[A][SGS2][Serial] How to talk to the Modem with AT commands

Search This thread
By:
Advanced…
S

Sollace

Member
Sep 21, 2017
11
5
E:V:A said:
However, although the connection is successful, there is no AT reaction on that line...
[EDIT] (See notes in a later post.)
Click to expand...
Click to collapse
Hi, I have a Sony Xperia ZX that I've been trying to communicate with the modem.

I've been able to identify a port at /dev/tty but when I use the command:

Code: 
busybox microcom -t 500000000 /dev/tty
The connection is successful, but I don't get any response to my AT commands exactly as described in the main post.

Where is this "later post" that is supposed to deal with this issue?

Edit:
After a little more investigating:

Code: 
cd /dev/
ls | grep tty

I was able to identify another port (/dev/ttyHS0) that seems to be providing some output.
Still no response to my AT commands when sent to it, though.

Logcat shows it's being opened and written to, and catting the file produces a lot of binary output, so something is definitely listening on it.
Code: 
logcat | grep /dev/
01-18 11:50:50.664  5446  5446 I WCNSS_FILTER/uart_utils.c: init_uart_transport: opening /dev/ttyHS0
....
 
Last edited:
Zibri

Zibri

Senior Member
Dec 10, 2010
203
47
Is it possible to connect to sony xperia z3 AT command port from linux?
 
S

Sollace

Member
Sep 21, 2017
11
5
Publii said:
I'm having the exact problem with ttyHS0. How did you get the output working?
Click to expand...
Click to collapse
Hi hi! Wow, it's been a hot minute. I almost forgot I even had this account.

Anyway, try using /dev/smd7 or /dev/smd8 for executing AT commands. Seems those are the correct places to look for the Sony XZs, not any of the tty* files.

My experience with busybox has also been... less than stellar. So the full solution I landed on was:

echo -e 'AT \r' > /dev/smd7
or
echo -e 'AT \r' > /dev/smd8
to execute, and a simple cat to read. Replace "AT" with whatever command you need from the reference pages.
 
  • Like
Reactions: Publii
P

Publii

Member
Oct 19, 2016
12
1
Sollace said:
Hi hi! Wow, it's been a hot minute. I almost forgot I even had this account.

Anyway, try using /dev/smd7 or /dev/smd8 for executing AT commands. Seems those are the correct places to look for the Sony XZs, not any of the tty* files.

My experience with busybox has also been... less than stellar. So the full solution I landed on was:

echo -e 'AT \r' > /dev/smd7
or
echo -e 'AT \r' > /dev/smd8
to execute, and a simple cat to read. Replace "AT" with whatever command you need from the reference pages.
Click to expand...
Click to collapse
Thank you so much for responding. I got it working. I was using microcom instead of cat and it was the problem. smd7 also worked for me.
 
You must log in or register to reply here.

Similar threads

K
SGS2 Canadian Thread (Bell/Virgin/Sasktel/Rogers) Root/Unlock/Firmware/Modems/Mods
Replies
3K
Views
630K
R
romeowen
S
[Q] SGS 2 Drivers (CDC Serial & SAMSUNG_Android)
Replies
24
Views
157K
G
gole.shabbu8
It_ler
  • Sticky
[QA][SGS2][Newbies][Experienced Users][RCs] New members friendly QA thread
Replies
8K
Views
530K
It_ler
It_ler
cabloomi
[guide] how to make your own usb jig / reset binary counter / remove yellow triangle
Replies
141
Views
367K
F
faisal_vistro
U
Samsung Galaxy S2 - Where is the serial number?
Replies
15
Views
143K
halagore
halagore

Top Liked Posts

24 Hours All time
  • There are no posts matching your filters.
  • 63
    E:V:A
    E:V:A
    This is a LIVE guide to communicating with your phones modem by AT commands. The information contained here is collected on a continuous basis from various places after having some trouble finding all relevant information in one place. Now this place is here, and if not please post a comment on what's missing and where to find it, if you do know.

    All results in this guide have been obtained using a Samsung Galaxy S2 running a stock rooted GB 2.3.4 with PDA:XWKI4 and PHONE:XXKI1 on the 2.6.35.7 Kernel.

    The key documents to have as a reference when working with the Android AT command set are found at the 3GPP site. In particular these 2 documents:

    [1] The ETSI GSM 07.07 (3GPP TS 27.007) specifies AT style
    commands for controlling a GSM phone or modem.
    [2] The ETSI GSM 07.05 (3GPP TS 27.005) specifies AT style
    commands for managing the SMS feature of GSM.

    These documents exists in many different versions, so they are not all equal in content. Make sure to check what document version you are using.

    Background

    To better understand mobile phone modems and the underlying hardware I strongly recommend reading Harald Welte's "Anatomy of contemporary GSM cellphone hardware" [3] and Telica's "Challenges in integrating modems on Open Platforms" [4]. To summarize enormously, I can say this. On a modern Android based "smart phone", there are essentially two processors. The Application Processor (AP) where your Android operating system (AOS) and user interface (UI) lives, and the Baseband/Cellular Processor (BP/CP) where all the GSM and other high-tech communication magic happens, including the modem we wish to communicate with. In the most modern phones the BP and the AP and all possible other peripheral devices are integrated into one piece of hardware, loosely known as a Smartphone or System on a Chip (SoC). On this SoC there are a number of peripheral devices such as RTC, UARTs, SPI, I2C, USB ports, SD/MMC card controllers and an ISO7816 SIM card reader. However, to preserve the layered hardware structure, the AP and BP still communicates via UART (serial line), USB, SPI or through shared RAM and/or a combination of these. Therefore there will always be some path directly accessible from the outside that we should be able to use to communicate directly with the BP. Exactly how this is done, is mostly unknown due to the closed source and protectionisitc nature of the SoC manufacturers, to the great dismay of the developer community.

    Although there are several methods for invoking and controlling modem services, the two most common are through the AT Commands (ATC) and/or through Remote Procedural Calls (RPC). The ATC method is by far the most popular and the ATC set can be categorized as follows.

