Study Guide: Short Message Service (SMS)

1. Introduction to SMS

▼

What is SMS?

Short Message Service (SMS) is a text messaging service component of most telephone, Internet, and mobile device systems. It uses standardized communication protocols to enable mobile devices to exchange short text messages. SMS was originally designed as part of the GSM standard but is now supported on CDMA, 3G, 4G, and 5G networks.

                    Historical Context: The first SMS message was sent on December 3, 1992, by Neil Papworth from his PC to a Vodafone Orbitel 901 handset. The message read "Merry Christmas." SMS was initially conceived as a way to send network notifications and service messages, not as a consumer service.
                

Key Characteristics

Fundamental Properties:

Message length limit: 160 characters (7-bit encoding) or 140 bytes
Store-and-forward messaging architecture
Uses signaling channels (SDCCH) rather than traffic channels
Best-effort delivery with no guarantee of delivery
Supports both point-to-point and broadcast messaging
Operates on control plane, independent of voice calls

Technical Insight: SMS is transported on the SDCCH (Standalone Dedicated Control Channel) in GSM, allowing messages to be sent/received even during active voice calls or when the mobile is idle. This is why SMS is often more reliable than voice in poor coverage areas.

SMS Evolution

1984: Concept proposed by Friedhelm Hillebrand and Bernard Ghillebaert as part of the GSM standardization process

1992: First SMS message sent; Commercial deployment begins

1995: First commercial SMS services launched in Europe

2000: SMS becomes mainstream with interoperability between carriers

2005: SMS concatenation (long SMS) and EMS (Enhanced Messaging Service) introduced

2010+: SMS over IMS, SMS over SGs (4G/LTE), and RCS (Rich Communication Services) evolution

2. SMS Network Architecture

▼

GSM SMS Architecture

The SMS architecture in GSM networks involves several network elements that work together to store, forward, and deliver messages between mobile subscribers.

SMS Network Architecture

Mobile Station
(MS/UE)

→

BTS
(Base Transceiver)

→

BSC
(Base Station Controller)

→

MSC
(Mobile Switching Center)

→

SMSC
(Message Center)

Key Network Elements

Element	Full Name	Function in SMS
MS	Mobile Station	Originating and terminating device; handles SMS composition, storage, and display
BTS	Base Transceiver Station	Radio interface handling; transmits SMS over air interface using SDCCH
BSC	Base Station Controller	Manages radio resources; allocates SDCCH for SMS transmission
MSC	Mobile Switching Center	Switching and mobility management; routes SMS to appropriate SMSC
VLR	Visitor Location Register	Stores temporary subscriber info; provides MSRN for SMS delivery
HLR	Home Location Register	Permanent subscriber database; stores SMSC address and service profile
SMSC	Short Message Service Center	Core element: stores and forwards messages; handles retry attempts
IWMSC	Interworking MSC	Interface between PLMN and external networks (PSTN, Internet)

SMS Interworking

                    Inter-PLMN SMS: When sending SMS between different networks (e.g., AT&T to Verizon), the SMSC of the originating network communicates with the HLR of the destination network via SS7 signaling (MAP protocol) to determine the current location of the recipient before forwarding the message.
                

Inter-Network SMS Flow

Originating
PLMN
SMSC

→

SS7
Network
(MAP)

→

Destination
PLMN
HLR

→

Destination
PLMN
VLR/MSC

→

Recipient
MS

3. SMS Protocol Stack & Interfaces

▼

Protocol Architecture

SMS uses a layered protocol stack that operates across different interfaces in the mobile network. Understanding these layers is crucial for comprehending how SMS messages are formatted, transmitted, and processed.

SM-AL (Application Layer)
SMS User Interface

SM-TL (Transfer Layer)
TPDU Formatting

SM-RL (Relay Layer)
RP-DATA Messages

CMOL (Connection Management)
CP-DATA

RR Layer (Radio Resource)
SDCCH/SACCH

Detailed Protocol Layers

SM-TL (Short Message Transfer Layer):

Handles TPDU (Transfer Protocol Data Unit) formatting
Manages message types: SMS-DELIVER, SMS-SUBMIT, SMS-STATUS-REPORT
Provides addressing, PID, DCS, and timestamp information
Interface between mobile and SMSC

SM-RL (Short Message Relay Layer):

Handles RP-DATA, RP-ACK, RP-ERROR messages
Provides reliable transport between MSC and MS
Maps to MM (Mobility Management) layer for connection establishment
Uses RP (Relay Protocol) messages encapsulated in CMOL

Air Interface Signaling

On the Um interface (air interface between MS and BTS), SMS is transmitted using:

SDCCH (Standalone Dedicated Control Channel): Used when MS is idle
SACCH (Slow Associated Control Channel): Used during active voice calls

Channel Data Rate: SDCCH = 0.6 kbps (full rate)
SMS Transmission Time ≈ 240 ms (single SMS on SDCCH)

MAP Protocol (Mobile Application Part)

Between SMSC and HLR/VLR, SMS uses MAP operations over SS7:

MAP Operation	Description	Direction
sendRoutingInfoForSM	Request routing information for SMS delivery	SMSC → HLR
forwardSM	Forward short message to MSC	SMSC → MSC
mo-forwardSM	Mobile originated SMS forwarding	MSC → SMSC
reportSM-DeliveryStatus	Report delivery success/failure	MSC → SMSC
alertServiceCentre	Notify SMSC that MS is reachable	HLR → SMSC

4. SMS Message Formats & PDU

▼

TPDU (Transfer Protocol Data Unit)

The SMS TPDU is the fundamental data structure used to transport short messages. Different TPDU types exist for mobile-originated (MO) and mobile-terminated (MT) messages.

SMS-SUBMIT TPDU Structure (Mobile Originated)

SCA
1-12 octets

PDU
Type
1 octet

MR
1 octet

DA
2-12 octets

PID
1 octet

DCS
1 octet

VP
0-7 octets

UDL
1 octet

UD
0-140 octets

Field Descriptions

Field	Name	Size	Description
SCA	Service Centre Address	1-12 octets	Address of the SMSC including type of number and numbering plan
PDU Type	Protocol Data Unit Type	1 octet	Message type indicator, validity period format, status report request
MR	Message Reference	1 octet	Unique identifier assigned by MS (0-255)
DA	Destination Address	2-12 octets	Recipient address (BCD encoded)
PID	Protocol Identifier	1 octet	Indicates SMS protocol or interworking type
DCS	Data Coding Scheme	1 octet	Character set, message class, compression
VP	Validity Period	0-7 octets	Time period for SMSC delivery attempts
UDL	User Data Length	1 octet	Length of user data in septets or octets
UD	User Data	0-140 octets	Actual message content (160 chars max for 7-bit)

Data Coding Scheme (DCS)

                    The DCS octet determines how the message text is encoded:
                    
                    Bits 3-2 (Coding Group):

                    00 = 7-bit GSM default alphabet (160 chars)

                    01 = 8-bit data (140 chars)

                    10 = UCS2 (16-bit) (70 chars)

                    11 = Reserved

Maximum Characters = floor(140 × 8 / bits_per_character)
7-bit: floor(1120/7) = 160 chars
8-bit: floor(1120/8) = 140 chars
16-bit: floor(1120/16) = 70 chars

Address Field Encoding

Phone numbers in SMS PDUs are encoded using BCD (Binary Coded Decimal) with semi-octet swapping:

Example: Number +12345678901
BCD Digits: 21 43 65 87 09 F1 (swapped pairs, F added for odd length)
Type of Number: 91 (International)
Address Length: 0B (11 digits)

Concatenated SMS (Long SMS)

For messages exceeding 160 characters, SMS uses concatenation with a User Data Header (UDH):

UDH Structure for Concatenation:

IEI (Information Element Identifier): 00 for concatenation
IEDL (Length): 03 (3 bytes follow)
Reference Number: 1 byte (same for all parts)
Total Parts: 1 byte
Part Number: 1 byte (sequence)

5. SMS Procedures & Call Flows

▼

Mobile Originated SMS (MO-SMS)

The procedure for sending an SMS from a mobile station to another subscriber or application.

MO-SMS Call Flow

                        1. MS → BSC: Channel Request (RACH)

                        2. BSC → MS: Immediate Assignment (AGCH) - SDCCH allocated

                        3. MS → MSC: CM Service Request (SMS)

                        4. MSC → MS: CM Service Accept

                        5. MS → MSC: CP-DATA (RP-DATA [TPDU])

                        6. MSC → SMSC: MAP mo-forwardSM

                        7. SMSC → MSC: MAP mo-forwardSM Ack

                        8. MSC → MS: CP-ACK

                        9. MSC → MS: CP-DATA (RP-ACK)

                        10. MS → MSC: CP-ACK

                        11. MSC → MS: Channel Release

Mobile Terminated SMS (MT-SMS)

The procedure for delivering an SMS to a mobile station from the SMSC.

