IRIDIUM

TECHNICAL DETAILS

Certus
Iridium Satellite Time and Location
Deorbiting
New Frequencies
Collision
Signals
Hardware
SIM
Test Mode
References
9602 AT Commands

LINKS

IRIDIUM Corporate webpage.

Iridium History and News.


IRIDIUM CERTUS

Iridium Next is expected to be significantly more capable than the legacy system, which was originally designed by Motorola primarily for voice communications in the 1990s. Since then, the company has squeezed more capability out of the system by bundling and using channel compression to keep up with demands for higher throughputs, operating at about 2.4 kilobytes per second.

The new Certus waveform will allow for more efficient channels and new antenna types that will increase bandwidth for handheld man-packable radios from 9.6 kilobytes per second to 88 kps. Large terminals, which are more likely to be used on vessels and land stations in the Arctic will range from 32 kps to 128 kps.

Certus 20   22 kbps
Certus 100   88 kbps
Certus 200   176 kbps
Certus 350   352 kbps
Certus 700   704 kbps
Certus 1400   1.4 Mbps

Iridium Certus terminals are being built by Cobham, L3 Communications, Rockwell-Collins, and Thales USA.

New satellites orbit at 780 km with an 86.4° inclination and can support 1,100 simultaneous equivalent user channels (peak).

IRIDIUM SATELLITE TIME AND LOCATION

Iridium launched the Satellite Time and Location (STL) service in May 2016, with primary technology partner Satelles (a division of iKare Corporation).

STL uses the narrowband paging channels of Iridium, a one-way transmission from the satellite with a high gain system. The STL signal is different from the wide band, lower gain two-way channel of the Iridium phone.

The STL signal is 1,000 times stronger than GPS because it originates from the Iridium constellation of 66 satellites orbiting in a low earth orbit. It is also encrypted for high security, which greatly enhances resilient positioning, navigation and timing (PNT).

The Iridium Constellation consists of 66 Low Earth Orbiting (LEO) satellites, primarily used for global communications. The satellites transmit in the L-Band at carrier frequencies in the range of 1616-1626.5 MHz, using Quadrature Phase Shift Keying (QPSK) with a symbol rate of 25,000 symbols per second. Transmission is frame based, with frame length of 90 ms.

Iridium satellites travel at speeds of about 7500 m/s, resulting in variations of up to +/- 40 kHz from the nominal carrier frequency due to Doppler effects. Compared to GNSS signals, Iridium signals have much higher raw signal power (300 ~ 2400x) as seen by a receiver on Earth.

Two main technical innovations are applied to the existing Iridium QPSK transmission scheme in order to facilitate precision measurements. First, the QPSK data at the beginning of a STL burst is manipulated to form a continuous wave (CW) marker, which can be used for burst detection and coarse measurement. Second, the remaining QPSK data in the burst is organized into pseudo-random sequences, reducing the effective information data rate while providing a mechanism for precise measurement via correlation with locally generated sequences. The processing gain associated with the sequence correlation operation also enhances the capability of the STL signal to penetrate buildings and other occlusions.

STL bursts are transmitted once every 1.4 seconds on average. If coarse time is known, such as in the case of a receiver with a network connection, then precise time can be calculated by processing a single burst. Assuming the receiver can process a burst in < 0.6 seconds, precise time and frequency can typically be acquired using STL in under 2 seconds. The precise time and frequency information derived from a single STL burst can be used to assist weak-signal GNSS acquisitions. Since the STL signal is more robust than GNSS, precise assistance is provided to acquire GNSS signals as weak as -160 dBm, assuming that the STL and GNSS signals are attenuated similarly by path occlusions.

DEORBIT

Iridium completed deorbiting of 65 operational first-generation satellites on December 28, 2019, a process started in 2017 as Iridium NEXT began launching. A total of 95 satellites were launched between 1997 and 2002. Thirty of those malfunctioned and remain in low earth orbit.
LAUNCHES FOR IRIDIUM NEXT

A SpaceX Falcon 9 rocket launched from Vandenberg Air Force Base lofted the first ten Iridium Next satellites into orbit on January 14, 2017.

