OpenWrt Forum Archive

Topic: NetGear WNDR3700 above 17 dBm ?

The content of this topic has been archived on 17 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have a couple NetGear WNDR3700, which I would like to bump to 20 dBm on 2.4GHz to increase quality of my bridged link.

Is it possible to increase power ? Seems like some regional versions will do the 20dBm.

I have looked at the wireless stuff, made my own firmware with ATH9K_USER_REGD=y. Does not seem to work. I can change country as I want, and iw reg will show me whatever I changed it to. But iw list still shows only 17 dBm. I want to get the German 20 dBm.

I have looked at the crda, and have the feeling it is not needed for the latest trunk ? I installed it with a hacked database, and it did not help.

Where is the limit imposed ? Guess it is not crda, since it is not installed per default -  in the new 80211 layer ?
Or do I need to find and flash another EEPROM ?

If I can get a hint, I can dig a bit deeper into the driver source and see if I can hack something that way around.

I am in Europe where modifying things is not illegal.

If the WNDR3700 can't go above 17dBm in Europe, what other APs can be recommended with more power ? (I know they will be locked down with stock kernel)

I have wndr3800 (should be identical with wndr3700v2 but with more flash/ram)
I've purchased 3800 in europe, but set it to 'US':

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '4'
        option macaddr '74:44:01:84:b0:18'
        option hwmode '11ng'
        option htmode 'HT20'
        list ht_capab 'SHORT-GI-40'
        list ht_capab 'TX-STBC'
        list ht_capab 'RX-STBC1'
        list ht_capab 'DSSS_CCK-40'
        option country 'US'
        option txpower '23'

"iw phy" output claims capabilities up to 27 dBm:

Wiphy phy0
        Band 1:
                Capabilities: 0x11ce
                        HT20/HT40
                        SM Power Save disabled
                        RX HT40 SGI
                        TX STBC
                        RX STBC 1-stream
                        Max AMSDU length: 3839 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 8 usec (0x06)
                HT TX/RX MCS rate indexes supported: 0-15
                Frequencies:
                        * 2412 MHz [1] (27.0 dBm)
                        * 2417 MHz [2] (27.0 dBm)
                        * 2422 MHz [3] (27.0 dBm)
                        * 2427 MHz [4] (27.0 dBm)
                        * 2432 MHz [5] (27.0 dBm)
                        * 2437 MHz [6] (27.0 dBm)
                        * 2442 MHz [7] (27.0 dBm)
                        * 2447 MHz [8] (27.0 dBm)
                        * 2452 MHz [9] (27.0 dBm)
                        * 2457 MHz [10] (27.0 dBm)
                        * 2462 MHz [11] (27.0 dBm)
                        * 2467 MHz [12] (disabled)
                        * 2472 MHz [13] (disabled)
                        * 2484 MHz [14] (disabled)

Think there are differences in eeprom, or something else. My WNDR3700 is the one with printed antennas, so it might be one reason it is limited. The dd-wrt page says it is limited to 17 dBm, yet I see others saying it is 20 or 23 dBm max.

My patched kernel says:
root@OpenWrt /root# iw reg get
country DE:
        (2400 - 2483 @ 40), (N/A, 20)
        (5150 - 5250 @ 40), (N/A, 20), NO-OUTDOOR
        (5250 - 5350 @ 40), (N/A, 20), NO-OUTDOOR, DFS
        (5470 - 5725 @ 40), (N/A, 27), DFS

# iw list
....
                Frequencies:
                        * 2412 MHz [1] (17.0 dBm)
                        * 2417 MHz [2] (17.0 dBm)
                        * 2422 MHz [3] (17.0 dBm)
                        * 2427 MHz [4] (17.0 dBm)
                        * 2432 MHz [5] (17.0 dBm)
                        * 2437 MHz [6] (17.0 dBm)
                        * 2442 MHz [7] (17.0 dBm)
                        * 2447 MHz [8] (17.0 dBm)
                        * 2452 MHz [9] (17.0 dBm)
                        * 2457 MHz [10] (17.0 dBm)
                        * 2462 MHz [11] (17.0 dBm)
                        * 2467 MHz [12] (17.0 dBm)
                        * 2472 MHz [13] (17.0 dBm)
                        * 2484 MHz [14] (disabled)

If I change to country JP, I get this from iw list - so it seems like 20 dBm is possible, but only on channel 14. So something is limiting me to 17 dBm. And I think it is the eeprom.

iw reg set JP
iw list

                Frequencies:
                        * 2412 MHz [1] (17.0 dBm)
                        * 2417 MHz [2] (17.0 dBm)
                        * 2422 MHz [3] (17.0 dBm)
                        * 2427 MHz [4] (17.0 dBm)
                        * 2432 MHz [5] (17.0 dBm)
                        * 2437 MHz [6] (17.0 dBm)
                        * 2442 MHz [7] (17.0 dBm)
                        * 2447 MHz [8] (17.0 dBm)
                        * 2452 MHz [9] (17.0 dBm)
                        * 2457 MHz [10] (17.0 dBm)
                        * 2462 MHz [11] (17.0 dBm)
                        * 2467 MHz [12] (17.0 dBm)
                        * 2472 MHz [13] (17.0 dBm)
                        * 2484 MHz [14] (20.0 dBm)


As a father, I don't have too much hacking time. This is why I am looking for info on where to start the hacking. Maybe the eeprom read routine, and faking the values there.

The values you are seeing indeed come from the eeprom, which resides in the 'art' partition. I don't know how feasible flashing another eeprom is; there can be some checks in the bootloader which prevent booting with a modified eeprom.

Regarding the actual values, there can be a power amplifier in the router, which the driver doesn't know about, and the actual transmit powers could be higher. Moreover, the number and type of antennae affect the transmit power.
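
Added example, not part of the original thread or any poster's code: a small Python check that compares the regulatory limit from `iw reg get` with the per-channel power reported by `iw list`, to show which of the two is the binding limit. The sample text is an excerpt of the outputs quoted in this thread; the function names and labels are assumptions made for illustration.

```python
import re

# Excerpts of the outputs quoted in this thread (DE regdomain, 17 dBm channel list).
REG_GET = """country DE:
        (2400 - 2483 @ 40), (N/A, 20)
        (5150 - 5250 @ 40), (N/A, 20), NO-OUTDOOR
"""
IW_LIST = """                Frequencies:
                        * 2412 MHz [1] (17.0 dBm)
                        * 2472 MHz [13] (17.0 dBm)
                        * 2484 MHz [14] (disabled)
"""

RULE_RE = re.compile(r"\((\d+) - (\d+) @ \d+\), \(\S+, (\d+)\)")
CHAN_RE = re.compile(r"\* (\d+) MHz \[(\d+)\] \((disabled|[\d.]+ dBm)\)")

def parse_rules(text):
    """Return [(start_mhz, end_mhz, max_dbm)] from `iw reg get` output."""
    return [(int(a), int(b), float(p)) for a, b, p in RULE_RE.findall(text)]

def parse_channels(text):
    """Return [(freq_mhz, channel, dbm or None when disabled)] from `iw list`."""
    out = []
    for freq, chan, power in CHAN_RE.findall(text):
        dbm = None if power == "disabled" else float(power.split()[0])
        out.append((int(freq), int(chan), dbm))
    return out

def classify(rules, channels):
    """Label each channel by how its reported power relates to the regdomain rule."""
    report = {}
    for freq, chan, dbm in channels:
        reg = next((p for lo, hi, p in rules if lo <= freq <= hi), None)
        if dbm is None:
            report[chan] = "disabled"
        elif reg is None:
            report[chan] = "no-rule"
        elif dbm < reg:
            # Cap comes from below the regulatory layer (EEPROM calibration, per the thread).
            report[chan] = f"below-regdomain ({dbm:g} < {reg:g} dBm)"
        elif dbm == reg:
            report[chan] = f"at-regdomain ({reg:g} dBm)"
        else:
            report[chan] = f"above-regdomain ({dbm:g} > {reg:g} dBm)"
    return report

if __name__ == "__main__":
    for chan, label in classify(parse_rules(REG_GET), parse_channels(IW_LIST)).items():
        print(f"channel {chan}: {label}")
```
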

So conclusion is, driver hack and fake EEPROM from file is best bet.

ATH9K_USER_REGD=y will limit output to 17dBm. It was said before this is a bug or maybe intentional to limit power output when regdomain is not respected.
Your best bet is to set ATH9K_USER_REGD=n and use a modified regdomain or use a driver hack posted by jow: http://luci.subsignal.org/~jow/reghack/README.txt

Back to latest kernel (nightly build) so REGD=n, did the reghack stuff, used US settings (the one he hacked), no luck. Still 17dBm in 2.4GHz.
Then installed crda + regulatory.bin - iw list still says 17 dBm.
No improvement when I use iw dev wlan0 set txpower fixed 2300.

Not sure what the next step is, doing driver debugging takes time I don't have.

I'm interested in this too.  Does anyone know where the datasheet is for this chip so we can see what it is supposed to be able to output?

The chip will go to 27dBm. But the antennas printed on PCB might be a limiting factor.
I think there are 2 ways to go. One is to flash the EEPROM. There are tools for this as some users had a zapped EEPROM after upgrade.
Usually this requires EEPROM from a working device. But people can still change MAC address. Guess you can from another device which is not locked down.

The amplifier does not check power but maybe firmware in chip? Or maybe we still suffer from driver respecting EEPROM.  That is why looking at driver is still a possible solution.

CRDA and ATH9K_USER_REGD=y have no effect in recent builds.

You will need to disable mac80211's built-in regdomain settings to be able to override them with user settings.

Doing so may or may not break the law. I wouldn't condone it but it is described in the existing WNDR3700 thread: https://forum.openwrt.org/viewtopic.php?id=27722

There are some, however, that are indeed calibrated with lower limits in the EEPROM. I do not know if these also come with weaker amplifier chips that necessitate it (take it apart and look) or if it was just for EU compliance.

(Last edited by qasdfdsaq on 12 Feb 2013, 00:42)

povlhp wrote:

The chip will go to 27dBm. But the antennas printed on PCB might be a limiting factor.

I would hope that a PCB can support 27 dBm as easily as it can support 17 dBm. After all, 27 dBm is only 1/2 W output, and the only way the PCB would be seeing any heating is if some meaningful fraction of that power wasn't getting radiated. I would assume that there aren't any significant resistive losses in either the feedlines or the patches (or the router's performance would totally suck both on receive as well as transmit).

(Last edited by jeffster on 12 Feb 2013, 06:50)

The discussion might have continued from here.