We are currently working on a project to implement DMVPN (IWAN) over BGAN. This is the process I went through to discover how to send AT commands from our Cisco IOS Router to the BGAN unit.

Router Configuration

vrf definition INMARSAT
 rd 1:1
 address-family ipv4
interface GigabitEthernet0
 vrf forwarding INMARSAT
 ip address dhcp

Telnet to the BGAN Unit.

LAB-819# telnet /vrf INMARSAT
Trying ... Open

VxWorks login: bganuser
Password: broadband

Getting Help in VxWorks

When interacting with VxWorks, you can type help to get the main help menu. Note that the help menu is broken up into additional subHelp menus providing topics on specific types of tasks.

-> help

help                           Print this list
dbgHelp                        Print debugger help info
edrHelp                        Print ED&R help info
ioHelp                         Print I/O utilities help info
nfsHelp                        Print nfs help info
netHelp                        Print network help info
rtpHelp                        Print process help info
spyHelp                        Print task histogrammer help info
timexHelp                      Print execution timer help info
h         [n]                  Print (or set) shell history
i         [task]               Summary of tasks' TCBs
ti        task                 Complete info on TCB for task
sp        adr,args...          Spawn a task, pri=100, opt=0x19, stk=20000
taskSpawn name,pri,opt,stk,adr,args... Spawn a task
td        task                 Delete a task
ts        task                 Suspend a task
tr        task                 Resume a task
tw        task                 Print pending task detailed info
w         [task]               Print pending task info
d         [adr[,nunits[,width]]] Display memory
m         adr[,width]          Modify memory
mRegs     [reg[,task]]         Modify a task's registers interactively
pc        [task]               Return task's program counter
iam       "user"[,"passwd"]    Set user name and passwd
whoami                         Print user name
devs                           List devices
ld        [syms[,noAbort][,"name"]] Load stdin, or file, into memory
                               (syms = add symbols to table:
                               -1 = none, 0 = globals, 1 = all)
lkup      ["substr"]           List symbols in system symbol table
lkAddr    address              List symbol table entries near address
checkStack  [task]             List task stack sizes and usage
printErrno  value              Print the name of a status value
period    secs,adr,args...     Spawn task to call function periodically
repeat    n,adr,args...        Spawn task to call function n times (0=forever)
version                        Print VxWorks version info, and boot line
shConfig  ["config"]           Display or set shell configuration variables
strFree   [address]            Free strings allocated within the shell (-1=all)

NOTE:  Arguments specifying 'task' can be either task ID or name.

value = 1 = 0x1

Execute the netHelp command to retrieve syntax for network related commands.

-> netHelp
hostAdd   "hostname","inetaddr"    - add a host to remote host table;
                                     "inetaddr" must be in standard
                                     Internet address format e.g. ""
hostShow                           - print current remote host table
netDevCreate "devname","hostname",protocol
                                   - create an I/O device to access files
                                     on the specified host
                                     (protocol 0=rsh, 1=ftp)
routeAdd     "destaddr","gateaddr" - add route to route table
routeDelete  "destaddr","gateaddr" - delete route from route table
routeShow                          - print current route table
iam          "usr"[,"passwd"]      - specify the user name by which you
                                     will be known to remote hosts
                                     (and optional password)
whoami                             - print the current remote ID
rlogin       "host"                - log in to a remote host;
                                     "host" can be inet address or
                                     host name in remote host table
ifShow       ["ifname"]            - show info about network interfaces
inetstatShow                       - show all Internet protocol sockets
tcpstatShow                        - show statistics for TCP
udpstatShow                        - show statistics for UDP
ipstatShow                         - show statistics for IP
icmpstatShow                       - show statistics for ICMP
arptabShow                         - show a list of known ARP entries
mbufShow                           - show mbuf statistics

EXAMPLE:   -> hostAdd "wrs", ""
           -> netDevCreate "wrs:", "wrs", 0
           -> iam "fred"
           -> copy  rlogin "wrs"            /* rlogin to host "wrs" */

value = 1 = 0x1


ipstatShow is similar to netstat in linux or unix systems and provides a listing of running services which are listening for connections to the system as well as current sockets in use.