A SpaceX Falcon 9 rocket launched from Vandenburg Air Force Base lifted the second set of ten Iridium NEXT satellites on June 25, 2017.

A SpaceX Falcon 9 rocket launched from Vandenburg Air Force Base lifted the third set of ten Iridium NEXT satellites in October 9, 2017.

NEW FREQUENCIES

In October 2008, the FCC granted Iridium exclusive access to 1617.775 to 1618.725 MHz and shared access to 1618.725 to 1626.5 MHz, based on a sharing plan set out in November 2007.

COLLISION

In 2009, Iridium-33 collided with Cosmos-2251, a Russian satellite, resulting in more than a thousand pieces of debris.
SIGNALS

Iridium uses a Frequency Division Multiple Access/Time Division Multiple Access (FDMA/TDMA) scheme for communication with the satellites using differentially-encoded QPSK modulation at 2400 bits per second.

The subscriber links are in L-band between 1616 and 1626.5 MHz.

Feederlinks are in Ka band, with downlinks between 19.4 and 19.6 GHz and uplinks between 29.1 and 29.3 GHz.

Intersatellite links are between 23.18 and 23.38 GHz at 25 Mbps.

Ka band uplinks and cross-links are packetized TDMA, transmitted via QPSK with 1/2 rate convolutional forward error correction.

Each satellite provides 48 individual spot beams, sharing 240 traffic channels with a frequency re-use pattern.

Voice
The Iridium SDU incorporates a 2.4 kbps Advanced Multi-Band Excitation (AMBE) vocoder developed by Digital Voice System Inc. (DVSI). This vocoder is tailored to the Iridium communication channel.

Channels
An Iridium channel is a specific FDMA frequency and TDMA timeslot.
Duplex Frequencies

Frequency access is 41.667 kHz
Occupied bandwidth is 31.5 kHz
Eight frequency accesses in a sub-band of 333.333 kHz
30 sub-bands total (240 frequency accesses)
currently sub-bands 8 - 30 in use

Sub-band   Lower Frequency   Upper Frequency
1 1616.000000 1616.333333
2 1616.333333 1616.666667
... ... ...
30 1625.666667 1626.000000

Simplex Frequencies

Channel   Center Frequency
1 1626.020833
2 1626.062500
... ...
12 1626.479167

  • Simplex
    • Ring Alert (downlink only)
      Broadcast every 48 frames in each beam
      User sees Ring burst every 4.32 sec in each beam
      Length is between 7 and 20.32 ms
    • Broadcast (downlink only)
      Frequency, timing, and other system information
      Acquisition acknowledgment
      Channel assignments
    • Acquisition (uplink only)
      Slotted aloha random access
      Uses DE-BPSK
    • Message (downlink only)
  • Duplex
    • Synchronization
      prior to traffic channel operation
      same frequency and slot as traffic channel
      uplink uses DE-BPSK
    • Traffic
      Voice and Data
      Data uses 24-bit Frame Check Sequence

TDMA Frame
90 ms (2250 symbols = 4500 bits)
25 ksps

Guard time 1.00 ms
Simplex (downlink only) 20.32 ms
Preamble (unmodulated carrier) 64 symbols
Unique word (789 hex)
Guard time 1.24 ms
Uplink slot 1 8.28 ms
Guard time 0.22 ms
Uplink slot 2 8.28 ms
Guard time 0.22 ms
Uplink slot 3 8.28 ms
Guard time 0.22 ms
Uplink slot 4 8.28 ms
Guard time 0.24 ms
Downlink slot 1 8.28 ms
141 channel bits
Preamble (unmodulated carrier) 16 symbols
Unique word
Link Control word
Payload field
Guard time 0.1 ms
Downlink slot 2 8.28 ms
Preamble (unmodulated carrier) 16 symbols
Unique word
Link Control word
Payload field
Guard time 0.1 ms
Downlink slot 3 8.28 ms
Preamble (unmodulated carrier) 16 symbols
Unique word
Link Control word
Payload field
Guard time 0.1 ms
Downlink slot 4 8.28 ms
Preamble (unmodulated carrier) 16 symbols
Unique word
Link Control word
Payload field

Data Bursts

The uplink and downlink traffic channels use identical burst structures.

