Telecom Operations and Interesting Concepts

This page covers practical telecom operations concepts including subscriber management, location tracking, inter-operator calls, billing, and special services.

HLR vs VLR - Understanding Subscriber Databases

HLR (Home Location Register)

The permanent home of subscriber data.

HLR Contains:

• IMSI (International Mobile Subscriber Identity): Permanent unique ID
• MSISDN (Mobile Station ISDN Number): Phone number
• Authentication key (Ki): Secret key stored in SIM and HLR
• Subscribed services: What the user is allowed to do
• Service restrictions: Roaming limits, barring
• Supplementary services: Call forwarding, call waiting, etc.
• Current VLR address: Where subscriber is currently located

Location: One per operator (centralized database)

Analogy: Your permanent home address and official records

---

VLR (Visitor Location Register)

Temporary local cache of subscriber information.

VLR Contains:

• Copy of subscriber data from HLR
• TMSI (Temporary Mobile Subscriber Identity): Temporary ID for privacy
• Location Area: Current LA where mobile is camping
• Active services: What's currently enabled
• Faster access: No need to query HLR for every call

Location: Usually co-located with MSC (one VLR per MSC coverage area)

Analogy: Hotel guest register - temporary records while you're in town

---

Key Differences

Feature	HLR	VLR
Purpose	Permanent home database	Temporary local cache
Scope	Entire operator network	MSC service area
Data	Complete subscriber profile	Copy of essential data
Number	1 per operator	Multiple (1 per MSC)
Updates	Permanent changes	Temporary, updated frequently
Location	Centralized	Distributed
Lifetime	Subscription lifetime	While in area
Speed	Slower access	Faster (local)

---

How VLR Works - Location Update Process

Why VLR is Needed:

1. Performance: Faster local access than querying central HLR
2. Scalability: Distributes load across network
3. Efficiency: Reduces signaling to HLR
4. Availability: Works even if HLR connection is slow

Example:

• You're from Delhi (HLR in Delhi network)
• Travel to Mumbai
• Mumbai VLR gets copy of your data from HLR
• All calls in Mumbai handled by local MSC/VLR
• No need to contact Delhi HLR for every call

---

Phone Location Identification

Location Area (LA) Concept

Location Area (LA): Group of cells managed together for location tracking

How Network Tracks Your Phone:

1. Location Area Updates

Periodic Location Updates:

• Even if not moving, phone updates periodically (every 6-12 hours)
• Ensures network knows phone is still active
• Prevents unnecessary paging

2. Paging - Finding the Exact Phone

When someone calls you:

Paging Process:

1. Network knows Location Area (group of cells)
2. Broadcasts page on all cells in that LA
3. Your phone hears its number
4. Responds with exact location
5. Call connected to that cell

3. Cell Selection and Reselection

Your phone constantly:

• Measures signal strength from nearby cells
• Selects best cell to camp on
• Reselects when moving to better cell
• Updates LA if crossing LA boundary

---

Call Not Answered - Announcements in Local Language

Announcement Service Architecture

How Announcement Works

1. No Answer Detection

2. Language Selection Logic

How language is determined:

IF Caller_Circle == "Mumbai" OR "Delhi" THEN
    Language = "Hindi" OR "English"
ELSE IF Caller_Circle == "Chennai" THEN
    Language = "Tamil" OR "English"
ELSE IF Caller_Circle == "Kolkata" THEN
    Language = "Bengali" OR "English"
ELSE IF Caller_Circle == "Karnataka" THEN
    Language = "Kannada" OR "English"

Factors:

1. Calling party's circle: Where caller is located
2. Called party's circle: Home circle of called number
3. Operator configuration: Pre-configured per circle
4. SIM card language: If available in VLR

3. Types of Announcements

Scenario	Announcement
Not Reachable	"The number you are calling is currently switched off or out of coverage area"
Not Answering	"The subscriber you are calling is not responding"
Busy	"The subscriber you are calling is busy on another call"
Invalid Number	"The number you have dialed is not in service"
Call Barred	"The number you are calling has barred incoming calls"
Out of Credit	"The subscriber you are calling has insufficient balance"

Recording Storage:

• Multiple languages pre-recorded
• Stored in Announcement Server / IVR (Interactive Voice Response)
• Fast retrieval (< 1 second)

---

Call Latching and Capacity Management

MSC Capacity and Call Limits

How Calls Are "Latched" (Established)

Circuit/Resource Allocation:

