This text file by Xam (C) 2001 .. and all that jazz
comments/questions/etc to xam@wi2600.org

This file is a result of learning of an interesting set of features available to the user of a "WAP11" access point, sold by Linksys. The original persons who dispensed this little bit of knowledge are deserving of much thanks and credit; however, I'm not sure if much detail should be gotten into. In any case, the original discovery was not my own. For now, they are known as the "super secret canadian wireless group".

So, what's so cool about the WAP11? Well, let's cut to the chase: with a little bit of effort, you can turn the "normal" WAP11 into an Access Point with surprising range and power, simply by telling its radio to output a stronger signal. Yes, the power output IS a software-controllable parameter set.

A location in the bridge's configuration space called "register CR31" contains 14 values, each one byte in size, which serve to control the transmit power. Yes, there is a byte per channel; you're not stuck with a single output power for all channels. This could be useful in cases where contoured power output within the 2400 to 2480 MHz band is needed. Within the tool (discussed later) you'll be setting this byte to various values depending on the power output you're looking for. The scale is as follows:

  00----------80----------FF
  0mw--------100mw-------0mw

The scale is linear, 80h (128 decimal) being the highest power, at nearly 100 mW! YES! The WAP11 in fact contains a radio which is capable of 100 mW operation. It is interesting to note that the power falls as you near FF and 00 at either end of the byte values.

Listed here is the default per-channel power for a WAP11 bought recently with the FCC regulatory domain set.

  Channel   Power
     1       c0
     2       bf
     3       bb
     4       bb
     5       b9
     6       b7
     7       b7
     8       b7
     9       b5
    10       b5
    11       b5
    12       b5
    13       b5
    14       b5

The defaults are moving away from higher values to lower values as you go from channel 1 to 14.
However, this translates into lower power UP to higher power through the band. This could simply be precompensation for greater absorption experienced by higher frequencies, or any number of other reasons. I'm not inclined to think it's due to correcting for absorption; we're only talking an ~80 MHz band here, starting from 2400 MHz. In any case, the OEM gives us a good head-scratcher here. In effect, the radio on channel 1 is putting out about 50 mW. At channel 14, we're outputting nearer to 41 mW.

I think we deserve a nice helping of gigahertz radiation. Let's crank all the values to "80h" (128 dec), and revel in our now gratuitously overpowered Access Point.

Doing it:

To mess with your access point, you'll probably want/need the tools to do it. You can find them here:

  http://www.wi2600.org/mediawhore/nf0/wireless/utils/

get: Atmel_SNMP_manager_v1.743.exe - this is for the config

NOTE: This is a win32 program, prefers nt/2k over 9x
NOTE: Will someone please do this procedure, and capture the whole mess on TCPDUMP?

If you'd like to get a firmware rev just one step ahead of what Linksys themselves are putting on their site, be sure to grab AP14g7.rom from:

  http://www.wi2600.org/mediawhore/nf0/wireless/firmware/ATMEL/

Current (as of 12/17/01) is 1.4g5 for 1.0 hardware; 1.1 hardware seems to like 1.4h.3 better. In general, it's best to keep yourself up to date with the newer firmware revs and what's preferred for the 1.0/1.1 versions of the AP hardware.

Some tell-tale signs that you have 1.0 hardware:
-you bought the AP mid-summer 2001, or earlier
-when running 1.4h.3, SNMP access is broken
-ETSI regulatory domain is set for US radios

Some tell-tale signs that you have 1.1 hardware:
-you bought the AP late-summer 2001, or later
-when running anything older than 1.4h.3, things are unstable
-running 1.4g5 or 1.4g7 firmware 'breaks' the AP
-FCC regulatory domain set for US radios

Now that you've downloaded the Atmel config tool, install it.
After the installation is done, go edit the file called "snmpmanager.ini". This will be located in %systemroot% (\winnt or \windows, depending on your OS). The default values are:

  [SNMPmanager]
  AppMode=0
  AppView=0

Change both values to "2". This will essentially 'unlock' the features we need in the Atmel config tool. Next, start the Atmel config tool (if you're in 9x you'll actually need to reboot).

Some notes about what's going on:

-You'll need to have set up a writeable/readable community string on the AP you're working on. The best way to do this is to download the Linksys SNMP/USB config tool, and set up the AP via USB initially. Once you get its base config set, you can then connect via SNMP over IP.
-You can get the Linksys tool from the same location the Atmel one is in: http://www.wi2600.org/mediawhore/nf0/wireless/utils/
-You'll need to be on the same subnet as the AP if your DHCP server isn't handing out leases with a default router specified. For some reason, you can't set a default route with the USB util.

So, once you've gotten the bridge on the newer firmware, set up a read/write community string in the USB util, and put the thing on an IP you can contact, you're ready to rock.

Within the Atmel tool, go to "connect to access point." You will want to log in as "admin", and the community name will be the one you set up for read/write in the USB util. Proceed to the "radio" menu, and select "radio config". Voila! Here's the CR31 register control. Go through and set the bytes to the value you love most, and that is "80." Upon hitting "set", your radio will receive new config data and restart. When it comes back up, you'll have that crazy power you always dreamed of!

So, that's all there is to it, really. Spin through the other areas in the Atmel tool too; there certainly are quite a few more things than are included with the Linksys util.

...and with that, enjoy.
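As an added example (not code from this text file, nor from Linksys or Atmel), here is a small Python model of what the CR31 register described above holds: one byte per channel, the FCC-domain default table quoted earlier, and the byte-to-milliwatt scale as drawn (00h and FFh both 0 mW, 80h at 100 mW, straight segments in between). The 802.11b channel-centre frequencies are an assumption the text does not spell out; it only names the 2400 to 2480 MHz band. Note that the text's 50 mW and 41 mW figures for c0h and b5h do not both fall out of the drawn scale (b5h comes out near 58 mW on it), so treat the conversion as a rough model rather than a calibration.

```python
"""Model of the WAP11 CR31 per-channel transmit-power table.

Added example, not code from the original text file or from Linksys/Atmel.
It encodes the scale as drawn in the text (00h = 0 mW, 80h = 100 mW,
FFh = 0 mW, linear in between) and the FCC-domain default table listed there.
"""
from __future__ import annotations

CHANNELS = range(1, 15)  # CR31 holds one byte for each of 14 channels
PEAK = 0x80              # byte value at which the drawn scale peaks (100 mW)
PEAK_MW = 100.0

# Default CR31 bytes quoted in the text for an FCC-domain unit, channel -> byte.
DEFAULT_CR31 = {
    1: 0xC0, 2: 0xBF, 3: 0xBB, 4: 0xBB, 5: 0xB9, 6: 0xB7, 7: 0xB7,
    8: 0xB7, 9: 0xB5, 10: 0xB5, 11: 0xB5, 12: 0xB5, 13: 0xB5, 14: 0xB5,
}


def cr31_to_mw(value: int) -> float:
    """Convert one CR31 byte to approximate mW per the drawn (triangular) scale.

    The text calls the scale linear with 80h at the top and 0 mW at both 00h
    and FFh, so the left and right halves are two straight segments.
    """
    if not 0 <= value <= 0xFF:
        raise ValueError(f"CR31 byte out of range: {value!r}")
    if value <= PEAK:
        return value / PEAK * PEAK_MW
    return (0xFF - value) / (0xFF - PEAK) * PEAK_MW


def channel_center_mhz(channel: int) -> int:
    """Standard 802.11b channel centre frequency.

    Assumption: the WAP11 follows the usual channel plan; the text only
    names the 2400-2480 MHz band.
    """
    if channel not in CHANNELS:
        raise ValueError(f"channel must be 1..14, got {channel}")
    return 2484 if channel == 14 else 2407 + 5 * channel


def decode_cr31(hex_bytes: str) -> dict[int, int]:
    """Parse a 14-byte CR31 register dump given as space-separated hex."""
    values = [int(tok, 16) for tok in hex_bytes.split()]
    if len(values) != len(CHANNELS):
        raise ValueError(f"CR31 must hold 14 bytes, got {len(values)}")
    for v in values:
        if not 0 <= v <= 0xFF:
            raise ValueError(f"byte out of range: {v:#x}")
    return dict(zip(CHANNELS, values))


def encode_cr31(table: dict[int, int]) -> bytes:
    """Serialise a channel->byte table in channel order, validating it first."""
    if sorted(table) != list(CHANNELS):
        raise ValueError("table must have exactly channels 1..14")
    return bytes(table[ch] for ch in CHANNELS)


def flat_table(value: int = PEAK) -> dict[int, int]:
    """The 'every channel at the same byte' table the text proposes (80h)."""
    if not 0 <= value <= 0xFF:
        raise ValueError("value must fit in one byte")
    return {ch: value for ch in CHANNELS}


def power_report(table: dict[int, int]) -> list[tuple[int, int, int, float]]:
    """(channel, centre MHz, byte, approx mW) rows for a CR31 table."""
    return [(ch, channel_center_mhz(ch), table[ch], round(cr31_to_mw(table[ch]), 1))
            for ch in CHANNELS]


def diff_tables(before: dict[int, int], after: dict[int, int]) -> dict[int, tuple[int, int]]:
    """Channels whose byte changed, e.g. a read-back compared against the defaults."""
    return {ch: (before[ch], after[ch]) for ch in CHANNELS if before[ch] != after[ch]}


if __name__ == "__main__":
    print("channel  MHz   byte  ~mW")
    for ch, mhz, b, mw in power_report(DEFAULT_CR31):
        print(f"{ch:>7}  {mhz}  {b:#04x}  {mw}")
    changed = diff_tables(DEFAULT_CR31, flat_table())
    print("channels changed by an all-80h table:", len(changed))
```

The decode/encode and diff helpers are the defender's half of this: the same read/write community string that lets the owner push an all-80h table lets anyone who holds it do the same, so reading CR31 back and diffing it against the defaults is a cheap way to notice that the radio config has been touched.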