Purpose   Bits
Preamble 32
Unique Word 24
Link Control Word 46
Iridium Radio Link Protocol (IRLP)
(includes 24-bit Frame Check Sequence)
56
Iridium Layer 2 Relay (I-L2R) 8
User Payload 248
--- ---
Total Bits 414

All data is transmitted at 50 kbps, so a 8.28 ms frame transfers 414 bits.

A 2400 bps traffic channel uses one Uplink and one Downlink per frame

  • Simplex Time Slot
    • Ring Alert
    • Messaging
  • Uplink Time Slot
    • Acquisition
    • Synchronization
    • Traffic
  • Downlink Time Slot
    • Broadcast
    • Synchronization
    • Traffic

Paging

From the FCC Order and Authorization (DA 96-1789). [MSC is Motorola Satellite Communications, Inc.]

Enhanced ringing and paging services. MSC requests explicit authorization for the IRIDIUM System to provide enhanced ringing and paging services, in addition to the kinds of MSS service that it originally proposed to provide. The enhancement would enable users to receive ringing and paging messages during heavier atmospheric fading conditions and in buildings where attenuation is greater, according to MSC. One-way "ring alert" channels at 1626.270833 MHz would be used to alert subscribers with special receive-only mobile earth terminals to the presence of incoming paging calls. Paging messages would be transmitted to the receive-only terminals at 1626.437500, 1626.395833, 1626.145833, or 1626.104167 MHz. Their duration would not exceed 20.32 milliseconds. The transmit power for the ring alert channel would be somewhat higher than the power used for a voice/data channel, so as to enable the mobile earth terminals to receive ring alerts even when their antennas are stowed, but spurious- emission performance would be better than that of the two-way channels on the system when fully loaded. MSC therefore contends that the addition of these services would not increase interference levels or complicate satellite-system coordination. No one else filed comments on this proposal.

Frequency   Comments
1626.104167 Paging messages (Quaternary)
1626.145833 Paging messages (Tertiary)
1626.270833 Ring Alert for incoming paging calls
1626.395833 Paging messages (Secondary)
1626.437500 Paging messages (Primary)

Acquisition

  1. Turn on receiver
  2. Acquire Ring Alert Channel
  3. Determine Broadcast Channel frequency and time
  4. Acquire Broadcast Channel for current beam
  5. Listen to Broadcast Acquisition Information message
  6. If acqusition is permitted, continue
  7. Select random Acquisition Channel
  8. Determine Doppler to correct uplink burst timing
  9. Transmit Acquisition Request message
  10. Listen for acknowledgment on Broadcast Channel
  11. If no answer, try again on random Acquisition Channel after random delay (slotted Aloha)
  12. Receive Channel Assignment message
  13. Move to Synchronization Channel
  14. Transmit Synchronization Check message
  15. Receive Synchronization Report message
  16. If Sync Status = Repeat Burst, adjust freq and timing and transmit Sync Check message
  17. If Sync Status = OK, send Sync Check message
  18. Receive Synchronization Report message or Traffic Switch message

Ring Alert

The Iridium Ring Alert broadcast channel operates at 1626.270 MHz and is an unencrypted downlink-only channel used to send messages to individual subscriber units. These messages contain the satellite identifier, beam identifier, the latitude and longitude of the satellite location at ground level (derived from a proprietary algorithm), satellite altitude.