    Code: 
    Call Control:           Commands for initiating and controling calls.
Data Call Control:      Commands for controlling the data transfer and QoS.
Network Service:        Commands for Supplementary services,ME, operator
                        selection, locking and registraction.
SMS Control:            Commands for sending, notifying, setting SMS services.
ME Control & Status:    Commands for ME power,keypad,display,phonebook,RTC's.
    The AOS provide support for this framwork in the Radio Interface Layer (RIL), which acts as the interface between the radio HW and the Java Applicaiton Programming Interface (API). However, the RIL is divided into 3 parts or layers if you want. (These are just arbitrary, and not GSM layers!)

    L3. The Java RIL (AOS API) accessible to all but with a limited set of commands.
    L2. The RIL Daemon (RILJ) acting as an interface between AOS and the Vendor RIL.
    L1. The Vendor RIL, which is a closed-source and HW-specific implemetation.
    L0. The OEM/Vendor modem HW and firmware then acts on the L1 ATC's. (?)

    Thus the job of the RIL is to translate all the telephony requests from the Android telephony framework and map them to the corresponding AT commands to the modem, and back again.

    Here are two useful pictures that try to explain the various RIL layers.

    Fig.1.

    Fig.2.


    Finding the correct serial device for the phone modem

    In your phone you will find hundreds of devices listed under /dev. Knowing which one is the serial device(s) used for communicating with your Baseband Processor's (BP) Modem, is key in getting a useful AT communication going. Here it is also good to know that there are several serial devices connected to the BP. These connections are working in parallel through a MUX. So it is very likely you will be able to use several different devices to send AT commands with.

    So how do we find an appropriate local serial device on the phone? One way is of course to try to connect via some terminal application to all devices and send some AT commands and look for a response, but that is not very scientific or practical. Different phones may use different default (Modem) serial devices. One way to find the serial devices is by listing available tty drivers.

    Code: 
    # cat /proc/tty/drivers
...
rfcomm               /dev/rfcomm         216    0-255           serial
g_serial             /dev/ttyGS          253    0               serial
ttySAC               /dev/s3c2410_serial 204    64-68           serial
serial               /dev/ttyS           4      64-67           serial
...
    So what are these doing and which one should we try?
    After Googling around we suspect that:

    rfcomm = Used by Bluetooth serial devices
    ttySAC = Used by serial SAmsung Console
    g_serial = "DataRouter" (also see dun: (10,123) )

    In addition and thanks to the documentation in Adam Outler's info package [5], it can be inferred from the block diagram that perhaps:

    Code: 
    s3c2410_serial0 - UART0 - Bluetooth (ttySAC)            
s3c2410_serial1 - UART1 - GPS                                 
s3c2410_serial2 - UART2 - AP PMIC - A/S1 ??                   
s3c2410_serial3 - UART3 - AP PMIC --> AP Level Shifter --> BP UART ?? 
s3c2410_serial4 - UART4 - not used?
    (PMIC = Power Management IC)

    The block diagram is this one, from the SGS-2 service manual.



    Connecting using: a local terminal application or the ADB shell

    So from our previous results, we would suspect that we could use /dev/ttyGS0. Since Busybox contain the microcom terminal program, we can simply do:

    Code: 
    # busybox microcom -t 5000 /dev/ttyGS0
AT
ATI
<nothing> :(
    However, although the connection is successful, there is no AT reaction on that line...
    [EDIT] (See notes in a later post.)


    Connecting using: Windows

    If you are using Windows, you can go into Device Manager (DM) to find the correct port(s) used by your phone. However, depending on whether you set your phone to be used as a "USB mass storage" device or not, there may appear different devices in the DM. Here we assume that we just physically connect the phone and do nothing more. I.e. We're not using the device as a USB storage.

    Next, under the device class listed as "Modems", you will probably find at least two modem devices. For example, I have one called "HDAUDIO Soft Data Fax Modem with SmartCP", which has nothing to do with Samsung and most likely came with the computer with some bloatware. The other one is called "SAMSUNG Mobile USB Modem", which is what we want. Then right-click to open Properties of the USB Modem device and navigate to the "Diagnostics" tab. Click on the "Query Modem" to send some test AT commands to your modem. If this doesn't work, you have a problem, and I don't have an answer. The result should look something like this:

    Code: 
    ATQ0V1E0    - OK
AT+GMM      - AT+GMM
       GT-I9100
AT+FCLASS=? - (0,8)
AT#CLS=?    - COMMAND NOT SUPPORTED
AT+GCI?     - COMMAND NOT SUPPORTED
AT+GCI=?    - COMMAND NOT SUPPORTED
ATI1 -  Manufacturer: SAMSUNG 
        Model: I9100 
        Revision: I9100XXKI1 
        IMEI: xxxxx 
ATI2 -  Manufacturer: SAMSUNG 
        Model: I9100 
        Revision: I9100XXKI1 
        IMEI: xxxxx 
...
    See below for an explanation of these commands.


    Now try this yourself with some terminal application. My personal favorite is the free and fully feature loaded "RealTerm". In the Display tab, use ANSI and check the "newLine mode" box, then in the Port tab, find your port as listed in Device Manager. For example, for me the modem port is located on COM port 12. This is listed as "12=\ssudmdm0000" in RealTerm.


    Connecting using: Cygwin (on Windows)

    First thing to know about using Cygwin, is that the windows COMn ports are addressed as /dev/ttyS[n-1], thus if you have connected your phone with a USB cable, and you find it is connected to COM port 12, then it will be accessible only through /dev/ttyS11 under Cygwin. Other terminal applications may use different ports. In addition you need to have installed/compiled some terminal program like: picocom, microcom or cu etc. Also make sure the COM port is not already occupied by another terminal program.

    $ picocom /dev/ttyS11
    ...

    This works as expected.

    Some basic AT command structure

    I'm not going to say much about the AT commands themselves, as they are almost as old as home computers themselves. However, let's have a brief look at the "Modem Query" above.

    Code: 
    ATQ0V1E0
- This is actually a concatenation of the 3 commands: 
  (ATQ0 + ATV1 + ATE0) where:
  ATQ0 - Disables echo suppression
  ATV1 - Enables Verbose command results mode
  ATE0 - Turns off local Echo

AT+GMM  
- This one doesn't work in direct serial mode (!) and 
  is equivalent to AT+CGMM which shows the device model 
  identification. (I9100)

AT+FCLASS=? 
- This queries the phone (TA) mode: (data, fax, voice etc.)

