CSI Extraction for Mediatek based Wi-Fi chipsets

DanielAW · December 31, 2025, 7:39am

Hi everybody,

a friend of mine and I managed to enable extraction of CSI (Channel State Information) on Mediatek based Wi-Fi chipsets. The project can be found here: https://github.com/MtkWifiRev/MtkCSIdump
No firmware modifications are necessary, its purely done by some patches in mt76. The driver changes are based on this patch set. We provide squashfs images for two mt7981 based routers which we tested:

OpenWRT One
Xiaomi Mi AX3000T

It should work for other chipsets as well, but Wi-Fi 7 based cards might need a different interpretation of the CSI data.
In our repo you can find:

A tool to run on the OpenWRT based router to start collection of the CSI data
A Python based GUI which can be used to receive the CSI data via UDP from the OpenWRT router.

I hope this is interesting and helpful to some people.

Update:
Here is a link to a recording from Nullcon this year were we presented this (sorry for the bad audio). And a link to the slides.

-Daniel

brada4 · December 31, 2025, 7:58am

Why not mainline it?

olek210 · December 31, 2025, 10:36am

I would love to have spectral scan in LuCI, just like in Ubiquiti and Mikrotik.

brada4 · December 31, 2025, 10:46am

You have survey dump at 5MHz chunks already.

olek210 · December 31, 2025, 11:13am

Not all channels return noise floor from what I can see.

root@OpenWrt:~# iw dev phy0-ap0 survey dump
Survey data from phy0-ap0
        frequency:                      2412 MHz
        noise:                          -91 dBm
        channel active time:            48 ms
        channel busy time:              11 ms
        channel receive time:           8 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2417 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2422 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2427 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2432 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2437 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2442 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2447 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2452 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2457 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2462 MHz [in use]
        noise:                          -90 dBm
        channel active time:            234027155 ms
        channel busy time:              74846531 ms
        channel receive time:           72670783 ms
        channel BSS receive time:       12505 ms
        channel transmit time:          916557 ms
Survey data from phy0-ap0
        frequency:                      2467 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms
Survey data from phy0-ap0
        frequency:                      2472 MHz
        channel active time:            0 ms
        channel busy time:              0 ms
        channel receive time:           0 ms
        channel BSS receive time:       0 ms
        channel transmit time:          0 ms

DanielAW · December 31, 2025, 12:32pm

We can try, but I think the question is always how to maintain it. And I can't do it in the long run.

We do have another project were we enabled raw I/Q capture on a specific Android chipset, see MtkICAPtool. We are trying to get this working on other chipsets, but no luck so far. But I don't think this is the level of data you are looking for, right?

olek210 · December 31, 2025, 12:47pm

Only FFT data is required. This is what FFT visualisation looks like on Ubiquiti:

Source: https://flyteccomputers.com/blog/unlocking-wifi-optimization-with-the-u7promax-realtime-spectrum-analyzer/?srsltid=AfmBOooT_b_fUHyokiYBsqxDn2QYiIPjswHGYoGiYHSkLbPrsM19cDZt

olek210 · December 31, 2025, 12:50pm

All devices I have seen that support this feature have an Atheros chip. This feature is supported by the ath9k/ath10k and ath11k drivers. Here is the interface documentation. It would be ideal if Mediatek had the same interface.

DanielAW · January 1, 2026, 9:05am

Thats interesting, thanks for the pointer @olek210. mt76 does mention a "WIFI_SPECTRUM" mode:

There are even more details in mt_wifi. We already tried to enable this but it did not work so far, we will keep trying to figure out how to get this one enabled.

bmork · January 1, 2026, 10:12am

Interesting work!

Took a quick look at the driver code, and it's completely crazy. TLVs from the firmware are parsed using a packed struct:

github.com/cmonroe/feed-wifi-master

mt76/patches/1001-wifi-mt76-mt7915-csi-implement-csi-support.patch

aa187c7de


      
          +} __packed;
          +
          +struct csi_tlv {
          +	__le32 tag;
          +	__le32 len;
          +} __packed;
          +
          +#define CSI_MAX_COUNT	256
          +#define CSI_MAX_BUF_NUM	3000
          +
          +struct mt7915_mcu_csi_report {
          +	struct csi_tlv _t0;
          +	__le32 ver;
          +	struct csi_tlv _t1;
          +	__le32 ch_bw;
          +	struct csi_tlv _t2;
          +	__le32 rssi;
          +	struct csi_tlv _t3;
          +	__le32 snr;
          +	struct csi_tlv _t4;
          +	__le32 band;

This is unnecessarily fragile and unmaintainable. Extending it to more chipsets is meaningless. Why not start mapping the TLVs? I bet they are the same across different chipsets and firmwares, but possibly with variable lengths and order