Hardware:AT Commands
From Openmoko
DolfjeBot1 (Talk | contribs) m (Replacing 'OpenMoko' with 'Openmoko') |
MrNerdHair (Talk | contribs) (Added information on how to run GSM algorithm using USIM commands) |
||
(8 intermediate revisions by 8 users not shown) | |||
Line 7: | Line 7: | ||
commands (AT+CLAC)." | commands (AT+CLAC)." | ||
− | On | + | On Openmoko, the commands should be used via [[gsmd]]. If you use FSO, you can enter commands with [[OpenmokoFramework/mickeyterm|mickeyterm]]. |
See also: | See also: | ||
+ | * [[Neo_1973_and_Neo_FreeRunner_gsm_modem]] for description of some proprietary TI commands | ||
* http://wiki.openezx.org/AT_commands | * http://wiki.openezx.org/AT_commands | ||
* http://www.3gpp.org/ftp/Specs/latest/Rel-7/27_series/27007-740.zip contains 27.007, "AT command set for User Equipment (UE)" | * http://www.3gpp.org/ftp/Specs/latest/Rel-7/27_series/27007-740.zip contains 27.007, "AT command set for User Equipment (UE)" | ||
* http://www.3gpp.org/ftp/Specs/latest/Rel-7/27_series/27005-700.zip contains 27.005, "Use of Data Terminal Equipment - Data Circuit terminating Equipment (DTE - DCE) interface for Short Message Service (SMS) and Cell Broadcast Service (CBS)" | * http://www.3gpp.org/ftp/Specs/latest/Rel-7/27_series/27005-700.zip contains 27.005, "Use of Data Terminal Equipment - Data Circuit terminating Equipment (DTE - DCE) interface for Short Message Service (SMS) and Cell Broadcast Service (CBS)" | ||
− | German Link for AT explainations: http://www.nobbi.com/atgsm. | + | German Link for AT explainations: http://www.nobbi.com/atgsm.html |
= On the Neo1973 = | = On the Neo1973 = | ||
Line 486: | Line 487: | ||
Note: The Calypso does not allow to access the GSM functions of the SIM card (all functions starting with A0). | Note: The Calypso does not allow to access the GSM functions of the SIM card (all functions starting with A0). | ||
see http://lists.openmoko.org/pipermail/gsmd-devel/2007-March/000009.html | see http://lists.openmoko.org/pipermail/gsmd-devel/2007-March/000009.html | ||
+ | ((changed with Moko9B2 and newer, see http://people.openmoko.org/joerg/calypso_moko_FW/all_version__CHANGELOG.txt)) | ||
+ | |||
If you try accessing GSM function, you will get an ERROR back. Access to USIM function is possible, though. | If you try accessing GSM function, you will get an ERROR back. Access to USIM function is possible, though. | ||
Line 492: | Line 495: | ||
AT+CSIM=54,"008800812210....." // USIM commands | AT+CSIM=54,"008800812210....." // USIM commands | ||
− | +CSIM: 4,6985E // | + | +CSIM: 4,6985E // |
+ | You can use the USIM AUTHENTICATE command in the GSM security context to get SRES and Kc from a given RAND. | ||
+ | |||
+ | AT+CSIM=46,"008800801110FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00" // USIM AUTHENTICATE command in GSM Context. 0xFF bytes are RAND. | ||
+ | +CSIM: 32,"04EEEEEEEE08FFFFFFFFFFFFFFFF9000" // Expected response. 0xEE bytes are SRES, 0xFF bytes are Kc. | ||
+ | |||
+ | The USIM command APDU consists of the class code 0x00, indicating ISO/IEC 7816-4 communication without secure messaging between terminal and card on logical channel 0 (the only one guaranteed to be always open). The instruction code 0x88 is the simpler of the two designated for use with the AUTHENTICATE command, used for authentication operations without TLV encapsulation. The first parameter byte is pre-defined as 0x00 when used with instruction code 0x88. The second parameter, 0x80, specifies the GSM security context (as opposed to the example above, which uses 0x81 to access the 3G security context). The next parameter is Lc, the length of the command data block. The command data block consists of a single parameter, RAND, preceded by its length, 16 bytes (0x10 in hex). Since RAND is of fixed length, and the GSM security context does not use a second parameter to specify AUTN, Lc will always be 17 bytes (0x11 hex). The trailing 0x00 byte is the expected length of the response. Setting this byte to 0 results in all response data being returned at once. Specifying a different length results in the response being truncated to the specified length before return. | ||