1. Check capacity: MSC checks available resources
2. Allocate circuit: Assign a circuit/bearer
3. Reserve trunk: Reserve inter-MSC trunk if needed
4. Latch: Call established and maintained on this circuit
5. Hold resources: Circuit held until call ends

Call Drop After Timeout

Call Supervision Mechanisms:

1. Inactivity Timer: Drops call if no media for X minutes
2. Maximum Call Duration: Some operators limit call length (e.g., 2 hours)
3. Keepalive: Periodic signals to check both ends alive
4. Resource Management: Free up circuits for new calls

MSC Locked Numbers (Capacity Protection)

When MSC is overloaded:

Call Gapping / Throttling:

• During peak hours (New Year's Eve)
• During disasters (earthquake)
• Call gapping: Only allow 1 call per 5 seconds per user
• Priority: Emergency > Postpaid > Prepaid
• Temporary blocking: Reject new calls to protect network

---

Inter-Operator Calls and Point of Interconnection (PoI)

PoI (Point of Interconnection)

Physical and logical connection between two operators' networks.

Call from Aircel to BSNL - Step by Step

PoI Technical Details

Physical Layer:

Aircel Data Center <------ Fiber Optic ------> BSNL Data Center
                     |                      |
                   E1/STM Links         SS7 Links
                   Voice Trunks     Signaling Network

Components at PoI:

1. Media Gateway (MGW): Carries voice traffic
2. Signaling Gateway (SGW): SS7 signaling
3. Border Gateway: Security and traffic management
4. Mediation Device: Call records for billing

---

Interconnection Charges - Who Pays?

IUC (Interconnection Usage Charges)

Principle: Calling party's operator pays terminating operator

Billing Example: Aircel to BSNL Call

Scenario: 10-minute call from Aircel to BSNL

User Perspective:

Aircel User calls BSNL number for 10 minutes
Aircel charges user: ₹1/min × 10 min = ₹10

Operator Settlement (B2B):

Aircel (Originating) pays BSNL (Terminating)
IUC Rate: ₹0.06 per minute (example rate)
Aircel pays BSNL: ₹0.06 × 10 min = ₹0.60

Aircel's Revenue: ₹10.00 (from user)
Aircel's Cost: ₹0.60 (to BSNL)
Aircel's Margin: ₹9.40

IUC Components (India Example)

Service	Rate (as of 2020)
Mobile to Mobile	₹0.06/min (reduced to ₹0 in 2021)
Mobile to Landline	₹0.06/min
Landline to Mobile	₹0/min
SMS Termination	₹0.30 per SMS

Recent Change (India):

• From Oct 2021: Mobile-to-mobile IUC = ₹0 (Zero)
• Bill and Keep model: No payment between operators
• Simplified billing

International Roaming

---

CUG (Closed User Group)

What is CUG?

CUG = Private virtual network within the public mobile network

CUG Features

1. Inbound/Outbound Restrictions

CUG Configuration Options:

1. Incoming Calls:
   - Accept only from CUG members
   - Accept from anyone
   
2. Outgoing Calls:
   - Call only CUG members
   - Call CUG + specific numbers (whitelist)
   - Call anyone (but CUG calls are free)
   
3. Preferential Treatment:
   - Free calls within group
   - Discounted rates to CUG
   - Separate billing

2. CUG Types

Type 1: Corporate CUG

Company with 1000 employees
All get free internal calls
External calls at normal rates
Manager can call anyone
Employee restricted to CUG only

Type 2: Family CUG

Family plan with 5 members
Free calls within family
Each member can call outside
Shared data allowance

Type 3: Restricted CUG

Security / VIP numbers
Can only call within group
Outside calls completely blocked
High privacy

CUG Implementation in Network

HLR Configuration:

Subscriber: +919900011114
CUG ID: ABC-Corp-001
CUG Restrictions:
  - Incoming: Allow all
  - Outgoing: CUG members only
  - Preferential billing: Free within CUG
  - Index: 5 (permission level)

CUG Benefits

For Enterprises:

• ✅ Reduced costs (free internal calls)
• ✅ Better control (restrict employee calls)
• ✅ Security (closed communication)
• ✅ Centralized billing
• ✅ Group identity

For Operators:

• ✅ Enterprise revenue (sell CUG plans)
• ✅ Customer retention (whole company locked-in)
• ✅ Predictable traffic patterns

---

Other Interesting Concepts

1. Call Forwarding

Types:

• Unconditional: All calls forwarded
• No Reply: Forward if not answered in 20s
• Busy: Forward if line busy
• Not Reachable: Forward if phone off

2. Call Barring

Barring Types:

BAOC (Barring All Outgoing Calls)
- Cannot make any calls
- Emergency calls still allowed

BOIC (Barring Outgoing International Calls)
- Cannot call international numbers
- Domestic calls OK

BAIC (Barring All Incoming Calls)
- No one can call you
- Useful when traveling

BAIC-Roam (Barring Incoming when Roaming)
- Avoid roaming charges

3. USSD (Unstructured Supplementary Service Data)

What is USSD?

