How to extract RACH / PRACH configs and offset fields from EC25 / Qualcomm DIAG (no SDR, no QXDM)? — which DIAG messages contain raw SIBs?

Hello everyone,

I am developing a multi-BTS parameter extraction tool for 2G/3G/4G (GSM / UMTS / LTE). My approach is:

  • Collect all passive/broadcast parameters from neighboring cells (BCCH / SIB / PHY measurements) using inexpensive consumer modules (Quectel EC25 and similar).
  • Only when necessary, perform a controlled active handshake/attach to obtain parameters that truly require it.

I already know which parameters are passive vs active (I listed them in my table), and I can read AT commands such as AT+QENG="servingcell" and AT+QENG="neighbourcell". The problem I face is: standard AT commands on EC25 do not expose the RACH (PRACH) configuration and many offset/reselection fields, and I do not have QXDM. I want a reliable method to extract the remaining “hard” parameters (mainly PRACH/RACH-related and offset fields) using EC25-like modules and/or by parsing the Qualcomm DIAG port (using open tools like QCSuper / scat or a custom DIAG parser).

Concretely I need practical, low-level answers to the following:

  1. Raw SIB/BCCH access

    • Can EC25 (or similar modules) be commanded (via AT, hidden AT, QMI or a debug UART) to return raw SIB/BCCH payloads (ASN.1 / hex RRC OTA blobs)? If yes, which commands / QMI calls / serial endpoints should I try for EC25 (firmware-specific hints welcome)?
    • If EC25 cannot, is the DIAG interface on Qualcomm devices the only realistic path to obtain raw RRC/SIB payloads without SDRs?
  2. DIAG specifics

    • Which DIAG packet types / subsystem IDs on Qualcomm typically carry raw RRC/SIB/BCCH payloads (or LTE-RRC PDUs)? Are there known stable IDs/fields to filter for (so I can implement a parser)?
    • What does the DIAG/QCDM framing look like (header fields, msg id, subsystem id, length, payload offset)? Any short examples or annotated DIAG hex dumps would speed up development.
  3. PRACH / RACH / offsets

    • Which PRACH/RACH fields are reliably present in broadcast SIBs (and which are often omitted or vendor-specific)? In particular I need to extract:
      • prach-ConfigIndex
      • prach-FreqOffset
      • rootSequenceIndex
      • preambleTransMax (PreambleTransMax)
      • powerRampingStep
      • preambleInitialReceivedTargetPower
      • zeroCorrelationZoneConfig / ZCZ configuration
      • PRACH resource lists / time-frequency resource mapping
    • Which reselection/offset fields are worth collecting passively (and what are their ASN.1 names I should look for)? Examples: cellReselectionPriority, cellReselectionOffset, qRxLevMinOffset, temporaryOffset, Qoffset.
  4. Practical parsing / decoding

    • If I obtain DIAG hex blobs containing RRC OTA payloads, is it reliable to feed them to Wireshark’s LTE-RRC dissector? If not, what ASN.1 toolchain do you recommend (asn1c / asn1tools / pycrate) and any ready schemas or parsing snippets you can share to decode SIB2→PRACH fields?
    • If DIAG captures are vendor-stripped or contain only parsed fields, what are the realistic fallbacks? (e.g., controlled attach + parse RRC messages produced during attach, or using engineering logs that report PRACH indices).
  5. Module suggestions

    • If EC25 proves limited, which consumer modules or modems (firmware versions) do you recommend that (a) expose DIAG/engineering ports easily, and/or (b) provide richer debug/AT/QMI access to raw SIBs without resorting to SDR? Practical module suggestions (Sierra, Quectel variants, Qualcomm reference modules) are welcome.

Most challenging parameters I care about (please reference these names in your reply):

LTE (challenging / scientific names)

  • prach-ConfigIndex
  • prach-FreqOffset
  • rootSequenceIndex
  • preambleTransMax (PreambleTransMax)
  • powerRampingStep
  • preambleInitialReceivedTargetPower
  • zeroCorrelationZoneConfig (ZCZ configuration)
  • cellReselectionOffset, qRxLevMinOffset, cellReselectionPriority, trackingAreaCode (TAC), timingAdvance (TA)

UMTS (challenging / scientific names)

  • RACH parameters in SIBs: preamble offset, maximum transmissions, max power, accessBurst settings
  • UARFCN, psc, RSCP, EcNo, timingAdvance, cellReselectionOffsets / Qoffset

GSM (challenging / scientific names)

  • BCCH-derived fields: ARFCN, BSIC, RxLev/RxQual, Timing Advance, cell reselection offsets (Temporary Offset / Qoffset)
  • GSM RACH related CCCH/PCCCH fields (access parameters / maximum transmit power / access class controls)

What I tried (short):

  • I can already parse AT+QENG="servingcell" and AT+QENG="neighbourcell" from EC25 and I know which fields are passive vs active in my table. Those AT outputs do not include PRACH/offsets I need.
  • I can open a DIAG port on rooted Qualcomm phones and can capture using QCSuper / scat, but I don’t have QXDM and want to automate DIAG→RRC parsing (open-source tools only).
  • I prefer not to use SDR/USRP in this project — the goal is an EC25/DIAG-based solution, if possible.

What I can attach / share on request:

  • Raw AT+QENG outputs from EC25 (servingcell + neighbourcell).
  • Sample DIAG hex/text dumps from a Qualcomm device (I can paste one or two small captures).
  • EC25 firmware/modem model strings (firmware version, PID/VID) on request.

Concrete asks (please answer any you can):

  • Which exact DIAG subsystem IDs / message types should I capture and parse to find raw RRC/SIB payloads (or LTE-RRC PDUs)? Any annotated DIAG dump would be ideal.
  • If EC25 supports raw SIB extraction, which AT/QMI or debug endpoints should I call (firmware-specific examples appreciated)?
  • If you have code snippets or tools (Python/C) that parse DIAG→RRC OTA blobs or that decode SIB2→PRACH fields, please share or point me to repos/docs.

Thank you — very concrete, low-level replies (DIAG byte layout, sample hex blob + annotation, short parser snippets) are most helpful.
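Added example for asks 2 and 4 of the post above (DIAG byte layout and SIB2→PRACH decoding). This is illustrative code written for this thread, not code from the original poster, from Quectel or from Qualcomm. It assumes the HDLC-style transport framing that QCSuper and scat implement (CRC-16/X-25 appended little-endian, 0x7D/0x20 byte stuffing, 0x7E terminator); the 16-byte log-packet header layout and the 0xB0C0 LTE RRC OTA log code are taken from my reading of those tools' sources and should be verified against a real capture. The PRACH-ConfigSIB / PRACH-ConfigInfo bit widths follow the 36.331 constraints; a real SIB2 places this block at a schema-dependent bit offset inside BCCH-DL-SCH-Message, so for full decoding feed the OTA bytes to an ASN.1 toolchain (pycrate, asn1tools) or Wireshark, and use this only to see what the UPER bits look like. All sample values are constructed.

```python
"""DIAG HDLC framing + UPER decode of LTE SIB2 PRACH-ConfigSIB (added example)."""
import struct

FLAG, ESC, ESC_XOR = 0x7E, 0x7D, 0x20


def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25 (poly 0x1021 reflected, init 0xFFFF, xorout 0xFFFF);
    check value for b'123456789' is 0x906E."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def hdlc_frame(payload: bytes, fcs: int = None) -> bytes:
    """Append CRC little-endian, byte-stuff 0x7E/0x7D, terminate with 0x7E.
    `fcs` may be overridden to build a deliberately corrupt test frame."""
    raw = payload + struct.pack("<H", crc16_x25(payload) if fcs is None else fcs)
    out = bytearray()
    for b in raw:
        out += bytes([ESC, b ^ ESC_XOR]) if b in (FLAG, ESC) else bytes([b])
    out.append(FLAG)
    return bytes(out)


def hdlc_unframe(stream: bytes) -> list:
    """Split on 0x7E, unescape, verify CRC. Returns [(payload, crc_ok), ...];
    bad frames are flagged rather than dropped so corruption stays visible."""
    frames = []
    for chunk in stream.split(bytes([FLAG])):
        raw, esc = bytearray(), False
        for b in chunk:
            if esc:
                raw.append(b ^ ESC_XOR)
                esc = False
            elif b == ESC:
                esc = True
            else:
                raw.append(b)
        if len(raw) < 2:
            continue  # empty chunk or no room for a CRC
        payload, fcs = bytes(raw[:-2]), struct.unpack("<H", raw[-2:])[0]
        frames.append((payload, fcs == crc16_x25(payload)))
    return frames


DIAG_LOG_F = 0x10        # DIAG command code of a log packet
LOG_LTE_RRC_OTA = 0xB0C0  # LTE RRC OTA log code as used by QCSuper/scat (assumption: verify)
# ASSUMPTION (from open-source parsers): cmd(1) more(1) len(2) | item_len(2) code(2) ts(8) | body
LOG_HDR = struct.Struct("<BBHHHQ")


def build_log_packet(log_code: int, body: bytes, timestamp: int = 0) -> bytes:
    item_len = 12 + len(body)  # item_len counts its own 12-byte header plus the body
    return LOG_HDR.pack(DIAG_LOG_F, 0, item_len, item_len, log_code, timestamp) + body


def parse_log_packet(pkt: bytes):
    """Return (log_code, timestamp, body) or None if this is not a log packet."""
    cmd, _more, _len, item_len, log_code, ts = LOG_HDR.unpack_from(pkt)
    if cmd != DIAG_LOG_F:
        return None
    return log_code, ts, pkt[LOG_HDR.size:LOG_HDR.size + item_len - 12]


# 36.331 PRACH-ConfigSIB ::= SEQUENCE { rootSequenceIndex, prach-ConfigInfo }; no
# extension markers or OPTIONAL fields, so UPER is just the concatenated
# minimum-width integers (range 838 -> 10 bits, 64 -> 6, BOOLEAN -> 1, 16 -> 4, 95 -> 7).
PRACH_CONFIG_SIB = [("rootSequenceIndex", 10), ("prach-ConfigIndex", 6), ("highSpeedFlag", 1),
                    ("zeroCorrelationZoneConfig", 4), ("prach-FreqOffset", 7)]


class BitReader:
    def __init__(self, data: bytes, offset_bits: int = 0):
        self.data, self.pos = data, offset_bits

    def read(self, nbits: int) -> int:  # MSB-first, as UPER lays bits out
        v = 0
        for _ in range(nbits):
            v = (v << 1) | ((self.data[self.pos >> 3] >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        return v


def encode_prach_config_sib(values: dict) -> bytes:
    bits = "".join(format(int(values[n]), f"0{w}b") for n, w in PRACH_CONFIG_SIB)
    bits += "0" * (-len(bits) % 8)  # pad the final octet as a standalone UPER value would be
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


def decode_prach_config_sib(data: bytes, offset_bits: int = 0) -> dict:
    r = BitReader(data, offset_bits)
    out = {n: r.read(w) for n, w in PRACH_CONFIG_SIB}
    out["highSpeedFlag"] = bool(out["highSpeedFlag"])
    return out


SAMPLE_VALUES = {"rootSequenceIndex": 204, "prach-ConfigIndex": 3, "highSpeedFlag": False,
                 "zeroCorrelationZoneConfig": 12, "prach-FreqOffset": 2}  # constructed


def build_sample_stream() -> bytes:
    """Constructed stream: one valid frame (timestamp chosen to exercise byte stuffing)
    followed by a frame whose body was corrupted after the CRC was computed."""
    pkt = build_log_packet(LOG_LTE_RRC_OTA, encode_prach_config_sib(SAMPLE_VALUES), 0x7E7D)
    corrupted = pkt[:-1] + bytes([pkt[-1] ^ 0x01])
    return hdlc_frame(pkt) + hdlc_frame(corrupted, fcs=crc16_x25(pkt))


if __name__ == "__main__":
    for payload, ok in hdlc_unframe(build_sample_stream()):
        parsed = parse_log_packet(payload)
        print("crc_ok=%s code=0x%04X fields=%s" % (ok, parsed[0], decode_prach_config_sib(parsed[2])))
```

To use it on a real capture, pass the bytes read from the DIAG port to `hdlc_unframe`, keep only frames with `crc_ok`, filter on the log code, and then hand the OTA body to a full ASN.1 decoder; the `crc_ok` flag is kept per frame rather than dropping bad frames so that a noisy serial link shows up as a corruption count instead of silently missing SIBs.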

Based on my personal experience, you need to use Qualcomm’s QXDM tool to conduct a detailed analysis of the logs in order to view more parameters of the BTS.

Dear Qualcomm Support Team,

I hope you are doing well.
I am an electrical and telecommunications engineering student currently doing research related to cellular network analysis and parameter extraction (2G/3G/4G).
As part of my study, I am learning how to interpret diagnostic messages (DIAG / QCDM) from Qualcomm-based modems.

I understand that QXDM is a proprietary Qualcomm tool, but I would like to ask whether there is any academic or individual license available for students or researchers, or if there is an educational version of QXDM that can be requested for non-commercial use.
If not, could you please advise the proper way to obtain a legitimate copy or temporary access for study and learning purposes?

I am not affiliated with any company or commercial project — this request is purely for academic and research use.

Thank you for your time and for any guidance you can provide.

Best regards,

Qualcomm should not have the QXDM community version or the educational version. Usually, companies that use Qualcomm chips have these tools. If you only provide the logs, QUECTEL can help you analyze them. In my opinion, it might take them a relatively long time to communicate.

Thank you for your response—I really appreciate it.

Could you please help me understand:

  1. What engineering mode (or engineering interfaces) the EC25 supports (if any)? For example, is there a special UART or debugging port, or commands to enable a “DM/Diagnostic mode” or “engineering shell” to access internal logs / raw SIB / BCCH traffic?

  2. Are there additional internal / confidential documents or firmware guides (e.g. reserved AT commands, QMI diagnostic protocols, register-level reference, internal message formats) that are available for developers or research (even under NDA) that would help me dig deeper and access advanced radio parameters?

  3. If engineering mode is supported, can you point me to any reference commands or sequences (enablement steps) to start capturing raw RRC / broadcast system information (SIB, BCCH) or deeper radio parameters beyond the standard AT interface?

  4. Beyond the AT commands listed on the EC25 product summary and AT command manual (as per your website link above), are there any additional AT commands / hidden commands / diagnostic commands not documented publicly that are used internally (for example for engineering or test modes)? If so, can you point me to their names or how to enable them (e.g. via firmware flags or hardware jumper)?

I have sent you the tool for capturing logs and the instructions. You need to capture the logs, and QUECTEL will assist in parsing the logs through QXDM.

I’m using a Quectel EC25 module with the following version:
Revision: EC25EUXGAR08A09M1G

Could you please provide me with the latest available firmware for this module?
Also, I would like to know whether the EC25 and EG25-G modules support the OpenCPU feature.

Thank you for your assistance.

It is supported, but you need to apply to Quectel.