Modifying Consumer Off the Shelf Wireless LAN devices for specialized amateur use



Background:

Since 1999 and possibly earlier, the US Department of Defense has used modified Consumer Off The Shelf (COTS) wireless LAN products reprogrammed to operate in military frequency bands with enhanced encryption. Most COTS WLAN products can be easily modified to employ these frequencies because of their modular architecture. Their future versions of modified COTS WLAN products may include frequency agile transceivers that can work in multiple frequency bands via plug-in modules or software selection.

It's a fact that most wireless devices are manufactured for international marketing. The manufacture just makes minor hardware or firmware changes to comply to the intended countries radio rules. These firmware options usually include minor output power and band plan changes. It may be possible and to a hams advantage to shift the center frequency of your device to avoid Part 15 interference or increase the devices output power to overcome Part 15 interference. Also to avoid Part 15 interference a ham may be able to change the country code in the devices firmware to shift frequency operation into foreign band plans that might not be shared with Part 15 here in the US.

Shifting frequency to keep out Part 15 may be a difficult or impractical option, but there are others ways which will have the same desired effect. It might be fairly easy to create a "non-compatible" fork of the source code for hams, that would keep 99.95% of the general public (Part 15) out of ham space.

There are several different chipsets out there such as; Marvell, Atmel, Atheros, Hermes, ADMTek, Infineon, Broadcom, Intersil/Prism, Ralink, Realtek, Texas Instruments, WiDeFi, VIA, Conexant.

The quicker overview of two pertinent areas you may be curious about: Enabling ham radio channels in wireless 802.11 devices

The Atheros chipsets for the IEEE 802.11 standard of wireless networking are used by over 30 different wireless device manufacturers, including Netgear, D-Link and Linksys. They were founded in 1998. The Atheros chipset doesn't really know about channels; they are determined by the code that's loaded into it at boot time. All of these country codes (including XX or ## which have been used for "without regulatory constraints") are part of the driver, or "hardware abstraction layer" (HAL). Atheros will sell you the tools to build a driver, if you're manufacturing a device and do a licensing agreement with them.

All of the below country codes (including XX or ## which have been used for "without regulatory constraints") are part of the driver, or "hardware abstraction layer" (HAL). These are the secrets to unlock all channels supported by the Atheros hardware (2312-2732, 4920-6100 MHz). It is up to the end user to ensure they stay within their region's regulatory channel ranges. (While IEEE has not assigned channels to these upper 2.4 GHz frequencies, however they would equate to 0, -1, -2, etc.)

These two-letter codes can be entered on the Atheros configuration dialog to enable certain bands for that country. Country codes can be used on cards with Regulatory Type (RT): All_Countries as shown in the regulatory information box.

Artheros Supported Channels (Center Frequencies) - 2GHz IEEE 802.11b/g channels (frequencies are given in MHz):

2312, 2314, 2317, 2319, 2322, 2324, 2327, 2329, 2332, 2334, 2337, 2339, 2342, 2344, 2347, 2349, 2352, 2354, 2357, 2359, 2362, 2364, 2367, 2369, 2372, 2374, 2377, 2379, 2382, 2384 2387, 2389, 2392, 2394, 2397, 2399, 2402, 2404, 2407, 2409, 2412, 2414, 2417, 2419, 2422, 2424, 2427, 2429, 2432, 2434, 2437, 2439, 2442, 2444, 2447, 2449, 2452, 2454, 2457, 2459, 2462, 2464, 2467, 2469, 2472, 2474, 2477, 2479, 2482, 2484, 2487, 2489, 2492, 2494, 2497, 2499, 2512, 2532, 2552, 2572, 2592, 2612, 2632, 2652, 2672, 2692, 2712, 2732

802.11a channels:

4920, 4925, 4930, 4935, 4940, 4945, 4950, 4955, 4960, 4965, 4970, 4975, 4980, 4985, 4990, 4995, 5000, 5005, 5010, 5015, 5020, 5025, 5030, 5035, 5040, 5045, 5050, 5055, 5060, 5065, 5070, 5075, 5080, 5085, 5090, 5095, 5100, 5105, 5110, 5115, 5120, 5125, 5130, 5135, 5140, 5145, 5150, 5155, 5160, 5165, 5170, 5175, 5180, 5185, 5190, 5195, 5200, 5205, 5210, 5215, 5220, 5225, 5230, 5235, 5240, 5245, 5250, 5255, 5260, 5265, 5270, 5275, 5280, 5285, 5290, 5295, 5300, 5305, 5310, 5315, 5320, 5325, 5330, 5335, 5340, 5345, 5350, 5355, 5360, 5365, 5370, 5375, 5380, 5385, 5390, 5395, 5400, 5405, 5410, 5415, 5420, 5425, 5430, 5435, 5440, 5445, 5450, 5455, 5460, 5465, 5470, 5475, 5480, 5485, 5490, 5495, 5500, 5505, 5510, 5515, 5520, 5525, 5530, 5535, 5540, 5545, 5550, 5555, 5560, 5565, 5570, 5575, 5580, 5585, 5590, 5595, 5600, 5605, 5610, 5615, 5620, 5625, 5630, 5635, 5640, 5645, 5650, 5655, 5660, 5665, 5670, 5675, 5680, 5685, 5690, 5695, 5700, 5705, 5710, 5715, 5720, 5725, 5730, 5735, 5740, 5745, 5750, 5755, 5760, 5765, 5770, 5775, 5780, 5785, 5790, 5795, 5800, 5805, 5810, 5815, 5820, 5825, 5830, 5835, 5840, 5845, 5850, 5855, 5860, 5865, 5870, 5875, 5880, 5885, 5890, 5895, 5900, 5905, 5910, 5915, 5920, 5925, 5930, 5935, 5940, 5945, 5950, 5955, 5960, 5965, 5970, 5975, 5980, 5985, 5990, 5995, 6000, 6005, 6010, 6015, 6020, 6025, 6030, 6035, 6040, 6045, 6050, 6055, 6060, 6065, 6070, 6075, 6080, 6085, 6090, 6095, 6100

