Introduction All the processing has been done in MatLab (mixed with some manual calculations). I chose to use MatLab instead of trying to write new GnuRadio blocks because:

- I have more experience with MatLab and the available time was short - The files are relatively short and to get the maximum amount of information out of

them they cannot be processed the same way one would do with data from the air. - Several of the functions needed (channel impulse response calculation, viterbi

detection, block (de)coding) where already available in GSMsim, which runs in MatLab.

I have submitted all the MatLab files that I have used. It is very easy to single step through a MatLab function to learn how it works. I believe that the files can be used equally well with Octave, but the functions from the signal processing tool box might have to be replaced if you do not have it installed. Numbers in square brackets are references to GSM standards. Example: [04.03: 10.3.4] = 3GPP TS 04.03 sub-clause 10.3.4. File names in italics are MatLab files. Example: (calc_freq_offset.m).

Initial processing of the files The following had to be done before any data could be extracted from the files:

1. Low pass filter (load_filter_resample.m) 2. Resample to 4x GSM bit rate (load_filter_resample.m) 3. Find a frequency correction burst (find_fcch.m) 4. Calculate the frequency offset (calc_freq_offset.m) 5. Correct the frequency (xlat_freq.m)

How to get control channel messages The main steps involved in extracting a layer 3 data messages is:

1. Calculate burst locations based on synchronization channel information 2. Find the channel impulse response and exact bit timing for the burst (mafi.m) 3. Demodulate using the viterbi algorithm (viterbi_detector.m) 4. De-map the data bits (DeMUX.m) [05.03: 4.1.5] 5. De-interleave 4 burst to get 1 block of data (deinterleave.m) [05.03: 4.1.4] 6. De-convolute the block code (channel_dec_sacch.m) [05.03: 4.1.3] 7. Check block parity (check_parity_sacch.m) [05.03: 4.1.2]

GSMSP_20070204_robert_dbsrx_953.6MHz_128.cfile

Physical channel 0

Frequency Correction Channel (FCCH) The file contains 3 frequency correction bursts. They start at sample 51841, 101841 and 151840 (sample numbers are after re-sampling). The MatLab script fcch.m shows their location and calculates the frequency error to be 8097 Hz, 8051 Hz and 8076 Hz. The error is probably the same for all of them, but the calculation method is not that accurate.

Synchronization Channel (SCH) The file contains 3 frequency synchronization bursts. The MatLab script sch.m calculates their exact location (based on approximate locations manually calculated from the frequency correction burst locations). The data in the sync bursts [44.018: 9.1.30a] indicate: Burst starting at 57018 is frame number 857107 Burst starting at 107018 is frame number 857117 Burst starting at 157017 is frame number 857127 Base Station Identity Code (BSIC) = 56 (PLMN colour code = 7, BS colour code = 0)

Broadcast Control Channel (BCCH) Frames 857108 – 857111 [45.002] contain a BCCH message: Message header:

L2 pseudo length = 18 octets L3 protocol discriminator = Radio Resource Management Message type = SYSTEM INFORMATION TYPE 3 [44.018: 9.1.35]

Cell identity = 0x3b2d Location area identifier:

Mobile Country Code = 272 = “Ireland” Mobile Network Code = 02 = “O2 / Digifone mmO2” Location Area Code = 0x3aa8

Control channel description [3GPP TS 44.018: 10.5.2.11]: MSCR = 1 = “MSC is Release ’99 onwards” ATT = 1 = “MSs in the cell shall apply IMSI attach and detach procedure” BS-AG-BLKS-RE = 2 = “2 blocks reserved for access grant” CCCH_CONF = 0 = “1 basic physical channel for CCCH, not combined with SDCCH” BS-PA-MFRMS = 3 = “5 multiframes periods for PAGING REQUEST“ CBQ3 = 0 = “/u mode not supported” T3212 timeout vaule = 60

Cell options (BCCH): Radio link timeout = 4 DTX = 1 = “The MS shall use uplink discontinuous transmission” PWRC = 1 DN-IND = 0 = “Dynamic AFRCN mapping not used”

Cell Selection Parameters [44.018: 10.5.2.4]: MS-TXPWR-MAX-CCH = 5

CELL-RESELECT-HYSTERESIS = 3 RXLEV-ACCESS-MIN = 6 NECI = 0 ACS = 0

RACH Control Parameters [10.5.2.29]: RE = 1 = “Call reestablishment not allowed in the cell” CELL BARR ACCESS = 0 = “Cell is not barred” Tx-Integer = 14 = “32 slots used to spread transmission” Max retrans = 2 = “Maximum 4 retransmissions” Access Control Class = 0

The above message contents were manually interpreted from the layer 3 data extracted from the sample file by the MatLab script bcch.m. The location of BCCH bursts were manually calculated based on SCH information.

Paging Channel (PCH) Following the BCCH message there are 2 empty paging requests [04.06: 5.4.2.3]:

Protocol discriminator = 6 = Radio Resource Management [04.07: 11.2.3.1.1] Message type = 0x21 = PAGING REQUEST TYPE 1 [44.018: 10.4][44.018: 9.1.22]

Page mode = 0 = Normal [44.018: 10.5.2.26] Channel needed = 1 = SDCCH [44.018: 10.5.2.8] Mobile identity = 0 = This is a paging channel fill message [24.008: 10.5.1.4] Run MatLab script pch.m to display the message contents.

