Cellular layer 3 tracing possibility for Qualcomm-based modules (2G/3G/4G, LTE-M, NB-IoT)

I want to share a tool which I love and I think it will be very useful for many of you using a cellular module which has a Qualcomm-based chipset (like EXS82 and ENS22 from Thales or BG95, BG96 from Quectel or uBlox Sara R410 etc.).
There is even a cheap LTE dongle available having an open diagnostic port.

This free tool is called QCSuper and is available on GitHub.

It is a Python-based tool which is able to decode the debug interface stream.
A simple call like:

./qcsuper.py --usb-modem /dev/ttyUSB0 --wireshark-live --decrypt-nas --reassemble-sibs --include-ip-traffic

and a working Wireshark installation is enough to start it.
It will show you all the NAS messages, SIBs, pagings - all the messages which are sent over the air to your next cell tower.
For some modules, the needed diagnostic port (DM port) needs to be enabled by some extra AT commands.
For Quectel it is e.g.:

To enable the modem log, please send AT+QCFG="dbgctl",0
To disable the modem log, please send AT+QCFG="dbgctl",1

This is how it looks in Wireshark:


Is it possible to capture the SIP INVITE from the OSP/Carrier with this tool and the mentioned modems?

Hi,
I haven’t been able to catch SIP traffic with my available modules so far.
Sorry


Do you know of any that can? I was looking for a module with an open diag port. You mentioned the LTE dongle above and I was hopeful.

It is not that easy to get the module to even start the IMS registration.
It might be possible trying to use other IMS services.
For VoLTE there needs to be audio ‘equipment’ connected to the module (digital or analog - depending on the module type). Without e.g. a connected digital audio interface the module would not even try to start any voice services. So - the LTE dongle will not work.
Therefore using a mobile phone would be the best.