ATI     
- This lists: Manufacturer, Model, Revision, IMEI


    NOTE    : AT commands can be concatenated on one line with each line starting with AT, and each command separated by ";". In some cases the semicolon is not needed. Typically a command without "=" or "?" is a general command, that sets or gets some parameters. But any command with "=" is a setting command, unless it is directly followed by "?", in which case you are querying the available/allowed parameters and their range. If the command is followed by "?" without a "=" it is a query, asking the values for something.

    WARNING!
    DO NOT SEND RANDOM COMMANDS/CHARACTERS TO YOUR PHONE MODEM

    Many AT commands can easily wipe or brick your phone or SIM card!
    I am in no way responsible for anyone bricking their phones, and
    I cannot help you if you do so. So you better know exactly what you
    send before you send anything at all.

    General AT command list extracted from 3GPP TS 27.007

    Here is a list with general AT commands and a brief description of their functions and the document section they are found at. The document version I used for the info extraction is shown on the first line.

    Note: Several of these commands are deprecated or simply not available on the Android/Samsung phone modems, at least not int he form shown in that document.

    Code: 
    3GPP TS 27.007 Release 9 145 V9.4.0 (2010-06)

AT+CAAP         7.25            -  Automatic answer for eMLPP Service 
AT+CACM         8.25            -  Accumulated call meter 
AT+CAEMLPP      7.22            -  eMLPP Priority Registration and Interrogation 
AT+CAHLD        11.1.3          -  Leave an ongoing Voice Group or Voice Broadcast Call 
AT+CAJOIN       11.1.1          -  Accept an incoming Voice Group or Voice Broadcast Call 
AT+CALA         8.16            -  Alarm 
AT+CALCC        11.1.6          -  List current Voice Group and Voice Broadcast Calls 
AT+CALD         8.38            -  Delete alarm 
AT+CALM         8.20            -  Alert sound mode 
AT+CAMM         8.26            -  Accumulated call meter maximum 
AT+CANCHEV      11.1.8          -  NCH Support Indication 
AT+CAOC         7.16            -  Advice of Charge 
AT+CAPD         8.39            -  Postpone or dismiss an alarm 
AT+CAPTT        11.1.4          -  Talker Access for Voice Group Call 
AT+CAREJ        11.1.2          -  Reject an incoming Voice Group or Voice Broadcast Call 
AT+CAULEV       11.1.5          -  Voice Group Call Uplink Status Presentation 
AT+CBC          8.4             -  Battery charge 
AT+CBCAP        8.59            -  Battery Capacity 
AT+CBCHG        8.61            -  Battery Charger Status 
AT+CBCON        8.60            -  Battery Connection Status 
AT+CBCS         11.3.2          -  VBS subscriptions and GId status 
AT+CBKLT        8.51            -  Backlight 
AT+CBST         6.7             -  Select bearer service type 
AT+CCFC         7.11            -  Call forwarding number and conditions 
AT+CCHC         8.46            -  Close Logical Channel 
AT+CCHO         8.45            -  Open Logical Channel 
AT+CCLK         8.15            -  Clock 
AT+CCUG         7.10            -  Closed user group 
AT+CCWA         7.12            -  Call waiting 
AT+CCWE         8.28            -  Call Meter maximum event 
AT+CDIP         7.9             -  Called line identification presentation 
AT+CDIS         8.8             -  Display control 
AT+CEAP         8.47            -  EAP authentication 
AT+CEER         6.10            -  Extended error report 
AT+CEMODE       10.1.28         -  UE modes of operation for EPS 
AT+CEPTT        11.1.10         -  Short Data Transmission during ongoing VGCS 
AT+CEREG        10.1.22         -  EPS network registration status 
AT+CERP         8.48            -  EAP Retrieve Parameters 
AT+CFCS         7.24            -  Fast call setup conditions 
AT+CFUN         8.2             -  Set phone functionality 
AT+CGACT        10.1.10         -  PDP context activate or deactivate 
AT+CGATT        10.1.9          -  PS attach or detach 
AT+CGCLASS      10.1.17         -  GPRS mobile station class 
AT+CGCLOSP      10.1.13         -  Configure local Octet Stream PAD parameters 
AT+CGCMOD       10.1.11         -  PDP Context Modify 
AT+CGCONTRDP    10.1.23         -  PDP Context Read Dynamic Parameters 
AT+CGCS         11.3.1          -  VGCS subscriptions and GId status 
AT+CGDATA       10.1.12         -  Enter data state 
AT+CGDCONT      10.1.1          -  Define PDP Context 
AT+CGDSCONT     10.1.2          -  Define Secondary PDP Context 
AT+CGEQOS       10.1.26         -  Define EPS Quality Of Service 
AT+CGEQOSRDP    10.1.27         -  EPS Quality Of Service Read Dynamic Parameters 
AT+CGEREP       10.1.19         -  Packet Domain event reporting 
AT+CGLA         8.43            -  Generic UICC Logical Channel access 
AT+CGMI         5.1             -  Request manufacturer identification 
AT+CGMM         5.2             -  Request model identification 
AT+CGMR         5.3             -  Request revision identification 
AT+CGREG        10.1.20         -  GPRS network registration status 
AT+CGSMS        10.1.21         -  Select service for MO SMS messages 
AT+CGSN         5.4             -  Request product serial number identification 
AT+CGTFT        10.1.3          -  Traffic Flow Template 
AT+CGTFTRDP     10.1.25         -  Traffic Flow Template Read Dynamic Parameters 
AT+CHLD         7.13            -  Call related supplementary services 
AT+CHSC         6.15            -  HSCSD current call parameters 
AT+CHSD         6.12            -  HSCSD device parameters 
AT+CHSR         6.16            -  HSCSD parameters report 
AT+CHST         6.13            -  HSCSD transparent call configuration 
AT+CHSU         6.17            -  HSCSD automatic user initiated upgrading 
AT+CHUP         6.5             -  Hangup call 
AT+CIMI         5.6             -  Request international mobile subscriber identity 
AT+CIND         8.9             -  Indicator control 
AT+CKPD         8.7             -  Keypad control 
AT+CLAC         8.37            -  List all available AT commands 
AT+CLAE         8.31            -  Language Event 
AT+CLAN         8.30            -  Set Language 
AT+CLCC         7.18            -  List current calls 
AT+CLCK         7.4             -  Facility lock 
AT+CLIP         7.6             -  Calling line identification presentation 
AT+CLIR         7.7             -  Calling line identification restriction 
AT+CLVL         8.23            -  Loudspeaker volume level 
AT+CMAR         8.36            -  Master Reset 
AT+CMEC         8.6             -  Mobile Termination control mode 
AT+CMEE         9.1             -  Report mobile termination error 
AT+CMER         8.10            -  Mobile Termination event reporting 
AT+CMOD         6.4             -  Call mode 
AT+CMOLR        8.50            -  Mobile Originated Location Request 
AT+CMOLRE       9.1             -  Report mobile originated location request error 
AT+CMOLRE       9.3             -  Mobile termination error result code 
AT+CMTLR        8.57            -  Mobile Terminated Location Request notification 
AT+CMUT         8.24            -  Mute control 
AT+CMUX         5.7             -  Multiplexing mode 
AT+CNAP         7.30            -  Calling name identification presentation 
AT+CNUM         7.1             -  Subscriber number 
AT+COLP         7.8             -  Connected line identification presentation 
AT+COLR         7.31            -  Connected line identification restriction status 
AT+COPN         7.21            -  Read operator names 
AT+COPS         7.3             -  PLMN selection 
AT+COTDI        11.1.9          -  Originator to Dispatcher Information 
AT+CPAS         8.1             -  Phone activity status 
AT+CPBF         8.13            -  Find phonebook entries 
AT+CPBR         8.12            -  Read phonebook entries 
AT+CPBS         8.11            -  Select phonebook memory storage 
AT+CPBW         8.14            -  Write phonebook entry 
AT+CPIN         8.3             -  Enter PIN 
AT+CPLS         7.20            -  Selection of preferred PLMN list 
AT+CPNET        7.27            -  Preferred network indication 
AT+CPNSTAT      7.28            -  Preferred network status 
AT+CPOL         7.19            -  Preferred PLMN list 
AT+CPOS         8.55            -  Positioning Control 
AT+CPOSR        8.56            -  Positioning Reporting 
AT+CPPS         7.23            -  eMLPP subscriptions 
AT+CPROT        8.42            -  Enter protocol mode
AT+CPSB         7.29            -  Current Packet Switched Bearer 
AT+CPUC         8.27            -  Price per unit and currency table 
AT+CPWC         8.29            -  Power class 
AT+CPWD         7.5             -  Change password 
AT+CR           6.9             -  Service reporting control 
AT+CRC          6.11            -  Cellular result codes 
AT+CREG         7.2             -  Network registration 
AT+CRLA         8.44            -  Restricted UICC Logical Channel access 
AT+CRLP         6.8             -  Radio link protocol 
AT+CRMC         8.34            -  Ring Melody Control 
AT+CRMP         8.35            -  Ring Melody Playback 
AT+CRSL         8.21            -  Ringer sound level 
AT+CRSM         8.18            -  Restricted SIM access 
AT+CSCC         8.19            -  Secure control command 
AT+CSCS         5.5             -  Select TE character set 
AT+CSDF         6.22            -  Settings date format 
AT+CSGT         8.32            -  Set Greeting Text 
AT+CSIL         6.23            -  Silence Command 
AT+CSIM         8.17            -  Generic SIM access 
AT+CSNS         6.19            -  Single numbering scheme 
AT+CSQ          8.5             -  Signal quality 
AT+CSSAC        7.32            -  Service Specific Access Control restriction status 
AT+CSSN         7.17            -  Supplementary service notifications 
AT+CSTA         6.1             -  Select type of address 
AT+CSTF         6.24            -  Settings time format 
AT+CSVM         8.33            -  Set Voice Mail Number 
AT+CTFR         7.14            -  Call deflection 
AT+CTZR         8.41            -  Time Zone Reporting 
AT+CTZU         8.40            -  Automatic Time Zone Update 
AT+CUAD         8.49            -  UICC Application Discovery 
AT+CUSD         7.15            -  Unstructured supplementary service data 
AT+CVHU         6.20            -  Voice Hangup Control 
AT+CVIB         8.22            -  Vibrator mode 
AT+CVMOD        6.4             -  Voice Call Mode 
AT+FCLASS       C.2.1           -  Select mode 
AT+VBT          C.2.2           -  Buffer threshold setting 
AT+VCID         C.2.3           -  Calling number ID presentation 
AT+VGR          C.2.4           -  Receive gain selection 
AT+VGT          C.2.5           -  Transmit gain selection 
AT+VIP          C.2.6           -  Initialise voice parameters 
AT+VIT          C.2.7           -  Inactivity timer 
AT+VLS          C.2.8           -  Line selection 
AT+VRX          C.2.9           -  Receive data state 
AT+VSM          C.2.10          -  Select compression method 
AT+VTD          C.2.12          -  Tone duration 
AT+VTS          C.2.11          -  DTMF and tone generation 
AT+VTX          C.2.13          -  Transmit data state
    Questions and Help Needed