Each beam transmits a Ring Alert message every 4.32 seconds. Since each satellite has 48 beams, a subscriber unit will receive a generic Ring Alert message every 90 milliseconds (4,320 ms /48 beams).

Short Burst Data (SBD)

  • Data transfer rate: 125 bytes per second
  • Maximum Mobile-Originated: 1960 = 70 byte header segment + up to 14 segments of 135 bytes
  • Maximum Mobile-Terminated: 1890 = Up to 14 segments of 135 bytes
  • Service start announced in June 2003
SBD uses the Iridium signaling channel for data transport with a special message delivery protocol that is separate than that used for circuit-switched data calls. This results in each Iridium TDMA burst consisting of 160 SBD information bits, 20 SBD header bits and 234 other overhead bits. These 160 information bits are protected by a BCH(31,20) FEC code, which is capable of correcting up to two bit errors. This error correction coded data is then protected by a 16-bit CRC error detection code that is used in conjunction with a selective ARQ process.

At the output of the BCH decoding process, there are ten, 20-bit words (one header word, eight data words and one CRC word) that make up one SBD PDU being fed to the CRC-16 decoding process.

HARDWARE

Model Type Make Date
9500 Handset Motorola 1998
9501 Pager Motorola  
9505 Handset Motorola 1999
9505A Handset Motorola  
9520 Mobile Motorola 1998
9522 Mobile Motorola 2002
9522A Mobile Iridium 2005
9522B Mobile Iridium  
9523 Module Iridium  
9555 Handset Iridium 2008
9570 Dock Iridium  
9575 Handset Iridium  
9601 SBD Module Iridium  
9602 SBD Module Iridium  
9603 SBD Module Iridium  
9770 Certus Module Iridium  
9810 Certus Module Iridium  
SP-66 Pager Kyocera  
SS-66K Handset Kyocera 1999

Emission Designator

The pertinent emission designator for the mobile satellite phone is 41K7Q7W.

Bandwidth is primarily determined by a 96 tap FIR filter used to filter I and Q channel modulating signals and is consistent with a necessary bandwidth specification of 41.667 kHz. Converting this result yields 41K7.

a. First Symbol - Type of Modulation of the main carrier.
The main carrier is pulsed in a TDMA format, utilizing Differentially Encoded Quadrature Phase-Shift Keying (DEQPSK) techniques. This corresponds to symbol Q, associated with the carrier being "angle modulated during the period of the pulse".

b. Second Symbol - nature of signal(s) modulating the main carrier.
In-phase (I) and Quadrature (Q) modulating signals representing sampled, quantized voice or other audio information or data, modulates the main carrier.

This corresponds to symbol 7, derived from two channels "containing quantized or digital information" modulated in-phase and quadrature modulated.

c. Third Symbol - Type of information to be transmitted.
The information transmitted is a combination of data transmission (command data) and telephony (sample quantized voice or other audio signals).

This corresponds to W, defined as "combinations of above" which would be the combination of the symbol D, "Data transmission, telemetry, telecommand", and symbol E, "Telephony (including sound broadcasting)". The resulting complete emission designator is then 41K7Q7W.

IRIDIUM 9501 PAGER

FCC ID: E969898

Dimensions: 77w x 72.3h x 22.5d mm (3.03w x 2.85h x .88d in)
Weight: 118 grams (4.16 oz)
Battery Life: 30 days
Operating Temperature: -10°C to +50°CC (14°CF to 122°CF)
Operating Frequencies:
    Primary: 1626.437500 MHz
    Secondary: 1626.395833 MHz
    Tertiary: 1626.145833 MHz
    Quaternary: 1626.104167 MHz
Power Supply: one 1.5v AA-size alkaline battery
Alert Tone Frequency/Duration: 3200 Hz standard alert with 9 user selectable alerts
Alert Tone Loudness: 80dB typical at 12"

Motorola Part Numbers

Programming Kit MKLN4255A
Adapter IR 5862002D10
Software 6881032B40

Channel Plan

The frequency range of the equipment is in the band of 1616 MHz to 1626 MHz.