-> inetstatShow
Active Internet connections (including servers)
PCB      Proto Recv-Q Send-Q  Local Address         Foreign Address       (state)
-------- ----- ------ ------  --------------------- --------------------- -------
a0c41920 TCP        0      0 ESTABLISHED
a0c406c0 TCP        0      0             LISTEN     
a0c3fee0 TCP        0      0             LISTEN     
a0c3f9a0 TCP        0      0               LISTEN     
a0c3f460 TCP        0      0             LISTEN     
a0c3ef20 TCP        0      0             LISTEN     
a0c3e200 TCP        0      0               LISTEN     
a0c3dcc0 TCP        0      0               LISTEN     
a0c36080 UDP        0      0                        
a0c35cc0 UDP        0      0                          
a0c35b80 UDP        0      0                  
a0c357c0 UDP        0      0                        
value = 1 = 0x1


Note the results of the table above:

  • Our current active Telnet Session.
  • Unknown (non-registered) TCP Ports … these are what we will be looking into.
  • HTTP Daemon providing local management of UT (User Terminal aka BGAN IDU/ODU).
  • FTP Daemon providing access to local filesystem.
  • Unknown (non-registered) UDP Ports.
  • BOOTP/DCHP Daemon providing Address Assignment on the LAN.

Identifying Services on Unknown TCP Ports

So now that we have identified the listening TCP and UDP sockets in the unit, lets try and identify what each TCP port is used for.

LAB-819# telnet 1825 /vrf INMARSAT
Trying, 1825 ... Open
Accepted connection from client on port 48648.

[     UMTSMB] LVL:CRITICAL TIM:6544835 umtsmendScanAcaAlwaysOnEntries: ACA ALWAYS ON context(1) is NOT active.
[     UMTSMB] LVL:CRITICAL TIM:6544835 ACA SCAN PDP Reactivation Request: CID [1]
[     psCtrl] LVL:CRITICAL TIM:6545284 umop_handle_pdp_activate_rej: rab_id [1], c_id [1]
[     psCtrl] LVL:CRITICAL TIM:6545284 umop_handle_pdp_activate_rej: pclSMCauseValueIE = 0x1d
...response shortened for brevity...

<Press ctrl-shift-6 x keys>
LAB-819# disconnect
Closing connection to [confirm]<Press enter key>

It appears that Port 1825 is being utilized as a monitor or logging port. Lets try 1827.

LAB-819# telnet 1827 /vrf INMARSAT
Trying, 1827 ... Open


<Press ctrl-shift-6 x keys>

Well we’ll have to dig back into that one later.. lets take a look at 1828

LAB-819# telnet 1828 /vrf INMARSAT
Trying, 1828 ... Open


<Press ctrl-shift-6 x keys>

Again.. no response.. lets try 1829.

LAB-819# telnet 1829 /vrf INMARSAT
DMVPN-LAB-SITE#telnet 1829 /vrf INM:OKE
Trying, 1829 ... Open




Bingo… no this is looking promising. Lets now reference the Hughes AT Command Reference and see what we can’t accomplish.



AT ??


I spent quite some time in here trying to figure out why I couldn’t get any response but ERROR. After reading through some of the command reference I noticed a section on the AT_ICLCK: Facility Lock Configure which allows you lock, unlock, or interrogate a MT (Mobile Terminal) facility. By providing “AD” for Administrator Lock, 0 to Unlock and “admin” for the password the AT interface becomes available for interrogation. (admin is the default password and may need to be enabled in the Security Section of the Web GUI prior to issuing this command to continue.)



AT ??

Type "AT  ??" to get a detailed description of the 
Help commands
AT ??        List supported AT commands

ITU-T V.25ter: DTE-DCE Interface Commands
AT S         Set register
AT E         Command echo

ITU-T V.25ter: Call Control Commands
AT D         Dial
AT H         Hook control

ETSI GSM 07.07: General Commands
AT +CGMI     Request Manufacturer Identification
AT +CGMM     Request Model Identification
AT +CGMN     Request Manufacturer Name
AT +CGMP     Request Manufacturer Part Number
AT +CGMR     Request Revision Identification
AT +CGMS     Request Manufacturer Serial Number
AT +CGSN     Request Product Serial Number Identification
AT +CSCS     Select TE Character Set
AT +CIMI     Request International Mobile Subscriber Identity (IMSI)
AT +CCLK     Time of Day (UTC), as known to the terminal
AT +CNUM     Subscriber Number
AT +CREG     Network Registration
AT +COPS     Operator Selection
AT +CPOL     Preferred PLMN List
AT +CPLS     Preferred PLMN List
AT +CLCK     Facility Lock
AT +CPWD     Change Password
AT +CCUG     Closed User Group
AT +CLCC     List Current Calls
AT +CUSD     Unstructured Supplementary Service Data
AT +CPAS     Phone Activity Status
AT +CFUN     Set Phone Functionality
AT +CPIN     Enter PIN
AT +CBC      Battery Charge
AT +CIND     Indicator
AT +CPBS     Select Phonebook Memory Storage
AT +CPBR     Read Phonebook Entries
AT +CPBW     Write/Delete Phonebook Entry
AT +CRSM     Restricted SIM Access
AT +CMAR     Master Reset
AT +CMEE     Report Mobile Equipment Error

