Saturday, 30 July 2011

Wi-Fi in Public Transport over LTE

Another interesting presentation from the LTE World Summit 2011 on how LTE can be used as backhaul in trains to provide passenger WiFi and other services.

Thursday, 28 July 2011

Human Activity Recognition for Personalised services

Interesting article from the NTT Docomo Technical journal.

How many radios are there in my phone?


From a presentation by John Haine of Cognovo at the Future of Wireless International Conference 2011.

Wednesday, 27 July 2011

MRO: Handover failures signalling

Continuing with the Self-Organising Network (SON) feature of Mobility Robustness Optimisation (MRO) and handover failures.


One of the discussions I had with a colleague was about how the signalling would happen in the case of the handover failures I mentioned earlier.

After the handover failure, when the connection is successfully established again, whether as a normal Setup, a Re-Establishment or an RRC Reconfiguration, a new optional field is available:

rlf-InfoAvailable-r10 ENUMERATED {true} OPTIONAL,

This is used to indicate to the network that the UE has some information relating to the RL Failure that occurred.

The network will then use the UE Information Request I blogged about earlier to ask for this information. The UE will send the information back in the response.

It should be noted that the UEInformationRequest and Response messages were introduced as part of Release-9, but there have since been some updates in Release-10. The Response message now looks as follows:

    RLF-Report-r9 ::= SEQUENCE {
        measResultLastServCell-r9 SEQUENCE {
            rsrpResult-r9 RSRP-Range,
            rsrqResult-r9 RSRQ-Range OPTIONAL
        },
        measResultNeighCells-r9 SEQUENCE {
            measResultListEUTRA-r9 MeasResultList2EUTRA-r9 OPTIONAL,
            measResultListUTRA-r9 MeasResultList2UTRA-r9 OPTIONAL,
            measResultListGERAN-r9 MeasResultListGERAN OPTIONAL,
            measResultsCDMA2000-r9 MeasResultList2CDMA2000-r9 OPTIONAL
        } OPTIONAL,
        ...,
        [[ locationInfo-r10 LocationInfo-r10 OPTIONAL,
           failedPCellId-r10 CHOICE {
               cellGlobalId-r10 CellGlobalIdEUTRA,
               pci-arfcn-r10 SEQUENCE {
                   physCellId-r10 PhysCellId,
                   carrierFreq-r10 ARFCN-ValueEUTRA
               }
           } OPTIONAL,
           reestablishmentCellId-r10 CellGlobalIdEUTRA OPTIONAL,
           timeConnFailure-r10 INTEGER (0..1023) OPTIONAL,
           connectionFailureType-r10 ENUMERATED {rlf, hof} OPTIONAL,
           previousPCellId-r10 CellGlobalIdEUTRA OPTIONAL
        ]]
    }

Everything after the extension marker ellipsis (...) was added in Release-10. More information is in the Release-10 RRC specs (36.331).

Tuesday, 26 July 2011

Outline of GCF Certification Process


From a presentation by Colin Hamling, Vice Chair, GCF Steering Group, at the LTE World Summit, Amsterdam, 18 May 2011.

Monday, 25 July 2011

Femto Hacking in UMTS and LTE

A couple of weeks back, The Hacker's Choice (THC) made available some documents about how Vodafone's (UK) Femtocell (a.k.a. SureSignal) is insecure and can be hacked. Everyone seemed to jump on this bandwagon, with some news articles even sounding like the whole Vodafone network had been hacked and hackers may be sending messages and making calls via your phone number.

In the end it came to light that the problem was fixed over a year back when Vodafone was made aware of this problem. THC is still arguing that there is an architecture fault and the Femto can be compromised.

As a result I decided to think about what could happen if the Femtocell is hacked.

Let's take the case of a UMTS Femtocell. A simple network architecture with a femtocell (officially known as Home NodeB) is as follows:

As you can see, the signalling over the air interface is encrypted and integrity protected. If a hacker is able to get into the Femto and able to listen to all the packets using some tool like Wireshark, he would be able to get hold of the Ciphering and Integrity Keys as they come in cleartext in the RANAP Security Mode Command message.

It wouldn't be difficult to have a device that can listen to the conversations once provided with these keys. In fact, if the hacker is able to listen to the messages, there is no reason he cannot stick his own messages in at the right interval (when a voice call is ongoing) to send an SMS, and it would appear that the message actually went from the phone number. Note that this message would be inserted in the Home NodeB and would be a NAS message. The end user would generally never find out that a message has been sent on behalf of his phone.

One thing that should be remembered though is that the phone would have to be in the range of the Femtocell and connected successfully to the network (via the Femto). One question someone may have is whether the key can be reverse engineered so that the SIM card can be cloned. Fortunately for us, this is not easily possible. There are multiple levels of protection and generally it would be difficult to get the algorithms for generating the key. Also it should be noted that the authentication algorithms are confidential and only the operators know the algorithm.

Now let's look at the LTE Femtocell (a.k.a. Home eNodeB) as shown below:

One of the differences you may notice is that the signalling from Femto to the Core Network over S1 is encrypted and Integrity Protected. In case of the LTE Femto, there are multiple keys and only the required key (Kenb) is provided to the Femto. See the key hierarchy below:

This would sound like an ideal protection from the end user perspective but some of the problems still remain. If the hacker can get hold of the Kenb which is sent in cleartext over the S1 interface via Initial Context Setup Request message then he could easily use it to listen to the packets. Since there is no voice support as of yet in LTE, it would only be the packets that the hacker can listen to.

As you may notice, there is now Integrity and Ciphering on the S1 interface for the UE messages; the hacker cannot get hold of the Kasme or the master keys K, CK and IK. This means that he cannot insert rogue messages that would, for example, send unsolicited SMS on behalf of the user as he would be able to do in the case of UMTS.

There is a small caveat though. There are multiple Ciphering and Integrity algorithms defined in the standard. No ciphering is defined as the eea0 algorithm. In Release-8 of LTE, there was no possibility to have Integrity switched off as there was no eia0 algorithm defined. In Release-9 though, the new eia0 has been defined, which means that the network can set the Integrity to NULL. I am sure that the network would not want to do so as it makes absolutely no sense, but the hacker can force it to do so.

When the Network requests the UE to send the capability information, the hacker can force it to say that it only supports eia0 and eea0 which would mean that the integrity and ciphering in the call would be off. To be honest, this is quite a difficult thing to do in real time and also the network would not accept a UE that does not support other Integrity and Ciphering algorithms.
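The rejection described above (a capability set offering only eia0 and eea0 is not accepted) can be sketched as network-side selection logic. This is an added example, not code from the original post or from any vendor; the function names, priority lists, sample capability sets and the choice of eea1/eea2 and eia1/eia2 as the algorithms a compliant UE must offer are assumptions, and eia0 is treated as acceptable only for an unauthenticated emergency call.

```python
"""Algorithm selection that refuses a null-only capability set (added example)."""
from dataclasses import dataclass

NULL_CIPHER = "eea0"      # no ciphering
NULL_INTEGRITY = "eia0"   # no integrity protection, defined from Release-9
# Assumption: the non-null algorithms a compliant UE is expected to offer.
MANDATORY_CIPHER = frozenset({"eea1", "eea2"})
MANDATORY_INTEGRITY = frozenset({"eia1", "eia2"})


class PolicyViolation(Exception):
    """The reported capabilities must not be accepted for a normal session."""


@dataclass(frozen=True)
class UeSecurityCapabilities:
    ciphering: frozenset
    integrity: frozenset


def caps(ciphering, integrity):
    """Build a capability set from two iterables of algorithm names."""
    return UeSecurityCapabilities(frozenset(ciphering), frozenset(integrity))


def select_algorithms(ue, cipher_priority, integrity_priority,
                      unauthenticated_emergency=False):
    """Pick (ciphering, integrity) from the operator's ordered priority lists."""
    if unauthenticated_emergency:
        # No keys exist for such a call, so null algorithms are the only option.
        return NULL_CIPHER, NULL_INTEGRITY
    missing = (MANDATORY_CIPHER - ue.ciphering) | (MANDATORY_INTEGRITY - ue.integrity)
    if missing:
        raise PolicyViolation("missing mandatory algorithms: "
                              + ", ".join(sorted(missing)))
    # Null integrity is never selected for a normal session, whatever the lists say.
    integrity = next((a for a in integrity_priority
                      if a in ue.integrity and a != NULL_INTEGRITY), None)
    cipher = next((a for a in cipher_priority if a in ue.ciphering), None)
    if integrity is None or cipher is None:
        raise PolicyViolation("no acceptable algorithm in common with the UE")
    return cipher, integrity


def capabilities_downgraded(sent_by_ue, seen_by_core):
    """True when algorithms the UE offered are absent from what the core received."""
    return bool((sent_by_ue.ciphering - seen_by_core.ciphering)
                or (sent_by_ue.integrity - seen_by_core.integrity))


# Constructed sample capability sets and operator priority lists.
FULL = caps({"eea0", "eea1", "eea2"}, {"eia0", "eia1", "eia2"})
NULL_ONLY = caps({"eea0"}, {"eia0"})
CIPHER_PRIORITY = ["eea2", "eea1", "eea0"]
INTEGRITY_PRIORITY = ["eia2", "eia1"]

if __name__ == "__main__":
    print(select_algorithms(FULL, CIPHER_PRIORITY, INTEGRITY_PRIORITY))
    try:
        select_algorithms(NULL_ONLY, CIPHER_PRIORITY, INTEGRITY_PRIORITY)
    except PolicyViolation as exc:
        print("rejected:", exc)
    print("downgrade detected:", capabilities_downgraded(FULL, NULL_ONLY))
```

The downgrade check models the comparison made when the capabilities are echoed back to the UE under integrity protection: any algorithm the UE offered that the core never saw indicates the capability list was altered in transit.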

3GPP has already foreseen these kinds of threats that could be affecting the networks in the future when they roll out the Femtocells. As a result they have produced 3GPP TR 33.820 that lists all the possible threats and the best practices that can help to minimise the chances of the network being compromised. If that document is too big and technical, you can go through this presentation as it summarises some of the problems.

Feel free to comment or correct any mistakes that you think I have made.

Friday, 22 July 2011

Mobility Robustness Optimization to avoid Handover failures

The following is from 4G Americas Whitepaper on SON:

Mobility Robustness Optimization (MRO) encompasses the automated optimization of parameters affecting active mode and idle mode handovers to ensure good end-user quality and performance, while considering possible competing interactions with other SON features such as automatic neighbor relation and load balancing.

There is also some potential for interaction with Cell Outage Compensation and Energy Savings as these could also potentially adjust the handover boundaries in a way that conflicts with MRO. While the goal of MRO is the same regardless of radio technology, namely the optimization of end-user performance and system capacity, the specific algorithms and parameters vary with technology.

The objective of MRO is to dynamically improve the network performance of HO (Handovers) in order to provide improved end-user experience as well as increased network capacity. This is done by automatically adapting cell parameters to adjust handover boundaries based on feedback of performance indicators. Typically, the objective is to eliminate Radio Link Failures and reduce unnecessary handovers. Automation of MRO minimizes human intervention in the network management and optimization tasks.

The scope of mobility robustness optimization as described here assumes a well-designed network with overlapping RF coverage of neighboring sites. The optimization of handover parameters by system operators typically involves either focused drive-testing, detailed system log collection and postprocessing, or a combination of these manual and intensive tasks. Incorrect HO parameter settings can negatively affect user experience and waste network resources by causing HO ping-pongs, HO failures and Radio Link Failures (RLF). While HO failures that do not lead to RLFs are often recoverable and invisible to the user, RLFs caused by incorrect HO parameter settings have a combined impact on user experience and network resources. Therefore, the main objective of mobility robustness optimization should be the reduction of the number of HO-related radio link failures. Additionally, sub-optimal configuration of HO parameters may lead to degradation of service performance, even if it does not result in RLFs. One example is the incorrect setting of HO hysteresis, which may result in ping-pongs or excessively delayed handovers to a target cell. Therefore, the secondary objective of MRO is the reduction of the inefficient use of network resources due to unnecessary or missed handovers.

Most problems associated with HO failures or sub-optimal system performance can ultimately be categorized as either too-early or too-late triggering of the handover, provided that the required fundamental network RF coverage exists. Thus, poor HO-related performance can generally be categorized by the following events:

* Intra-RAT late HO triggering
* Intra-RAT early HO triggering
* Intra-RAT HO to an incorrect cell
* Inter-RAT too late HO
* Inter-RAT unnecessary HO

Up to Release 9, a UE is required to send RLF report only in case of successful RRC re-establishment after a connection failure. Release 10 allows support for RLF reports to be sent even when the RRC reestablishment does not succeed. The UE is required to report additional information to assist the eNB in determining if the problem is coverage related (no strong neighbors) or handover problems (too early, too late or wrong cell). Furthermore, Release 10 allows for precise detection of too early / wrong cell HO.
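How the Release 10 report fields shown in the 27 July post (failedPCellId-r10, previousPCellId-r10, reestablishmentCellId-r10, timeConnFailure-r10, connectionFailureType-r10) can separate the intra-RAT too-early, too-late and wrong-cell cases listed above. This is an added, simplified example, not code from the whitepaper or from 3GPP; the 5-second "recent handover" limit, the single-letter cell names and the sample reports are assumptions.

```python
"""Classify Release-10 RLF reports into MRO handover categories (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# timeConnFailure-r10 counts 100 ms steps (0..1023) since the last handover was
# initiated. Treating anything under 5 s as "recent" is an assumed operator setting.
RECENT_HO_LIMIT = 50


@dataclass
class RlfReport:
    failed_pcell: str                     # failedPCellId-r10
    reestablishment_cell: Optional[str]   # reestablishmentCellId-r10
    previous_pcell: Optional[str]         # previousPCellId-r10 (source of last HO)
    time_conn_failure: Optional[int]      # timeConnFailure-r10
    failure_type: Optional[str]           # connectionFailureType-r10: rlf or hof


def classify(r, limit=RECENT_HO_LIMIT):
    """Return too-early, too-late, wrong-cell or undetermined for one report."""
    if r.time_conn_failure is not None and not 0 <= r.time_conn_failure <= 1023:
        raise ValueError("timeConnFailure outside INTEGER (0..1023)")
    if r.failure_type not in (None, "rlf", "hof"):
        raise ValueError("connectionFailureType must be rlf or hof")
    reest = r.reestablishment_cell
    if reest is None:
        return "undetermined"             # no recovery cell to compare against
    recent_ho = (r.previous_pcell is not None
                 and r.time_conn_failure is not None
                 and r.time_conn_failure < limit)
    if recent_ho:
        if reest == r.previous_pcell:
            return "too-early"            # UE fell back to the source cell
        if reest != r.failed_pcell:
            return "wrong-cell"           # neither source nor target was right
        if r.failure_type == "hof":
            return "too-late"             # HO failed, UE still ended up in target
        return "undetermined"
    # No recent handover: the failure happened before any HO was triggered.
    return "too-late" if reest != r.failed_pcell else "undetermined"


def summarise(reports):
    """Count categories so handover parameters can be tuned from the totals."""
    return Counter(classify(r) for r in reports)


# Constructed sample reports (failed, re-establishment, previous, time, type).
SAMPLE_REPORTS = [
    RlfReport("B", "A", "A", 12, "rlf"),
    RlfReport("B", "C", "A", 8, "rlf"),
    RlfReport("A", "B", None, None, "rlf"),
    RlfReport("B", "B", "A", 3, "hof"),
    RlfReport("A", None, None, None, "rlf"),
    RlfReport("B", "C", "A", 1023, "rlf"),
]

if __name__ == "__main__":
    for report in SAMPLE_REPORTS:
        print(report, "->", classify(report))
    print(dict(summarise(SAMPLE_REPORTS)))
```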

Thursday, 21 July 2011

Smart Deployment with Smart Antennas and ORI

This is from a presentation by Dr. Peter Meissner, Operating Officer, NGMN Alliance.

It's very interesting the way antennas are evolving.

If you are interested in reading more about ORI, see the earlier post here.

Wednesday, 20 July 2011

NSN Celebrating 20 years of GSM

It's been 20 years since the first GSM call was made and GSM is still as relevant today as it was 10 years back. My earlier post today was about the technology deployment and adoption trends and my guess is that GSM/GPRS will still be relevant for a long time to come, especially as it's the de-facto fallback for roaming calls.

Some facts about GSM that you should know:

* First network launched in 1991
* There are 838 GSM Networks in 234 countries with 4.4 Billion subscribers
* In 2010, 1.44 million GSM subscribers were added every day
* 545 EDGE networks in 198 countries with 1.5 Billion subscribers
* By 2015, 1.5 billion GSM M2M subscribers will be present

Here is a presentation from NSN about 20 years of GSM and since they had the privilege of launching the first commercial network I am sure they have a good reason to celebrate.

20 Years of GSM: Past, Present & Future
A new section on 3G4G website on GSM has been added here.

Technology Deployment and Adoption Trends

This informative slide shows the number of years it takes after the technology is launched to reach the peak volumes. Though we know this to be true for the 1G and 2G systems, I find it difficult to believe the same would be true for 3G and 4G systems.

If the LTE deployments are going to happen as per the plans then we may see the peak volumes for 3G/HSPA+ around 2016. It would be difficult to predict the same for '4G' systems as we do not know as of now what all would be part of 4G. As you would recall, LTE was supposed to be 3.9G, but that was too confusing so everyone adopted it as 4G. LTE-A, the real 4G, I guess would still be part of 4G. What else would end up as 4G is hard to predict so we will have to go with the prediction for the time being.

Tuesday, 19 July 2011

Dual-Mode and Multi-Mode Femtocells

Came across this slide in one of the presentations from MWC.

The Dual-Mode, and maybe in future Multi-Mode, solution may be very useful, not only because it can serve LTE as well as 3G mobile devices, but also because an LTE mobile may have to fall back on the 3G network for voice calls; if there is no 3G coverage then there would be no voice communication possible.

One of the ways to have voice communication in the initial phases of LTE is CS Fallback (CSFB). CSFB is possible by the UE establishing the call on the UMTS or GSM network. If for some reason the coverage on those networks is non-existent then having a dual-mode femtocell can be really helpful as it would seamlessly transfer the voice call on to 3G.

Hopefully in the future when VoLTE is here these problems would be solved automatically.

The main problem that I can see with this Dual-mode or Multi-mode solution is that the operator would have to support Small Cell solutions across both networks, and I guess they would be slightly expensive.

Monday, 18 July 2011

Infographic on 'The Internet of Things'

Very interesting Infographic from Cisco on the 'Internet of Things' that we have discussed before.

Since it's not possible for me to put the whole Infographic here, you can check it out on Cisco blogs.

A Survey on 3GPP Heterogeneous Networks

Available for limited time to download free from here.

Sunday, 17 July 2011

Network Mode of Operation (NMO)

Picture Source: Tektronix

The Network Mode of Operation (NMO) is also sometimes referred to as Network Operation Mode (NOM). The Network Modes have different values and interpretation in UTRAN and GERAN.

In both cases the operation mode is decided based on the Gs interface between the CS CN (core network), a.k.a. MSC, and the PS CN, a.k.a. SGSN.


Network Operation Mode I (NMO-I) is used when the Gs interface is present. In this case during the registration a Combined Attach (includes GPRS Attach & IMSI Attach procedures) procedure can be performed. A GMM Attach Request message with the attach type set to Combined Attach is used. Upon completion of this procedure, MM Status is IMSI Attached and GMM State is Attached.

In Network Operation Mode II (NMO-II) the Gs interface is not present. So the GMM attach procedure and the IMSI Attach (via Location Update) have to be performed separately. This causes additional signalling.

Basic air interface signalling in case of NMO2 is shown here.


Network operation mode 1. A network which has the Gs interface implemented is referred to as being in network operation mode 1. CS and PS paging is coordinated in this mode of operation on either the GPRS or the GSM paging channel. If the mobile device has been assigned a data traffic channel then CS paging will take place over this data channel rather than the paging channel (CS or PS).

Network operation mode 2. The Gs interface is not present and there is no GPRS paging channel present. In this case, paging for CS and PS devices will be transferred over the standard GSM common control channel (CCCH) paging channel. Even if the mobile device has been assigned a packet data channel, CS paging will continue to take place over the CCCH paging channel and thus monitoring of this channel is still required.

Network operation mode 3. The Gs interface is not present. CS paging will be transferred over the CCCH paging channel. PS paging will be transferred over the packet CCCH (PCCCH) paging channel, if it exists in the cell. In this case the mobile device needs to monitor both the paging channels.

The GERAN part above is an extract from the book Convergence Technologies for 3G Networks.

The Gs interface has a number of subtle but important advantages:

* During an ongoing GPRS / EDGE data transfer (TBF established), mobiles can't detect incoming voice calls and SMS messages as they are focused on receiving packets and thus cannot observe the paging channel. In NMO-1, the circuit switched part of the network forwards the paging message to the packet switched side of the network which then forwards the paging message between the user data blocks while a data transfer is ongoing. Mobiles can thus receive the paging message despite the ongoing data transfer, interrupt the session and accept the voice call or SMS.

* Location/Routing area updates when moving to a cell in a different location/routing area are performed much faster as the mobile only communicates with the packet switched part of the network. The packet switched network (the SGSN) then forwards the location update to the circuit switched part of the network (to the MSC) which spares the mobile from doing it itself. This is especially important for ongoing data transfers as these are interrupted for a shorter period of time.

* Cell reselections from UMTS to GPRS can be executed much faster due to the same effect as described in the previous bullet. Without NOM-1 an Inter RAT (Radio Access Technology) cell reselection with Location and Routing Area update requires around 10 to 12 seconds. With NOM-1 the time is reduced to around 5 to 6 seconds. An important difference as this reduces the chance to miss an incoming call during the change of the radio network. Also, ongoing data transfers are interrupted for a shorter time, an additional benefit that should not be underestimated.

Tuesday, 12 July 2011

Couple of presentations on GNSS and LCS

I came across a couple of presentations from the International Conference on Localization and GNSS, held in Tampere, Finland, June 29-30, 2011.

This first presentation by Lauri Wirola of Nokia gives a good summary of standardized positioning technologies in use today. It also lists the difference between control plane and user plane positioning. The 3GPP based positioning from Rel 5 to Rel 8 has been listed. Overall a very interesting presentation.

The second presentation, by Ignacio Fernández Hernández of the European Commission, gives an overview of the EU satnav programmes (Galileo, EGNOS) and current R&D status, presents some numbers and findings of the overall GNSS R&D panorama in the EU and abroad, and presents some trends and challenges in location technologies for the following years. Another interesting presentation I think.

Thursday, 7 July 2011

Antenna height and coverage

From a presentation by Ed Candy of '3' at FWIC.
Self-explanatory.

Tuesday, 5 July 2011

Revenues vs Network Investments

Nice Pic summarising the Network investments vs Revenue for Voice and Data.

Friday, 1 July 2011

Summary of 'The Future of Wireless International Conference' #fwic

Here is a summary of the Future of Wireless International conference held in Cambridge on the 27th and 28th of June 2011. The summary is a compilation of my notes with the tweets sent using the #FWIC tag.


Roberto di Pietro, VP Product Marketing and Business Development, Qualcomm CDMA Technologies
• 26 million 3G connections being added every month
• 226% growth is seen in smartphones from 2010 - 2014
• Mobile as a single platform for developers.
• Devices smart enough to know which network to connect to
• Qualcomm arrived on the scene 6 months after everyone but they are the only ones with 4G, 3G and 2G multi-mode chips
• In 2012 they would be releasing the new System Architecture with Single / Dual / Quad cores up to 2.5GHz (Snapdragon next gen)
• Question: Will smartphones die in the future when people move to tablets for everything except for voice/sms and they get simpler phones for that
• Answer: Smartphones will co-exist as companion devices with the tablets and will continue growing for a while.
• In other discussions: QoS will be a big differentiator and offloading would certainly be needed. Femtocells are going to form part of any strategy.
• Network signaling load and need for developers to improve apps design noted in Qualcomm keynote here in Cambridge

Mr. BongGoon Kwak, Senior Vice President, The head of Mobile Business Fast Incubation Business Department Mobile Business Group in Korea Telecom.
• KT adding 0.5 million users every month.
• Mobile data predicted to grow 26 fold by 2015 (6.2 exabytes/month)
• E = MC^2. Where E = evolution, M = mobile and C = connectivity
• Mobile banking users in Korea increased 100% to 18 million due to smartphones
• Smartphone ARPU up 32% on feature phone
• KakaoTalk users have increased which has in turn reduced the SMS ARPU
• NaaS (Network as a Service) is a new trend

Mr. Edward Zhou, CMO of Western European Region, Huawei Technologies Co. Ltd.
• states they have 5300 people in Europe but only 65% are from local market
• No. 2 telecom solution provider with revenues of $28 billion
• has 110,000+ employees with 150 nationalities worldwide, more than half work in R&D
• By 2020 there will be 5.5B MBB (Mobile Broadband) users as opposed to 1.5B FBB (Fixed Broadband)
• 70% of companies (especially SMEs) will be using cloud based services.

Mr. R. Swaminathan, Senior Executive Vice President, Reliance Communications Ltd.
• Low cost mobile networks and devices helped drive innovation in low cost business models in Rural India
• Customisation is a necessity for the rural market.
• One offering includes a fixed phone that uses Mobile as a backhaul using the Yagi antenna
• 15 operators in rural India. Voice tariff went from 20cents to 1 cent. Entry cost reduced by 95%
• ARPU in rural India is $2.
• Telecom operators have done innovations to keep costs to minimum
• Phone to tablet is best evolution for Indian rural market, using visual images and txt to speech technologies not smartphones
• Good to have some text to voice and vice-versa apps
• Ends with saying that there are 870 million people in rural India and possible market size is $25 billion that can be exploited

Kanwar Chadha, Chief Marketing Officer and Board Member of Cambridge Silicon Radio
• Innovations in location-aware wire-free connected world
• Spoke on view of local business vs global, very entertaining perspective, assume nothing and be careful of interpretation
• Example is the initial GPS cost $3700 but was still successful in Japan because guys wanted to show it off to their dates.
• Maslow's hierarchy of needs doesn't work for India as it's more important to have entertainment (TV) than roof.
• FM very successful in India but nowhere else.
• Sat Navs will not succeed in India because addresses and maps not very well mapped. Things like coupons, SMS will be very successful

Innovation Hothouse: Mr. Christian Leicher, Member of the Executive Board at Rohde & Schwarz GmbH & Co. KG.

Session on start-ups very interesting
• Augmentra talked of GPS based smartphone apps. Users can share and get paid when someone else downloads what they share. Their guidebooks, etc. are trusted by half the search and rescue mountain teams
• Oxems have a solution for the new plastic pipes that are being deployed. The normal metal detectors can't detect these pipes so they have an RFID based solution.
• Pneumacare has a non-contact medicare solution that can be used to track people with respiratory problems
• has a unique app discovery solution that can reach up to 6 million users in 90 different countries.
• Cambridge Temperature Concepts has a solution that can increase the chances of fertility without IVF to the same levels after 6 months use.

Interesting points from the breakout sessions:
• Mike Bowerman of Alcatel-Lucent: Soon we will see pricing based on time of day, location, etc. Infrastructure sharing lower costs but it means that coverage from some location can completely vanish.
• John Frieslaar of Huawei talks about how many will be connected to networks and the cause of demand
• Stephen Temple says industry must spur innovation, not gov. Agree, but will gov let us?
• 75% of UK mobile data consumption is driven by BBC iPlayer, YouTube and adult videos says Sam Leinhardt of Penthera
• Ed Candy, 3: Apps evolving from Handset Apps to Widgets to Intelligent Browsers based
• Content is king but context is queen
• O2 in UK started putting data caps and lost 7K customers in London. They were using 7% of network capacity so O2 happy to get rid of them

Stephen Baily, General Manager, BBC R&D
• BBC R&D iPlayer usage on tablets is 3million/mth 2% of total
• Dual screens being explored by BBC with a universal controller API. The proposal has been submitted to W3C.
• Working on Dual-Screen concept where iPad becomes a complementary device to TV (See
• BBC is looking again at mobile broadcasting based on DVB-t2m standard
• 90% of broadcast is normal schedule rather than the time shifted one.

Dr. Tapani Ryhänen, Laboratory Director, heading Eurolab (Cambridge and Lausanne) of Nokia Research Centre
• Imagining tomorrow devices, creating technology today
• Morph concept video

• Nokia Research Center in Cambridge working in lots of futuristic technologies like Data driven Apps, Stretchable electronics, Bend to zoom, flexible phone and display
• Another video that I wasn't able to locate on YouTube

Few points from The "Can big wireless deliver on the promise of a big society?" Panel Debate
• Motorola's David Chater-Lea: "Due to spectrum needs we're going to see breakdown of barriers between commercial & private networks"
• Neul/Ofcom's William Webb: "To get a truly wireless society we need more small cells and increased backhaul. Then we need FTTH"
• Otherwise we're going to have situation where wireless will be held back by the wired network
• Public safety: should governments use private networks or commercial networks & give priority to emergency services over customers?

Graham Fisher, Former CEO of Orange Labs R&D, BathCube:
• Net neutrality doesn't work in a world of finite resources
• High end phones expectations include screens that can work in sunlight, AR, 3D, etc.
• When it comes to retail price plans mobile operators are all in a bargain basement, they need to reintroduce value

Dan Reed, Corporate Vice President, Technology Policy and Strategy and eXtreme Computing Group at Microsoft
• The uber change happening is collision of computing/comms/content. We need to work out how to work together

Ken Blakeslee, Chairman of WebMobility Ventures:
• Digital natives vs digital immigrants
• Is mobile too inward looking?
• We're moving from hardware to software driven marketplace where communities are the new currency
• Users can be bought and bribed, communities can not

Interesting Observation:
• Cambridge Wireless - run largely by women as an organisation but 95% of attendees at Future of Wireless conf #fwic are male

Poll of #fwic audience returns 50:50 re: whether mobile infrastructure should be common wholesale solution vs competitive between operators

Hopefully you have enjoyed this summary!