    Q1: What is the correct device on the SGS2, for ATC communication to the modem?

    Q2: How and where is this device selected/configured?

    Q3: What do the various Proprietary AT commands (AT+X...) do?

    Q4: Where can I find more documentation on the BP/CP?
    References:

    [1] http://www.3gpp.org/ftp/Specs/html-info/27007.htm
    [2] http://www.3gpp.org/ftp/Specs/html-info/27005.htm
    [3] Harald Welte's "Anatomy of contemporary GSM cellphone hardware"
    http://laforge.gnumonks.org/papers/gsm_phone-anatomy-latest.pdf
    [4] Telica's White Paper: "Challenges in integrating modems on Open Platforms"
    http://teleca.com/Home/news_room/Whitepapers.aspx
    [5] Adam Outler's "The all-in-one Galaxy S2 Hack Pack"
    [6] Fabien Sanglard's non-blog: "Tracing the baseband":
    http://fabiensanglard.net/cellphoneModem/index2.php
    [7] "Android Application Development" (Android Telephony Internals, Ch.15.2),
    R.Rogers/J.Lombardo, O'Reilly Media 2009
    http://androidapps.org.ua/i_sect18_d1e18369.html


    Keywords: AT Commands, Modem, Terminal, CDC-ACM, RIL, Serial, UART

    If you like this work, please hit the thank you button!
    View
    9
    E:V:A
    E:V:A
    The GT-I9100 Baseband Processor (BP/CP) Specifications

