ath9k_htc AR9271 tx power increase weird problem + debug

[brunoaduarte]

Hi, i'm trying to increase tx power of my AR9271 card using ath9k_htc backports 4.0.1 driver + open-ath9k-htc-firmware, but i got this strange behavior:

iwconfig wlan0 set txpower (from 1 to 17) dBm

• increases rx power detected by the receiver (airodump-ng PWR column) step by step as expected (-79 to -62)

iwconfig wlan0 set txpower (from 18 to 23) dBm

• when set to 18, RX PWR makes a strange jump from -62 to -48 (why !?), and values over 18 (19 to 23), does not have any effect on RX PWR, it will stay at -48

Here are the measurements with more detailed info
https://docs.google.com/spreadsheets/d/1Ad3AoFaqREGViFPtKFfQzRQvgilnv9e008ltYJlwHG8/edit?usp=sharing

Some considerations:

• ath9k_htc backports driver makes a internal increase of (5 dBm) before setting the power with REG_WRITE

#define    AR5416_PWR_TABLE_OFFSET_DB -5
    for (i = 0; i < Ar5416RateSize; i++) {
        ratesArray[i] -= AR5416_PWR_TABLE_OFFSET_DB * 2
        // times 2 cause ratesArray needed half/dBm values;
    }

• So we have, 17 dBm (iwconfig) + 5 dBm (offset from ath9k_htc driver) = 23 dBm * 2 (cause the card works with half dBm values) = 46 (0x2E) as the maximum value that causes any effects on the firmware

Questions:

• Where in the firmware can i look to understand this -62 to -48 rx gap ?
• Is there anyway to do a live or even a log debug in this firmware ?
• In if_athvar.c

#define MAX_RATE_POWER    63 (0x3F) // half dbm correct ?

Does this define set the max firmware power as 63/2 = 31.5 dBm ? Why this value ? Can it be changed to go as high as 66 (0x42) (33 dBm) ?

Thanks

[erikarn]

hiya,

so no - the maximum rate power you can program into the chip for each of
the possible transmit rates is 0x3f. now, on ar9280 and later chips the
target transmit power starts at -5dBm, purely as a function of how the
transmit power control hardware works.

It sounds like there's a bug somewhere - but it sounds like it does clamp
the values /somewhere/. Just read back the TX power register values as you
up the transmit power via iwconfig and see whta they say. (AR_PHY_TXPOWER_*
...)

On 24 January 2016 at 09:26, Bruno Duarte notifications@github.com wrote:

Hi, i'm trying to increase tx power of my AR9271 card using ath9k_htc
backports 4.0.1 driver + open-ath9k-htc-firmware, but i got this strange
behavior:

iwconfig wlan0 set txpower (from 1 to 17) dBm

• increases rx power detected by the receiver (airodump-ng PWR column)
  step by step as expected (-79 to -62)

iwconfig wlan0 set txpower (from 18 to 23) dBm

• when set to 18, RX PWR makes a strange jump from -62 to -48 (why
  !?), and values over 18 (19 to 23), does not have any effect on RX PWR, it
  will stay at -48

Here are the measurements with more detailed info

https://docs.google.com/spreadsheets/d/1Ad3AoFaqREGViFPtKFfQzRQvgilnv9e008ltYJlwHG8/edit?usp=sharing
Some considerations:

• ath9k_htc backports driver makes a internal increase of (5 dBm)
  before setting the power with REG_WRITE

#define AR5416_PWR_TABLE_OFFSET_DB -5
for (i = 0; i < Ar5416RateSize; i++) {
ratesArray[i] -= AR5416_PWR_TABLE_OFFSET_DB * 2 // times 2 cause ratesArray needed half/dBm values;
}

• So we have, 17 dBm (iwconfig) + 5 dBm (offset from ath9k_htc driver)
  = 23 dBm * 2 (cause the card works with half dBm values) = 46 as the
  maximum value that causes any effects on the firmware

Questions:

• Where in the firmware can i look to understand this -62 to -48 rx
  gap ?
• Is there anyway to do a live or even a log debug in this firmware ?
• In if_athvar.c

#define MAX_RATE_POWER 63 // half dbm correct ?

Does this define set the max firmware power as 63/2 = 31.5 dBm ? Why this
value ? Can it be changed to go as high as 66 (33 dBm) ?

Thanks

—
Reply to this email directly or view it on GitHub
#82.

[brunoaduarte]

Thanks for the reply @erikarn

Seems that the registers are correctly set, this is my driver debug output (dmesg):

eeprom_4k.c -> ath9k_hw_4k_set_txpower

iwconfig wlan1 txpower 17
ath: ratesArray[0](d) -> 34 (17 dBm)
ath: ratesArray[0](d) -> 44 (22 dBm) (considering -5 dBm AR5416_PWR_TABLE_OFFSET_DB)
ath: REG_WRITE(AR_PHY_POWER_TX_RATE1) = 741092396 (0x2c2c2c2c)
ath: REG_WRITE(AR_PHY_POWER_TX_RATE2) = 741092396 (0x2c2c2c2c)
ath: REG_READ(AR_PHY_POWER_TX_RATE1) = 741092396 (0x2c2c2c2c)
ath: REG_READ(AR_PHY_POWER_TX_RATE2) = 741092396 (0x2c2c2c2c)

RX POWER LEVEL = -62

iwconfig wlan1 txpower 18
ath: ratesArray[0](d) -> 36 (18 dBm)
ath: ratesArray[0](d) -> 46 (23 dBm) (considering -5 dBm AR5416_PWR_TABLE_OFFSET_DB)
ath: REG_WRITE(AR_PHY_POWER_TX_RATE1) = 774778414 (0x2e2e2e2e)
ath: REG_WRITE(AR_PHY_POWER_TX_RATE2) = 774778414 (0x2e2e2e2e)
ath: REG_READ(AR_PHY_POWER_TX_RATE1) = 774778414 (0x2e2e2e2e)
ath: REG_READ(AR_PHY_POWER_TX_RATE2) = 774778414 (0x2e2e2e2e)

