Send AT command on rooted Xperia Z android device

Julio picture Julio · Oct 1, 2013 · Viewed 7.4k times · Source

I have a rooted xperia Z phone. I would like to send USSD command and catch the answer.

My first idea was to send AT command through the good interface thanks to adb shell interface.

I listed all the interfaces:

/dev/tty             /dev/tty        5       0   system:/dev/tty
/dev/console         /dev/console    5       1   system:console
/dev/ptmx            /dev/ptmx       5       2   system
/dev/vc/0            /dev/vc/0       4       0   system:vtmaster
rfcomm               /dev/rfcomm   216 0-255     serial
usbserial            /dev/ttyUSB   188 0-253     serial
msm_serial_hsl       /dev/ttyHSL   244 0-3       serial
msm_serial_hs        /dev/ttyHS    245 0-255     serial
pty_slave            /dev/pts      136 0-1048575 pty:slave
pty_master           /dev/ptm      128 0-1048575 pty:master
smd_tty_driver       /dev/smd      251 0-36      serial
unknown              /dev/tty        4 1-63      console

I am not able to find the good interface. I tried with this command set:

root@android:/tmp/tst # tail -f /dev/ttyHSL1 &
root@android:/tmp/tst # echo -e "AT\r" > /dev/ttyHSL1

But I got no answer.

Any idea how to find the good port?

EDIT1: As required by Alex P.

root@android:/ # getprop | grep -i ril
[gsm.version.ril-impl]: [Qualcomm RIL 1.0]
[init.svc.ril-daemon]: [running]
[init.svc.ril-qmi]: [stopped]
[persist.rild.nitz_long_ons_0]: []
[persist.rild.nitz_long_ons_1]: []
[persist.rild.nitz_long_ons_2]: []
[persist.rild.nitz_long_ons_3]: []
[persist.rild.nitz_plmn]: []
[persist.rild.nitz_short_ons_0]: []
[persist.rild.nitz_short_ons_1]: []
[persist.rild.nitz_short_ons_2]: []
[persist.rild.nitz_short_ons_3]: []
[persist.ro.ril.sms_sync_sending]: [1]
[ril.cat.first.start]: [false]
[ril.ecclist]: [911,112]
[ril.icctype]: [2]
[ril.subscription.types]: [NV,RUIM]
[rild.libargs]: [-d /dev/smd0]
[rild.libpath]: [/system/lib/libril-qc-qmi-1.so]
[ro.ril.svdo]: [false]
[ro.ril.svlte1x]: [false]
[ro.ril.transmitpower]: [true]


goot@android:/ # grep -i ril /init*rc /init*sh
/init.qcom.rc:    onrestart /system/bin/log -t RIL-ATFWD -p w "ATFWD daemon restarted"
/init.qcom.rc:service ril-daemon1 /system/bin/rild -c 1
/init.qcom.rc:    socket rild1 stream 660 root radio
/init.qcom.rc:    socket rild-debug1 stream 660 radio system
/init.rc:service ril-daemon /system/bin/rild
/init.rc:    socket rild stream 660 root radio
/init.rc:    socket rild-debug stream 660 radio system
/init.target.rc:service ril-qmi /system/bin/sh /init.qcom.ril.sh
/init.qcom.class_main.sh:# start ril-daemon only for targets on which radio is present
/init.qcom.class_main.sh:multirild=`getprop ro.multi.rild`
/init.qcom.class_main.sh:    setprop ro.radio.noril yes
/init.qcom.class_main.sh:    stop ril-daemon
/init.qcom.class_main.sh:          setprop ro.multi.rild true
/init.qcom.class_main.sh:          stop ril-daemon
/init.qcom.class_main.sh:          start ril-daemon
/init.qcom.class_main.sh:          start ril-daemon1
/init.qcom.class_main.sh:    case "$multirild" in
/init.qcom.class_main.sh:             start ril-daemon1
/init.qcom.ril.sh:# start two rild when dsds property enabled
/init.qcom.ril.sh:    setprop ro.multi.rild true
/init.qcom.ril.sh:    stop ril-daemon
/init.qcom.ril.sh:    start ril-daemon
/init.qcom.ril.sh:    start ril-daemon1


root@android:/ # busybox netstat -lpnx | grep -i ril
unix  2      [ ACC ]     STREAM     LISTENING       7312 277/rild            /dev/socket/rild-debug
unix  2      [ ACC ]     STREAM     LISTENING       7314 277/rild            /dev/socket/rild