    Currently I have got two different specifications regarding what BP is used in the SGS2, most likely due to the different versions available of the SGS2 in Europe vs. USA. The ones I have are:

    1. Intel/Infineon XMM6260 is the "platform" that consists of:

      a) The X-GOLD 626 (ARM1176?, 40nm) baseband processor
      b) The SMARTi UE2 RF-transceiver (65nm CMOS)
      c) The 3GPP Release 7 HSPA+ protocol stack with:
      Downlink: Category 14, Uplink: Category 7
      d) Alternative Names*: Infineon IFX6260 = Intel IMC6260 = Intel XMM6260
      e) Picture: http://www.infineon.com/export/sites/default/media/press/Image/press_photo/X-GOLD626.jpg
      f) Datasheet: N/A :(
      g) Most likely used in European phones
      h) is apparently also present in the iPhone 4S.. (check!)
      i) Closest available documentation:.
    2. Qualcomm QSC6085 (65nm,424 CSP, 12x12mm) contain:

      a) BP: ARM926EJS @ 192 MHz
      b) + QDSP @ 96 MHz (also on BP)
      c) Modem: IS-95 A/B, 1X Rel.0, EVDOr0, EVDOrA
      d) is apparently also present in the "Verizon Wireless USB760 Modem"
      e) Picture: N/A
      f) Datasheet: N/A :(
      g) Most likely used in North American (US) phones (CDMA)
    *It should be noted that Infineon Technologies (Wireless Division) has been acquired by Intel Mobile Communications, in early 2011.

    In fact these two differences just made a whole lot of sense from the available AT command sets. Basically the modem specific AT commands immediately give up the manufacturer of the modem firmware. (Yes, competing OEM developers do work together!) Because the command sets usually consists of 3 types.

    • The old school "Hayes" AT standard given by ETSI GSM 07.07.
    • Vendor Proprietary AT commands, specific for each OEM.
    • Carrier Proprietary AT commands, specific to some service providers. (E.g. AT&T, Sprint, T-mobile, Verizon etc.)
    So for our 2 modem cases above we have the obvious Proprietary AT extensions:
    Qualcomm QSCnnnn: AT$Q<something>
    Intel/Infineon XMMnnnn: AT+X<something>
    which indeed confirms the BP of my SGS2. Obviously there is a far easier way to reach this conclusion...
    ---------------------------------------------------------------
    TIPS!
    To see what baseband processor you have,
    you can enter into ServiceMode and check.
    This should always work as many ServiceMode
    functions are directly modem dependent.
    ---------------------------------------------------------------
    Why? Because the ServiceMode application
    actually reside in the modem firmware!
    Do this:
    Dial: *#197328640#
    Code: 
    MAIN MENU:
...
[2] VERSION INFO. -->
        [1] SW VERSION -->
                [5] READ ALL SW VERSION:
                ...
        ======>[COLOR=Red] IFX [/COLOR]SW VER: [COLOR=Red]SP6260[/COLOR]_U1_01.1135
                ...
    This implies the phone is using software for the (Infineon) IFX 6260...
    But the ServiceMode is just talking to the modem, so you can get the
    same information by opening an (external) terminal shell and send
    the following ATC:
    Code: 
    [B]AT+XGENDATA[/B]

+XGENDATA: "    [COLOR=Red]SP6260[/COLOR]_U1_01.1135_DB110831 2011-Sep-2 18:14:20                  
    PDB_NOT_AVAILABLE                                                           
*SP6260_U1_01.1135_DB110831*"                                                   
                                                                                
"*" 
OK
    Here is the FBGA pin-out of that chip:
    Fig.4.


    A small addendum about the SMARTi UE2 chip

    The BP is communicating with the RF-tranceiver chip called SMARTi UE2
    (labelled "5712"), using a communication interface that corresponds to
    the (MIPI) DigRF 3G (V.3.09) standard. Through this protocol the BP
    (or other device) can also control some aspects of the RF to some
    minor extent. But without the proper specifications of the 5712, it
    may also contain other interfaces...

    The DigRF connections:
    Fig.5.

    The SMARTi UE2 chip:
    Fig.6.

    Here are more link for the interested reader:

    General DigRF info:
    http://www.mipi.org/specifications/digrfsm-specifications
    http://www.mipi.org/sites/default/files/Specification Overview final.pdf
    http://electronicdesign.com/article/test-and-measurement/digrf-faqs19953.aspx

    The DigRF protocol details:
    http://www.siliconreleasesolutions.com/pdf/DigRF-TMWorld0509-FINAL.pdf
    http://www.docstoc.com/docs/53386199/DigRF-BASEBAND-RF-DIGITAL-INTERFACE-SPECIFICATION
    View
    7
    E:V:A
    E:V:A
    Complete AT command list for Samsung Galaxy S2 (GB 2.3.4, KI4)
    These were obtained by sending the "list all available AT commands" request: AT+CLAC .
    Their functions have been collected from many different sources, none of which originates
    from Samsung. Thus many ATC's are marked with one or more "?" to signify the uncertainty.

    The standard AT set as shown in the OP, I have not bothered to describe here.

    Code: 
    ATA                             - Answer
ATD                             - Dial ...
ATE                             - Enable command echo (0=disable, 1=enable)
ATH                             - ??? Hangup/Hook
ATO                     ??      - Return to Online Data Mode
ATQ                             - Result code supression 
ATS                             - Command line termination?     S[3,4,5]
ATV                             - Command response format (0=Numerical, 1=Verbose)
ATX                             - Result code format for CONNECT        Mfg!
ATZ                             - Reset Modem (...)
ATl                             - 
ATm                             - 

AT&C                    ?       - (Received line signal detector) Behaviour
AT&D                    ?       - (Data terminal ready) Behaviour
AT&F                    ?       - Restore Factory Default Configuration

AT\Q                    ?       - Local flow control selection

AT+CACM
AT+CAMM
AT+CAOC
AT+CBC
AT+CBST
AT+CCFC
AT+CCHC
AT+CCHO                         - Open Logical Channel
AT+CCID                         - SIM Serial Number
AT+CCLK                         - Realtime clock
AT+CCUG
AT+CCWA
AT+CCWE
AT+CEER         
AT+CFUN         *               ? This command selects the level of  functionality <fun> in the MS. Only some values of<fun> are  allowed (see Defined values).

