13 Lab: Cellular Modem
13.1 Learning Objectives
By the end of this chapter, you will be able to:
- Analyse cellular modem architecture: Trace data flow from MCU application through UART, AT command parser, TCP/IP stack, and cellular RF interface to the network
- Construct AT command sequences: Write and debug a complete modem bring-up flow covering health check, SIM validation, signal query, and registration confirmation
- Evaluate modem registration status: Interpret AT+CREG/AT+CEREG response codes to determine whether a modem is registered, searching, roaming, or denied
- Diagnose common modem failures: Apply a systematic troubleshooting decision tree to isolate SIM, signal, power supply, and registration problems
- Design power-resilient modem interfaces: Calculate capacitor sizing for cellular TX burst currents and implement proper error handling with AT command timeouts
13.2 Prerequisites
Before diving into this chapter, you should be familiar with:
- Mobile Wireless: Fundamentals: Understanding electromagnetic waves, frequency bands, path loss calculations, and spectrum allocation is essential for interpreting lab results
- Mobile Wireless Technologies Basics: Knowledge of wireless communication principles, frequency characteristics, and propagation models provides the theoretical foundation for practical measurements
- Networking Basics for IoT: Basic networking concepts help in understanding how wireless technologies integrate into larger IoT systems
- Basic programming skills: Familiarity with C++ (Arduino/ESP32) and serial communication is needed for modem integration
Deep Dives:
- Cellular IoT Fundamentals - LTE-M and NB-IoT deep dive
- Mobile Labs: Wi-Fi Spectrum Analysis - RF spectrum analysis techniques
- Mobile Labs: Coverage Planning - Python tools for deployment planning
Comparisons:
- Mobile Wireless Comprehensive Review - Technology comparison matrix
- LPWAN Comparison - Range vs power trade-offs
Hands-On:
- Simulations Hub - RF propagation simulators
“A cellular modem is like having a walkie-talkie that connects to the phone network!” explained Max the Microcontroller. “But instead of pressing a button and talking, we send text commands called AT commands over a serial wire. It is like sending text messages to the modem, and the modem texts back with answers.”
Sammy the Sensor was curious. “What does AT even stand for?” Max explained, “Attention! Every command starts with AT to get the modem’s attention. Then you add a specific instruction. AT+CSQ asks about signal strength. AT+CPIN? checks if the SIM card is ready. It is like a checklist you follow every time you turn on the modem.”
“The order matters!” warned Bella the Battery. “If you try to send data before checking the SIM card and signal, it will fail. Always follow the bring-up sequence: first check the modem responds, then verify the SIM, then check signal strength, then confirm network registration. Skip a step, and you will waste my precious energy on failed attempts.”
Lila the LED added a debugging tip. “Most cellular modem problems are not software bugs – they are hardware issues. Check three things first: Is the power supply strong enough? Some modems need 2 amps during transmission bursts. Is the antenna connected properly? And is the SIM card activated with a data plan? Fix those, and 90 percent of problems disappear.”
13.3 Getting Started (For Beginners)
Cellular modems are separate modules that handle all the complexity of connecting to mobile networks. Your microcontroller (like an ESP32 or Arduino) communicates with the modem using simple text commands called AT commands.
Think of it like sending text messages to the modem: - You send: AT (Are you there?) - Modem replies: OK (Yes, I’m ready!)
Key concepts for this chapter:
| Concept | Plain explanation |
|---|---|
| AT Command | Text instruction sent to the modem via serial port |
| UART | The serial port connection between your MCU and modem |
| SIM Card | Holds your mobile identity and network credentials |
| Registration | The modem connecting to a cell tower |
| RSSI | Signal strength indicator (higher = better signal) |
If you’ve never worked with serial communication, try a simple Arduino “Hello World” that reads/writes to Serial first. AT commands are just structured serial messages.