You will notice that the channels appear to overlap. But you can lock in rates other than full speed and thusly use less bandwidth. A normal 802.11b channel @ 11Mbps occupies about 20 MHz, the 802.11g equivalent at 54 Mbps will also occupy about 20 MHz. There are a variety of different supported-rates and corresponding channel widths you can lock in; 1Mbps 2Mbps 5.5Mbps 6 Mbps, 9 Mbps, 11Mbps, 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps. Some of these rates are tied to the mode, 802.11b or 802.11g or the supported channels, so you will need to pay attention to that. The lowest Atheros channel a ham can use is centered at 2394 MHz.

As you can see my utilizing different supported-rates, you can take advantage of the different channels with minimal or no overlapping. You may also be able to fit a ham only channel in in band segments not shared with Part 15, resulting in a lower noise floor.

Atheros 10MHz and 5 Mhz modes.. (especially 5MHz) what modulation do they use, and what is the speed/ rx sensitivity in 5MHz channel mode/rate? compared to the published -95 or -97 dBm for 1Mbps (b) mode or the -92dBm for OFDM 6Mbps mode?

Here is a typical comparison chat that I managed to find in a FCC product ID test report:

Tx/Rx Specification 5 MHz Channel BW (QUARTER RATE) Data Rate Modulation Tx Power (± 1 dBm) Rx Sensitivity (± 2 dBm) 1.5 Mbps BPSK/COFDM 30 dBm -97 dBm 2.25 Mbps BPSK/COFDM 30 dBm -97 dBm 3 Mbps QPSK/COFDM 30 dBm -95 dBm 4.5 Mbps QPSK/COFDM 30 dBm -93 dBm 6 Mbps 16QAM/COFDM 30 dBm -90 dBm 9 Mbps 16QAM/COFDM 29 dBm -96 dBm 12 Mbps 64QAM/COFDM 28 dBm -81 dBm 13.5 Mbps 64QAM/COFDM 27 dBm -78 dBm

Tx/Rx Specification 10 MHz Channel BW (HALF RATE) Data Rate Modulation Tx Power (± 1 dBm) Rx Sensitivity (± 2 dBm) 3 Mbps BPSK/COFDM 30 dBm -95 dBm 4.5 Mbps BPSK/COFDM 30 dBm -95 dBm 6 Mbps QPSK/COFDM 30 dBm -93 dBm 9 Mbps QPSK/COFDM 30 dBm -91 dBm 12 Mbps 16QAM/COFDM 30 dBm -88 dBm 18 Mbps 16QAM/COFDM 29 dBm -84 dBm 24 Mbps 64QAM/COFDM 28 dBm -79 dBm 27 Mbps 64QAM/COFDM 27 dBm -76 dBm

Tx/Rx Specification 20 MHz Channel BW (FULL RATE) Data Rate Modulation Tx Power (± 1 dBm) Rx Sensitivity (± 2 dBm) 1 Mbps DBPSK/DSS 30 dBm -97 dBm 2 Mbps DBPSK/DSS 30 dBm -95 dBm 5.5 Mbps CCK/DSS 30 dBm -92 dBm 11 Mbps CCK/DSS 30 dBm -90 dBm 6 Mbps BPSK/COFDM 30 dBm -93 dBm 9 Mbps BPSK/COFDM 30 dBm -93 dBm 12 Mbps QPSK/COFDM 30 dBm -91 dBm 18 Mbps QPSK/COFDM 30 dBm -89 dBm 24 Mbps 16QAM/COFDM 30 dBm -86 dBm 36 Mbps 16QAM/COFDM 29 dBm -82 dBm 48 Mbps 64QAM/COFDM 28 dBm -77 dBm 54 Mbps 64QAM/COFDM 27 dBm -74 dBm

The long and sort of it is that the RX sensitivity doesn't change much. This is what I suspected all along since no one was claiming anything miraculous. While the carrier width might be less, I think the non-difference is more so explained by the spread spectrum loss of signal processing gain. Notice how the modulation changes at the various channel widths (but at the same data rate).

For a while no open source HAL's existed that can let you do 5/10Mhz mode. You had to use MikroTik, StarOS, IkarusOS, DD-WRT and a few others for these modes. As of June 2010, it appears that 5/10 Mhz support seems to be implemented in ath5k now.

