Xiaomi Up The Power

• Some of the Mediatek 7628 based Xiaomi models does not use the all the available transmit power when running OpenWrt
• Both the 4A 100M Edition and 4C I purchased had this issue.
• Fortunately the fix is fairly simple.

• The Flash chip of the device is segmented in various blocks.
• One of these blocks is called factory and contains things specific to the device e.g. its MAC Address.
• When the operating system then boots up it reads a know location on this bloc to get and configure the device with the correct MAC Address.
• This block is also consulted when applying a limit on the broadcast power of the radio.
• With the default values in the factory block some devices has a limit of only 14.0 dBm TX power on the 2.4 radio.
• This is despite the fact that the radio on the device is capable to transmit much more.
• To overcome this limitation we will do the following on each device:
  • Flash a copy of the OpenWrt with MESHdesk firmware in device (it has kmod-mtd-rw included already).
  • Make a backup of the factory mtd block.
  • Modify some values in the copy of the factory mtd block.
  • Write the updated factory mtd block back to the device.
  • Reboot
  • Unleash the fury.

• To check what the current TX power limit is ssh into the device and issue the flowing command

iw list
#Look For This section
	HT TX/RX MCS rate indexes supported: 0-15
		Frequencies:
			* 2412 MHz [1] (14.0 dBm)
			* 2417 MHz [2] (14.0 dBm)
			* 2422 MHz [3] (14.0 dBm)
			* 2427 MHz [4] (14.0 dBm)
			* 2432 MHz [5] (14.0 dBm)
			* 2437 MHz [6] (14.0 dBm)
			* 2442 MHz [7] (14.0 dBm)
			* 2447 MHz [8] (14.0 dBm)
			* 2452 MHz [9] (14.0 dBm)
			* 2457 MHz [10] (14.0 dBm)
			* 2462 MHz [11] (14.0 dBm)
			* 2467 MHz [12] (disabled)
			* 2472 MHz [13] (disabled)
			* 2484 MHz [14] (disabled)
	valid interface combinations:

• There you can see our device is limited to 14 dBm transmit power.

• For this we use the Luci web interface to the device.
• Go to System → Backup / Flash Firmware.
• Under Save mtdblock contents select the factory mtdblock.
• Click the SAVE MTDBLOCK button to download it.
• The name of the file has a convention of <HOSTNAME>.<Partition name>.bin (e.g. 4C-GW.mtd2.bin)

• This is probably equivalent to brain surgery on a device
• Open the factory block file with a hex editor. We use GHex on Ubuntu.
• Starting from address A0 is a row of values.
• There are 14 of them.
• On my 4C it is C0.
• On the 4A 100M the value was 80 instead of C0 but the 14x pattern was still present.
• See screenshot below

• Change those values to FF.

• Save the file under another name to show its the high power tweaked one e.g. 4C-GW.mtd2_hp.bin

• Copy the modified file to the /tmp directory on the device.
• Insert the mtd-rw kernel module.
• Override the old factory block.

#My AP is on 192.168.8.120
scp 4C-GW.mtd2_hp.bin root@192.168.8.120:/tmp
#ssh into it
ssh root@192.168.8.120
#cd to /tmp
cd /tmp
#Insert the mtd_rw module 
# (You can potentially break the router but it is rare that's why you need the permission flag)
insmod mtd-rw.ko i_want_a_brick=1
#Substitute the name to match your file name
mtd write /tmp/4C-GW.mtd2_hp.bin factory
# This will happen
.....
Unlocking factory ...
 
Writing from /tmp/4C-GW.mtd2_hp.bin to factory ... 
# Reboot the device

• SSH into the device to check if it worked.

iw list 
 
#Look for this...
Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: No restriction (0x00)
		HT TX/RX MCS rate indexes supported: 0-15
		Frequencies:
			* 2412 MHz [1] (30.0 dBm)
			* 2417 MHz [2] (30.0 dBm)
			* 2422 MHz [3] (30.0 dBm)
			* 2427 MHz [4] (30.0 dBm)
			* 2432 MHz [5] (30.0 dBm)
			* 2437 MHz [6] (30.0 dBm)
			* 2442 MHz [7] (30.0 dBm)
			* 2447 MHz [8] (30.0 dBm)
			* 2452 MHz [9] (30.0 dBm)
			* 2457 MHz [10] (30.0 dBm)
			* 2462 MHz [11] (30.0 dBm)
			* 2467 MHz [12] (disabled)
			* 2472 MHz [13] (disabled)
			* 2484 MHz [14] (disabled)