AT+CGACT                        - 
AT+CGATT                        - 
AT+CGAUTO                       - 
AT+CGCLASS                      - 
AT+CGCMOD                       - 
AT+CGDATA                       - 
AT+CGDCONT                      - 
AT+CGDSCONT                     - 
AT+CGEQMIN                      - 
AT+CGEQNEG                      - 
AT+CGEQREQ                      - 
AT+CGEREP       *               - Packet Domain event reporting
AT+CGLA                 E       - Generic UICC Logical Channel access
AT+CGMI                         - Request manufacturer identification 
AT+CGMM                         - Request model identification
AT+CGMR                         - Request revision identification
AT+CGPADDR                      - 
AT+CGQMIN                       - 
AT+CGQREQ                       - 
AT+CGREG        *               - GPRS network registration status                              AT+CGREG=2;+CGREG?
AT+CGSMS                        - 
AT+CGSN         *               - Request product serial number identification (IMEI)
AT+CGTFT

AT+CHLD
AT+CHUP                         - Hangup call
AT+CIMI         *               - Request international mobile subscriber identity (IMSI)
AT+CLAC                         - List all available AT commands
AT+CLAN
AT+CLCC
AT+CLCK
AT+CLIP
AT+CLIR
AT+CMEE                         - Report mobile termination error (+CME) verbosity mode (0,1,2)
AT+CMGC
AT+CMGD
AT+CMGF
AT+CMGL
AT+CMGR
AT+CMGS
AT+CMGW
AT+CMMS
AT+CMOD
AT+CMSS
AT+CMUX                         - Set multiplexing protocol control channel mode(s)
AT+CNAP
AT+CNMA
AT+CNMI         *               - This command selects the procedure,  how receiving of new SMS from network is indicated to the TE
AT+CNUM
AT+COLP
AT+COLR
AT+CONNECTPORT
AT+COPN
AT+COPS                         - 
AT+CPAS
AT+CPIN
AT+CPIN2
AT+CPLS
AT+CPMS
AT+CPOL
AT+CPUC
AT+CPWD
AT+CPWROFF
AT+CR
AT+CRC
AT+CREG
AT+CRES
AT+CRLA                 ?       - Restricted UICC Logical Channel access
AT+CRLP         *               - Radio link protocol
AT+CRSM
AT+CSAS
AT+CSCA
AT+CSCB
AT+CSCS
AT+CSDH
AT+CSIM
AT+CSMP
AT+CSMS
AT+CSQ                          - Signal Quality
AT+CSSN
AT+CSTA
AT+CSVM
AT+CTFR
AT+CTZR
AT+CTZU
AT+CUAD                         - UICC Application Discovery
AT+CUSD
AT+CVHU

AT+FCLASS                       - Select mode: put TA into mode: (data, fax, voice etc.)
AT+IPR                          - This command specifies the data rate  at which the DCE will accept commands. The full range of data rate  values may be reduced dependent on HW or other criteria.
AT+NEER                         
AT+TRACE        *               ? (see: +XSIO) This command controls the  trace; it allows selecting the trace mode, method and the trace data  transfer rate. 
AT+VTD                          
AT+VTS                          

AT+XAACOPS                      ?
AT+XAPP         *       !       - Known buffer overflow in Iphone 4S  (unsigned code execution):  Probably used to send executable code  (application) to BB! 
AT+XBANDSEL                     ? This command allows to switch from  automatic band selection to selection of one or more (up to four) bands.
AT+XCALLSTAT    *               ? Set reporting call status: This  command allows enabling / disabling the reporting voice call status on  DTE using an unsolicited result code +XCALLSTAT:  <call_id><stat>.
AT+XCEER                        ?
AT+XCGCLASS                     ?? Changing the startup MS Mobile class ("B", "CC")
AT+XCONFIG              +       ?? This command allows the configuration of DLCs (Data Logical Channels). (see +XMUX)
AT+XCOPS                        ? Display of the most adapted name of  the network.The command parameter <type> allows requesting the  name type which shall be displayed.
AT+XCSP                         ? This command reads the customer  service profile (CSP) from the SIM. The CSP indicates the services that  are user accessible.
AT+XCSPAGING                    ? This command allows enable/disable the  circuit switching paging. The command has an effect only when used  before +COPS or +CGATT.     
AT+XCSSMS                       ? Initiate Resending of SMS over CS if GPRS Fails
AT+XCTMS                        ? This command allows to set the TTY/CTM  behavior. The selected setting is stored also in NVRAM and remains  valid also after switch off the mobile
AT+XDATACHANNEL                 ? This command configures the channel over which CSD or GPRS data shall be routed.
AT+XDLCTEST                     ?
AT+XDNS                         ? This command enables / disables a  dynamic DNS (Domain Name Service) request before context activation.
AT+XDTMF                        ? This command allows setting the value  of SEND DTMF user setting that controls whether the DTMF tone generation  on request from SIM-TK is allowed.
AT+XEER                         ?
AT+XEONS                        ? displays the list of available  networks with details like long operator name, short operator name,  MCC/MNC, Long EONS name, Short EONS name for each PLMN.
AT+XFDOR                        ? Trigger Fast Dormancy
AT+XFDORT                       ? Set Fast Dormancy Timer
AT+XGAUTH                       ? This proprietary command allows to  enter the type of authentication for a user-name (using a password) for  the specified PDP context
AT+XGENDATA                     ? This command requests the software version and generation data.
AT+XHOMEZR                      ? This Set command enables and disables  the home zone change event reporting. If the reporting is enabled; the  MT returns the unsolicited result code +XHOMEZR: <label> whenever  the home zone is changed.
AT+XHSDUPA                      ? This command configures the mode of  HSDPA and HSUPA (by changing the appropriate dynamic NVRAM parameter)
AT+XL1SET                       ? Call the L1-specific function
AT+XLEMA                        ??? Emergency number list (Ofono)
AT+XLIN                         ? This command sets the current line.
AT+XLOG         *       !       - Known buffer overflow in Iphone 4S  (unsigned code execution) ? This command allows displaying the  exceptions stored in NVRAM on DTE. The MS-error LOG is contained in a  response code formatted as +XLOG:  <num>,<code>,<file>,<line>,<count> or an  other appropriate format as specified below.
AT+XMER                         ? Enables or disables sending of  unsolicited result codes from the MS to the DTE when the battery charge  level or the radio signal level crosses a defined threshold.
AT+XMUX                 +       ? Multiplexing mode: This command configures the GSM 07.10 multiplexing protocol. 
AT+XNOTIFYDUNSTATUS             ??? (LG) This command is used to notify DNS setting status
AT+XNVMMCC                      ?
AT+XNVMPLMN                     ?
AT+XPINCNT                      - This command reads the remaining attempts for SIM PIN, SIM PIN2, SIM PUK and SIM PUK2.        
AT+XPOW                         ? This command sets the powersaving-mode.
AT+XPROGRESS                    ? This command allows enabling /  disabling the display of an unsolicited result code + XPROGRESS:  <cin> (call number indication), <status> on DTE while a call  is in progress.
AT+XRAT                         ? This command forces the selection of the Radio Access Technology (RAT) in the protocol stack.
AT+XREDIAL                      ? Enabling of automatic redialing if the called party was busy.
AT+XREG                 !       ? Involved in the iPhone unlock hacks...
AT+XRXDIV       *               ? This command is used to allow external  control of the Rx Diversity feature during runtime.            
AT+XSETCAUSE                    ?
AT+XSIMSTATE                    ? Display SIM and Phonelock Status  (write at+xsimstate=1 to turn on, at+xsimstate=0 to turn off) 
AT+XSIO         *               ? This command allows the configuration  of the modem-interface (AT), trace-interface, IrDA interface and  MUX-interface by setting the variant number.
AT+XSMS                         ? Detection of Signal DR_SM_FINISHED_IND
AT+XSVM                         ? This command allows to set the voice mail server number.
AT+XSYSTRACE                    ?
AT+XTESM                        ?
AT+XTRACECONFIG                 ?
AT+XUBANDSEL                    ?
AT+XUICC                        - Checks for UICC Card, whether the current SIM is a 2G or 3G sim.
AT+XVTS                         -
    As you can see there are quite a few OEM commands here, whose functions I have not been able to
    figure out yet. Please post if you know anything or have any documentation on these. They all
    start with: AT+X<something>. There are also others that, that are not documented at all, AFAIK.
    [2012-02-05]

