How to Decode QMDL Logs Online — RRC & NAS Extraction Guide. HiCellTek

If you work with Qualcomm-based devices, you have QMDL files. Gigabytes of them. They contain every protocol message the modem exchanged with the network — RRC, NAS, PHY-layer measurements, GPS fixes — all packed into a proprietary binary format that you cannot read without the right tools.

The traditional workflow requires QCAT (Qualcomm’s desktop analysis tool), a Windows machine, and a lot of patience. But there is a faster path: extract the hex frames you need and decode them online, instantly.

This guide covers both approaches and shows you how to get from a raw QMDL file to a decoded RRC or NAS message as fast as possible.

What is the QMDL Format?

QMDL stands for Qualcomm Diagnostic Message Log. It is the binary log format produced by the Qualcomm DIAG interface (also called DM or Diagnostic Monitor port) present in every Qualcomm-based smartphone and modem.

A QMDL file contains a stream of diagnostic packets, each with:

A log code identifying the message type (e.g., 0xB0C0 for LTE RRC OTA, 0xB0E0 for LTE NAS)
A timestamp from the modem clock
The raw payload — typically the hex-encoded protocol message as it was sent or received over the air

QMDL files are generated by:

QXDM / QCAT connected via USB
Diagnostic logging apps on rooted Android devices
HiCellTek, which captures and decodes DIAG messages in real time on the device itself
Network testing tools like Accuver XCAL, Keysight Nemo, or PCTEL SeeHawk that use the DIAG interface internally

The files are typically large (hundreds of MB per hour of capture) because they contain all DIAG messages, not just the protocol signaling you care about.

Method 1 — QCAT Desktop Workflow

QCAT (Qualcomm Chipset Analysis Tool) is the standard tool for opening QMDL files. Here is the typical workflow:

Install QCAT on a Windows PC (requires a Qualcomm license or NDA access).
Open the .qmdl file — QCAT parses the binary stream and indexes all log packets.
Filter by log code — For RRC messages, filter on 0xB0C0 (LTE) or 0xB821 (NR). For NAS, use 0xB0E0 (LTE) or 0xB826 (NR 5G NAS).
View decoded messages — QCAT displays the ASN.1-decoded RRC or hex-decoded NAS content.
Export — You can export individual messages as hex, or save filtered logs.

Pros: Full access to all DIAG log codes, including PHY-layer and internal modem logs.

Cons: Requires a Windows machine, QCAT installation, and Qualcomm access. Not practical in the field. Processing large files is slow.

Method 2 — Extract Hex, Decode Online

If you only need RRC and NAS messages (which covers 90% of protocol troubleshooting), there is a much faster approach:

Step 1 — Extract Hex Frames from QMDL

You need to pull the raw hex payload out of the QMDL binary. Several tools can do this:

QCAT export: Open the QMDL in QCAT, right-click a message, and copy the hex payload.
qmdl-parser (open source): Command-line tools exist on GitHub that parse QMDL files and output hex frames per log code. Filter for the log codes you need.
HiCellTek app: If the capture was made with HiCellTek, the hex frames are already extracted and available in the app’s message list — just tap a message and copy its hex value.

The hex frame you extract will look something like this (LTE NAS example):

07 41 71 08 29 43 10 90 18 07 61 04 05 E0 60 ...

Step 2 — Paste Hex into an Online Decoder

Take the extracted hex string and paste it into the HiCellTek online decoder.

Select the protocol:

LTE RRC — for DL/UL-DCCH, BCCH, PCCH messages
LTE NAS — for Attach, Authentication, TAU, Service Request messages
NR RRC — for 5G RRC messages
NR NAS (5GMM/5GSM) — for 5G NAS messages

Click Decode. The output shows every Information Element parsed with field names, values, and the corresponding hex bytes — identical to what QCAT would show, but in your browser, in seconds.

