This is a LIVE guide to communicating with your phone's modem by AT commands. The information contained here is collected on a continuous basis from various places, after having some trouble finding all relevant information in one place. Now this place is here, and if not, please post a comment on what's missing and where to find it, if you do know.
Keywords: AT Commands, Modem, Terminal, CDC-ACM, RIL, Serial, UART
All results in this guide have been obtained using a Samsung Galaxy S2 running a stock rooted GB 2.3.4 with PDA:XWKI4 and PHONE:XXKI1 on the 126.96.36.199 Kernel.
The key documents to have as a reference when working with the Android AT command set are found at the 3GPP site. In particular these 2 documents:
 The ETSI GSM 07.07 (3GPP TS 27.007) specifies AT style commands for controlling a GSM phone or modem.
 The ETSI GSM 07.05 (3GPP TS 27.005) specifies AT style commands for managing the SMS feature of GSM.
These documents exist in many different versions, so they are not all equal in content. Make sure to check which document version you are using.
To better understand mobile phone modems and the underlying hardware I strongly recommend reading Harald Welte's "Anatomy of contemporary GSM cellphone hardware" and Telica's "Challenges in integrating modems on Open Platforms". To summarize enormously, I can say this. On a modern Android based "smart phone", there are essentially two processors: the Application Processor (AP), where your Android operating system (AOS) and user interface (UI) live, and the Baseband/Cellular Processor (BP/CP), where all the GSM and other high-tech communication magic happens, including the modem we wish to communicate with. In the most modern phones the BP and the AP and all possible other peripheral devices are integrated into one piece of hardware, loosely known as a Smartphone or System on a Chip (SoC). On this SoC there are a number of peripheral devices such as RTC, UARTs, SPI, I2C, USB ports, SD/MMC card controllers and an ISO7816 SIM card reader. However, to preserve the layered hardware structure, the AP and BP still communicate via UART (serial line), USB, SPI or through shared RAM and/or a combination of these. Therefore there will always be some path directly accessible from the outside that we should be able to use to communicate directly with the BP. Exactly how this is done is mostly unknown due to the closed source and protectionistic nature of the SoC manufacturers, to the great dismay of the developer community.
Although there are several methods for invoking and controlling modem services, the two most common are through the AT Commands (ATC) and/or through Remote Procedure Calls (RPC). The ATC method is by far the most popular and the ATC set can be categorized as follows.
Code:
Call Control: Commands for initiating and controlling calls.
Data Call Control: Commands for controlling the data transfer and QoS.
Network Service: Commands for Supplementary services, ME, operator selection, locking and registration.
SMS Control: Commands for sending, notifying, setting SMS services.
ME Control & Status: Commands for ME power, keypad, display, phonebook, RTC's.
The AOS provides support for this framework in the Radio Interface Layer (RIL), which acts as the interface between the radio HW and the Java Application Programming Interface (API). However, the RIL is divided into 3 parts, or layers if you want. (These are just arbitrary, and not GSM layers!)
L3. The Java RIL (AOS API) accessible to all but with a limited set of commands.
L2. The RIL Daemon (RILJ) acting as an interface between AOS and the Vendor RIL.
L1. The Vendor RIL, which is a closed-source and HW-specific implementation.
L0. The OEM/Vendor modem HW and firmware then acts on the L1 ATC's. (?)
Thus the job of the RIL is to translate all the telephony requests from the Android telephony framework and map them to the corresponding AT commands to the modem, and back again.
Here are two useful pictures that try to explain the various RIL layers.
Finding the correct serial device for the phone modem
In your phone you will find hundreds of devices listed under /dev. Knowing which one is the serial device(s) used for communicating with your Baseband Processor's (BP) Modem, is key in getting a useful AT communication going. Here it is also good to know that there are several serial devices connected to the BP. These connections are working in parallel through a MUX. So it is very likely you will be able to use several different devices to send AT commands with.
So how do we find an appropriate local serial device on the phone? One way is of course to try to connect via some terminal application to all devices and send some AT commands and look for a response, but that is not very scientific or practical. Different phones may use different default (Modem) serial devices. One way to find the serial devices is by listing available tty drivers.
Code:
# cat /proc/tty/drivers
...
rfcomm /dev/rfcomm 216 0-255 serial
g_serial /dev/ttyGS 253 0 serial
ttySAC /dev/s3c2410_serial 204 64-68 serial
serial /dev/ttyS 4 64-67 serial
...
So what are these doing and which one should we try?
After Googling around we suspect that:
rfcomm = Used by Bluetooth serial devices
ttySAC = Used by serial SAmsung Console
g_serial = "DataRouter" (also see dun: (10,123) )
In addition, and thanks to the documentation in Adam Outler's info package, it can be inferred from the block diagram that perhaps:
Code:
s3c2410_serial0 - UART0 - Bluetooth (ttySAC)
s3c2410_serial1 - UART1 - GPS
s3c2410_serial2 - UART2 - AP PMIC - A/S1 ??
s3c2410_serial3 - UART3 - AP PMIC --> AP Level Shifter --> BP UART ??
s3c2410_serial4 - UART4 - not used?
(PMIC = Power Management IC)
The block diagram is this one, from the SGS-2 service manual.
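The /proc/tty/drivers listing above can be turned into a list of candidate device nodes mechanically. The following Python example is added here and is not part of the original guide; it assumes node numbering starts at 0 for each driver, and the last sample line and the choice to skip rfcomm (Bluetooth, per the notes above) are constructed for illustration.

```python
from collections import namedtuple

TtyDriver = namedtuple("TtyDriver", "driver prefix major first_minor last_minor kind")

# Constructed sample: the lines quoted in the guide plus one non-serial
# entry (the /dev/tty line) added to show the type filter.
SAMPLE = """\
...
rfcomm               /dev/rfcomm   216 0-255 serial
g_serial             /dev/ttyGS    253 0 serial
ttySAC               /dev/s3c2410_serial 204 64-68 serial
serial               /dev/ttyS       4 64-67 serial
/dev/tty             /dev/tty        5 0 system:/dev/tty
...
"""


def parse_tty_drivers(text):
    """Parse /proc/tty/drivers text into TtyDriver records."""
    drivers = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 5 or not fields[2].isdigit():
            continue                          # skip "..." and malformed lines
        lo, _, hi = fields[3].partition("-")  # minors are "N" or "N-M"
        if not lo.isdigit() or (hi and not hi.isdigit()):
            continue
        drivers.append(TtyDriver(fields[0], fields[1], int(fields[2]),
                                 int(lo), int(hi or lo), fields[4]))
    return drivers


def device_nodes(drv):
    """Expected node names, assuming the first minor maps to index 0."""
    count = drv.last_minor - drv.first_minor + 1
    return [f"{drv.prefix}{i}" for i in range(count)]


def serial_candidates(text, skip=("rfcomm",)):
    """Map each serial-type driver to its nodes, leaving out drivers in skip."""
    return {d.driver: device_nodes(d) for d in parse_tty_drivers(text)
            if d.kind == "serial" and d.driver not in skip}


if __name__ == "__main__":
    for driver, nodes in serial_candidates(SAMPLE).items():
        print(driver, nodes)
```

For ttySAC this yields s3c2410_serial0 to s3c2410_serial4, matching the five UART names in the block-diagram notes above.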
Connecting using: a local terminal application or the ADB shell
So from our previous results, we would suspect that we could use /dev/ttyGS0. Since Busybox contain the microcom terminal program, we can simply do:
Code:
# busybox microcom -t 5000 /dev/ttyGS0
AT
ATI
<nothing> :(
However, although the connection is successful, there is no AT reaction on that line...
[EDIT] (See notes in a later post.)
Connecting using: Windows
If you are using Windows, you can go into Device Manager (DM) to find the correct port(s) used by your phone. However, depending on whether you set your phone to be used as a "USB mass storage" device or not, different devices may appear in the DM. Here we assume that we just physically connect the phone and do nothing more, i.e. we're not using the device as a USB storage.
Next, under the device class listed as "Modems", you will probably find at least two modem devices. For example, I have one called "HDAUDIO Soft Data Fax Modem with SmartCP", which has nothing to do with Samsung and most likely came with the computer with some bloatware. The other one is called "SAMSUNG Mobile USB Modem", which is what we want. Then right-click to open Properties of the USB Modem device and navigate to the "Diagnostics" tab. Click on the "Query Modem" to send some test AT commands to your modem. If this doesn't work, you have a problem, and I don't have an answer. The result should look something like this:
Code:
ATQ0V1E0 - OK
AT+GMM - AT+GMM GT-I9100
AT+FCLASS=? - (0,8)
AT#CLS=? - COMMAND NOT SUPPORTED
AT+GCI? - COMMAND NOT SUPPORTED
AT+GCI=? - COMMAND NOT SUPPORTED
ATI1 - Manufacturer: SAMSUNG Model: I9100 Revision: I9100XXKI1 IMEI: xxxxx
ATI2 - Manufacturer: SAMSUNG Model: I9100 Revision: I9100XXKI1 IMEI: xxxxx
...
See below for an explanation of these commands.
Now try this yourself with some terminal application. My personal favorite is the free and fully feature loaded "RealTerm". In the Display tab, use ANSI and check the "newLine mode" box, then in the Port tab, find your port as listed in Device Manager. For example, for me the modem port is located on COM port 12. This is listed as "12=\ssudmdm0000" in RealTerm.
Connecting using: Cygwin (on Windows)
The first thing to know about using Cygwin is that the Windows COMn ports are addressed as /dev/ttyS[n-1]. Thus, if you have connected your phone with a USB cable and you find it is connected to COM port 12, then it will be accessible only through /dev/ttyS11 under Cygwin. Other terminal applications may use different ports. In addition you need to have installed/compiled some terminal program like picocom, microcom or cu. Also make sure the COM port is not already occupied by another terminal program.
$ picocom /dev/ttyS11
This works as expected.
Some basic AT command structure
I'm not going to say much about the AT commands themselves, as they are almost as old as home computers themselves. However, let's have a brief look at the "Modem Query" above.
Code:
ATQ0V1E0 - This is actually a concatenation of the 3 commands: (ATQ0 + ATV1 + ATE0) where:
    ATQ0 - Disables echo suppression
    ATV1 - Enables Verbose command results mode
    ATE0 - Turns off local Echo
AT+GMM - This one doesn't work in direct serial mode (!) and is equivalent to AT+CGMM which shows the device model identification. (I9100)
AT+FCLASS=? - This queries the phone (TA) mode: (data, fax, voice etc.)
ATI - This lists: Manufacturer, Model, Revision, IMEI
NOTE: AT commands can be concatenated on one line, with each line starting with AT and each command separated by ";". In some cases the semicolon is not needed. Typically a command without "=" or "?" is a general command that sets or gets some parameters. Any command with "=" is a setting command, unless the "=" is directly followed by "?", in which case you are querying the available/allowed parameters and their range. If the command is followed by "?" without a "=", it is a query asking for the current values of something.
General AT command list extracted from 3GPP TS 27.007
WARNING! DO NOT SEND RANDOM COMMANDS/CHARACTERS TO YOUR PHONE MODEM
Many AT commands can easily wipe or brick your phone or SIM card!
I am in no way responsible for anyone bricking their phones, and
I cannot help you if you do so. So you better know exactly what you
send before you send anything at all.
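The command syntax from the NOTE and the warning above can be combined into a check that runs before anything is written to the port. The following Python example is added here and is not part of the original guide; it splits a command line into its individual commands, classifies each one, and refuses any line that contains a setting command or a general command outside a small allowlist. The allowlist contents and the premise that "?" and "=?" forms only report values are assumptions of this example.

```python
import re

# Assumption (not from the original guide): commands treated as report-only.
# Q, V and E only change how the modem formats its replies.
REPORT_ONLY = {"I", "Q", "V", "E", "+GMM", "+CGMI", "+CGMM", "+CGMR", "+CSQ"}

_EXT = re.compile(r'([+#][A-Za-z0-9]+)(=\?|\?|=)?(.*)', re.S)
_BASIC = re.compile(r'(&?[A-Za-z])(\d*)')
_KIND = {"=?": "test", "?": "read", "=": "set", None: "action"}

def _ext_end(body, pos):
    """Index of the ';' ending an extended command, skipping quoted text."""
    quoted = False
    for i in range(pos, len(body)):
        if body[i] == '"':
            quoted = not quoted
        elif body[i] == ";" and not quoted:
            return i
    return len(body)

def parse_at_line(line):
    """Split one AT command line into (name, kind, argument) tuples."""
    line = line.strip()
    if line[:2].upper() != "AT":
        raise ValueError("a command line must start with AT")
    body, pos, out = line[2:], 0, []
    while pos < len(body):
        if body[pos] == ";":                  # separator between commands
            pos += 1
        elif body[pos] in "+#":               # extended command, e.g. +FCLASS=?
            end = _ext_end(body, pos)
            m = _EXT.fullmatch(body[pos:end])
            if not m or (m.group(2) != "=" and m.group(3)):
                raise ValueError("cannot parse: " + body[pos:end])
            out.append((m.group(1).upper(), _KIND[m.group(2)], m.group(3)))
            pos = end
        else:                                 # basic command, e.g. Q0 or I1
            m = _BASIC.match(body, pos)
            if not m:
                raise ValueError("cannot parse: " + body[pos:])
            out.append((m.group(1).upper(), "basic", m.group(2)))
            pos = m.end()
    return out

def is_safe_to_send(line):
    """True only if every command on the line is a query or report-only."""
    try:
        cmds = parse_at_line(line)
    except ValueError:
        return False                          # refuse what cannot be parsed
    return all(kind in ("test", "read") or (kind != "set" and name in REPORT_ONLY)
               for name, kind, _ in cmds)
```

A terminal wrapper would call is_safe_to_send() on each typed line and write it to the serial device only when the result is True.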
Here is a list with general AT commands and a brief description of their functions and the document section they are found at. The document version I used for the info extraction is shown on the first line.
Note: Several of these commands are deprecated or simply not available on the Android/Samsung phone modems, at least not in the form shown in that document.
Code:
3GPP TS 27.007 Release 9 145 V9.4.0 (2010-06)
AT+CAAP 7.25 - Automatic answer for eMLPP Service
AT+CACM 8.25 - Accumulated call meter
AT+CAEMLPP 7.22 - eMLPP Priority Registration and Interrogation
AT+CAHLD 11.1.3 - Leave an ongoing Voice Group or Voice Broadcast Call
AT+CAJOIN 11.1.1 - Accept an incoming Voice Group or Voice Broadcast Call
AT+CALA 8.16 - Alarm
AT+CALCC 11.1.6 - List current Voice Group and Voice Broadcast Calls
AT+CALD 8.38 - Delete alarm
AT+CALM 8.20 - Alert sound mode
AT+CAMM 8.26 - Accumulated call meter maximum
AT+CANCHEV 11.1.8 - NCH Support Indication
AT+CAOC 7.16 - Advice of Charge
AT+CAPD 8.39 - Postpone or dismiss an alarm
AT+CAPTT 11.1.4 - Talker Access for Voice Group Call
AT+CAREJ 11.1.2 - Reject an incoming Voice Group or Voice Broadcast Call
AT+CAULEV 11.1.5 - Voice Group Call Uplink Status Presentation
AT+CBC 8.4 - Battery charge
AT+CBCAP 8.59 - Battery Capacity
AT+CBCHG 8.61 - Battery Charger Status
AT+CBCON 8.60 - Battery Connection Status
AT+CBCS 11.3.2 - VBS subscriptions and GId status
AT+CBKLT 8.51 - Backlight
AT+CBST 6.7 - Select bearer service type
AT+CCFC 7.11 - Call forwarding number and conditions
AT+CCHC 8.46 - Close Logical Channel
AT+CCHO 8.45 - Open Logical Channel
AT+CCLK 8.15 - Clock
AT+CCUG 7.10 - Closed user group
AT+CCWA 7.12 - Call waiting
AT+CCWE 8.28 - Call Meter maximum event
AT+CDIP 7.9 - Called line identification presentation
AT+CDIS 8.8 - Display control
AT+CEAP 8.47 - EAP authentication
AT+CEER 6.10 - Extended error report
AT+CEMODE 10.1.28 - UE modes of operation for EPS
AT+CEPTT 11.1.10 - Short Data Transmission during ongoing VGCS
AT+CEREG 10.1.22 - EPS network registration status
AT+CERP 8.48 - EAP Retrieve Parameters
AT+CFCS 7.24 - Fast call setup conditions
AT+CFUN 8.2 - Set phone functionality
AT+CGACT 10.1.10 - PDP context activate or deactivate
AT+CGATT 10.1.9 - PS attach or detach
AT+CGCLASS 10.1.17 - GPRS mobile station class
AT+CGCLOSP 10.1.13 - Configure local Octet Stream PAD parameters
AT+CGCMOD 10.1.11 - PDP Context Modify
AT+CGCONTRDP 10.1.23 - PDP Context Read Dynamic Parameters
AT+CGCS 11.3.1 - VGCS subscriptions and GId status
AT+CGDATA 10.1.12 - Enter data state
AT+CGDCONT 10.1.1 - Define PDP Context
AT+CGDSCONT 10.1.2 - Define Secondary PDP Context
AT+CGEQOS 10.1.26 - Define EPS Quality Of Service
AT+CGEQOSRDP 10.1.27 - EPS Quality Of Service Read Dynamic Parameters
AT+CGEREP 10.1.19 - Packet Domain event reporting
AT+CGLA 8.43 - Generic UICC Logical Channel access
AT+CGMI 5.1 - Request manufacturer identification
AT+CGMM 5.2 - Request model identification
AT+CGMR 5.3 - Request revision identification
AT+CGREG 10.1.20 - GPRS network registration status
AT+CGSMS 10.1.21 - Select service for MO SMS messages
AT+CGSN 5.4 - Request product serial number identification
AT+CGTFT 10.1.3 - Traffic Flow Template
AT+CGTFTRDP 10.1.25 - Traffic Flow Template Read Dynamic Parameters
AT+CHLD 7.13 - Call related supplementary services
AT+CHSC 6.15 - HSCSD current call parameters
AT+CHSD 6.12 - HSCSD device parameters
AT+CHSR 6.16 - HSCSD parameters report
AT+CHST 6.13 - HSCSD transparent call configuration
AT+CHSU 6.17 - HSCSD automatic user initiated upgrading
AT+CHUP 6.5 - Hangup call
AT+CIMI 5.6 - Request international mobile subscriber identity
AT+CIND 8.9 - Indicator control
AT+CKPD 8.7 - Keypad control
AT+CLAC 8.37 - List all available AT commands
AT+CLAE 8.31 - Language Event
AT+CLAN 8.30 - Set Language
AT+CLCC 7.18 - List current calls
AT+CLCK 7.4 - Facility lock
AT+CLIP 7.6 - Calling line identification presentation
AT+CLIR 7.7 - Calling line identification restriction
AT+CLVL 8.23 - Loudspeaker volume level
AT+CMAR 8.36 - Master Reset
AT+CMEC 8.6 - Mobile Termination control mode
AT+CMEE 9.1 - Report mobile termination error
AT+CMER 8.10 - Mobile Termination event reporting
AT+CMOD 6.4 - Call mode
AT+CMOLR 8.50 - Mobile Originated Location Request
AT+CMOLRE 9.1 - Report mobile originated location request error
AT+CMOLRE 9.3 - Mobile termination error result code
AT+CMTLR 8.57 - Mobile Terminated Location Request notification
AT+CMUT 8.24 - Mute control
AT+CMUX 5.7 - Multiplexing mode
AT+CNAP 7.30 - Calling name identification presentation
AT+CNUM 7.1 - Subscriber number
AT+COLP 7.8 - Connected line identification presentation
AT+COLR 7.31 - Connected line identification restriction status
AT+COPN 7.21 - Read operator names
AT+COPS 7.3 - PLMN selection
AT+COTDI 11.1.9 - Originator to Dispatcher Information
AT+CPAS 8.1 - Phone activity status
AT+CPBF 8.13 - Find phonebook entries
AT+CPBR 8.12 - Read phonebook entries
AT+CPBS 8.11 - Select phonebook memory storage
AT+CPBW 8.14 - Write phonebook entry
AT+CPIN 8.3 - Enter PIN
AT+CPLS 7.20 - Selection of preferred PLMN list
AT+CPNET 7.27 - Preferred network indication
AT+CPNSTAT 7.28 - Preferred network status
AT+CPOL 7.19 - Preferred PLMN list
AT+CPOS 8.55 - Positioning Control
AT+CPOSR 8.56 - Positioning Reporting
AT+CPPS 7.23 - eMLPP subscriptions
AT+CPROT 8.42 - Enter protocol mode
AT+CPSB 7.29 - Current Packet Switched Bearer
AT+CPUC 8.27 - Price per unit and currency table
AT+CPWC 8.29 - Power class
AT+CPWD 7.5 - Change password
AT+CR 6.9 - Service reporting control
AT+CRC 6.11 - Cellular result codes
AT+CREG 7.2 - Network registration
AT+CRLA 8.44 - Restricted UICC Logical Channel access
AT+CRLP 6.8 - Radio link protocol
AT+CRMC 8.34 - Ring Melody Control
AT+CRMP 8.35 - Ring Melody Playback
AT+CRSL 8.21 - Ringer sound level
AT+CRSM 8.18 - Restricted SIM access
AT+CSCC 8.19 - Secure control command
AT+CSCS 5.5 - Select TE character set
AT+CSDF 6.22 - Settings date format
AT+CSGT 8.32 - Set Greeting Text
AT+CSIL 6.23 - Silence Command
AT+CSIM 8.17 - Generic SIM access
AT+CSNS 6.19 - Single numbering scheme
AT+CSQ 8.5 - Signal quality
AT+CSSAC 7.32 - Service Specific Access Control restriction status
AT+CSSN 7.17 - Supplementary service notifications
AT+CSTA 6.1 - Select type of address
AT+CSTF 6.24 - Settings time format
AT+CSVM 8.33 - Set Voice Mail Number
AT+CTFR 7.14 - Call deflection
AT+CTZR 8.41 - Time Zone Reporting
AT+CTZU 8.40 - Automatic Time Zone Update
AT+CUAD 8.49 - UICC Application Discovery
AT+CUSD 7.15 - Unstructured supplementary service data
AT+CVHU 6.20 - Voice Hangup Control
AT+CVIB 8.22 - Vibrator mode
AT+CVMOD 6.4 - Voice Call Mode
AT+FCLASS C.2.1 - Select mode
AT+VBT C.2.2 - Buffer threshold setting
AT+VCID C.2.3 - Calling number ID presentation
AT+VGR C.2.4 - Receive gain selection
AT+VGT C.2.5 - Transmit gain selection
AT+VIP C.2.6 - Initialise voice parameters
AT+VIT C.2.7 - Inactivity timer
AT+VLS C.2.8 - Line selection
AT+VRX C.2.9 - Receive data state
AT+VSM C.2.10 - Select compression method
AT+VTD C.2.12 - Tone duration
AT+VTS C.2.11 - DTMF and tone generation
AT+VTX C.2.13 - Transmit data state
Questions and Help Needed
Q1: What is the correct device on the SGS2, for ATC communication to the modem?
Q2: How and where is this device selected/configured?
Q3: What do the various Proprietary AT commands (AT+X...) do?
Q4: Where can I find more documentation on the BP/CP?
References:
 Harald Welte's "Anatomy of contemporary GSM cellphone hardware"
 Telica's White Paper: "Challenges in integrating modems on Open Platforms"
 Adam Outler's "The all-in-one Galaxy S2 Hack Pack"
 Fabien Sanglard's non-blog: "Tracing the baseband"
 "Android Application Development" (Android Telephony Internals, Ch.15.2), R.Rogers/J.Lombardo, O'Reilly Media 2009