    On this list, the most interesting ATC's for our purposes are AT+XSIO and AT+XTRACE as described here:
    Code: 
    [B]AT+XSIO[/B]         This command allows the configuration of the modem-interface (AT), 
                trace-interface, IrDA interface and MUX-interface by setting the 
                variant number.

                • Set command allows the configuration of the modem-interface (AT), trace-interface, IrDA interface and
                  MUX-interface by setting the variant number. The set variant number becomes active only after a reset
                • Read command allows seeing which is the current variant and which is the requested variant. A star marks
                  the active variant.
                • Test command returns the possible and customizable variants.

Defined values:
                <requested>     requested variant, which may be in range 0-255
                <active>        currently active variant, which may be in range 0-255
                <AT-interface>  NULL, UART0, …, UARTn
                <Trace>         NULL, UART0, …, UARTn
                <MUX>           1-x
                <IrDA>          NULL, UART0, …, UARTn
Example:

[B]AT+XSIO=?[/B]                                                                       

+XSIO: [SP62XX_es1] Variant=0:  AT= USART2 USB[03]; BB-Trace= USB1; 3G-Trace= USB2; OCT= USB6;                                                                  
+XSIO: Variant=1 :  AT= USART2 USB[03]; BB-Trace= TADO0; 3G-Trace= TADO1; OCT= USB1;                                                                            
+XSIO: Variant=2 :  AT= USART2 USB[01]; BB-Trace= BG0; 3G-Trace= BG1;           
+XSIO: Variant=3 :  AT= USB[01]; BB-Trace= USART2; 3G-Trace= USIF5; OCT= USB6;  
+XSIO: Variant=4 :  AT= USART2 USB[01]; BB-Trace=/bbt/0; 3G-Trace=/3gt/0;       

[B]AT+XSIO? [/B]                                                                       

+XSIO: 0, *0

-------------------------------------------------------------------------------
[B]AT+TRACE[/B]        This command controls the trace; it allows selecting the trace mode,
                method and the trace data transfer rate. 

                • Set command switches the trace on or off. It allows the trace mode, method and the trace data transfer rate.
                • Read command allows seeing the current set mode value along with the speed, i.e. data transfer rate. It also
                  allows knowing which traceable unit is on or off.
                • Test command returns all the possible values of mode, data transfer rate, traceable unit, their mode and
                  power saving countdown.

Command Syntax:
                
AT+TRACE=[<mode>],[<speed>],[<unit>=<umode>],[<method>],[PowerSavingCountdown]

Defined Valuse:

<mode>  may be
0       switch trace off
1       switch trace on (all kinds of traces are switched on)
128     This value can not be entered, it is only displayed via read 
        syntax if trace configuration is done by unitdefinitions
        the last time. See <umode> & <unit> for trace configuration;

<unit>=<umode>
<unit> indicates a traceable unit as follows:

St stack
Pf printf
Bt Bluetooth
Ap apoxi
Db debug
Lt LLT (Low Level Trace)
Li LwIP (Lightweight TCP/IP Stack)
Ga GATE (3rd Party Software Decoding with a Windows DLL)

<umode> defines whether the unit related trace is on or off and can have the values:

0 unit-trace off
1 unit-trace on

<method> sting type indicating the trace method with possible values:

"BTM" byte stuffing trace method
"EBTM" extended byte stuffing trace method

<PowerSavingCountdown> 
        Integer value indicating the power saving countdown 
        value in units of milliseconds. The maximum valid value is
        30000.

Example:

[B]AT+TRACE? [/B]                                                                      
+TRACE: 1,921600,"ap=1;st=1;db=1;pr=1;bt=1,lt=1;li=1;ga=1;ae=1","DTM",0
    [2012-02-14]

    Additional hidden AT commands on the SGS-2

    Runing strings on the stock /system/bin/drexe , you will find the following AT commands embedded.
    These are probably not directly supported by Modem, but rather interpreted by drexe, as
    they're not present in the +CLAC list. In addition, some of them just don't work and maybe only
    provided for backward compatibility for other devices and modems.