Cellular modems expose a standardized text interface called AT commands (Hayes command set). Your microcontroller sends ASCII text like AT+CSQ\r\n over a UART serial connection, and the modem responds with text like +CSQ: 20,0\r\nOK\r\n. This request-response pattern creates a simple yet powerful abstraction: the modem handles all cellular radio complexity (PHY/MAC layers, network authentication, TCP/IP stack), while your application just sends strings and parses text responses. The bring-up sequence (AT → CPIN → CSQ → CREG → data) validates each layer systematically, ensuring each dependency (SIM authentication before registration, registration before data) is met before proceeding.
13.4 Cellular Modem Integration Architecture
Understanding how cellular modems integrate with microcontrollers is essential for implementing mobile wireless IoT solutions.
13.4.1 Understanding the Components
The cellular modem integration consists of several key layers:
Microcontroller Side:
- Your application code runs on the MCU
- Communicates with modem via UART (typically 115200 baud)
- Sends AT commands, parses responses
Modem Module:
- AT Command Parser: Interprets text commands into modem operations
- TCP/IP Stack: Handles socket connections (so you don’t have to!)
- Cellular RF Interface: Manages radio communication with towers
- SIM Authentication: Handles identity and encryption with the network
Network Side:
- Cell towers receive RF signals
- Core network routes data to the internet
- Your data reaches cloud servers
This layered view shows the same cellular modem integration as a vertical protocol stack, emphasizing how data flows from application through each layer to the cellular network.
This stack view helps understand where each component fits in the OSI model and how data is encapsulated at each layer.
13.5 AT Command Communication Flow
AT commands are the primary interface for controlling cellular modems. Understanding the command-response flow is crucial for reliable implementation.
13.5.1 Essential AT Commands Reference
| Command | Purpose | Expected Response |
|---|---|---|
AT |
Test modem responsiveness | OK |
AT+CPIN? |
Check SIM status | +CPIN: READY |
AT+CSQ |
Query signal strength | +CSQ: 20,0 (0-31 scale) |
AT+CREG? |
2G/3G registration status | +CREG: 0,1 (registered) |
AT+CEREG? |
LTE registration status | +CEREG: 0,1 (registered) |
AT+CGATT? |
GPRS attach status | +CGATT: 1 (attached) |
AT+COPS? |
Current operator | +COPS: 0,0,"Operator" |
13.5.2 Understanding CREG/CEREG Status Codes
The registration status (second number in response) tells you the modem’s network state:
| Code | Meaning |
|---|---|
| 0 | Not registered, not searching |
| 1 | Registered, home network |
| 2 | Not registered, searching |
| 3 | Registration denied |
| 4 | Unknown |
| 5 | Registered, roaming |
13.6 Mini Lab: AT Command Smoke Test
Before you write application code, validate the modem’s hardware, SIM, registration, and signal. Treat this as a bring-up checklist; exact commands vary by module/vendor, but the intent stays the same.
Equipment: modem module + antenna, SIM (if required), stable power supply, and a UART connection (USB-to-UART or MCU).
