Thread: ALFA AWUS036NH txpower boost working

  1. #1

    Hi

    If you follow this forum you'll remember me from the AWUS036NHA thread, which was about hacking the EEPROM to get higher power output from the card. The work there is still in progress and there seems to be some success in raising power over 20dBm.

    However, this thread is about a different type of Alfa card, one that runs on Ralink's RT3070 chipset. Probably even more interesting since the market is flooded with RT3070 cards, and there is a **** good reason for that: their performance is fantastic.

    The goal is still the same, but so is the problem: setting txpower to any value higher than 20dBm has no effect on output power.

    If you know of a way to increase txpower on RT3070 chipsets without breaking txpower control please share some info.

    Cheers.

    Update: the following patch allows 6-7dB higher output power on RT3070 chipsets; when set to 0dBm the actual power is 20dBm.

    Code:
    --- rt2800lib.c.orig	2015-06-12 15:39:33.431148783 +0200
    +++ rt2800lib.c	2015-06-10 00:17:19.899382817 +0200
    @@ -13,6 +13,8 @@
     	  Copyright (C) 2009 Xose Vazquez Perez <[email protected]>
     	  <http://rt2x00.serialmonkey.com>
     
    +Boost Version with maximum Power settings from Dr. Rolf Freitag, 2013-10-03.
    +
     	This program is free software; you can redistribute it and/or modify
     	it under the terms of the GNU General Public License as published by
     	the Free Software Foundation; either version 2 of the License, or
    @@ -1711,7 +1713,7 @@ static void rt2800_config_channel_rf2xxx
             rt2x00_set_field32(&rf->rf3, RF3_TXPOWER_A_7DBM_BOOST,
                                (info->default_power1 >= 0));
     
    -        if (info->default_power1 < 0)
    +        //if (info->default_power1 < 0)
                 info->default_power1 += 7;
     
             rt2x00_set_field32(&rf->rf3, RF3_TXPOWER_A, info->default_power1);
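    Review bot: commenting out `if (info->default_power1 < 0)` makes `info->default_power1 += 7` unconditional, so a non-negative value now both sets RF3_TXPOWER_A_7DBM_BOOST on the line above and has 7 added before it is written to RF3_TXPOWER_A, with no bound check in the visible lines. Keep the condition, or clamp default_power1 to the range the RF3_TXPOWER_A field can hold before calling rt2x00_set_field32.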
    @@ -1719,7 +1721,7 @@ static void rt2800_config_channel_rf2xxx
             rt2x00_set_field32(&rf->rf4, RF4_TXPOWER_A_7DBM_BOOST,
                                (info->default_power2 >= 0));
     
    -        if (info->default_power2 < 0)
    +        //if (info->default_power2 < 0)
                 info->default_power2 += 7;
     
             rt2x00_set_field32(&rf->rf4, RF4_TXPOWER_A, info->default_power2);
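    Review bot: the `//if (info->default_power2 < 0)` line leaves `info->default_power2 += 7;` indented as if it were still conditional, which will be misread in review and in later edits. If the unconditional add is intended, delete the condition and re-indent the statement; the sum written to RF4_TXPOWER_A is also unbounded in the visible lines.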
    @@ -2591,8 +2593,13 @@ static u8 rt2800_compensate_txpower(stru
         } else
             reg_limit = 0;
     
    -    txpower = max(0, txpower + delta - reg_limit);
    -    return min_t(u8, txpower, 0xc);
    +    //txpower = max(0, txpower + delta - reg_limit);
    +    //return min_t(u8, txpower, 0xc);  
    +    (void) printk(KERN_DEBUG
    +                  "rt2800_compensate_txpower end, txpower: %u, txpower (old) target: %u, delta: %d, reg_limit: %u\n",
    +                  max(0, txpower + delta), min_t(u8, max(0, txpower + delta - reg_limit),
    +                                 0xc), delta, reg_limit);
    +    return max(0, txpower + delta);             // return 100 % power, +delta for compensation, e. g. temperature compensation
     }
     
     /*
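    Review bot: the new `return max(0, txpower + delta);` drops both the `reg_limit` subtraction and the `min_t(u8, txpower, 0xc)` cap, so reg_limit is still computed above but only reaches the printk, and a function declared `static u8` now returns whatever the sum truncates to. Keep an upper bound on the return value and make skipping reg_limit an explicit opt-in rather than hard-coded; the unconditional printk should be removed or put behind a debug option that can be turned off.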
    @@ -2641,9 +2648,10 @@ static void rt2800_config_txpower(struct
          * BBP_R1 controls TX power for all rates, it allow to set the following
          * gains -12, -6, 0, +6 dBm by setting values 2, 1, 0, 3 respectively.
          *
    -     * TODO: we do not use +6 dBm option to do not increase power beyond
    -     * regulatory limit, however this could be utilized for devices with
    -     * CAPABILITY_POWER_LIMIT.
    +     * OLD: TODO: we do not use +6 dBm option to do not increase power beyond
    +     * 		regulatory limit, however this could be utilized for devices with
    +     * 		CAPABILITY_POWER_LIMIT.
    +     * New: We use the +6 dBm option.
          *
          * TODO: add different temperature compensation code for RT3290 & RT5390
          * to allow to use BBP_R1 for those chips.
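    Review bot: the comment block now carries the previous TODO as `OLD:` text next to `New: We use the +6 dBm option.`, which keeps the regulatory-limit rationale on the page while the code in this patch ignores it. Replace the old paragraph instead of preserving it, and state in the comment that the +6 dBm setting is applied regardless of the regulatory limit and of CAPABILITY_POWER_LIMIT.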
    @@ -2656,10 +2664,16 @@ static void rt2800_config_txpower(struct
             } else if (delta <= -6) {
                 power_ctrl = 1;
                 delta += 6;
    -        } else {
    +        } else if (delta <= 0) {
                 power_ctrl = 0;
    +        } else {
    +            power_ctrl = 3;
    +            delta -= 6;
             }
    -        rt2x00_set_field8(&r1, BBP1_TX_POWER_CTRL, power_ctrl);
    +        rt2x00_set_field8(&r1, BBP1_TX_POWER_CTRL, 3); //power_ctrl);
    +        
    +    (void) printk(KERN_DEBUG  "rt2800_config_txpower, old power_ctrl = %d\n", power_ctrl);        
    +        
             rt2800_bbp_write(rt2x00dev, 1, r1);
         }
     
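    Review bot: `rt2x00_set_field8(&r1, BBP1_TX_POWER_CTRL, 3);` ignores the `power_ctrl` computed just above, yet the branches still adjust `delta` as if their own gain were applied (`delta += 6` in the `delta <= -6` branch, `delta -= 6` in the new else branch), so the compensation left in delta no longer matches the BBP_R1 gain actually programmed. Write `power_ctrl` to the field and let the new `else` branch select 3, or drop the delta adjustments in the branches that no longer take effect; the added printk is also indented outside the block it sits in.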
    @@ -2670,6 +2684,13 @@ static void rt2800_config_txpower(struct
             if (offset > TX_PWR_CFG_4)
                 break;
     
    +        /*
    +         * The eeprom contains the tx power values for each rate. These 
    +         * values map to 100% tx power. Each 16bit word contains four tx 
    +         * power values and the order is the same as used in the TX_PWR_CFG 
    +         * registers. 
    +         */
    +
             rt2800_register_read(rt2x00dev, offset, &reg);
     
             /* read the next four txpower values */
    @@ -2901,6 +2922,7 @@ void rt2800_config(struct rt2x00_dev *rt
                        struct rt2x00lib_conf *libconf,
                        const unsigned int flags)
     {
    +    (void) printk(KERN_DEBUG "rt2800_config start: flags = %u\n", flags);
         /* Always recalculate LNA gain before changing configuration */
         rt2800_config_lna_gain(rt2x00dev, libconf);
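    Review bot: the `printk(KERN_DEBUG ...)` added as the first statement of rt2800_config runs unconditionally on every configuration call and sits directly above the existing "Always recalculate LNA gain" comment with no blank line. Remove it before submission or route it through a debug facility that can be switched off; the `(void)` cast on printk is not needed.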
    Last edited by mokba; 2016-05-22 at 10:19.

  2. #2
    Join Date
    2013-Apr
    Location
    Kali forums
    Posts
    805
    While it's not legal in all areas, the following commands have worked for me:
    iw reg set GY
    iwconfig [interface] txpower 30

    The first command sets your wireless regulations to Guyana, which allows for 30 dBm of transmitting power.

  3. #3
    I'm aware of that. But have you actually checked if there is a change of RSSI value on the remote AP?

  4. #4
    Join Date
    2013-Apr
    Location
    Kali forums
    Posts
    805
    No, I haven't...but I have been able to inject packets further from the AP. That being said, after verifying, my chipset is not RT3070, so this may not apply/be helpful to you. Sorry about that.

  5. #5
    No problem, since this isn't of a big importance to me anyway. But I'm curious now, what kind of card is that if it ain't got RT3070? NH or maybe H or some other?

  6. #6
    Join Date
    2013-Apr
    Location
    Kali forums
    Posts
    805
    I have 2 Alfa cards: AWUS036H and AWUS036NEH. Don't recall the chipset off the top of my head.

  7. #7
    Join Date
    2016-Mar
    Posts
    24
    Txpower is the last thing to worry about... it seems the Alfa AWUS036NH does not work with the new Kali Linux rolling edition. The AWUS036NH will not capture handshakes, therefore nullifying a lot of aircrack-ng functions when it comes to wifi hacking. The Alfa AWUS051NH captures handshakes and so far, in my testing with the new Kali, seems to work quite well.

  8. #8
    Join Date
    2016-Mar
    Posts
    2

    Has anyone else verified that "The awus036nh will NOT capture handshakes in the new Kali Linux Rolling edition"?