USSD is a session-based communication protocol used in 2G/3G networks for quick, real-time interaction with applications.

Think of it like: A quick chat with the network - you ask, network answers immediately.

Common USSD codes:

• *123# - Check balance
• *121# - Recharge
• *141# - Caller tunes
• *555# - Service menu

Key Characteristics:

• Works without internet
• Real-time, session-based
• Uses SS7 signaling network (control channel)
• Available in 2G/3G networks

---

DTMF - IVR Interaction

How Pressing "1" on IVR Works

DTMF (Dual-Tone Multi-Frequency) - Each number creates two audio tones

DTMF Frequency Table:

        1209 Hz  1336 Hz  1477 Hz
697 Hz    1        2        3
770 Hz    4        5        6
852 Hz    7        8        9
941 Hz    *        0        #

Example: Customer Care IVR

How it works:

1. User presses key → Phone generates two simultaneous audio tones
2. Tones travel as voice signal through the call
3. IVR receives and decodes tones using DTMF decoder
4. System responds based on which digit was pressed

---

USSD vs App-Based Services

Why JIO (4G/5G) Doesn't Support USSD

Why USSD Doesn't Work in 4G/5G:

Feature	2G/3G (R4)	4G/5G (VoLTE/VoNR)
Voice Network	Circuit Switched	Packet Switched (IP)
Signaling	SS7	SIP (Session Initiation Protocol)
USSD	✅ Supported (uses SS7)	❌ Not supported (no SS7)
Balance Check	*123# USSD	MyJio App / Website
Recharge	*121# USSD	Mobile App

JIO's Solution:

• MyJio App - Check balance, recharge, manage services
• Website - Online portal for services
• SMS - Send SMS to get balance

Why JIO has no 2G/3G:

• Started directly with 4G (2016)
• Never built R4 (2G/3G) infrastructure
• Pure all-IP network from day one

---

Flash Messages After Call

How Balance Flash Works (2G/3G)

Flash SMS (Class 0 SMS):

• Displays immediately on screen (not stored)
• Disappears when dismissed (not saved in inbox)
• Used for: Balance updates, promotional messages

In 4G/5G (VoLTE):

• Push Notifications from app
• SMS to inbox (not flash)
• In-app balance display

---

Circuit Switched vs Packet Switched Calls

How Calls Work in 2G/3G (Circuit Switched)

Think of it like: Reserving a private road from your house to your friend's house

Circuit Switched (2G/3G):

• Dedicated path created for entire call
• Fixed bandwidth reserved (even during silence)
• Continuous connection from start to end
• Wasteful: Path blocked even when you're not talking
• Quality: Consistent, dedicated line

Example:

Call duration: 10 minutes
You talk: 5 minutes
Silent/listening: 5 minutes

Bandwidth reserved: 10 minutes (full duration)
Wasted: 5 minutes of reserved but unused circuit

---

How Calls Work in 4G/5G (Packet Switched - VoLTE)

Think of it like: Sending letters through postal service

Packet Switched (4G/5G VoLTE/VoNR):

• Voice converted to data packets (like WhatsApp call)
• Each packet travels independently through network
• Shares network with other data (no dedicated path)
• Efficient: Only uses bandwidth when talking
• Intelligent: Packets take fastest available route

Simple Explanation:

2G/3G (Circuit):
├─ Like reserving entire highway lane for 10 minutes
├─ Even if you stop driving, lane is blocked
└─ Other cars can't use it

4G/5G (Packet):
├─ Like sending packages through courier
├─ Each word is a package traveling independently
├─ When you're silent, no packages sent = no bandwidth used
└─ Other data uses the same network efficiently

VoLTE Call as Packets:

Key Differences:

Feature	2G/3G Circuit	4G/5G Packet (VoLTE)
Connection	Dedicated path	Shared network
Efficiency	Wastes bandwidth during silence	Uses bandwidth only when talking
Quality	Consistent	Depends on network load
Setup Time	Slower (2-3 seconds)	Faster (1 second)
Voice Quality	Good (8 kHz)	Excellent (16 kHz HD Voice)
During Call	Cannot use fast internet	Can use LTE data simultaneously

---

PoI Charges in VoLTE Calls

Do VoLTE Calls Pay PoI Charges?