Atheros Based Devices (known third party firmware exists for those in bold):

Accton: MR3101A, MR3202A, WN6301, WN5301D, WN4402,

Airlink 101: AR335W, AR430W, AR431W

Airlive / Ovislink: WHA-5500CPE, WHA-5500CPE-NT, WLA-5000, WLA-9000ap

Allnet: All0285

Asus: WL-200

Buffalo: WHR-HP-AG108

Conceptronic: C54APT

Compex: NP25G

D-Link: DIR-300, DIR-400, DIR-615, DIR-625, DIR-628, DSM-G600, DWL-2100, DWL-2100, DWL-G650, DWL-G520, DWL-AB650, DWL-AB520, DWL-A520,

FON: La Fonera

Gateway: 7001

Linksys: WRT54G v7.0, WRT55AG

Meraki: Mini, Outdoor

Netgear: WGT624, WGT624

OSBRiDGE: 24XLG, 24XLGi, 5Si

Senao / EnGenius: EAP-3660, ECB-3500, EOA-3650, EOC-1630, EOC-1650, EOC-2610, EOC-5610

SparkLAN: WX7615A, WX7800A

Ubiquiti: All products

US Robotics: USR5453

Wistron: CA8-4 Pro, RDAA-81, RDAT-81 PCBA

And even more interesting is that that within the Atheros chip it is possible for licensed developers to enable a local oscillator generation for a direct conversion radio transceiver. This is Not an open function, but irregardless, this is how 802.11 products on 900 MHz (Ubiquiti XR9), and 3 GHz (XR3) (as well as other places) are possible and on the market.

By 2003 the Linux community rallied behind Atheros and their technology. Open Source developer Sam Leffler, released an open source Linux driver for the 802.11a/b/g Atheros chipset. Leffler's, Multiband Atheros Driver for WiFi is also know as madwifi. His driver is actually partially open source driver per agreement with Atheros as the hardware abstraction layer (HAL) is a locked-down binary that restricts you to the Part 15 channels. MadWifi is a loadable kernel module driver for the Linux kernel that allows Atheros-based cards to work in Linux-based operating systems. The name is short for Multiband Atheros Driver for Wireless Fidelity. (It should be noted that the MadWifi project uses a HAL supplied by Sam Leffler. His HAL version differs from Atheros HAL)

Basically the Hardware Abstraction Layer (HAL) prevents developers from having access to most of the radio functionality, which would might allow use of frequencies that aren’t legal in particular countries, use of encodings that aren’t allowed, and other regulatory problems.

The Atheros chips have quite a bit of capability beyond the 802.11a/b/g bands and bandwidths. Around 2006 narrow channel 20/10/5MHz channel width cloaking options started to be discussed on the madwifi development lists. These capablies are used to reduce the channel spacing to produce more usable channels, at a cost of throughput. In typical 2.4GHz wireless AP, there are only 3 non-overlapping channels available but with cloaking we can use all 14 channels without interference. This is done by reducing the channel bandwidth spacing down to as low as 5 MHz per channel instead of 20 in normal mode. These adjustable channels widths are now part of the standard Atheros/Madwifi HAL.

Note: Madwifi has been subsumed by ath5k and ath9k for all intents and purposes.

A company called, Ascom in Switzerland, has written their own Atheros driver (under Atheros license), and will provide various versions of it for a fee. It is believed that this is the source of the implementations out there that permit operation out of the ISM/UNII bands such as Mikrotik, StarOS, Ikarus. If you pay an extra $10, Mikrotik will give you a code which unlocks the "custom" frequencies in 2.4 and 5 GHz that the Atheros chipset will support. They will ask that you sign a statement that you will comply with the rules of your country.

July 2007:

"A driver for Atheros wireless cards is available in OpenBSD that talks directly to the hardware, based on reverse engineering efforts done by Reyk Floeter. Relevant parts of the driver have been ported to Linux by Nick Kossifidis to start OpenHAL, a free (as in freedom) replacement of the proprietary HAL. Claims that the OpenBSD driver (and thus also OpenHAL) contains stolen code slowed down the OpenHAL efforts but finally could be voided. The Software Freedom Law Center (SFLC), with the help of Atheros, performed a thorough code review and concluded "that OpenHAL does not infringe copyrights held by Atheros". In other words, the way is clear now for the inclusion of an OpenHAL-based driver into the Linux kernel." Since this announcement madwifi has abandoned their prior proprietary partially open driver in favor of this new totally open one.

This new driver is called ath5k. "ath5k is a completely FOSS Linux driver for Atheros wireless cards. It is based on MadWifi and the OpenHAL. In ath5k we've gotten rid of the entire 2-module-layer HAL architecture, ath5k now just calls hardware functions directly."

Atheros obviously understands that a blob does not help to prevent people from tuning the radio to frequencies they are not allowed to use. Luis Rodriguez is working on a in-kernel framework called "Central Regulatory Domain Agent" (CRDA) which will take care of the regulatory issues involved in running a WLAN device. He has been hired by Atheros as they are now is sponsoring his work.

July 2008:

ath9k is the youngest of the three (completely FOSS) drivers. Initial development was done by Atheros, who then released the complete source code to the community. ath9k supports all currently available 802.11n chipsets from Atheros, where-as ath5k just supports a/b/g.

http://madwifi-project.org/ticket/941

http://madwifi-project.org/ticket/793

The WRT54G is notable for being the first consumer-level network device that had its firmware source code released to satisfy the obligations of the GNU GPL. This allows programmers to modify the firmware to change or add functionality to the device. Several third-party firmware projects provide the public with enhanced firmware for the WRT54G.

The WRT54G was released in 2003 in anticipation of the 802.11g standard. In June 2003 some folks on the Linux Kernel Mailing List sniffed around the WRT54G and found that its firmware was based on Linux components. Because Linux is released under the GNU General Public License, or GPL, the terms of the license obliged Linksys to make available the source code to the WRT54G firmware. As most router firmware is proprietary code, vendors have no such obligation. It remains unclear whether Linksys was aware of the WRT54G’s Linux lineage, and its associated source requirements, at the time they released the router. But ultimately, under outside pressure to deliver on their legal obligation under the GPL, Linksys open sourced the WRT54G firmware in July 2003.