Band is channelized. Center frequency determined by:
1616 + 0.020833(2n - 1) MHz where (n = 1, ..., 240)


Channel Frequency
001 1616.021
003 1616.104
005 1616.188
007 1616.271
120 1620.979
122 1621.063
124 1621.146
126 1621.229
232 1625.646
234 1625.729
236 1625.813
238 1625.896

A 12-frequency access band is reserved for the simplex (ring alert and messaging) channels. These channels are located in a globally allocated 500 kHz band between 1626.0 MHz and 1626.5 MHz. These frequency accesses are only used for downlink signals and they are the only L-band frequencies that may be transmitted during the simplex time-slot.

Channel
Number
Center
Frequency
Allocation
1 1626.020833 Guard Channel
2 1626.062500 Guard Channel
3 1626.104167 Quaternary Messaging
4 1626.145833 Tertiary Messaging
5 1626.187500 Guard Channel
6 1626.229167 Guard Channel
7 1626.270833 Ring Alert
8 1626.312500 Guard Channel
9 1626.354167 Guard Channel
10 1626.395833 Secondary Messaging
11 1626.437500 Primary Messaging
12 1626.479167 Guard Channel

Frequency Stability: +/- 0.00015 % (1.5 ppm)

This equipment uses Automatic Frequency Control (AFC) to lock within +/- 600 Hz of the received frequency from the Space Vehicle (SV). The mobile performs all frequency pre-correction for Doppler shifts, up to +/- 37.5 kHz. The system is designed to be tolerant of these frequency offsets.

Radio Frequency Output Power ranges from 0.1 to 0.6 Watts. The mobile maximum output power is achieved under closed loop control with the SV network. The mobile power will respond to commands from the SV network to change power levels as defined in the specifications.

RF Power Output: Variable range from 0.1 to 0.6 Watts (by control of satellite network via closed loop power control). The transmitter duty cycle allows for bursted transmission every 8.28 ms out of 90 ms, or 9.2%, at a rate of 50 kbps, or 25 k symbols/sec.

Modulation is DEQPSK (Differentially Encoded Quadrature Phase Shift Keying).

ACCESS AND PRIORITY

Each satellite beam broadcasts which Acquisition Classes are allowed to acquire satellite resource on that beam. Only SDUs with the proper Acquisition Class (AC) are allowed to start the acquisition process. Acquisition Class ranges from 0-15. Default non-safety Iridium terminals use an Acquisition Class in the range of 0-9.

Acquisition Class is mainly used for satellite load shedding. In a satellite beam with heavy traffic load, certain Acquisition Classes (e.g., AC0-9) will be shut down to prohibit further traffic load on the satellite.

0-9: Regular Subscribers
10: Emergency Calls
11: Fire, Police, Rescue Agencies
12-13: Reserved
14: Aeronautical Safety Service
15: Iridium Use

The Acquisition Class affects how calls initially gain access to the satellite constellation.

The Iridium Satellite Network allows for four levels of priority. Each satellite has priority queuing for both channel assignment of new calls and handoff order of in-progress calls. High priority calls, taking precedence, are queued before low priority calls.

Currently both the Acquisition Class and Priority Class are encoded on a SIM card; hence the Acquisition Class and Priority Class are associated with a SIM card and an SDU that uses that SIM card.

SIM

Iridium SIM Iridium devices that are capable of completing circuit-switched calls use a Subscriber Identity Module (SIM), a type of smartcard.

IRIDIUM-Specific SIM Files

Besides the standard SIM files for a GSM (Global System for Mobiles) network, Iridium SIMs also contain an additional Directory File (DF) called DFIRIDIUM with an identifier of 5F30.

