RF Design Magazine


Goodbye ESN, hello MEID: MEID as a solution to ESN exhaustion
Sep 1, 2005 12:00 PM  By Mike Keeley

For nearly two decades, electronic serial numbers (ESN) have served CDMA and other wireless technologies well, providing a mechanism to uniquely identify each mobile device. But just as IP address pool depletion is leading the change from IPv4 to IPv6, the impending exhaustion of available ESNs necessitates a replacement. That replacement is the mobile equipment identifier (MEID).


In the mid 1980s, the Federal Communications Commission (FCC) required that each handset in the United States have a unique identifier. Electronic serial numbers (ESNs) were introduced to fulfill this requirement. However, shortly after this introduction to the analog market, ESNs expanded globally as ANSI-41 networks were deployed worldwide. With the introduction of digital technologies over ANSI-41 networks, ESNs continued to be the means used to uniquely identify mobile devices.

Each ESN is a 32-bit number consisting of two components: a manufacturer ID code field and a mobile serial number field. The original length of the manufacturer ID code field was eight bits, while the remaining 24 bits comprised the mobile serial number field. This provided 256 unique manufacturer ID codes, with 16 million unique mobile serial numbers assigned to each manufacturer. This also provided an ESN pool of more than 4.2 billion serial numbers.

Further definition of the manufacturer ID code field allowed an eight-bit code to be replaced by a 14-bit field, leaving 18 bits (or about 250,000 unique combinations) for the mobile serial number field. This provided the FCC, who then administered global ESN pool assignments, the flexibility of assigning either 250,000 or 16 million serial numbers to a manufacturer. This scheme is still in use by the TIA, who currently manages the ESN pool.

However, due to poor record keeping in the early days of ESN assignments, the 4.2 billion ESN space is now facing a premature exhaustion. The date of ESN exhaustion was previously forecasted to be as early as the fourth quarter of 2004, but most estimates now put the exhaustion date near the end of the second quarter of 2007. This current estimate is based on a linear extrapolation of the run-rate of ESN assignments over the past 12 months. While this forecast has been stable for nearly a year now, better than expected conservation effort results or a “run on the bank” scenario could shift the exhaust date in either direction. In any case, given the severe consequences of ESN exhaustion, a solution is needed now to avoid a scenario where no new mobile devices can be introduced to the market.

Table 1. Using BS-assigned PLCM.

Mobile Station Capability | Base Station Capability | Can BS-assigned PLCM be used?
Pre IS-2000 Rel. D and no C.S0072 support | Pre IS-2000 Rel. D and no C.S0072 support | No (ESN-based PLCM)
Pre IS-2000 Rel. D and no C.S0072 support | Pre IS-2000 Rel. D with C.S0072 support -or- IS-2000 Rel. D | No (ESN-based PLCM)
Pre IS-2000 Rel. D with C.S0072 support | Pre IS-2000 Rel. D and no C.S0072 support | No (pESN-based PLCM)
Pre IS-2000 Rel. D with C.S0072 support | Pre IS-2000 Rel. D with C.S0072 support -or- IS-2000 Rel. D | Yes
IS-2000 Rel. D | Pre IS-2000 Rel. D and no C.S0072 support | No (pESN-based PLCM)
IS-2000 Rel. D | Pre IS-2000 Rel. D with C.S0072 support -or- IS-2000 Rel. D | Yes

Introduction of MEID

Recognizing the prospect of running out of ESN resources, the CDMA industry defined the mobile equipment identifier (MEID) in two standards: 3GPP2 C.S0004-D, signaling link access control (LAC) standard for cdma2000 spread spectrum systems-Release D, and C.S0005-D, upper layer (Layer 3) signaling standard for cdma2000 spread spectrum systems-Release D. Hereafter, these specifications are collectively referred to using their TIA nomenclature: IS-2000 Release D.

MEID is defined as a 14-hexadecimal digit (56 bit) number that, like ESNs, consists of two major components: an eight-hex digit (32 bit) manufacturer code and a six-hex digit (24 bit) serial number (ZZZZZZ) (Figure 1). The manufacturer code is further divided into two components: a two-hex digit (eight bit) regional code (RR) and a six-hex digit (24 bit) code (XXXXXX) assigned by the Global Hexadecimal MEID Administrator (GHA) to a manufacturer for a line of mobile devices.

The structure of MEID was defined to ensure compatibility with the International Mobile Equipment Identities (IMEI) value, a 14-decimal digit (56 bit) identification already in use by GSM and W-CDMA mobile devices. Since IMEI consists of decimal digits while MEID uses hexadecimal digits, MEID regional codes (RR) use the hex values A0 through FF, thus ensuring the MEID space and the IMEI space remain mutually exclusive. For devices with CDMA and GSM/W-CDMA capability, the regional code of 99 has been reserved, thus enabling a single MEID/IMEI to be assigned to devices with dual air interface capability.

IS-2000 release D introduced changes to both the link access control (LAC) layer and layer 3 signaling to accommodate MEID. For example, the addressing sublayer within the LAC layer was enhanced to offer the option of using MEID to address messaging to particular mobile devices. At the layer 3 level, a new record type was introduced that allows a network to send a status request message that queries a device for its MEID. If on a dedicated channel, the mobile would then respond to this request with a status response message containing a record with its 56-bit MEID. If on a common channel, the mobile would then respond with an extended status response message.

However, although these IS-2000 Release D changes would avert problems caused by ESN exhaustion, deployment of this specification is still years away at best. With ESN exhaustion being a real issue needing a solution now, the CDMA industry had to consider a more timely answer. Pseudo ESNs (pESN) were one of the first considerations as a near-term fix to ESN exhaustion.

pESN as a solution?

pESN presents the option for an MEID-equipped device to exist on a currently deployed CDMA network (e.g., a network conforming to IS-2000 Release 0 or IS-2000 Release A). Like a true ESN, a pESN is a 32-bit number. A pESN uses an eight-bit manufacturer ID code field that, by definition, is set to a fixed value of 0x80. In other words, one of the eight-bit manufacturer ID codes (0x80) from the overall ESN space is now reserved to indicate that a pESN is in use. The remaining 24 bits of a pESN are derived from the MEID programmed into the device. The least significant 24 bits of an SHA-1 digest[1] of the device's MEID are used to populate the lower 24 bits of the pESN (Figure 2).

Once a pESN is derived, an MEID-equipped device can use that pESN in any scenario where a true ESN would have been used, including over-the-air messaging sent to a network. Conversely, the CDMA network can use this same pESN to address messaging to the device. Because pESN is compatible with the existing structure of true ESNs, no changes are required to the currently deployed CDMA air interface.

Use of pESNs is unfortunately not without its problems, though. Since all pESNs use the manufacturer ID code of 0x80, there are only a little more than 16 million unique pESN values. This ensures that there will almost certainly be multiple devices deriving the same pESN. In a CDMA network, this creates the possibility of at least two problems:

  1. ESNs have been a predominant method used by a network to address messaging to a mobile device. If multiple devices are operating with the same pESN, there is a chance that more than one of these devices might receive a mobile-directed message and respond to it.

  2. In all CDMA networks deployed to date, a device's ESN is used to derive a public long code mask (PLCM). The PLCM is the coding used to separate multiple users transmitting reverse dedicated channels on the same frequency at the same time. Again, if multiple devices are operating with the same pESN, they would also derive the same PLCM, and if using reverse dedicated channels at the same time, there is a good chance the network will not be able to demodulate their reverse traffic. Of course, the chance of a collision is slim: a collision would only occur when two mobiles with the same pESN transmitted at the same time to the same base station. Statistically, though, some of those calls will be emergency calls, making this an unacceptable risk.
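The pESN derivation and the collision risk described above can be reproduced in a few lines. This is an added example, not code from the article or from any 3GPP2 specification; it assumes the SHA-1 input is the 56-bit MEID packed as seven big-endian bytes, and the MEIDs it hashes (manufacturer code A1000001) are constructed sample values.

```python
import hashlib
import math

PESN_MFR_CODE = 0x80      # reserved manufacturer ID code that marks a pESN
PESN_SPACE = 1 << 24      # 24 derived bits: a little more than 16 million values

def parse_meid(meid_hex):
    """Split a 14-hex-digit MEID into (RR, XXXXXX, ZZZZZZ) as integers."""
    meid_hex = meid_hex.strip().upper()
    if len(meid_hex) != 14 or any(c not in "0123456789ABCDEF" for c in meid_hex):
        raise ValueError("MEID must be exactly 14 hexadecimal digits")
    # Regional codes A0-FF are hex MEIDs; 99 is reserved for dual-mode devices.
    if not (0xA0 <= int(meid_hex[0:2], 16) <= 0xFF or meid_hex[0:2] == "99"):
        raise ValueError("regional code is neither A0-FF nor 99")
    return int(meid_hex[0:2], 16), int(meid_hex[2:8], 16), int(meid_hex[8:14], 16)

def derive_pesn(meid_hex):
    """Return the 32-bit pESN: 0x80, then the low 24 bits of SHA-1(MEID)."""
    parse_meid(meid_hex)  # reject malformed input before hashing
    # Assumption: the hash input is the MEID as 7 big-endian bytes.
    digest = hashlib.sha1(bytes.fromhex(meid_hex.strip())).digest()
    return (PESN_MFR_CODE << 24) | int.from_bytes(digest[-3:], "big")

def is_pesn(esn):
    """True when a 32-bit ESN carries the reserved 0x80 manufacturer code."""
    return (esn >> 24) & 0xFF == PESN_MFR_CODE

def collision_probability(n_devices):
    """Birthday-bound estimate that at least two of n devices share a pESN."""
    return 1.0 - math.exp(-n_devices * (n_devices - 1) / (2.0 * PESN_SPACE))

def first_collision(meids):
    """Return (meid_a, meid_b, pesn) for the first pESN seen twice, else None."""
    seen = {}
    for meid in meids:
        pesn = derive_pesn(meid)
        if pesn in seen:
            return seen[pesn], meid, pesn
        seen[pesn] = meid
    return None

# Constructed sample: 50,000 sequential serials under a made-up manufacturer code.
SAMPLE_MEIDS = ["A1000001%06X" % serial for serial in range(50000)]

if __name__ == "__main__":
    print("pESN of %s = %08X" % (SAMPLE_MEIDS[0], derive_pesn(SAMPLE_MEIDS[0])))
    print("P(collision) among 5,000 devices: %.2f" % collision_probability(5000))
    print("first collision:", first_collision(SAMPLE_MEIDS))
```

The birthday bound shows why duplicates are expected long before 16 million devices ship: a population of only about 5,000 MEID-equipped devices already has a better-than-even chance of containing two with the same pESN.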

CDMA air interface technology already offers a solution to the first problem. While ESN addressing is one option available to networks, other options also exist. For example, by addressing messages with ESN plus international mobile station identifiers (IMSI), a network can ensure that no more than one mobile device will match a message's addressing fields.

The second problem, however, cannot be solved with existing CDMA deployments. To that end, a group of leading CDMA industry participants converged last February on a proposed solution to the PLCM collision problem. This proposed solution was summarized in CDG reference document 107, published in March 2005, and has subsequently undergone minor modifications. As of this article's writing, a final air interface definition for a proposed solution was on the verge of publication as 3GPP2 C.S0072 mobile station equipment identifier (MEID) support for cdma2000 spread spectrum systems, also to be known as TIA-1082.

MEID support for cdma2000

C.S0072 proposes changes to currently deployed CDMA releases to accommodate the introduction of mobile devices equipped with MEIDs. Most notably, C.S0072 solves the PLCM collision problem introduced by the use of pESNs on MEID-equipped devices. In essence, C.S0072 allows current IS-2000 releases Release 0 and Release A to use a limited set of features that were originally designed into Release C and Release D.

As was previously mentioned, a current mobile device can derive a PLCM from its ESN for use on reverse dedicated channels. IS-2000 Release C introduced other means of deriving PLCMs, including one option that allows the base station (BS) to assign PLCMs. If a base station opts to use BS-assigned PLCMs instead of ESN-based PLCMs, the base station can now manage the PLCM space and ensure there are no PLCM collisions, even if two mobile devices are operating in close proximity with the same pESN (Figure 3).

In IS-2000 Release C, a BS-assigned PLCM can be communicated to a mobile via the extended channel assignment message (ECAM). During a hand-off, though, the PLCM might have to change in mid-call to avoid PLCM collisions at the base station. In this case, the PLCM is conveyed via the universal hand-off direction message (UHDM).

While the IS-2000 Release C ECAM and UHDM offer a solution to PLCM collision, they cannot be used “as is.” When a network advertises its compliance to a revision of the air interface specification, the mobile device will make certain assumptions about the messages it receives from the network. In order for a network to send an IS-2000 Release C formatted ECAM or UHDM, it must advertise that it is compliant with at least IS-2000 Release C. Unfortunately, as soon as a network makes that advertisement, it implies that it supports a host of “required” IS-2000 Release C features, most of which are not necessarily related to MEID, PLCM assignments or ESN exhaustion. For that statement to be true, a substantial additional set of features would have to be developed, which would make IS-2000 Release C deployment untimely to resolve the ESN exhaustion issue.

As a result, C.S0072 takes a two-pronged approach to pulling the BS-assigned PLCM functionality of IS-2000 Release C ECAM and UHDM forward:

  1. For IS-2000 revisions already commercially deployed (i.e., IS-2000 Release 0 and IS-2000 Release A), C.S0072 introduces two new messages: the MEID extended channel assignment message (MECAM) and the MEID universal hand-off direction message (MUHDM). The MECAM and MUHDM have the same format and content as the ECAM and UHDM, respectively, from IS-2000 Release 0 and IS-2000 release. One exception is that the fields required to specify a BS-assigned PLCM have been appended to the end.

  2. For IS-2000 revisions not yet commercially deployed (i.e., IS-2000 Release B), C.S0072 modifies the ECAM and UHDM to add the fields required to specify a BS-assigned PLCM to the end of those messages.

In either case, a mobile device compatible with C.S0072 will be able to receive a BS-assigned PLCM by way of a channel assignment or hand-off direction message. This will only occur when the network also supports C.S0072.

However, before a network can send an MECAM or MUHDM to a mobile device, it must first have a means to determine if the device supports C.S0072. This is addressed in C.S0072 by using an obsolete bit in the station class mark (SCM). The SCM is an eight-bit value transmitted by a mobile device whenever the mobile registers with the network, originates a call, or responds to a mobile-terminated call. The SCM provides a way for the mobile to indicate some of its capabilities to the network. Bit 4 of the SCM was previously defined as the “IS-54 power class” bit. Per IS-2000, this bit must always be set to ‘0.’ C.S0072 reclaims this bit and uses it as an “MEID indicator” bit, so a mobile device will now set this bit to ‘1’ to indicate it is compliant with C.S0072.

So, when can BS-assigned PLCM be used to eliminate the chance of PLCM collisions? That answer depends on a number of variables already discussed, including whether the mobile device supports C.S0072, whether the network supports C.S0072, and whether either the device or the network support IS-2000 Release D. Table 1 summarizes these scenarios.

Finally, C.S0072 provides a means for the network to query a mobile device for its MEID. As mentioned earlier, IS-2000 Release D added this capability via a new record type and status request/response messages. C.S0072 pulls this IS-2000 Release D capability forward.

Testing MEID support for cdma2000

C.S0072 offers air interface modifications to support MEID prior to IS-2000 Release D. The next step (one that actually occurred in parallel with the development of the air interface modifications) is the development of testing methodologies to verify that these modifications function correctly (Figure 4). This work, started in a CDG ad-hoc group and completed by 3GPP2, is on the verge of publication as C.S0073 signaling test specification for mobile station equipment identifier (MEID) support for cdma2000 spread spectrum systems, also to be known as TIA-1084.

C.S0073 contains a set of signaling conformance test cases, optimized for implementation on commercial test equipment in a cabled lab environment, as well as a set of interoperability test cases, optimized for implementation on commercial infrastructure components. In either case, a common set of over-the-air functionality is verified. C.S0073 contains test cases confirming the following:

  • Does a mobile device conforming to C.S0072 properly set bit 4 (“MEID indicator” bit) whenever it transmits its SCM to the network?

  • When the network queries the MEID of the device via the status request message, does the device respond with the correct MEID value in a status response message (for dedicated channels) or an extended status response message (for common channels)?

  • Does the device properly derive a pESN from its programmed MEID, and use that pESN in all scenarios where a true ESN would have historically been used?

  • If the network assigned a traffic channel with a BS-assigned PLCM, does the device successfully establish traffic in both directions?

  • As the device moves within a CDMA network, can it successfully maintain traffic if the multiple base stations involved change the PLCM, including transition from a BS-assigned PLCM to an ESN-based PLCM and vice versa?

Conclusion

ESN exhaustion is a harsh reality that, if not soon resolved, will have dire consequences for the CDMA industry. Although already addressed from a standards perspective in IS-2000 Release D, delayed deployment of this revision of the CDMA air interface specification necessitates a more timely solution.

In conjunction with implementation of the proposed C.S0072 air interface specification, the use of pESNs allows for the rapid deployment of MEID-equipped mobile devices prior to complete exhaustion of the ESN pool. As with any new deployment, and particularly given the aggressive timeline for realization of C.S0072, adequate testing must be performed. Fortunately, C.S0073 already provides the necessary definition of test cases to verify proper C.S0072 implementation.

References:

  1. The SHA-1 algorithm is defined in National Institute of Standards and Technology, FIPS 180-1, “Secure Hash Standard,” April 17, 1995.

ABOUT THE AUTHOR

Mike Keeley is CDMA market segment manager at Spirent Communications, Industrial Way West, Eatontown, N.J. He can be reached at mike.keeley@spirentcom.com.