RX POWER LEVEL = -48

iwconfig wlan1 txpower 19
ath: ratesArray[0](d) -> 38 (19 dBm)
ath: ratesArray[0](d) -> 48 (24 dBm) (considering -5 dBm AR5416_PWR_TABLE_OFFSET_DB)
ath: REG_WRITE(AR_PHY_POWER_TX_RATE1) = 808464432 (0x30303030)
ath: REG_WRITE(AR_PHY_POWER_TX_RATE2) = 808464432 (0x30303030)
ath: REG_READ(AR_PHY_POWER_TX_RATE1) = 808464432 (0x30303030)
ath: REG_READ(AR_PHY_POWER_TX_RATE2) = 808464432 (0x30303030)

RX POWER LEVEL = -48

iwconfig wlan1 txpower 20
ath: ratesArray[0](d) -> 40 (20 dBm)
ath: ratesArray[0](d) -> 50 (25 dBm) (considering -5 dBm AR5416_PWR_TABLE_OFFSET_DB)
ath: REG_WRITE(AR_PHY_POWER_TX_RATE1) = 842150450 (0x32323232)
ath: REG_WRITE(AR_PHY_POWER_TX_RATE2) = 842150450 (0x32323232)
ath: REG_READ(AR_PHY_POWER_TX_RATE1) = 842150450 (0x32323232)
ath: REG_READ(AR_PHY_POWER_TX_RATE2) = 842150450 (0x32323232)

RX POWER LEVEL = -48

[olerem]

Hi,
which adapter are you using? Is it one with external amplifier?

[brunoaduarte]

It's Alfa AWUS036NHA, it has a Skyworks SE2576L power amplifier onboard.

[olerem]

Ok, i had some doubts that amp is correctly set, so may be it is the case.
Take look at ar5416SetupTxDesc_20.

If i see it correctly some gpio should be pulled up to set max power on this amp.

[brunoaduarte]

Well @olerem , i'm not sure how this works, but the only connection between SE2576L and AR9271L is this:

SE2576L - PIN 2 (EN) - Power Amplifier Enable
AR9271L - PIN 67 (XPABIAS) - Bias for optional external power amplifier
they're connected thru a 10 ohm resistor

I can't measure this pin precisely cause i don't have a oscilloscope (it's an analog output), but with the multimeter i've measured 10 mV with some 25 mV peak.

I've looked at "ar5416SetupTxDesc_20" but can't see anything related to this BIAS control there.

[olerem]

hm.. according doc i would expect 3.3V on SE2576L - PIN 2 (EN).
If i remember correctly, windows driver was providing option to enable high gain TX.
Do you have M$ can you compare both drivers?

I pointed to ar5416SetupTxDesc_20 as example where TX gain is set.

[brunoaduarte]

@olerem , I installed latest AWUS036NHA drivers from alfa.com.tw in my Windows XP machine.
There's no option to enable high gain TX in the Atheros utilities or the driver management tab.

Maximum setable tx power that appeared here is 100 mW.

I've measured the pin again and there's nothing there, as always (0 V).
I'm not sure if there are any cases where this power amplifier is used.
Also, i've manually pull up this pin to 3V, using a resistor, and nothing happened, i could not see any difference in output power (i'm going to try this again with a lower value resistor).

When you first mentioned this power amplifier, i thought that maybe the power level gap i see in my receiver, when setting

TX: iwconfig wlan1 txpower 17 -> RX = -62
TX: iwconfig wlan1 txpower 18 -> RX = -48

was caused because of the power amplifier being turned off and on respectively, but that makes no sense if the EN pin of SE2576L doesn't change.

[brunoaduarte]

Seems that the power amplifier is working... I've set lowest transmission power

iwconfig wlan1 txpower 1

and RX power level on receiver was -70...
So i manually pull up the SE2576L EN pin to 3.3V using a 100 ohm resistor
and RX power level became -55 without any iwconfig changes

ps: even if i remove the pull up resistor, power stays at the same -55, power amplifier doesn't get deactivated

then i do iwconfig wlan1 txpower 18 and rx level became -40

then i reset everything and set

iwconfig wlan1 txpower 18

and RX power level is instantaneously -40
now i repeated the process and manually pulled up EN pin... nothing happened

RX level stayed at the same -40...
So it means that, somehow, after

iwconfig wlan1 txpower 18

the power amplifier is being turned on...
Maybe it doesn't need constant dc current on it. Maybe it's just a pulse (like a manually did with the resistor)...

btw, when i do the manual pull up, i get this debug message from the driver

ath: phy7: NF did not complete in calibration window
ath: phy7: Reset TX queue: 0
ath: phy7: tx ok 0x0 err 0x0 desc 0x10f eol 0x10f urn 0x0
ath: phy7: Reset TX queue: 1
ath: phy7: tx ok 0x0 err 0x0 desc 0x10f eol 0x10f urn 0x0
ath: phy7: Reset TX queue: 2
ath: phy7: tx ok 0x0 err 0x0 desc 0x10f eol 0x10f urn 0x0
ath: phy7: Reset TX queue: 3
ath: phy7: tx ok 0x0 err 0x0 desc 0x10f eol 0x10f urn 0x0
ath: phy7: Reset TXQ, inactive queue: 4
ath: phy7: Reset TXQ, inactive queue: 5
ath: phy7: Reset TXQ, inactive queue: 6
ath: phy7: Reset TXQ, inactive queue: 7
ath: phy7: Reset TX queue: 8
ath: phy7: tx ok 0x0 err 0x0 desc 0x10f eol 0x10f urn 0x0
ath: phy7: Reset TX queue: 9
ath: phy7: tx ok 0x0 err 0x0 desc 0x10f eol 0x10f urn 0x0
ath: phy7: ah->misc_mode 0xc
ath: phy7: enabling ADC Gain Calibration
ath: phy7: enabling ADC DC Calibration
ath: phy7: enabling IQ Calibration
ath: phy7: starting ADC Gain Calibration

[erikarn]

HI,

Check the RX rate. I wonder if hte rate is changing and you're seeing a
lower rate at a higher tx power..

-a

[brunoaduarte]

How do i check RX rate @erikarn ?
I'm doing my tests using a fake access point (hostapd) on tx side (awus036nha), and airodump-ng running on receiver side to check RX power level.

[erikarn]

So, each rate has a different max transmit power. Lower rates have higher
maximum transmit powers. So unless you fix a rate somehow (can that work
with ath9k_htc right now?) then the rate control may be stepping the rate
down and transmitting at a higher max poewr.

So on the receiver, log both the RSSI /and/ the RX rate (Mbit/sec) so we
can see.

