This shows you the differences between two versions of the page.
| 2021:xiaomi_power [2021/11/16 15:44] – [Up The TX Power - In Theory] admin | 2021:xiaomi_power [2021/11/17 06:00] (current) – [Edit The Factory Block] admin | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Xiaomi Up The Power ====== | ====== Xiaomi Up The Power ====== | ||
| ===== Are You Low On TX Power? ===== | ===== Are You Low On TX Power? ===== | ||
| - | * Some of the Mediatek 7628 based Xiaomi models does not use the all the available transmit power when running OpenWrt | + | * Some of the Mediatek |
| - | * Both the **4A 100M Edition** and **4C** I purchased | + | * Both the **4A 100M Edition** and **4C** I purchased had this issue. |
| * Fortunately the fix is fairly simple. | * Fortunately the fix is fairly simple. | ||
| Line 18: | Line 18: | ||
| * Write the updated **factory** mtd block back to the device. | * Write the updated **factory** mtd block back to the device. | ||
| * Reboot | * Reboot | ||
| - | * Enjoy more power. | + | * Unleash the fury. |
| + | |||
| + | ===== Current TX Power ===== | ||
| + | * To check what the current TX power limit is ssh into the device and issue the flowing command | ||
| + | |||
| + | <code shell> | ||
| + | iw list | ||
| + | #Look For This section | ||
| + | HT TX/RX MCS rate indexes supported: 0-15 | ||
| + | Frequencies: | ||
| + | * 2412 MHz [1] (14.0 dBm) | ||
| + | * 2417 MHz [2] (14.0 dBm) | ||
| + | * 2422 MHz [3] (14.0 dBm) | ||
| + | * 2427 MHz [4] (14.0 dBm) | ||
| + | * 2432 MHz [5] (14.0 dBm) | ||
| + | * 2437 MHz [6] (14.0 dBm) | ||
| + | * 2442 MHz [7] (14.0 dBm) | ||
| + | * 2447 MHz [8] (14.0 dBm) | ||
| + | * 2452 MHz [9] (14.0 dBm) | ||
| + | * 2457 MHz [10] (14.0 dBm) | ||
| + | * 2462 MHz [11] (14.0 dBm) | ||
| + | * 2467 MHz [12] (disabled) | ||
| + | * 2472 MHz [13] (disabled) | ||
| + | * 2484 MHz [14] (disabled) | ||
| + | valid interface combinations: | ||
| + | </ | ||
| + | * There you can see our device is limited to 14 dBm transmit power. | ||
| + | |||
| + | ===== Backup factory block ===== | ||
| + | * For this we use the Luci web interface to the device. | ||
| + | * Go to **System** -> **Backup / Flash Firmware**. | ||
| + | * Under **Save mtdblock contents** select the **factory** mtdblock. | ||
| + | * Click the **SAVE MTDBLOCK** button to download it. | ||
| + | * The name of the file has a convention of < | ||
| + | |||
| + | <WRAP center round tip 90%> | ||
| + | Keep in mind that the factory block on each device is unique to that device and has to be treated as such. | ||
| + | </ | ||
| + | |||
| + | ===== Edit The Factory Block ===== | ||
| + | * This is probably equivalent to brain surgery on a device LOL | ||
| + | * Open the factory block file with a hex editor. We use GHex on Ubuntu. | ||
| + | * Starting from address **A0** is a row of values. | ||
| + | * There are **14** of them. | ||
| + | * On my **4C** it is **C0**. | ||
| + | * On the **4A 100M** the value was **80** instead of **C0** but the 14x pattern was still present. | ||
| + | * See screenshot below | ||
| + | {{: | ||
| + | * Change those values to **FF**. | ||
| + | {{: | ||
| + | * Save the file under another name to show its the high power tweaked one e.g. 4C-GW.mtd2_hp.bin | ||
| + | |||
| + | ===== Replace The factory Block ===== | ||
| + | * Copy the modified file to the ///tmp// directory on the device. | ||
| + | * Insert the **mtd-rw** kernel module. | ||
| + | * Override the old **factory** block. | ||
| + | <code bash> | ||
| + | #My AP is on 192.168.8.120 | ||
| + | scp 4C-GW.mtd2_hp.bin root@192.168.8.120:/ | ||
| + | #ssh into it | ||
| + | ssh root@192.168.8.120 | ||
| + | #cd to /tmp | ||
| + | cd /tmp | ||
| + | #Insert the mtd_rw module | ||
| + | # (You can potentially break the router but it is rare that's why you need the permission flag) | ||
| + | insmod mtd-rw.ko i_want_a_brick=1 | ||
| + | #Substitute the name to match your file name | ||
| + | mtd write / | ||
| + | # This will happen | ||
| + | ..... | ||
| + | Unlocking factory ... | ||
| + | |||
| + | Writing from / | ||
| + | # Reboot the device | ||
| + | </ | ||
| + | |||
| + | ===== UNLEASH THE FURY===== | ||
| + | |||
| + | <WRAP round box> | ||
| + | ==== UNLEASH THE FURY - HOWTO ==== | ||
| + | {{ youtube> | ||
| + | \\ | ||
| + | During boot time shout **Unleash the Fury** at the Xiaomi | ||
| + | </ | ||
| + | |||
| + | * SSH into the device to check if it worked. | ||
| + | <code bash> | ||
| + | iw list | ||
| + | |||
| + | #Look for this... | ||
| + | Maximum RX AMPDU length 65535 bytes (exponent: 0x003) | ||
| + | Minimum RX AMPDU time spacing: No restriction (0x00) | ||
| + | HT TX/RX MCS rate indexes supported: 0-15 | ||
| + | Frequencies: | ||
| + | * 2412 MHz [1] (30.0 dBm) | ||
| + | * 2417 MHz [2] (30.0 dBm) | ||
| + | * 2422 MHz [3] (30.0 dBm) | ||
| + | * 2427 MHz [4] (30.0 dBm) | ||
| + | * 2432 MHz [5] (30.0 dBm) | ||
| + | * 2437 MHz [6] (30.0 dBm) | ||
| + | * 2442 MHz [7] (30.0 dBm) | ||
| + | * 2447 MHz [8] (30.0 dBm) | ||
| + | * 2452 MHz [9] (30.0 dBm) | ||
| + | * 2457 MHz [10] (30.0 dBm) | ||
| + | * 2462 MHz [11] (30.0 dBm) | ||
| + | * 2467 MHz [12] (disabled) | ||
| + | * 2472 MHz [13] (disabled) | ||
| + | * 2484 MHz [14] (disabled) | ||
| + | </ | ||
| + | |||
| + | |||
| + | |||
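
Review bot: In "Replace The factory Block", `mtd write` is run on a hand-edited image with no check that the edit touched only the intended bytes. Add a step before the write that compares the edited file with the saved backup and confirms both are the same size and differ only in the 14 values starting at address A0. The tip box already says the factory block is unique to each device, so the page should also tell the reader to keep the untouched backup off the device, and to read the block back after the write and compare it with the edited file before rebooting. The code block ends on the comment "# Reboot the device" with no command after it; either add the command or move the step into the bullet list. Under "Edit The Factory Block", "On my 4C it is C0" reads as if C0 were an address, directly after "Starting from address A0"; wording such as "each value is C0" removes the ambiguity. Typos in the added lines: "flowing command" in "Current TX Power" and "its" for "it's" in the save step.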