below the basic (P-GSM) band (ARFCN 975-1023 and 0).

P-GSM: UpLink 890-915 MHz and DownLink 935-960 MHz

E-GSM extension: UpLink 880-890 MHz and DownLink 925-935 MHz

3G standard Frequency 900

Because of the shortage of channels in the 2000 MHz band, 900 MHz frequencies were also allocated for 3G (UMTS900). They are actively used in rural areas.

CDMA standard Frequency 450

CDMA450 - in central Russia this standard is used only by the SkyLink operator.

UpLink 453 - 457.5 MHz and DownLink 463 - 467.5 MHz.

As a result, a physical channel between receiver and transmitter is defined by the carrier frequency (ARFCN), the allocated frames and the timeslot numbers within them. A base station typically uses one or more ARFCNs, one of which (the beacon carrier) announces the presence of the BTS on the air. Timeslot 0 of the frames on this carrier is used as the base control channel (beacon channel). The operator allocates the remaining timeslots, and any further ARFCNs, to CCH and TCH channels at its discretion.
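
The ARFCN numbering mentioned above, as an added example (this is not code from the original article, nor from OsmocomBB or gr-gsm): the mapping between ARFCN and carrier frequency for the P-GSM, E-GSM and DCS1800 bands listed in the frequency tables, following 3GPP TS 45.005, plus the inverse lookup a practitioner needs when a scanner reports a beacon by frequency. The function and constant names are this example's own.

```python
# Added example, not code from the original article: ARFCN <-> carrier
# frequency for the GSM bands listed above, following 3GPP TS 45.005
# section 2.  Handy when tuning an RTL-SDR/gr-gsm receiver to a specific
# beacon carrier or labelling one found by a scanner.

def arfcn_to_freq(arfcn: int) -> tuple:
    """Return (band, uplink_MHz, downlink_MHz) for a GSM900/E-GSM/DCS1800 ARFCN."""
    if 1 <= arfcn <= 124:                          # P-GSM 900, 45 MHz duplex spacing
        ul = round(890.0 + 0.2 * arfcn, 1)
        return "GSM900", ul, round(ul + 45.0, 1)
    if arfcn == 0 or 975 <= arfcn <= 1023:         # E-GSM: the 10 MHz below P-GSM
        ul = round(890.0 + 0.2 * (arfcn - 1024 if arfcn else 0), 1)
        return "E-GSM", ul, round(ul + 45.0, 1)
    if 512 <= arfcn <= 885:                        # DCS 1800, 95 MHz duplex spacing
        ul = round(1710.2 + 0.2 * (arfcn - 512), 1)
        return "DCS1800", ul, round(ul + 95.0, 1)
    raise ValueError(f"ARFCN {arfcn} is outside GSM900/E-GSM/DCS1800")

ALL_ARFCNS = [0, *range(1, 125), *range(512, 886), *range(975, 1024)]

def freq_to_arfcn(freq_mhz: float, downlink: bool = True) -> int:
    """Inverse mapping: a carrier centre in MHz (downlink by default, since
    that is what a receiver hears from the BTS) -> its ARFCN.  The 0.05 MHz
    tolerance absorbs the rounding of a scanner's reported centre."""
    for n in ALL_ARFCNS:
        _, ul, dl = arfcn_to_freq(n)
        if abs((dl if downlink else ul) - freq_mhz) < 0.05:
            return n
    raise ValueError(f"{freq_mhz} MHz is not a GSM900/E-GSM/DCS1800 carrier centre")

def downlink_scan_plan(band: str) -> list:
    """Every downlink carrier centre of a band, e.g. to feed a BCCH scanner."""
    return [arfcn_to_freq(n)[2] for n in ALL_ARFCNS if arfcn_to_freq(n)[0] == band]
```

For example, a beacon reported at 935.2 MHz is ARFCN 1 in P-GSM, while 925.2 MHz maps to ARFCN 975 in the E-GSM extension; the two ranges do not overlap, which is why E-GSM channel numbers wrap around through 1023 to 0.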

2.3 Logical channels

Logical channels are built on top of physical channels. The Um interface carries both user information and signalling, and the GSM specification assigns each kind of information its own type of logical channel, implemented by means of the physical ones:

  • traffic channels (TCH - Traffic Channel),
  • service information channels (CCH - Control Channel).
Traffic channels come in two main kinds: TCH/F, the full-rate channel with a gross rate of up to 22.8 kbit/s, and TCH/H, the half-rate channel with up to 11.4 kbit/s. They carry either speech (TCH/FS, TCH/HS) or user data (TCH/F9.6, TCH/F4.8, TCH/H4.8, TCH/F2.4, TCH/H2.4), for example circuit-switched data and fax; SMS, by contrast, travels over the signalling channels described below.

Service information channels are divided into:

  • Broadcast channels (BCH - Broadcast Channels).
    • FCCH - Frequency Correction Channel. Provides the information the mobile phone needs to correct its frequency.
    • SCH - Synchronization Channel. Provides the mobile phone with the information needed for TDMA synchronization with the base station (BTS), as well as the BTS identity (BSIC).
    • BCCH - Broadcast Control Channel. Transmits basic information about the base station, such as how the control channels are organized, the number of blocks reserved for grant messages, and the number of multiframes (51 TDMA frames) between paging requests.
  • Common control channels (CCCH - Common Control Channels)
    • PCH - Paging Channel. Looking ahead: paging is a kind of ping of the mobile phone, which lets the network find out whether it is reachable in a given coverage area. This channel exists for exactly that.
    • RACH - Random Access Channel. Used by mobile phones to request allocation of an SDCCH. Uplink only.
    • AGCH - Access Grant Channel. On this channel the base station answers RACH requests, allocating an SDCCH or, immediately, a TCH.
  • Dedicated Control Channels (DCCH)
    Dedicated channels, like TCHs, are assigned to a specific mobile phone. There are several kinds:
    • SDCCH - Stand-alone Dedicated Control Channel. Used for authentication, ciphering negotiation, the location update procedure, call setup and the exchange of SMS messages.
    • SACCH - Slow Associated Control Channel. Used during a call, or while an SDCCH is in use. Over it the BTS periodically sends the phone timing advance and transmit power commands; in the opposite direction go the received signal strength (RSSI), TCH quality and the signal strength of neighbouring base stations (BTS measurements).
    • FACCH - Fast Associated Control Channel. Provided together with the TCH by stealing its bursts; used for urgent messages, for example during handover from one base station to another.

2.4 What is burst?

Data is sent over the air within timeslots as bit sequences most often called bursts. The term "burst", whose closest everyday sense is a splash or spurt, should be familiar to many radio amateurs; it most likely originated in graphical tools for analysing the radio spectrum, where any activity looks like waterfalls and splashes of water. You can read more about them in this great article (source of images); here we focus on the essentials. Schematically a burst looks like this:

Guard Period
To avoid interference (i.e. two bursts overlapping), a burst is always shorter than the timeslot by a fixed margin (0.577 - 0.546 = 0.031 ms) called the guard period. It is a time reserve that compensates for possible propagation delays.

Tail Bits
These markers define the start and end of the burst.

Info
Burst payload, i.e. subscriber data or signalling. It consists of two halves.

Stealing flags
One flag bit next to each half of the payload. A set flag means that half has been "stolen" from the TCH and carries FACCH signalling instead: both flags set means the whole burst was taken by the FACCH, one flag set means only that half was.

Training Sequence
A known bit pattern the receiver uses to estimate the physical characteristics of the channel between the phone and the base station and to equalize the received signal.

2.5 Types of burst

Each logical channel corresponds to certain types of burst:

Normal burst
Sequences of this type implement traffic channels (TCH) between the network and subscribers, as well as all kinds of control channels (CCH): CCCH, BCCH and DCCH.

Frequency Correction Burst
The name speaks for itself. Implements a one-way downlink FCCH, allowing mobile phones to more accurately tune to the BTS frequency.

Synchronization Burst
A burst of this type, like the frequency correction burst, implements a downlink-only channel, in this case the SCH, which announces the presence of a base station on the air. Like beacon frames in Wi-Fi networks, each such burst is transmitted at full power and carries the information needed to synchronize with the BTS: the current frame number, its identity (BSIC) and so on.

Dummy burst
A dummy burst is sent by the base station to fill unused timeslots. If there were no activity on the channel, the signal strength of the current ARFCN would drop noticeably and the phone might conclude that it is far from the base station. To avoid this, the BTS fills unused timeslots with meaningless traffic.

Access Burst
When establishing a connection with the BTS, the mobile phone sends an SDCCH request on the RACH. Having received such a burst, the base station determines the subscriber's timing advance and answers on the AGCH, after which the phone can receive and send normal bursts. Note the extended guard period: at this point neither the phone nor the base station knows the propagation delay yet. If the RACH request gets no answer (for example, because it collided with another phone's request), the phone repeats it after a pseudo-random interval.
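
The burst fields of section 2.4 and the burst types of section 2.5, as one added example (not code from the original article, nor from OsmocomBB or gr-gsm): a builder and parser for the normal burst, showing where the stealing flags sit, and a classifier that recognises the frequency correction, synchronization, normal and access bursts purely from their fixed structure. The training-sequence constants are the ones listed in 3GPP TS 45.002; the bit-period arithmetic reproduces the 0.577/0.546/0.031 ms figures from the text; all function names are this example's own, and the bursts in the usage are constructed.

```python
# Added example, not code from the original article: GSM burst layouts from
# 3GPP TS 45.002 section 5.2.  Training-sequence constants are copied from
# that spec; the rest is this example's own code.

BIT_PERIOD_US = 48 / 13          # one bit period; 156.25 of them make a 0.577 ms timeslot
SLOT_BITS = 156.25

# Normal-burst training sequences TSC0..TSC7 (26 bits each).
TSC = [
    "00100101110000100010010111", "00101101110111100010110111",
    "01000011101110100100001110", "01000111101101000100011110",
    "00011010111001000001101011", "01001110101100000100111010",
    "10100111110110001010011111", "11101111000100101110111100",
]
# Extended training sequence of the synchronization burst (64 bits).
SCH_SYNC = "1011100101100010000001000000111100101101010001010111011000011011"
# Synchronization sequence of the access burst (41 bits).
AB_SYNC = "01001011011111111001100110101010001111000"

def timing_us() -> dict:
    """The timeslot, burst and guard-period durations quoted in the text."""
    return {
        "timeslot_us": round(SLOT_BITS * BIT_PERIOD_US, 1),       # 576.9
        "normal_burst_us": round(148 * BIT_PERIOD_US, 1),         # 546.5
        "guard_us": round(8.25 * BIT_PERIOD_US, 1),               # 30.5
        "access_guard_us": round(68.25 * BIT_PERIOD_US, 1),       # 252.0
    }

def build_normal_burst(data: str, tsc_index: int,
                       steal_first: bool = False, steal_second: bool = False) -> str:
    """3 tail + 57 data + 1 stealing flag + 26 TSC + 1 stealing flag + 57 data + 3 tail = 148 bits."""
    if len(data) != 114 or set(data) - {"0", "1"}:
        raise ValueError("payload must be 114 bits")
    return ("000" + data[:57] + str(int(steal_first)) + TSC[tsc_index]
            + str(int(steal_second)) + data[57:] + "000")

def parse_normal_burst(burst: str) -> dict:
    """Split a normal burst into fields; a set stealing flag marks a half taken by FACCH."""
    if len(burst) != 148 or burst[:3] != "000" or burst[-3:] != "000":
        raise ValueError("not a normal burst")
    tsc = burst[61:87]
    if tsc not in TSC:
        raise ValueError("unknown training sequence")
    return {
        "data": burst[3:60] + burst[88:145],
        "tsc": TSC.index(tsc),
        "facch_first_half": burst[60] == "1",
        "facch_second_half": burst[87] == "1",
    }

def classify_burst(bits: str) -> str:
    """Guess the burst type from its fixed structure (demodulation is assumed done)."""
    if len(bits) == 88 and bits[:8] == "00000000" and bits[8:49] == AB_SYNC:
        return "access"                  # 8 tail + 41 sync + 36 data + 3 tail, then the long guard
    if len(bits) != 148:
        return "unknown"
    if bits == "0" * 148:
        return "frequency_correction"    # all zeros: modulates to a pure tone the phone locks on to
    if bits[42:106] == SCH_SYNC:
        return "synchronization"         # 3 tail + 39 data + 64 sync + 39 data + 3 tail
    if bits[61:87] in TSC:
        return "normal"                  # the dummy burst has the same shape and also lands here
    return "unknown"
```

Usage: `parse_normal_burst(build_normal_burst("01" * 57, 3, steal_first=True))` returns the payload with `facch_first_half` set and `facch_second_half` clear, the case the text describes as "only one half of the burst carries FACCH". A real capture would first have to be demodulated and de-interleaved; the classifier only shows which fixed patterns distinguish the types.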

2.6 Frequency Hopping

Quoting from Wikipedia:

Frequency-hopping spread spectrum (FHSS) is a method of transmitting information by radio, the peculiarity of which is the frequent change of the carrier frequency. The frequency changes according to a pseudo-random sequence of numbers known to both the sender and the receiver. The method increases the noise immunity of the communication channel.


3.1 Basic attack vectors

Since Um is a radio interface, all of its traffic is "visible" to anyone within range of the BTS. Moreover, the data sent over the air can be analysed without leaving home, using inexpensive equipment (an old mobile phone supported by the OsmocomBB project, or a small RTL-SDR dongle), an ordinary computer and a bit of skill.

There are two kinds of attack, passive and active. In the first the attacker does not interact with the network or the target subscriber at all and only receives and processes information; such an attack is practically impossible to detect, but it offers fewer possibilities than an active one. An active attack involves interaction with the target subscriber and/or the cellular network.

The most dangerous attacks to which subscribers of cellular networks are exposed:

  • Sniffing
  • Leakage of personal data, SMS and voice calls
  • Location data leak
  • Spoofing (FakeBTS or IMSI Catcher)
  • Remote SIM capture, arbitrary code execution (RCE)
  • Denial of Service (DoS)

3.2 Subscriber identification

As mentioned at the beginning of the article, a subscriber is identified by the IMSI stored on the SIM card and in the operator's HLR, and a phone by its serial number, the IMEI. After the initial authentication, however, neither the IMSI nor the IMEI is sent over the air in clear text: after the Location Update procedure the subscriber receives a temporary identifier, the TMSI (Temporary Mobile Subscriber Identity), and all further signalling uses it.

Attack methods
Ideally the subscriber's TMSI is known only to the phone and the network. It can nevertheless be learned: by repeatedly calling the target or sending it SMS messages (better still, silent SMS, which the recipient never sees) while watching the PCH and correlating the paging messages with the moments of sending, you can single out the target's TMSI with reasonable confidence.

In addition, with access to the SS7 inter-operator signalling network you can learn a subscriber's IMSI and LAC from the phone number. The problem is that within SS7 all operators "trust" each other, which lowers the confidentiality of everyone's subscriber data.
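
The paging correlation described above, as an added example (not code from the original article): a PCH observation log and the send times of silent SMS probes are constructed inline, and the script scores each TMSI by how many probes it was paged shortly after. The three-second window and the requirement that a candidate be paged after every probe are this example's choices, not values from the article; a real log would come from a PCH sniffer such as gr-gsm or OsmocomBB.

```python
# Added example, not code from the original article: singling out a target's
# TMSI by correlating silent-SMS probes with pagings seen on the PCH.
from collections import Counter

# Constructed PCH observations: (seconds since start of capture, TMSI paged).
PAGING_LOG = [
    (0.5, 0x1A2B3C4D), (1.1, 0x00FF00FF), (2.7, 0x1A2B3C4D),
    (10.2, 0x0BADF00D), (10.9, 0x00FF00FF), (11.4, 0xDEADBEEF),
    (20.6, 0x0BADF00D), (21.3, 0x1A2B3C4D), (22.0, 0xDEADBEEF), (22.8, 0x0BADF00D),
    (30.4, 0x0BADF00D), (31.0, 0xCAFEBABE), (31.8, 0x00FF00FF),
]
# Constructed moments at which a silent SMS was sent to the target.
PROBES = [10.0, 20.0, 30.0]

def pagings_in_window(log, start: float, window: float) -> set:
    """All TMSIs paged between a probe and `window` seconds later."""
    return {tmsi for t, tmsi in log if start <= t <= start + window}

def correlate_tmsi(log, probes, window: float = 3.0, min_hits: int = None) -> tuple:
    """Return (best_tmsi, hits, ambiguous).  A TMSI paged after every probe is
    the target; `ambiguous` is set when another TMSI scores just as high, which
    is the signal to send more probes rather than trust the answer."""
    min_hits = min_hits or len(probes)
    score = Counter()
    for p in probes:
        score.update(pagings_in_window(log, p, window))
    ranked = score.most_common()
    if not ranked or ranked[0][1] < min_hits:
        return None, 0, True
    best, hits = ranked[0]
    ambiguous = len(ranked) > 1 and ranked[1][1] == hits
    return best, hits, ambiguous

if __name__ == "__main__":
    print(correlate_tmsi(PAGING_LOG, PROBES))        # (0x0BADF00D, 3, False)
    print(correlate_tmsi(PAGING_LOG, PROBES[:2]))    # ambiguous: a bystander was paged twice too
```

With only the first two probes the bystander 0xDEADBEEF is paged just as often as the real target, so the function reports the result as ambiguous; the third probe breaks the tie. Background paging in a busy LAC is exactly why a single probe is never enough.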

3.3 Authentication

To protect against impersonation, the network authenticates the subscriber before serving it. Besides the IMSI, the SIM card stores a secret key Ki, a randomly generated 128-bit value that never leaves the card: the SIM only ever returns values computed from it. Ki is also stored on the operator's side (HLR/AuC) and is never transmitted. Authentication is a challenge-response exchange:

  1. The subscriber sends a Location Update Request and provides its identity (IMSI or TMSI).
  2. The network sends a pseudo-random challenge RAND.
  3. The SIM computes the signed response with the A3 algorithm: SRES = A3(Ki, RAND).
  4. The network computes SRES from the same Ki and RAND.
  5. If the SRES returned by the subscriber matches the value computed on the network side, the subscriber is authenticated. At the same time the SIM derives the session key Kc = A8(Ki, RAND), which is used for the traffic encryption described below.

Note that only the subscriber is authenticated: the phone never verifies the network, which is what makes a fake base station possible.

Attack methods
Brute-forcing Ki from captured RAND/SRES pairs would take far too long, and operators may use their own A3/A8 implementations, so there is not much public information about such attempts. Not all SIM cards are equally well protected, however: some researchers have obtained direct access to the SIM's file system and extracted Ki from it.
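
The challenge-response flow above, simulated end to end as an added example (not code from the original article). The real A3/A8 algorithms are operator-specific (COMP128 variants, Milenage) and are not reproduced here; an HMAC-SHA256 of RAND keyed with Ki stands in for them, which is this example's assumption, not the standard. The class and function names, the IMSI and the Ki value are constructed. The FakeBts class illustrates the point made in the text that the phone never verifies the network.

```python
# Added example, not code from the original article: GSM subscriber
# authentication (challenge-response with a stand-in A3/A8) and why a rogue
# base station can skip it entirely.
import hashlib
import hmac
import os

def a3a8_stand_in(ki: bytes, rand: bytes) -> tuple:
    """Stand-in for A3/A8 (this example's assumption, not COMP128/Milenage):
    returns (SRES, Kc) = (32-bit signed response, 64-bit session key)."""
    if len(ki) != 16 or len(rand) != 16:
        raise ValueError("Ki and RAND are 128 bits each")
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]

class SimCard:
    """Holds Ki and only ever returns values derived from it."""
    def __init__(self, imsi: str, ki: bytes):
        self.imsi = imsi
        self._ki = ki                       # never leaves the card

    def run_gsm_algorithm(self, rand: bytes) -> tuple:
        return a3a8_stand_in(self._ki, rand)

class AuthCentre:
    """Operator side: knows every subscriber's Ki and issues triplets."""
    def __init__(self, subscribers: dict):
        self._keys = subscribers            # IMSI -> Ki

    def triplet(self, imsi: str) -> tuple:
        """(RAND, expected SRES, Kc) for one authentication run."""
        rand = os.urandom(16)
        sres, kc = a3a8_stand_in(self._keys[imsi], rand)
        return rand, sres, kc

def location_update(sim: SimCard, auc: AuthCentre) -> tuple:
    """Steps 1-5 from the text.  Returns (authenticated, Kc or None)."""
    rand, expected_sres, kc = auc.triplet(sim.imsi)    # steps 1, 2 and 4
    sres, _ = sim.run_gsm_algorithm(rand)              # step 3, on the SIM
    if hmac.compare_digest(sres, expected_sres):       # step 5
        return True, kc
    return False, None

class FakeBts:
    """A rogue cell.  GSM authenticates only the subscriber, so the fake BTS
    can simply omit the challenge and order A5/0; the phone has no way to
    tell, and the IMSI is obtained by asking for it (Identity Request)."""
    def serve(self, sim: SimCard) -> dict:
        return {"imsi_seen": sim.imsi, "network_authenticated": False, "cipher": "A5/0"}

if __name__ == "__main__":
    ki = bytes(range(16))                       # constructed Ki
    auc = AuthCentre({"250011234567890": ki})   # constructed IMSI (MCC 250 = Russia)
    print(location_update(SimCard("250011234567890", ki), auc)[0])        # True
    print(location_update(SimCard("250011234567890", bytes(16)), auc)[0]) # False: wrong Ki
    print(FakeBts().serve(SimCard("250011234567890", ki)))
```

A SIM with the wrong Ki fails step 5, which is the whole protection against cloning without the key; the fake BTS path shows that the same protocol gives the phone nothing to check in the other direction.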

3.4 Traffic encryption

According to the specification there are several ciphering options for user traffic:
  • A5/0 - the formal designation for no encryption, just like OPEN in Wi-Fi networks. I myself have never seen a network without encryption; however, according to gsmmap.org, A5/0 is used in Syria and South Korea.
  • A5/1 - the most common algorithm. Although breaking it has been demonstrated repeatedly at various conferences, it is still used everywhere. To decrypt traffic it is enough to have 2 TB of free disk space for the precomputed tables, an ordinary Linux PC and the Kraken program.
  • A5/2 - a deliberately weakened export algorithm. Where it is used at all, it is only for show.
  • A5/3 - currently the strongest algorithm, defined back in 2002 and based on the KASUMI block cipher. Some theoretical attacks have been published, but nobody has shown a practical break. I don't know why our operators do not want to use it in their 2G networks: it is no obstacle to lawful interception, since the operator knows the keys and can decrypt traffic on its side, and all modern phones support it. Fortunately, modern 3GPP networks do use it.
Attack methods
As already mentioned, with sniffing equipment, a computer holding 2 TB of tables and the Kraken program, the A5/1 session key can be found within seconds from a small amount of known keystream, after which all traffic of that session can be decrypted. German cryptographer Karsten Nohl demonstrated the break of A5/1 in 2009; in 2010 Nohl and Sylvain Munaut demonstrated interception and decryption of a phone call using several old Motorola phones running OsmocomBB.

Conclusion

My long story has come to an end. A more detailed, practical introduction to how cellular networks work will be available in the article series "Getting acquainted with OsmocomBB", as soon as I add the remaining parts. I hope I managed to tell you something new and interesting. I look forward to your feedback and comments!