Physical channels 1-3 These channels are sending dummy bursts [05.02: 5.2.6] only. View them by running phych1.m, phych2.m or phych3.m.

Physical channels 4-6 These channels are sending mostly normal burst but there are also some dummy burst at the end. The data seems to be encoded the same way as the control channels. The file is long enough to extract 4 blocks of data (messages) from each channel, but they all seem to be sending only some fill message. Run MatLab scripts phych4.m phych5.m or phych6.m to have a look at the data blocks.

Physical channel 7 This channel is sending mostly dummy bursts, but there are 2 normal bursts in the file, 26 frames apart. There is not enough information to tell what data is being transferred. Run MatLab script phych7.m to have a look at the bursts.

GSMSP_20070204_robert_dbsrx_941.0MHz_128.cfile

Physical channel 0

Frequency Correction Channel (FCCH) The file contains 3 frequency correction bursts. They start at sample 14939, 64937 and 114936 (sample numbers are after re-sampling). The MatLab script fcch.m shows their location and calculates the frequency error to be 7819 Hz, 7806 Hz and 7833 Hz. The error should probably the same for all of them, but the calculation method is not that accurate.

Synchronization Channel (SCH) The file contains 3 frequency synchronization bursts. The MatLab script sch.m calculates their exact location (based on approximate locations manually calculated from the frequency correction burst locations). The data in the sync bursts [44.018: 9.1.30a] indicate: Burst starting at 19946 is frame number 674996 Burst starting at 69944 is frame number 675006 Burst starting at 169943 is frame number 675016 Base Station Identity Code (BSIC) = 128 ( PLMN colour code = 4, BS colour code = 0)

Paging channel (PCH) There are 6 paging channel messages in the file: Message 1: Frames 674997 – 675000 Message 2: Frames 675001 – 675004 Message 3: Frames 675007 – 675010 Message 4: Frames 675012 – 675014 Message 5: Frames 675017 – 675020 Message 6: Frames 675021 - 675024 Message 1-2 and 5-6:

Protocol discriminator = 6 = Radio Resource Management [04.07: 11.2.3.1.1] Message type = 0x21 = PAGING REQUEST TYPE 1 [44.018: 10.4][44.018: 9.1.22]

Page mode = 0 = Normal [44.018: 10.5.2.26] Channel needed = 1 = SDCCH [44.018: 10.5.2.8] Mobile identity = 0 = This is a paging channel fill message [24.008: 10.5.1.4] Message 3:

Protocol discriminator = 6 = Radio Resource Management [04.07: 11.2.3.1.1] Message type = 0x21 = PAGING REQUEST TYPE 1 [44.018: 10.4][44.018: 9.1.22] Page mode = 0 = Normal [44.018: 10.5.2.26] First channel needed = 2 = TCH/F Second channel needed = 2 = TCH/F Mobile identity 1 = TMSI 0x2402810b [24.008: 10.5.1.4] Mobile identity 2 = TMSI 0x18000312 [24.008: 10.5.1.4]

Message 4: Protocol discriminator = 6 = Radio Resource Management [04.07: 11.2.3.1.1]

Message type = 0x21 = PAGING REQUEST TYPE 1 [44.018: 10.4] Page mode = 0 = Normal [44.018: 10.5.2.26] First channel needed = 2 = TCH/F Second channel needed = 0

Mobile identity 1 = TMSI 2e020e94 Run MatLab script pch.m to see the contents of the messages.

Physical channel 1- 7 All these channels are sending dummy bursts only. View them by running for example phych1.m.

GSMSP_20070204_robert_dbsrx_953.6MHz_64.cfile

Physical channel 0

Frequency Correction Channel (FCCH) information The file contains 2 frequency correction bursts. They start at sample 25695 and 75700 (sample numbers are after re-sampling). The MatLab script fcch.m shows their location and calculates the frequency error to be 8047 Hz and 8050 Hz. The error should probably the same for all of them, but the calculation method is not that accurate.

Synchronization Channel (SCH) information The data in the sync bursts [44.018: 9.1.30a] indicate: Burst starting at 30704 is frame number 834983 Burst starting at 80703 is frame number 834993 Base Station Identity Code (BSIC) = 56 (PLMN colour code = 7, BS colour code = 0)

Common Control Channel (CCCH) information The two first messages (frames numbered 834978 to 834981 and 843984 to 843987) are fill messages [04.06: 5.4.2.3]. The third message (frame numbers 843988 – 843991) is an empty PAGING REQUEST TYPE 1 message as previously described.

Physical channels 1-3 and 7 These channels are sending dummy bursts [05.02: 5.2.6] only. View them by running for example phych1.m.

Physical channels 4-6 These channels are sending mostly normal burst but there are also some dummy burst at the end. The data seems to be encoded the same way as the control channels. The file is long enough to extract 3 blocks of data (messages) from each channel, but they all seem to be sending only some fill message. Run MatLab scripts phych4.m phych5.m or phych6.m to have a look at the data blocks.