GSM Base Transceiver Station

Presentation by:
Naveen Jakhar
ITS 2014 Batch

1
Topics covered in this presentation:
What is a Base Transceiver Station ?
Components of any BTS
BTS transceiver, BTS O&M module, clock module
BTS Transmitter and Receiver Characteristics
BTS configurations
BTS functions and Protocols on Um and Abis Interface
BTS security aspects
Conclusion

2
Introduction to Base Transceiver Station:
BTS stands for Base Transceiver Station
A BTS is an equipment that facilitates wireless communication
between user equipment (UE) and a network
UEs are devices like mobile phones, WLL (Wireless in Local
Loop) phones, computers with wireless Internet connectivity
The network can be that of any of the wireless communication
technologies like GSM, CDMA, wireless local loop, Wi-Fi (wireless
fidelity), WiMAX (Worldwide Interoperability for Microwave
Access) or other wide area network(WAN) technology

3
Introduction to Base Transceiver Station:
BTS is also referred to as the radio base station (RBS), node
B(in 3G Networks) or, simply, the base station (BS)
The term BTS is applicable to
any of the wireless communication
standards, it is generally associated
with mobile communication technologies
like GSM and CDMA

4
Base Transceiver Station(BTS) components:
BTS provides the wireless connectivity to Mobile Station on one side
via Air Interface (also called )
BTS is connected to BSC via Abis Interface
Any BTS is having these components:
Transceiver (TRX) Power amplifier (PA)
Combiner Multiplexer
Antenna Baseband receiver unit (BBxx)
Control function Alarm extension system
Clock Module Operation and Maintenance module

5
Base Station Transceiver:
BTS Transceiver is responsible for transmission and reception of
signals
GSM recommendations allow one BTS to host up to 16 TRX
In field, majority of BTS have one to 4 TRX at max
TRX is having two parts: one, a low frequency part for digital signal
processing and other, high frequency part for GMSK modulation and
demodulation
Both parts are connected via a separate or an integrated frequency
hopping unit

6
Base Transceiver Diagram:

7
Base station components:
Combiner combines feeds from several TRXs so that they could be
sent out through a single antenna thus reducing the number of
antennas that need be installed
Power Amplifier Class C, aids in signal amplification from TRX for
transmission through the antenna
Duplexer is used for separating sending and receiving signals to or
from the antenna
Antenna is an external part of the BTS and it is used to transmit the
signals to other entity

8
Base station components:
Alarm Extension system collects working status alarms of various
units in the BTS and extends them to operations and maintenance
(O&M) monitoring stations

Control functions controls and manages the various units of BTS,

including any software. On-the-spot configurations, status changes,
software upgrades, etc. are done through the control function
module

9
BTS Operations and Maintenance module:
It consists of at least one central unit, which administers all other
parts of BTS
O&M module is connected to BSC by means of a special O&M
channel
O&M module allows a remote access from BSC for any software
update
A BTS is controlled by a parent BSC via the base station control
function(BCF), implemented in O&M module
O&M module also provides a Human Machine Interface, which
allows for local control of BTS

10
BTS Clock module:
Clock generation and distribution module is present inside O&M
module
Reference clock is derived from PCM signals on Abis Interface
BTS internal clock generation is mandatory when a BTS is to be
tested in standalone environment & when PCM clock is not available
due to link failure
GSM requires that all TRX of a BTS use same clock. The accuracy of
the signal has to have a precision of at least 0.05 ppm
1 MHz clock, precision should be .05 Hz

11
BTS Input and Output filters:
Input and output filters are used to limit the bandwidth of received
and transmitted signal
The input filter typically is a non-adjustable wideband filter that
allows GSM 900MHz, DCS 1800 MHz, PCS 1900 MHz frequencies to
pass in the uplink direction
The output filter is an adjustable wideband filter used in downlink
direction which limits the signal to 200 KHz bandwidth

12
BTS Transmitter Characteristics:
Output Power
Output RF Spectrum
Spurious emissions
Radiofrequency tolerance
Output level dynamic operation
Modulation accuracy
Intermodulation attenuation

13
BTS Transmitter Specifications:
For a normal BTS, the maximum output power measured at the input
of the BSS Tx combiner, shall be, according to its class, as defined in
the following table

14
Micro and pico -BTS Transmitter Specifications:
For a micro-BTS or a pico-BTS, the maximum output power per
carrier measured at the antenna connector after all stages of
combining shall be, according to its class, defined in the following
table.