-a

On 26 January 2016 at 21:34, Bruno Duarte notifications@github.com wrote:

What do you mean by RX rate @erikarn https://github.com/erikarn ? How
do i check it ?
I'm doing my tests using a fake access point (hostapd) on tx side
(awus036nha), and airodump-ng running on receiver side.

—
Reply to this email directly or view it on GitHub
#82 (comment)
.

[brunoaduarte]

Ahh ok. I don't think that's the case @erikarn ... as hostpad seems to set a fixed default rate of 11 mbps and i'm not forcing it to any other...

Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g,
Default: IEEE 802.11b

CH  6 ][ Elapsed: 14 mins ][ 2016-01-27 14:50  ][  1/  1/   1 ][ paused output                                                     

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                       

 00:C0:CA:AA:AA:AA  -58  93     8521        0    0   6  11   OPN              Alfa

I've tried some EEPROM hacking on the adapter. I've replaced the rates power table with higher values, but no success increasing TX POWER.

I've related my tests in this topic:

https://forums.kali.org/showthread.php?28874-ALFA-AWUS036NHA-hacking-EEPROM-via-UART-JTAG&p=55742&viewfull=1#post55742

FYI: the tests i've related here before, were made with original EEPROM data. These EEPROM tests i've made were specific tests.

[yipperr]

@brunoaduarte any further news on the tx power also have you noticed the weird hum this card makes at high data rates one other dude confirmed this in another thread

[psyborg55]

Hi

Thanks for the detailed test results. Can you tell me how to calculate checksum on modified EEPROM data? The reader used was not able to do ICP R/W so I'll have to unsolder the chip and I won't even try that before I'm sure I can get working modified EEPROM.

As per comment located in this post https://forums.kali.org/showthread.php?28874-ALFA-AWUS036NHA-hacking-EEPROM-via-UART-JTAG&p=59550&viewfull=1#post59550

I've seen the change in driver behaviour, but only in such a way that the power gap between 17 and 18 dBm is reduced and spread across 17-27 dBm. Still no power increase in my case.

Also, any ideas where in the code they've broke rate control so I can set fixed rate?

Wish I could find an old revision of the NHA card because I get feeling this thing with power amplifier is crippled.

[jholster]

@brunoaduarte I'm also trying to figure out how to boost the output from AWUS036NHA. It seems that simple software hacks like hardcoding the desired power level into driver source does not work. I suspect that there is a hardware closed loop controlling the output power.

Did you notice that there is another connection between the chips, the DET output from SE2576L is connected to PDET input of AR9271. It signals the AR9271 the actual power output, so that AR9271 can adjust the input signal accordingly, if I understand correctly. Check the http://www.skyworksinc.com/uploads/documents/202428A.pdf datasheet page 5 for voltage curve. Maybe we could fake this signal to enable the full power output e.g. by pulling down or putting a resistor between (not easy soldering job!), so AR9271 thinks the output is lower than it actually is.

Your findings about pulling up the EN pin are interesting. I wonder if pull up causes overheating by 100% duty cycle and some protection mode kicks on? Did you check temperature? The fact that SE2576L datasheet mentions EN rise time hints that you are supposed to drive it by dynamically, i.e. only when you are actually transmitting?

(I'm not an EE, all the above are only amateur guessing.)

PS. The wifibroadcast project contains a patch for fixed rate: https://befinitiv.wordpress.com/2015/02/22/finding-the-right-wifi-dongle-and-patching-its-kernel-driver-and-firmware/

[psyborg55]

doing a check of driver code i found this:

/* PA CAL is not needed for high power solution */
if (ah->eep_ops->get_eeprom(ah, EEP_TXGAIN_TYPE) ==
    AR5416_EEP_TXGAIN_HIGH_POWER)
    return;

static void ar9271_hw_init_txgain_ini(struct ath_hw *ah, u32 txgain_type)
{
if (txgain_type == AR5416_EEP_TXGAIN_HIGH_POWER)
INIT_INI_ARRAY(&ah->iniModesTxGain,
ar9271Modes_high_power_tx_gain_9271);
else
INIT_INI_ARRAY(&ah->iniModesTxGain,
ar9271Modes_normal_power_tx_gain_9271);

static const u32 ar9271Modes_high_power_tx_gain_9271[][5] = {

looks like we need a way of forcing the card into high power mode.

also, grep through backports directory for power offset regarding infamous 5dB returned:

ath/ath9k/eeprom.h:#define AR5416_PWR_TABLE_OFFSET_DB -5
ath/ath9k/eeprom.h:#define AR9287_PWR_TABLE_OFFSET_DB -5
ath/ath9k/ar9003_eeprom.h:#define AR9300_PWR_TABLE_OFFSET 0

maybe setting it back to 0 as it's already set for ar9300 could help too.

could you guys create a complete map of EEPROM so we can know what exactly is and should be set in there?

[erikarn]

hi,

So, the power offset needs to be -5 unless its overridden by something in
the EEPROM.

Yeah, can someone please dump the contents out of eeprom? There's an ath9k
eeprom entry in debugfs that prints out everything in text format. Could
you please attach that?

Thanks!

-adrian

[psyborg55]

do you know offset of that "something" ?

there are dumps for AWUS036NHA TL-WN721NC and TL-WN722N on kali forums: https://forums.kali.org/showthread.php?28874-ALFA-AWUS036NHA-hacking-EEPROM-via-UART-JTAG

[erikarn]

hi,

Sure, but if you cat a specific file in debugfs, you get the dump in a
pretty format.

If someone cats that, then I can go through it and figure out what's going
on.

Thanks,

-adrian

On 11 August 2016 at 13:11, psyborg55 notifications@github.com wrote:

do you know offset of that "something" ?

there are dumps for AWUS036NHA TL-WN721NC and TL-WN722N on kali forums:
https://forums.kali.org/showthread.php?28874-ALFA-
AWUS036NHA-hacking-EEPROM-via-UART-JTAG

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#82 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABGl7d_ph2hpYXhdOA38DkqaUC__f-bIks5qe4HxgaJpZM4HLL6H
.

