About YateBTS

What is YateBTS?

YateBTS is a software implementation of a GSM/GPRS radio access network based on Yate and is compatible with both 2.5G and 4G core networks comprised in our YateUCN unified core network server.
Resiliency, customization and technology independence are the main attributes of YateBTS.
YateBTS takes a GSM signal from your cell-phone or any other machine, and sends it through a VoIP connection anywhere in the world.

Software Products

We offer an extended range of software solutions:

It is comprised of the full source code of Yate, released under the GPLv2 license, the MBTS radio component and the radio transceiver, released under the AGPLv3, and Yate’s built-in Javascript engine, which enables a simplified set of experiments and test procedures.
It is comprised of the MBTS radio component and the radio transceiver, released under the AGPLv3 license, and the commercial version of Yate, released under a binary license.
The Hosted Core comprises a YateUCN™ server, acting as a MSC/VLR, a YateHSS/HLR and an SMSC, allowing users to experiment the real feel of a fully functional GSM core network.

Hardware Products

We offer two main hardware products:

It is intended for mobile network operator labs, M2M application development, mobile phone vendors, academics and security researchers.
The Kit includes full source code for Yate (GPLv3) and the MBTS radio component (AGPLv3), and Yate’s built-in Javascript engine that simplifies the development of experiments and text procedures.

When connected to a tower mounted booster, the YateBTS SatSite can reach a power output ranging from 10 to 50W.
YateBTS SatSite is a simplified solution that implements both the radio access network and the core network, offering the complete functionality of a 2.5G network.
It is highly power efficient, and can be charged by solar panels.
SatSite also comes with the great advantage of being based on commodity hardware that can be serviced locally, in the carrier’s operating country.

How It Works

When you use your cell in a YateBTS network, the GSM signal reaches the antenna of the YateBTS.

Afterwards, the signal passes up to Layers 1 and 2 where the GSM signal is processed and is fed through the socket to Yate.
Yate renders the received connection with the protocol needed (SIP or another) to communicate with the outside server of the VoIP provider, for example, that links you to the person or machine that you want to communicate with.
YateBTS has been created with the purpose of delivering an enhanced and combined solution between L1 PHY, L2 Link Layer and L3 Radio Resource Manager, also know as MBTS, and Yate’s multiple features, such as the IAX over satellite, SS7 and Diameter, USSD, RManager, roaming or local phone switch.
YateBTS is a fundamental element in the YateUCN™, a single core solution for both LTE and 2/2.5 G networks.
It is is usually configured to operate in one of two modes:

  • YateUCN™  for for 2G SS7/MAP or 4G IMS/VoLTE mobile operate networks or
  • another YateBTS installation in NiPC mode for multi-site private networks.
Before moving to other concepts, it is important to go through the main reasons why YateBTS is different than any typical 2G base station on the market.

The Conventional Network Architecture Vs. the Unified Core Network™

Below you can find a classic GSM network with both its Radio Access Network and its Core Network:
GSM Network

Here is the Unified Core Network solution proposed by Legba and SS7Ware:

Unified core network

How the Unified Core Network Works

YateBTS transmits call traffic from the 2.5G mobile stations, as SIP, to OpenVoLTE. OpenVoLTE is SS7Ware’s open license solution for Voice over LTE. In a 2.5G network, OpenVoLTE acts as a MSC/VLR. OpenVoLTE then communicates through SS7/MAP to OpenHSS, which is both an HSS and an HLR. The same SS7/MAP interface is used to perform roaming with outside partners.
For the transmission of data, through GPRS, the YateBTS base station communicates with OpenSAE, which acts as a typical 2.5G GGSN element, over a GTP interface, thus routing traffic to and from the Internet. YateBTS covers all frequencies between 70 Mhz up to 3 GHZ.


In the following figure, you can discover the inner structure of a YateBTS base station. First of all, YateBTS has two main parts: the lower layer, managed by MBTS and the radio transceiver, handling the GSM part of the system, – and the network layer, handled by Yate and comprised of YBTS, the Yate module, and other Yate application modules (NiPC, Javascript, accfile for outbound calls or SIP/IAX).

Second of all, the MBTS connects to the radio transceiver through a socket interface, the same way the MBTS does to the network layer.
The Javascript module can handle RTP and SIP.

the inner structure of a YateBTS base station

Network in a PC

Network in PC is a Javascript implementation of a GSM core network.