With the code in hand, developers learned exactly how to talk to the hardware inside and how to code any features the hardware could support. It has spawning a handful of open source firmware projects for the WRT54G that extend its capabilities, and reliability, far beyond what is expected from a cheap consumer-grade router. In short due to open source, one can load a third party firmware on the router and give a $60 consumer homegrade router into a all the functionality of a $600 Cisco professional router. The Linksys WRT routers use the Broadcom chipset.

This firmware build came into being stemming from the Linksys WRT54G GPL discovery. Many other firmware builds use the OpenWrt code as a base and reference. It originally had no web interface, and around 2008 a very basic one was added. Since then it has matured significantly. What sets this firmware build apart aside from being the most open, is the numerous optional software packages available to add further features, most of which can be installed from the web interface.

It's worth looking at the Openwrt and Cerowrt projects. Cerowrt is based on openwrt and is developing support for mesh networks. Instead of building your own WRT package, use what exists and add resources to a great project.

MikroTik is a Latvian manufacturer of computer networking equipment, founded in 1995. The main product of MikroTik is a Linux-based operating systems known as MikroTik RouterOS The RouterOS, combined with their hardware product line, known as MikroTik RouterBOARD, is marketed at small to medium sized wireless Internet service providers, typically providing broadband wireless access in remote areas. It was one of the first combinations of hardware and software able to use Atheros channels/frequencies outside the Part 15 band. All one needed was a superchannel license.

From the Property Description section of the MikroTik reference manual:

frequency-mode (regulatory-domain | manual-tx-power | superchannel; default: superchannel) - defines which frequency channels to allow

• regulatory-domain - channels in configured country only are allowed, and transmit power is limited to what is allowed in that channel in configured country minus configured antenna-gain.

Also note that in this mode card will never be configured to higher power than allowed by the respective regulatory domain

• manual-tx-power - channels in configured country only are allowed, but transmit power is taken from tx-power setting

• superchannel - only possible with superchannel license. In this mode all hardware supported channels are allowed

/interface wireless set wlan1 frequency=XXXX

The Mikrotik Groove, is comparable to the Ubiquiti Bullet it was introduced to the market in 2011. It has all channels unlocked and is capable of 31 dBm (1.3 w)

Mikrotik Groove 2Hn

Mikrotik Groove 52HPn

Mikrotik Groove A-52HPn

Mikrotik Metal 5SHPn

Mikrotik Metal 2SHPn

Ubiquiti Networks was founded in 2005. Their frequency freedom technology (802.11 from 400MHz to 9GHz), seems to lead the way and promise integrated radio technology which uses an advanced RF integration and firmware design to provide a powerful platform capable of operation in any frequency imaginable. Basically Ubiquiti radios are Atheros chipsets with transverters onboard.

They have devices based on the Atheros 802.11 chipset for 902-928 MHz, 2.3 - 2.7 GHz 3.3 - 3.7 GHz, and 4.9 - 6.1 GHz on 802.11a devices

When WiMAX platforms for operation around 3 GHz were in their planning stage, Ubiquiti acted quickly to provide a 3 GHz 802.11 solution for direct competition. August 2007 the XR3 became available, exceeding the performance of available WiMAX offerings. The XR3 is available in three different models with frequency operation spanning 2.7GHz to 3.7GHz. The XR3 was specifically designed for long-distance, outdoor broadband wireless applications. This worked out well for us hams, as there is a 3 GHz ham allocation, and their XR3-3.5 yields over 30 non-overlapping full-width channels unshared with Part 15 unlicensed devices.

XR3's are 5 GHz card with a down converter to 3 GHz so it will work with 802.11a setting using 2GHz offset conversion, similar to how the XR9 are 2.4ghz with a down converter to 900 MHz... If you want to use 3.65 GHz you will choose 5.65GHz . Just add 2 GHz to the frequency you need.

8/07: A group of Italian ham radio operators break a distance record (189 miles) using the Ubiquiti XR5.

NS2 is listed at 400 mW with an integrated 10dBi gain antenna MSRP $79

NS5 is listed at 250 mW with an integrated 13 dBi gain antenna MSRP $89

NS3 is listed at 250 mW with an integrated 13 dBi gain antenna - Unveiled Feb 2009 expected MSRP $80-95... perfect for 3 GHz!

Note: The NanoStation 3 will likely never be certified for use in the US as it is mainly an overseas OEM product, with a suggested price of $87. Hams can buy it from Europe or Latin America. (Hams use other radios not certified all the time.) However the XR3, is a MiniPCI card and works fine and can be bought in the US. As well as these TDMA solutions:

The NanoStation M3 is a 3.3-3.7GHz (320 mW) 2x2 MIMO AirMax TDMA Station. $165.00

Rocket M3: 3.3-3.7GHz Hi Power (320 mW) 2x2 MIMO AirMax TDMA BaseStation. $189.00

NanoStation2/5 “LOCO” - This dual-polarity (auto-switching/diversity) 8db antenna has 100mw output and POE (18V). The 5ghz version comes with 13dbi integrated antenna. The NS2/NS5 “LOCO” does not have external antenna connector like the standard NS2/NS5. It's also a little less powerful, only 20 dBm (100 mW) instead of 26 dBm. (400 mW).. Keep in mind after market firmware hacks let you do nearly one watt with the normal NS2, so this is likely a low ended report of what is actually capable of.