MT-SMS Call Flow

                        1. SMSC → HLR: MAP sendRoutingInfoForSM

                        2. HLR → SMSC: MAP sendRoutingInfoForSM Ack (IMSI, VLR address)

                        3. SMSC → MSC/VLR: MAP forwardSM

                        4. MSC → MS: Paging Request

                        5. MS → MSC: Page Response → SDCCH allocated

                        6. MSC → MS: CP-DATA (RP-DATA [TPDU])

                        7. MS → MSC: CP-ACK

                        8. MS → MSC: CP-DATA (RP-ACK)

                        9. MSC → SMSC: MAP forwardSM Ack

                        10. MSC → MS: CP-ACK

                        11. MSC → MS: Channel Release

SMS Delivery States

State	Description	SMSC Action
Immediate Delivery	Recipient MS is reachable	Deliver immediately, delete from queue
Deferred Delivery	MS temporarily unreachable	Store and retry based on validity period
Alert Procedure	MS becomes reachable after being unreachable	HLR alerts SMSC, SMSC initiates delivery
Delivery Failure	Permanent error or validity expired	Return error to originator, delete message

Important: If the recipient MS is not reachable (powered off, out of coverage), the SMSC stores the message and the HLR sets a "Message Waiting" flag. When the MS re-registers, the HLR triggers the AlertServiceCentre operation to notify the SMSC to attempt delivery.

Status Reports

SMS supports delivery confirmation through status reports (SMS-STATUS-REPORT TPDU). When requested by the originator (SRR bit set in PDU type), the SMSC generates a status report upon successful delivery or failure.

Status Report Contents:

Message Reference (MR) - matches original submission
Recipient Address
Service Centre Timestamp
Discharge Time (actual delivery time)
Status: Delivered, Failed, Buffered, etc.

6. Advanced SMS Features

▼

SMS Cell Broadcast (SMS-CB)

SMS-CB allows messages to be broadcast to all mobile stations within a specific geographical area (cell or location area). Unlike point-to-point SMS, CB messages are not acknowledged and are not stored if the MS is unreachable.

SMS-CB Characteristics:

Message length: 93 characters (82 octets)
Serial Number, Message Identifier, Data Coding Scheme
Used for: Emergency alerts, weather warnings, traffic info
ETWS (Earthquake and Tsunami Warning System) uses CB
Channel: CBCH (Cell Broadcast Channel)

Enhanced Messaging Service (EMS)

EMS extends SMS to support enhanced content while maintaining compatibility with standard SMS:

Formatted text (bold, italic, alignment)
Small pictures (16x16, 32x32 bitmaps)
Simple animations
User-defined sound melodies
Concatenation support up to 760 characters

SMS over GPRS/3G/4G

                    GPRS/EDGE: SMS can be sent over GPRS using the Gb interface, reducing signaling load on the CS domain. Uses PDP context for transport.
                    
                    3G (UMTS): SMS uses dedicated signaling bearers on RRC connection. Can be sent over CS or PS domain.
                    
                    4G (LTE): SMS over SGs interface (CS Fallback) or SMS over IMS (IP-SM-GW). SGs connects MME to MSC for SMS delivery without CSFB for voice.

SMS Security

SMS security involves several layers:

Layer	Mechanism	Description
Air Interface	Ciphering	A5/1, A5/2, A5/3 algorithms encrypt SMS content on Um interface
SS7 Network	MAPsec	Security for MAP messages between networks (optional)
Application	SIM Toolkit	Secure messaging to SIM for OTA updates, banking

Security Note: Standard SMS is not end-to-end encrypted. Messages are stored in plaintext at the SMSC. For sensitive communications, application-layer encryption (e.g., OTT apps) or SIM-based security (messaging to SIM) should be used.

SIM Application Toolkit (SAT)

SAT enables proactive SIM applications using SMS as transport:

OTA (Over-The-Air) Provisioning: Remote SIM updates
Mobile Banking: Secure transaction verification
Menu-driven Services: Interactive USSD-like services via SMS
Data Download: Polling, cell info, call control

7. Performance Analysis & Calculations

▼

SMS Throughput Calculations

SMS Capacity Calculator

Number of SDCCH channels per cell:

Average SMS length (characters):

Channel multiplexing:

SMS per second per cell: ~2.6
SMS per hour per cell: ~9,360

Transmission Time Analysis

T_SMS = T_setup + T_transfer + T_release
Where:
T_setup ≈ 500-800 ms (channel allocation, authentication)
T_transfer ≈ 240-400 ms (actual message transmission)
T_release ≈ 200 ms

Total: ~1-1.5 seconds per SMS

Signaling Load

SMS generates significant signaling traffic relative to its payload:

Interface	Signaling Messages per SMS	Approximate Bytes
Um (Air)	8-10 messages	400-600 bytes
Abis	8-10 messages	400-600 bytes
A (MSC-BSC)	6-8 messages	300-500 bytes
MAP (SMSC-PLMN)	2-4 operations	200-400 bytes

                    Signaling Efficiency: For a 160-character SMS (140 bytes payload), the total signaling overhead is approximately 10-15x the payload size. This is why SMS is considered a signaling-heavy service and why operators implement SMS over GPRS/PS domains to offload the CS signaling network.
                