[olerem]

Hi :)

cat ath9k_htc/base_eeprom
Major Version : 14
Minor Version : 15
Checksum : 51114
Length : 376
RegDomain1 : 33594
RegDomain2 : 0
TX Mask : 1
RX Mask : 1
Allow 5GHz : 0
Allow 2GHz : 1
Disable 2GHz HT20 : 0
Disable 2GHz HT40 : 0
Disable 5Ghz HT20 : 0
Disable 5Ghz HT40 : 0
Big Endian : 0
Cal Bin Major Ver : 0
Cal Bin Minor Ver : 8
Cal Bin Build : 131
TX Gain type : 1
MacAddress : 00:c0:ca:72:6b:17

cat ath9k_htc/modal_eeprom
2GHz modal Header :
Chain0 Ant. Control : 0
Ant. Common Control : 286331969
Chain0 Ant. Gain : 0
Switch Settle : 44
Chain0 TxRxAtten : 32
Chain0 RxTxMargin : 0
ADC Desired size : 226
PGA Desired size : 0
Chain0 xlna Gain : 13
txEndToXpaOff : 0
txEndToRxOn : 2
txFrameToXpaOn : 14
CCA Threshold) : 28
Chain0 NF Threshold : 186
xpdGain : 12
External PD : 1
Chain0 I Coefficient : 0
Chain0 Q Coefficient : 0
pdGainOverlap : 4
O/D Bias Version : 4
CCK OutputBias : 3
BPSK OutputBias : 2
QPSK OutputBias : 2
16QAM OutputBias : 0
64QAM OutputBias : 0
CCK Driver1_Bias : 2
BPSK Driver1_Bias : 0
QPSK Driver1_Bias : 0
16QAM Driver1_Bias : 0
64QAM Driver1_Bias : 0
CCK Driver2_Bias : 2
BPSK Driver2_Bias : 0
QPSK Driver2_Bias : 0
16QAM Driver2_Bias : 0
64QAM Driver2_Bias : 0
xPA Bias Level : 2
txFrameToDataStart : 14
txFrameToPaOn : 14
HT40 Power Inc. : 0
Chain0 bswAtten : 0
Chain0 bswMargin : 0
HT40 Switch Settle : 44
Chain0 xatten2Db : 0
Chain0 xatten2Margin : 0
Ant. Diversity ctl1 : 2
Ant. Diversity ctl2 : 6
TX Diversity : 0

[psyborg55]

so, did somebody tried to figure out what is going on according to the eeprom dump in previous message?

replacing ar9271Modes_normal_power_tx_gain_9271 with ar9271Modes_high_power_tx_gain_9271
i was able to get increased txpower output about 5dB at 150Mbps rate with tl-wn722n

i think this applies to tl-wn722n only since awus036nha is already using high power setting

[olerem]

@psyborg55 can you please describe your setup. What you change, how do you measure. What is the distance between sender and receiver. As match as possible.
5dB difference i get without change any setup, just by moving my self in the room. So actually every object make the difference.

[psyborg55]

ar9331 router with external antenna was about 1.5m away from the usb port on my notebook to which tl-wn722n was attached. rx rate in openwrt interface 150Mbps, signal level -45dBm. doing a change mentioned in my previous message, recompiling a driver and restarting makes the signal go to -40dBm while still at 150Mbps rate. i was sitting still in front of the notebook so no moving objects around. reverting the change and restarting gave back -45dBm. usb adapter region was changed to US and power limit increased to 30dBm in EEPROM.

[erikarn]

hi,

can someone please at least give me a hex file binary dump of the eeprom
contents? :) All the firmware posts have varying forms of dumps and it's
all super-inconvienent.

(I have /all/ the kit I need to debug this; just need some eeprom dumps :)

-a

On 28 August 2016 at 04:46, psyborg55 notifications@github.com wrote:

ar9331 router with external antenna was about 1.5m away from the usb port
on my notebook to which tl-wn722n was attached. rx rate in openwrt
interface 150Mbps, signal level -45dBm. doing a change mentioned in my
previous message, recompiling a driver and restarting makes the signal go
to -40dBm while still at 150Mbps rate. i was sitting still in front of the
notebook so no moving objects around. reverting the change and restarting
gave back -45dBm. usb adapter region was changed to US and power limit
increased to 30dBm in EEPROM.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#82 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABGl7bKydElUM7MsCLPtaG8X0KP7dwFtks5qkXT_gaJpZM4HLL6H
.

[psyborg55]

just did some tests with patched htc driver:

remote AP running NS2 firmware

CH13 RSSI -72dBm at 54Mbps, with increased power would show -67dBm

but

CH239 (2322MHz) RSSI -67dBm with increased power show -51dBm

this is quite a huge difference, is it possible it only happens because of interference clear channel?

also, i could not get the card transmit at full power at 48 or 54Mbps, maybe because of open/closed loop control or some other protection mechanism?

[erikarn]

Hi,

the high TX rates typically have reduced power anyway, due to PA/FEM
linearality.

-adrian

On 8 September 2016 at 11:25, psyborg55 notifications@github.com wrote:

just did some tests with patched htc driver:

remote AP running NS2 firmware

CH13 RSSI -72dBm at 54Mbps, with increased power would show -67dBm

but

CH239 (2322MHz) RSSI -67dBm with increased power show -51dBm

this is quite a huge difference, is it possible it only happens because of
interference clear channel?

also, i could not get the card transmit at full power at 48 or 54Mbps,
maybe because of open/closed loop control or some other protection
mechanism?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
#82 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/ABGl7fjG9I89FL-QHF8d4-7iXocG3xMuks5qoFMXgaJpZM4HLL6H
.

[psyborg55]

that's true but i've seen some hardware specs where various cards rated 1W have 27dBm output at 54 Mbps. maybe i'll have to mod eeprom on alfa too.. do you know if AR9271/htc driver support ANI ?

[erikarn]

Hi,

I have a spectrum analyser, so I can test out whether it's actually true or
not. you have to be careful going and fiddling with that stuff!

