Qualcomm DIAG Mode on Android From Raw Chipset Access to Field Diagnostics
The Qualcomm DIAG interface is the access layer behind professional 5G field diagnostics on Android. This guide explains what DIAG is, what data it exposes, why root is required, and how HiCellTek wraps this interface into a production-ready measurement suite.
The Qualcomm DIAG interface is a proprietary chipset-level channel built into Qualcomm Snapdragon modems. On Android, it is exposed as a kernel device node restricted to root-privileged processes. It provides raw Layer 3 OTA messages (RRC, NAS, IMS/SIP), sub-frame RF measurements (RSRP, RSRQ, SINR, CQI, MCS, BLER), and QMDL-format log streams. HiCellTek wraps DIAG access into a structured Android suite — decoding ASN.1 messages, computing VoLTE MOS scores, and GPS-tagging every measurement in real time, with no separate Qualcomm toolchain required.
What the DIAG interface exposes
Standard Android telephony APIs expose modem-averaged signal levels reported to the application layer. DIAG exposes the raw chipset data stream before any averaging or filtering.
Layer 3 OTA messages
Full binary payloads of RRC, NAS, and IMS/SIP messages as received and transmitted by the modem, in ASN.1 packed encoding (PER). HiCellTek decodes these against 3GPP specifications (TS 36.331, TS 38.331, TS 24.301, TS 24.501, TS 24.229).
Chipset-level RF measurements
RSRP, RSRQ, SINR, CQI, MCS, MIMO rank, BLER — sampled at sub-frame resolution (1ms granularity). Up to 32 neighbor cells. Not averaged Android Telephony API values.
VoLTE / VoNR audio stream access
RTP and RTCP-XR packets from the modem-level voice bearer, enabling on-device ViSQOL MOS computation and per-packet jitter analysis — without interception at the Android audio HAL layer.
Internal modem events
RACH procedure outcomes, handover triggers and completions, beam selection events (NR), RLC retransmissions (AM mode), and PDCP discard events — all timestamped by the modem clock.
QMDL log stream
DIAG packets are wrapped in HDLC framing and recorded to QMDL format — the binary log standard used by Qualcomm diagnostic tools. HiCellTek writes QMDL files from the live DIAG stream, preserving full measurement fidelity for post-processing.
Encrypted HLOG export
HiCellTek also writes measurement sessions to HLOG v1 (proprietary, XChaCha20-Poly1305 encryption). HLOG provides tamper-evident archival suitable for regulator submissions and audit chains.
Why root access is required
This is a Linux kernel security boundary, not a Qualcomm or HiCellTek limitation.
The DIAG device node on Android (/dev/diag)
is owned by uid 0 (root) and assigned to the diag
Linux group with permissions 0660.
Standard Android application processes run in sandboxed user namespaces with no access to this group.
Root access (elevation to uid 0) is required for a process to open the DIAG device node and communicate
with the kernel driver. This security boundary is intentional and enforced at the Android kernel level.
Root is performed by the customer on their own device using Magisk or an equivalent rooting framework. HiCellTek does not provide pre-rooted devices and is not responsible for the rooting process. Rooting a device may affect the manufacturer warranty — consult your device documentation before proceeding.
How HiCellTek wraps DIAG access
Using the raw DIAG stream requires: HDLC framing and deframing, log code dispatch, typed callback registration, and ASN.1 decoding per 3GPP specification. HiCellTek handles this entire pipeline transparently.
The HiCellTek process opens /dev/diag and configures the Qualcomm DIAG client. Log masks are activated to enable relevant log codes — RRC OTA (0x1478 LTE, 0xB821 NR), NAS (0x713A, 0xB0EE), RF measurements, and voice stream log codes.
The native C++ DIAG parser deframes incoming HDLC packets (0x7E sync bytes, byte stuffing). Each packet is validated (CRC-16 CCITT), the command code identified, and the payload dispatched to the appropriate log code handler.
