Hi

Got one of the GB-region EEPROM-locked NHA cards; any attempt to raise the power to at least 27 dBm fails. Tried several driver hacks, including hardcoding txpower in the driver, regulatory games, and even OpenWrt; the result is always the same:

I can set whatever power I want, 15, 27, 30 dBm etc., but values over 20 dBm simply have no effect. I know there are hundreds of regulatory/CRDA tutorials around the web that make me sick, where people report success not knowing it is a false success because the actual power is not raised.

I've also tried the same with a TL-WN722N adapter, and there the situation is even worse: any txpower value larger than 16 dBm (possibly 15 or even 14; I didn't do a precise test due to lack of RF measuring equipment) won't make any difference at the remote access point.

From a very quick comparison I can tell the AWUS036NHA has about 3-5 dB stronger txpower and about 5-7 dB better reception sensitivity than the TL-WN722N, which has the CN region burned in.

Further, I have tried to run both cards on Win XP, where the Ubiquiti client utility can be used. This utility displays the adapter's txpower in Windows, and for the TL-WN722N it was set to 630 mW while for the AWUS036NHA it was set to 1000 mW. Hoping it might give some boost, I tried connecting to an access point and checking the RSSI there, but unfortunately the RSSI is the same as it was on Ubuntu with the default 20 dBm. Even though the card reports 1 W in the utility, it doesn't look like it is really transmitting at 1 W.

So it seems there is only one approach left: EEPROM hacking.

I knew this card has a UART that can be easily accessed, so I did a bit of googling and found someone who has already managed to get UART output:
http://bobcopeland.com/blog/2015/05/reserialized/
But there's not much info on what can be done from the serial console, and even basic info like the baud rate is missing, so I got the idea to register here and start this thread in the hope that there will be more people interested in doing this.

There are also JTAG leads on the PCB pulled from the AR9271L chip, going down-left to the EEPROM chip; you can see them in the picture and find out more if you look at the AR9271L datasheet, so in case the UART is not much help, maybe the EEPROM could be dumped via JTAG and flashed back after it's modified.

I'd prefer either of the two methods, since I have both serial and JTAG adapters, rather than unsoldering the chip and buying an EEPROM programmer. Even better would be if we could add support for it to some of the EEPROM modding tools so everyone can use it without opening the case.

Let's get this thing unlocked to its full power.
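Whichever way the dump is obtained (UART, JTAG or a programmer), the first thing anyone modding it has to get right is where the regulatory-domain word sits and how the driver validates the block, because ath9k refuses an EEPROM whose checksum does not verify. The script below is an added example written for this thread, not code from the original post or from any existing EEPROM tool. It assumes the layout ath9k uses for the AR9287/AR9271 EEPROM family: the header block starts at 16-bit word 128 (byte 256); the header begins with length, checksum and version words followed by opCapFlags and eepMisc bytes and then regDmn[0]; the checksum is the XOR of all words in the first `length` bytes of the block, which must come out 0xFFFF; a 0xA55A magic word at byte 0 tells the driver the byte order. The 0x8000 "country" flag, the ETSI1_WORLD value 0x37 and the ISO numeric code 826 for GB are taken from the ath9k regulatory tables. The dump it operates on is constructed inline, not read from a real card.

```python
"""Inspect and patch regDmn[0] in an AR9271 (ath9k_htc) EEPROM dump, keeping the checksum valid.

Added example for the thread above; layout constants are assumptions taken from the ath9k
AR9287-family EEPROM map, and the sample dump is constructed, not captured from hardware.
"""
import struct

MAGIC_OFFSET = 0            # byte offset of the 0xA55A magic word (assumption)
EEPROM_MAGIC = 0xA55A
EEP_START = 128 * 2         # header block starts at word 128 of the EEPROM (assumption)
OFF_LENGTH = 0              # u16: number of bytes covered by the checksum
OFF_CHECKSUM = 2            # u16: XOR of all covered words must equal 0xFFFF
OFF_VERSION = 4             # u16
OFF_REGDMN0 = 8             # regDmn[0]: three u16 fields + opCapFlags + eepMisc precede it
COUNTRY_ERD_FLAG = 0x8000   # set => regDmn[0] holds an ISO-3166 numeric country code
REGDMN_ETSI1_WORLD = 0x37   # ETSI regdomain a GB card normally maps to
CTRY_UNITED_KINGDOM = 826


def _endian(dump):
    """Return the struct byte-order prefix implied by the magic word."""
    le, = struct.unpack_from("<H", dump, MAGIC_OFFSET)
    if le == EEPROM_MAGIC:
        return "<"
    be, = struct.unpack_from(">H", dump, MAGIC_OFFSET)
    if be == EEPROM_MAGIC:
        return ">"
    raise ValueError("no EEPROM magic at offset 0; not a usable dump")


def _block_length(dump, e):
    """Read and sanity-check the header length field."""
    length, = struct.unpack_from(e + "H", dump, EEP_START + OFF_LENGTH)
    if length < 16 or length % 2 or EEP_START + length > len(dump):
        raise ValueError("implausible header length %d" % length)
    return length


def _xor_words(dump, e, length):
    """XOR every 16-bit word of the checksummed block, checksum word included."""
    x = 0
    for w in struct.unpack_from(e + "%dH" % (length // 2), dump, EEP_START):
        x ^= w
    return x


def checksum_ok(dump):
    e = _endian(dump)
    return _xor_words(dump, e, _block_length(dump, e)) == 0xFFFF


def read_regdmn(dump):
    """Decode regDmn[0] as either ('country', iso_code) or ('regdomain', code)."""
    e = _endian(dump)
    v, = struct.unpack_from(e + "H", dump, EEP_START + OFF_REGDMN0)
    if v & COUNTRY_ERD_FLAG:
        return ("country", v & ~COUNTRY_ERD_FLAG)
    return ("regdomain", v)


def patch_regdmn(dump, value):
    """Return a copy of dump with regDmn[0] = value and the block checksum recomputed."""
    e = _endian(dump)
    d = bytearray(dump)
    length = _block_length(d, e)
    struct.pack_into(e + "H", d, EEP_START + OFF_REGDMN0, value & 0xFFFF)
    struct.pack_into(e + "H", d, EEP_START + OFF_CHECKSUM, 0)
    x = _xor_words(d, e, length)               # XOR of everything except the checksum
    struct.pack_into(e + "H", d, EEP_START + OFF_CHECKSUM, x ^ 0xFFFF)  # makes the total 0xFFFF
    return bytes(d)


def make_sample_dump(regdmn0, endian="<"):
    """Constructed stand-in for a real dump: magic word, 0xFF filler, then a 64-byte header block."""
    block_len = 64
    d = bytearray(b"\xff" * (EEP_START + block_len))
    struct.pack_into(endian + "H", d, MAGIC_OFFSET, EEPROM_MAGIC)
    d[EEP_START:EEP_START + block_len] = bytes(block_len)
    struct.pack_into(endian + "HHH", d, EEP_START, block_len, 0, 0xE001)  # length, checksum, version (made up)
    struct.pack_into("BB", d, EEP_START + 6, 0x03, 0x00)                  # opCapFlags, eepMisc (made up)
    return patch_regdmn(bytes(d), regdmn0)   # writes regDmn[0] and a valid checksum


if __name__ == "__main__":
    locked = make_sample_dump(COUNTRY_ERD_FLAG | CTRY_UNITED_KINGDOM)
    print("locked dump:  checksum ok =", checksum_ok(locked), " regDmn[0] =", read_regdmn(locked))
    patched = patch_regdmn(locked, REGDMN_ETSI1_WORLD)
    print("patched dump: checksum ok =", checksum_ok(patched), " regDmn[0] =", read_regdmn(patched))
```

Two caveats for anyone who runs this against a real dump: verify `checksum_ok()` on the untouched dump first, since a false result means the offsets above do not match that card's EEPROM and nothing should be written back; and changing regDmn[0] only changes which regulatory domain and CTL (conformance test limit) tables the driver applies, while the per-rate target powers and CTL limits that actually cap output live elsewhere in the same block and are left as they are.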