Re: Turning up the power?


From: Jouni Malinen (jkmaline_at_cc.hut.fi)
Date: 2002-01-01 06:13:37 UTC



On Mon, Dec 31, 2001 at 01:58:14PM -0500, Mark wrote:

> http://www.wi2600.org/mediawhore/nf0/wireless/docs/802.11/WAP11/fun_with_the_wap11.txt
>
> This link is to a hack that lets one turn up the power on the Linksys WAP11
> AP. (to 100 mW) This is done with software. If this can be done with software
> on this unit, is there something hidden in other Prisim ][ based cards as
> well?? Just wondering.

Well, it is not really "hidden".. Prism2 chipset uses HFA 3861 (or 3863) baseband processor and Intersil has a data sheet for it at http://www.intersil.com/Data/FN/FN4/FN4816/FN4816.pdf

BBP has control registers for setting, e.g., the TX power. This is the "register CR31" mentioned in the WAP11 document. However, this is a 8-bit register (of which 7 bits are used). It looks like WAP11 uses an internal mapping for each channel and then writes the configured value to CR31 according to the current channel.

I've tested setting up CR31 (Manual TX Power Control) from prism2.o driver. This can be done using WriteMIF command. Actually, there is still code for reading the control registers in the driver (e.g., 'iwpriv wlan0 readmif 62' reads the CR31).

However, there is a problem that seems to prevent the driver from overriding the TX power. I have successfully set CR31 to some other value for couple of milliseconds, but something (I would guess MAC) reverts the change almost instantly. In order to control the TX power manually, this automatic setting should be disabled somehow (or it could be used, if MAC has a setting for TX power control). I haven't looked very closely into this, but this could require firmware changes..

If someone would like to test this, here's an example code I used to set CR31:

/* HFA3861 Control Registers */
#define HFA3861_CR_MANUAL_TX_POWER 0x3E

if (hfa3841_cmd(dev, HFA3841_CMDCODE_WRITEMIF,

                HFA3861_CR_MANUAL_TX_POWER, &val, NULL))
	printk("WRITEMIF failed\n");


(val is a 16-bit little-endian value; of which the lowest 8 bits are written to CR31).

-- 
Jouni Malinen                                            PGP id EFC895FA


This archive was generated by hypermail 2.1.4.