Deep Technical

“Local Breakout” in GPRS

This article describes the “local breakout” function in YateBTS/OpenBTS GPRS cells, where user IP traffic originates directly from the cell site instead of from a centralized GGSN in the core network.

Standard GPRS Architecture

The standard GPRS data network has these parts:

BTS – the actual radio basestation, which handles user traffic up to layer 2
BSC – the basestation controller, which handles layer 3 for multiple BTS units
BSS – the BSC and the BTS units it controls, together as the “basestation subsystem”
SGSN – “serving GPRS support node”, handles authentication and mobility procedures for data connections
GGSN – …


Hardware Diagnostics in Your Cellular Network

The purpose of this article is to provide some background for network managers about the kinds of radio hardware diagnostics that are available from typical radio basestations (GSM BTS, UMTS NodeB, LTE eNodeB, 5G-NR gNodeB, etc.). They probably will not see these diagnostics directly, only the resulting warnings and alarms, but it takes some of the mystery out of the system to know how these warnings and alarms are generated. This article describes the internal diagnostics in our own SatSite product line, but the same principles apply in most cellular radio equipment. This article specifically focuses on diagnostics for the …


Sorting Out New-Generation RAN Terminology

This article is about protocols used or proposed for connecting remote radio heads (RRH) or radio units (RU) or whatever you call that part of the network to baseband units (BBU) or data units (DU) or C-RAN, or whatever you have in that other part of the network:

RRH/RU/whatever <-> BBU/DU/C-RAN/whatever

The fact that the sentence is so vague illustrates the need for this article. And the namespace for this topic is already so crowded with redundant terminology from different groups that it is difficult to talk even in general terms without accidentally using some defined term from a spec …




The MPDCCH in LTE-M

This post describes the operation of the MTC Physical Downlink Control Channel (MPDCCH) for sending downlink assignments and uplink grants to the client device.

Purpose of the MPDCCH

In LTE-M, radio resource assignments (the times and frequencies when a device is expected to receive or transmit) are dynamic, for both downlink (“DL”, network to device) and uplink (“UL”, device to network). Every bandwidth allocation covers a period of one subframe (which is 1 millisecond) and every bandwidth allocation is assigned independently. We need a special control channel to carry this control information that is moving in the downlink direction, which …

Ad Hoc Private Networks in GSM

Introduction

NiPC (“network in a PC”) is a mode of operation supported by YateBTS that allows the basestation to operate in 2.5G GSM/GPRS mode without a core network. While YateBTS NiPC mode does support normal authentication and ciphering with a local SIM database, NiPC also offers a feature that bypasses all security procedures and allows a phone to connect without authentication. Although we have moved along to private LTE/5G networks like everyone else in the world, there are still some use cases where this bypass can make GSM/GPRS the best (or only) choice. This article describes the 2G security architecture that …


Public Warning Systems in Mobile Networks

Introduction

Cell broadcast (CB) is a way to deliver a text message to large numbers of handsets over the cellular network. Its main use today is the delivery of Public Warning System (PWS) messages, also called CMAS, ETWS, Presidential Alerts, EU-Alerts, or other names in different parts of the world. The Legba Lab Kit supports PWS messages through standard signaling from a core network, or through file-based configuration and command line controls (not requiring a core network). This makes the Lab Kit an easy and inexpensive way to test with PWS messages, for handset testing, for testing emergency message content …


CSFB with the Legba Lab Kit

Introduction

Many 4G networks cannot carry plain old telephone calls, so many mobile operators support voice calls by transferring the handset to a 2G or 3G network for the duration of the call. The procedure for doing this is called “Circuit-Switched Fallback”, or CSFB. CSFB is an interesting procedure from a network operation perspective and from a security perspective. With a pair of Legba LabKits, one in 2G mode and one in 4G mode, you can reproduce and modify the CSFB procedure on a test bench.

The “Why” and “What” of Circuit-Switched Fallback

Circuit-Switched? What is that anyway? Since 1876, …