13.6.1 Step-by-Step Bring-Up Checklist
- Basic health check: send
AT→ expectOK - SIM status:
AT+CPIN?→ expectREADY(or a PIN-required state you can resolve) - Signal quality:
AT+CSQ→ capture RSSI/BER (use it as a relative indicator) - Registration:
- 2G/3G:
AT+CREG? - LTE:
AT+CEREG? - Expect a “registered” state (often
stat=1home,stat=5roaming)
- 2G/3G:
- Packet service attach (if applicable):
AT+CGATT?/AT+CGATT=1 - Data session (module-specific):
- Configure APN/PDP context (often
AT+CGDCONT=...) - Open a socket / start a connection (vendor-specific; e.g.,
AT+...OPEN)
- Configure APN/PDP context (often
13.6.2 Sample Arduino Code for Modem Bring-Up
#include <SoftwareSerial.h>
// Modem connected to pins 10 (RX) and 11 (TX)
SoftwareSerial modem(10, 11);
void setup() {
Serial.begin(115200);
modem.begin(115200);
delay(1000);
Serial.println("=== Cellular Modem Bring-Up ===\n");
// Step 1: Basic health check
Serial.println("1. Testing modem...");
sendCommand("AT", 1000);
// Step 2: SIM status
Serial.println("\n2. Checking SIM...");
sendCommand("AT+CPIN?", 2000);
// Step 3: Signal quality
Serial.println("\n3. Signal quality...");
sendCommand("AT+CSQ", 1000);
// Step 4: Network registration
Serial.println("\n4. Registration status...");
sendCommand("AT+CREG?", 2000);
sendCommand("AT+CEREG?", 2000);
// Step 5: Operator info
Serial.println("\n5. Current operator...");
sendCommand("AT+COPS?", 3000);
Serial.println("\n=== Bring-Up Complete ===");
}
void loop() {
// Pass through for manual testing
if (Serial.available()) {
modem.write(Serial.read());
}
if (modem.available()) {
Serial.write(modem.read());
}
}
void sendCommand(const char* cmd, int timeout) {
Serial.print("TX: ");
Serial.println(cmd);
modem.println(cmd);
unsigned long start = millis();
String response = "";
while (millis() - start < timeout) {
if (modem.available()) {
char c = modem.read();
response += c;
}
}
Serial.print("RX: ");
Serial.println(response);
}- Read the AT manual for your module: TCP/UDP commands differ a lot between SIMCom/Quectel/u-blox.
- Start simple: prove registration and stable RSSI before debugging MQTT/HTTP stacks.
- Power matters: cellular TX bursts can cause brownouts; if you see random resets, suspect supply/decoupling.
- Timeouts are critical: Some commands (like registration) can take 30+ seconds.
13.7 Common Modem Issues and Solutions
13.7.1 Troubleshooting Reference Table
| Symptom | Likely Cause | Solution |
|---|---|---|
| No response to AT | Power/UART issue | Check voltage (3.3V/4V), verify baud rate, check TX/RX wiring |
+CPIN: SIM PIN |
PIN required | Send AT+CPIN=1234 with correct PIN |
+CPIN: SIM PUK |
SIM locked | Contact carrier for PUK code |
+CSQ: 0,99 |
No signal | Check antenna, move outdoors, verify band support |
+CREG: 0,2 |
Searching | Wait 30-60 seconds, may be weak coverage |
+CREG: 0,3 |
Denied | SIM not activated, wrong operator, no coverage |
| Random resets | Power brownout | Add capacitors, use stronger power supply |
13.8 Knowledge Check: Cellular Bring-Up
The Problem: Cellular modems experience random resets, failed registrations, or corrupted data during transmission despite reporting good signal strength (CSQ 18-22). The modem responds correctly to AT commands until data transfer begins, then mysteriously reboots.
Root Cause: Most cellular modem issues aren’t software bugs - they’re power supply brownouts during transmission bursts.
Why It Happens:
Cellular modems have dramatically different power requirements across states:
| State | Current Draw | Duration |
|---|---|---|
| Sleep (PSM) | 5-50 uA | Hours (configurable) |
| Idle (registered) | 5-15 mA | Between transmissions |
| Receiving | 50-100 mA | During RX windows |
| Transmitting | 200-2000 mA | Burst (~500ms-2s) |
Key Problem: TX current peaks can be 100-400x higher than idle current, lasting 0.5-2 seconds.