NS2L listed at 100 mW with an integrated 8db antenna MSRP $ 49

NS5L listed at 160 mW with an integrated 13 dBi gain antenna MSRP $69

If you need an external antenna, never fear they have the Bullet This is the cheapest, most simplistic device yet. An integrated outdoor adaptor, simply with an N connector and POE ethernet port. There are high power versions available too. They use the 6th generation Atheros AR5414 chipset is rated at 1 watt.

Bullet2 - 2.4 GHz listed at 100 mW, MSRP of $39

Bullet5 - 5 GHz 150 mW MSRP of $59

Bullet2HP - listed at 800mW MSRP of $79

BulletM5HP - listed at 320 mW MSRP of $79

ExtremeRange XR3-3.5 - While it lists as 300 mW, it uses the Atheros, 6th Generation, AR5414 chipset capable of 1 watt. The 3 GHz ham allocations are from 3.3 to 3.5 GHz yielding over 30 better suited non-overlapping full-width channels unshared with Part 15 unlicensed devices. The MSRP is $240. The price is still considerably lower that an Icom ID-1 implementation and yields much higher throughput.

Here is a screen shot of how to enable the ham channels in Air-OS when you have Atheros hardware to support it: http://www.qsl.net/kb9mwr/projects/wireless/airos-ham.jpg

Note: In early 2011 the FCC tightened rules for manufactures on compliance for a specific country. This was in response to a few WISPs that had been operating outside of Part 15 frequencies and running beyond the power limits imposed by Part 15 in addition to disabling radar detection in use near an airport on 5 GHz. As a result the "Compliance Test" and other Country Code selection functions are no longer available in AirOS unless you can get you hands on the older models or the worldwide/export models. Typically you'll have to sign a FCC sales and shipping restrictions declaration for the seller. You may be able get that functionality loading alternative firmware like DD-WRT with the superchannel license (I received a report 9/14 that may no longer work)

Note that with release 5.5.8 of AirOS (January 23, 2014), the compliance test mode (commonly used by hams to access ham only channels) was removed from the airMAX product line regardless of whether or not you have the export/worldwide hardware versions! You'll need to downgrade back to 5.5.6 to have that functionally.

DD-WRT is probably one of the most prominent third party firmware's available for a wide assortment of various off-the-shelf router hardware. It unlocks a ton of features that the standard factory firmware isn't capable of. Sebastian Gottschall (BrainSlayer) created DD-WRT to offer a free version of Sveasoft. (Sveasoft was based on the original versions of the WRT54G firmware from Linksys and was one of the first third party firmware packages for the WRT54G)



DD-WRT v24 presents support for all Ubiquiti devices (LS2, LS5, NS2, NS5, PS2, PS5) for the latest release candidate RC7. The associated firmware versions are part of the line of DD-WRT firmwares for professional use. Ubiquiti offers affordable yet powerful devices based on Atheros wireless technology and allows high performance long range Wireless LAN connections, especially when driven by DD-WRT.



http://www.dd-wrt.com/dd-wrtv3/community/developmentnews/1-common/21-dd-wrt-for-ubiquiti-devices.html

The 'superchannel' marked Tab only appears when DD-WRT is used on Atheros based routers. Broadcom do not, as they just can't be opened in this manner. Meraki, Accton, Fonera, Siemens, etc... are those with Atheros... The superchannel option does offer it (2.3 - 2.7 ghz for 802.11g devices and 4.9 - 6.1 ghz on 802.11a devices)

Since the Atheros chipset based routers and extra channels are typically used mostly by professional users which use it for business, DD-WRT offers the Superchannel Activation extension for around $25.

Here is a screen shot of how to enable the ham channels in DD-WRT when you have Atheros hardware to support it: http://www.qsl.net/kb9mwr/projects/wireless/ddwrt-ham.jpg

In the Fall of 2008, a group of amateurs from the Texas area announced development of their own custom firmware for the WRT-54G to enable HSMM-Mesh networking. This is the first ham specific firmware build. It is also one of the first firmware builds to support OLSR, an ad-hoc wireless mesh routing daemon. Initially this ham firmware build was limited to the Linksys WRT54 series of wireless routers. In April 2013, the name changed to Broadband Hamnet from HSMM-Mesh. In February 2014 the development team added members that drove the development of the BBHN port to some of the Ubiquiti hardware family. In July 2014 support was extended to Ubiquiti 5 GHz devices.

Glenn, KD5MFW Founder

Rick, NG5V Founder

Dave, AD5OO Founder

Bob, WB5AOH Founder

Rusty, AE5AE

Kipton, AE5IB

Jim, K5KTF

Paul, KF5JIM

Clint, AE5CA

Brian, KF5GAH

I should note that this firmware does not yet support non-part 15 channels, aka, extended channels / custom frequencies.

If you are knowledgeable with the Linux Kernel programming please consider reaching out to the development team.

http://www.broadband-hamnet.org/download/firmware/

A discussion on the Broadband Hamnet / HSMM-Mesh ham firmware about using channels outside of the Part 15 space:

http://www.broadband-hamnet.org/hsmm-mesh-forums/view-postlist/forum-1113/topic-1113-default-channel-1-why-not-use-channel-0-or-channel-1.html

In March 2015 the BBHN group split over disagreements on moving forward and adding new features (like tunneling) while maintaining interoperability.