-a

[psyborg55]

i've checked debug output from alfa and it is the same olerem posted. tl-wn722n has some differences:

root@OpenWrt:~# cat /sys/kernel/debug/ieee80211/phy1/ath9k_htc/base_eeprom
       Major Version :         14
       Minor Version :         13
            Checksum :      38964
              Length :        376
          RegDomain1 :      33608
          RegDomain2 :          0
             TX Mask :          1
             RX Mask :          1
          Allow 5GHz :          0
          Allow 2GHz :          1
   Disable 2GHz HT20 :          0
   Disable 2GHz HT40 :          0
   Disable 5Ghz HT20 :          0
   Disable 5Ghz HT40 :          0
          Big Endian :          0
   Cal Bin Major Ver :          0
   Cal Bin Minor Ver :          8
       Cal Bin Build :        109
        TX Gain type :          0
          MacAddress : 00:00:00:00:00:00
root@OpenWrt:~# cat /sys/kernel/debug/ieee80211/phy1/ath9k_htc/modal_eeprom
   2GHz modal Header :
 Chain0 Ant. Control :          0
 Ant. Common Control :  289674257
    Chain0 Ant. Gain :          0
       Switch Settle :         44
    Chain0 TxRxAtten :         32
   Chain0 RxTxMargin :          0
    ADC Desired size :        226
    PGA Desired size :          0
    Chain0 xlna Gain :         13
       txEndToXpaOff :          0
         txEndToRxOn :          2
      txFrameToXpaOn :         14
      CCA Threshold) :         28
 Chain0 NF Threshold :        186
             xpdGain :         12
         External PD :          1
Chain0 I Coefficient :          0
Chain0 Q Coefficient :          0
       pdGainOverlap :          6
    O/D Bias Version :          4
      CCK OutputBias :          5
     BPSK OutputBias :          4
     QPSK OutputBias :          4
    16QAM OutputBias :          0
    64QAM OutputBias :          0
    CCK Driver1_Bias :          4
   BPSK Driver1_Bias :          0
   QPSK Driver1_Bias :          0
  16QAM Driver1_Bias :          0
  64QAM Driver1_Bias :          0
    CCK Driver2_Bias :          4
   BPSK Driver2_Bias :          0
   QPSK Driver2_Bias :          0
  16QAM Driver2_Bias :          0
  64QAM Driver2_Bias :          0
      xPA Bias Level :          1
  txFrameToDataStart :         14
       txFrameToPaOn :         14
     HT40 Power Inc. :          0
     Chain0 bswAtten :          0
    Chain0 bswMargin :         31
  HT40 Switch Settle :         44
    Chain0 xatten2Db :          0
Chain0 xatten2Margin :          0
 Ant. Diversity ctl1 :         13
 Ant. Diversity ctl2 :          9
        TX Diversity :          0

[psyborg55]

The eeprom can be nicely analysed using struct ar5416_eeprom_4k in kernel sources.

but won't show mapping to hex addresses of the values. and there isn't any in the pdf doc too.

looks like your method of dumping eeprom data did not reveal values for 3rd tplink regdomain - maybe this is debug domain allowing all channels that misidentifies as ?11A? ?

What I am wondering, why the Alfa has similar txpower as tplink if the limits are removed for both - the alfa has an amplifier while tplink does not, right?

different pcb design is enough to require different eeprom for another card and looks like it can be tuned in many possible and impossible ways. maybe the amp is not set for any amplification, but is only passing data through? maybe it's bias level could be increased?

[j4nn]

Well, the pdf was interesting to me as the content of the eeprom is very similar and it describes the purpose. Offsets do not matter really, there are also structs in the pdf and they match with kernel sources more or less.
3rd tplink regdomain - not sure what you mean?

I am also wondering about the bias level of the external amp in case of the alfa card.
But how to increase it?

[psyborg55]

3rd regdomain refers to ctlindex in tplink eeprom that has no valid data according to your previous comment. bias level should be easily changed, simply replace value at 0xCF. why it's set to 1 in card eeproms that have no xPA i do not know

[j4nn]

The 0xCF xPA Bias Level, i.e. modal_hdr->xpaBiasLvl attribute in driver source (eeprom_4k.c) is not used anywhere else than the eeprom dump function.
So I am afraid that changing that (in ath9k_htc driver memory copy of the eeprom) would not make any difference.
Do you think that the card could use the eeprom content directly in the firmware, using the value?
Possibly even in the ROM part of the firmware (which is not open)?
I think I already tried to find the use in the firmware source without luck (that does not mean it's not there).
To change that would require flashing of the eeprom, that is something I did not try yet (also because I am sceptical about that the firmware is using it before kernel driver).

[psyborg55]

well if there's no driver code to support xPA it might be possible it's configured some other way, GPIO for example. i've used tool for art partitions to dump values, only replaced reg limits with the ones from tplink eeprom this was the output:

   Regulatory 2.4GHz : FCC__11B FCC__11G FCC_HT20 FCC_HT40 ETSI_11B ETSI_11G ETSIHT20 ETSIHT40 ???__11A ???__11A ???__11A ???__11A

         Frequency 0 :  2412[1] 2462[11]  2412[1] 2462[11]  2412[1] 2462[11]  2422[3]  2447[8]  2412[1] 2472[13]  2412[1] 2472[13]
        Power|Edge 0 :   48|1     44|2     58|1     19|2     00|0     00|0     00|0     00|0     00|0     00|0     00|0     00|0  

         Frequency 1 :  2336[0]  2336[0]  2333[0]  2334[0]  2332[0]  2333[0]  2318[0]  2390[0]  2332[0]  2332[0]  2332[0]  2332[0]
        Power|Edge 1 :   32|0     32|0     32|0     32|1     00|0     00|0     00|0     00|0     00|0     00|0     00|0     00|0  

         Frequency 2 :  2417[2]     0x00  2417[2]     0x00  2417[2]     0x00  2427[4]  2452[9]  2417[2]     0x00  2417[2]     0x00
        Power|Edge 2 :   53|1     00|0     63|1     34|2     00|0     00|0     00|0     00|0     00|0     00|0     00|0     00|0  

         Frequency 3 :  2400[0]     0x00  2400[0]     0x00  2400[0]     0x00  2390[0]  2319[0]  2396[0]     0x00  2396[0]     0x00
        Power|Edge 3 :   32|1     00|0     32|1     32|0     00|0     00|0     00|0     00|0     00|0     00|0     00|0     00|0  

same values dump from alfa:

   Regulatory 2.4GHz : FCC__11B FCC__11G FCC_HT20 FCC_HT40 MKK__11B MKK__11G MKK_HT20 MKK_HT40 ETSI_11B ETSI_11G ETSIHT20 ETSIHT40

         Frequency 0 :  2412[1] 2462[11]  2412[1] 2462[11]  2412[1] 2462[11]  2422[3]  2447[8]  2412[1] 2472[13]  2412[1] 2472[13]
        Power|Edge 0 :   48|1     44|2     58|1     19|2     48|1     44|2     48|1     44|2     48|1     44|2     58|1     19|2  