[MF/DF] RFU: 00 00
  Free Memory: 00 00
  File ID:     5F 30 (DF-IRIDIUM)
  File Type:   02 (Directory File)
  RFU:         00 00 00 00 00
  Length Following: 0D
  File characteristics:    13
    Clock stop:     Allowed, no preferred level
    Required speed: 13/4
    CHV:            Enabled
  Child DFs:               00
  Child EFs:               07
  CHVs, Unblock CHVs, etc: 04
  RFU:                     00
  CHV1 Status:             83 (Initialized, 3 remaining)
  Unblock CHV1 Status:     8A (Initialized, 10 remaining)
  CHV2 Status:             83 (Initialized, 3 remaining)
  Unblock CHV2 Status:     8A (Initialized, 10 remaining)
  RFU:                     00

This DF contains seven Elementary Files. I do not have documentation for these files:

  1. [EF] RFU:    00 00
      File Size:   00 10
      File ID:     4F 20 (Unknown)
      File Type:   04 (Elementary File)
      RFU:         00
      Access:      11 00 44
        Read/Seek:    CHV1
        Update:       CHV1
        Increase:     Always
        RFU:          Always
        Rehabilitate: Admin 4
        Invalidate:   Admin 4
      Status:      01 (Not Invalidated)
      Length:      01
      EF Structure:  00 (Transparent)
    
      Data in 4F20 (16): FF 15 FC AF 05 2C 0A 4C FE 44 EB DC 1B 00 08 31
    

  2. [EF] RFU:    00 00
      File Size:   00 0E
      File ID:     4F 21 (Unknown)
      File Type:   04 (Elementary File)
      RFU:         00
      Access:      11 00 44
        Read/Seek:    CHV1
        Update:       CHV1
        Increase:     Always
        RFU:          Always
        Rehabilitate: Admin 4
        Invalidate:   Admin 4
      Status:      01 (Not Invalidated)
      Length:      02
      EF Structure:  01 (Linear Fixed)
      Record Length: 0E
    
      Data in 4F21 Record 1 (14 bytes): FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    

  3. [EF] RFU:    00 00
      File Size:   00 03
      File ID:     4F 23 (Unknown)
      File Type:   04 (Elementary File)
      RFU:         00
      Access:      14 00 44
        Read/Seek:    CHV1
        Update:       Admin 4
        Increase:     Always
        RFU:          Always
        Rehabilitate: Admin 4
        Invalidate:   Admin 4
      Status:      01 (Not Invalidated)
      Length:      01
      EF Structure:  00 (Transparent)
    
      Data in 4F23 (3): 13 F0 10
    

  4. [EF] RFU:    00 00
      File Size:   00 14
      File ID:     4F 24 (Unknown)
      File Type:   04 (Elementary File)
      RFU:         00
      Access:      04 00 44
        Read/Seek:    Always
        Update:       Admin 4
        Increase:     Always
        RFU:          Always
        Rehabilitate: Admin 4
        Invalidate:   Admin 4
      Status:      01 (Not Invalidated)
      Length:      02
      EF Structure:  01 (Linear Fixed)
      Record Length: 04
    
      From 4F24 Record 1 (4 bytes): 11 F2 FF 08
      From 4F24 Record 2 (4 bytes): 19 F1 FF 08
      From 4F24 Record 3 (4 bytes): FF FF FF FF
      From 4F24 Record 4 (4 bytes): FF FF FF FF
      From 4F24 Record 5 (4 bytes): FF FF FF FF
    

  5. [EF] RFU:    00 00
      File Size:   00 01
      File ID:     4F 25 (Unknown)
      File Type:   04 (Elementary File)
      RFU:         00
      Access:      14 00 44
        Read/Seek:    CHV1
        Update:       Admin 4
        Increase:     Always
        RFU:          Always
        Rehabilitate: Admin 4
        Invalidate:   Admin 4
      Status:      01 (Not Invalidated)
      Length:      01
      EF Structure:  00 (Transparent)
    