Yes! Even though it's data, VoLTE calls still generate interconnection charges.

How PoI Works for VoLTE:

1. JIO user calls Airtel user (both on VoLTE)
2. JIO's IMS Core processes the call
3. JIO Media Gateway converts to standard format
4. Travels through PoI (physical interconnection)
5. Airtel Media Gateway receives and processes
6. Airtel delivers to user
7. JIO pays Airtel IUC (interconnection charge)

Interesting:

• Even though it's "data" packets, it's still a "voice call"
• Interconnection charges apply same as 2G/3G
• PoI still needed for inter-operator calls

---

Multimedia in 2G/3G

Picture Messages via SMS (Before GPRS/MMS)

EMS (Enhanced Messaging Service) - Picture messages sent purely via SMS, no data connection needed

Think of it like: Image broken into tiny pieces and sent as multiple SMS messages

How It Works (Simple Explanation):

Your phone:
1. Takes a small pixel image (e.g., 16x16 pixels, black & white)
2. Converts pixels to binary data (0s and 1s)
3. Splits data into multiple SMS (each SMS = 140 bytes)
4. Sends as concatenated SMS

Receiver's phone:
1. Receives 3 separate SMS messages
2. Recognizes EMS header (special flag)
3. Reassembles the parts
4. Decodes binary → displays pixel image

SMS Count for Different Media:

Content Type	SMS Count	Size	Example
Text SMS	1	160 characters	"Hello, how are you?"
Picture (small)	3 SMS	~400 bytes	Black & white smiley face
Picture (larger)	5-7 SMS	~700-1000 bytes	Small icon or logo
Simple Ringtone	6 SMS	~800 bytes	Monophonic tune
Animation	10-15 SMS	~1500-2000 bytes	Small animated emoji

Real Example:

Sending a simple smiley face picture:

Your SMS quota: 100 SMS/day
You send 1 picture message → Uses 3 SMS
Remaining quota: 97 SMS

Your friend receives:
├─ SMS 1/3 (binary data)
├─ SMS 2/3 (binary data)
└─ SMS 3/3 (binary data)
   → Phone combines all → Shows smiley image

EMS vs MMS Comparison

Feature	EMS (SMS-based)	MMS (Data-based)
Data Connection	❌ Not needed	✅ Required (GPRS/EDGE)
Image Quality	Low (pixel art, B&W)	High (color, photos)
Image Size	400-1000 bytes	100-300 KB
SMS Count	3-7 SMS	0 SMS (uses data)
Cost	Free (uses SMS quota)	Data charges apply
Speed	Fast (direct SMS)	Slower (upload + download)
Phone Support	Old phones (2000-2005)	Newer phones (2005+)
Popular Era	2000-2005	2005-2015

Why 1 Picture = 3 SMS?

SMS Capacity:
├─ Normal SMS: 160 characters (or 140 bytes for binary)
├─ Picture data: ~400 bytes (small pixel image)
├─ Calculation: 400 bytes ÷ 140 bytes = 2.8 → Rounds to 3 SMS
└─ Phone sends: [Header + Part 1] + [Part 2] + [Part 3]

Each SMS contains:
├─ SMS 1: EMS Header + First 130 bytes of image
├─ SMS 2: Middle 140 bytes of image
└─ SMS 3: Last 130 bytes of image

---

How Ringtones Were Sent via SMS (No GPRS)

Monophonic Ringtones - Simple tunes sent as SMS

How Ringtone SMS Works:

RTTTL Format Example:
"HappyBday:d=4,o=5,b=125:8g,8g,a,g,c6,2b"

Encoding Process:
1. Ringtone in RTTTL text format (~800 bytes)
2. Convert to binary format
3. Split into 6 SMS (each 140 bytes)
4. Send as concatenated SMS

Receiving Process:
1. Phone gets 6 SMS messages
2. Recognizes EMS/Smart Messaging header
3. Reassembles the parts
4. Decodes into musical notes (beep-beep pattern)
5. Saves to ringtone folder

SMS Count for Music/Ringtones:

Simple Monophonic Ringtone:
├─ Size: ~800 bytes
├─ SMS needed: 800 ÷ 140 = 5.7 → 6 SMS
├─ Quality: Beep-beep tones (like Nokia ringtones)
└─ Duration: 15-30 seconds

Your quota impact:
├─ Before: 100 SMS/day remaining
├─ Receive 1 ringtone: -6 SMS
└─ After: 94 SMS remaining

Types of Ringtones (Evolution):

Type	Format	Size	SMS Count	Era	Quality
Monophonic	RTTTL	800 bytes	6 SMS	1998-2003	Beep-beep
Polyphonic	MIDI	3-5 KB	22-36 SMS	2003-2006	Multi-instrument
Real Tone (MP3)	MP3	500 KB	❌ Too large	2006+	CD quality

Why Polyphonic via SMS Was Rare:

Polyphonic ringtone: 5 KB = 5000 bytes
SMS needed: 5000 ÷ 140 = 36 SMS messages!

