
GSM, the Global System for Mobile communications, is a digital cellular communications system which has rapidly gained acceptance and market share worldwide, although it was initially developed in a European context. In addition to digital transmission, GSM incorporates many advanced services and features, including ISDN compatibility and worldwide roaming in other GSM networks. The advanced services and architecture of GSM have made it a model for third-generation cellular systems such as UMTS. This paper gives an overview of the services offered by GSM, the system architecture, the radio transmission structure, and the signaling functional architecture.

Building a new BTS is expensive, and acquiring the permits needed to build it takes time, effort and money as well. Once the BTS is built, further difficulties remain, such as uncovered areas and congestion at many places during rush hours. Finding a suitable place to build a BTS, covering the small uncovered areas and solving the rush-hour congestion problem have therefore proved to be a dilemma. Our experiment helps to overcome these difficulties: it occupies a very small area, its cost is very economical, it can be used at different places with different frequencies, and it offers a solution to the congestion problem. It will be of great importance to the mobile communication market, as it decreases costs and eases the process of deploying a new BTS. In effect, we are building a new type of cellular network that can be deployed and operated at lower cost than existing technologies while presenting an air interface that, to the cell phone, looks just like any other GSM cellular network. On the network side it is an Asterisk (VoIP) server: we put a cellular air interface on an Asterisk PBX and use Asterisk to connect calls.

So far, we have implemented a base station using state-of-the-art software and hardware components, namely GNU Radio and the OpenBTS software on a USRP hardware platform with two RFX daughterboards.

Introduction of OpenBTS

OpenBTS:-
OpenBTS is a software-defined GSM network access point that allows existing standard GSM-compatible mobile stations to make phone calls without using the existing telecommunication service providers' networks. OpenBTS is the first free, open-source software implementation of the industry-standard GSM protocol stack. It is an open-source Unix application that uses the USRP to present a GSM air interface ("Um") to standard GSM handsets and uses the Asterisk software PBX to connect calls. The combination of the ubiquitous GSM air interface with VoIP backhaul could form the basis of a new type of cellular network that could be deployed and operated at substantially lower cost than existing technologies in greenfield sites in the developing world. OpenBTS is in fact very different from a conventional GSM BTS, which is a dumb device managed externally by a BSC and which connects calls through a remote MSC; OpenBTS takes on the BTS, BSC and switching roles in a single node. Because of this architectural difference, the end product of this project is better referred to as an access point, even though the project is called OpenBTS.

A standard handset cannot distinguish the OpenBTS Um interface from that of a licensed operator, because GSM authenticates the SIM to the network but never the network to the handset; any phone within range may therefore camp on the access point. This is what makes a low-cost private network possible, and it is also why the transmitter must only be keyed under a spectrum licence or inside a shielded enclosure.

Fig 1-1, block diagram of the OpenBTS network

OpenBTS Required Hardware:-
1- Universal Software Radio Peripheral (USRP)

Fig 1-2, USRP

2- USRP Motherboard

Fig 1-3 , Motherboard

3- USRP Daughterboards

Fig 1-4 , Daughterboard

GSM Network

The GSM History

The foundation for the GSM Standard was laid in 1978, four years before the name GSM was established, when the CEPT reserved a frequency range around 900 MHz for mobile communications in Europe. The limits of analog mobile communications in Europe were already recognizable in the early 80s, even though the first analog cellular networks were only just beginning operation and were still far from their maximum capacity. A group of experts was therefore formed to establish the longer-term challenges of mobile communications and to develop a new binding international standard for digital mobile communications in Europe. The GSM Standard became undoubtedly one of the most successful European products of the past decades; its sphere of influence extends far beyond the originally planned European scope.

Milestones of the GSM Standard

1982: The CEPT forms a team of experts, the Group Special Mobile (GSM), with the purpose of developing a binding international standard for mobile communications in Europe.
1984-86: Various technical possibilities are compared in order to achieve optimal utilization of the predefined frequency ranges.
1986: A permanent core of experts is employed.
1987: The main transmission principles are selected; 13 countries agree in the MoU (Memorandum of Understanding) to start GSM networks by 1991.
1988: The ETSI (European Telecommunications Standards Institute) is founded; most of the standardizing activities of the CEPT, including GSM, are taken over by this new body. Along with state-owned operators, industry, private network operators and consumer groups also participate in the ETSI.
1989: GSM is renamed from "Group Special Mobile" to "Global System for Mobile Communications".
1990: The GSM900 Standard (Phase 1) is adopted. The DCS1800 Standard (Phase 1) is developed as the first GSM adaptation. The first GSM systems are in test operation.
1992: Commercial introduction of many large GSM900 networks.
1993: Work begins on updating the GSM900/DCS1800 standards: GSM Phase 2.
1995: GSM-R (Railway): the ETSI reserves a further frequency range for railway networks; the first test projects are started. GSM Phase 2 work is completed.
1996: Worldwide success of the GSM Standard; used in more than 50 countries. PCS1900 (Personal Communications Service) is introduced as a further GSM adaptation in the USA.
1997: GSM Phase 2+ Annual Release 96: CAMEL Stage 1, ASCI for GSM-R. DCS1800 / PCS1900 are renamed GSM1800 / GSM1900. Dual-band equipment for GSM900 / GSM1800. 10 years of the MoU: 109 countries; 239 operators; 44 million GSM subscribers; 28 % share of the world market.
1998: Phase 2+ Annual Release 97: HSCSD, GPRS Stage 1, CAMEL Stage 2. 08/98: 100 million GSM subscribers in 120 countries; 35 % share of the world market; GSM is a quasi world standard. GSM-R networks in operation. Worldwide service through co-operation with mobile satellite systems (IRIDIUM).
1999: Phase 2+ Annual Release '98; 250 million subscribers; 130 countries.
2000: Phase 2+ Annual Release '99: GPRS Stage 2, CAMEL Stage 3, EDGE, Virtual Home Environment (VHE), Adaptive Multi-Rate speech (AMR), ... GSM Rel. '99 services identical to UMTS Rel. '99 (first UMTS release); 410 million subscribers; 161 countries; approx. 60 % of the world market.

The GSM Technical Guideline

An international standard for mobile communications. Guidelines from the start:
- 1978: 2 x 25 MHz frequency bands at 900 MHz are reserved by the CEPT for mobile communications in Europe.
- 1982: Roaming; the user can change location, keep the connection and be reached in the entire range of a PLMN and in the entire GSM range (international roaming).
- One user, one number: the subscriber can be reached at a single personal number in the entire GSM range.

The GSM Recommendations

The GSM Standard has been laid down in what are now more than 150 recommendations, which describe subsystems, network components, interfaces, signaling, tests and maintenance aspects. This allows the harmonious interaction of all elements of a mobile communication network, designated a PLMN (Public Land Mobile Network).

Fig 2-1, GSM

The Evolutionary Concept of GSM

The GSM Standard consists of multiple recommendations. When the standard was adopted in 1988, it was recognized that not all of the planned services could be specified in the expected time frame. This led to the important decision to leave the GSM Standard incomplete and to leave space for further modifications and technical developments.

GSM Phase 1
Adopted in 1990 for GSM900 and in 1991 for GSM1800, Phase 1 comprises all of the most important prerequisites for digital information transmission. Speech transmission is of the greatest importance here. Data transmission is also defined, at rates of 0.3 to 9.6 kbit/s, together with only a few supplementary services such as call forwarding and barring.

GSM Phase 2
Begun shortly after completion of Phase 1 and closed in 1995. Supplementary services comparable to those of ISDN (Integrated Services Digital Network) were included in the standard, along with technical improvements such as half-rate speech; downward compatibility was taken into account.

GSM Phase 2+
A smooth transition from Phase 2. Main topics are new supplementary services such as the ASCI services (Advanced Speech Call Items), the IN (Intelligent Network) features CAMEL (Customized Applications for Mobile network Enhanced Logic) and VHE (Virtual Home Environment), and features to achieve higher data rates, i.e. HSCSD, GPRS and EDGE.

Fig 2-2, GSM evolutionary concept

Adaptations of the GSM Standard

The GSM adaptations GSM900, GSM1800, GSM1900, GSM-R and GSM400 differ in the frequency ranges used and in the resulting technical implementations.

GSM900 (GSM, E-GSM): 2 x 25 MHz around 900 MHz (890 - 915 MHz uplink; 935 - 960 MHz downlink). An extension of this range, called E-GSM (Extended GSM), increases it to 2 x 35 MHz (880 - 915; 925 - 960 MHz) on a national level as further operating licenses expire.

GSM1800 (DCS1800): An adaptation of GSM900, DCS (Digital Cellular System) was introduced in 1991 on a British initiative as a mass-market system, especially for urban areas. Range 2 x 75 MHz around 1800 MHz (1710 - 1785; 1805 - 1880 MHz). Later designated GSM1800.

GSM1900 (PCS1900): PCS (Personal Communications Service) is the American branch of GSM. Range 2 x 60 MHz around 1900 MHz (1850 - 1910; 1930 - 1990 MHz). Later designated GSM1900.

GSM-R (Railway): For mobile communication of railway operators. Range 2 x 4 MHz in the frequency range 876 - 880 MHz; 921 - 925 MHz.

GSM400: The GSM400 frequency range enables large-area cells for rural environments. Range 450.4 - 457.6 MHz and 460.4 - 467.6 MHz respectively (the ranges of the former 1G system).
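As an added worked example (not part of the original report), the band edges above can be turned into a channel-number lookup. GSM numbers each 200 kHz carrier pair with an ARFCN (absolute radio-frequency channel number); the formulas below are the ones in the GSM radio specification (3GPP TS 45.005), while the band labels are this example's own. The function also checks every result against the band edges quoted above, which is the check an operator of a software base station wants before keying a transmitter on a channel, and it refuses a band name it does not know rather than guessing.

```python
"""ARFCN to carrier-frequency mapping for the GSM bands listed above.

Added example, not from the report. Formulas follow the GSM radio
specification (3GPP TS 45.005); band labels are this example's own.
Arithmetic is done in integer kHz so that the MHz values returned
compare exactly with literals such as 890.2.
"""

# Per band, a list of ARFCN ranges:
#   (first ARFCN, last ARFCN, uplink carrier of the first ARFCN in kHz,
#    (uplink band edges in kHz), duplex spacing uplink -> downlink in kHz)
# E-GSM and GSM-R use "wrapped" channel numbers 955..1023 that sit
# below P-GSM channel 0.
BANDS = {
    "GSM900":  [(1, 124, 890_200, (890_000, 915_000), 45_000)],
    "EGSM900": [(0, 124, 890_000, (880_000, 915_000), 45_000),
                (975, 1023, 880_200, (880_000, 915_000), 45_000)],
    "GSMR":    [(955, 973, 876_200, (876_000, 880_000), 45_000)],
    "DCS1800": [(512, 885, 1_710_200, (1_710_000, 1_785_000), 95_000)],
    "PCS1900": [(512, 810, 1_850_200, (1_850_000, 1_910_000), 80_000)],
}

CARRIER_HALF_WIDTH_KHZ = 100   # a GSM carrier occupies 200 kHz


def arfcn_to_freq(arfcn, band):
    """Return (uplink_MHz, downlink_MHz) for an ARFCN in the named band.

    Raises ValueError if the band is unknown, the channel number is not
    defined for that band, or the 200 kHz carrier would straddle a band edge.
    DCS1800 and PCS1900 reuse the same ARFCN numbers, so the band must be
    named explicitly.
    """
    if band not in BANDS:
        raise ValueError(f"unknown band {band!r}")
    for first, last, ul_first, (lo, hi), duplex in BANDS[band]:
        if first <= arfcn <= last:
            ul = ul_first + 200 * (arfcn - first)
            if ul - CARRIER_HALF_WIDTH_KHZ < lo or ul + CARRIER_HALF_WIDTH_KHZ > hi:
                raise ValueError(f"ARFCN {arfcn}: carrier {ul / 1000} MHz is outside {band}")
            return ul / 1000, (ul + duplex) / 1000
    raise ValueError(f"ARFCN {arfcn} is not defined in {band}")


def freq_to_arfcn(uplink_mhz, band):
    """Inverse lookup: the ARFCN whose uplink carrier centre is uplink_mhz."""
    target_khz = round(uplink_mhz * 1000)
    for first, last, ul_first, _edges, _duplex in BANDS.get(band, []):
        offset = target_khz - ul_first
        if offset % 200 == 0 and first <= first + offset // 200 <= last:
            return first + offset // 200
    raise ValueError(f"{uplink_mhz} MHz is not a carrier centre in {band!r}")


def is_valid_channel(arfcn, band):
    """True if the (ARFCN, band) pair is one this plan would let you transmit on."""
    try:
        arfcn_to_freq(arfcn, band)
        return True
    except ValueError:
        return False


def band_plan(band):
    """All (ARFCN, uplink_MHz, downlink_MHz) rows of a band, sorted by frequency."""
    rows = []
    for first, last, *_ in BANDS[band]:
        for n in range(first, last + 1):
            ul, dl = arfcn_to_freq(n, band)
            rows.append((n, ul, dl))
    rows.sort(key=lambda row: row[1])
    return rows


if __name__ == "__main__":
    for name in BANDS:
        plan = band_plan(name)
        n0, ul0, dl0 = plan[0]
        n1, ul1, dl1 = plan[-1]
        print(f"{name:8s} ARFCN {n0:4d}..{n1:4d}: UL {ul0}-{ul1} MHz, "
              f"DL {dl0}-{dl1} MHz ({len(plan)} carriers)")
```

Running the script prints the lowest and highest carrier of each band, which is a quick way to confirm that a configured channel really sits inside the ranges listed in this section.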

GSM Architecture:-

Fig 2-3, Network Architecture

Mobile Station (MS):-
The mobile station (MS) is a portable data and/or voice communications station which acts as a normal telephone while being able to move over a wide area. A mobile station is typically made up of an antenna, an amplifier, a receiver, a transmitter, and similar hardware and software for sending and receiving signals and converting between RF waves and audio signals. The MS comprises all user equipment and software needed for communication with a wireless telephone network; in practice MS refers to the mobile phone, i.e. the handset held by the user in the mobile network. This is the terminology of 2G systems like GSM; in 3G systems the MS is referred to as User Equipment (UE). The MS includes the radio equipment and the man-machine interface (MMI) that a subscriber needs in order to access the services provided by the GSM PLMN. An MS can be installed in a vehicle or can be a portable or handheld station, and it may include provisions for data communication as well as voice. A mobile transmits and receives messages to and from the GSM system over the air interface to establish and maintain connections through the system.

In GSM, the Mobile Station consists of four main components:
Mobile Terminal (MT): offers the common functions that are used by all the services the Mobile Station offers. It is equivalent to the network termination of an ISDN access and is also the end-point of the radio interface.
Terminal Equipment (TE): a peripheral device of the Mobile Station that offers services to the user. It does not contain any functions specific to GSM.
Terminal Adapter (TA): hides the radio-specific characteristics from the terminal equipment.
Subscriber Identity Module (SIM): personalizes the Mobile Station and stores user-specific parameters (such as the mobile number, contacts, etc.).

Fig 2-4, MS components

Each MS is identified by an IMEI that is permanently stored in the mobile unit. Upon request, the MS sends this number over the signaling channel to the MSC. The IMEI can be used to identify mobile units that are reported stolen or are operating incorrectly. Just as the IMEI identifies the mobile equipment, other numbers are used to identify the mobile subscriber, and different subscriber identities are used in different phases of call setup. The Mobile Subscriber ISDN Number (MSISDN) is the number that the calling party dials in order to reach the subscriber; it is used by the land network to route calls toward the appropriate MSC. The International Mobile Subscriber Identity (IMSI) is the primary identity of the subscriber within the mobile network and is permanently assigned to the subscription, stored in the SIM. Because the IMSI is a permanent identifier, the network normally allocates a temporary identity (TMSI) that is used in its place on the air interface, so that the IMSI itself is sent in the clear as rarely as possible.

The Mobile Station (MS) performs the following functions:
- Radio transmission termination
- Radio channel management
- Speech encoding/decoding
- Radio link error protection
- Flow control of data
- Mobility management
- Performance measurements of the radio link

The MS has two very important entities, each with its own identity: the Subscriber Identity Module (SIM) and the Mobile Equipment (ME).

Subscriber Identity Module (SIM):-

Fig 2-5, SIM

GSM subscribers are provided with a SIM (subscriber identity module) card carrying a unique identity at the very beginning of service. By separating the subscriber identity from the equipment identity, the subscriber need not own the GSM mobile equipment at all: the subscriber is identified in the system when the SIM card is inserted in the mobile equipment. This provides an enormous amount of flexibility, since subscribers can now use any GSM-specified mobile equipment. The SIM is removable, originally the size of a credit card, and contains an integrated-circuit chip with a microprocessor, random access memory (RAM) and read-only memory (ROM). The subscriber inserts it in the MS when he or she wants to use the MS to make or receive a call. The SIM also comes in a smaller plug-in form that can be mounted in the subscriber's equipment. When a mobile subscriber wants to use the system, he or she inserts the SIM card and provides a Personal Identification Number (PIN), which is compared with the PIN stored within the SIM. If the user enters three incorrect PIN codes, the SIM is blocked and can only be unblocked with the PUK (PIN unblocking key) supplied with the subscription. At the subscriber's request the PIN check can also be disabled permanently. Disabling the PIN code simplifies call setup but reduces the protection of the user's account in the event of a stolen SIM: the PIN protects the SIM against use by whoever holds it, not against extraction of the secret key it stores.

Functions of a SIM:
- Authentication of the validity of the MS when accessing the network
- User authentication (the PIN)
- Storage of subscriber-related information, which can be data fixed during the administrative phase (e.g., the subscriber identification) or temporary network data (e.g., the cell location identity)

Mobile Equipment (ME):-
The mobile equipment, also called the terminal, is responsible for communication with the GSM system and for converting the radio signals into human voice and vice versa. According to its power and application, the ME is divided into different types: fixed terminals, portable terminals and handheld terminals.

a) Fixed Terminals
These MEs are installed in cars and have a maximum power output of 20 W.

b) Portable Terminals
Portable terminals are also installed in vehicles. Their maximum allowed output power is 8 W.

c) Handheld Terminals
The handheld terminals are the most popular because of their small size and weight, which are decreasing continuously. These terminals can emit up to 2 W of power. With the evolution of technology, the maximum allowed power has been reduced to 0.8 W.

Base Station System (BSS):-
All radio-related functions are performed in the BSS, which consists of base station controllers (BSCs) and base transceiver stations (BTSs).

BSC: The BSC provides all the control functions and physical links between the MSC and the BTS. It is a high-capacity switch that provides functions such as handover, cell configuration data, and control of radio frequency (RF) power levels in the base transceiver stations. A number of BSCs are served by one MSC.

BTS: The BTS handles the radio interface to the mobile station. It is the radio equipment (transceivers and antennas) needed to serve each cell in the network; a group of BTSs is controlled by one BSC, and each BTS serves one cell. A BTS is typically able to handle three to five radio carriers, carrying between 24 and 40 simultaneous communications. Reducing the BTS volume is important to keeping down the cost of cell sites. A BTS comprises the radio transmission and reception devices, up to and including the antennas, and also all the signal processing specific to the radio interface. A single transceiver within the BTS supports eight basic radio channels in the same TDMA frame. There are two arrangements in which BTSs may be placed in cells, depending on the circumstances of the region in which they are to be used; the two arrangements are shown in the figure below.

Fig 2-6, BTS Arrangement

Fig 2-7, BSS

Fig 2-8,BTS

Functions of BTS:-
The primary responsibility of the BTS is to transmit and receive radio signals to and from a mobile unit over the air interface. To perform this function, the signals are encoded, encrypted, multiplexed, modulated, and then fed to the antenna system at the cell site. Transcoding to bring 13 kbit/s speech to a standard data rate of 16 kbit/s and then combining four of these signals into 64 kbit/s is essentially part of the BTS function, though it can also be done at the BSC or at the MSC. Voice communication can be at either full or half rate over a logical speech channel. In order to keep the mobile synchronized, the BTS transmits frequency and time synchronization signals over the frequency correction channel (FCCH) and the synchronization channel (SCH), alongside the system information broadcast on the BCCH. The signal received from the mobile is decoded, decrypted, and equalized for channel impairments. Random access detection is made by the BTS, which then passes the request to the BSC; the subsequent channel assignment is made by the BSC. The timing advance is determined by the BTS, which signals the mobile for the proper timing adjustment. Uplink radio channel measurements, corresponding to the downlink measurements made by the MS, have to be made by the BTS.

Network and Switching Subsystem (NSS)

Components:
1. MSC (Mobile Services Switching Center)
   a. GMSC (Gateway MSC)
   b. IWF (Interworking Functions)
2. Databases
   a. HLR (Home Location Register)
   b. VLR (Visitor Location Register)
   c. EIR (Equipment Identity Register)
   d. AUC (Authentication Center)

Fig 2-9,NSS

Mobile Switching Center (MSC)

Functions of an MSC:
- Management of network resources
- Interworking functions via the Gateway MSC (GMSC)
- Integration of several databases
- Specific functions for paging and call forwarding
- Termination of SS7 (Signaling System No. 7)
- Mobility-specific signaling: location registration and forwarding of location information
- Support of the short message service (SMS)
- Generation and forwarding of accounting and billing information

IWF (Interworking Functions):
1. Rate adaptation (from the mobile rate to the fixed-network rate and vice versa)
2. Protocol conversion (from the mobile protocol to the fixed-network protocol and vice versa)
3. Echo cancellation at the 4-wire to 2-wire conversion

Home Location Register (HLR)
The HLR manages the mobile subscribers: it stores the International Mobile Subscriber Identity (IMSI), the Mobile Station ISDN number (MSISDN) and the address of the VLR currently serving the subscriber, and it keeps track of the services associated with each MS.

Functions of HLR:-
The main function of the HLR is to manage the fact that SIMs and phones move around a lot. The following procedures are implemented to deal with this:
- Manage the mobility of subscribers by updating their position in administrative areas called location areas, which are identified by a LAC. The move of a user from one LA to another is followed by the HLR with a location update procedure.
- Send the subscriber data to a VLR or SGSN when a subscriber first roams there.
- Broker between the GMSC or SMSC and the subscriber's current VLR in order to allow incoming calls or text messages to be delivered.
- Remove the subscriber data from the previous VLR when a subscriber has roamed away from it.

Visitor Location Register (VLR)
The VLR caches some information from the HLR as necessary for call control and service provisioning for each mobile currently located in the geographical area controlled by this VLR. It is connected to one MSC and is often integrated into the MSC.

Data stored in the VLR:
- IMSI (the subscriber's identity number)
- Authentication data
- MSISDN (the subscriber's phone number)
- GSM services that the subscriber is allowed to access
- Access point (GPRS) subscribed
- The HLR address of the subscriber

Functions of VLR:-
The primary functions of the VLR are:
- To inform the HLR that a subscriber has arrived in the particular area covered by the VLR.
- To track where the subscriber is within the VLR area (location area) when no call is ongoing.
- To allow or disallow the services the subscriber may use.
- To allocate roaming numbers during the processing of incoming calls.
- To purge the subscriber record if a subscriber becomes inactive while in the area of the VLR. The VLR deletes the subscriber's data after a fixed period of inactivity and informs the HLR (e.g., when the phone has been switched off and left off, or when the subscriber has moved to an area with no coverage for a long time).
- To delete the subscriber record when a subscriber explicitly moves to another VLR area, as instructed by the HLR.

Authentication Center (AUC)
The authentication centre (AUC) is the function that authenticates each SIM card attempting to connect to the GSM core network (typically when the phone is powered on). Once authentication is successful, the HLR is allowed to manage the SIM and the services described above. An encryption key is also generated that is subsequently used to encrypt all wireless communications (voice, SMS, etc.) between the mobile phone and the GSM core network. If authentication fails, no services are possible for that particular combination of SIM card and mobile phone operator. There is an additional identification check performed on the serial number of the mobile phone, described in the EIR section below, but this is not relevant to the AUC processing.

Proper implementation of security in and around the AUC is a key part of an operator's strategy to avoid SIM cloning. The AUC does not engage directly in the authentication process, but instead generates data known as triplets for the MSC to use during the procedure. The security of the process depends upon a shared secret between the AUC and the SIM called the Ki. The Ki is securely burned into the SIM during manufacture and is also securely replicated onto the AUC. The Ki is never transmitted between the AUC and the SIM; instead it is combined with a random challenge (RAND) to produce the expected signed response (SRES) used for identification and the encryption key Kc used for over-the-air communications. The triplet (RAND, SRES, Kc) is what the MSC/VLR receives: it sends RAND to the mobile, the SIM computes its own SRES from RAND and its Ki, and the MSC compares the two. This authentication is one-way: the network verifies the SIM, but the mobile has no way to verify that the base station it is talking to belongs to its operator, which is what allows a software base station such as OpenBTS to attract standard handsets.

Equipment Identity Register (EIR)
The EIR is a database that contains information about the identity of mobile equipment, used to prevent calls from stolen, unauthorized or defective mobile stations. The AUC and EIR are implemented as stand-alone nodes or as a combined AUC/EIR node. The EIR stores the IMEI numbers of all registered ME units; the IMEI uniquely identifies each registered ME. There is generally one EIR per PLMN, and it interfaces to the various HLRs in the PLMN. The EIR keeps track of all ME units in the PLMN by maintaining several lists. The database stores the ME identification only and has nothing to do with the subscriber who is receiving or originating the call. There are three classes of ME stored in the database, each with different characteristics:
- White list: contains those IMEIs that are known to have been assigned to valid MSs. This is the category of genuine equipment.
- Black list: contains the IMEIs of mobiles that have been reported stolen.
- Grey list: contains the IMEIs of mobiles that have problems (for example, faulty software or a wrong make of equipment). This list contains all MEs with faults not important enough for barring.
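The AUC and EIR procedures described above, as an added worked example (this is not code from the report, from OpenBTS or from any operator): an MSC/VLR obtains a triplet from the AUC, challenges the SIM with RAND, compares the returned SRES, and only then checks the handset's IMEI against the EIR lists. The A3/A8 functions are stand-ins built on HMAC-SHA256 (real SIMs use operator-chosen algorithms such as COMP128 or MILENAGE), the IMSI, Ki and IMEI values are constructed, and the IMEI check digit is the Luhn digit defined for the IMEI format. Note what the SIM side does not do: it answers whatever RAND it receives, which is the one-way property mentioned above.

```python
"""GSM admission control as the MSC/VLR performs it: AUC triplet, SIM
challenge/response, then the EIR equipment check.

Added example, not from the report. A3/A8 are ASSUMED to be an HMAC-SHA256
stand-in (real SIMs use COMP128 variants or MILENAGE); all Ki, IMSI and
IMEI values are constructed test data.
"""

import hashlib
import hmac
import os


def a3_a8(ki, rand):
    """Stand-in for the SIM's A3 (SRES, 4 bytes) and A8 (Kc, 8 bytes).
    GSM only requires that SIM and AUC compute the same keyed function of
    (Ki, RAND); the keyed hash used here is this example's assumption."""
    digest = hmac.new(ki, rand, hashlib.sha256).digest()
    return digest[:4], digest[4:12]


class AUC:
    """Holds every subscriber's Ki and hands out triplets, never the key."""

    def __init__(self, keys):
        self._ki = dict(keys)                      # IMSI -> Ki (16 bytes)

    def triplet(self, imsi):
        rand = os.urandom(16)                      # fresh challenge every time
        sres, kc = a3_a8(self._ki[imsi], rand)    # KeyError for an unknown IMSI
        return rand, sres, kc


class SIM:
    """Subscriber side: answers RAND with SRES and keeps Kc for A5 ciphering."""

    def __init__(self, imsi, ki):
        self.imsi, self._ki, self.kc = imsi, ki, None

    def run_gsm_algorithm(self, rand):
        # The SIM answers any RAND it is given: nothing here proves that the
        # challenge came from the home network (one-way authentication).
        sres, self.kc = a3_a8(self._ki, rand)
        return sres


def luhn_valid(imei):
    """An IMEI is 14 digits plus a Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit left of the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(body14):
    """Check digit that makes luhn_valid(body14 + digit) true."""
    total = 0
    for i, ch in enumerate(reversed(body14)):
        d = int(ch)
        if i % 2 == 0:                 # these become the doubled positions once shifted
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


# Constructed EIR content: IMEI -> list colour. Every key is Luhn-valid.
EIR_LISTS = {
    "490154203237518": "white",
    "356938035643809": "black",
    "358401078924568": "grey",
}


def eir_check(imei, eir=EIR_LISTS):
    """'invalid' for a malformed IMEI, otherwise the list colour or 'unknown'."""
    if not luhn_valid(imei):
        return "invalid"
    return eir.get(imei, "unknown")


class MSC:
    """Admission decision for a location update: authenticate, then check the ME."""

    def __init__(self, auc, eir=EIR_LISTS):
        self.auc, self.eir, self.kc = auc, eir, {}   # kc: IMSI -> session key

    def attach(self, sim, imei):
        try:
            rand, sres_expected, kc = self.auc.triplet(sim.imsi)
        except KeyError:
            return "REJECT:UNKNOWN_IMSI"
        # Only RAND crosses the air interface; Ki stays in the SIM and the AUC.
        if not hmac.compare_digest(sim.run_gsm_algorithm(rand), sres_expected):
            return "REJECT:AUTH_FAILURE"
        self.kc[sim.imsi] = kc                     # both sides now share Kc
        verdict = eir_check(imei, self.eir)
        if verdict in ("black", "invalid"):
            return f"REJECT:IMEI_{verdict.upper()}"
        return f"ACCEPT:{verdict}"                 # grey/unknown: admitted, but worth logging


if __name__ == "__main__":
    ki = bytes(range(16))
    msc = MSC(AUC({"001010123456789": ki}))
    print(msc.attach(SIM("001010123456789", ki), "490154203237518"))         # genuine
    print(msc.attach(SIM("001010123456789", bytes(16)), "490154203237518"))  # cloned SIM, wrong Ki
    print(msc.attach(SIM("001010123456789", ki), "356938035643809"))         # stolen handset
```

The comparison uses a constant-time check because SRES is the only secret-derived value the MSC ever sees; a cloned SIM with the wrong Ki fails before the EIR is consulted, and a stolen handset with a genuine SIM fails after it, which is the order the AUC and EIR paragraphs describe.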

Operation Subsystem (OSS)

The Operations and Maintenance Center (OMC) is the centralized maintenance and diagnostic heart of the Base Station System (BSS). It allows the network provider to operate, administer and monitor the functioning of the BSS. The OSS consists of one or more Operation & Maintenance Centres (OMCs).

Fig 2-10,OMC

The operations and maintenance center (OMC) is connected to all equipment in the switching system and to the BSCs. The implementation of the OMC is called the operation and support system (OSS). The OSS is the functional entity from which the network operator monitors and controls the system. Its purpose is to offer the operator cost-effective support for the centralized, regional and local operation and maintenance activities that a GSM network requires. An important function of the OSS is to provide a network overview and to support the maintenance activities of the different operation and maintenance organizations.

The OMC provides alarm-handling functions to report and log alarms generated by the other network entities; maintenance personnel at the OMC can define the criticality of each alarm. Maintenance covers both technical and administrative actions to maintain and correct system operation, or to restore normal operation after a breakdown, in the shortest possible time. The fault management functions of the OMC allow network devices to be manually or automatically removed from or restored to service. The status of network devices can be checked, and tests and diagnostics on various devices can be invoked; for example, diagnostics may be initiated remotely by the OMC, and a mobile call trace facility can be invoked. The performance management functions include collecting traffic statistics from the GSM network entities and archiving them in disk files or displaying them for analysis. Because large amounts of data can be collected, maintenance personnel select which detailed statistics are collected, based on need and past experience. As a result of performance analysis, an alarm threshold can be set remotely if necessary. The OMC provides system change control for the software revisions and configuration databases in the network entities, which can be downloaded to the entities or uploaded to the OMC, and it keeps track of the software versions running on the different subsystems of the GSM network. Since the OMC can reconfigure every network element and trace individual calls, access to it is one of the most sensitive points of the whole network.


Introduction to Software Defined Radio:-
A software-defined radio system, or SDR, is a radio communication system in which components that have typically been implemented in hardware (e.g. mixers, filters, amplifiers, modulators/demodulators, detectors, etc.) are instead implemented by means of software on a personal computer or an embedded computing device. While the concept of SDR is not new, the rapidly evolving capabilities of digital electronics render practical many processes which used to be only theoretically possible. Conceptually, an SDR is a transceiver that would operate over the whole spectrum, compatible with every standard and independent of any modulation technique, using the same hardware. Simply put, a Software Defined Radio is "a radio in which some or all of the physical layer functions are software defined" (where "radio" means any sort of wireless communication, one-way or two-way). SDR as an idea originated in the defense sector in both the U.S. and Europe; its best-known early project was the U.S. military's SPEAKeasy of the early 1990s, in which programmable processing emulated more than ten existing military radios operating in frequency bands between 2 MHz and 2000 MHz. The term "software radio" was coined by Joseph Mitola in 1991. SDR denotes a collection of hardware and software technologies where some or all of the radio's operating functions are implemented through modifiable software or firmware running on programmable processing technologies. These devices include field programmable gate arrays (FPGAs), digital signal processors (DSPs), general purpose processors (GPPs), programmable systems on chip (SoCs) or other application-specific programmable processors. The use of these technologies allows new wireless features and capabilities to be added to existing radio systems without requiring new hardware.

Fig 3-1, SDR sections

In an SDR the signal processing is done digitally using FPGAs, DSPs and GPPs. This is not as easy as it seems, because of two technological limitations:
1- RF hardware blocks (i.e. highly linear low-noise amplifiers, highly selective tunable filters, etc.) that could work over the whole range needed by an ideal SDR are still unavailable.
2- No data converters (DACs, ADCs, DUCs, DDCs, etc.) can operate at the very high sample rates that would be required, due to electronic limitations.

Benefits of SDR:-
SDR has enlarged and expanded the idea of open source and enabled amateur radio users and students to experiment and share in the world of communications at very reasonable cost and without the need for complicated hardware. All that is needed is a computer or other processing unit, a single transceiver, and software that can be written easily or obtained from the internet. Software makes prototyping faster and cheaper than hardware prototyping: mathematically sophisticated signal processing techniques can be performed in the digital domain, and libraries of software radio components are easily created and shared. From the point of view of radio equipment manufacturers and system integrators, SDR enables the implementation of a family of radio products on a common platform architecture, allowing faster prototyping and introduction of new products. SDR also allows bug fixing over the air or other remote reprogramming, reducing both the time and the cost associated with operation and maintenance (which makes authenticating those updates as important as delivering them). For service providers, new features and capabilities can be added without major modifications to the hardware, since the old hardware can be reused with software changes to upgrade the whole system to the new features and services. All in all, SDR is to the communications world what the replacement of typewriters by computers was to writing: a vast range of new capability, because what SDR does is done through program code rather than physical parts. A software-defined radio can easily be many different kinds of radio, often several different types at once. SDR has the potential to be a revolutionary technology that will dramatically impact the wireless industry.

Main Architecture of SDR:-

Fig 3-2, Typical Transmitter & Receiver Block Diagram of SDR

In the figure above we can see the block diagrams of both the receiver and the transmitter of an SDR. Their simplicity is obvious, considering that the complexity has been moved to the PC, where the code that performs the baseband processing is written. The USRP (Universal Software Radio Peripheral) and the RF front end represent the hardware of the SDR. The USRP can be considered the IF section of the SDR, where the filters should be sharp and the oscillators and mixers accurate. The RF front end is the block responsible for capturing the signal, amplifying it with a low-noise amplifier and down-converting it in the receive path, or for transmitting the signal after it has been modulated and amplified in the transmit path. The PC, or the user-defined code, can be considered the software part, and the software is independent of the hardware. However, some software has a built-in interface to its hardware; for example, the USRP already has a built-in interface with GNU Radio.

Applications on SDR:
The use of SDR has widened the scope of applications that can be built on the same hardware. After nearly a decade or two of open source development, there are several hundred such applications.

1- Cognitive Radio:
An application that could be considered one of the most important in SDR. Cognitive radio can be considered as the model for wireless communication systems of the very near future, once the electronic limitations of the data converters and RF front ends are dealt with. Simply put, it is a radio that is able to acquire knowledge of the condition of the spectrum to which it has access. In other words, it determines which channels and services are in use and the intensity of the usage patterns, and avoids those channels in order to optimize performance. The idea of cognitive radio depends on the set of parameters taken into account when deciding on transmission and reception changes, and on this basis we can distinguish certain types. The two main types are: Full Cognitive Radio, in which every possible parameter observable by a wireless node or network is taken into account; and Spectrum Sensing Cognitive Radio, in which only the radio frequency spectrum is considered. Cognitive radio can also be classified by the parts of the spectrum available to it: Licensed Band Cognitive Radio, which is capable of using bands assigned to licensed users in addition to unlicensed bands such as the U-NII band or the ISM band (the IEEE 802.22 working group is developing a standard for WRAN (Wireless Regional Area Network) which will operate in unused television channels); and Unlicensed Band Cognitive Radio, which can only utilize unlicensed parts of the radio frequency spectrum.

2- Radio Frequency Identification (RF-ID):
Radio Frequency Identification (RFID) is currently one of the hottest technologies in the wireless applications area. It is a technology to store and retrieve information remotely using electromagnetic waves. RFID has enormous potential to change the way industries collect and manage information. Its unique advantages, such as data transmission with extremely low power or even without any power source in the tag, can be of the greatest benefit for goods management. In the near future, RFID technology could be the perfect replacement for the bar code, which has been widely used in supermarkets for many decades. Research in the area of RFID has been growing during the last decade. RFID communication protocols are not mature and are under constant change and improvement by the standards authorities. As such, in order to improve the performance of RFID systems, there is an urgent need for an open platform for the development, implementation and optimization of novel communication protocols. An open-source software-defined radio architecture based on the GNURadio platform is well poised to achieve these goals.

Fig 3-3, Block Diagram of a Typical RFID Tag/Reader System

The technology is used for automatically identifying a package or an item. To do this, it relies on RFID tags: small transponders (combined radio receiver and transmitter) that transmit identity information over a short distance when asked to. The other piece needed to make use of RFID tags is an RFID tag reader. In RFID systems, an item is tagged with a tiny silicon chip and an antenna. The chip plus antenna (together called a tag) can then be scanned by mobile or stationary readers using radio waves (the RF). The chip can be encoded with a unique identifier, allowing tagged items to be individually identified by a reader (the ID). Thus, for example, in a clothing store, each particular suit jacket, including its style, color, and size, can be identified electronically. In a pharmacy, a druggist can fill a prescription from a bottle bearing an RFID-chipped label confirming the authenticity of its contents. On the highway, cars with RFID tags on their windshields can move swiftly through tollbooths, saving time and reducing traffic congestion. At home, pets can be implanted with chips so that lost animals can be identified and returned to their owners more readily. Some tags can be read from several meters away and beyond the line of sight of the reader. Most tags carry a plain text inscription and a barcode as complements, for direct reading and for cases of failure of the radio frequency electronics. RFID applications are endless and new ones emerge day after day; the technology is nowadays used around us without our noticing. Some examples are the tags placed on books for library check-in/check-out, pet ownership identification, warehouse management and logistics, product tracking in a supply chain, product security and many more. Most RFID tags contain at least two parts. The first is an integrated circuit for storing and processing information, modulating and demodulating a radio-frequency (RF) signal and other specialized functions. The second is an antenna for receiving and transmitting the signal.

There are generally two types of RFID tags: active RFID tags, which contain a battery, and passive RFID tags, which have no battery and harvest their power from the RF energy present in the air.

Fig 3-4, RF-ID Block Diagram

As an SDR application, the RFID tag reader is the part to be implemented: the software is responsible both for the signal processing and for identifying and communicating with the tag, while the USRP remains responsible for the IF section. The USRP could be substituted by any other hardware that performs the same operation, but when using the USRP the RF front end is a daughterboard connected to the USRP motherboard, and the appropriate RF front end is fitted according to the application in which the SDR is to be used.

3- OpenBTS:
OpenBTS is a software-based GSM access point, allowing standard GSM-compatible mobile phones to make telephone calls without using existing telecommunication providers' networks. OpenBTS is notable for being the first software implementation of the industry-standard GSM protocol stack. OpenBTS is an open-source UNIX application that uses the Universal Software Radio Peripheral (USRP) to present a GSM air interface ("Um") to standard GSM handsets and uses the Asterisk software PBX to connect calls. The combination of the ubiquitous GSM air interface with VoIP backhaul could form the basis of a new type of cellular network that could be deployed and operated at substantially lower cost than existing technologies in green fields in the developing world. OpenBTS is in fact very different from a conventional GSM BTS, which is a dumb device that is managed externally by a Base Station Controller (BSC) and connects calls in a remote Mobile Switching Center (MSC), as explained before. Because of this important architectural difference, the end product of this project is better referred to as an access point, even though the project is called OpenBTS. Future versions of OpenBTS may well support GPRS and EDGE. GPRS, when available, should be a software-only upgrade for any installed OpenBTS system. EDGE support may require additional computational resources, but the additional software is not complex, at least when compared to the rest of the BTS. UMTS is a radically different CDMA-style physical layer and well outside the current scope of this project. The end product of this application is a complete GSM network, enabling full telephone calls, sending and receiving text messages, voice mailboxes and data transfer (after upgrading to GPRS or EDGE); it could even be connected to the local phone network so that external calls can be made through it.

Open BTS Hardware & Software

OpenBTS Hardware:
The Smart OpenBTS Mobile Network is our SDR application. As explained before, SDR can be considered as a "radio in which some or all of the physical layer functions are software defined". But of course some hardware cannot be replaced by software. The hardware required for the Smart OpenBTS application is as follows:
01 - Computer (Core 2 Duo 2.0 GHz, 2GB RAM, USB port).
Unlocked cellular phone.
SIM Card (preferably one whose network list can be edited).
01 - USRP-PKG (USRP Package, includes Motherboard, Enclosure, 2 RF Cables, USB Cable, Power Supply, and Hardware Package, USD 700).
02 - RFX900 for GSM 850/900 (800-1000MHz Transceiver, 200 mW output, USD 275 each).
02 - VERT900 (824-960 MHz, 1710-1990 MHz Quad-band Cellular/PCS and ISM Band Vertical Antenna, 3dBi Gain, 9 Inches, Ideal for RFX900 and RFX1800).
All hardware items except the computer, cell phone and SIM card can be obtained directly from Ettus Research.

Universal Software Radio Peripheral:
The Universal Software Radio Peripheral (USRP) is a hardware module developed exclusively for use with GNURadio by Matt Ettus and his team at Ettus Research. The USRP is designed to allow general purpose computers to function as high-bandwidth software radios. In essence, it serves as the digital baseband and IF section of a radio communication system. The basic design philosophy behind the USRP has been to do all of the waveform-specific processing, like modulation and demodulation, on the host CPU (computer), while all of the high-speed general purpose operations, like digital up and down conversion, decimation and interpolation, are done on the FPGA.

The true value of the USRP is in what it enables engineers and designers to create on a low budget and with a minimum of effort. A large community of developers and users has contributed to a substantial code base and provided many practical applications for the hardware and software. The powerful combination of flexible hardware, open-source software and a community of experienced users makes it the ideal platform for software radio development.

Fig 4-1, USRP

USRP Motherboard:
The USRP module comes with a motherboard which has a USB 2.0 interface for connection to the computer and a power connector. Up to four daughterboards can be connected to one USRP; most of the time they clip directly onto the motherboard. The four connectors on the USRP motherboard are two transmitters, TXA and TXB, and two receivers, RXA and RXB. The USRP currently has four AD converters with a 64MS/s sampling rate and four DA converters at 128MS/s, each with a 2V peak-to-peak range and up to 20dB of amplification from a Programmable Gain Amplifier (PGA). The USRP thus gives 4 real inputs and 4 real outputs, or 2 complex inputs and 2 complex outputs.

Fig 4-2, USRP Motherboard

USRP Motherboard Main Components:

AD/DA Converters:
Two mixed-signal front end processors (AD9862) from Analog Devices are used on the USRP board to perform all the analog-to-digital and digital-to-analog conversions. There are 4 high-speed 12-bit AD converters. The sampling rate is 64M samples per second, so in principle it could digitize a band as wide as 32MHz. The AD converters can band-pass-sample signals of up to about 150MHz, though. If we sample a signal with an IF larger than 32MHz, we introduce aliasing, and the band of the signal of interest is actually mapped to somewhere between -32MHz and 32MHz. The full range on the ADCs is 2V peak to peak, and the input is 200 ohms differential. This is 40mW, or 16dBm. There is a Programmable Gain Amplifier (PGA) before the ADCs to amplify the input signal so that the entire input range of the ADCs is used when the signal is weak. The PGA gain is up to 20dB. On the transmit path there are also 4 high-speed 14-bit DA converters. The DAC clock frequency is 128 MS/s, so the Nyquist frequency is 64MHz. However, we will probably want to stay well below it to make filtering easier; a useful output frequency range is from DC to about 44MHz. The DACs can supply 1V peak to a 50 ohm differential load, or 10mW (10dBm). There is also a PGA after the DAC, providing up to 20dB of gain. This PGA is software programmable.

Cypress FX2:
The Cypress FX2 interfaces between the FPGA and a USB 2.0 port. The USRP connects to a USB port on the host computer, where modulation and demodulation are performed.

Field Programmable Gate Array (FPGA):
The FPGA plays an important role in this software radio project. All the ADCs and DACs are connected to the FPGA, which does signal processing for the transmit and receive paths. Some of the high-bandwidth math is done in the FPGA to reduce the data rates so that the data can be transported over the USB 2.0 bus. The FPGA connects to the USB 2.0 interface chip, the Cypress FX2. The FPGA has some important registers, separated into three different sections: Common, Standard, and Custom. The registers are write-only, with values shadowed on the host for read-back, except for three readable standard

Digital Down Converters (DDC):
The standard FPGA configuration includes Digital Down Converters (DDC) implemented with 4-stage Cascaded Integrator-Comb (CIC) filters. CIC filters are very high-performance filters using only adders and delays. For spectral shaping and rejection of out-of-band signals, 31-tap half-band filters are cascaded with the CIC filters to form the complete DDC stage. The standard FPGA configuration implements 2 complete DDCs. There is also a configuration with 4 DDCs but without half-band filters, which allows 1, 2 or 4 separate RX channels. In the 4-DDC implementation, the RX path has 4 ADCs and 4 DDCs. Each DDC has two inputs (I and Q), and each of the 4 ADCs can be routed to either the I or the Q input of any of the 4 DDCs. This allows multiple channels to be selected out of the same ADC sample stream.

Fig 4-3, the Block Diagram of the USRP Digital Down Converter

The Digital Down Converter (DDC) down-converts the signal from the IF band to baseband. It also decimates the signal so that the data rate can be carried by USB 2.0 and is reasonable for the computer's processing capability. Regarding the bandwidth, we can sustain 32MB/sec across the USB. All samples sent over the USB interface are 16-bit signed integers in I/Q format, i.e. 16-bit I and 16-bit Q data (complex), which means 4 bytes per complex sample. This results in (32MByte per sec / 4 Byte) = 8 Mega complex samples/sec across the USB. Since complex processing is used, this provides a maximum effective total spectral bandwidth of about 8MHz by the Nyquist criterion. Of course we can select much narrower ranges by changing the decimation rate. For example, suppose we want to design an FM receiver. The bandwidth of an FM station is generally 200 kHz, so we can select a decimation factor of 250. Then the data rate across the USB is 64MHz / 250 = 256 kHz, which is well suited to the 200 kHz bandwidth without losing any spectral information. The decimation rate must be in [8, 256]. Finally the complex I/Q signal enters the computer via the USB. That's the software world!

Fig 4-4, CIC Decimator

Note that when there are multiple channels (up to 4), the channels are interleaved. For example, with 4 channels, the sequence sent over the USB would be I0 Q0 I1 Q1 I2 Q2 I3 Q3 I0 Q0 I1 Q1 etc. With multiple RX channels (1, 2, 3, or 4), all input channels must have the same data rate (i.e. the same decimation ratio). In the receive path of the FPGA, the ADCs are connected to the MUX, and each I/Q pair of the MUX is connected to a DDC, which is connected to a data interleaver that puts the data in the receive path queue.

The Digital Up Converter (DUC):
On the TX path the story is pretty much the same, except that it happens in reverse. We need to send a baseband I/Q complex signal to the USRP board. The Digital Up Converter (DUC) interpolates the signal, up-converts it to the IF band and finally sends it through the DAC.

Fig 4-5, USRP FPGA Digital Down Converter

Note that the TX rate may differ from the RX rate. The USRP can operate in full-duplex mode, in which the transmit and receive sides are completely independent of one another. The only constraint is that the combined data rate over the bus must be 32 Megabytes per second or less. In the transmit path, the I/Q data coming from the queue is CIC filtered and then enters the DEMUX, which is contained within the FPGA.
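The bus arithmetic from the DDC section and the two notes above (4 bytes per complex sample, 32 MB/s sustained over USB, every RX channel at the same decimation, TX independent in full duplex) and the I0 Q0 I1 Q1 ... interleaving are worked through in the following Python. This is an example added here, not code from the report or from the USRP/GNURadio projects; the function names, the constructed sample buffer and the assumption that the I/Q words are little-endian int16 are this example's own.

```python
"""Added example (not from the report, the USRP or GNURadio): USB data-rate
planning and de-interleaving of multi-channel 16-bit I/Q samples, using the
figures quoted in the text. Function names and sample data are constructed."""
import struct

ADC_RATE_HZ = 64_000_000        # ADC sample rate stated in the text
DECIM_MIN, DECIM_MAX = 8, 256   # allowed decimation range stated in the text
BYTES_PER_COMPLEX = 4           # 16-bit I + 16-bit Q per complex sample
USB_BUDGET_BPS = 32_000_000     # bytes per second sustainable over USB 2.0


def rx_sample_rate(decim):
    """Complex sample rate delivered to the host for a given decimation."""
    if not DECIM_MIN <= decim <= DECIM_MAX:
        raise ValueError(f"decimation {decim} outside [{DECIM_MIN}, {DECIM_MAX}]")
    return ADC_RATE_HZ / decim


def usb_bytes_per_second(rx_decim, rx_channels, tx_rate_hz=0.0):
    """Total bus load: all RX channels share one decimation (same rate);
    in full duplex the TX stream is independent and simply adds to it."""
    rx_bytes = rx_sample_rate(rx_decim) * BYTES_PER_COMPLEX * rx_channels
    tx_bytes = tx_rate_hz * BYTES_PER_COMPLEX
    return rx_bytes + tx_bytes


def fits_usb(rx_decim, rx_channels, tx_rate_hz=0.0):
    """True when the combined RX+TX load stays within the 32 MB/s budget."""
    return usb_bytes_per_second(rx_decim, rx_channels, tx_rate_hz) <= USB_BUDGET_BPS


def deinterleave(raw, channels):
    """Split a raw USB buffer of int16 I/Q words (assumed little-endian),
    interleaved as I0 Q0 I1 Q1 ... I(n-1) Q(n-1) I0 Q0 ..., into one list
    of complex samples per channel."""
    if len(raw) % 2:
        raise ValueError("buffer length is not a whole number of int16 words")
    n_words = len(raw) // 2
    words_per_frame = 2 * channels
    if n_words % words_per_frame:
        raise ValueError("buffer does not hold a whole number of frames")
    words = struct.unpack(f"<{n_words}h", raw)
    out = [[] for _ in range(channels)]
    for f in range(0, n_words, words_per_frame):
        for ch in range(channels):
            i, q = words[f + 2 * ch], words[f + 2 * ch + 1]
            out[ch].append(complex(i, q))
    return out


def interleave(per_channel):
    """Inverse of deinterleave; used here to build a constructed test buffer."""
    frames = len(per_channel[0])
    words = []
    for f in range(frames):
        for samples in per_channel:
            words += [int(samples[f].real), int(samples[f].imag)]
    return struct.pack(f"<{len(words)}h", *words)


if __name__ == "__main__":
    print(rx_sample_rate(250))              # FM example from the text: 256 kHz
    print(fits_usb(8, 1), fits_usb(8, 2))   # one channel at decim 8 fills the bus
    buf = interleave([[complex(c, -c)] for c in range(4)])   # constructed buffer
    print(deinterleave(buf, 4))
```

A single RX channel at the minimum decimation of 8 already uses the whole 32 MB/s budget, so a second channel or a simultaneous TX stream at that rate cannot be sustained; the check makes that visible before any hardware is configured.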

Fig 4-6, FPGA DEMUX Implementation in Transmit Path

Daughter boards:
On the motherboard there are four slots, into which you can plug up to 2 RX basic daughterboards and 2 TX basic daughterboards, or 2 RFX boards. The daughterboards hold the RF receiver interface (tuner) and the RF transmitter. There are slots for 2 TX daughterboards, labeled TXA and TXB, and 2 corresponding RX daughterboards, RXA and RXB. Each daughterboard slot has access to 2 of the 4 high-speed AD/DA converters (DAC outputs for TX, ADC inputs for RX). This allows each daughterboard which uses real (not I/Q) sampling to have 2 independent RF sections and 2 antennas (4 in total for the system). If complex I/Q sampling is used, each board can support a single RF section, for a total of 2 for the whole system. Normally there are two SMA connectors on each daughterboard, which we use to connect the input or output signals. No anti-alias or reconstruction filtering is provided on the USRP motherboard; this allows maximum flexibility in frequency planning for the daughterboards. Every daughterboard has an I2C EEPROM (24LC024 or 24LC025) on board which identifies the board to the system, allowing the host software to automatically set up the system properly based on the installed daughterboard. The EEPROM may also store calibration values such as DC offsets or I/Q imbalances. If this EEPROM is not programmed, a warning message is printed every time the USRP software is run.

Basic TX/RX Daughter boards:
Each has two SMA connectors that can be used to connect external up/down tuners or signal generators. We can treat it as an entrance or exit for the signal that does not affect it; some form of external RF front end is required. The ADC inputs and DAC outputs are directly transformer-coupled to the SMA connectors (50 Ω impedance) with no mixers, filters, or amplifiers. The Basic TX and Basic RX give direct access to all of the signals on the daughterboard interface. Each of the Basic TX/RX boards has logic analyzer connectors for the 16 general-purpose I/Os. These pins can be used to help debug your FPGA design by providing access to internal signals.

Low Frequency TX/RX Daughter boards:
The LFTX and LFRX are very similar to the Basic TX and Basic RX respectively, with 2 main differences. Because the LFTX and LFRX use differential amplifiers instead of transformers, their frequency response extends down to DC. The LFTX and LFRX also have 30 MHz low-pass filters for anti-aliasing.

RFX Daughter boards:
The RFX family of daughterboards is a complete RF transceiver system. They have independent local oscillators (RF synthesizers) for TX and RX, which enables split-frequency operation. They also have built-in T/R switching, so TX and RX can share the same RF port (connector), or, for RX only, the auxiliary RX port can be used. Most boards have built-in analog RSSI measurement. All boards are fully synchronous designs and MIMO capable. For RFX daughter boards RF frequency range.

Fig 4-7, RFX900 Daughterboard

The antennas are connected to the RFX900 daughterboard interface using coaxial cables.

Fig 4-8, VERT900 (824-960 MHz, 1710-1990 MHz Quad-band Cellular/PCS and ISM Band Vertical Antenna, 3dBi Gain)

Basic operation of the USRP:
The USRP is a data acquisition board containing several distinct sections. The analog interface portion contains four Analog to Digital Converters (ADCs) and four Digital to Analog Converters (DACs). The ADCs operate at 64 million samples per second (Msps) and the DACs at 128 Msps. Since the USB bus operates at a maximum rate of 480 million bits per second (Mbps), the FPGA must reduce the sample rate in the receive path and increase it in the transmit path, to match the high-speed data converters to the lower speeds supported by the USB connection. The AD9862 provides several functions. Each receive section contains four ADCs. Before the ADCs there are Programmable Gain Amplifiers (PGAs) to adjust the input signal level in order to make maximum use of the ADCs' dynamic range. The transmit path provides an interpolator and up-converter to match the output sample rate to the DAC sample rate and to convert the baseband input to a low-IF output. There are PGAs after the DACs. Most of the received-signal processing is performed in the FPGA. The signal is coupled into the AD9862; this chip contains two channels of ADCs and two channels of DACs. The clock provided by the USRP drives the ADCs at 64 Msps. If needed, the AD9862 may divide this clock by two to reduce the sample rate; this only affects the clock rate of the ADCs, as most of the sample rate conversion is done in the FPGA. After the signal is digitized, the data is sent to the FPGA. The standard FPGA firmware provides two Digital Down Converters (DDCs). The FPGA uses a multiplexer to connect the input streams from each of the ADCs to the inputs of the DDCs; this multiplexer allows the USRP to support both real and complex input signals. The DDCs operate as real down-converters, with the data from one ADC fed into the real channel, or as complex DDCs, where the data from one ADC is fed to the real channel and the data from another ADC is fed to the complex channel via the multiplexer. The DDC consists of a numerically controlled oscillator, a digital mixer, and a Cascaded Integrator-Comb (CIC) filter. These components down-convert the desired channel to baseband (or low IF), reduce the sample rate and provide low-pass filtering. For this project the maximum decimation rate available, 128, is used. The signal delivered from the USRP to the signal processing platform has a sample rate of 250 Ksps.

The transmit path of the USRP is similar to the receive path, though there are differences. Since the DACs operate at 128 Msps, an interpolator running on the FPGA increases the sample rate, and the AD9862 provides a further sample rate increase by a factor of four. The transmit portion of the AD9862 provides the mixer and NCO required to set the IF frequency of the transmitted signal, whereas in the receive path the FPGA performs this function.

Fig 4-9, Basic USRP Block Diagram

OpenBTS Software:
The Smart OpenBTS Mobile Network is our SDR application. As explained before, SDR can be considered as a "radio in which some or all of the physical layer functions are software defined", so some software is needed in the Smart OpenBTS application to take over the functions of the hardware that has been left out. The major software needed for the Smart OpenBTS application is as follows:
Operating system: a UNIX-like system; Debian is typically a good choice.
GNURadio
Asterisk
OpenBTS
Python

GNURadio:
GNURadio is an open source Software Defined Radio (SDR) project that was started about ten years ago by Eric Blossom, an electrical engineer. The main idea behind this project was to turn all the hardware problems into software problems: it moves the complexity of a radio from the hardware level to the software level, and gets the software as close to the antenna as possible. Blossom initiated this project because he was disappointed by the SDR projects available at that time: all of them were proprietary, and he wanted to bring the free-software philosophy into the SDR world. Richard Stallman, the GNU Project founder, liked Blossom's idea and agreed to take the project under the GNU aegis. So far, the GNURadio project has not disappointed its affiliates and supporters. Eric Blossom, together with his development colleague Matt Ettus, has realized a project which can turn an ordinary PC into a good-quality radio receiver; the only additional hardware required is a low-cost RF tuner and an analog-to-digital converter to convert the received signal into digital samples. GNURadio is a free software development toolkit which allows one to develop a custom non-commercial radio receiver just by combining and interconnecting appropriate software modules, as if they were functional blocks (the package includes about 100 modules, but others can be added to the initial library). Each module performs a specific signal processing function (for example a mixer, a phase-locked loop or a filter) in real time and with high throughput. For this reason, a recent PC with enough processing capability and memory should be used. With the GNURadio approach, the designer is a software developer who builds the radio by creating a graph (in the sense of graph theory) where the vertices are signal processing blocks and the edges represent the data flow between them. The signal processing blocks are normally implemented in C++, whereas the graph structure is defined in Python. GNURadio is well known and widely used, especially in academic environments and among hobbyists and radio amateurs. It is used either to implement real, working radio equipment or as a research tool in the area of wireless communication and transmission. GNURadio software modules support various modulations (GMSK, PSK, QAM and OFDM), error correction codes (Reed-Solomon, Viterbi and Turbo codes) and signal processing capabilities (filters, FFTs, equalizers and timing recovery). GNURadio applications are mainly written in Python. However, the critical low-level algorithms and signal processing modules are written in C/C++, making wide use of the floating-point instructions specific to the relevant processor. Python is primarily used to set up the flow graph; after that most of the work is done in C/C++. GNURadio is simple to use, and a radio receiver can be created in a fast and straightforward manner. Moreover, the development of a signal processing algorithm can be carried out using a prerecorded or generated data set, allowing development without real RF hardware. An example of the minimal hardware required to work with GNURadio is the USRP.
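Two points made above, that a GNURadio radio is a graph of processing blocks joined by data flow and can be developed on a generated data set with no RF hardware, and (from the DDC section) that a CIC decimator is built from adders and delays only, are illustrated by the following Python. It is an example added here, not GNURadio's code nor the report's; the Block, FlowGraph and CICDecimator names and the linear-chain scheduler are this example's own simplification of the real framework, and the unit-step input is constructed.

```python
"""Added example (not GNU Radio code and not from the report): a tiny
pure-Python stand-in for a GNU Radio flow graph, run on a constructed data
set, with a Cascaded Integrator-Comb (CIC) decimator as one of the blocks.
All class and function names are this example's own."""


class Block:
    """A block maps an input sample list to an output sample list."""
    def work(self, samples):
        raise NotImplementedError


class VectorSource(Block):
    """Source: plays back a constructed or prerecorded sample list."""
    def __init__(self, samples):
        self.samples = list(samples)

    def work(self, samples):
        return self.samples


class CICDecimator(Block):
    """N-stage CIC decimator by R (differential delay 1): N integrators at the
    input rate, keep every R-th sample, then N comb stages (y[m] - y[m-1]) at
    the output rate. Only additions, subtractions and delays are used. The
    DC gain is R**N, reached after N output samples."""
    def __init__(self, stages, decim):
        self.stages, self.decim = stages, decim

    def work(self, samples):
        x = list(samples)
        for _ in range(self.stages):            # integrator chain
            acc, y = 0, []
            for v in x:
                acc += v
                y.append(acc)
            x = y
        x = x[::self.decim]                     # rate change: keep every R-th
        for _ in range(self.stages):            # comb chain
            prev, y = 0, []
            for v in x:
                y.append(v - prev)
                prev = v
            x = y
        return x


class Scale(Block):
    """Multiply by a constant, e.g. 1/R**N to undo the CIC gain."""
    def __init__(self, k):
        self.k = k

    def work(self, samples):
        return [v * self.k for v in samples]


class VectorSink(Block):
    """Sink: keeps the final samples for inspection."""
    def __init__(self):
        self.data = []

    def work(self, samples):
        self.data = list(samples)
        return samples


class FlowGraph:
    """Vertices are blocks, edges carry sample streams. run() follows the
    chain from the given source (a linear chain suffices here)."""
    def __init__(self):
        self.edges = {}

    def connect(self, src, dst):
        self.edges[src] = dst

    def run(self, source):
        block, samples = source, []
        while block is not None:
            samples = block.work(samples)
            block = self.edges.get(block)
        return samples


def cic_demo(stages=4, decim=8, n_samples=64, normalize=False):
    """Push a constructed unit step through source -> CIC [-> scale] -> sink
    and return what the sink collected."""
    src = VectorSource([1] * n_samples)
    cic = CICDecimator(stages, decim)
    sink = VectorSink()
    fg = FlowGraph()
    fg.connect(src, cic)
    if normalize:
        scale = Scale(1.0 / decim ** stages)
        fg.connect(cic, scale)
        fg.connect(scale, sink)
    else:
        fg.connect(cic, sink)
    fg.run(src)
    return sink.data


if __name__ == "__main__":
    print(cic_demo())                 # settles to 8**4 = 4096 after 4 outputs
    print(cic_demo(normalize=True))   # settles to 1.0
```

With the 4 stages and decimation of 8 used in the demo, 64 input samples become 8 output samples and the DC gain of 8**4 = 4096 is visible from the fifth output onward; in a real implementation that growth is why the FPGA carries wide accumulators and a scaling stage after the CIC.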

GNURadio Companion:
GRC is an acronym for GNURadio Companion, the graphical user interface (GUI) used to string GNURadio blocks together. GNURadio is an open source toolkit developed by Eric Blossom, owner of Blossom Research LLC. Using GRC's drag-and-drop feature, a flow graph can be created merely by connecting blocks with mouse clicks, and GRC generates the source code corresponding to the block connections. Every block in GRC has a corresponding XML file that contains its parameters, I/O ports, and a template for code generation. The ID key and file name of each XML file match exactly the name of the GNURadio block, to ensure future portability. GRC validates all block definitions upon execution, and will exit with an error if any definition fails validation. Blocks are manually integrated into GRC via descriptive Python definitions. The definitions are very flexible, and allow multiple GNURadio blocks to be grouped into a single "super-block". The graphical interface allows the user to configure and connect these blocks into a flow graph, which is saved in an XML format. Another program reads this XML file and reconstructs the flow graph with native GNURadio blocks.

Asterisk:
Asterisk is a software implementation of a telephone Private Branch Exchange (PBX). It was created in 1999 by Mark Spencer of Digium. Like any PBX, it allows attached telephones to make calls to one another, and to connect to other telephone services including the Public Switched Telephone Network (PSTN) and Voice over Internet Protocol (VoIP) services. Its name comes from the asterisk symbol, *.

Fig 4-10, Asterisk

Asterisk was originally built as a PBX and today represents an astonishing 18% of the global market for business telephone systems. The base feature set includes many of the most popular and powerful PBX functions. Tapping the power of Asterisk requires some knowledge of Linux, telephony, basic script programming and IP networking. For those who would rather point and click than compile and script, complete IP PBX systems based on Asterisk are also available.

Features of Asterisk:
The Asterisk software includes many features available in proprietary PBX systems: voice mail, conference calling, interactive voice response (phone menus), and automatic call distribution. Users can create new functionality by writing dial plan scripts in several of Asterisk's own extension languages, by adding custom loadable modules written in C, or by implementing Asterisk Gateway Interface (AGI) programs in any programming language capable of communicating via the standard streams (stdin and stdout) or via network TCP sockets. To attach traditional analog telephones to an Asterisk installation, or to connect to PSTN trunk lines, the server must be fitted with special hardware. Digium and a number of other firms sell PCI cards to attach telephones, telephone lines, T1 and E1 lines, and other analog and digital phone services to a server. Perhaps of more interest to many deployers today, Asterisk also supports a wide range of video and voice over IP protocols, including SIP, MGCP and H.323. Asterisk can interoperate with most SIP telephones, acting both as registrar and as a gateway between IP phones and the PSTN. Asterisk developers have also designed a new protocol, Inter-Asterisk Exchange (IAX2), for efficient trunking of calls among Asterisk PBXs and to VoIP service providers who support it. Some telephones support the IAX2 protocol directly. By supporting a mix of traditional and VoIP telephony services, Asterisk allows deployers to build new telephone systems, or gradually migrate existing systems to new technologies. Some sites are using Asterisk servers to replace proprietary PBXs; others to provide additional features (such as voice mail, voice response menus or virtual call shops) or to reduce costs by carrying long-distance calls over the Internet (toll bypass). VoIP telephone companies can, as an option, support Asterisk as a user agent or trunked connection with the IAX2 or SIP trunking protocols, along with ATAs and other software user agents.

Asterisk was one of the first open source PBX software packages, of which there are now many. In addition to VoIP protocols, Asterisk supports many traditional circuit-switching protocols such as ISDN and SS7. This requires appropriate hardware interface cards supporting such protocols, marketed by third-party vendors.

Configuring Asterisk:
Asterisk is controlled by editing a set of configuration files. One of these, extensions.conf, contains the dialplan and controls the operational flow of Asterisk. A native scripting language is used to define the elements of process control, namely named variables, procedural macros, contexts, extensions, and actions. A context groups all the valid destination numbering codes which apply to a set of channels on which incoming (to Asterisk) calls can be presented. These numbering codes, called extensions (even though they often are not), are the starting points for the scripts which instruct Asterisk how to process calls made to those numbers within that context.

Python:
Python is a general-purpose, high-level programming language whose design philosophy emphasizes code readability. Python aims to combine "remarkable power with very clear syntax", and its standard library is large and comprehensive. Python is one of those rare languages which can claim to be both simple and powerful. You will be pleasantly surprised at how easy it is to concentrate on the solution to the problem rather than on the syntax and structure of the language you are programming in. In our application and examples we think of Python as a net-list for GRC; Python could be used by itself, but that is how it is used in most of our upcoming examples.
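The extensions.conf structure described under "Configuring Asterisk" above (contexts, extensions, priorities and the actions attached to them, plus named variables) is made concrete by the following Python, which parses a small constructed dialplan and resolves a dialled number the way the text describes: only numbers listed in the channel's context (or in contexts it includes) are valid destinations, everything else is refused. This is an example added here, not Asterisk's own parser nor code from the report; the sample dialplan, the `parse_dialplan` and `route` names, and the choice to treat `include =>` lines as an ordered fallback are this example's own.

```python
"""Added example (not Asterisk code and not from the report): a small parser
for the extensions.conf dialplan structure (contexts, 'exten =>' lines with
priority and action, 'same => n' continuations, [globals] variables and
'include =>' fallbacks) and a resolver for dialled numbers."""
import re

# Constructed sample dialplan for this example (not from the report).
SAMPLE_EXTENSIONS_CONF = """
[globals]
RINGTIME=20

[handsets]
; destination numbers valid for channels presented in this context
exten => 1001,1,NoOp(Call to 1001)
 same => n,Dial(SIP/1001,${RINGTIME})
 same => n,VoiceMail(1001@default,u)
 same => n,Hangup()

exten => 1002,1,Dial(SIP/1002,${RINGTIME})
 same => n,Hangup()

[incoming]
include => handsets
exten => s,1,Answer()
 same => n,Hangup()
"""

_EXTEN_RE = re.compile(r"^(exten|same)\s*=>\s*(.+)$")


def parse_dialplan(text):
    """Parse extensions.conf text into three maps:
    contexts: {context: {exten: [(priority, app, args), ...]}}
    includes: {context: [included context, ...]}  (include => lines)
    globs:    {name: value} from the [globals] section."""
    contexts, includes, globs = {}, {}, {}
    context, last_exten = None, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            context = line[1:-1]
            contexts.setdefault(context, {})
            includes.setdefault(context, [])
            continue
        if context is None:
            raise ValueError(f"directive before any [context]: {raw!r}")
        if context == "globals" and "=>" not in line:
            name, value = line.split("=", 1)          # named variable
            globs[name.strip()] = value.strip()
            continue
        if line.startswith("include"):
            includes[context].append(line.split("=>", 1)[1].strip())
            continue
        m = _EXTEN_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised dialplan line: {raw!r}")
        keyword, rest = m.groups()
        if keyword == "exten":
            exten, prio_s, action = (p.strip() for p in rest.split(",", 2))
        elif last_exten is None:
            raise ValueError("'same =>' before any 'exten =>'")
        else:                                        # 'same' continues last exten
            exten = last_exten
            prio_s, action = (p.strip() for p in rest.split(",", 1))
        steps = contexts[context].setdefault(exten, [])
        if prio_s == "n":                            # 'n' means next priority
            prio = max((p for p, _, _ in steps), default=0) + 1
        else:
            prio = int(prio_s)
        app, _, args = action.partition("(")
        steps.append((prio, app.strip(), args.rstrip(")")))
        last_exten = exten
    return contexts, includes, globs


def route(contexts, includes, globs, context, number, _seen=None):
    """Resolve a dialled number within a context: the context's own extensions
    win, then included contexts are searched in order (cycles are guarded).
    Returns [(app, args)] in priority order with ${VAR} globals expanded, or
    None when the number is not a valid destination in that context."""
    _seen = set() if _seen is None else _seen
    if context in _seen or context not in contexts:
        return None
    _seen.add(context)
    steps = contexts[context].get(number)
    if steps is None:
        for inc in includes.get(context, []):
            found = route(contexts, includes, globs, inc, number, _seen)
            if found is not None:
                return found
        return None

    def expand(s):
        return re.sub(r"\$\{(\w+)\}", lambda m: globs.get(m.group(1), m.group(0)), s)

    return [(app, expand(args)) for _, app, args in sorted(steps)]


if __name__ == "__main__":
    ctx, inc, g = parse_dialplan(SAMPLE_EXTENSIONS_CONF)
    print(route(ctx, inc, g, "handsets", "1001"))
    print(route(ctx, inc, g, "incoming", "1002"))   # reached via include
    print(route(ctx, inc, g, "handsets", "9999"))   # None: not in this context
```

The resolver returning None for a number outside the channel's context is the property to keep in mind when writing a real dialplan: the context a channel is placed in is the boundary that decides which destinations it may reach, so a context meant for handsets should list only the numbers those handsets are allowed to dial.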

Features of Python:

Simple: Python is a simple and minimalistic language. Reading a good Python program feels almost like reading English, although very strict English! This pseudo-code nature of Python is one of its greatest strengths. It allows you to concentrate on the solution to the problem rather than on the language itself.

Easy to Learn: As you will see, Python is extremely easy to get started with. Python has an extraordinarily simple syntax, as already mentioned.

Free and Open Source: Python is an example of FLOSS (Free/Libre and Open Source Software). In simple terms, you can freely distribute copies of this software, read its source code, make changes to it and use pieces of it in new free programs. This is one of the reasons why Python is so good: it has been created and is constantly improved by a community who just want to see a better Python.

High-level Language: When you write programs in Python, you never need to bother about low-level details such as managing the memory used by your program.

Object Oriented: Python supports procedure-oriented programming as well as object-oriented programming. In procedure-oriented languages, the program is built around procedures or functions, which are nothing but reusable pieces of programs. In object-oriented languages, the program is built around objects, which combine data and functionality.

Into Python: We give a brief introduction to the use of Python and a short explanation of its syntax; further details can be found in a textbook that we highly recommend, A Byte of Python by Swaroop C H. The book is very useful for both programming beginners and experts and is perfect for those with a C or C++ background.

OpenBTS: OpenBTS is a software-based GSM access point, allowing standard GSM-compatible mobile phones to make telephone calls without using existing telecommunication providers' networks. OpenBTS is notable for being the first software implementation of the industry-standard GSM protocol stack. OpenBTS is an open-source UNIX application that uses the Universal Software Radio Peripheral (USRP) to present a GSM air interface ("Um") to standard GSM handsets and uses the Asterisk software PBX to connect calls. The combination of the ubiquitous GSM air interface with VoIP backhaul could form the basis of a new type of cellular network that could be deployed and operated at substantially lower cost than existing technologies in green fields in the developing world. OpenBTS is in fact very different from a conventional GSM BTS, which is a dumb device managed externally by a Base Station Controller (BSC) and which connects calls in a remote Mobile Switching Center (MSC), as explained before. Because of this important architectural difference, the end product of this project is better referred to as an access point, even though the project is called OpenBTS. Future versions of OpenBTS may well support GPRS and EDGE. GPRS, when available, should be a software-only upgrade for any installed OpenBTS system. EDGE support may require additional computational resources, but the additional software is not complex, at least compared to the rest of the BTS. UMTS is a radically different CDMA-style physical layer and well outside the current scope of this project. The end product of this application is a complete network that supports a full GSM network enabling complete telephone calls, sending and receiving text messages, having a mailbox, transferring data (on upgrading to GPRS or EDGE); it could even be connected to the local phone network and so make external calls using the local phone network.


Network Structure: The Smart OpenBTS network has the same structure as any other GSM network. The structure of our network depends mainly on the SDR application. The SDR application divides the structure of the network into two main parts. One part is the hardware, represented by the USRP with its daughterboards (RFX900). The other part is the software, and that is the difficult part: from the SDR point of view, the software must perform the same tasks as the complex hardware of a traditional GSM network. The required software for our network is GNURadio, Asterisk, Python, OpenBTS and other software.

Fig 5-1, The Traditional GSM Network Structure

The difference between the structure of the traditional GSM network and the Smart OpenBTS network is clear. Although the GSM network has some parts that don't exist in our network, such as the Authentication Center (AUC) and the billing center, our network structure is still simpler than the traditional GSM network structure.

Network Operation: Even though the structure of the traditional GSM network and the Smart OpenBTS network is not the same, the point is for the Smart OpenBTS network to reach the same operational efficiency as the traditional GSM network. The traditional GSM network provides the air interface using the BTS, call switching using the MSC, and the database of subscriber parameters using the HLR, as mentioned before. Smart OpenBTS provides the same functions using other technologies: the air interface is provided by the USRP, the daughterboards (RFX900), GNURadio and OpenBTS, while call switching and the database of subscriber parameters are provided by Asterisk.

Fig 5-2, Smart OpenBTS Network Operation

Call Flow Establishment: Due to the structural differences between the traditional GSM network and the Smart OpenBTS network, the call flow changes from one to the other. But in the end, the call is established after some steps. Certainly the steps in the Smart OpenBTS network are fewer than the steps of the traditional GSM network. The reason is that the structure of the traditional GSM network is more complicated than the Smart OpenBTS network. Also, the various functions that the traditional GSM network provides for its users make the network more complicated and the call steps more involved than in the Smart OpenBTS network. The call flow of the Smart OpenBTS network follows the same call flow as the traditional GSM network, as explained before.

Fig 5-3, Call Flow for the Traditional GSM Network

Fig 5-4, Call Flow for the Smart OpenBTS Network

Software Installation Guide

The required software for the Smart OpenBTS network is as follows:
    GNU/Linux - Ubuntu 10.04 - 32 bits
    C++ Boost 1.38.0
    GNURadio 3.3.0
    OpenBTS 2.6.0Mamou

Linux-Ubuntu 10.04 Installation:

Install Ubuntu 10.04 on a computer (Core 2 Duo 2.0 GHz, 2GB RAM, USB port) or higher. Remember to install Ubuntu on an EXT4 partition and to add a swap partition of about 1GB. After the installation, all the following work is done in the terminal.

Simple Basics of Linux: This is a very basic tutorial on using the Linux terminal. Its purpose is just to make you familiar with some commonly used expressions. It will give you an overall understanding of the installation steps in any installation guide or on the internet, instead of following them without understanding.

C++ Boost 1.38.0 and GNURadio 3.3.0 Installation: Open the terminal and follow these steps:

1- Installing the dependencies

    sudo apt-get update
    sudo apt-get -y install libfontconfig1-dev libxrender-dev libpulse-dev swig g++ \
        automake autoconf libtool python-dev libfftw3-dev \
        libcppunit-dev libboost-all-dev libusb-dev fort77 sdcc sdcc-libraries \
        libsdl1.2-dev python-wxgtk2.8 git-core guile-1.8-dev \
        libqt4-dev python-numpy ccache python-opengl libgsl0-dev \
        python-cheetah python-lxml doxygen qt4-dev-tools \
        libqwt5-qt4-dev libqwtplot3d-qt4-dev pyqt4-dev-tools python-qwt5-qt4

For other Ubuntu versions you can install the dependencies as described here: http://gnuradio.org/redmine/wiki/1/UbuntuInstall

2- Getting and installing the Boost libraries

    wget http://kent.dl.sourceforge.net/sourceforge/boost/boost_1_38_0.tar.gz
    tar xvzf boost_1_38_0.tar.gz
    cd boost_1_38_0
    BOOST_PREFIX=/opt/boost_1_38_0
    ./configure --prefix=$BOOST_PREFIX --with-libraries=thread,date_time,program_options
    make
    sudo make install

You can instead download boost_1_38_0.tar.gz from the internet in the usual way and put it in your home folder, so you will not need the first step (wget). You can also extract the downloaded file by right-clicking on it and choosing "extract here", so you will not need the second step (tar xvzf).

3- Getting and installing GNURadio

    cd
    wget ftp://ftp.gnu.org/gnu/gnuradio/gnuradio-3.3.0.tar.gz
    tar xvzf gnuradio-3.3.0.tar.gz
    cd gnuradio-3.3.0
    ./configure --with-boost-include-dir=$BOOST_PREFIX/include/boost-1_38/
    make
    sudo make check
    sudo make install
    sudo ldconfig

4- Adding user permissions to work with the USRP

    sudo addgroup usrp
    sudo addgroup <YOUR_USER> usrp
    echo 'ACTION=="add", BUS=="usb", SYSFS{idVendor}=="fffe", SYSFS{idProduct}=="0002", GROUP:="usrp", MODE:="0660"' > tmpfile
    sudo chown root.root tmpfile
    sudo mv tmpfile /etc/udev/rules.d/10-usrp.rules

5- Testing the USRP

Restart the computer (it should work without a restart, but even after restarting the udev service the USRP only worked with user privileges after rebooting the machine).

    sudo reboot

Connect the USRP to the USB port.

    cd /usr/local/share/gnuradio/examples/usrp/
    ./usrp_benchmark_usb.py

The output should be close to these values:

    Testing 2MB/sec...
    usb_throughput = 2M
    ntotal = 1000000
    nright = 998435
    runlength = 998435
    delta = 1565
    OK
    Testing 4MB/sec...
    usb_throughput = 4M
    ntotal = 2000000
    nright = 1998041
    runlength = 1998041
    delta = 1959
    OK
    Testing 8MB/sec...
    usb_throughput = 8M
    ntotal = 4000000
    nright = 3999272
    runlength = 3999272
    delta = 728
    OK
    Testing 16MB/sec...
    usb_throughput = 16M
    ntotal = 8000000
    nright = 7992153
    runlength = 7992153
    delta = 7847
    OK
    Testing 32MB/sec...
    usb_throughput = 32M
    ntotal = 16000000
    nright = 15986239
    runlength = 15986239
    delta = 13761
    OK
    Max USB/USRP throughput = 32MB/sec

OpenBTS 2.6.0Mamou Installation: Open the terminal and follow these steps:

1- Installing the dependencies

    cd
    sudo apt-get install asterisk libosip2-dev libortp7-*

2- Getting the source code

Download the OpenBTS 2.6.0Mamou source code from the internet (it must be a .tar.gz), copy it to the home folder, then extract it.

3- Installing OpenBTS

    cd
    cd openbts-2.6.0Mamou
    export LIBS=-lpthread
    ./configure
    make
    sudo make install

4- Configuring the settings

This is a very important step. After everything has compiled, it is time to configure OpenBTS. Open apps/OpenBTS.config with your preferred editor (gedit). If it isn't found, create it.

The GSM.MCC (Mobile Country Code) is set according to your country; in our case it is 602 (Egypt). A complete table of these codes can be found here: http://en.wikipedia.org/wiki/Mobile_country_code

The GSM.MNC (Mobile Network Code) can be any code between 0 and 99 as long as it is not used by a local operator. A good way to check is to scan the networks with the phone and note the operators' codes (01 Mobinil, 02 Vodafone and 03 Etisalat). Normally they are shown in MCC-MNC format (e.g. 602-04), which means the country is Egypt and the network code is 04.

The GSM band defines the frequency band in which OpenBTS will operate. Ideally you use a band not allocated in your region, but sometimes this is not possible. In that case you will need a spectrum analyzer to check which part of the band has free space. This link shows the frequency and channel allocation of the GSM bands (NOTE: the downlink is the frequency the BTS transmits on, so those are the ones we need to care about): http://en.wikipedia.org/wiki/GSM_frequency_ranges

Since this is a low-cost project, it is very likely that you won't have a spectrum analyzer, which is an expensive test instrument. The good news is that GNURadio includes a simple one, which can be used to check the band and channel allocations. To use it, go to the GNURadio examples folder and execute the following:

    cd /usr/local/share/gnuradio/examples/usrp
    ./usrp_wfm_rcv_pll.py

Fig 6-1, the spectrum analyzer using the USRP and the GNURadio

Notes: If the spectrum analyzer method above does not work, you can use another one:

    usrp_fft.py -d 64 -f 0

On the display we see that 944MHz is occupied by an operator, so we can't use it. We choose our operating frequency according to the results of the spectrum analyzer; we chose 937MHz.
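A pre-flight check for the settings discussed in step 4 and the frequency choice above, as an added example that is not part of the page or of OpenBTS: it parses an OpenBTS.config fragment, converts the band and ARFCN into the downlink (BTS transmit) frequency, and refuses an MNC that a live operator uses or a carrier that sits on one seen on the spectrum display. The "Key Value" line format and the key names GSM.Band and GSM.ARFCN are assumed from OpenBTS 2.6; the config text is constructed, while MCC 602, the operator MNCs, the 944MHz reading and the 937MHz choice come from the page.

```python
# Added example (not the project's own code): a pre-flight check for the
# radio identity settings. "Key Value" lines and the key names GSM.Band and
# GSM.ARFCN are assumed from OpenBTS 2.6; MCC 602, the operator MNCs and the
# 944 MHz reading come from the page. ARFCN formulas follow 3GPP TS 45.005.

# band -> (first ARFCN, last ARFCN, uplink MHz for ARFCN n, duplex offset MHz)
BANDS = {
    850:  (128, 251, lambda n: 824.2 + 0.2 * (n - 128), 45.0),
    900:  (0, 124, lambda n: 890.0 + 0.2 * n, 45.0),            # P-GSM 900
    1800: (512, 885, lambda n: 1710.2 + 0.2 * (n - 512), 95.0),
    1900: (512, 810, lambda n: 1850.2 + 0.2 * (n - 512), 80.0),
}

def downlink_mhz(band, arfcn):
    """Downlink (BTS transmit) frequency of an ARFCN: the one that must be
    kept clear of the operator carriers seen on the spectrum display."""
    first, last, uplink, offset = BANDS[band]
    if not first <= arfcn <= last:
        raise ValueError(f"ARFCN {arfcn} is outside the GSM{band} range")
    return round(uplink(arfcn) + offset, 1)

def parse_config(text):
    """Parse 'Key Value' lines; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            cfg[key] = value.strip()
    return cfg

def check_config(cfg, operator_mncs, occupied_mhz):
    """Return a list of problems; an empty list means the settings are usable."""
    problems = []
    mcc, mnc = cfg.get("GSM.MCC", ""), cfg.get("GSM.MNC", "")
    if not (mcc.isdigit() and len(mcc) == 3):
        problems.append("GSM.MCC must be a three-digit country code")
    if not (mnc.isdigit() and int(mnc) <= 99):
        problems.append("GSM.MNC must be between 0 and 99")
    elif mnc.zfill(2) in operator_mncs:
        problems.append(f"GSM.MNC {mnc} is already used by a live operator")
    try:
        dl = downlink_mhz(int(cfg.get("GSM.Band", 0)), int(cfg.get("GSM.ARFCN", -1)))
    except (KeyError, ValueError) as exc:
        return problems + [f"bad GSM.Band/GSM.ARFCN: {exc}"]
    for f in occupied_mhz:
        if abs(dl - f) < 0.2:                  # closer than one 200 kHz channel
            problems.append(f"downlink {dl} MHz collides with carrier at {f} MHz")
    return problems

# Constructed inputs: MNCs seen in the handset scan and the carrier observed
# on the usrp_fft display, both as reported on the page.
OPERATOR_MNCS = {"01", "02", "03", "04"}
OCCUPIED_MHZ = [944.0]

GOOD_CONFIG = """\
GSM.MCC 602       # Egypt
GSM.MNC 05        # hypothetical code not held by a local operator
GSM.Band 900
GSM.ARFCN 10      # downlink 937.0 MHz, the carrier chosen on the page
"""
BAD_CONFIG = "GSM.MCC 602\nGSM.MNC 02\nGSM.Band 900\nGSM.ARFCN 45\n"  # 944.0 MHz

if __name__ == "__main__":
    for name, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, check_config(parse_config(text), OPERATOR_MNCS, OCCUPIED_MHZ) or "ok")
```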

List of Figures

Chapter 1
Fig 1-1, block diagram of OpenBTS network .......... 2
Fig 1-2, USRP .......... 3
Fig 1-3, Motherboard .......... 4
Fig 1-4, Daughterboard .......... 5

Chapter 2
Fig 2-1, GSM .......... 9
Fig 2-2, GSM evolutionary concept .......... 11
Fig 2-3, Network Architecture .......... 13
Fig 2-4, MS component .......... 15
Fig 2-5, SIM .......... 16
Fig 2-6, BTS Arrangement .......... 19
Fig 2-7, BSS .......... 20
Fig 2-8, BTS .......... 20
Fig 2-9, NSS .......... 22
Fig 2-10, OMC .......... 26

Chapter 3
Fig 3-1, SDR sections .......... 31
Fig 3-2, Typical Transmitter & Receiver Block Diagram of SDR .......... 33
Fig 3-3, Block Diagram of a Typical RFID Tag/Reader System .......... 35
Fig 3-4, RF-ID Block Diagram .......... 37

Chapter 4
Fig 4-1, USRP .......... 41
Fig 4-2, USRP Motherboard .......... 42
Fig 4-3, the Block Diagram of the USRP Digital Down Converter .......... 44
Fig 4-4, CIC Decimator .......... 45
Fig 4-5, USRP FPGA Digital Down Converter .......... 46
Fig 4-6, FPGA DEMUX Implementation in Transmit Path .......... 47
Fig 4-7, RFX900 Daughterboard .......... 49
Fig 4-8, VERT900 .......... 50
Fig 4-9, Basic USRP Block Diagram .......... 52
Fig 4-10, Asterisk .......... 56

Chapter 5
Fig 5-1, The Traditional GSM Network Structure .......... 63
Fig 5-2, Smart OpenBTS Network Operation .......... 64
Fig 5-3, Call Flow for the Traditional GSM Network .......... 65
Fig 5-4, Call Flow for the Smart OpenBTS Network .......... 66

Chapter 6
Fig 6-1, the spectrum analyzer using the USRP and the GNURadio .......... 74

[IEE98] IEEE. IEEE Standard for Safety Levels with Respect to Human Exposure to Radio Frequency Electromagnetic Fields, 3 kHz to 300 GHz, 1998. http://www.icnirp.org/documents/emfgdl.pdf
[Mun] Sylvain Munaut. pySIM. http://git.osmocom.org/gitweb?p=pysim.git;a=summary
[opea] Kal v0.3. http://sourceforge.net/mailarchive/attachment.php?list_name=openbts-discuss&message_id=AANLkTimOp6tMUb69OaCtoEaf5x71ZPVZeYiAryEGCTAK%40mail.gmail.com&counter=1
[opeb] OpenBTS. https://secure.wikimedia.org/wikipedia/en/wiki/OpenBTS
[opec] OpenBTS Clock Modifications. http://gnuradio.org/redmine/wiki/gnuradio/OpenBTSClockModifications
[oped] OpenBTS Clocks. http://sourceforge.net/apps/trac/openbts/wiki/OpenBTS/Clocks
[opee] OpenBTS Discuss mailing-list. http://sourceforge.net/mailarchive/forum.php?forum_name=openbts-discuss
[opef] PhoneInfo. http://www.newlc.com/en/phoneinfo
[ope09] FAQ for the Burning Man 2009 Papa Legba Test Network, 2009. http://sourceforge.net/apps/trac/openbts/wiki/OpenBTS/BM2009FAQ

Other web sources:
www.hutchison-whampoa.com/eng/telecom/htil/htil.htm
http://en.wikipedia.org/wiki/GSM_frequency_ranges
http://www.iec.org/online/tutorials/gsm/topic05.asp
http://www.telecomspace.com/gsm-specifications.html
http://www.tutorialspoint.com/gsm/gsm_specification.htm
http://www.visualtron.com/gsm_topic05.htm
http://www.visualtron.com/gsm_topic04.htm
http://www.cs.ucl.ac.uk/staff/t.pagtzis/wireless/gsm/arch.html
www.tutorialspoint.com/gsm/gsm_architecture.htm
http://www.sitefinder.ofcom.org.uk/jargon.htm