It performs registering, routing calls, SMS, USSD messages and authenticates users to the public release of YateBTS.
NiPC consists of an HLR, an AuC and a VLR/MSC.

NiPC structure

Features of public and private versions of YateBTS

In the following, you will discover a diagram with the main features of both the open source and the commercial versions of YateBTS. YateBTS’ commercial version comes with roaming support, SS7 and Diameter and USSD.
Yatebts features.

YateBTS Architecture


YateBTS is comprised of two main parts:
  • a radio transceiver
  • MBTS, the L1 PHY, L2 link layer and L3 radio resource manager.
  • YBTS, a Yate module, is connected to the lower layers, namely Layer 1, 2 and 3, by a hard socket.
  • Yate application modules (Network in a PC, Javascript, the accfile module for outbound calls, SIP/IAX modules depending on the chosen outside connection)
yatebts architecture

The Advantages of YateBTS Architecture

YateBTS combines a resilient GSM implementation and Yate’s powerful telephony engine.This architecture offers many advantages, including:

Yate and YBTS


YBTS is a Yate module that implements the majority of the GSM Layer 3 functionality. YBTS uses MBTS as a modem. MBTS supervises the physical and link layers and also does radio resource management. MBTS forwards all received frames to YBTS that implements control functions.
In other words, MBTS sets up the radio channel and forwards all information received on that channel to YBTS. YBTS then sees if it’s a call/SMS/USSD/registration/etc. request and sends a specific Yate message for that type of request. Other Yate modules or custom applications handle this messages. An example of this lays in the Network in a PC application that comes by default with YateBTS. YBTS is the link between MBTS, Yate and its many functionalities.


The YateBTS design derives from one of Yate’s main design mantras: “Holding the code base as simple as possible and adding functionality as needed allows one to find the best balance between desired functionality, performance and stability.”

The architecture of Yate is based on a message passing system and can be divided into four main parts as you can see below:

  • dynamic libraries loaded as plugins in the engine (YBTS is one such module)
  • Javascript applications interpreted at runtime by Yate’s Javascript interpretor. (Network in a PC is a Javascript application)
  • or external applications started by a specific module (extmodule) that allows them to talk to the engine and other modules.
 External applications can be written in a multitude of scripting languages such as PHP, Python, Perl etc and Yate comes by default with libraries in this languages that help you develop custom functionality.
Reviewing the richness of protocols and methods implemented in Yate, you begin to understand how versatile this software can be.

It is worth mentioning that VoIP or PBX is just one of the implemented modules and not the core functionality.
In fact Yate is a multifunctional type of product, that can be used in many situations, where distance communication is to take place.
Some types of modules that could bring great value when used together with YateBTS are: billing, monitoring and the various software drivers that Yate offers, such as SIP, IAX, Jabber (public version) and SS7 (in the commercial version of YateBTS).
For a more in-depth description of Yate modules functionalities please see: Modules


As stated above, MBTS acts as a modem. MBTS supervises the psyhical (L1) and link layers (L2) and also does radio resource management (part of L3). After the radio channel is established it forwards the received frames to YBTS.

Layer 3 Radio Resource Management

The Um network layer, or Layer 3 is defined in GSM 04.07 and 04.08 and has multiple sublayers. The lowest of these sublayers is the radio resource management layer, which is responsible for allocating, assigning and releasing radio channels between the handset and the network.

Layer 2 Functions

GSM layer 2 LAPDm, also known as the data link layer, is defined in GSM 04.05 and 04.06. LAPDm is the mobile analog to ISDN’s LAPD.

Layer 1 Functions

The Um physical layer is defined in the GSM 05.xx series of specifications, with the introduction and overview in GSM 05.01. For most channels, Um L1 transmits and receives 184-bit control frames or 260-bit vocoder frames over the radio interface in 148-bit bursts with one burst per timeslot.
These are its main functions:


GSM uses GMSK or 8PSK modulation with 1 bit per symbol which produces a 13/48 MHz (270.833 kHz or 270.833 K symbols/second) symbol rate and a channel spacing of 200 kHz.