Problem:
├─ Too many SMS (expensive)
├─ Slow delivery (36 messages take time)
├─ Many parts can fail/arrive out of order
└─ Solution: Use GPRS/WAP Push instead

---

MMS (Multimedia Messaging Service)

MMS - Modern picture messages using data connection (GPRS/EDGE)

How it works (Simple):

1. You send picture from your phone
2. Phone uploads to MMS server using GPRS/EDGE data
3. MMS server stores image and creates download link
4. SMS notification sent to friend: "You got MMS!"
5. Friend clicks to download
6. Friend's phone downloads image using GPRS data

Why MMS replaced EMS:

• Color photos (not just pixel art)
• Larger images (up to 300 KB vs 1 KB)
• Video clips (10-30 seconds)
• Audio (voice messages, music)
• No SMS quota impact (uses data instead)

---

OTA (Over The Air) Ringtone Delivery

Method 1: WAP Push (Most Common)

Method 2: Direct SMS (Old Method)

Music Provider → Binary SMS (6 messages) → Your phone
Phone reassembles → Saves ringtone

Cost Comparison (2005-2010 Era):

Method	SMS Cost	Data Cost	Total	Speed
SMS (Monophonic)	6 × Rs 1 = Rs 6	Rs 0	Rs 6	Fast
WAP Push + GPRS	Rs 1	Rs 5 (500 KB @ Rs 10/MB)	Rs 6	Slow
Direct Download	Rs 0	Rs 10	Rs 10	Medium

Popular Services:

2005-2010 Era Services:
├─ "SMS SONG to 54321" → Get ringtone via SMS
├─ "Visit wap.music.com" → Download via WAP
├─ Operator portals (Airtel Live, Vodafone Live)
└─ Bluetooth transfer (free, peer-to-peer)

---

VoWiFi (Voice over WiFi)

What is VoWiFi?

VoWiFi allows you to make calls using WiFi network instead of cellular towers.

Think of it like: Your phone uses your home/office WiFi to connect to operator's network, then makes calls as usual.

VoWiFi Call Flow

Key Components:

• ePDG (Evolved Packet Data Gateway): Secure gateway to operator's network
• IPSec Tunnel: Encrypted connection from your phone to operator
• SIM Authentication: Your SIM card authenticates with operator
• IMS Core: Same IMS used for VoLTE

How VoWiFi is "Latched" (Connected):

1. Phone connects to WiFi (your home/office)
2. Phone detects operator's ePDG server (pre-configured)
3. Creates IPSec tunnel (encrypted connection) through internet
4. SIM authenticates with operator's ePDG
5. Registers with IMS - now ready for calls
6. Makes call - goes through WiFi → Internet → ePDG → IMS → Destination

Advantages:

• ✅ Works in areas with no cellular signal but WiFi available
• ✅ Better indoor coverage (basements, buildings)
• ✅ HD voice quality (if good WiFi)
• ✅ Same phone number - seamless handoff to cellular
• ✅ Free - no extra charges (uses WiFi data)

Limitations:

• ❌ Requires good WiFi (minimum 100 kbps upload/download)
• ❌ Battery drain (maintains IPSec tunnel)
• ❌ Quality depends on internet speed

---

VoIP Calls (WhatsApp, Skype, etc.)

VoIP vs VoLTE vs VoWiFi

Comparison Table

Feature	VoLTE	VoWiFi	VoIP (WhatsApp)
Network	4G Cellular	WiFi + Operator	Any Internet
Phone Number	Yes	Yes	No (username)
SIM Required	Yes	Yes	No
Billing	Operator charges	Operator charges	Free (uses data)
Call To	Any phone number	Any phone number	Only app users
Quality	HD (16 kHz)	HD (depends on WiFi)	Varies
Regulation	Regulated	Regulated	Less regulated
Emergency Calls	✅ Works	✅ Works	❌ No 911/112
Handoff	To 3G/2G	To VoLTE/3G	No handoff

Simple Explanation:

VoLTE:
└─ Like calling from your phone as normal (uses 4G towers)

VoWiFi:
└─ Like calling from your phone via WiFi (still operator network)
└─ Same phone number, same billing

VoIP (WhatsApp/Skype):
└─ Like video calling (uses internet only)
└─ No phone number involved
└─ Can only call others with same app

---

Pilot Number

What is a Pilot Number?