    Code: 
    AT+APPLIST
AT+AUTHKEY=
AT+BATGETLEVEL?
AT+CERTKEY
AT+CGMM
AT+CGSN
AT+CGTEMR=NewPCStudio
AT+DEVAUTH
AT+DEVCONINFO
AT+DISSTRNO=
AT+FOTALOC?
AT+FOTAREADY?
AT+FOTASTART
AT+FUS?
AT+GMM
AT+GSN
AT+HIDSWVER
AT+IMEINUM
AT+PASSWORDINPUT
AT+PRODUCTCODE
AT+PROF=
AT+SECUKEY
AT+SUDDLMOD=
AT+SUPPORTFUS
AT+SWVER
AT+SYNCML=MOBEXSTART
AT+SYNCML=MOBEXSTOP
    [2012-02-09]
    View
    7
    PaulKocialkowski
    PaulKocialkowski
    I am the Replicant developer who worked on Nexus S port and also did the work on aries (galaxy s, galaxy tab) devices and wrote a big part of the free RIL.

    Replicant is a fully free Android derivate running on some devices (mostly Google phones).

    If you have any question regarding samsung modems in Android phones, i'd be happy to answer them!

    I'll attach the mail I sent back to E:V:A next

    ---------- Post added at 08:27 PM ---------- Previous post was at 08:22 PM ----------

    Modems on Android devices is a wide domain.
    Phones differ on many things, like:
    * modem chipset
    * modem firmware
    * transport modem <-> AP
    * modem protocol
    * user-space integration (Android RIL)

    First thing is the modem chipset. There are quite a few. For instance on
    HTC phones, you'll have the ones included in the MSM or QSD SoCs (which
    is quite unusual, modems aren't often part of the SoC) IIRC.
    On other devices, it'll be a separate chip connected to the SoC via
    various transport methods.

    I know better the case of recent Samsung phones, like Nexus S, Galaxy S,
    Galaxy Tab (first gen), Galaxy S2, etc.

    There, you have the modem, usually an intel x-gold 6xx, that is wired to
    the SoC. So transport is done via serial line and/or some dedicated RAM
    memory (not from the main sticks).

    Even though a phone can have the same modem wired (at hardware level)
    the same way, the kernel drivers can be different. That's the case of
    nexus s and galaxy s. On the first one, modem Rx/Tx with AP is done via
    ioctls while on galaxy s it's done via a PHONET network interface
    (svnet0). SO it's not (and particularly on Samsung phones) only a serial
    interface you can open with screen: you need to understand how it's done
    and write dedicated software to reproduce this (cf. the code on
    libsamsung-ipc/devices/ that is device-specific).

    So once you have transport set up, you need to know about the protocol
    the modem speaks. This depends on the firmware the modem is running.
    I know that the modem used in Nexus S is also used in some iPhone (4G
    IIRC) but it has a different firmware and so speaks a different
    protocol. I suspect it to be AT on the iPhone while Nexus S speaks a
    samsung-specific modem protocol. They invented that protocol and
    rewritten the modem firmware to use it instead of AT or anything else.
    This protocol is usually called "Samsung IPC Protocol" and we have a
    free implementation of it in libsamsung-ipc and samsung-ril.

    On the Nokia N900, transport is also a PHONET socket and the protocol is
    neither AT nor Samsung IPC but some protocol made by nokia and
    implemented in ofono.

    So you have exemples of different transport methods and modem protocols.
    I could give you more exemples.

    Of course, on Android, you need to have the user-space programs (the RIL
    mainly) to match both the transport scheme and the modem protocol to
    have anything working.

    > Please have a look at our XDA-forum thread:
    >
    > "How to talk to the Modem with AT commands":
    > http://forum.xda-developers.com/showthread.php?t=1471241

    Apparently you were able to contact the modem with some AT commands.
    Either the modem has an AT mode that can run along with IPC (would
    surprise me, but why not), but it may very well be uncompleted and is
    anyway not used at all in official binaries, either this is Android
    emulating and AT device while sending back stuff from and to the RIL,
    either this is not the modem.

    Anyway I can tell you for sure that this is absolutely not the way to
    talk to the modem properly. The correct way is to use the IPC protocol
    and appropriate transport handling (which is way more complex than only
    opening a serial line).

    I just started the work on galaxy s2, I'll soon have done the transport
    layer and we already know the protocol.
    View
    3
    R
    Rebellos
    Very good to read, thanks for linking me that. :)
    But just to correct - AT is abit deprecated interface in SGS, SGS2 and similiar models. It can be used to control modem directly from PC (not sure if PC is really directly talking to modem or to part of Android's HALs, which is then talking to modem, for eg. USB-UART multiplexer in I9000 and S8500/S8530 is capable to switch phone MicroUSB port between AP USB/UART and CP USB/UART.
    The main controlling interface used in above models is RPC through oneDRAM shared-memory area. You can find devices like "dpram", "onedram", "modemctl" in kernel - these are critical for proper working of modem. Even if RIL is using AT commands, it does send them through RPC.
    AP-CP UART connection seems to be used only for early booting stage (at least in I9000 and S8500, haven't analysed I9100 but guess that's similiar)


    Ad1. There may be no real ability to communicate with modem directly on SGS2 and AT responses you are getting may be from Android, working on AP only, not AMSS (Advanced Mobile Subscriber Software - RTOS working on Qualcomm's CP)

    Ad4. These datasheets are most guarded secrets of manufacturers. Only single, incomplete manuals leak from Qualcomm, not really useful. Also AP-CP RPC protocol is proprietary of Samsung, they got AMSS sources from Qualcomm and they are adding their own drivers there.

    Oh yes, I gave Qualcomm as example, but is CP in SGS2 Qualcomm? It wasn't QC product on SGS1 but tbh it is also very closed source.

    While AP-CP low level protocol is opensource (you can find it in dpram/onedram/modemctl drivers in kernel), higher level of that layer - compiled into sec-RIL, is not.
    AP-CP protocol is different between I9000 and S8500 (general concept remains the same, just it has been rewriten so packet types and structures are different), but if you are interested - we're creating opensource RIL for S8000/S8500/S8530/S8600 device series, supposed to work with Android ports for them - http://code.google.com/p/bada-modemril/ (branch experimental-MochaIPC)
    View

New posts