      Data in 4F25 (1): 05
    

  6. [EF] RFU:    00 00
      File Size:   00 01
      File ID:     4F 26 (Unknown)
      File Type:   04 (Elementary File)
      RFU:         00
      Access:      14 00 44
        Read/Seek:    CHV1
        Update:       Admin 4
        Increase:     Always
        RFU:          Always
        Rehabilitate: Admin 4
        Invalidate:   Admin 4
      Status:      01 (Not Invalidated)
      Length:      01
      EF Structure:  00 (Transparent)
    
      Data in 4F26 (1): 05
    

  7. [EF] RFU:    00 00
      File Size:   00 01
      File ID:     4F 27 (Unknown)
      File Type:   04 (Elementary File)
      RFU:         00
      Access:      14 00 44
        Read/Seek:    CHV1
        Update:       Admin 4
        Increase:     Always
        RFU:          Always
        Rehabilitate: Admin 4
        Invalidate:   Admin 4
      Status:      01 (Not Invalidated)
      Length:      01
      EF Structure:  00 (Transparent)
    
      Data in 4F27 (1): 05
    

A summary of the data in the Iridium-specific files:

  4F20 (16 bytes): FF 15 FC AF 05 2C 0A 4C FE 44 EB DC 1B 00 08 31
  4F21 Record 1 (14 bytes): FF FF FF FF FF FF FF FF FF FF FF FF FF FF
  4F23 (3 bytes): 13 F0 10
  4F24 Record 1 (4 bytes): 11 F2 FF 08
  4F24 Record 2 (4 bytes): 19 F1 FF 08
  4F24 Record 3 (4 bytes): FF FF FF FF
  4F24 Record 4 (4 bytes): FF FF FF FF
  4F25 (1 byte): 05
  4F26 (1 byte): 05
  4F27 (1 byte): 05

Authentication

The Iridium authentication process is adapted without change directly from the GSM specifications.

The GSM encryption algorithm A3 is executed on SIM card to generate Signed Result (SRES) response based on the following inputs:

  • Secret Ki parameter stored in SIM card
  • RAND parameter supplied by network

The Iridium SIM supports the standard GSM authentication algorithm (known as A3) and the ciphering key generating algorithm (known as A8). They are combined in a single SIM instruction called "RUN GSM ALGORITHM".

Example:

To SIM (21): A0 88 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (The "RUN GSM ALGORITHM" and 16 bytes representing RAND)
From SIM (2): 9F 0C (Instruction was successful, 12 bytes of response are available)
To SIM (5): A0 C0 00 00 0C (The "GET RESPONSE" instruction)
From SIM (14): 00 91 AD C7 49 58 94 27 2C 02 90 00 90 00 (12 bytes of response plus two additional bytes)

  • The first four bytes (00 91 AD C7) comprise the signed response (SRES)
  • The next eight bytes (49 58 94 27 2C 02 90 00) are the cipher key (Kc)
  • The last two bytes (90 00) indicate successful execution of the command.

It is interesting to note that the last ten bits of Kc are always zero, reducing the effective keyspace from 64 to 54 bits. Terrestrial GSM has long been limited, as summarized in a document (Tdoc SMG P-99-011) from an ETSI/TC/SMG meeting in Italy in 1998:

The GSM encryption uses in principle a 64 bit key. However at introduction of GSM it was decided to limit the effective key size to 54 bits. This should have been realised by the SIM and the Authentication Centre (AuC) both forcing 10 specific bits of the encryption key to zero.

KEYPAD COMMANDS

Command Description
*#06# Display IMEI
*#91# Display Firmware Version (some models)
  - Works on 9500 version INC0620 but not INC0202
*#323# [Green key] Reformat the phonebook file system (9555)
*#888# [Green key] Put the phone in DFU mode (9555)

TEST MODE

The original Motorola 9500 handset supports a test mode using a special test SIM card. There is some overlap between the test commands used on Motorola GSM cellular telephones.

I would be interested in receiving a list of all the available test mode commands, and/or the entire service manual for an Iridium phone.

With the special SIM card in place, press and hold the [#] key for more than three seconds.