Pilot Number = A main number that routes to a group of numbers (hunt group)

Think of it like: Calling a company's main number, and it automatically finds a free agent.

Pilot Number Use Cases

1. Customer Care Centers

Company: XYZ Bank
Pilot Number: 1800-123-4567

Hunt Group:
├─ Agent 1: +919900011111 (Busy)
├─ Agent 2: +919900011112 (Busy)
├─ Agent 3: +919900011113 (Available) ← Call connects here
├─ Agent 4: +919900011114 (Available)
└─ Agent 5: +919900011115 (On break)

Customer dials 1800-123-4567
→ System finds Agent 3 available
→ Call connected to +919900011113

2. Hunt Group Algorithm

Sequential (Round Robin):
└─ Try Agent 1 → Agent 2 → Agent 3 in order

Simultaneous (Ring All):
└─ Ring all agents, first to answer gets call

Least Busy:
└─ Route to agent with fewest calls today

Priority Based:
└─ Senior agents get priority

---

SS7 (Signaling System 7)

What is SS7?

SS7 is the control channel for the entire telecom network - it's how networks talk to each other.

Think of it like: The command center that coordinates all calls, SMS, and roaming.

SS7 Protocol Stack

Application Layer:
├─ MAP (Mobile Application Part) - Mobile services
├─ ISUP (ISDN User Part) - Call setup/teardown
└─ TCAP (Transaction Capabilities) - Queries

Transport Layer:
├─ SCCP (Signaling Connection Control Part) - Routing
└─ MTP3 (Message Transfer Part 3) - Network layer

Physical Layer:
├─ MTP2 (Data link)
└─ MTP1 (Physical links - E1/T1)

What SS7 Does

SS7 is used for:

1. Call Setup/Teardown (ISUP messages)
2. SMS Delivery (MAP messages)
3. Roaming (Location updates)
4. Number Portability (Query which operator owns number)
5. USSD (Balance check, recharge)
6. Caller ID (Sending calling number)
7. Fraud Prevention (Detect cloned SIMs)

SS7 Vulnerabilities:

• ❌ Not encrypted by design (1980s protocol)
• ❌ Intercept calls - SS7 hacking
• ❌ Track location - Query HLR for user location
• ❌ Redirect SMS - Intercept OTPs

Modern Security:

• Firewalls at SS7 gateways
• Filter suspicious queries
• Limit international SS7 access

---

Phone Tapping and Lawful Intercept

How Police Intercepts Calls

Lawful Intercept (LI) is a legal mechanism for authorized agencies to monitor communications.

Lawful Intercept Architecture (Indian System)

How Numbers Are Marked for Interception

Operator Side Configuration:

HLR/HSS Database Entry:

Subscriber: +919900012345
IMSI: 404451234567890
Services: Voice, Data, SMS

Lawful Intercept Flags:
├─ LI_ACTIVE: TRUE
├─ LI_REQUEST_ID: COURT_2024_12345
├─ LI_TYPE: FULL (Voice + SMS + Data + Location)
├─ LI_DURATION: 90 days
├─ LI_AUTHORITY: Delhi Police / CBI
├─ LI_DESTINATION: LEMF_Delhi
└─ MARKING: ** (Internal operator code)

Call Processing:
├─ When call setup initiated
├─ MSC queries HLR
├─ HLR returns: LI_ACTIVE = TRUE
├─ MSC routes copy to LI Gateway
└─ Original call continues normally

Number Marking Conventions (Operator Internal):

Marking	Meaning	Access Level
*	VIP - Priority service, no barring	Limited engineers
**	Lawful Intercept - Under surveillance	Security team only
***	Fraud Alert - Suspected fraud, monitor	Fraud dept
VVIP	Government VIP - Special handling	Top management
TEST	Test numbers - No billing	Network team

What Data is Captured

Captured Information:

1. Voice Calls: Actual audio recording
2. SMS: Content and sender/receiver
3. Location: Real-time cell tower location
4. Metadata: Who called whom, when, duration
5. Data: Internet usage (websites, apps) - if warrant allows
6. IMEI: Device identification
7. IMSI: SIM card identification