So the members of the BBHN Dev Team responsible for producing and testing versions of BBHN from version 1.0.1 thru version 3.0.1, that extended support to Ubiquiti hardware split off and forked the project. Their May 2015 beta firmware release was the first to have expanded channel support. 2.4 GHz now offers channels 0, -1, and -2. 3.4 GHz offers 24 new channels from 3.380 to 3.495 GHz, as well as 802.11n support.

Andre, K6AH

Randy, WU2S

Darryl, K5DLQ

Joe, AE6XE

Randy Smith, WU2S

Gordon, W2TTT

http://www.arednmesh.org/

This is a group of hams into HSMM mesh networking in the Pacific North-West region of the USA. The main place for their discussion/documentation and firmware is on their NW-MESH Yahoo group. They were the first to make HSMM-Mesh on Ubiquiti devices happen in April 2013. They also have firmware builds for the non-M bullets and other Ubiquiti devices with the limited 4M flash memory.

If you aren't into a pre-rolled firmware. They also have an interesting step how-to on how to roll your own HSMM-Mesh/ BBHN compatible build. You start by flashing OpenWRT, and then add in the OLSR module.



Configuring OpenWRT Devices for Operation on the NW-MESH Network via the GUI:

http://www.qsl.net/kb9mwr/projects/wireless/NW-MESH_GUI_Config-2012101401.pdf

This is ideal for those seeking a customized mesh network. Idea for those seeking to use Amprnet IP addresses (44/8, 44net) rather than the 10/8 network that is pre-configured in the BBHN builds. This eliminates the need to setup GRE tunneling as 44net is already connected.

Enabling ham radio channels in wireless devices

The Ubiquiti extreme range mini PCI modules are meant to be used with a router board / station. (MikroTik networking equipment works similarly.) These boards have multiple slots to support multiple radio modules. For instance you could have a 900 MHz user LAN module and a 5.8 GHz backbone module. The router station comes preloaded with Open-WRT Standard. Open WRT is a Linux-based firmware program that primarily uses a command-line interface, but also features an optional web-based GUI interface. The Open WRT distribution has all the necessary drivers to see the radio modules and network routing and madwifi radio drivers. Optionally you can load something like DD-WRT if you are more familiar with that.

To enable the ham radio channels on these mini PCI devices you can do this from the linux command line if you are using Open WRT. It's very easy, all you do is edit the /etc/modules.d/50-madwifi to include the countrycode parameter, use country code XX to enable without regulatory constraints.

Embedded Atheros radio devices such as La Fonera, D-Link DIR-300 home grade as well as Ubiquit Nano staiton, and Bullet professional grade products all have firmware running onboard Flash ram to control the radio chipset. All you do is go into the graphical user interface with your web browser and change the country code (or enable the super channel for DD-WRT). (With home grade Atheros routers such as the La Fonera, D-Link DIR-300, you will likely need to load third party firmware such as DD-WRT to be able to enable out of band opperation. This is done via the web based firmware update box or using TFTP)

Once you have done this a new channels list will be available. 2312-2484 MHz for 802.11g devices and 5160-5840 MHz for 802.11a devices. Expanded channel lists for proprietary radio modules such as the 900 MHz and 3 GHz devices work similarly. They simply have integrated tranverters using a local oscillator that shift the frequency from the base 802.11g or a chipset.

Channel-Power-vs-Frequency-Ubiquiti-devices: http://interline.pl/Tests-and-comparisons/Channel-Power-vs-Frequency-Ubiquiti-devices

Using WiFi Atheros chips in ham radio bands - ath9k: http://yo3iiu.ro/blog/?p=1301 - This is an excellent staring point for building your own custom firmware and drivers to enable out of part 15 space operation.

Change channel center frequency - ath5k: https://forum.openwrt.org/viewtopic.php?id=50609

Concerning Calibration Data

When considering taking a wireless devise far from is normal frequency operating range it is important to remember that a non-calibrated wifi signal may lead to spurious emissions. The hardware may have serious trouble decoding the signal and essentially it is just putting high level noise on the bands (if it is even transmitting at full power), and keep in mind we are secondary users of these bands. Part 15 users are required to employ Dynamic Frequency Selection (DFS) for all devices due to potential interference with government weather radar systems.

Each Atheros chip is a little different and consequently each chip requires individual RF calibration on the production line. The calibration data also is accounting for the effects of the RF strip line, an external amplification circuit, etc. This calibration ensures each product has uniform transmit power and meets certain performance criteria.

The calibration data is stored at the end of the SPI flash chip and loaded by the WiFi driver at boot time, which is typically never overwritten. Calibration is performed on the production line using a bunch of expensive RF test equipment connected via GPIB to a host computer running special software.

RF Hacking: http://villagetelco.org/2009/11/rf-hacking/

Output Power vs. Spectrum: http://hamwan.org/t/RouterBoard+Metal+5SHPn?structure=HamWAN

XR3 Frequency Response: http://hamwan.org/t/Ubiquiti+X R3?structure=HamWAN

Qualcomm Atheros related software and firmware: https://github.com/qca/

So what about unlocking additional channels in other chipsets/hardware?

As you can see open source drivers unlocked the possibility of additional frequency support. It allows programmers to be able to write a driver. This can even be be loaded onto open source/ Linux based hardware routers.

In summary; Atheros has allowed a third party to create a layer between the low-level functions of its chips and high-level drivers via the madwifi development.