ETSI GSM 07.05: General Configuration Commands
AT +CSMS     Select Message Service
AT +CPMS     Preferred Message Storage
AT +CMGF     Message Format

ETSI GSM 07.05: Message Configuration Commands
AT +CSCA     Service Center Address
AT +CSMP     Set Text Mode Parameters
AT +CSDH     Show Text Mode Parameters
AT +CSCB     Select Cell Broadcast Message Types
AT +CSAS     Save Settings
AT +CRES     Restore Settings

ETSI GSM 07.05: Message Receiving and Reading Commands
AT +CNMI     New Message Indications to TE
AT +CMGL     List Messages
AT +CMGR     Read Message

ETSI GSM 07.05: Message Sending and Writing Commands
AT +CMGS     Send Message
AT +CMSS     Send Message from Storage
AT +CMGW     Write Message to Memory
AT +CMGD     Delete Message
AT +CGDCONT  Define PDP Context
AT +CGDSCONT Define Secondary PDP Context
AT +CGEQREQ  3G Quality of Service Profile (Requested)
AT +CGQREQ   Quality of Service Profile (Requested)
AT +CGQMIN   Quality of Service Profile (Minimum Acceptable)
AT +CGEQMIN  3G Quality of Service Profile (Minimum Acceptable)
AT +CGEQNEG  3G Quality of Service Profile (Negotiated)
AT +CGATT    Attach or Detach
AT +CGACT    PDP Context Activate or Deactivate
AT +CGCMOD   PDP Context Modify
AT +CGTFT    Traffic Flow Template
AT +CGDATA   Data Mode
AT +CGPADDR  Show PDP Address
AT +CGCLASS  GPRS Mobile Station Class
AT +CGREG    GPRS Network Registration Indication
AT +CGSMS    Select Service for MO SMS Messages

Inmarsat Specific AT Commands
AT _IPOINT   Antenna Pointing
AT _IGPS     GPS Location Information
AT _INIS      Network Interface Status
AT _ITFT     Uplink Traffic Flow Template
AT _ITEMP    BGAN Terminal Temperature
AT _ILOG     Retrieve Log File
AT _ISLEEP   MT Sleep Status Indicator
AT _IMETER   Call Metering
AT _ISIG     Signal Strength Indicator
AT _IBALARM  Alarm Indicator
AT _ISATINFO BGAN Satellite Information
AT _ISATVIS  BGAN Satellite(s) Visible
AT _ISATCUR  BGAN Current Satellite
AT _IBNOTIFY Control Unsolicited Commands
AT _IERROR   BGAN Terminal Error Reports
AT _IGETFW   Get firmware file from FTP server
AT _IUPDFW   Trigger firmware update.
AT _ISENDFILESend file from UT to FTP server
AT _IGETFILE Download file from FTP server to UT
AT _IUPDCFG  Install new 'config.txt' file.
AT _IREMWEB  Control HTTP access to UT.
AT _ICLCK    Facility Lock Configure
AT _ICPWD    Change Facility Password
AT _IMACLOC  Enable/Disable Ethernet MAC filtering.
AT _IMACLOCADConfigure allowed Ethernet MAC addresses.
AT _IPWSAVSCHThis command is used to input criteria for power save mode.
AT _ISMSRMT  Enable/Disable remote SMS commands.
AT _IATCSCN  Inititate RX ATC Scan
AT _IATCROBSTEnable / Disable ATC robustness mode