L3 OTA message payloads are decoded against compiled 3GPP ASN.1 grammars: LTE RRC (25 MB grammar, TS 36.331), NR RRC (22 MB grammar, TS 38.331), EPS NAS and 5GS NAS. The decoded output is a structured message tree with field names and enum labels.
Every decoded message and RF measurement is timestamped (modem clock, µs resolution) and geo-tagged with the concurrent GPS fix. Measurement events are correlated across layers — L3 events are matched to the RF conditions at the exact same timestamp.
In parallel, the raw DIAG stream is written to QMDL (binary, Qualcomm-compatible) and optionally to HLOG v1 (XChaCha20-Poly1305 encrypted). Both formats are written without buffering — data is flushed per packet to avoid loss in case of sudden session interruption.
Frequently Asked Questions
What is the Qualcomm DIAG interface?
The Qualcomm DIAG (Diagnostic Monitor) interface is a proprietary communication channel built into Qualcomm Snapdragon chipsets. It exposes chipset-level diagnostic data through a serial protocol over USB — including raw Layer 3 OTA messages (RRC, NAS), chipset RF measurements at sub-frame resolution, and internal modem events. It was originally designed for use with Qualcomm's own diagnostic tools (QXDM/QCAT). The DIAG protocol is not a public standard; it is a proprietary Qualcomm interface.
Why does accessing the DIAG interface require root?
On Android, the DIAG device node (/dev/diag) is restricted by the Linux kernel to the "diag" group with mode 0660. Standard Android applications do not have access to this group — they run in sandboxed user namespaces with no kernel device access. Root access (via Magisk, for example) elevates the process to uid 0, allowing direct access to the DIAG device node and the underlying kernel driver. This is a deliberate Android security boundary.
What data is accessible through the DIAG interface?
Through DIAG, HiCellTek accesses: (1) Layer 3 OTA messages — LTE RRC (3GPP TS 36.331), NR RRC (TS 38.331), EPS NAS (TS 24.301), 5GS NAS (TS 24.501), and IMS/SIP (TS 24.229); (2) Chipset-level RF measurements — RSRP, RSRQ, SINR, CQI, MCS, MIMO rank, BLER at sub-frame resolution, up to 32 neighbor cells; (3) Internal modem events — handover triggers, beam switches, RACH procedure outcomes, RLC AM/UM errors; (4) VoLTE/VoNR RTP and RTCP-XR streams for MOS computation.
Can I use HiCellTek without rooting my device?
No. Root access is required to access the Qualcomm DIAG interface, which is the source of Layer 3 data and chipset-level RF measurements. Without DIAG access, only standard Android telephony API data is available (averaged signal levels, cell identity, technology indicator) — which HiCellTek does not use. Root is performed by the customer on their own device using Magisk; HiCellTek does not provide pre-rooted devices.
What is a QMDL file and what can I do with it?
QMDL (Qualcomm Modem Device Log) is a binary log format that stores Qualcomm DIAG packets in their native framing. HiCellTek writes measurement sessions to QMDL, producing files that can be read by Qualcomm-compatible log analysis tools. QMDL files preserve the full fidelity of the DIAG stream — every log code, every timestamp, every raw packet — enabling off-device post-processing, log sharing with vendor escalation teams, and archival for audit purposes.
Which Android devices are compatible with HiCellTek via the DIAG interface?
HiCellTek requires an Android smartphone with a Qualcomm Snapdragon chipset that exposes the DIAG interface, rooted via Magisk. Validated device families include Samsung Galaxy S and A series (Qualcomm variants — note that Samsung sells both Exynos and Qualcomm variants depending on region), OnePlus, Xiaomi, and Google Pixel. The device must run Android 9.0 or above; Android 12 or later is recommended for stability. A trial activation on your specific device is the most reliable compatibility check.
Use DIAG professionally — without building the toolchain yourself
HiCellTek handles DIAG framing, ASN.1 decoding, GPS tagging, and QMDL export out of the box. 14-day free trial, full feature access, no credit card.
Pro EUR 249/month/device · Team EUR 399/month (3 devices min) · Enterprise on quote