This is an exact mirror of

reznor::dot::com has nothing to do with the origination of this piece, technical accuracy, voided warranties, etc. You know the drill.

This text file by Xam (C) 2001 .. and all that jazz

comments/questions/etc to

This file is a result of learning of an interesting
set of features available to the user of a "WAP11"
access point, sold by Linksys. The original persons
who dispensed this little bit of knowledge are
deserving of much thanks and credit, however, I'm not
sure if much detail should be gotten into. In any
case, the original discovery was not my own.

For now, they are known as the:

	"super secret canadian wireless group"

So, what's so cool about the WAP11? Well, let's cut to
the chase; with a little bit of effort, you can turn
the "normal" WAP11 into an Access Point with surprising
range and power, by simply telling its radio to
output a stronger signal.

Yes; the power output IS a software-controllable
parameter set. A location in the bridge's configuration
space called "register CR31" contains 14 values, each
one byte in size, which serve to control the transmit
power. Yes, there is a byte per channel; you're not
stuck with a single output power for all channels. This
could be useful in cases where contoured
power output within the 2400 to 2480 MHz band is needed.

Within the tool (discussed later) you'll be setting this 
byte to various values depending on the power output
you're looking for. 

The scale is as follows:


The scale is linear, 80h (128 decimal) being the highest
power, at nearly 100 mw! YES! The WAP11, in fact, contains
a radio which is capable of 100 mw operation. It is
interesting to note that the power falls as you near FF
and 00 on either end of the byte values.

Listed here is the default channel set power for a WAP11
bought recently with the FCC regulatory domain set.

Channel		Power

1		c0
2		bf
3		bb
4		bb
5		b9
6		b7
7		b7
8		b7
9		b5
10		b5
11		b5
12		b5
13		b5
14		b5

The defaults are moving away from higher values to lower
values as you go from channel 1 to 14. However, this
translates into lower power UP to higher power through
the band. This could simply be precompensation for greater
absorption experienced by higher frequencies. Or, a number
of other reasons. I'm not inclined to think it's due
to correcting for absorption; we're only talking an ~80 MHz
band here, starting from 2400 MHz. In any case, the OEM
gives us a good head-scratcher here.

In effect, the radio on channel 1 is putting out about
50 mw. At channel 14, we're outputting nearer to 41 mw.
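
As an added example (not part of the original text), here is a check that
compares a CR31 dump against the default table above and reports which
channels have been moved toward or away from 80h. How the 14 bytes are read
off the AP is not covered; the hex-string input format and the function names
are assumptions.

```python
# Added example: flag CR31 bytes that differ from the defaults listed above.
# Factory values for channels 1-14, copied from the FCC-domain table.
FCC_DEFAULTS = bytes.fromhex("c0 bf bb bb b9 b7 b7 b7 b5 b5 b5 b5 b5 b5")
PEAK = 0x80  # per the text, the byte value giving the highest output


def parse_cr31(dump):
    """Parse a hex dump such as 'c0 bf bb ...' into exactly 14 bytes."""
    tokens = dump.replace(":", " ").replace(",", " ").split()
    raw = bytes(int(tok, 16) for tok in tokens)  # ValueError if not a byte
    if len(raw) != len(FCC_DEFAULTS):
        raise ValueError(f"CR31 holds 14 bytes, got {len(raw)}")
    return raw


def audit_cr31(dump, baseline=FCC_DEFAULTS):
    """Return (channel, default, current, verdict) for each changed channel."""
    findings = []
    pairs = zip(baseline, parse_cr31(dump))
    for channel, (default, current) in enumerate(pairs, start=1):
        if current == default:
            continue
        # The text says power falls off toward 00 and FF, so a byte that
        # sits closer to 80h than the default means more output power.
        moved = abs(default - PEAK) - abs(current - PEAK)
        if moved > 0:
            verdict = "raised"
        elif moved < 0:
            verdict = "lowered"
        else:
            verdict = "same-distance"
        findings.append((channel, default, current, verdict))
    return findings


# Constructed sample: channel 1 moved to e0, channel 6 moved to 80.
SAMPLE = "e0 bf bb bb b9 80 b7 b7 b5 b5 b5 b5 b5 b5"

if __name__ == "__main__":
    for ch, old, new, verdict in audit_cr31(SAMPLE):
        print(f"channel {ch:2d}: {old:02x} -> {new:02x} ({verdict})")
```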

I think we deserve a nice helping of gigahertz radiation.
Let's crank all the values to "80h" (128 dec), and revel
in our now gratuitously overpowered Access Point.

Doing it:

To mess with your access point, you'll probably want/need
the tools to do it. You can find them here:


Atmel_SNMP_manager_v1.743.exe - this is for the config  

NOTE: This is a win32 program, prefers nt/2k over 9x 

NOTE: Will someone please do this procedure, and capture
the whole mess on TCPDUMP?  

If you'd like to get a firmware rev just one step
ahead of what Linksys themselves are putting on their site,
be sure to grab:

AP14g7.rom  from:

Current (as of 12/17/01) is 1.4g5 for 1.0 hardware; 1.1
hardware seems to like 1.4h.3 better. In general, it's best
to keep yourself up to date with the newer firmware revs and
what's preferred for 1.0/1.1 versions of the AP hardware.

Some tell-tale signs that you have 1.0 hardware:

-you bought the AP mid-summer 2001, or earlier
-when running 1.4h.3, SNMP access is broken
-ETSI regulatory domain is set for US radios

Some tell-tale signs that you have 1.1 hardware: 

-you bought the AP late-summer 2001, or later
-when running anything older than 1.4h.3 things are unstable
-running 1.4g5 or 1.4g7 firmware 'breaks' the AP
-FCC regulatory domain set for US radios

Now that you've downloaded the Atmel config tool, install it.
After the installation is done, go edit the file called:

"snmpmanager.ini" .. this will be located in 
%systemroot%\winnt or \windows depending on your OS. The 
default values of:


Change both values to "2" .. this will essentially 'unlock'
the features we need in the Atmel config tool.

Next, start the Atmel config tool (if you're in 9x you'll
actually need to reboot). Some notes about what's going on:

-You'll need to have set up a writeable/readable community
string on the AP you're working on. The best way to do this
is to download the Linksys SNMP/USB config tool, and set up
the AP via USB initially. Once you get its base config set,
you can then connect via SNMP over IP.

-You can get the Linksys tool from the same location the
Atmel one is in:

-You'll need to be on the same subnet as the AP if your
DHCP server isn't handing out leases with a default router
specified. For some reason, you can't set a default route
with the USB util. 

So, once you've gotten the bridge on the newer firmware,
set up a read/write community string in the USB util, and
put the thing on an IP you can contact, you're ready to

Within the Atmel tool, go to "connect to access point." You
will want to log in as "admin" and the community name will be
the one you set up for read/write in the USB util.

Proceed to the "radio" menu, and select "radio config." Voila!
Here's the CR31 register control. Go through and set the bytes
to the value you love most, and that is "80." Upon hitting
"set" your radio will receive new config data, and
restart. When it comes back up, you'll have that crazy power
you always dreamed of!

So, that's all there is to it, really. Spin through the other
areas in the Atmel tool; there certainly are quite a few more
things than included with the Linksys util.

...and with that, enjoy.