+ | |||
+ | The USIM response is big-endian. The length of SRES is 4 bytes, the length of Kc is 8 bytes, and the status word 0x9000 indicates success. The expected response length parameter does not include the size of the trailing status word, so the trailing 0x00 byte in the example above could be replaced with any value which is at least 0x0E (14 decimal: length of SRES (4) + length of Kc (8) + 2 bytes specifying the aforementioned lengths). | ||
== Miscellaneous == | == Miscellaneous == | ||
Line 531: | Line 542: | ||
Where *#123# is the command sent. <!-- what is the other parameters? --> | Where *#123# is the command sent. <!-- what is the other parameters? --> | ||
− | [ | + | == Echo Suppression and Noise Reduction == |
− | + | The following commands were [http://lists.openmoko.org/pipermail/hardware/2008-August/000451.html posted] on the hardware list. The descriptions are the return string from the command, and that's about all we know about them. The values appear to be a bitmask, but combinations other than the ones listed are not accepted by the modem. | |
− | [[Category: | + | <pre> |
+ | AT%Nxxxx where xxxx is one of the numbers below: | ||
+ | |||
+ | 0083 "Short AEC is active" | ||
+ | 0283 "Long AEC is active" | ||
+ | 028B "Long AEC -6 dB is active" | ||
+ | 0293 "Long AEC -12 dB is active" | ||
+ | 029B "Long AEC -18 dB is active" | ||
+ | 0105 "Noise reduction is active" | ||
+ | 0125 "Noise reduction -6 dB is active" | ||
+ | 0145 "Noise reduction -12 dB is active" | ||
+ | 0165 "Noise reduction -18 dB is active" | ||
+ | 0187 "Both AEC and Noise reduction are active" | ||
+ | 0001 "AEC and Noise reduction are unactivated" | ||
+ | </pre> | ||
+ | |||
+ | [[Category:GSM]] |
Latest revision as of 09:16, 3 April 2011
The protocol used to access the GSM chip is part of the GSM standard.
Harald wrote on 2007-01-31 on the list http://lists.openmoko.org/pipermail/community/2007-January/002708.html "The chipset supports all of the mandatory ETSI GSM TS 07.07 commands (use http://pda.etsi.org/pda/queryform.asp to get it), plus some of the optional ones. This GSM standard even has a command that lists the list of available commands (AT+CLAC)."
On Openmoko, the commands should be used via gsmd. If you use FSO, you can enter commands with mickeyterm.
See also:
- Neo_1973_and_Neo_FreeRunner_gsm_modem for description of some proprietary TI commands
- http://wiki.openezx.org/AT_commands
- http://www.3gpp.org/ftp/Specs/latest/Rel-7/27_series/27007-740.zip contains 27.007, "AT command set for User Equipment (UE)"
- http://www.3gpp.org/ftp/Specs/latest/Rel-7/27_series/27005-700.zip contains 27.005, "Use of Data Terminal Equipment - Data Circuit terminating Equipment (DTE - DCE) interface for Short Message Service (SMS) and Cell Broadcast Service (CBS)"
German Link for AT explainations: http://www.nobbi.com/atgsm.html
[edit] On the Neo1973
[edit] Uncommented List of AT Commands
(AT+CLAC) on the Neo1973 gives this list:
AT+CACM AT+CAMM AT+CAOC AT+CBC AT+CBST AT+CCFC AT+CCUG AT+CCWA AT+CCWE AT+CEER AT+CFUN AT+CGACT AT+CGANS AT+CGATT AT+CGAUTO AT+CGCLASS AT+CGDATA AT+CGDCONT AT+CGEREP AT+CGMI AT+CGMM AT+CGMR AT+CGPADDR AT+CGQMIN AT+CGQREQ AT+CGREG AT+CGSMS AT+CGSN AT+CHLD AT+CHUP AT+CIMI AT+CLAC AT+CLAE AT+CLAN AT+CLCC AT+CLCK AT+CLIP AT+CDIP AT+CLIR AT+CLVL AT+CMEE AT+CMGC AT+CMGD AT+CMGF AT+CMGL AT+CMGR AT+CMGS AT+CMGW AT+CMOD AT+CMSS AT+CMMS AT+CMUT AT+CMUX AT+CNMA AT+CNMI AT+CNUM AT+COLP AT+COPN AT+COPS AT+CPAS AT+CPBF AT+CPBR AT+CPBS AT+CPBW AT+CPIN AT+CPMS AT+CPOL AT+CPUC AT+CPWD AT+CR AT+CRC AT+CREG AT+CRES AT+CRLP AT+CRSL AT+CRSM AT+CSAS AT+CSCA AT+CSCB AT+CSCS AT+CSDH AT+CSIM AT+CSMP AT+CSMS AT+CSNS AT+CSQ AT%CSQ AT+CSSN AT+CSTA AT+CSVM AT+CTFR AT+CUSD AT+DR AT+FAP AT+FBO AT+FBS AT+FBU AT+FCC AT+FCLASS AT+FCQ AT+FCR AT+FCS AT+FCT AT+FDR AT+FDT AT+FEA AT+FFC AT+FHS AT+FIE AT+FIP AT+FIS AT+FIT AT+FKS AT+FLI AT+FLO AT+FLP AT+FMI AT+FMM AT+FMR AT+FMS AT+FND AT+FNR AT+FNS AT+FPA AT+FPI AT+FPS AT+FPW AT+FRQ AT+FSA AT+FSP AT+GCAP AT+GCI AT+GMI AT+GMM AT+GMR AT+GSN AT+ICF AT+IFC AT+ILRR AT+IPR AT+VTS AT+WS46 AT%ALS AT%ATR AT%BAND AT%CACM AT%CAOC AT%CCBS AT%STDR AT%CGAATT AT%CGMM AT%CGREG AT%CNAP AT%CPI AT%COLR AT%CPRIM AT%CTV AT%CUNS AT%NRG AT%SATC AT%SATE AT%SATR AT%SATT AT%SNCNT AT%VER AT%CGCLASS AT%CGPCO AT%CGPPP AT%EM AT%EMET AT%EMETS AT%CBHZ AT%CPHS AT%CPNUMS AT%CPALS AT%CPVWI AT%CPOPN AT%CPCFU AT%CPINF AT%CPMB AT%CPRI AT%DATA AT%DINF AT%CLCC AT%DBGINFO AT%VTS AT%CHPL AT%CREG AT+CTZR AT+CTZU AT%CTZV AT%CNIV AT%PVRF AT%CWUP AT%DAR AT+CIND AT+CMER AT%CSCN AT%RDL AT%RDLB AT%CSTAT AT%CPRSM AT%CHLD AT%SIMIND AT%SECP AT%SECS AT%CSSN AT+CCLK AT%CSSD AT%COPS AT%CPMBW AT%CUST AT%SATCC AT%COPN AT%CGEREP AT%CUSCFG AT%CUSDR AT%CPBS AT%PBCF AT%SIMEF AT%EFRSLT AT%CMGMDU AT%CMGL AT%CMGR ATA ATB AT&C ATD AT&D ATE ATF AT&F ATH ATI AT&K ATL ATM ATO ATP ATQ ATS ATT ATV ATW AT&W ATX ATZ
[edit] Results of AT Commands
Taken from "3rd Generation Partnership Project; Technical Specification Group Core Network and Terminals; AT command set for User Equipment (UE) (Release 7)" - 3GPP TS 27.007 V7.2.0 (2006-09)
[edit] Section 5, General Commands
Request manufacturer identification +CGMI
AT+CGMI <manufacturer> OK
Request model identification +CGMM
AT+CGMM <model> OK
Request revision identification +CGMR
AT+CGMR <revision> OK
Request product serial number identification +CGSN
AT+CGSN <serial number> OK
Select TE character set +CSCS
AT+CSCS? +CSCS: "IRA" OK
AT+CSCS=? +CSCS: "GSM","IRA","PCCP437","PCDN","8859-1","HEX","UCS2" OK
Request international mobile subscriber identity +CIMI
AT+CIMI *************** (I'm not giving you my IMSI!) OK
Request subscriber number +CNUM
AT+CNUM +CNUM: ,"0123456789",122 OK
Multiplexing mode +CMUX
AT+CMUX? ERROR AT+CMUX=? +CMUX: (1),(0),(1-5),(10-100),(1-255),(0-100),(2-255),(1-255),(1-7) OK
PCCA STD 101 [17] select wireless network +WS46
AT+WS46=? +WS46: (12) OK
[edit] Section 6, Call control commands and methods
Select type of address +CSTA
AT+CSTA? +CSTA: 129 OK AT+CSTA=? +CSTA: (129,145) OK
Call mode +CMOD
AT+CMOD=? +CMOD: (0-3) OK
Select bearer service type +CBST
AT+CBST? +CBST: 7,0,1 OK AT+CBST=? +CBST: (0-7,12,14,65,66,68,70,71,75),(0),(0-3) OK
Radio link protocol +CRLP
AT+CRLP? +CRLP: 61,61,48,6 OK AT+CRLP=? +CRLP: (0-61),(0-61),(39-255),(1-255) OK
Service reporting control +CR
AT+CR? +CR: 0 OK AT+CR=? +CR: (0,1) OK
Extended error report +CEER
AT+CEER +CEER: 0,0,5,16,normal call clearing OK
Cellular result codes +CRC
AT+CRC=1 OK +CRING: VOICE
Single numbering scheme +CSNS
AT+CSNS=? +CSNS: (0-7) OK
[edit]
7.2 Network registration +CREG
AT+CREG? +CREG: 0,0 OK AT+CREG=? +CREG: (0-2) OK
7.3 PLMN selection +COPS
AT+CREG=1 OK AT+COPS=0 OK +CREG: 2 +CREG: 1
[edit] Section 8, Mobile Termination control and status commands
8.1 Phone activity status +CPAS
AT+CPAS +CPAS: 0 OK AT+CPAS=? +CPAS: (0-5) OK
8.2 Set phone functionality +CFUN
AT+CFUN? +CFUN: 1 OK AT+CFUN=? +CFUN: (0,1,4),(0) OK