Since adjacent channels overlap, the standard does not allow adjacent channels to be used in the same cell.
The standard defines several bands ranging from 400 MHz to 1990 MHz.
Uplink and downlink bands are generally separated by 45 or 50 MHz (at the low-frequency end of the GSM spectrum) and 85 or 90 MHz (at the high-frequency end of the GSM spectrum).
Uplink/downlink channel pairs are identified by an index called the ARFCN.
Within the BTS, these ARFCNs are given arbitrary carrier indexes C0..Cn-1, with C0 designated as a Beacon Channel and always operated at constant power.
GSM has physical and logical channels.
The logical channel is time-multiplexed into 8 timeslots, with each timeslot lasting for 0.577ms and having 156.25 symbol periods.
These 8 timeslots form a frame of 1,250 symbol periods.
Channels are defined by the number and position of their corresponding burst period.
The capacity associated with a single timeslot on a single ARFCN is called a physical channel (PCH) and referred to as “CnTm” where n is a carrier index and m is a timeslot index (0-7).
Each timeslot is occupied by a radio burst with a guard interval, two payload fields, tail bits, and a midamble (or training sequence).
The lengths of these fields vary with the burst type but the total burst length is 156.25 symbol periods.
The most commonly used burst is the Normal Burst (NB).

Multiplexing and Timing

Each physical channel is time-multiplexed into multiple logical channels according to the rules of GSM 05.02.

One logical channel constitute of 8 burst periods (or physical channels) which is called a Frame.
Traffic channel multiplexing follows a 26-frame (0.12 second) cycle called a “multiframe”.
Control channels follow a 51-frame multiframe cycle.
The C0T0 physical channel carries the SCH, which encodes the timing state of the BTS to facilitate synchronization to the TDMA pattern.
GSM timing is driven by the serving BTS through the SCH and FCCH.
All clocks in the handset, including the symbol clock and local oscillator, are slaved to signals received from the BTS, as described in GSM 05.10.
BTSs in the GSM network can be asynchronous and all timing requirements in the GSM standard can be derived from a stratum-3 OCXO.


The coding sublayer provides forward error correction.

As a general rule, each GSM channel uses a block parity code (usually a Fire code), a rate-1/2, 4th-order convolutional code and a 4-burst or 8-burst interleaver.
Notable exceptions are the synchronization channel (SCH) and random access channel (RACH) that use single-burst transmissions and thus have no interleavers.
For speech channels, vocoder bits are sorted into importance classes with different degrees of encoding protection applied to each class (GSM 05.03).
Both 260-bit vocoder frames and 184-bit L2 control frames are coded into 456 bit L1 frames.
On channels with 4-burst interleaving (BCCH, CCCH, SDCCH, SACCH), these 456 bits are interleaved into 4 radio bursts with 114 payload bits per burst.
On channels with 8-burst interleaving (TCH, FACCH), these 456 bits are interleaved over 8 radio bursts so that each radio burst carries 57 bits from the current L1 frame and 57 bits from the previous L1 frame.
Interleaving algorithms for the most common traffic and control channels are described in GSM 05.03 Sections 3.1.3, 3.2.3 and 4.1.4.

Closed Loop Power Control

The CLPC is a Layer 1 function, managing the power level at which the handset has to transmit according to the Received Signal Strength Indication (RSSI) parameter of YateBTS.

The reason that you have such a function is because the power level is a critical component for communication.
Without a power level management, the nicest thing that can happen is the voice call will have a poor quality.
What it usually happens is that the voice call will be dropped or you cannot establish one due to the saturation of the YateBTS receiver.
It’s called a loop because twice a second there is a message exchange between the mobile station and YateBTS in the following order:

The new commanded power level is:

Pcommnand = Ptx + (Ptarget – Prx)

This is subject to the power limits of the handset.

In the lower bands (850 and 900), the power control range is 5-33 dBm.
In the upped bands (1800 and 1900) the range is usually 5-30 dBm.
The difference between transmitted and received power is due to path loss, (Lpath).
The formula relating transmitted and received power to path loss is:

Prx = Ptx – Lpath + Ga

where Ga is the combination of the antenna gains and cable losses.

This is expressed in decibels, so this is actually a logarithmic equation.
Lpath is typically in the range of 120 to 170 dB.
For a correct setup of the RSSI target parameter please see the subsection about “Radio.RSSITarget” in the “gsm_advanced” configuration section.

Closed Loop Timing Control

Varying radio propagation delays, due to varying distances of handsets from the base station, can cause handsets to violate the time-multiplexing rules of the Um interface.

To solve this problem, GSM using a timing correction called timing advance, which is controlled in a closed-loop process similar to the process used for closed loop power contro