Real-World Failure - Smart Meter Deployment (2023):
A European utility deployed 5,000 NB-IoT smart meters with this power design:
Power supply: USB 5V/500mA adapter
↓
3.3V LDO regulator (500mA max)
↓
ESP32 (50mA avg) + NB-IoT modemExpected: Each meter consumes ~100 mA average → 500 mA supply sufficient
Reality:
- Idle: 60 mA (ESP32 + modem registered)
- TX burst: 1.8A peak for 800ms (modem at max power)
- LDO output droops to 2.9V
- Modem brownout threshold: 3.0V
- Result: Modem resets mid-transmission, loses registration
Field symptoms:
- 42% of meters failed to report daily readings
- “Good signal” (CSQ 19) but 80% transmission failure rate
- AT commands worked, data transfer failed
- Meters in strong signal areas (CSQ 25+) worked fine
Root cause diagnosis:
- Used oscilloscope to measure 3.3V rail during transmission
- Voltage sagged from 3.3V to 2.85V for 800ms
- Modem brownout detector triggered at 3.0V
- Fix: Added 2200uF bulk capacitor at modem power input
Correct Power Supply Design:
Option 1: Bulk Capacitance (budget solution)
LiPo Battery 3.7V
↓
3.3V Buck converter (2A capable)
↓
2200-4700uF low-ESR capacitor ← stores energy for burst
↓
NB-IoT/LTE-M modemEnergy calculation:
Burst current: 1.8A
Burst duration: 0.8 seconds
Charge delivered: 1.8A × 0.8s = 1.44 coulombs (0.4 mAh)
Capacitor sizing:
E = 0.5 × C × V²
Target: Voltage sag < 0.3V (3.3V → 3.0V minimum)
C = 2 × E / (V_high² - V_low²)
C = 2 × 1.44 / (3.3² - 3.0²) = 2.88 / 1.89 = 1.52 F
Practical: 2200-4700 uF is sufficient for 500-800ms burstsOption 2: Battery (field deployment solution)
Primary: LiPo 2000mAh 3.7V
↓
3.3V Buck converter
↓
Modem (no additional cap needed if battery ESR is low)
Battery can source 2A continuously
Internal resistance provides stable voltage
No sag during transmission burstsOption 3: Dual supply (ultra-reliable)
Main: Buck converter from mains (when available)
Backup: Supercapacitor 10F or LiPo backup
↓
Load switch (automatic failover)
↓
ModemWhen designing power supplies for cellular modems, the capacitor must store enough energy to support the transmission burst without voltage sag exceeding 10%. For a 1.8A burst lasting 800ms with a 3.3V supply that must not drop below 3.0V:
\[ C = \frac{2 \times I \times t}{V_{\text{high}}^2 - V_{\text{low}}^2} = \frac{2 \times 1.8 \times 0.8}{3.3^2 - 3.0^2} = \frac{2.88}{1.89} \approx 1.52 \text{ F} \]
Worked example: A modem transmits at 1.8A peak for 800ms. Charge delivered: \(Q = I \times t = 1.44\) coulombs. To keep voltage sag under 0.3V (3.3V to 3.0V), we need: \(C \approx 1.52\) farads. Since typical bulk electrolytics range 2200-4700µF, use multiple capacitors in parallel (e.g., 2× 2200µF = 4400µF provides adequate margin with low ESR for the brief 800ms discharge).
Design Validation Checklist:
Measure actual TX current:
# Set modem to maximum power AT+CFUN=1 AT+CPSMS=0 # Disable PSM for testing # Measure current during AT+CIPSEND (send data) # Expect: 200mA (good signal) to 2000mA (weak signal)Scope the power rail during transmission:
- Connect oscilloscope to 3.3V rail
- Trigger on voltage drop
- Verify sag < 0.3V (3.3V → 3.0V is acceptable)
Stress test at weak signal:
- Cellular modems transmit at higher power in weak coverage
- Test in basement or shielded room (CSQ 5-10)
- Verify no resets at minimum signal levels
Check datasheet carefully:
- “Average current” is misleading for cellular
- Look for “peak TX current” specification
- Account for worst-case: maximum TX power + poor signal
Warning Signs Your Power Supply is Marginal:
- Modem works fine in lab (strong signal) but fails in field (weak signal)
- Registration succeeds but data transfer fails
- Higher failure rate during evening hours (congested towers → more retries)
- Random resets exactly at start of transmission
AT+CSQshows good signal but connection timeout errors
Cost of Getting It Wrong:
Smart meter example: - Redesign: $3 per unit for better regulator + capacitor = $15,000 - Field tech dispatch: $50/visit × 2,100 failed units = $105,000 - Reputation damage: Utility canceled 45,000-unit expansion - Total loss: $120,000+ plus lost contract
Quick Fix for Existing Deployments:
If you already have deployed units with marginal power: 1. Reduce TX power via AT commands (if signal allows): bash AT+CEDRXS=0 # Disable eDRX AT+CPSMS=1 # Enable PSM (reduce idle current) 2. Increase transmission interval (reduce duty cycle) 3. Send smaller payloads (shorter TX bursts) 4. Schedule transmissions during low-congestion periods
Key Takeaway: Always design cellular IoT power supplies for peak TX current, not average. A $0.50 capacitor or slightly better regulator prevents $50+ field service calls.