HNS Specific AT Commands
AT _IHINIT   Initial Configuration Settings
AT _IHIP     Internet Protocol Settings
AT _IHSTATUS HNS Terminal Status
AT _IHSET    HNS Set Terminal Configuration
AT _IHREAD   HNS Terminal Version Information
AT _IHDEFCNT Define a Default PDP Context
AT _IHACA    Automatic Context Activation
AT _IHTM     Set CM to Test Mode
AT _IHTXCW   Transmit CW
AT _IHSTXCW  Stop CW Transmission
AT _IHTXMOD  Transmit Modulated Signal
AT _IHSTXMOD Stop Modulated Signal Transmission
AT _IHGFACQ  Ask PSAB Acquisition Status
AT _IHSIGACQ Ask Signal Acquisition Status
AT _IHGF     Obtain Satellite Information for Antenna Pointing
AT _IHGPS    Initiate or Update GPS Information to CM
AT _IHPWROFF CM Accomplishes Deregistration Procedure
AT _IHREBOOT Reboot Terminal
AT _IHCCAL   Send Cable Calibration Data to CM
AT _IHSWUPG  SW Upgrade Indication
AT _IHSWDATA Request a block of image file.
AT _IHLOG    Write String to Console and Syslog
AT _IHPIN    Query PIN/PUK Status
AT _IHPACKET Report PS Call Log Information
AT _IHSMS    Report Short Message Delivery Status
AT _IHBEAM   Report Beam ID in which UT is Operating
AT _IHTIMER  Set Timeouts for Connections and Leases
AT _IHARP    Terminal ARP Entries
AT _IHPING   Terminal-initiated PING.
AT _IHTEXT   Terminal Text Message
AT _IHPBIT   Command UT to Perform Platform Built-In Test and Check Status
AT _IHEVENT  BGAN Terminal Event Reports
AT _IHCIRCUITBGAN Terminal CS Call Reports
AT _IHTEMP   HNS Terminal Temperature
AT _IHMETER  Expanded Call Metering
Summary of Inmarsat Specific Result Codes


_ILOG: "syslog"


_ILOG: [     UMTSMB] LVL:CRITICAL TIM:1228835 ACA SCAN PDP Reactivation Request: CID [1]

_ILOG: [     psCtrl] LVL:CRITICAL TIM:1229268 umop_handle_pdp_activate_rej: rab_id [1], c_id [1]

_ILOG: [     psCtrl] LVL:CRITICAL TIM:1229268 umop_handle_pdp_activate_rej: pclSMCauseValueIE = 0x1d

_ILOG: [     UMTSMB] LVL:CRITICAL TIM:1231835 umtsmendScanAcaAlwaysOnEntries: ACA ALWAYS ON context(1) is NOT active.

_ILOG: [     UMTSMB] LVL:CRITICAL TIM:1231835 ACA SCAN PDP Reactivation Request: CID [1]

_ILOG: [     psCtrl] LVL:CRITICAL TIM:1232268 umop_handle_pdp_activate_rej: rab_id [2], c_id [1]

_ILOG: [     psCtrl] LVL:CRITICAL TIM:1232268 umop_handle_pdp_activate_rej: pclSMCauseValueIE = 0x1d

_ILOG: [     UMTSMB] LVL:CRITICAL TIM:1234835 umtsmendScanAcaAlwaysOnEntries: ACA ALWAYS ON context(1) is NOT active.

_ILOG: [     UMTSMB] LVL:CRITICAL TIM:1234835 ACA SCAN PDP Reactivation Request: CID [1]

...response shortened for brevity...

_ILOG: [     UMTSMB] LVL:CRITICAL TIM:1225835 ACA SCAN PDP Reactivation Request: CID [1]

_ILOG: [     psCtrl] LVL:CRITICAL TIM:1226284 umop_handle_pdp_activate_rej: rab_id [0], c_id [1]

_ILOG: [     psCtrl] LVL:CRITICAL TIM:1226284 umop_handle_pdp_activate_rej: pclSMCauseValueIE = 0x1d





_IHSTATUS: "GPS",  37.15058,-94.99178,3D,allowed,16/01/26,20:26:37


_IHSTATUS: "CONN", PS Attached / CS Attached




+CGPADDR: 1,""


+CGPADDR: 1,""



Note the interface does not auto-lock after you terminate the TCP session, so you must enter the last command (AT_ICLCK=”AD”,1,”admin”) to lock the MT AT interface so any untrusted connections to this port will be required to know the password to unlock the interface and issue AT commands.

So thats about how far I’ve gotten thus far.. My next steps will be to write a TCL script around this to allow the router to make decisions based on the state in the BGAN UT and to control the UT. Check back for further updates!