Storage Requirements

SMSC storage calculation for deferred messages:

Storage (MB) = N_sub × R_SMS × T_store × S_SMS
Where:
N_sub = Number of subscribers
R_SMS = SMS arrival rate per subscriber (msg/sec)
T_store = Average storage time (seconds)
S_SMS = Average SMS size (~200 bytes including headers)

Example: For 1 million subscribers, 0.001 SMS/sec/sub (3.6 SMS/hour), 1 hour average storage time:
Storage = 1,000,000 × 0.001 × 3600 × 200 = 720 MB

8. Modern Evolution: RCS & Beyond

▼

Rich Communication Services (RCS)

RCS is the successor to SMS, designed to provide enhanced messaging capabilities over IP networks while maintaining the ubiquity of SMS.

RCS Key Features:

Rich media sharing (high-res photos, videos, audio)
Read receipts and typing indicators
Group chat with up to 100+ participants
File transfer (up to 100MB)
Location sharing and contact cards
Integration with business messaging (chatbots)
End-to-end encryption (in some implementations)

SMS over IP (SMSoIP)

In 4G/5G networks, SMS can be delivered over IP bearers:

SMS over SGs: Traditional SMS over LTE control plane (CSFB)
SMS over IMS: SMS encapsulated in SIP messages via IP-SM-GW
SMS over NAS: 5G native SMS support in Non-Access Stratum

5G SMS Architecture

UE

→

gNB

→

AMF

→

SMSF

→

IP-SM-GW

→

SMSC

Comparison: SMS vs. OTT vs. RCS

Feature	SMS	OTT (WhatsApp, etc.)	RCS
Transport	Signaling Channel	Internet/Data	Internet/Data
Interoperability	Universal	App-dependent	Carrier-dependent
Authentication	SIM-based	App credentials	SIM-based
Reliability	High (control plane)	Medium	High
Features	Text only	Rich media	Rich media
Encryption	Air interface only	End-to-end	Variable

                    Industry Trend: While OTT messaging dominates consumer communication, SMS remains critical for:
                    Two-factor authentication (2FA) and security codes
Emergency alerts and public warning systems
IoT device management and telemetry
Banking and financial transaction notifications
Network operator service messages

                

9. Key Takeaways & Review

▼

Essential Concepts Checklist

Architecture & Network:

Understand the roles of SMSC, HLR, VLR, MSC in SMS delivery
Know the difference between MO-SMS and MT-SMS procedures
Understand store-and-forward architecture and deferred delivery
Comprehend SS7/MAP signaling for inter-PLMN SMS

Protocols & Formats:

TPDU structure: SCA, PDU Type, MR, DA, PID, DCS, VP, UDL, UD
Protocol stack: SM-TL, SM-RL, CMOL, RR layers
Address encoding: BCD with semi-octet swapping
Data Coding Schemes: 7-bit, 8-bit, UCS2 encoding

Technical Specifications:

160 character limit (7-bit) / 140 bytes payload
SDCCH for SMS transport (0.6 kbps)
Concatenated SMS using UDH for long messages
Validity period and status report mechanisms

Important Formulas to Remember

Max Characters = floor(140 × 8 / bits_per_char)
7-bit GSM: 160 chars | 8-bit: 140 chars | UCS2: 70 chars

SMSC Storage = Subs × Rate × Time × Size

Transmission Time ≈ 1-1.5 seconds (including setup)

Common Exam Topics

Draw and explain the SMS network architecture
Describe the MO-SMS and MT-SMS call flows with message sequences
Encode a phone number into SMS address field format
Calculate maximum SMS capacity for a given cell configuration
Explain the store-and-forward mechanism and alert procedure
Compare SMS, EMS, and RCS technologies
Describe SMS security mechanisms and vulnerabilities
Explain SMS transport in 4G/5G networks (SGs, IMS)

Study Tip: Focus on understanding the TPDU format and MAP operations as these are frequently tested in mobile communications exams. Practice encoding/decoding phone numbers and calculating user data lengths for different encoding schemes.