Broadcom is the the chipset of most common Linksys WRT54G routers. Broadcom as of 2005 has declined so far to provide non-licensed access to it's chips. A project that has been working to reverse engineer access using legal means has released its first working drivers for Broadcom 4300 series chips. The project requires the use of the SoftMAC software as well to compile working drivers within Linux. The first successful use was documented in email Dec. 4 to the developer’s mailing sent from a PowerBook running Linux with the project’s drivers installed. This appears to be more of platform abstraction layer. Broadcom has since repeatedly stated that they fully intend to release open source drivers for their wireless chipsets. The real question is will it be down to the desired hardware layer?

http://bcm43xx.berlios.de/

http://linuxwireless.org/en/users/Drivers/b43

The legal concerns stem from that FCC forbidding selling radio devices in which user has total control over radio frequency being used. This is part of the certification process. That's the reason Atheros, Broadcom and others don't open their software outright. Manufacturers have to be sensitive when it comes to wireless gear. The wireless chipsets are capable of operating outside of their allotted spectrum in many countries and the only thing that stops them from doing so is the lowest level of software/firmware. Their licenses to sell this stuff relies on their being able to stay within their allocated frequency ranges so they are caught between a rock and a hard place. If they allow the hardware to be run without software/firmware/HAL that they wrote, then they can get into trouble. Obviously, company lawyers tend to err on the cautious side, hence the 'hard line' that OSS developers are seeing from some of these companies. They see it as an extreme liability issue, with the capacity to severely harm their company. For more info see "Towards a free Atheros Driver."

Note: Over the years most of these legal sensitive concerns have diminished a bit, and either way popular third party developers such as the popular DD-WRT have added a superchannel GUI tab option, so this is even easier yet.

Historically chipset manufactures have been pretty timid, and have held back features that are legally sensitive, and typically don't speak much publicly about this matter.

From: Progress on Linux Support for Contemporary Wi-Fi By Glenn Fleishman



Linux, and other variants have lagged in Wi-Fi support due to chip vendor’s stated concerns about access to the low-level radio functions on their chips. A Linux Wireless Summit, in February 2007 apparently has helped move development along. The summit’s organizer is quoted and paraphrased as stating that the FCC will only certify Wi-Fi devices that have a closed-source component for handling low-level radio settings, such as frequency choice and power levels. Actual evidence as to this fact, was remained to be seen. That would be an extra-regulatory step for the FCC, as there is no defined requirement for releasing radios that cannot be modified. The burden of responsibility is typically on the purchaser who modifies hardware conforming to regulatory limits, and suffering the penalties if they fail to conform.

Hardware vendors license their equipment under FCC section 15 regulations, even though technically pure software devices could be under SDR (Software Defined Radio) regulations. FCC wants all devices to have a 'no trespassing' sign on radio settings but there is no consensus on what that means. However Wi-Fi chips that don’t use formally use SDR, they have aspects of SDR that make their concerns about opening up full control reasonable.

FCC Rules on FOSS and Software-Defined Radio

FCC Proposes Rule Changes To Facilitate Software Defined Radio Deployment



http://lwn.net/Articles/456762 /



http://linuxwireless.org/en/us ers/Drivers/brcm80211

This recently released (2010) Broadcom wireless driver seems to have structures which imply the PHY in the chips can be directly controlled to program HSMM channels.

Hardware mods:

Prior in older hardware these tweaks were simple hardware changes. Such as in our original work with the Proxim Symphony, it was possible to tweak the card to double its output power.

On the Proxim Symphony it's was possible to change out the dropping resistors that run the RF power amplifer IC and run the IC at 3.6 - 3.9 volts to double the RF power output. The maximum DC voltage for this IC is 4 volts and the maximum RF power output is around +23 dBm (200 mW).

It's also possible to tap the PIN diode bias line to control an external amplifier on most wireless devices.

For more information on this modification see: http://www.qsl.net/n9zia/wireless/cardmap.html

For info on 802.11 hardware mods see: http://www.qsl.net/n9zia/wireless/appendixG.html

Some hams in Germany recrystaling WRTs to go outside of the ISM band: Arsene, LX1TB has modified the Linksys WRT54G(S) models to tune the frequencies below 2400 MHz for better fit with the hamradio bandplan.. Look on his German website to get the details:

http://www.rlx.lu/~lx1tb/wrt54gs/

http://db0fhn-i.ampr.org/wrt54gs/

Also see this chart from Kipton, AE5IB

Modified firmware:

In our day we also attempted to see what was possible by modifying and reverse engineering the Proxim Symphony Driver. See: http://www.qsl.net/n9zia/wireless/page03.html

[At the time I also contacted and spoke with several people at Proxim to try and obtain a schematic or block diagram to aide in our project. I even indicated that I might be willing to sign a non-disclosure agreement to obtain this information. The response from a Proxim wireless head official was to the effect of "I'm sorry but our designs are proprietary and we are unable to assist you." We ended up reverse-engineering it all by hand with an oscilloscope and some data books. Interestingly enough a few years later, other companies, namely Linksys, did grasp the open source concept.]

Now days with 802.11 hardware a whole new world of firmware changes are possible. For many old prism cards, the channels (frequencies) were a bitmap in the firmware. Atheros is even easier.

Linksys and other manufactures have been using embedded Linux on their products. Linksys and others have released their source under the GPL. People have been writing alternative 3rd party firmware versions for these devices, adding tons of fixes and great new features. The most popular device to have alternative firmware is the WRT54G (Wireless G router) since this is the device that sort of kick this whole thing in motion.