Legal Framework (India)

Laws Governing Interception:

1. Indian Telegraph Act, 1885 - Section 5(2)
2. IT Act, 2000 - Section 69
3. Criminal Procedure Code - Section 91

Authorization Required:

• Union Home Secretary or State Home Secretary
• Valid for max 180 days (renewable)
• Court order or emergency provisions

Who Can Order:

• Central Government (National Security)
• State Government (Public Safety)
• Must be in "interest of sovereignty, security, public order"

---

Fraud Call Blocking at HLR

How Operator Blocks Fraud Calls

Fraud Detection Patterns

1. High Volume Fraud

Normal User:
├─ 10-20 calls per day
├─ Call duration: 3-10 minutes
└─ Familiar numbers

Fraud Pattern:
├─ 500+ calls per day
├─ Call duration: 2-5 seconds (just connect and disconnect)
├─ Sequential numbers (+919900012345, +919900012346...)
└─ Purpose: Test active numbers for spam database

2. International Premium Rate Fraud

Fraud Pattern:
├─ Calls to international premium numbers
├─ Countries: Estonia, Latvia, small islands
├─ High cost: Rs 200-500 per minute
├─ Victim's phone hacked/cloned
└─ Fraudster gets revenue share from premium number

3. SIM Box Fraud

Fraud Setup:
├─ 100+ SIM cards in device (SIM box)
├─ Converts VoIP calls to GSM calls
├─ Bypass international charges
├─ Operator loses revenue

Detection:
├─ Same location for many numbers
├─ Simultaneous calls
├─ Unusual IMEI changes

HLR-Based Blocking

HLR Fraud Flags:

Subscriber: +919900012345

Fraud Indicators:
├─ FRAUD_SCORE: 95/100 (HIGH)
├─ BARRING_STATUS: OUTGOING_INTERNATIONAL
├─ CALL_LIMIT: 50 calls/day
├─ PREMIUM_RATE_BLOCK: YES
├─ NOTIFY_ON_ROAMING: YES
└─ AUTO_SUSPEND: ENABLED

Actions Taken:
├─ Block international calls
├─ Limit to 50 calls per day
├─ SMS alert on every call
└─ Customer care notification

Fraud Prevention Measures:

1. Velocity Checks: Limit calls per hour
2. Destination Blocking: Block high-risk countries
3. Spending Limits: Max Rs 5000/day for international
4. Location Tracking: Alert if location changes too fast
5. IMEI Validation: Check if device is cloned
6. AI/ML Models: Detect unusual patterns

---

HLR in 4G/5G Networks

HSS (Home Subscriber Server) - The 4G/5G HLR

In 4G/5G, HLR is replaced/evolved into HSS

Comparison: HLR vs HSS vs UDM

Feature	HLR (2G/3G)	HSS (4G)	UDM (5G)
Full Name	Home Location Register	Home Subscriber Server	Unified Data Management
Network	Circuit Switched (2G/3G)	All-IP (4G LTE)	Cloud Native (5G)
Protocol	SS7/MAP	Diameter	HTTP/2, SBI
Architecture	Monolithic	Monolithic	Microservices
Data Stored	IMSI, MSISDN, Ki, VLR	IMSI, IMEI, Keys, MME	SUPI, Keys, Network Slices
Authentication	GSM AKA	LTE AKA (EPS-AKA)	5G AKA
Connected To	MSC, VLR, GMSC	MME, S-GW, P-GW	AMF, SMF, UPF

4G HSS Functions

HSS Database Contents:

Subscriber: +919900012345
IMSI: 404451234567890
IMEI: 123456789012345

Authentication:
├─ K (Secret Key)
├─ OPc (Operator Code)
├─ SQN (Sequence Number)
└─ Authentication Vectors (4G)

Subscription:
├─ APN: internet, ims
├─ QoS Profile: Gold (50 Mbps)
├─ Network Slicing: eMBB, URLLC
├─ VoLTE: Enabled
├─ VoWiFi: Enabled
└─ Data Limit: 2 GB/day

Current Location:
├─ MME: MME_Mumbai_1
├─ TAI (Tracking Area): TA_4501
└─ eNodeB: eNB_12345

Lawful Intercept:
├─ LI_ACTIVE: FALSE
└─ FRAUD_SCORE: 15/100 (LOW)

5G UDM (Unified Data Management)

In 5G, HSS evolves to UDM + other network functions

5G Changes:

1. UDM: Handles data management (like HSS)
2. UDR: Unified Data Repository (database layer)
3. AUSF: Authentication Server Function (separate from UDM)
4. Microservices: Each function is independent
5. Cloud Native: Runs on cloud infrastructure
6. HTTP/2 APIs: Modern protocols (not Diameter)

Why Separate in 5G?