         Frequency 1 :  2360[0]  2360[0]  2360[0]  2360[0]  2360[0]  2360[0]  2360[0] 2424[3+]  2360[0]  2360[0]  2360[0]  2360[0]
        Power|Edge 1 :   60|0     60|0     60|0     60|1     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|1  

         Frequency 2 :  2417[2]     0x00  2417[2]     0x00  2417[2]     0x00  2427[4]  2452[9]  2417[2] 2484[14]  2417[2]     0x00
        Power|Edge 2 :   53|1     00|0     63|1     34|2     53|1     00|0     53|1     00|0     53|1     00|0     63|1     34|2  

         Frequency 3 : 2424[3+]     0x00 2424[3+]     0x00 2424[3+]     0x00 2424[3+]  2360[0] 2424[3+]  2360[0] 2424[3+]     0x00
        Power|Edge 3 :   60|1     00|0     60|1     60|0     60|1     00|0     60|1     00|0     60|1     00|0     60|1     60|0  

[olerem]

Just a side note: bootrom code is in this git repo. So, it is open,

[psyborg55]

maybe my mod is inaccurate due to differences in eeprom layouts?

   Regulatory 2.4GHz : MKK__11B MKK__11G MKK_HT20 MKK_HT40 FCC__11B FCC__11G FCC_HT20 FCC_HT40 ETSI_11B ETSI_11G ETSIHT20 ETSIHT40

         Frequency 0 :  2312[0]  2312[0]  2312[0]  2312[0]  2312[0]  2312[0]  2312[0]  2312[0]  2312[0]  2312[0]  2312[0]  2312[0]
        Power|Edge 0 :   60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0  

         Frequency 1 :  2412[1]  2412[1]  2412[1]  2412[1]  2412[1]  2412[1]  2412[1]  2412[1]  2412[1]  2412[1]  2412[1]  2412[1]
        Power|Edge 1 :   60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0  

         Frequency 2 : 2462[11] 2462[11] 2462[11] 2462[11] 2462[11] 2462[11] 2462[11] 2462[11] 2462[11] 2462[11] 2462[11] 2462[11]
        Power|Edge 2 :   60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0  

         Frequency 3 : 2484[14] 2484[14] 2484[14] 2484[14] 2484[14] 2484[14] 2484[14] 2484[14] 2484[14] 2484[14] 2484[14] 2484[14]
        Power|Edge 3 :   60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0     60|0  

[j4nn]

@psyborg55: the driver uses only ctl with nonzero index, it's in the for loop in eeprom_4k.c - it ends the loop when ctlIndex is zero in the eeprom:

for (i = 0; (i < AR5416_EEP4K_NUM_CTLS) &&
    pEepData->ctlIndex[i]; i++) {

that's why I am not parsing the zeroes there, having the same loop.

@olerem: did not know that, still, as it's a rom code, we can only hope, that the vendor used the same source. This may actually be different on each card (like tplink vs alfa vs ubqt). Is there any way we can read out the binary blob of the rom code? Possibly compare it with the build one?

[erikarn]

for reference - xpa isn't used any longer in anything seful. most of the time the tx power offset stuff is all subtly weirdly wrong. Has someone put together a table showing each TX power setting (in 0.5dBm increments) versus measured output? the problem is when it crosses into that secondary tx power curve, right?

…

-a

[j4nn]

for reference - xpa isn't used any longer in anything seful.

Could you please elaborate?
From hw point of view, xpa is in the alfa and it is also in the ubqt wifi station ext.
But it looks like the xpa is not used/enabled (at least with oss linux driver & fw) in any of those cards, as the signal strength received is close to each other even when the txpower limitations are removed.

How can we set txpower with 0.5dBm increments?
I am using following command:
iw dev wlan3 set txpower limit 1900
to set 19dBm txpower, but if 1950 is used, it returns
command failed: Operation not supported (-95)

I can provide tables for the graphs posted here, there are signal strength measurements for 1dBm txpower increments. But I do not have a spectrum analyser, if you mean that kind of output measurement.

I see following problems:

• the alfa card shows a txpower anomaly when switching between the two power detector gains and corresponding power detector curves set in calibration data in eeprom
• the cards having external power amp should show significantly stronger signal if all the regulatory & eeprom limits are removed, but it looks like there is only a small difference vs the common tplink card

[psyborg55]

between the two power detector gains

shouldn't that refer to xPA steps e.g from 1 to 2 ?

[j4nn]

It seems to me that output power is under the control of power detector closed loop - there are PDADC voltage levels set that correspond to output power in 0.5dBm steps, the programmed table has 128 pwr/voltage entries, the table is split in two, first half corresponds to power detector gain0 and the second half to PD gain1, the split is not in the middle, the split point is calculated by the driver and few other settings in the eeprom: pdGainOverlap_t2 and calculated gainBoundaries[].
It looks like the chip adjusts the output power to meet the requested target power for used transfer rate, using the power detector and voltages set in it.

Check this comment to see the behavior - the second gain was changed by factor 2 (as 0x0c was switched to 0x0a in xpdGain mask) making the voltage levels insufficient for target power and so the txpower jumps to the flat top when the PD gain is switched to the second one.

Check the pdf pointed above, it is described on page 14 and 15.

[erikarn]

hi, yes. it's this. There's multiple (up to two now I think?) PDADC voltage <-> dBm curves in 0.5dBm steps. The curves typically overlap. The table has an offset compared to AR5416->AR9160 because at least starting with ar9280 the target tx power starts at -5dBm and not 0 dBm. (You can't accurately transmit /at/ 0dBm; they just gave the target TX power programming more headroom.) Then starting with AR9285 the power control changed a little bit more; the AR9271 is effectively an AR9285 + AR7010 with some other little bits and pieces. Then there's a power table offset that takes into account what the output PA is. Some XPAs have a couple of gain settings; others can be enabled for TX but have no gain. So there's a couple of bits that run out of the chip to control whether to use the first or second XPA gain config; then external chips can determine which does what. (look for "switch table"..) I'm kinda at the point where I'll take loaner AR9271 units to plug into a spectrum analyser here and debug whats going on. I'm actually kitted up here to do TX power calibration. :-) So, which NICs should I either acquire and/or get donated? Thanks!