15
BTS Transmitter Specifications:
The tolerance of the actual maximum output power of the BTS for
each supported modulation shall be 2 dB under normal conditions
and 2.5 dB under extreme conditions
Power can be increased in steps, each step size is of 2 dB with
accuracy of 1 dB
dBc (decibels relative to the carrier) is the power ratio of a signal to a
carrier signal, expressed in decibels
The Residual output power, if a timeslot is not activated, shall be
maintained at, or below, a level of -30 dBc on the frequency channel

16
BTS Receiver Characteristics:
Blocking Characteristics

AM Suppression Characteristics

Intermodulation Characteristics

Spurious emissions

17
BTS Receiver Blocking Characteristics:
The blocking characteristics of the receiver are specified separately
for in-band and out-of-band performance

18
BTS configurations:
BTS Configurations depend on load, subscriber behaviour and area
to be covered
Three different configurations of BTS:
Standard omnidirectional configuration
Umbrella shape configuration
Sectorized or Cell configuration

19
BTS Standard Omnidirectional Configuration:
Omnidirectional antennas are used

No fine load balancing with respect to the load and clutter

Inefficient resource utilization

Low antenna gain

20
BTS Umbrella Cell Configuration:
Umbrella cell configuration consists of one BTS with high
transmission power and an antenna installed high above the ground
that serves as an umbrella for a number of BTSs with low
transmission power
and small diameters
Use of Umbrella cell
Configuration ?

21
BTS Umbrella Cell Configuration:
Umbrella cell configuration high rise antenna may be a solution to
provide coverage for fast moving cars (how can they be detected
using timing advance parameter updated after every 480 ms by
MEAS_RES message)and antennas with lesser height can provide
coverage to dense areas within a city
Umbrella configuration not specified by GSM, so additional design
updates required in BTS and BSC
Drawback: Interference and non-reuse of frequency

22
BTS Sectorized(Collocated) Configuration:
Several BTSs are collocated at one site but their antennas cover only
an area of 120 or 180 degrees
Fairly easy to fine-synchronize the cells with each other and thus
allows for synchronised handover between the two cells
Re-use of frequencies
Sectorization eases the demand for frequencies especially in urban
areas

23
BTS Sectorized(Collocated) Configuration:

24
BTS functions:
BTS is an important component of BSS
Channel encoding and decoding
Burst formatting and Interleaving
Encryption and decryption (ciphering)
setup of LAPD connection on BSC side and LAPDm on Um interface
GMSK modulation and demodulation
Creation and transmission of BCCH
Measurements of signal strength and forward the results to BSC

25
BTS Interface Protocols and signal transfer :
interface :
This interface uses LAPDm protocol for signalling, to conduct call
control,measurement reporting reporting, handover, power
control, authentication, authorization, location update and so on. Traffic and
signaling are sent in bursts of 0.577 ms at intervals of 4.615 ms, to form data
blocks each 20 ms
LAPDm does not have CRC for Error detection
Abis Interface :
Uses TDM sub channels for traffic (TCH), LAPD protocol for BTS supervision and
telecom signalling, and carries synchronization from the BSC to the BTS and MS

26
BTS Interface Protocols:

27
BTS Interface Protocols and signal transfer :
GSM Layer 1:
FDMA/TDMA is the air interface(radio), also called Um interface

At Mobile Station, FDMA/TDMA is used which is also followed at

BTS, BTS takes this format from MS and convert it to 64kbps digital
format for the digital link and interfaces with BSC

28
BTS Interface Protocols and signal transfer :
GSM Layer 2:
Layer 2 is the data link layer, which does following three main
functions.
Establish and maintain the link
Flow control
Error detection
Work on layer 3 frames
.

29
BTS Interface Protocols and signal transfer :
GSM Layer 2:
At Layer-2 LAPD and LAPDm is used. LAPD is the ISDN(Integrated Services
Digital Network) protocol for D Channel

LAPDm is the modified version of LAPD for mobile station

LAPDm does not have CRC for Error detection

LAPD at BTS converts potentially unreliable physical link of MS into reliable

link

30
Security aspects at BTS:
All BTS are comprised of software and radio equipment and most of
the vendors use a similar transceiver code base means all can be
attacked using this flaw
A malicious hacker can take control of BTS from any remote place
results in compromised BTS functionalities
The attacker could impersonate a parallel BTS communicating with it
and could send GSM data bursts to the transceiver itself, thus
conducting attacks such as IMSI detaching, encryption downgrading,
and denial of service against mobile subscribers

31
Conclusion and way forward:
BTS is an important device for Mobile communication and any
security breach at BTS would expose the entire mobile network to
many vulnerabilities
Vendors are coming up with these improvements in BTS design:
change firewall rules to block traffic coming from external networks
to specific ports
Enhanced authentication process
perform additional code audits before releasing alpha version of any
software patch

32
References:
Book GSM networks : Protocols, Terminology and Implementation by
Gunnair Heine
3GPP TS 05.05 version 8.20.0 Release 1999, ETSI TS 100 910 V8.20.0
(2005-11)
http://www.securityweek.com/critical-vulnerabilities-affect-open-
source-base-transceiver-stations
http://www.rfwireless-world.com/
http://whytelecom.com/
https://en.wikipedia.org/wiki/Base_transceiver_station

33
 Thank You
Communication The Human Connection is the key to Personal and Career Success

34