13.9 Concept Relationships
| Concept | Relationship to Other Concepts | Practical Impact |
|---|---|---|
| AT Commands | Standardized Hayes command set abstracts cellular radio complexity | Enables device-agnostic modem control code |
| UART Interface | Serial connection between MCU and modem for AT communication | Baud rate mismatch causes garbled responses |
| Bring-Up Sequence | Systematic validation: modem → SIM → signal → registration → data | Skipping steps wastes debugging time on wrong layer |
| RSSI/CSQ | Signal quality indicator from +CSQ command | CSQ < 10 causes frequent retransmissions |
| Network Registration | CREG/CEREG status indicates cellular network attachment | stat=2 (searching) can take 30-60s, not an error |
| Power Supply | Peak TX current (500-2000 mA) vs idle (5-20 mA) | Inadequate supply causes brownout resets mid-TX |
13.10 See Also
- Cellular IoT Fundamentals - LTE-M and NB-IoT technology deep dive
- Mobile Labs: Wi-Fi Spectrum Analysis - RF scanning and channel analysis
- Mobile Labs: Coverage Planning - Python link budget tools
- Mobile Wireless Comprehensive Review - Technology comparison matrix
Common Pitfalls
Cellular modems require time to scan and register on a network (typically 5-30 seconds after power-on). Sending data AT commands before registration completes returns CME ERROR. Always poll AT+CREG? or AT+CEREG? and wait for registration status 1 or 5 before proceeding.
Many SIM cards require a PIN at power-on. If the PIN is not entered via AT+CPIN, the modem stays locked and cannot register. Test with a PIN-protected SIM early in development. Production devices should use PIN-disabled SIMs or implement automatic PIN entry securely in firmware.
Cellular modems can crash or become unresponsive, especially after signal loss or power instability. Without a watchdog that detects modem non-responsiveness and performs a hardware reset, deployed devices can permanently lose cellular connectivity. Always implement hardware reset capability and modem health monitoring.
Synchronous AT command loops that wait indefinitely for responses block the main application. Cellular operations (network registration, data connection) can take seconds to minutes. Use timeout-based command processing and asynchronous URC (Unsolicited Result Code) handling for robust production firmware.
13.11 Summary
This chapter provided hands-on experience with cellular modem integration:
- Architecture understanding helps you design robust modem interfaces knowing how data flows from MCU through modem to network
- AT command flow is the fundamental interface - mastering the request/response pattern is essential
- Systematic bring-up using the smoke test checklist prevents hours of debugging higher-level issues
- Troubleshooting skills let you quickly diagnose power, SIM, signal, and registration problems
- Vendor documentation is your friend - AT commands vary significantly between SIMCom, Quectel, and u-blox modules
13.12 What’s Next
| Chapter | Focus | Why Read It Next |
|---|---|---|
| Mobile Labs: Wi-Fi Spectrum Analysis | Channel scanning and interference detection with SDR tools | Apply RF analysis skills to diagnose interference that degrades cellular signal quality |
| Mobile Labs: Coverage Planning | Python link-budget calculators for deployment planning | Use signal strength knowledge from this lab to model real-world cellular coverage areas |
| Cellular IoT Fundamentals | LTE-M and NB-IoT protocol details and power modes | Deepen your understanding of the cellular technologies behind the AT commands practised here |
| Mobile Wireless Comprehensive Review | Cross-technology comparison matrix and selection criteria | Compare cellular modem trade-offs against Wi-Fi, LoRa, and other wireless options for IoT |