…

-adrian

On 28 October 2017 at 13:33, j4nn ***@***.***> wrote: It seems to me that output power is under the control of power detector closed loop - there are PDADC voltage levels set that correspond to output power in 0.5dBm steps, the programmed table has 128 pwr/voltage entries, the table is split in two, first half corresponds to power detector gain0 and the second half to PD gain1, the split is not in the middle, the split point is calculated by the driver and few other settings in the eeprom: pdGainOverlap_t2 and calculated gainBoundaries[]. It looks like the chip adjusts the output power to meet the requested target power for used transfer rate, using the power detector and voltages set in it. Check this comment <#82 (comment)> to see the behavior - the second gain was changed by factor 2 (as 0x0c was switched to 0x0a in xpdGain mask) making the voltage levels insufficient for target power and so the txpower jumps to the flat top when the PD gain is switched to the second one. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#82 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABGl7f7worCM0LRgCbZHjAhrw1cte-pbks5sw4-BgaJpZM4HLL6H> .

[j4nn]

I would be interested to see proper measurements for these units (that I have collected;-)

• Alfa AWUS036NHA
• Tplink TL-WN722N
• Ubiquiti WiFiStation EXT (if possible to get)
• Netgear WNDA3200 (no external antenna, so not sure if applicable for the measurement and possibly hard to get, but it's ath9k-htc with 5GHz support)
• Panasonic N5HBZ0000055 (similar as the netgear, except it has only 1 tx chain instead of 2, but possibly even harder to get)
• Alfa AWUS052NH (but this is not ath9k-htc, still advertised as high power, so it may be interesting - it has linear signal strength increase if not limited by regdb up to 30dBm of txpower but that max is more or less at the same max level as alfa or tplink have, if not limited by driver/regdb/eeprom)

[j4nn]

Ubiquiti WiFiStation EXT is interesting particularly because the external amp used there does not have the Power Detector Output signal like it is the case with the Alfa.
Not 100% sure about that, but it seems to me, that the ubqt still uses the PDADC closed loop, but the adc voltage is probably measured directly by the atheros chip on it's own output (before going to ext amp).

[erikarn]

Hi, Check to see if it's using the open loop power control. It's a bit set somewhere in the EEPROM.

…

-adrian

[j4nn]

Hi, I am afraid that this bit is not present in the 4k eeprom - it is not in the ar5416_eeprom_4k struct (which has different base header than ar5416_eeprom_def struct, in which the bit is there).
The ar5416_eeprom_def is used with Netgear WNDA3200 and Panasonic N5HBZ0000055.
These two units have it in the base_eeprom like this:
OpenLoop Power Ctrl : 0
so closed loop even with these two.

I think I read somewhere that the open loop means the output power is not directly measured for the amplification adjustments, while the closed loop means, the output power is really sampled on the RF output.

I have the case of open loop power control with the jjplus JWX6082 mini PCIe card (3T3R Atheros AR9390) - it has entirely different calibration setup in the eeprom. The open loop seems to use temperature sensor instead of sampling the output signal directly.

[erikarn]

Hi, So the AR9380 and later 11n parts are all open loop power control. I think the 11ac parts flipped back to close loop.

…

-adrian

[j4nn]

Hi, I've improved my measurements scripts, now transmitting and receiving is done by multiple cards at the same time, so we can compare under the very same interference conditions:

• patched ath9k_htc driver so that 20 beacons are sent with txpower tag added into SSID right after txpower is changed on the card in the driver (otherwise beacons with original /not tagged/ ssid are sent)
• starting multiple hostapd one for each transmit card with SSID containing the card id/name
• to include the Alfa AWUS052NH card in the test: patched rt2800usb driver to stop beaconing just before txpower is to be changed, apply the txpower change and request beacon update (with restart of beaconing) adding also txpower tag into SSID (cannot limit just to 20 beacons as they are transmitted by card's firmware without linux being involved) - this allows to test also the alfa5g card
• patched rt2800usb driver to improve txpower: using not used +6dBm gain and shifting tx power by +12 dBm (I guess the increase may be therefore max +12dBm if not clamped to just +6dBm)
• generated graphs now contain also an indication how many percent of packets that were expected were really received (may not be precise in case of the alfa5g card, but is precise for all ath9k_htc cards)
• graph of each card (and orig/test run) is shifted by 0.1 on x-axis in order to allow better readability allowing also the packet % indication at bottom to be drawn without collisions

This allows easy parsing of tcpdump captured data, having just one file for each receiving card, containing all transmitting beacons from all tx cards for all txpower levels, having txp level recorded in the packets' SSID. As receivers are receiving at the same time we can compare how the very same data and corresponding signal levels were viewed by different receiver cards.
I've also added a new tplink on the receiver side, so we have easier to get reference on both tx and rx ends.

I've used channel 8 for the tests as that channel looked the most free here with regard to possible interference (including nearby channels). A hostapd for each transmit card is started one after each other, using sleep .01 in bash script in between, using txpower of 20dBm. Then tcpdump is started on all remote receiving cards, using filter for beacons only with all the bssid addresses known from transmit cards. Then it waits for 5 seconds to hopefully resolve interference among the transmitters if there is any. Then measuring sequence starts with txpower limit changing from 0 to 30 dBm, sleeping in each txpower step for 0.1234 seconds (i.e. 21 times beacon interval, expecting capture of 20 tagged beacons in each step).
This process is run twice, first with 'orig' eeprom setup and then with 'test' eeprom setup (i.e. with increased txpower limits).
You can find the tcpdump capture files and resulting gnuplot graphs rendering sources attached here:
txpower-comp-xtag.tar.gz
To repeat again: the graphs shows transmitting and receiving from the same time, the same packets - only the "orig" and "test" variants were executed in sequence as reload of eeprom modifications are needed (this is to show the limitations from eeprom).