8.4 Battery charge +CBC
AT+CBC +CBC: 0,0 OK AT+CBC=? +CBC: (0-3),(0-100) OK
8.17 Sim Access +CSIM
Note: The Calypso does not allow to access the GSM functions of the SIM card (all functions starting with A0). see http://lists.openmoko.org/pipermail/gsmd-devel/2007-March/000009.html ((changed with Moko9B2 and newer, see http://people.openmoko.org/joerg/calypso_moko_FW/all_version__CHANGELOG.txt))
If you try accessing GSM function, you will get an ERROR back. Access to USIM function is possible, though.
AT+CSIM=42,"A088000010FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" // GMS auth function ERROR // not allowed for security reasons
AT+CSIM=54,"008800812210....." // USIM commands +CSIM: 4,6985E //
You can use the USIM AUTHENTICATE command in the GSM security context to get SRES and Kc from a given RAND.
AT+CSIM=46,"008800801110FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00" // USIM AUTHENTICATE command in GSM Context. 0xFF bytes are RAND. +CSIM: 32,"04EEEEEEEE08FFFFFFFFFFFFFFFF9000" // Expected response. 0xEE bytes are SRES, 0xFF bytes are Kc.
The USIM command APDU consists of the class code 0x00, indicating ISO/IEC 7816-4 communication without secure messaging between terminal and card on logical channel 0 (the only one guaranteed to be always open). The instruction code 0x88 is the simpler of the two designated for use with the AUTHENTICATE command, used for authentication operations without TLV encapsulation. The first parameter byte is pre-defined as 0x00 when used with instruction code 0x88. The second parameter, 0x80, specifies the GSM security context (as opposed to the example above, which uses 0x81 to access the 3G security context). The next parameter is Lc, the length of the command data block. The command data block consists of a single parameter, RAND, preceded by its length, 16 bytes (0x10 in hex). Since RAND is of fixed length, and the GSM security context does not use a second parameter to specify AUTN, Lc will always be 17 bytes (0x11 hex). The trailing 0x00 byte is the expected length of the response. Setting this byte to 0 results in all response data being returned at once. Specifying a different length results in the response being truncated to the specified length before return.
The USIM response is big-endian. The length of SRES is 4 bytes, the length of Kc is 8 bytes, and the status word 0x9000 indicates success. The expected response length parameter does not include the size of the trailing status word, so the trailing 0x00 byte in the example above could be replaced with any value which is at least 0x0E (14 decimal: length of SRES (4) + length of Kc (8) + 2 bytes specifying the aforementioned lengths).
[edit] Miscellaneous
AT+CPAS +CPAS: 5 OK
AT+CPAS? ERROR AT+CPAS=? +CPAS: (0-5) OK
AT%BAND? %BAND: 0 OK AT%BAND=? %BAND: (0-1),(1-31) OK
AT+CSSN? +CSSN: 0,0 OK AT+CSSN=? +CSSN: (0,1),(0,1) OK
AT+CUSD=1,"*#123#",15
Where *#123# is the command sent.
[edit] Echo Suppression and Noise Reduction
The following commands were posted on the hardware list. The descriptions are the return string from the command, and that's about all we know about them. The values appear to be a bitmask, but combinations other than the ones listed are not accepted by the modem.
AT%Nxxxx where xxxx is one of the numbers below: 0083 "Short AEC is active" 0283 "Long AEC is active" 028B "Long AEC -6 dB is active" 0293 "Long AEC -12 dB is active" 029B "Long AEC -18 dB is active" 0105 "Noise reduction is active" 0125 "Noise reduction -6 dB is active" 0145 "Noise reduction -12 dB is active" 0165 "Noise reduction -18 dB is active" 0187 "Both AEC and Noise reduction are active" 0001 "AEC and Noise reduction are unactivated"