70 cm 420-450 MHz

-Telsima has certified a WiMAX platform for operation at 70 and 33 cm (specifically, 400-1000 MHz), with selectable channel widths from 1.5 MHZ to 7 MHz: http://www.telsima.com/index.php?i=84 According to this http://www.telsima.com/pic/pdf/download/Demo_Brief-50km.pdf Telsima got 6.5 Mbps out of 3.7 MHz over 30 miles on 450 MHz.



If issues of platform cost and amateur band encryption use can be overcome, this could be a viable platform for some HSMM applications.

-John Stevensen, KD6OZH, is developing a 70 cm OFDM modem. The (DCP-1) modem is similar to 802.11 modems but the subcarrier spacing is less (1-8 kHz vs 312.5 kHz) and consequently the amount of multipath that can be tolerated is higher (30-240 vs 0.8 microseconds). This allows operation over longer paths with omnidirectional antennas.

John reported in the Summer of 2009 that he is working on the DCP-3, a less expensive version of the DCP-1 and hardware that is more flexible. The external microcontroller has been replaced by a soft CPU inside the FPGA. The winter TAPR newsletter has an article on this CPU and the source code is on the TAPR web site. "A Soft Processor for Digital Signal Processing"



He notes that OFDM is limited to AM voice bandwidth on the VHF bands. However, 8PSK could fit in the same 20 kHz bandwidth as 9600 bps FSK and could operate at 3 times the data rate.

Further reading: 70cm ATV History and case for modified future HSMM use - Notes and Misc.

Doodle Labs - DL-435

Doodle Labs, is a privately held manufacturing company with headquarters in Singapore that designs and manufactures a line of long range Wireless Data Transceiver devices.

They are the first to list a true NLOS solution, capable of operation in the 70cm band that could easily fit into unused ATV channels between 420-430 MHz using a 2019.5 MHz offset.

In November 2011 Doodle Labs announced that it has successfully developed a family of compact, embedded OFDM Broadband radio transceivers specially optimized for the Amateur Radio bands to dramatically improve the data throughput and enable new IP based applications. These Broadband transceivers are the industry first for the various Amateur Radio bands within the frequency range of 435 MHz (70 Cm) to 5800 MHz (5 Cm).

http://doodlelabs.com/products-and-services/amateur-bands/420-450-mhz-band-dl435.html



XAGYL Communications - XAGYL XC420M

XAGYL Communications, is a Canadian Distributor of Ultra High-Speed, Long Range Wireless equipment.

http://www.xagyl.com/store/product.php?productid=16450&cat=251&page=1

They also have a radio capable of operation in the 70cm band that could easily fit into unused ATV channels between 420-430 MHz. They have been listing the radio on their site since, April 2010. The projected availability is March 2012.

The Xagyl 70 cm radio, uses a 1994.5 MHz offset. It should be noted that these are not compatible with the Doodle Labs cards.

Transverters and amplifiers:



RF Linx had some Bi-directional 2.4 GHz amplifier kits that were really cheap.

http://www.rflinx.com/2.4GHz%20Bi-Directional%20PCB.htm

They look to be based around some WJ ICs.



Transverters:

http://www.teletronics.com/Frequency%20Converters.html

Options like 2.4 to 900 MHz (1 & 4 watts), 2.4 to; 3.4 GHz, 3.5 GHz, 5.8 GHz

http://www.rflinx.com/products/converters/

http://www.teletronics.com/specialfreq.html

2.4 GHz to 1.2 GHz @ 1 watt



http://www.ubnt.com/super_range9.php4 700 mW on 900 MHz - 54 Mbps

Teletronics Prices 2/2007



1 Watt Outdoor 2.4 GHz 2 pc SmartAmp List Price: $399.99

1 Watt, 2.4GHz Indoor SmartAmp $199.00 US

SmartAmp Bi-directional RF Amplifier 900 MHz Series 4 Watt Price: $900.00

SmartAmp Bi-directional RF Amplifier 900 MHz Series 1 Watt. Price: $800.00

HyperLink Technologies Prices 2/2007:

1 Watt, 900 MHz Indoor model HA901I-APC $350.00

3 Watts, 900 MHz Indoor model HA903I-APC $440.00

1 Watt, 2.4 GHz Indoor model HA2401RTGXI1000 $180.00

2 Watt, 2.4 GHz Indoor model HA2402GXI-NF $350.00

HyperLink became L-Com in 2008:

http://www.l-com.com/productfamily.aspx?id=6376

1 Watt 2.4 GHz 802.11b Outdoor WiFi Amplifier HA2401G-1000 $170.00

3 Watt 2.4 GHz Amplifier HA2401-XL3000 $250.00

1 Watt (30 dBm) Indoor 900 MHz Amplifier w/Active Power Control HA901I-APC $330.00

3 Watt (35 dBm) Indoor 900 MHz Amplifier w/Active Power Control HA903I-APC $380.00

http://www.shireeninc.com/300-500mhz-20-watts-outdoor-amplifier/ 300-500MHz 20 Watts Outdoor Amplifier $2650 (2/2014)

SSB Electronics released at Dayton 2003, "Amateur use only" mast mount biamp for $599 (rumored price) that's up to 4 watts out, 22db Rx amplifier with 1.8 db noise figure.

Fleeman Anderson Bird Corp offers a radio amateur discount, put your callsign in the order comments, 7% will be taken off your order when shipped.