How a Cell Phone System Works
The 3 G’s
Cellular Data Networks
Circuit and Packet Switching
Circuit switching: A physical path is obtained for and dedicated to a single
connection between two end-points in the network for the duration of the
connection. Ordinary voice phone service is circuit-switched. The phone
company reserves a specific physical path to the number being called for
the duration of the call. During that time, no one else can use the
physical path.
Packet switching: Small units of data called packets are routed through a
network based on the destination address contained within each packet. The
same data path can be used by many users in the network. This type of
communication between sender and receiver is known as connectionless
(rather than dedicated). Most traffic over the Internet uses packet
switching; the Internet is basically a connectionless network.
Spread Spectrum Transmission
Direct Sequence (DSSS):
• Highest power consumption
• Highest potential data rates
• Lower aggregate capacity using multiple physical layers than frequency hopping
• Smallest number of geographically separate radio cells due to limited channels
• Greater range than frequency hopping
• Slices transmission into small coded bits and spreads the message across the whole band
• Spreads power across the band instead of concentrating it in the signal
• Utilizes a wide signal channel
Frequency Hopping (FHSS):
• Lower cost
• Lowest power consumption
• Most tolerant to signal interference
• Lower potential data rates
• Highest aggregate capacity using multiple physical layers
• Less range than direct sequence
• Concentrates power in a very narrow spectrum
• Hops in a pseudo-random pattern (100 times/sec)
CDMA and TDMA
CDMA (Code-Division Multiple Access) is a digital
cellular technology that uses spread-spectrum
techniques. Unlike systems that use TDMA, CDMA
does not assign a specific frequency to each user.
Instead, every channel uses the full available
spectrum. Individual conversations are encoded with
a pseudo-random digital sequence, and the receiver
recovers one conversation by correlating the received
signal against that conversation's sequence.
TDMA (Time Division Multiple Access) is a technology
for delivering digital wireless service using time
division multiplexing. TDMA works by dividing a radio
frequency into time slots and then allocating slots to
multiple calls. In this way, a single frequency can
support multiple, simultaneous data channels. TDMA
is used by the GSM digital cellular system.
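The CDMA idea above (every user on the same spectrum at once, separated only by its code) as an added worked example, not part of the original slides. Walsh (Hadamard) codes stand in for the pseudo-random sequences; chips are +1/-1 integers and the three users' bit streams are constructed sample data.

```python
"""CDMA channel sharing with orthogonal spreading codes (added example).

Each user's bits are spread by that user's code, every user transmits on the
same spectrum at the same time, and the receiver recovers one user by
correlating the summed signal against that user's code. The other users
cancel out because the codes are mutually orthogonal."""


def walsh_codes(n: int) -> list:
    """Sylvester-Hadamard construction: n mutually orthogonal +1/-1 codes of
    length n (n must be a power of two)."""
    assert n > 0 and n & (n - 1) == 0
    h = [[1]]
    while len(h) < n:
        h = [row + row for row in h] + [row + [-c for c in row] for row in h]
    return h


def spread(bits, code):
    """Map each bit to +1/-1 and multiply by the code: one bit becomes len(code) chips."""
    chips = []
    for b in bits:
        symbol = 1 if b else -1
        chips.extend(symbol * c for c in code)
    return chips


def shared_channel(*signals):
    """The air interface: every user's chips simply add up at the receiver."""
    assert len({len(s) for s in signals}) == 1, "all users spread the same number of bits"
    return [sum(chips) for chips in zip(*signals)]


def correlate(channel, code):
    """Per-bit correlation of the summed signal with one code. Orthogonality
    leaves +n or -n for a user's own code and 0 for a code nobody is using."""
    n = len(code)
    return [sum(ch * c for ch, c in zip(channel[k:k + n], code))
            for k in range(0, len(channel), n)]


def despread(channel, code):
    """Decision: positive correlation -> bit 1, negative -> bit 0."""
    return [1 if corr > 0 else 0 for corr in correlate(channel, code)]


def demo():
    """Three users share one channel; returns the summed chips and what each
    user's receiver recovers. Bit patterns are constructed sample data."""
    codes = walsh_codes(8)
    users = {"A": [1, 0, 1, 1], "B": [0, 0, 1, 0], "C": [1, 1, 0, 0]}
    # Code 0 is all +1 and is kept unused here (IS-95 reserves it for the pilot).
    assignment = {"A": codes[1], "B": codes[2], "C": codes[3]}
    channel = shared_channel(*(spread(users[u], assignment[u]) for u in users))
    recovered = {u: despread(channel, assignment[u]) for u in users}
    return channel, recovered


if __name__ == "__main__":
    chan, rec = demo()
    print("summed chips:", chan)
    print("recovered   :", rec)
```

Note what a TDMA system would do instead: give each call its own time slot on one frequency, so the receiver selects by time rather than by code.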
All BSs (base stations) within a cluster are connected to a Mobile
Switching Center (MSC). Each MSC of a cluster is then connected to the
MSCs of other clusters and to a PSTN main switching center. The MSC
stores information about the mobile phones within the cluster and is
responsible for directing calls to them.
Making a Call
1. Scan Control Channels: Your cell phone needs to use the "closest"
base station because that's the one with the strongest signal and the
one that will give the best connection. To find the closest base
station, your phone checks all 21 control channels and determines
which has the strongest signal.
2. Choose Strongest: Your cell phone chooses the strongest signal
and decides to use that one for placing the call.
3. Send Origination Message: Your cell phone now transmits a very
short message (about 1/4 second) that contains the MIN (Mobile
Identification Number, aka your cell phone number), its ESN
(Electronic Serial Number), and the number you just dialed.
4. Get Channel Assignment: After the cellular service provider verifies
that you are a valid, paying customer (based on the MIN and ESN
your phone sent), the base station sends a Channel Assignment
message to your phone (also a short 1/4-second burst). This
message tells your phone where (that is, on which channel) the
conversation will take place.
5. Begin Conversation
A wireless roaming network has five components that
make it work:
A database for storing customer profile information such as
features, dialing capabilities, and the home serving area
identification. This is called the home location register (HLR).
A database of mobile numbers used by each switch on the
A signaling network for transmitting data messages between
Routing specifications that direct the data messages to the
Public long-distance connections for call delivery
A registration cycle keeps track of a phone as it travels around
the network. It begins when a wireless user powers on their
phone. The general steps for this process are:
1. When the phone is powered on, it sends a data message to the
cellsite. This data message contains the Mobile Identification Number
(MIN or phone number) and the Electronic Serial Number (ESN). The
cellsite forwards this information to the switch.
2. The switch compares the MIN with a table of all MINs in the network.
It will determine if the MIN belongs to a home customer, or to a
visiting customer. In either case, the switch will request the
subscriber's feature profile from the Home Location Register (HLR). The
HLR for home customers may be integrated into the same switch or stored
on a separate platform.
3. If the HLR is a separate platform, or if the customer is visiting
from another system, the switch then sends a data message to the HLR
across the signaling network. Routing specifications stored at Signaling
Transfer Points (STPs) provide the necessary information to direct the
message to the home HLR.
4. When the Home Location Register (HLR) receives the message, it checks
the MIN and the ESN. If the numbers are valid, the HLR records the
location of the phone and returns a message containing the subscriber's
feature list and calling restrictions to the visited switch.
5. Once the visited switch receives the return message, it creates a
Visitor Location Register (VLR) entry to store information about the
roamer, including the MIN, ESN, features, etc. This register will be
used by the roamer as long as they are registered in the visited system.
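The registration cycle above, simulated with both sides' messages, as an added example (not the slides' material): a switch classifies the MIN as home or visiting, reaches the home HLR either directly or through an STP routing table, the HLR validates the MIN/ESN pair and records the phone's location, and the visited switch builds a VLR entry. The MINs (555-01xx numbers), ESNs, routing table and feature profiles are constructed sample data.

```python
"""Roaming registration: cellsite -> switch -> (STP) -> HLR -> switch/VLR (added example)."""
from dataclasses import dataclass, field


@dataclass
class HLR:
    """Home Location Register: subscriber profiles keyed by MIN, plus where each phone was last seen."""
    system_id: str
    subscribers: dict                                   # MIN -> {"esn", "features", "restrictions"}
    locations: dict = field(default_factory=dict)       # MIN -> id of the switch currently serving it

    def registration_notification(self, min_: str, esn: str, visited_switch: str) -> dict:
        sub = self.subscribers.get(min_)
        if sub is None or sub["esn"] != esn:            # both numbers must match the stored profile
            return {"status": "DENIED", "reason": "MIN/ESN mismatch"}
        self.locations[min_] = visited_switch           # calls for this MIN are now delivered here
        return {"status": "OK", "features": sub["features"], "restrictions": sub["restrictions"]}


class STP:
    """Signaling Transfer Point: routes a message to the home system's HLR by MIN prefix (NPA-NXX)."""
    def __init__(self, routes: dict):
        self.routes = routes                            # "212555" -> HLR object

    def route(self, min_: str):
        return self.routes.get(min_[:6])


class Switch:
    """A mobile switch (MSC) with its table of home MIN prefixes and a VLR for roamers."""
    def __init__(self, switch_id: str, home_prefixes: set, home_hlr: HLR, stp: STP):
        self.switch_id = switch_id
        self.home_prefixes = home_prefixes
        self.home_hlr = home_hlr                        # integrated HLR for home customers
        self.stp = stp
        self.vlr = {}                                   # Visitor Location Register, MIN -> entry

    def register(self, min_: str, esn: str) -> str:
        """Handle the power-on data message (MIN, ESN) forwarded by the cellsite."""
        is_home = min_[:6] in self.home_prefixes
        hlr = self.home_hlr if is_home else self.stp.route(min_)   # direct, or across the signaling network
        if hlr is None:
            return "DENIED"                             # no routing specification for this MIN's home
        reply = hlr.registration_notification(min_, esn, self.switch_id)
        if reply["status"] != "OK":
            self.vlr.pop(min_, None)                    # a failed re-registration must not keep stale access
            return "DENIED"
        self.vlr[min_] = {"esn": esn, "home": is_home,
                          "features": reply["features"], "restrictions": reply["restrictions"]}
        return "REGISTERED"


def build_network():
    """Two systems (NYC and LA) sharing one STP; returns the NYC switch and both HLRs. Constructed data."""
    hlr_nyc = HLR("NYC", {"2125550100": {"esn": "A1B2C3D4", "features": ["CW"], "restrictions": []}})
    hlr_la = HLR("LA", {"3105550199": {"esn": "0F0E0D0C", "features": ["VM", "CW"],
                                       "restrictions": ["NO_INTL"]}})
    stp = STP({"212555": hlr_nyc, "310555": hlr_la})
    return Switch("NYC-1", {"212555"}, hlr_nyc, stp), hlr_nyc, hlr_la


if __name__ == "__main__":
    switch, _, hlr_la = build_network()
    print(switch.register("3105550199", "0F0E0D0C"), switch.vlr, hlr_la.locations)
```

The VLR entry is the one the visited switch consults for the rest of the roamer's stay; the HLR only learns which switch to hand calls to.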
During a call, the base station monitors the signal level from the
mobile phone. When the mobile phone is moving into a new cell, the
signal level falls to a critical value, causing the base station to
inform the Mobile Switching Center (MSC) about this event. The MSC
instructs all the surrounding base stations to measure the mobile
phone's signal level and transfers control to the base station
receiving the strongest signal level. This is known as hand-over and
occurs within 400 ms, so the phone user is hardly aware of a break.
Registration is done again with the new base station. Location
information stored in the MSC about this mobile telephone is updated.
If the mobile telephone is moved into a cell belonging to a different
cluster, it would also have to register with the MSC of the new
cluster.
1G (Analog Cellular)
Uses frequency division multiple access (FDMA) to communicate (every
call in one area uses its own set of channels for communication).
No support for wireless data.
NMT (Nordic Mobile Telephone) is an analog cellular phone system
deployed in more than 40 countries in Europe. NMT was the first analog
cellular phone system (launched in the Scandinavian countries in 1979).
The system originally used the 450 MHz band (NMT 450), but later, when
more capacity was needed, it was also adapted for the 900 MHz band
(NMT 900).
AMPS (Advanced Mobile Phone System) is the
analog cellular phone system used in North and
South America. AMPS uses FDMA and operates at
800 MHz band. AMPS was introduced in the USA in
TACS (Total Access Communication System) was
developed in Britain using the 900 MHz band. TACS
was based on the AMPS system and was adopted in
other countries such as Hong Kong and Japan.
ETACS (Extended Total Access Communication
System) was developed in the UK and is available in
Europe and Asia.
2G (Digital Cellular)
Uses digital encoding and includes CDMA, TDMA and GSM. Text messages
can be sent on 2G networks, but more bandwidth-hungry applications
In the United States, GSM, TDMA, and CDMA are
assigned two frequency ranges that include the
frequency ranges assigned to analog cellular, 824
MHz to 849 MHz and 869 MHz to 894 MHz, and also
the frequency ranges of 1850 to 1910 MHz and 1930
MHz to 1990 MHz.
CDMA (Code Division Multiple Access) uses a
spread spectrum technique to scatter a radio signal
across a wide range of frequencies.
IDEN, (Integrated Digital Enhanced Network) is a
wireless technology from Motorola combining the
capabilities of a digital cellular telephone, two-way
radio, alphanumeric pager, and data/fax modem in a
single network. iDEN operates in the 800 MHz,
900 MHz, and 1.5 GHz bands and is based on time
division multiple access (TDMA) and GSM
GSM (Global System for Mobile Communications)
is the digital transmission technique widely adopted
in Europe and supported in North America. GSM
uses 900 MHz and 1800 MHz in Europe. In North
America, GSM uses the 1900 MHz band.
TDMA (Time Division Multiple Access) divides
each cellular channel into three time slots in order to
increase the amount of data that can be carried.
GSM and D-AMPS use TDMA in one form or
another. It is also generally used to describe what
was formerly known as D-AMPS. TDMA networks are
operated in the United States, Latin America, New
Zealand, parts of Russia and Asia Pacific.
2G Vendor Support
Cingular supports TDMA and GSM.
Nextel relies on iDEN.
T-Mobile supports GSM.
AT&T Wireless supports TDMA and GSM
Verizon Wireless uses CDMA.
2.5G
An enhancement to 2G networks that allows them to operate in a "packet
switched" manner.
2.5G networks incorporate 2G technology with
GPRS' higher speeds to support data transport. 2.5G
is a bridge from the voice-centric 2G networks to the
data-centric 3G networks.
GPRS (General Packet Radio Service) is a radio
technology for GSM networks that adds packet-
switching protocols. As a 2.5G technology, GPRS
enables high-speed wireless Internet and other data
communications. GPRS networks can deliver SMS,
MMS, email, games, and WAP applications.
3G networks promise next-generation service
with transmission rates of 144Kbps and
higher that can support multimedia
applications, such as video, video
conferencing and Internet access. Both
UMTS (WCDMA) and EDGE will support 3G
services. 3G networks operate on a different
frequency than 2G networks.
UMTS (Universal Mobile Telecommunications System), also known by its
air interface WCDMA (Wideband Code Division Multiple Access), was
selected as the successor to
GSM. It is the European standard for 3G wideband
digital radio communications, and it utilizes one 5
MHz channel for both voice and data, offering data
speeds up to 2 Mbps.
EDGE is a mobile network radio technology that
allows current GSM networks to offer 3G services
within existing frequencies. As an evolution of
GSM/GPRS, EDGE is an upgrade to GPRS' data and
GSM's voice networks. EDGE provides data speed
three times that of GPRS.
Cellular Data Networks
Short Message Service
Multimedia Message Service
General Packet Radio Service
High Speed Circuit Switched Data
Enhanced Data Rates for Global Evolution
Short Message Service (SMS)
Globally accepted wireless service that enables the
transmission of alphanumeric messages between mobile
devices and external systems
Available in US on GSM-based PCS as well as TDMA and
CDMA based cellular systems
Short Message Service Center (SMSC) acts as a relay and
store and forward system for messages
Point to point delivery of messages
Active mobile handset is able to receive or send a short
message at any time, independent of whether a voice or data
call is in progress
Utilizes out-of-band packet delivery and low-bandwidth message
Guarantees delivery of the short message by the network.
Temporary transmission failures are identified, and the message
is stored in the network until the destination becomes available
Multimedia Message Service, a store-and-forward method of
transmitting graphics, video clips, sound files and short text
messages over wireless networks using the WAP protocol.
Carriers deploy special servers, dubbed MMS Centers (MMSCs)
to implement the offerings on their systems.
MMS also supports e-mail addressing, so the device can send
e-mails directly to an e-mail address. The most common use of
MMS is for communication between mobile phones. MMS,
however, is not the same as e-mail. MMS is based on the
concept of multimedia messaging. The presentation of the
message is coded into the presentation file so that the images,
sounds and text are displayed in a predetermined order as one
singular message. MMS does not support attachments as e-mail does.
To the end user, MMS is similar to SMS.
GPRS (General Packet Radio Service) is a specification for data
transfer on TDMA and GSM networks. The theoretical limit for packet
switched data is approx. 170 kb/s. A realistic bit rate is 30-70 kb/s.
GPRS supports both TCP/IP and X.25.
It provides moderate speed data transfer, by using unused
TDMA channels on a GSM network.
GSM circuit switch connections are still used for voice, but data
is sent and received in "packets" in the same way as it would be
in the fixed internet environment.
The advantage is that network resources are used more
efficiently. Rather than maintaining a circuit for the duration of
the connection, which ties up resources regardless of whether
anything is actually being sent or received, GPRS only
consumes resource when information packets are transmitted.
HSCSD (High Speed Circuit Switched Data) is a specification for data
transfer over GSM networks. HSCSD utilizes up to four 9.6 kbps or
14.4 kbps time slots, for a total bandwidth of 38.4 kbps or 57.6 kbps.
14.4 kbps time slots are only available on GSM networks that operate at
1800 MHz. 900 MHz GSM networks are limited to 9.6 kbps time slots.
Therefore, HSCSD is limited to 38.4 kbps on 900 MHz GSM networks. HSCSD
can only achieve 57.6 kbps on 1800 MHz GSM networks.
HSCSD vs. GPRS
HSCSD has an advantage over GPRS in that HSCSD supports
guaranteed quality of service because of the dedicated circuit-
switched communications channel. This makes HSCSD a better
protocol for timing-sensitive applications such as image or video
GPRS has the advantage over HSCSD for most data transfer because
HSCSD, which is circuit-switched, is less bandwidth efficient over
expensive wireless links than GPRS, which is packet-switched.
For an application such as downloading, HSCSD may be
preferred, since circuit-switched data is usually given priority
over packet-switched data on a mobile network, and there are
few seconds when no data is being transferred.
Enhanced Data Rates for Global Evolution (EDGE) is a bolt-
on enhancement to 2G and GPRS networks. This technology is
compatible with TDMA and GSM networks. EDGE uses the
same spectrum allocated for GSM850, GSM900, GSM1800 and
Instead of employing GMSK (Gaussian minimum-shift keying), EDGE uses
8-PSK (8-phase shift keying), producing a 3-bit symbol for every change
in carrier phase. This effectively triples the gross data rate offered
by GSM. EDGE, like GPRS, uses a rate
adaptation algorithm that adapts the modulation and coding
scheme (MCS) used to the quality of the radio channel, and thus
the bit rate and robustness of data transmission. It introduces a
new technology not found in GPRS, Incremental Redundancy,
which, instead of retransmitting disturbed packets, sends more
redundancy information to be combined in the receiver. This
increases the probability of correct decoding.
Wireless Application Protocol
An application communication protocol
Used to access services and information
Inherited from Internet standards
Used for handheld devices such as mobile phones
A protocol designed for micro browsers
Enables the creating of web applications for mobile
Uses the mark-up language WML (not HTML)
WML is defined as an XML 1.0 application
The WAP standard is based on HTML, XML and TCP/IP. It
consists of a WML language specification, a WMLScript
specification, and a Wireless Telephony Application Interface
WML stands for Wireless Markup Language. It is a mark-up
language inherited from HTML, but WML is based on XML, so it
is much stricter than HTML.
WML uses WMLScript to run simple code on the client. WMLScript is not
embedded in the WML pages; WML pages only contain references to script
URLs. WML scripts need to be compiled into byte code on a server before
they can run in a WAP browser.
ISM Frequency Bands
The three Industrial, Scientific, and Medical (ISM) bands are the only
ones available for unlicensed wireless transmission in the US, and only
one of them, 2.4-2.4835 GHz (home of the microwave oven band), has
world-wide availability. Transmission in these bands uses spread-spectrum
techniques with transmitter power under 1 watt. The higher-frequency
bands offer more bandwidth, which supports higher data rates.
The following standards exist :
•IEEE 802.11 - The original 2 Mbit/s, 2.4 GHz standard
•IEEE 802.11a - 54 Mbit/s, 5 GHz standard
•IEEE 802.11b - Enhancements to 802.11 to support 5.5 and 11 Mbit/s
•IEEE 802.11d - New countries
•IEEE 802.11e - Enhancements: QoS, including packet bursting
•IEEE 802.11f - Inter-Access Point Protocol (IAPP)
•IEEE 802.11g - 54 Mbit/s, 2.4 GHz (backwards compatible with b)
•IEEE 802.11h - 5 GHz spectrum, Dynamic Channel/Frequency Selection
(DCS/DFS) and Transmit Power Control (TPC) for European compatibility
•IEEE 802.11i - Enhanced security
•IEEE 802.11j - Extensions for Japan
•IEEE 802.11n - Higher throughput improvements
•IEEE 802.11p - Adding wireless capabilities to mobile vehicles such as
ambulances and passenger cars
802.11b has a range of about 50 meters with the low-gain
omnidirectional antennas typically used in 802.11b devices.
802.11b has a maximum throughput of 11 Mbit/s, however a
significant percentage of this bandwidth is used for
communications overhead; in practice the maximum throughput
is about 5.5 Mbit/s. Metal, water, and thick walls absorb 802.11b
signals and decrease the range drastically. 802.11 runs in the
2.4 GHz spectrum and uses Carrier Sense Multiple Access with
Collision Avoidance (CSMA/CA) as its media access method.
With high-gain external antennas, the protocol can also be used
in fixed point-to-point arrangements, typically at ranges up to 8
kilometers (although some report success at ranges up to 80-
120 km where line of sight can be established). This is usually
done to replace leased lines, or in place of microwave
communications equipment. Current cards can operate at 11
Mbit/s, but will scale back to 5.5, then 2, then 1, if signal strength
becomes an issue.
The 802.11a standard uses the 5 GHz band, and operates at a raw speed
of 54 Mbit/s, with more realistic net achievable speeds in the mid-20
Mbit/s. The speed is reduced to 48, 36, 24, 18, 12, 9 then 6 Mbit/s if
required. 802.11a has 12 non-overlapping channels, 8 dedicated to indoor
and 4 to point-to-point use.
802.11a has not seen wide adoption because of the high
adoption rate of 802.11b, and because of concerns about range:
at 5 GHz, 802.11a cannot reach as far as 802.11b, other things
(such as same power limitations) being equal; it is also
absorbed more readily. Most manufacturers of 802.11a
equipment countered the lack of market success by releasing
dual-band or dual-mode/tri-mode cards that can automatically
handle 802.11a and b or a, b and g as available. Access point
equipment which can support all these standards
simultaneously is also available.
802.11g works in the 2.4 GHz band (like 802.11b) but operates at 54
Mbit/s raw, or about 24.7 Mbit/s net, throughput like 802.11a. It is
fully backwards compatible with b and uses the same frequencies. In
older equipment, however, the presence of an 802.11b participant
significantly reduces the speed of an 802.11g network.
A new feature called Super G is now integrated in certain
access points. These can boost network speeds up to 108
Mbit/s by using channel bonding. This feature may interfere with
other networks and may not support all b and g client cards. In
addition, packet bursting techniques are also available in some
chipsets and products which will also considerably increase
speeds. Again, they may not be compatible with some
In January 2004, IEEE announced that it will develop a new standard
(802.11n) for higher-throughput wireless LANs. The real speed would be
100 Mbit/s (even 250 Mbit/s at the PHY level), and so up to 4-5 times
faster than 802.11g, and perhaps 50 times faster than 802.11b. As
projected, 802.11n will also offer a better operating distance than
current networks. The standardization progress is expected to be
completed by the end of 2006.
802.11 Security (WEP)
Wired Equivalent Privacy
A security protocol for wireless local area networks defined in the
original IEEE 802.11 standard. WEP is designed to provide the same level of
security as that of a wired LAN. LANs are inherently more secure than
WLANs because LANs are somewhat protected by the physical
properties of their structure, having some or all part of the network
inside a building that can be protected from unauthorized access.
WLANs, which operate over radio waves, do not have the same
physical structure and therefore are more vulnerable to tampering.
WEP aims to provide security by encrypting data over radio waves so
that it is protected as it is transmitted from one end point to another.
Data encryption protects the vulnerable wireless link between clients
and access points; once this measure has been taken, other typical
LAN security mechanisms such as password protection, end-to-end
encryption, virtual private networks (VPNs), and authentication can be
put in place to ensure privacy.
802.11 Security (WEP)
Some versions use the 40-bit key that was originally used to formulate
the standard, while other newer versions use a 128-bit (104 in reality)
key; to each is added a 24-bit initialization vector (IV) which is
transmitted in the clear.
When WEP is active in a wireless LAN, each 802.11 packet is
encrypted separately with an RC4 cipher stream generated by an RC4
key. This key is composed of a 24-bit initialization vector (IV) and the
40 (or 104)-bit WEP key. The encrypted packet is generated with a
bitwise exclusive OR (XOR) of the original packet and the RC4 stream.
The IV is chosen by the sender and can be changed periodically so
every packet won't be encrypted with the same cipher stream. The IV is
sent in the clear with each packet. An additional 4-byte Integrity Check
Value (ICV) is computed on the original packet and appended to the
end. The ICV (be careful not to confuse this with the IV) is also
encrypted with the RC4 cipher stream.
802.11 Security (WEP Weaknesses)
WEP has been widely criticized for a number of weaknesses:
• A high percentage of wireless networks have WEP disabled because of
the administrative overhead of maintaining a shared WEP key.
• WEP has the same problem as all systems based upon shared keys: any
secret held by more than one person soon becomes public knowledge.
Take for example an employee who leaves a company: they still know the
shared WEP key. The ex-employee could sit outside the company with an
802.11 NIC and sniff network traffic or even attack the internal
network.
• The ICV algorithm is not appropriate: the WEP ICV is based on CRC-32,
an algorithm for detecting noise and common errors in transmission.
CRC-32 is an excellent checksum for detecting errors, but an awful
choice for a cryptographic integrity check. Better-designed systems use
a keyed message authentication code (for example an HMAC built on a
cryptographic hash) for their integrity check.
• The initialization vector that seeds the WEP algorithm is sent in the
clear, and at only 24 bits the IV space (about 16.7 million values) is
exhausted quickly on a busy network, after which keystreams repeat.
• The WEP checksum is linear and predictable: because CRC-32 is linear
under XOR, an attacker can flip bits in an encrypted frame and adjust
the ICV so the forgery still passes the check, without knowing the key.
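WEP as described on the previous slide (IV || key into RC4, XOR with plaintext || CRC-32 ICV), together with two of the weaknesses listed above shown concretely: keystream reuse under a repeated IV, and a bit-flip forgery that survives the linear ICV. This is an added example, not code from the original slides; RC4 is implemented inline, CRC-32 comes from zlib, and the key, IV and frame contents are constructed.

```python
"""WEP framing and two of its weaknesses (added example)."""
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings (result is as long as the shorter one)."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP Integrity Check Value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (in the clear) || RC4(IV || key) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)     # 24-bit IV; 40- or 104-bit key
    keystream = rc4_keystream(iv + wep_key, len(plaintext) + 4)
    return iv + xor_bytes(plaintext + icv(plaintext), keystream)


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok); the receiver takes the IV from the frame."""
    iv, body = frame[:3], frame[3:]
    decrypted = xor_bytes(body, rc4_keystream(iv + wep_key, len(body)))
    plaintext, received_icv = decrypted[:-4], decrypted[-4:]
    return plaintext, icv(plaintext) == received_icv


# Weakness 1: IV reuse. Two frames under the same IV use the same keystream,
# so C1 XOR C2 == P1 XOR P2; knowing one plaintext exposes the other.
def recover_with_reused_iv(frame_known: bytes, known_plaintext: bytes, frame_other: bytes) -> bytes:
    """Recover the second frame's plaintext (up to the known plaintext's length)."""
    assert frame_known[:3] == frame_other[:3], "attack needs a reused IV"
    keystream = xor_bytes(frame_known[3:], known_plaintext)   # C1 XOR P1 = keystream
    return xor_bytes(frame_other[3:], keystream)


def seconds_to_exhaust_iv_space(frames_per_second: float) -> float:
    """How long until a sender has used every 24-bit IV at a given frame rate."""
    return 2 ** 24 / frames_per_second


# Weakness 2: linear ICV. For inputs of equal length,
#   crc32(P XOR D) == crc32(P) XOR crc32(D) XOR crc32(zeros),
# so flipping bits D in the ciphertext and XORing in the matching ICV delta
# yields a frame that still passes the integrity check.
def forge_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Turn a captured frame into one that decrypts to P XOR delta; no key needed."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    assert len(delta) == n
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor_bytes(body, delta + icv_delta)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")         # constructed 40-bit WEP key
    iv = bytes.fromhex("000001")              # constructed IV
    frame = wep_encrypt(key, iv, b"GET /index.html")
    delta = xor_bytes(b"GET /index.html", b"GET /admin.html")
    print(wep_decrypt(key, forge_bitflip(frame, delta)))   # (b'GET /admin.html', True)
```

The forgery works on any frame whose plaintext layout the attacker can guess, which for IP headers is most of them; a keyed MAC (as TKIP's Michael or CCMP's CBC-MAC provide) is what stops it.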
802.11 Security (WPA)
Wi-Fi Protected Access
The Wi-Fi Alliance has taken a subset of the draft 802.11i standard,
calling it WPA, and now certifies devices that meet the requirements.
WPA uses Temporal Key Integrity Protocol (TKIP) as the protocol and
algorithm to improve security of keys used with WEP. It changes the
way keys are derived and rotates keys more often for security. It also
adds a message-integrity-check function to prevent packet forgeries.
While WPA goes a long way toward addressing the shortcomings of
WEP, not all users will be able to take advantage of it. That's because
WPA might not be backward-compatible with some legacy devices and
operating systems. Moreover, not all users can share the same security
infrastructure. Some users will have a PDA and lack the processing
resources of a PC.
TKIP/WPA will degrade performance unless a WLAN system has
hardware that will run and accelerate the WPA protocol. For most
WLANs, there's currently a trade-off between security and performance
without the presence of hardware acceleration in the access point.
802.11 Security (RSN)
Robust Security Network
RSN uses dynamic negotiation of authentication and encryption
algorithms between access points and mobile devices. The
authentication schemes proposed in the draft standard are based on
802.1X and the Extensible Authentication Protocol (EAP). The encryption
algorithm is the Advanced Encryption Standard (AES), used in CCMP mode.
Dynamic negotiation of authentication and encryption algorithms lets
RSN evolve with the state of the art in security, adding algorithms to
address new threats and continuing to provide the security necessary
to protect information that WLANs carry.
Using dynamic negotiation, 802.1X, EAP and AES, RSN is significantly
stronger than WEP and WPA. However, RSN will run very poorly on
legacy devices. Only the latest devices have the hardware required to
accelerate the algorithms in clients and access points, providing the
performance expected of today's WLAN products.
WPA will improve security of legacy devices to a minimally acceptable
level, but RSN is the future of over-the-air security for 802.11.
Royalty free operation
721 kbps plus three voice channels
2.402-2.480 GHz unlicensed ISM band
Frequency hopping spread spectrum
79 hops separated by 1 MHz
Range < 20 feet
Transmit power 0.1mW
Bluetooth supports both point-to-point and point-to-multipoint
connections. Several piconets can be established and linked together
ad hoc (a scatternet). Each piconet is identified by a different
frequency-hopping sequence.
Moderate duty cycle, secondary battery lasts same
Very high QoS and very low, guaranteed latency
Quasi-static star network up to seven clients with
ability to participate in more than one network
Frequency Hopping Spread Spectrum is extremely
difficult to create extended networks without large
ZigBee-compliant products take full advantage of a powerful IEEE
802.15.4 physical radio standard and operate in unlicensed bands
worldwide at 2.4 GHz (global), 915 MHz (Americas) and 868 MHz (Europe).
Raw data throughput rates of 250 kbps can be achieved at 2.4 GHz (16
channels), 40 kbps at 915 MHz (10 channels) and 20 kbps at 868 MHz (1
channel). Transmission distances range from 10 to 100 meters, depending
on power output and environmental conditions.
Very low duty cycle, very long primary battery life
Static and dynamic star and mesh networks, >65,000
nodes, with low latency available
Ability to remain quiescent for long periods without
Direct Sequence Spread Spectrum allows devices to
sleep without the requirement for close
Automatic Meter Reading
Wireless smoke and CO detectors
Blind, drapery and shade controls
Medical sensing and monitoring
Universal Remote Control to a Set-Top Box which includes
Industrial and building automation
“Bluetooth on steroids”
Designed for short-range, wireless personal area
networks (WPANs) enabling wireless connection of
multiple devices for transmission of video, audio and
other high-bandwidth data.
Its use will be to relay data from a host device to
other devices in the immediate area (up to 10 meters
or 30 feet).
UWB uses very low-powered, short-pulse radio
signals many times in the picosecond duration range
to transfer data over a very wide range of
frequencies. A UWB transmission involves billions of
pulses spread over several gigahertz.
UWB should deliver bandwidths from about 40Mbps
to 600Mbps, and eventually data rates could be up to
gigabits-per-second (with higher power).
UWB systems consume very little power, around one
ten-thousandth of that of cell phones. This makes
UWB practical for use in smaller devices, such as cell
phones and PDAs, that users carry at all times.
Because UWB operates at such low power, it has
very little interference impact on other systems. UWB
causes less interference than conventional radio-
network solutions. In addition, the relatively wide
spectrum that UWB utilizes significantly minimizes
the impact of interference from other systems as well.