How to extract RACH / PRACH configs and offset fields from Qualcomm DIAG (no SDR, no QXDM)? — which DIAG messages contain raw SIBs?

Hello everyone,

I am developing a multi-BTS parameter extraction tool for 2G/3G/4G (GSM / UMTS / LTE). My approach is:

  • Collect all passive/broadcast parameters from neighboring cells (BCCH / SIB / PHY measurements) using inexpensive consumer modules (Quectel EC25 and similar).
  • Only when necessary, perform a controlled active handshake/attach to obtain parameters that truly require it.

I already know which parameters are passive vs active (I listed them in my table), and I can read AT commands such as AT+QENG="servingcell" and AT+QENG="neighbourcell". The problem I face is: standard AT commands on EC25 do not expose the RACH (PRACH) configuration and many offset/reselection fields, and I do not have QXDM. I want a reliable method to extract the remaining “hard” parameters (mainly PRACH/RACH-related and offset fields) using EC25-like modules and/or by parsing the Qualcomm DIAG port (using open tools like QCSuper / scat or a custom DIAG parser).

Concretely I need practical, low-level answers to the following:

  1. Raw SIB/BCCH access

    • Can EC25 (or similar modules) be commanded (via AT, hidden AT, QMI or a debug UART) to return raw SIB/BCCH payloads (ASN.1 / hex RRC OTA blobs)? If yes, which commands / QMI calls / serial endpoints should I try for EC25 (firmware-specific hints welcome)?
    • If EC25 cannot, is the DIAG interface on Qualcomm devices the only realistic path to obtain raw RRC/SIB payloads without SDRs?
  2. DIAG specifics

    • Which DIAG packet types / subsystem IDs on Qualcomm typically carry raw RRC/SIB/BCCH payloads (or LTE-RRC PDUs)? Are there known stable IDs/fields to filter for (so I can implement a parser)?
    • What does the DIAG/QCDM framing look like (header fields, msg id, subsystem id, length, payload offset)? Any short examples or annotated DIAG hex dumps would speed up development.
  3. PRACH / RACH / offsets

    • Which PRACH/RACH fields are reliably present in broadcast SIBs (and which are often omitted or vendor-specific)? In particular I need to extract:
      • prach-ConfigIndex
      • prach-FreqOffset
      • rootSequenceIndex
      • preambleTransMax (PreambleTransMax)
      • powerRampingStep
      • preambleInitialReceivedTargetPower
      • zeroCorrelationZoneConfig / ZCZ configuration
      • PRACH resource lists / time-frequency resource mapping
    • Which reselection/offset fields are worth collecting passively (and what are their ASN.1 names I should look for)? Examples: cellReselectionPriority, cellReselectionOffset, qRxLevMinOffset, temporaryOffset, Qoffset.
  4. Practical parsing / decoding

    • If I obtain DIAG hex blobs containing RRC OTA payloads, is it reliable to feed them to Wireshark’s LTE-RRC dissector? If not, what ASN.1 toolchain do you recommend (asn1c / asn1tools / pycrate) and any ready schemas or parsing snippets you can share to decode SIB2→PRACH fields?
    • If DIAG captures are vendor-stripped or contain only parsed fields, what are the realistic fallbacks? (e.g., controlled attach + parse RRC messages produced during attach, or using engineering logs that report PRACH indices).
  5. Module suggestions

    • If EC25 proves limited, which consumer modules or modems (firmware versions) do you recommend that (a) expose DIAG/engineering ports easily, and/or (b) provide richer debug/AT/QMI access to raw SIBs without resorting to SDR? Practical module suggestions (Sierra, Quectel variants, Qualcomm reference modules) are welcome.

Most challenging parameters I care about (please reference these names in your reply):

LTE (challenging / scientific names)

  • prach-ConfigIndex
  • prach-FreqOffset
  • rootSequenceIndex
  • preambleTransMax (PreambleTransMax)
  • powerRampingStep
  • preambleInitialReceivedTargetPower
  • zeroCorrelationZoneConfig (ZCZ configuration)
  • cellReselectionOffset, qRxLevMinOffset, cellReselectionPriority, trackingAreaCode (TAC), timingAdvance (TA)

UMTS (challenging / scientific names)

  • RACH parameters in SIBs: preamble offset, maximum transmissions, max power, accessBurst settings
  • UARFCN, psc, RSCP, EcNo, timingAdvance, cellReselectionOffsets / Qoffset

GSM (challenging / scientific names)

  • BCCH-derived fields: ARFCN, BSIC, RxLev/RxQual, Timing Advance, cell reselection offsets (Temporary Offset / Qoffset)
  • GSM RACH related CCCH/PCCCH fields (access parameters / maximum transmit power / access class controls)

What I tried (short):

  • I can already parse AT+QENG="servingcell" and AT+QENG="neighbourcell" from EC25 and I know which fields are passive vs active in my table. Those AT outputs do not include PRACH/offsets I need.
  • I can open a DIAG port on rooted Qualcomm phones and can capture using QCSuper / scat, but I don’t have QXDM and want to automate DIAG→RRC parsing (open-source tools only).
  • I prefer not to use SDR/USRP in this project — the goal is an EC25/DIAG-based solution, if possible.

What I can attach / share on request:

  • Raw AT+QENG outputs from EC25 (servingcell + neighbourcell).
  • Sample DIAG hex/text dumps from a Qualcomm device (I can paste one or two small captures).
  • EC25 firmware/modem model strings (firmware version, PID/VID) on request.

Concrete asks (please answer any you can):

  • Which exact DIAG subsystem IDs / message types should I capture and parse to find raw RRC/SIB payloads (or LTE-RRC PDUs)? Any annotated DIAG dump would be ideal.
  • If EC25 supports raw SIB extraction, which AT/QMI or debug endpoints should I call (firmware-specific examples appreciated)?
  • If you have code snippets or tools (Python/C) that parse DIAG→RRC OTA blobs or that decode SIB2→PRACH fields, please share or point me to repos/docs.

Thank you — very concrete, low-level replies (DIAG byte layout, sample hex blob + annotation, short parser snippets) are most helpful.
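For the framing part of ask 2 (DIAG byte layout) and the first step of ask 4 (getting from a raw DIAG stream to RRC OTA blobs), here is an added, self-contained Python example; it is not code from the original post nor from QCSuper or scat. It assumes the usual DIAG-port framing (HDLC-style frames ended by 0x7E, 0x7D escaping, trailing CRC-16/X-25), the common DIAG_LOG_F (0x10) log-packet header layout, and log code 0xB0C0 as the LTE RRC OTA log; the sample stream is constructed, not captured, and frames with a bad CRC are dropped rather than parsed. The RRC bodies it returns are what you would hand to an ASN.1 decoder next; the 0xB0C0 body also carries a vendor header (packet version, RRC release, channel type) whose layout varies with modem firmware, and that is not modelled here.

```python
import struct
DIAG_LOG_F = 0x10          # opcode of a DIAG log packet
LOG_LTE_RRC_OTA = 0xB0C0   # log code carrying LTE RRC OTA PDUs (the code QCSuper/scat filter on)
HDLC_FLAG, HDLC_ESC, HDLC_XOR = 0x7E, 0x7D, 0x20
def crc16_x25(data: bytes) -> int:
    """CRC-16/X-25 (reflected poly 0x8408, init and final XOR 0xFFFF): the HDLC CRC on the DIAG port."""
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def hdlc_encode(packet: bytes) -> bytes:
    """Append little-endian CRC, escape 0x7E/0x7D as 0x7D,(b^0x20), terminate with 0x7E."""
    out = bytearray()
    for b in packet + struct.pack('<H', crc16_x25(packet)):
        out += bytes([HDLC_ESC, b ^ HDLC_XOR]) if b in (HDLC_FLAG, HDLC_ESC) else bytes([b])
    return bytes(out) + bytes([HDLC_FLAG])
def hdlc_decode(stream: bytes):
    """Yield de-escaped packets whose CRC verifies; frames failing the CRC are dropped, not guessed at."""
    for frame in stream.split(bytes([HDLC_FLAG])):
        raw, esc = bytearray(), False
        for b in frame:
            if esc:
                raw.append(b ^ HDLC_XOR)
                esc = False
            elif b == HDLC_ESC:
                esc = True
            else:
                raw.append(b)
        if len(raw) >= 3 and crc16_x25(raw[:-2]) == struct.unpack('<H', raw[-2:])[0]:
            yield bytes(raw[:-2])
def parse_log_packet(pkt: bytes):
    """DIAG_LOG_F layout: opcode(1) pending(1) len1(2) len2(2) log_code(2) timestamp(8) body."""
    if len(pkt) < 16 or pkt[0] != DIAG_LOG_F:
        return None
    _pending, _len1, _len2, log_code, ts = struct.unpack('<BHHHQ', pkt[1:16])
    return log_code, ts, pkt[16:]   # ts is the raw 64-bit DIAG timestamp, left unconverted
def extract_rrc_ota(stream: bytes):
    """Bodies of every LTE RRC OTA log packet in a raw DIAG byte stream, ready for an ASN.1 decoder."""
    return [r[2] for r in map(parse_log_packet, hdlc_decode(stream)) if r and r[0] == LOG_LTE_RRC_OTA]

def make_log_packet(code: int, body: bytes) -> bytes:
    """Constructed sample packet (not a capture); both len fields = 12-byte log header + body."""
    return bytes([DIAG_LOG_F, 0]) + struct.pack('<HHHQ', 12 + len(body), 12 + len(body), code, 0) + body

# Constructed stream: a 0xB0C0 packet whose body holds 0x7E/0x7D, an unrelated packet, a bad-CRC frame.
SAMPLE_STREAM = (hdlc_encode(make_log_packet(LOG_LTE_RRC_OTA, bytes.fromhex('7e7d0102')))
                 + hdlc_encode(make_log_packet(0x1234, b'\x00')) + bytes.fromhex('10000102030405067e'))
```

Feed `extract_rrc_ota()` the bytes read from the DIAG serial port (or a QCSuper/scat raw dump) to get candidate RRC OTA bodies; a real stream will also contain non-log opcodes, which `parse_log_packet()` simply ignores.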