Cellular Network Infrastructure

h1. Cell Broadcast

{{>toc}}

Normally, all user plane data in GSM/GPRS networks are sent in point-to-point channels from the network to the user. Those are called "dedicated" radio channels whcih exist between the network and one given phone/subscriber at a time.

Cell Broadcast is an exception to that rule.  It permits user data (so-called SMS-CB data) to be broadcast by the network in a way that can be received by all phones in the coverage area of the given [[BTS]] simultaneously.

More high-level information can be found at https://en.wikipedia.org/wiki/Cell_Broadcast and the related specification is found at "3GPP TS 23.041 Technical realization of Cell Broadcast Service (CBS)":http://www.3gpp.org/ftp/Specs/html-info/23041.htm

*NOTE: In 3G/UMTS networks, Cell Broadcast is called [[Service_Area_Broadcast]] and we have a dedicated wiki page for it.*

{{graphviz_link()

digraph G {

  BTS0 [label="BTS"];

  BTS1 [label="BTS"];

  BTS10 [label="BTS"];

  BTS11 [label="BTS"];

  BSC1 [label="BSC"];

  User -> CBC [label="proprietaty"];

  CBC -> BSC [label="CBSP"];

  CBC -> BSC1 [label="CBSP"];

  BSC -> BTS0 [label="RSL"];

  BSC -> BTS1 [label="RSL"];

  BSC1 -> BTS10 [label="RSL"];

  BSC1 -> BTS11 [label="RSL"];

  BTS0 -> MS [label="CBCH"];

}

}}

h2. Use Cases

Cell Broadcast was used for various different use cases primarily in the 1990ies and early 2000s, including

* advertisement of the GPS position of the cell tower you're currently camping on

* advertisement of the calling codes of your current "home zone", i.e. a "lower cost short distance" call zone travelling with you as you roam around.

More recently, SMS-CB is seeing some uptake by various desaster warning systems, such as

* CMAS (Commercial Mobile Alert System), later renamed to WEA ("Wireless Emergency Alerts":https://en.wikipedia.org/wiki/Wireless_Emergency_Alerts) in the US.

* EU-Alert in the European union

* Messer Ishi (Rocket Alert) in Israel

* ETWS (Earthquake and Tsunami Warning System) in Japan

* KPAS (Korean Public Alert System)

h2. Osmocom Cell Broadcast support

* [[OsmoBTS:]] implements

** the CBCH channel (both BASIC and EXTENDED) in the SDCCH/4 and SDCCH/8

** the "SMS BROADCAST COMMAND" Message in RSL according to Section 8.5.8 of 3GPP TS 08.58

** the "CBCH LOAD INDICATION" Message in RSL, which allows the BSC to perform flow control of CBCH messages

* [[OsmoNITB:]] and [[OsmoBSC:]] implement a VTY command @bts <0-255> smscb-command <1-4> HEXSTRING@ to send a given hex-formatted cell broadcast message to a specified BTS (this is more a hack for manual testing)

** you (obviously) first need to enable a timeslot/channel combination on the BTS that actually includes a CBCH, i.e. ccch+sdcch4+cbch or sdcch8+cbch

* [[OsmoBSC:]] implements

** the scheduling / allocation of CBCH resources in presence of possibly many SMSCB messages, taking into account their message size, repetition period, duration

** the CBSP protocol according to 3GPP TS 48.049 for interaction with a CBC

** CBCH flow control based on incoming CBCH LOAD INDICATION via RSL from BTSs

** transmission of SMSCB using SMS BROADCAST COMMAND via RSL to BTSs

* [[OsmoCBC:]] implements

* FIXME

h3. How to test/use it

h4. Using recent OsmoBSC and OsmoCBC

h5. make sure your related BTS is configured to use a channel combination with CBCH

For using a combined CCCH with SDCCH/4 and CBCH you can use the following example snippet as part of osmo-bsc.cfg:

<pre>

network

 bts 0

  trx 0

   timeslot 0

    phys_chan_config CCCH+SDCCH4+CBCH

</pre>

h5. Setting up OsmoCBC

FIXME.

h4. Using the "manual hack" via BSC/NITB VTY command

!osmocom-cbs.png!