EDIT2:

As I saw /dev/smd0, I listed all the smd interface:

root@android:/ # ls -l /dev/smd*
ls -l /dev/smd*
crw------- root     root     251,   1 2013-10-01 21:53 smd1
crw------- root     root     251,  11 1970-05-31 18:07 smd11
crw-rw---- bluetooth bluetooth 251,   2 1970-05-31 18:07 smd2
crw------- root     root     251,  21 1970-05-31 18:07 smd21
crw------- root     root     250,   8 1970-05-31 18:07 smd22
crw------- root     root     251,  27 1970-05-31 18:07 smd27
crw-rw---- bluetooth bluetooth 251,   3 2013-10-01 17:45 smd3
crw------- root     root     251,  36 1970-05-31 18:07 smd36
crw-rw---- system   system   251,   4 1970-05-31 18:07 smd4
crw------- root     root     251,   5 1970-05-31 18:07 smd5
crw------- root     root     251,   6 1970-05-31 18:07 smd6
crw-rw---- bluetooth bluetooth 251,   7 1970-05-31 18:07 smd7
crw-r----- radio    radio    250,  22 1970-05-31 18:07 smd_cxm_qmi
crw------- root     root     250,  23 1970-05-31 18:07 smd_pkt_loopback
crw------- root     root     250,  21 1970-05-31 18:07 smd_sns_adsp
crw------- root     root     250,  18 1970-05-31 18:07 smd_sns_dsps
crw------- root     root     250,   9 1970-05-31 18:07 smdcnt_rev0
crw------- root     root     250,  10 1970-05-31 18:07 smdcnt_rev1
crw------- root     root     250,  11 1970-05-31 18:07 smdcnt_rev2
crw------- root     root     250,  12 1970-05-31 18:07 smdcnt_rev3
crw------- root     root     250,  13 1970-05-31 18:07 smdcnt_rev4
crw------- root     root     250,  14 1970-05-31 18:07 smdcnt_rev5
crw------- root     root     250,  15 1970-05-31 18:07 smdcnt_rev6
crw------- root     root     250,  16 1970-05-31 18:07 smdcnt_rev7
crw------- root     root     250,  17 1970-05-31 18:07 smdcnt_rev8
crw-r----- radio    radio    250,   0 1970-05-31 18:07 smdcntl0
crw-r----- radio    radio    250,   1 1970-05-31 18:07 smdcntl1
crw-r----- radio    radio    250,   2 1970-05-31 18:07 smdcntl2
crw-r----- radio    radio    250,   3 1970-05-31 18:07 smdcntl3
crw-r----- radio    radio    250,   4 1970-05-31 18:07 smdcntl4
crw-r----- radio    radio    250,   5 1970-05-31 18:07 smdcntl5
crw-r----- radio    radio    250,   6 1970-05-31 18:07 smdcntl6
crw-r----- radio    radio    250,   7 1970-05-31 18:07 smdcntl7
crw------- root     root     250,  20 1970-05-31 18:07 smdcntl8

I have no /dev/smd0 interface mounted

EDIT3:

I tried the socket solution:

new-host:platform-tools julio$ ./adb forward tcp:8080 localfilesystem:/dev/socket/rild-debug
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
new-host:platform-tools julio$ 



>>> MaSocket = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
>>> MaSocket.connect(('127.0.0.1',8080))
>>> MaSocket.send('AT\r\n')
4
>>> print MaSocket.recv(1)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
socket.error: [Errno 54] Connection reset by peer
>>> print MaSocket.recv(1)

>>> 

Answer

Ahmed Gawad picture Ahmed Gawad · Feb 4, 2015

I had the same Issue: You can use /dev/smd7, /dev/sdm8, /dev/smd11
EX:

echo "AT\r" | busybox microcom -t 500 /dev/smd11