How to extract RACH / PRACH configs and offset fields from Qualcomm DIAG (no SDR, no QXDM)? #1506

@MJ-Hashemi

Description

Hello everyone,

I am developing a multi-BTS parameter extraction tool for 2G/3G/4G (GSM / UMTS / LTE). My approach is:

  • Collect all passive/broadcast parameters from neighboring cells (BCCH / SIB / PHY measurements) using inexpensive consumer modules (Quectel EC25 and similar).
  • Only when necessary, perform a controlled active handshake/attach to obtain parameters that truly require it.

I already know which parameters are passive vs active (I listed them in my table), and I can read AT commands such as AT+QENG="servingcell" and AT+QENG="neighbourcell". The problem I face is: standard AT commands on EC25 do not expose the RACH (PRACH) configuration and many offset/reselection fields, and I do not have QXDM. I want a reliable method to extract the remaining “hard” parameters (mainly PRACH/RACH-related and offset fields) using EC25-like modules and/or by parsing the Qualcomm DIAG port (using open tools like QCSuper / scat or a custom DIAG parser).

Concretely I need practical, low-level answers to the following:

  1. Raw SIB/BCCH access

    • Can EC25 (or similar modules) be commanded (via AT, hidden AT, QMI or a debug UART) to return raw SIB/BCCH payloads (ASN.1 / hex RRC OTA blobs)? If yes, which commands / QMI calls / serial endpoints should I try for EC25 (firmware-specific hints welcome)?
    • If EC25 cannot, is the DIAG interface on Qualcomm devices the only realistic path to obtain raw RRC/SIB payloads without SDRs?
  2. DIAG specifics

    • Which DIAG packet types / subsystem IDs on Qualcomm typically carry raw RRC/SIB/BCCH payloads (or LTE-RRC PDUs)? Are there known stable IDs/fields to filter for (so I can implement a parser)?
    • What does the DIAG/QCDM framing look like (header fields, msg id, subsystem id, length, payload offset)? Any short examples or annotated DIAG hex dumps would speed up development.
  3. PRACH / RACH / offsets

    • Which PRACH/RACH fields are reliably present in broadcast SIBs (and which are often omitted or vendor-specific)? In particular I need to extract:
      • prach-ConfigIndex
      • prach-FreqOffset
      • rootSequenceIndex
      • preambleTransMax (PreambleTransMax)
      • powerRampingStep
      • preambleInitialReceivedTargetPower
      • zeroCorrelationZoneConfig / ZCZ configuration
      • PRACH resource lists / time-frequency resource mapping
    • Which reselection/offset fields are worth collecting passively (and what are their ASN.1 names I should look for)? Examples: cellReselectionPriority, cellReselectionOffset, qRxLevMinOffset, temporaryOffset, Qoffset.
  4. Practical parsing / decoding

    • If I obtain DIAG hex blobs containing RRC OTA payloads, is it reliable to feed them to Wireshark’s LTE-RRC dissector? If not, what ASN.1 toolchain do you recommend (asn1c / asn1tools / pycrate) and any ready schemas or parsing snippets you can share to decode SIB2→PRACH fields?
    • If DIAG captures are vendor-stripped or contain only parsed fields, what are the realistic fallbacks? (e.g., controlled attach + parse RRC messages produced during attach, or using engineering logs that report PRACH indices).
  5. Module suggestions

    • If EC25 proves limited, which consumer modules or modems (firmware versions) do you recommend that (a) expose DIAG/engineering ports easily, and/or (b) provide richer debug/AT/QMI access to raw SIBs without resorting to SDR? Practical module suggestions (Sierra, Quectel variants, Qualcomm reference modules) are welcome.

Most challenging parameters I care about (please reference these names in your reply):

LTE (challenging / scientific names)

  • prach-ConfigIndex
  • prach-FreqOffset
  • rootSequenceIndex
  • preambleTransMax (PreambleTransMax)
  • powerRampingStep
  • preambleInitialReceivedTargetPower
  • zeroCorrelationZoneConfig (ZCZ configuration)
  • cellReselectionOffset, qRxLevMinOffset, cellReselectionPriority, trackingAreaCode (TAC), timingAdvance (TA)

UMTS (challenging / scientific names)

  • RACH parameters in SIBs: preamble offset, maximum transmissions, max power, accessBurst settings
  • UARFCN, psc, RSCP, EcNo, timingAdvance, cellReselectionOffsets / Qoffset

GSM (challenging / scientific names)

  • BCCH-derived fields: ARFCN, BSIC, RxLev/RxQual, Timing Advance, cell reselection offsets (Temporary Offset / Qoffset)
  • GSM RACH related CCCH/PCCCH fields (access parameters / maximum transmit power / access class controls)

What I tried (short):

  • I can already parse AT+QENG="servingcell" and AT+QENG="neighbourcell" from EC25 and I know which fields are passive vs active in my table. Those AT outputs do not include PRACH/offsets I need.
  • I can open a DIAG port on rooted Qualcomm phones and can capture using QCSuper / scat, but I don’t have QXDM and want to automate DIAG→RRC parsing (open-source tools only).
  • I prefer not to use SDR/USRP in this project — the goal is an EC25/DIAG-based solution, if possible.

What I can attach / share on request:

  • Raw AT+QENG outputs from EC25 (servingcell + neighbourcell).
  • Sample DIAG hex/text dumps from a Qualcomm device (I can paste one or two small captures).
  • EC25 firmware/modem model strings (firmware version, PID/VID) on request.

Concrete asks (please answer any you can):

  • Which exact DIAG subsystem IDs / message types should I capture and parse to find raw RRC/SIB payloads (or LTE-RRC PDUs)? Any annotated DIAG dump would be ideal.
  • If EC25 supports raw SIB extraction, which AT/QMI or debug endpoints should I call (firmware-specific examples appreciated)?
  • If you have code snippets or tools (Python/C) that parse DIAG→RRC OTA blobs or that decode SIB2→PRACH fields, please share or point me to repos/docs.

Thank you — very concrete, low-level replies (DIAG byte layout, sample hex blob + annotation, short parser snippets) are most helpful.
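As an added example (not code from this issue, nor from QCSuper or scat), here is a minimal Python reader for the DIAG link framing asked about in point 2: 0x7E-delimited HDLC-style frames, 0x7D/0x20 byte escaping, a trailing little-endian CRC-16/X-25, and the log-packet header that precedes a 0xB0C0 (LTE RRC OTA) log. The field layout of that header is an assumption stated in the code; the version-dependent RRC OTA sub-header and the ASN.1 decoding of the PDU are not covered, and the sample frame is constructed inline.

```python
import struct

FLAG, ESC, ESC_XOR = 0x7E, 0x7D, 0x20        # frame delimiter, escape byte, escape XOR
DIAG_LOG_F, LOG_LTE_RRC_OTA = 0x10, 0xB0C0  # log-packet opcode; LTE RRC OTA log code

def crc16_x25(data: bytes) -> int:
    # CRC-16/X-25 as used on the DIAG link: reflected poly 0x8408, init and xorout 0xFFFF
    crc = 0xFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc ^ 0xFFFF

def hdlc_encode(payload: bytes) -> bytes:
    # append little-endian CRC, escape 0x7E/0x7D as 0x7D + (byte ^ 0x20), terminate with 0x7E
    out = bytearray()
    for b in payload + struct.pack("<H", crc16_x25(payload)):
        out += bytes([ESC, b ^ ESC_XOR]) if b in (FLAG, ESC) else bytes([b])
    return bytes(out) + bytes([FLAG])

def hdlc_decode(frame: bytes) -> bytes:
    # undo escaping and verify the CRC; raise ValueError on any framing damage
    if not frame.endswith(bytes([FLAG])):
        raise ValueError("missing 0x7E terminator")
    out, i, body = bytearray(), 0, frame[:-1]
    while i < len(body):
        if body[i] == ESC:
            i += 1
            if i >= len(body): raise ValueError("dangling escape")
            out.append(body[i] ^ ESC_XOR)
        else:
            out.append(body[i])
        i += 1
    if len(out) < 2 or crc16_x25(bytes(out[:-2])) != struct.unpack("<H", out[-2:])[0]:
        raise ValueError("CRC mismatch")
    return bytes(out[:-2])

def parse_log_packet(pkt: bytes) -> dict:
    # ASSUMED layout: opcode u8, pending u8, outer_len u16, inner_len u16, log_code u16, ts u64, body
    opcode, _pending, _outer, inner_len, code, ts = struct.unpack_from("<BBHHHQ", pkt)
    if opcode != DIAG_LOG_F:
        raise ValueError(f"not a DIAG log packet: opcode {opcode:#x}")
    if inner_len != len(pkt) - 4:
        raise ValueError("log length field disagrees with packet size")
    return {"log_code": code, "timestamp": ts, "body": pkt[16:]}

# Constructed sample: a 0xB0C0 log whose body contains 0x7E and 0x7D so escaping is exercised
SAMPLE_BODY = bytes([0x7E, 0x7D, 0x02, 0x00])
SAMPLE_PACKET = struct.pack("<BBHHHQ", DIAG_LOG_F, 0, 12 + len(SAMPLE_BODY), 12 + len(SAMPLE_BODY), LOG_LTE_RRC_OTA, 0x1234) + SAMPLE_BODY
SAMPLE_FRAME = hdlc_encode(SAMPLE_PACKET)
```

Split the byte stream from the DIAG port on 0x7E before calling `hdlc_decode`; the `body` returned for a 0xB0C0 log still begins with the modem's version-dependent RRC OTA sub-header, which must be stripped before handing the PDU to an ASN.1 decoder or the Wireshark LTE-RRC dissector.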