This is sufficient for manual transmission of cell-broadcast messages in a lab environment or in small networks.  The functionality has been developed and "used at the 31st annual CCC congress (31C3) to deliver spoofed _Presidential Level Alert_ messages":https://twitter.com/2b_as/status/549695235207737344/photo/1

You need to perform two steps:

h5. make sure your related BTS is configured to use a channel combination with CBCH

For using a combined CCCH with SDCCH/4 and CBCH you can use the following example snippet as part of osmo-bsc.cfg:

<pre>

network

 bts 0

  trx 0

   timeslot 0

    phys_chan_config CCCH+SDCCH4+CBCH

</pre>

h5. telnet to osmo-bsc at port 4242, and enter something like

<pre>

enable

bts 0 smscb-command 1 001000320f1141660c344dd3cba09a0c

</pre>

where "1" is the number of blocks required (each 22 bytes need one block)

and the hex-dump at the end is the encoded GSM 04.12 message to be broadcast.

h2. Message Structure

* Message has maximum 15 pages

* Each page is 82 bytes of data, resulting in 93 characters in GSM 7-bit default alphabet

* Messges are broadcast on logical channels (more like an address)

* Subscribers can activate/deactivate selective addresses

h2. Further Reading

* ITU-T SG2 (Standardization of CB Channels)

* ETSI 102 444

* "3GPP TS 23.041 GSM: Technical realization of Cell Broadcast Service (CBS)":https://www.etsi.org/deliver/etsi_ts/123000_123099/123041/15.02.00_60/ts_123041v150200p.pdf

* "3GPP TS 48.049 GSM: Baste Station Controller - Cell Broadcast Centre (BSC-CBC) interface specification; Cell Broadcast Service Protocol (CBSP)":https://www.etsi.org/deliver/etsi_ts/148000_148099/148049/15.00.00_60/ts_148049v150000p.pdf

* "3GPP TS 22.268 PWS: Public Warning System (PWS) requirements":http://www.etsi.org/deliver/etsi_ts/122200_122299/122268/14.00.00_60/ts_122268v140000p.pdf

* "3GPP TS 44.012 GSM: Short Message Service Cell Broadcast (SMSCB) support on the mobile radio interface":https://www.etsi.org/deliver/etsi_ts/144000_144099/144012/15.00.00_60/ts_144012v150000p.pdf

* "Whitepaper on Displaying Cell Broadcast":https://www.one2many.eu/assets/files/19_displaying-cb-messages.pdf

h3. EU-Alert

* "ETSI/EMTEL TS 102 900":https://www.etsi.org/deliver/etsi_ts/102900_102999/102900/01.01.01_60/ts_102900v010101p.pdf

h3. CMAS

* "FCC 08-99: First Report and Order":https://www.one2many.eu/assets/files/16_first-report-and-order.pdf

* "FCC 08-164: Second Report and Order":https://www.one2many.eu/assets/files/17_second-report-and-order.pdf

* "FCC 08-184: Third Report and Order":https://www.one2many.eu/assets/files/18_third-report-and-order.pdf

* "ATIS/TIA Standard J-STD-100 (Mobile Device Behavior)":https://global.ihs.com/doc_detail.cfm?&document_name=TIA%20J-STD-100

* "ATIS/TIA Standard J-STD-101 (Federal Alert Gateway to CMSP Gateway Interface Spec)":https://global.ihs.com/doc_detail.cfm?&document_name=TIA%20J-STD-101

* "ATIS/TIA Standard J-STD-102 (Federal Alert Gateway to CMSP Gateway Interface Test Spec)":https://global.ihs.com/doc_detail.cfm?&document_name=TIA%20J-STD-102

* "ATIS 0700006 eWEA via GSM/UMTS Cell Broadcast Service Spec":https://global.ihs.com/doc_detail.cfm?document_name=ATIS%200700006

* "ATIS 0700007 Implementation Guidelines and Best Practises for GSM/UMTS Cell Broadcast Service":https://global.ihs.com/doc_detail.cfm?document_name=ATIS%200700007

* "ATIS 0700008 Cell Broadcast Entity (CBE)-to-Cell Broadcast Center (CBC) Interface Specification":https://global.ihs.com/doc_detail.cfm?document_name=ATIS%200700008

* "ATIS 0700010 Enhanced Wireless Emergency Alert (eWEA) via EPS Public Warning System Specification":https://global.ihs.com/doc_detail.cfm?document_name=ATIS%200700010

h3. ETWS

* "3GPP TS 22.168: ETWS Requirements Stage 1":https://www.etsi.org/deliver/etsi_ts/122100_122199/122168/08.03.00_60/ts_122168v080300p.pdf

* various modifications to TS 23.038, 23.401, 25.304, 25.331, see http://www.3gpp.org/DynaReport/WiCr--370051.htm

h2. Cell Broadcast in 3G/UMTS

See [[Service_Area_Broadcast]]

h3. Cell Broadcast in 4G/LTE

h4. SBc interface between CBC and MME

The interface is based on a ASN.1 based protocol called SBc-AP which is specified in "3GPP TS 29.168":https://www.etsi.org/deliver/etsi_ts/129100_129199/129168/15.01.00_60/ts_129168v150100p.pdf

The protocol operates over SCTP. Connections are initiated by the CBC to the MME, and the MME listens for SBcAP connections on SCTP port 29168.