The results are interesting, but a bit confusing: we have a new winner - the alfa5g card (but only if the data is received by tplnk2) - comparing the alfa5g-test with alfa5g-orig shows the signal level increase is probably around the expected 12dBm:

but it's not clear on the graphs from the other receiving cards - here ubqte2 receiver shows that winner is ubqte1-test. And visibly lower are tplink-test, alfa5g-test and ubqte1-orig having practically the same max level, followed by a bit lower alfa2g-test :

The jjplus receiver shows that the most powerful were tplink-test with ubqte1-test both having the same max signal level, while alfa5g-test is visibly lower (on the same level with ntgear-test):

And the confusion is even worse with askeyc as the receiver - that one shows nearly the same max signal level for alfa5g-test, ubqte1-test and tplink-test:

Please also note in the above graphs, how ubqte2 nicely receives ubqte1, while tplnk2 receives tplink-test quite badly (losing there), while tplink-test is received greatly on askeyc (nearly at winning level) and jjplus (being one of the winners there). The graphs also show again the previously described alfa2g txpower anomally - it's level is also interesting, comparing it to the other cards (and to it's own signal level corresponding to max /not clamped/ txpower level, i.e. the 26dBm).

As all these measurements are relative - it would be interesting to know, what txpower is really on the RF output of any of those cards - for example the very common tplink - the txpower from spectrum analyser with original and with patched eeprom (on 26dBm txpower limit level set) would be great.

Not sure what can be concluded from the above tests - it looks like the high power expensive cards from alfa perform quite similar to tplink if the eeprom limitations are removed, at least in case of the most receivers (in 3 out of 4)?
Or is there still any limitation to be found or some setting to activate higher external amplifier gain?
It would be also interesting to measure the power of the Alfa AWUS036H card, of which there is a common belief (or myth?) that it has 1W txpower output. I do not have that card for comparison and do not consider one to collect as it become obsolete.

[psyborg55]

you will get regression with tplink if try you to patch it to more than 23dBm, both on windows and linux

[j4nn]

I am not sure what you mean exactly?
If eeprom of tplink is patched (in ram copy) in linux, signal level continues to rise with txpower up to 26dBm - as visible in every graph in my last comment, the black triangle vs red dot (which is limited in eeprom since 16dBm of txpower).
I do not know about the behaviour on windows - did not test that. I do not even know how it is with drivers on windows - are they also open source?
If not, such testing would need true write in the eeprom to have the changes persistent across different OSes.

[psyborg55]

i know that i even managed to patch the eeprom in a way that setting the power over 26dBm doesn't crash the signal. but highest output power would help only if used 1Mbps rate.

at 23dBm rate power for 6-24 and 20dBm for 54, bandwidth test on both windows and linux was about 90Mbps, if increased for only 1dBm there is a drop to 70Mbps

[j4nn]

That is something I did not test yet. But I understand that higher rates need to have lower power.
So my 'test' change of the eeprom is basically finding max value in target power table, calculate difference of that max to reach 60 and add this diff to all target power table values.
So decreasing of txpower for higher rates was still kept in the "modified" eeprom, but shifted higher.
I plan to use the above graphs to find a top txpower and set the eeprom in a way that it would go flat for higher txpower values (so avoiding the drop for txpower > 26). After that it would be good to test performance of higher rates.

I am wondering what did you change to avoid the drop for txpower over 26dBm, while still getting the signal even stronger?
Did you manage that only with tplink or with alfa as well?

[psyborg55]

it wasn't stronger. it was just capped at 26 (i put 26 as target power) even if your driver set 30 or 27 as default. i only tried with tplink. can you describe how you shift +12dB power in rt2x00 driver?

[j4nn]

This is maybe getting a bit off topic - this issue should be about the AR9271 chipset, particularly the alfa AWUS036NHA txpower anomaly.
The txpower increase in rt2800usb driver is hinted already in the comment, but I am sending you an email with more details.
Do you have the AWUS052NH card too?

[psyborg55]

no

[psyborg55]

can driver load eeprom from 24C32 eeprom instead of 24C08?

[alismatales]

No new developments on this?
I ran into this bug as well. I have 2 of the AWUS036NHA with the Atheros AR9271 chipset and with some experimentation i figured out that it has the highest transmit power at the setting of 16-17 dBm, it while it reduces considerably when you set it higher.

I confirmed that three ways:

1. The signal level reported by an access point it is connected to (tp link router running openwrt)
2. Power consumption measured by a USB amp meter
3. Using the second AWUS cards spectrum analysis capability with https://github.com/bcopeland/speccy

At a setting of 16 dBm the card consumes about 3.3 watts which drops down to less than half when it's set above 16.

Setting to 20 or 30 doesnt make any difference.

I mean i can live with that since i know where the sweet spot is, but seeing how many people try to coax their cards up to 30 dBm with regulatory hacks and driver patches while it wont do anything at all..

Besides, i think this should be further analyzed and fixed because it could lead to people operating their cards illegally unintentionally.
I cant measure the exact power transmitted, but i kinda doubt that it is only sending actual 40 mW at a setting of 16 dBm, when the card consumes over 3 watts at that setting and it even makes my 2.4 Ghz wireless mouse and keyboard unusable in the same room.

[sergiy213]

Possible than full power permitted become luck of power because also reciever consume. среда, 7 августа 2019 г. пользователь alismatales <notifications@github.com> написал:

…

No new developments on this? I ran into this bug as well. I have 2 of the AWUS036NHA with the Atheros AR9271 chipset and with some experimentation i figured out that it has the highest transmit power at the setting of 16-17 dBm, it while it reduces considerably when you set it higher. I confirmed that three ways: 1. The signal level reported by an access point it is connected to (tp link router running openwrt) 2. Power consumption measured by a USB amp meter 3. Using the second AWUS cards spectrum analysis capability with https://github.com/bcopeland/speccy <https://github.com/bcopeland/speccy> At a setting of 16 dBm the card consumes about 3.3 watts which drops down to less than half when it's set above 16. Setting to 20 or 30 doesnt make any difference. I mean i can live with that since i know where the sweet spot is, but seeing how many people try to coax their cards up to 30 dBm with regulatory hacks and driver patches while it wont do anything at all.. Besides, i think this should be further analyzed and fixed because it could lead to people operating their cards illegally unintentionally. I cant measure the exact power transmitted, but i kinda doubt that it is only sending actual 40 mW at a setting of 16 dBm, when the card consumes over 3 watts at that setting and it even makes my 2.4 Ghz mouse and keyboard unusable in the same room. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#82?email_source=notifications&email_token=AIBWFOMSYHOPKV7GSRK5AVLQDKKD5A5CNFSM4BZMX2D2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD3X2W6A#issuecomment-519023480>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AIBWFOKAELD7PYOGCHL5APLQDKKD5ANCNFSM4BZMX2DQ> .