Code Function Result
01# Exit test mode Exits test mode
19# Show call processor software version Host INC0212
191# Show boot version Boot INC0212
192# Show modem version Modem INC0212
193# Show vocoder version Vocoder INC0216
194# Show EEPROM version EEPROM INC0205
58# Show security code SECUR 000000
59# Show lock code LOCK 1234
60# Show IMEI 3000001000344001
61# Show Location MCC LAI MCC 001
62# Show Location MNC LAI MNC 01
63# Show Location LAC LAI LAC 65534
64# Show Location Update Loc Updt Stat 1
65# Show IMSI (from SIM) 001010123456789
661# Show TMSI 1 TMSI 1 244
662# Show TMSI 2 TMSI 1 255
69# Cipher Key Cipher Key 7
7101# Show self test information INFO 01 02
7102# Show self test information INFO 02 00
7103# Show self test information INFO 03 02
7104# Show self test information INFO 04 01
7105# Show self test information INFO 05 F8
88# Display real-time clock Tue Sep 19
11:47:58 1995
99# Display hardware test All display elements illuminate


27 is a transmit test.

xxx = channel number
yy = power step
z = modulation

Transmit random data (z = 1) on channel 001 at maximum power (00): 27001001#

Transmit a tone (z = 0) on channel 240 at minimum power (08): 27240080#

Stop transmitting: 27#


One command that is different is the Static Traffic Channel command ( #29xxyyzabc# ).

REFERENCES

  • Application of Iridium Telecommunications to Oceanographic and Polar Research, 2004
  • Manual on the Aeronautical Mobile Satellite (Route) Service, ICAO Document 9925, 2010
  • 3rd Generation Partnership Project; Technical Specification Group Services and system Aspects; Security related network functions (Release 11) , 3GPP TS 43.020, 2011

9602 AT COMMANDS

The 9602 is a Short Burst Data (SBD) module that provides packetized data connectivity. It communicates with an external device via a serial connection and uses "AT" commands.

Default serial communication parameters: 9600 baud, no parity, 8 data bits, 1 stop bit.
DTR and RTS lines are raised. CTS and DSR will be asserted in response.

Command Response
ATI0 2400
OK
ATI1 0000
OK
ATI2 OK
OK
ATI3 TA10003
OK
ATI4 IRIDIUM 9600 Family
OK
ATI5 8816
OK
ATI6 07X
OK
ATI7 BOOT07d2/HW03(9602revE)/04/RAW02
OK
ATI8 ERROR
ATI9 ERROR
AT&V ACTIVE PROFILE:
 
E1 Q0 V1 D2 K3
 
S02:043 S03:013 S04:010 S05:008 S13:049 S14:170 S21:048 S23:012
 
S39:003 S121:001S122:001
 
STORED PROFILE 0:
 
E1 Q0 V1 D2 K3
 
S02:043 S13:049 S14:170 S21:048 S23:012 S39:003 S121:001S122:001
 
S02:043 S13:049 S14:170 S21:048 S23:012 S39:003 S121:001S122:001
 
STORED PROFILE 1:
 
E1 Q0 V1 D2 K3
 
S02:043 S13:049 S14:170 S21:048 S23:012 S39:003 S121:001S122:001
 
S02:043 S13:049 S14:170 S21:048 S23:012 S39:003 S121:001S122:001
 
OK
AT+CCLK ERROR
AT+CGMI Iridium
 
OK
AT+CGMM IRIDIUM 9600 Family SBD Transceiver
 
OK
AT+CGMR Call Processor Version: TA10003
 
DSP Version: 1.3 svn: 719
 
DBB Version: 0x0001 (ASIC)
 
RFA Version: 0x0003
 
NVM Version: KVS
 
BOOT Version: BOOT07d2/HW03(9602revE)/04/RAW02
 
OK
AT+CGSN 300234010602700
 
OK


Send mail to Dan Veeneman
Updated November 21, 2021