7/25/2019 Seminar Fs12 Alyafawi
CDS Seminar, 26. March 2012
GSM Indoor Localization: Mobile station events
Islam Alyafawi
Universität Bern
-
GSM indoor localization: Mobile station events
Outline
In3D guide objective
Challenges
Network Architecture
Paths under privacy roles
Future work
-
Objectives and Approaches
- Guide people to their indoor destinations using their mobile phones
- Using GSM technology
- Independent from the local cellular operator infrastructure
- Transparent from the user side
- Localization system based on Multilateration technique
- Analyze GSM signals based on their type, function, and identity.
- Capture GSM signals (Mobile GSM network) using wireless sensors (USRP)
Multilateration technique is based on the measurement of the difference in distance to two or more stations at known locations
USRP: Universal Software Radio Peripheral
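Added example, not part of the original slides: the multilateration definition above carried through numerically for a noise-free 2-D case, using a Gauss-Newton fit of a position to measured range differences. The sensor coordinates, the test position and the function names are constructed for illustration.

```python
import math

C = 299_792_458.0  # propagation speed in m/s

def tdoa_from_position(sensors, pos):
    """Arrival-time differences (s) at sensors 1..n-1 relative to sensor 0."""
    d = [math.dist(s, pos) for s in sensors]
    return [(di - d[0]) / C for di in d[1:]]

def locate(sensors, tdoas, iterations=25):
    """Gauss-Newton fit of (x, y) to the range differences C * tdoa."""
    # Start from the centroid of the sensors.
    x = sum(s[0] for s in sensors) / len(sensors)
    y = sum(s[1] for s in sensors) / len(sensors)
    x0, y0 = sensors[0]
    for _ in range(iterations):
        d = [math.dist(s, (x, y)) for s in sensors]
        a11 = a12 = a22 = b1 = b2 = 0.0
        for (sx, sy), di, t in zip(sensors[1:], d[1:], tdoas):
            r = (di - d[0]) - C * t               # residual of one range difference
            jx = (x - sx) / di - (x - x0) / d[0]  # d r / d x
            jy = (y - sy) / di - (y - y0) / d[0]  # d r / d y
            a11 += jx * jx; a12 += jx * jy; a22 += jy * jy
            b1 += jx * r; b2 += jy * r
        det = a11 * a22 - a12 * a12
        if abs(det) < 1e-12:                      # degenerate sensor geometry
            break
        # Solve the 2x2 normal equations and step towards the minimum.
        x -= (a22 * b1 - a12 * b2) / det
        y -= (a11 * b2 - a12 * b1) / det
    return x, y

# Constructed layout: four sensors in the corners of a 20 m x 10 m hall.
SENSORS = [(0.0, 0.0), (20.0, 0.0), (20.0, 10.0), (0.0, 10.0)]
TRUE_POS = (6.0, 3.0)

if __name__ == "__main__":
    print(locate(SENSORS, tdoa_from_position(SENSORS, TRUE_POS)))
```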
-
How?
GSM Feature
- TDMA/FDMA
- Frequency hopping
- Random Identity of users
- Ciphering
- Channels have different functionality
- Message format depends on its functionality
- Power control is on
Challenge
- Time/frequency synch.
- Know/follow the hopping sequence for single and multi-users
- Track unique user
- Tracking the channel type
- Analyzing GSM messages
- Analyzing localization parameters (e.g. TDoA)
Proposed solution
- USRP follows MS wakeup
- Using Airprobe
- Read frequency sequence transmitted over certain channels
- Find an algorithm to match different identities to anonymous user
- Synchronize USRPs together
-
GSM network architecture
MS: Mobile Station
BTS: Base Transceiver Station
BSC: Base Station Controller
MSC: Mobile Switching Center
HLR: Home Location Register
VLR: Visitor Location Register
AuC: Authentication Center
EIR: Equipment Identity Register
-
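Functional layer of GSM
Connection management (CM)
Mobility management (MM)
Radio Resource management (RR)
Data link layer (LAPDm)
Physical layer (TDMA/FDMA)
[Figure: protocol stacks of the MS, BTS, BSC and MSC, connected over the Air, Abis and A interfaces; the layers shown are CM, MM, RR, LAPDm and TDMA/FDMA]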
-
MS identities
MSISDN: Mobile Subscriber ISDN Number
IMSI: International Mobile Subscriber Identity
TMSI: Temporary Mobile Subscriber Identity
MSRN: Mobile Station Roaming Number
LMSI: Local Mobile Subscriber Identity
LAI: Location Area Identity
-
IMSI/TMSI structure
Temporary Mobile Subscriber Identity (TMSI), 4 Octet
Fields: TMSI Identification, Network Resource Identifier (NRI), TMSI Generation
All parameters' length and location are operator configuration
International Mobile Subscriber Identity (IMSI), 8 Octet
Fields: Mobile Country Code, Mobile Network Code, Mobile Subscriber Identification Number
-
Logical channels in GSM
Common Channels (CCH)
  Broadcast Channels (BCH)
    Frequency Correction Channel (FCCH)
    Synchronization Channel (SCH)
    Broadcast Control Channel (BCCH)
  Common Control Channels (CCCH)
    Paging Channel (PCH)
    Random Access Channel (RACH)
    Access Grant Channel (AGCH)
Dedicated Channels (DCH)
  Dedicated Control Channels (DCCH)
    Slow Dedicated Control Channel (SDCCH)
    Slow Associated Control Channel (SACCH)
    Fast Associated Control Channel (FACCH)
  Traffic Channels (TCH)
    Full rate (TCH/F)
    Half rate (TCH/H)
-
Analyzing GSM messages (LAPDm)
[Figure: LAPDm frame formats A, B, Abis and Bbis, built from Address field (8 bits), Control field (8 bits), Frame length (8 bits), Signalling data with Fill-in bit, and Fill octet]
N201 = 23 octets
Address field: - Service Access Point Identifier
- Link Protocol Discriminator
Control field: - Send/receive sequence number
- Frame type
Frame length: - The signalling data length
Fill-in bit: all 1 bits to extend the length to the desired N201 bits
Usage:
A, B: SACCH, FACCH, SDCCH
Abis, Bbis: BCCH, PCH, AGCH
-
Analyzing GSM messages (LAPDm)
Channel | N201
SACCH | 18 octets
SDCCH, FACCH | 20 octets
BCCH, AGCH, PCH | 22 octets
[Figure: message header with Type ID (8 bits), Message Type (8 bits) and Fill octet]
Type ID: - Protocol discriminator
Message type: - Determines all messages that are defined on the air interface
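Added example, not part of the original slides: a decoder for one B-format LAPDm frame, splitting the address, control and frame length octets into the sub-fields named on the two slides above and checking the length against the N201 table. The bit positions inside each octet follow the LAPDm specification (GSM 04.06) rather than the slides; the function name and the sample frame, including its fill octet value, are constructed.

```python
# N201 (octets available for signalling data) per channel, from the table above.
N201 = {"SACCH": 18, "SDCCH": 20, "FACCH": 20}

def parse_lapdm_b(frame: bytes, channel: str) -> dict:
    """Decode one B-format frame: address, control, length, data, fill."""
    n201 = N201[channel]
    if len(frame) != 3 + n201:
        raise ValueError(f"expected {3 + n201} octets, got {len(frame)}")
    addr, ctrl, li = frame[0], frame[1], frame[2]
    # Bit 1 of the address and length octets marks "no extension octet follows".
    if not (addr & 0x01 and li & 0x01):
        raise ValueError("extended address/length fields are not handled")
    length = li >> 2
    if length > n201:
        raise ValueError("length indicator exceeds N201")
    if ctrl & 0x01 == 0:        # information frame: N(S) and N(R)
        ftype, ns, nr = "I", (ctrl >> 1) & 7, ctrl >> 5
    elif ctrl & 0x03 == 0x01:   # supervisory frame: N(R) only
        ftype, ns, nr = "S", None, ctrl >> 5
    else:                       # unnumbered frame: no sequence numbers
        ftype, ns, nr = "U", None, None
    return {
        "lpd": (addr >> 5) & 3,    # Link Protocol Discriminator
        "sapi": (addr >> 2) & 7,   # Service Access Point Identifier
        "cr": (addr >> 1) & 1,     # command/response bit
        "frame_type": ftype, "ns": ns, "nr": nr,
        "more": bool(li & 0x02),   # further segments follow
        "length": length,
        "data": frame[3:3 + length],
        "fill": frame[3 + length:],  # padding up to N201, not inspected
    }

# Constructed SDCCH frame: SAPI 0, I frame with N(S)=1 and N(R)=2,
# 5 octets of signalling data, 15 fill octets (fill value is an assumption).
SAMPLE = (bytes([0x03, 0x42, 0x15]) + bytes.fromhex("0508112233")
          + bytes([0x2B]) * 15)

if __name__ == "__main__":
    print(parse_lapdm_b(SAMPLE, "SDCCH"))
```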
-
Burst types (156.25 bits)
Normal Burst (NB): TB 3 | Encrypted bits 57 | F 1 | Training sequence 26 | F 1 | Encrypted bits 57 | TB 3 | GB 8.25
Frequency correction Burst (FB): TB 3 | Fixed bits 142 | TB 3 | GB 8.25
Synchronization Burst (SB): TB 3 | Encrypted bits 39 | F 1 | Synchronization sequence 64 | F 1 | Encrypted bits 39 | TB 3 | GB 8.25
Access Burst (AB): TB 3 | Synchronization sequence 41 | Encrypted bits 36 | TB 3 | GB 68.25
Dummy Burst (DB): TB 3 | Mix bits 58 | Training sequence 26 | Mix bits 58 | TB 3 | GB 8.25
TB: Tail Bit
F: Flag
GB: Guard Band
-
TDMA, bursts to frame
[Figure: downlink and uplink carriers, each 200 KHz wide and 45MHz apart, divided over time into time slots TS 0 to TS 7 of 577 µs each]
1 TDMA frame = 4.165 ms
-
Frame structure in GSM
[Figure: frame hierarchy]
Time slot: TB 3 | Encrypted bits 57 | F 1 | Training sequence 26 | F 1 | Encrypted bits 57 | TB 3 | GP 8.25
TDMA frame: TS 0 to TS 7
Multi frame: 0 to 25 or 0 to 50
Super frame: 0 to 50 or 0 to 25
Hyper frame: 0 to 2047
-
FDMA
[Figure: time-frequency grid; each burst occupies 577 µs in time and 200KHz in frequency]
GSM900
Uplink: 890-915MHz
Down: 935-960MHz
Duplex interval: 45MHz
Bandwidth: 25MHz
Frequency interval: 200KHz
-
Frequency hopping
The hopping rate is about 217 changes per second
There are essentially two types of hopping algorithms available
Cyclic hopping: the transmit frequency changes in accordance with a predefined list of frequencies in sequential order
Random hopping: the transmit frequency changes randomly through a set of frequencies
-
In3D guide structure
NO ACCESS
-
USRP: Hardware-Software
Hardware
Contains radio daughterboards (e.g. RFX900, 800-1000 MHz Transceiver, WBX 50-2200 MHz Transceiver)
Analog to digital converters (ADCs), 64 M sample/s
Digital to analog converters (DACs), 128 M sample/s
200 us PLL lock time
Software
GNU Radio is a free software development toolkit that provides the signal processing runtime and processing blocks to implement software radios using readily-available, low-cost external RF hardware and commodity processors
Airprobe is a free software tool to build an air-interface analysis for the GSM mobile phone standard
-
Frequency/time synchronization
Frequency Synchronization
The USRP wakes up in the same way as a mobile station
The mobile wakes up for the first time
[Flowchart: Scanning GSM bands, 200 kHz; decision "> Power threshold" (Yes/No); decision "FCCH channel" (Yes/No); Record FCCH sequence (zeros); Frequency correction]
-
Frequency/time synchronization
Time Synchronization
The USRP wakes up in the same way as a mobile station
Scan SCH channel
- Training sequence for time synchronization
- Current frame number for the serving BTS
- Base station Identity code
- Base station color code
- Network color code
-
Frequency hopping
Obtaining Frequency hopping Sequence
[Flowchart with branches "BTS hopping" and "MS hopping": Listening to 4 BCCH slots; Listening to CCCH channels; decision "AGCH channel" (Yes/No); Obtain Hopping Sequence Number, Mobile Allocation Index Offset]
-
Authentication
[Sequence diagram between Mobile Stations, Base Stations, MSC / VLR and HLR / AuC. Labels in extraction order: MS request; IMSI, TMSI_old; REQ_INFO; IMSI; IMSI, triplets (RAND, SRES, Kc); IMSI, RAND; AUTH_REQ; RAND; AUTH_RES; SRES; Compare SRES; CIPH_MOD_CMD; CIPH_MOD_COM; Cipher Mode; TMSI_REAL_CMD; TMSI]
Request:
- Location update
- IMSI detach
- CM Service Request
-
IMSI attach/Location update
[Sequence diagram between Mobile Station, Base Stations, MSC / VLR and HLR / AuC. Labels in extraction order: CHAN_REQ; IMM_ASS_CMD; SDCCH; LOC_UPD_REQ; IMSI, TMSI; REQ_ACK; LOC_UPD_REQ; IMSI, TMSI; Cipher Mode; LOC_UPD_ACC; TMSI; TMSI_REAL_CMD; TMSI; TMSI_REAL_COM; LOC_UP; CHAN_REL; Authentication]
-
IMSI detach
[Sequence diagram between Mobile Station, Base Stations, MSC / VLR and HLR / AuC. Labels in extraction order: CHAN_REQ; IMM_ASS_CMD; SDCCH; IMSI_DET_IND; IMSI, TMSI; Authentication; Location Cancel Request; Removes any pointers for the IMSI from its registry; Location Cancel Acknowledge]
-
[Sequence diagram between Mobile Station, Base Stations, MSC / VLR and HLR / AuC. Labels in extraction order: PAG_REQ; IMSI, TMSI; Cipher Mode; Authentication; The Call in progress; CHAN_REQ; IMM_ASS_CMD; SDCCH; PAG_RES; SETUP(CLIP); CALL_CON; TCH; ASS_CMD; ASS_COM; ALERT; Connect with PSTN; CON_ACK; The calling party terminates the call]
CLIP = Calling Line Identification Presentation
-
[Sequence diagram between Mobile Station, Base Stations, MSC / VLR and HLR / AuC. Labels in extraction order: Disconnect-Release channel; Close the call; DISC; REL; REL_CMD; CHAN_REL; DISC (LAPDm)]
-
Power control
[Flowchart: Calculated power level at BTS; SACCH at FN 12 and 25; decision "Within threshold" (Yes/No); Send command over SACCH header with power adjustment level; Send command over SACCH header with NO power adjustment level]
Slow power control every 480 ms
Fast power control every 20 ms, signalling is made over enhanced inband associated control channel (E-IACCH)
-
USRPs synchronization
- GPS does not work for indoor environments
- Coaxial cable delay is not tolerated at high data rate
If the USRPs are not synchronized with each other after synchronizing with BTS:
Training sequence based on the internal clock
Adjust the internal clock based on the sequence
-
4. Future work
Investigating more research for the messages in the bit level
The physical layer of GSM technology (Modulation, coding,...)
Algorithm(s) to connect messages flow/TMSI and unique user