====== Xiaomi Up The Power  ======
===== Are You Low On TX Power? =====
  * Some of the Mediatek **7628** based Xiaomi models does not use the all the available transmit power when running OpenWrt
  * Both the **4A 100M Edition** and **4C** I purchased had this issue.
  * Fortunately the fix is fairly simple.

===== Up The TX Power - The Action Plan  =====
  * The Flash chip of the device is segmented in various blocks.
  * One of these blocks is called **factory** and contains things specific to the device e.g. its MAC Address.
  * When the operating system then boots up it reads a know location on this bloc to get and configure the device with the correct MAC Address.
  * This block is also consulted when applying a limit on the broadcast power of the radio.
  * <wrap em>With the default values in the **factory** block some devices has a limit of only 14.0 dBm TX power on the 2.4 radio.</wrap>
  * This is despite the fact that the radio on the device is capable to transmit much more.
  * To overcome this limitation we will do the following on each device:
        * Flash a copy of the OpenWrt with MESHdesk firmware in device //(it has kmod-mtd-rw included already)//.
        * Make a backup of the **factory** mtd block.
        * Modify some values in the copy of the **factory** mtd block.
        * Write the updated **factory** mtd block back to the device.
        * Reboot
        * Unleash the fury.

===== Current TX Power =====
  * To check what the current TX power limit is ssh into the device and issue the flowing command

<code shell>
iw list
#Look For This section
	HT TX/RX MCS rate indexes supported: 0-15
		Frequencies:
			* 2412 MHz [1] (14.0 dBm)
			* 2417 MHz [2] (14.0 dBm)
			* 2422 MHz [3] (14.0 dBm)
			* 2427 MHz [4] (14.0 dBm)
			* 2432 MHz [5] (14.0 dBm)
			* 2437 MHz [6] (14.0 dBm)
			* 2442 MHz [7] (14.0 dBm)
			* 2447 MHz [8] (14.0 dBm)
			* 2452 MHz [9] (14.0 dBm)
			* 2457 MHz [10] (14.0 dBm)
			* 2462 MHz [11] (14.0 dBm)
			* 2467 MHz [12] (disabled)
			* 2472 MHz [13] (disabled)
			* 2484 MHz [14] (disabled)
	valid interface combinations:
</code>
  * There you can see our device is limited to 14 dBm transmit power.

===== Backup factory block =====
  * For this we use the Luci web interface to the device.
  * Go to **System** -> **Backup / Flash Firmware**.
  * Under **Save mtdblock contents** select the **factory** mtdblock.
  * Click the **SAVE MTDBLOCK** button to download it.
  * The name of the file has a convention of <HOSTNAME>.<Partition name>.bin (e.g. 4C-GW.mtd2.bin)

<WRAP center round tip 90%>
Keep in mind that the factory block on each device is unique to that device and has to be treated as such.
</WRAP>

===== Edit The Factory Block =====
  * This is probably equivalent to brain surgery on a device LOL
  * Open the factory block file with a hex editor. We use GHex on Ubuntu.
  * Starting from address **A0** is a row of values.
  * There are **14** of them.
  * On my **4C** it is **C0**.
  * On the **4A 100M** the value was **80** instead of **C0** but the 14x pattern was still present.
  * See screenshot below
{{:2021:hex_4c.png?nolink|}}
  * Change those values to **FF**.
{{:2021:hex_4c_hp.png?nolink|}}
  * Save the file under another name to show its the high power tweaked one e.g. 4C-GW.mtd2_hp.bin

===== Replace The factory Block  =====
  * Copy the modified file to the ///tmp// directory on the device.
  * Insert the **mtd-rw** kernel module.
  * Override the old **factory** block.
<code bash>
#My AP is on 192.168.8.120
scp 4C-GW.mtd2_hp.bin root@192.168.8.120:/tmp
#ssh into it
ssh root@192.168.8.120
#cd to /tmp
cd /tmp
#Insert the mtd_rw module 
# (You can potentially break the router but it is rare that's why you need the permission flag)
insmod mtd-rw.ko i_want_a_brick=1
#Substitute the name to match your file name
mtd write /tmp/4C-GW.mtd2_hp.bin factory
# This will happen
.....
Unlocking factory ...

Writing from /tmp/4C-GW.mtd2_hp.bin to factory ... 
# Reboot the device
</code> 

===== UNLEASH THE FURY=====

<WRAP round box>
==== UNLEASH THE FURY - HOWTO ====
{{ youtube>LLMMx3MRi0s }}
\\
During boot time shout **Unleash the Fury** at the Xiaomi 
</WRAP>

  * SSH into the device to check if it worked.
<code bash>
iw list 

#Look for this...
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: No restriction (0x00)
		HT TX/RX MCS rate indexes supported: 0-15
		Frequencies:
			* 2412 MHz [1] (30.0 dBm)
			* 2417 MHz [2] (30.0 dBm)
			* 2422 MHz [3] (30.0 dBm)
			* 2427 MHz [4] (30.0 dBm)
			* 2432 MHz [5] (30.0 dBm)
			* 2437 MHz [6] (30.0 dBm)
			* 2442 MHz [7] (30.0 dBm)
			* 2447 MHz [8] (30.0 dBm)
			* 2452 MHz [9] (30.0 dBm)
			* 2457 MHz [10] (30.0 dBm)
			* 2462 MHz [11] (30.0 dBm)
			* 2467 MHz [12] (disabled)
			* 2472 MHz [13] (disabled)
			* 2484 MHz [14] (disabled)
</code>