• Scalability: Scale each function independently
• Flexibility: Mix and match vendors
• Cloud: Deploy on AWS, Azure, GCP
• Network Slicing: Different UDMs for different slices

---

Signal Jammers

How Jammers Work

Jammer = Device that blocks mobile signals by creating radio interference

Think of it like: Shouting loudly in a room so no one can hear each other talk.

Jammer Technical Working

How Jamming Works (Simple Explanation)

Radio Basics:

• Mobile networks use radio frequencies (like FM radio)
• Each generation uses specific bands:
  • 2G GSM: 900 MHz, 1800 MHz
  • 3G WCDMA: 2100 MHz
  • 4G LTE: 1800 MHz, 2300 MHz, 2500 MHz
  • 5G NR: 3500 MHz, 700 MHz

Jammer Operation:

1. Jammer broadcasts NOISE on same frequencies
2. Noise is MUCH LOUDER than tower signal
3. Phone cannot decode tower signal
4. Phone thinks: "No signal available"
5. Shows: "Emergency Calls Only" or "No Service"

Example:

Without Jammer:
Tower signal: -70 dBm (phone can decode)
Background noise: -110 dBm (very quiet)
Result: Phone registers, makes calls ✓

With Jammer:
Tower signal: -70 dBm (same)
Jammer noise: -40 dBm (VERY LOUD)
Result: Phone cannot decode tower signal
Status: "No Service" ✗

Types of Jammers

1. Portable Jammer

Size: Small briefcase
Range: 10-50 meters
Power: Battery operated
Bands: Selected (e.g., only 4G)
Use: Personal, illegal in most countries

2. High Power Jammer

Size: Large unit (vehicle-mounted)
Range: 500 meters - 2 km
Power: External power supply
Bands: All (2G/3G/4G/5G)
Use: Military, prisons, VIP security

3. Selective Jammer

Blocks: Only specific frequencies
Example: Block 4G, allow 2G for emergency
Use: Exam halls (allow calls, block internet)

Jammer Architecture

Effect on Different Services

Service	Effect	Why
Voice Calls	❌ Blocked	Cannot connect to tower
SMS	❌ Blocked	Needs tower connection
Mobile Data	❌ Blocked	No network signal
WiFi	✅ Works (if WiFi jammer not used)	Different frequency
GPS	⚠️ May work	Satellites (not cellular), unless GPS jammer
Emergency Calls	❌ Blocked	Cannot reach tower

Legal Aspects (India)

Legality:

• ❌ Illegal for public use (Wireless Telegraphy Act)
• ✅ Allowed for:
  • Prisons (prevent prisoner communication)
  • Exam Halls (prevent cheating)
  • VIP Security (prevent remote bomb triggers)
  • Military (tactical operations)

Permission Required:

• Department of Telecommunications (DoT)
• Ministry of Home Affairs
• Specific court orders

Penalties for Illegal Use:

• Imprisonment: Up to 3 years
• Fine: Up to Rs 5 lakhs
• Equipment seizure

Detection of Jammers

Network Side:

Detection Indicators:

1. Sudden drop of all users in area
2. Time pattern (e.g., during exams)
3. Localized (small area affected)
4. All frequencies jammed simultaneously
5. RF spectrum shows unusual noise

Counter-Measures:

1. Spectrum Analyzer: Detect jamming signal
2. Direction Finding: Locate jammer source
3. Legal Action: Seize equipment
4. Frequency Hopping: Some military systems can hop to clear frequency

---

Summary

Key Concepts Covered

Database Management:

• HLR: Permanent home subscriber database
• VLR: Temporary local cache for faster access
• Location tracking: Via Location Area and paging

Call Handling:

• Announcements: Local language based on circle
• Call capacity: MSC limits, call gapping
• Call supervision: Timers and resource management

Inter-Operator:

• PoI: Physical connection between operators
• IUC: Interconnection charges (originating pays terminating)
• Settlement: B2B billing between operators

Special Services:

• CUG: Closed user groups for enterprises
• Call forwarding: Redirect calls
• Call barring: Restrict calls
• USSD: Quick service codes

Understanding Telecom Billing

---

Related Topics

• 2G/3G Architecture - Network components
• VoLTE & IMS Architecture - Modern networks
• Call Flow Diagrams - Detailed call flows