Step 3 — Analyze the Decoded Output

The decoded message gives you exactly what you need for troubleshooting:

Message type (e.g., RRCConnectionReconfiguration, AttachReject)
All IEs with their decoded values
Nested structures fully expanded (e.g., measConfig inside RRCReconfiguration, or ESM container inside AttachRequest)
Raw hex alongside each field for validation

Supported Message Types

The HiCellTek decoder supports the following protocol message types from QMDL extractions:

Protocol	Direction	Common Messages
LTE RRC (DL-DCCH)	Downlink	RRCConnectionReconfiguration, SecurityModeCommand, RRCConnectionRelease
LTE RRC (UL-DCCH)	Uplink	MeasurementReport, RRCConnectionReconfigurationComplete, SecurityModeComplete
LTE RRC (BCCH)	Broadcast	SIB1, SIB2, SIB3, SIB5, MasterInformationBlock
LTE NAS	Both	AttachRequest/Accept/Reject, TAURequest, AuthenticationRequest, SecurityModeCommand, ESM messages
NR RRC	Both	RRCReconfiguration, MeasurementReport, RRCSetup, RRCRelease
NR NAS (5GMM)	Both	RegistrationRequest/Accept/Reject, AuthenticationRequest, ServiceRequest

Batch Decoding for Large Log Files

When you are processing a full drive test log with hundreds or thousands of protocol messages, a one-by-one copy-paste workflow does not scale. Here are practical approaches for batch processing:

Scripted Extraction

Use a QMDL parser to extract all messages of a given log code into individual hex files, then decode them in sequence. A simple workflow:

Parse the QMDL with a command-line tool, outputting one hex file per message.
Feed each hex file to the decoder.
Collect the decoded output for analysis.

Filter Before You Decode

You rarely need to decode every message in a QMDL. Focus on:

RRCConnectionReconfiguration — for handover and measurement configuration analysis
MeasurementReport — for mobility event triggers
AttachRequest / AttachReject — for registration failures
RRCConnectionRelease — for drop analysis (check the release cause)

This reduces a 500 MB QMDL file down to a few dozen messages that actually matter.

HiCellTek Real-Time Alternative

Instead of capturing a QMDL and post-processing it later, HiCellTek decodes the DIAG stream in real time on the device. Every RRC and NAS message is parsed and displayed as it happens, with no QMDL file to process at all.

This eliminates the entire extract-decode pipeline for field troubleshooting. You still get the hex values for each message if you need to share them with colleagues or paste them into another tool.

QCAT vs. Online Decoding — When to Use Each

Criteria	QCAT Desktop	Online Hex Decoder
Setup required	Windows + QCAT install + license	Browser only
Speed	Minutes to load large files	Instant per message
PHY-layer logs	Yes (all DIAG codes)	No (RRC/NAS only)
Field use	Not practical	Works on any device
Batch processing	Built-in filtering	Manual or scripted
ASN.1 RRC decoding	Yes	Yes
NAS decoding	Yes	Yes
Cost	Qualcomm license required	Free

For protocol-level troubleshooting (attach failures, handover issues, measurement config problems), the online decoder covers everything you need. Reserve QCAT for situations where you need PHY-layer internals or modem-specific debug logs.

Key Takeaways

QMDL files contain raw protocol messages in Qualcomm’s binary diagnostic format.
Extracting hex frames from QMDL (via QCAT, parsers, or HiCellTek) lets you decode messages online without a full desktop toolchain.
The HiCellTek online decoder handles LTE and NR RRC/NAS messages instantly in the browser.
For field work, real-time decoding on the device eliminates the QMDL post-processing step entirely.
Focus your decoding effort on the messages that matter: handover reconfigurations, attach procedures, measurement reports, and release causes.

The fastest path from “something went wrong” to “here is why” runs through decoded protocol messages. Whether you start from a QMDL file or capture live, the goal is the same: read what the network is telling the device.

How to Decode QMDL Logs Online — RRC & NAS Extraction Guide