rayhunter/doc/lte-ml1-serving-cell-measurement.md

LTE ML1 Serving Cell Measurement (0xB193)

This document describes the Qualcomm DIAG log code 0xB193 (LTE ML1 Serving Cell Measurement Response), which provides detailed LTE signal strength measurements including RSRP, RSRQ, and RSSI.

Overview

Log code 0xB193 (LOG_LTE_ML1_SERVING_CELL_MEAS_RESPONSE) is emitted by the Qualcomm modem's Layer 1 (ML1) component and contains periodic measurements of the serving cell's signal characteristics. Rayhunter captures these measurements and includes the RSRP value in GSMTAP headers for PCAP output.

Packet Structure

The 0xB193 log uses a subpacket architecture common to many Qualcomm DIAG logs:

+------------------+
| Main Header      |  4 bytes
+------------------+
| Subpacket Header |  4 bytes
+------------------+
| Subpacket Data   |  Variable (version-dependent)
+------------------+

Main Header (4 bytes)

Offset	Size	Field	Description
0	1	main_version	Main packet version (observed: 1)
1	1	num_subpackets	Number of subpackets (typically 1)
2	2	reserved	Reserved/padding

Subpacket Header (4 bytes)

Offset	Size	Field	Description
0	1	subpacket_id	Subpacket identifier
1	1	subpacket_version	Subpacket version (see below)
2	2	subpacket_size	Size of subpacket including header

Known Subpacket Versions

Different modem firmware versions emit different subpacket versions. The field offsets within the subpacket data vary by version:

Version	PCI Offset	EARFCN Offset	RSRP Offset	Notes
4	0	2	12	Early format (SCAT)
7	0	4	14	Intermediate format
18-24	0	4	24	Common on Orbic RC400L
35-40	0	4	28	Newer modems

The Orbic RC400L device used for development emits subpacket version 18.

Signal Measurement Fields

RSRP (Reference Signal Received Power)

RSRP is the primary signal strength indicator for LTE. The raw 12-bit value is converted to dBm:

RSRP (dBm) = -180.0 + (raw_value & 0xFFF) * 0.0625

Typical range: -140 dBm (very weak) to -44 dBm (very strong)

PCI (Physical Cell ID)

The Physical Cell ID identifies the serving cell. Stored as a 16-bit little-endian value at the PCI offset.

Range: 0-503

EARFCN (E-UTRA Absolute Radio Frequency Channel Number)

The EARFCN identifies the carrier frequency. Stored as a 32-bit little-endian value at the EARFCN offset.

Implementation Notes

1. Caching Strategy: Since 0xB193 messages arrive independently from RRC OTA messages, rayhunter caches the most recent RSRP value and applies it to subsequent GSMTAP headers.

2. Signal Conversion: The signal_dbm field in GSMTAP headers is an i8, so the RSRP value is clamped to the range -128 to 0 dBm.

3. Version Detection: The subpacket version determines field offsets. Unknown versions fall back to the v7 layout.

References

SCAT (Signaling Collection and Analysis Tool)

The SCAT project by the Firmware Security (fgsect) research group at TU Berlin provides Qualcomm DIAG log parsers.

Relevant file: parsers/qualcomm/diagltelogparser.py

# SCAT v4/v5 parser structure (simplified)
# pci = struct.unpack('<H', payload[0:2])
# earfcn = struct.unpack('<H', payload[2:4])  # or <L for 32-bit
# rsrp_raw = struct.unpack('<L', payload[offset:offset+4])

Mobile Insight

The Mobile Insight project from UCLA WiNG Lab provides comprehensive Qualcomm DIAG parsing with extensive version support.

Relevant file: mobile_insight/analyzer/msg_logger.py and related LTE analyzers

Mobile Insight documents subpacket versions 4, 7, 18, 19, 22, 24, 35, 36, and 40, with version-specific field layouts.

QCSuper

The QCSuper project by P1 Security provides another implementation of Qualcomm DIAG protocol handling.

3GPP Specifications

• 3GPP TS 36.214: Physical layer measurements (defines RSRP, RSRQ, RSSI)
• 3GPP TS 36.133: Requirements for support of radio resource management

Example Output

When rayhunter captures a 0xB193 log, debug output shows:

ML1 0xB193 v18: RSRP=-94.8dBm, PCI=446, EARFCN=975

The corresponding GSMTAP packets in Wireshark will display Signal dBm: -95 (rounded to i8).