Free Tool

RRC Message Decoder for LTE & 5G NR

Decode Radio Resource Control messages from your drive test captures, QMDL files or DIAG logs. Paste a hex frame, get the full ASN.1 tree in seconds. Supports 3GPP Release 17, CellGroupConfig, EN-DC tunnel and conditional handover.

Open the Decoder See Plans

What is RRC?

RRC (Radio Resource Control) is the signaling protocol between your phone and the base station. It controls everything about the radio connection: how the phone attaches to a cell, how it gets handed over to a neighbor cell, how it reports signal measurements, and how security keys are configured.

For LTE, RRC is defined in 3GPP TS 36.331. For 5G NR, in 3GPP TS 38.331. Both use ASN.1 UPER encoding, which makes raw hex frames unreadable without a decoder.

RRC State Machine

Understanding RRC states is essential for diagnosing connectivity issues. An unexpected state transition often points to a coverage hole, a misconfigured timer or a congested cell.

🔴

RRC_IDLE

No active radio connection. The phone performs cell reselection autonomously and monitors paging. Minimal battery consumption.

🟢

RRC_CONNECTED

Active radio bearer. The network controls handovers, measurement reporting and scheduling. Data transfer is possible.

🟡

RRC_INACTIVE (5G only)

UE context stored at the network. Fast resume without full connection setup. Saves battery while enabling quick reconnection.

Key RRC Messages for Field Troubleshooting

🔗

RRCSetup / RRCSetupComplete

Initial connection establishment. A missing RRCSetupComplete indicates the phone cannot complete the attach procedure (typically RACH failure or weak coverage).

⚙️

RRCReconfiguration

The most complex RRC message. Carries CellGroupConfig (add/modify cells), measConfig (measurement setup), and nr-SecondaryCellGroupConfig for EN-DC/NR-DC activation. A failed reconfiguration causes call drops.

📡

MeasurementReport

Sent by the UE to the network with neighbor cell measurements (RSRP, RSRQ, SINR). These reports trigger handover decisions. Analyzing them reveals whether handover failures are caused by late reporting or weak neighbor signal.

❌

RRCRelease

Connection teardown with a cause value. Common causes: redirectedCarrierInfo (inter-frequency redirect), deprioritisationReq (load balancing), or t310-Expiry (radio link failure). The cause tells you exactly why the connection dropped.

📡

SIB1 / SIB2 (SystemInformation)

Broadcast by the cell. SIB1 carries cell identity, PLMN, tracking area and access control. SIB2 contains radio resource configuration (RACH parameters, paging config, UL power control). Essential for verifying cell-level configuration.

How to Decode an RRC Message

Get the hex frame

From a QMDL capture, HiCellTek app export, Wireshark PCAP, or any DIAG log. The frame is a hexadecimal string representing the UPER-encoded RRC message.

Select the logical channel

Choose DL-DCCH (downlink dedicated), UL-DCCH (uplink dedicated), BCCH-DL-SCH (broadcast), or PCCH (paging). This tells the decoder which ASN.1 structure to apply.

Decode and analyze

The C++ ASN.1 engine parses the frame in under 1 ms. Browse the result in tree, raw or table view. Use search to find specific IEs like measConfig, cellGroupConfig or sCellToAddModList.

Try the RRC Decoder Now

LTE RRC vs 5G NR RRC

Feature	LTE RRC (TS 36.331)	NR RRC (TS 38.331)
States	IDLE, CONNECTED	IDLE, CONNECTED, INACTIVE
Encoding	ASN.1 UPER	ASN.1 UPER
Max SCells	7 (CA)	31 (CA) + 32 (DC)
Handover	Standard HO	CHO (Conditional) + DAPS (Dual Active)
Key message	RRCConnectionReconfiguration	RRCReconfiguration
Dual Connectivity	EN-DC (nr-SCG-r15)	NR-DC (CellGroupConfig)

Related Protocol Decoders

📡

L3 Protocol Decoder

Full decoder: RRC + NAS, all technologies, batch mode.

🔐

NAS Decoder

Decode NAS messages: Attach, Authentication, PDU Session, Registration.

📄

QMDL Decoder

Read and decode Qualcomm DIAG logs on Android.

Frequently Asked Questions

What is RRC in LTE and 5G NR?

RRC (Radio Resource Control) is the Layer 3 protocol between the UE (phone) and the base station (eNB for LTE, gNB for NR). It manages radio bearer setup, handovers, measurement reporting, cell reselection and security configuration. RRC is defined in 3GPP TS 36.331 for LTE and TS 38.331 for 5G NR.

What are the most important RRC messages to decode?

The five critical RRC messages for field troubleshooting are: RRCSetup (initial connection), RRCReconfiguration (handover, carrier aggregation, NR-DC setup), MeasurementReport (neighbor cell measurements that trigger handovers), RRCRelease (connection teardown with cause), and SystemInformationBlock (SIB1/SIB2 carrying cell parameters).

How do I decode an RRC message from a QMDL file?

Extract the hex payload from the QMDL file using HiCellTek or a DIAG parser. Select the logical channel (DL-DCCH for downlink, UL-DCCH for uplink), paste the hex into the decoder, and click Decode. The ASN.1 engine parses the UPER-encoded frame and displays the full message tree.

What is RRCReconfiguration and why does it matter?

RRCReconfiguration (TS 38.331) is the most complex RRC message. It carries CellGroupConfig for adding/modifying cells, measConfig for measurement setup, radioBearerConfig for DRB setup, and the critical nr-SecondaryCellGroupConfig for EN-DC/NR-DC. A failed RRCReconfiguration often causes call drops or 5G fallback to LTE.

What is the difference between LTE RRC and NR RRC?

LTE RRC (TS 36.331) uses ASN.1 UPER encoding and manages a simpler state machine (RRC_IDLE, RRC_CONNECTED). NR RRC (TS 38.331) adds RRC_INACTIVE state for power saving, supports CellGroupConfig with multi-cell configurations (up to 32 SCells), and introduces conditional handover (CHO) and DAPS handover for zero-interruption mobility.

Can I decode the NR config inside an LTE RRCConnectionReconfiguration?

Yes. In EN-DC (E-UTRA NR Dual Connectivity), the LTE RRCConnectionReconfiguration carries an nr-SecondaryCellGroupConfig-r15 IE that encapsulates the full NR CellGroupConfig. The HiCellTek decoder automatically detects and expands this nested structure, including Base64-encoded payloads.

What are RRC states and why do they matter for troubleshooting?

RRC states determine how the UE interacts with the network. In RRC_IDLE, the phone is not connected and performs cell reselection autonomously. In RRC_CONNECTED, the phone has an active radio bearer and the network controls handovers. In NR RRC_INACTIVE (5G only), the phone maintains its context but releases radio resources. Unexpected RRC state transitions (e.g., frequent RRC_CONNECTED to RRC_IDLE) indicate network issues like aggressive release timers or coverage holes.

How does the RRC decoder handle Release 17?

The decoder uses an ASN.1 schema compiled from the official 3GPP Release 17 specifications. This includes support for NR-DC enhancements, FR2 band extensions, conditional handover improvements, reduced capability (RedCap) UE configurations, and NTN (Non-Terrestrial Network) parameters.

📡

Go deeper with real-time L3 analysis

HiCellTek decodes RRC, NAS and IMS/SIP directly on your smartphone. Identify root causes in seconds.

✓ Full ASN.1 decoding
✓ Real-time filters and search
✓ Wireshark PCAP export

Request a demo View pricing