Skip to content

Is your WiFi AP Missing Channels 12 & 13?

by on May 16, 2013

Wi-Fi_Logo.svg

Background

One thing I noticed about TPLink WR703N, was that it only operates on channels 1-11. Pentura is based in the UK – where the WiFi Regulations allow an extra two channels 12 & 13. This post will walkthrough the methods used to give the openwrt image access to these two additional channels and possibly more…

Finding the Problem

Using the dmesg command to view kernel messages we can see that the AP is configured to US settings by default:

$ dmesg
...
[   29.850000] ieee80211 phy0: Selected rate control algorithm 'minstrel_ht'
[   29.850000] Registered led device: ath9k-phy0
[   29.850000] ieee80211 phy0: Atheros AR9330 Rev:1 mem=0xb8100000, irq=2
[   29.860000] cfg80211: Calling CRDA for country: US
[   29.860000] cfg80211: Regulatory domain changed to country: US
[   29.870000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   29.880000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2700 mBm)
[   29.890000] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 1700 mBm)
[   29.890000] cfg80211:   (5250000 KHz - 5330000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   29.900000] cfg80211:   (5490000 KHz - 5600000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   29.910000] cfg80211:   (5650000 KHz - 5710000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   29.920000] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 3000 mBm)

Use the statement below to set the region, based on the two letter country code. In the example below we will use Great Britain (GB):
$ iw reg set GB

$ dmesg
[   90.200000] cfg80211: Calling CRDA for country: GB
[   93.370000] cfg80211: Calling CRDA to update world regulatory domain
[   93.370000] cfg80211: World regulatory domain updated:
[   93.380000] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[   93.380000] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   93.390000] cfg80211:   (2457000 KHz - 2482000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[   93.400000] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[   93.410000] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[   93.410000] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)

$iwlist wlan0 channel
wlan0     11 channels in total; available frequencies :
Channel 01 : 2.412 GHz
Channel 02 : 2.417 GHz
Channel 03 : 2.422 GHz
Channel 04 : 2.427 GHz
Channel 05 : 2.432 GHz
Channel 06 : 2.437 GHz
Channel 07 : 2.442 GHz
Channel 08 : 2.447 GHz
Channel 09 : 2.452 GHz
Channel 10 : 2.457 GHz
Channel 11 : 2.462 GHz

As you can see from the list above; channels 12 and 13 are missing.

First the kernel loads the rules for the ‘world’ domain. No countries exist that allow you to go beyond these set WiFi frequencies. But many countries have additional restrictions. In the USA you cannot use channels 12,13 & 14. Japan, you can use channel 14, in Europe/UK you cannot use channel 14.

The kernel then proceeds to look for any hints from the hardware. The TPLink hardware EEPROM is set to 0×0. A value, which is mapped to the US. The kernel calls a userspace program crda to get the list of allowed frequencies and signal strenghts for the US.
After this has been done, you can typically calliw reg set XX to change your region. But you wont be able to go beyond the limits set previously – So we are still stuck with the US WiFi frequencies.

$dmesg
[   29.850000] ath: EEPROM regdomain: 0x0
[   29.850000] ath: EEPROM indicates default country code should be used
[   29.850000] ath: doing EEPROM country->regdmn map search
[   29.850000] ath: country maps to regdmn code: 0x3a
[   29.850000] ath: Country alpha2 being used: US
[   29.850000] ath: Regpair used: 0x3a

The compilance with radio hardware is that not only the users are subject to regulation, the sellers are too. You cannot sell non-compliant radio hardware. Now, the WiFi chip manufacturers do not physically limit a chip intended for sale in the US to channels 1-11. Chip manufacturers rather, mass produce chips and then the equipment manufacturers are supposed to configure the chip in compliance with its target market.
It appears that TP-Link have defaulted all their equipment to US, as the frequencies and 11 channels are broadly excepted world-wide.

Correcting CRDA

The userspace program crda can be used to supply a modified list of allowed frequencies. For more information on WiFi Regulations read: http://wireless.kernel.org

The CRDA source code can be found here Its easy to compile on any standard x86 or amd64 Linux environment, but the target system is MIPS. This means you need to download and install the development openwrt repository, and cross-compile relevant packages.

Once CRDA is installed you should have the following files/directories:

  • /usr/bin/iw
  • /usr/bin/regdbdump

Depending on your install the following folder is either /usr/lib/crda or /lib/crda:

/usr/lib/crda $ ls
pubkeys  regulatory.bin  setregdomain

Note: Depending on your system you may only see regulatory.bin!

Running the next command should return an editable version of the regulatory database.
regdbdump /lib/crda/regulatory.bin

country 00:
(2402.000 - 2472.000 @ 40.000), (3.00, 20.00)
(2457.000 - 2482.000 @ 20.000), (3.00, 20.00), PASSIVE-SCAN, NO-IBSS
(2474.000 - 2494.000 @ 20.000), (3.00, 20.00), NO-OFDM, PASSIVE-SCAN, NO-IBSS
(5170.000 - 5250.000 @ 40.000), (3.00, 20.00), PASSIVE-SCAN, NO-IBSS
(5735.000 - 5835.000 @ 40.000), (3.00, 20.00), PASSIVE-SCAN, NO-IBSS

country GB:
(2402.000 - 2482.000 @ 40.000), (N/A, 20.00)
(5170.000 - 5250.000 @ 40.000), (N/A, 20.00)
(5250.000 - 5330.000 @ 40.000), (N/A, 20.00), DFS
(5490.000 - 5710.000 @ 40.000), (N/A, 27.00), DFS

You can then make any necessary changes, for example:

country 00:
(2402.000 - 2494.000 @ 40.000), (N/A, 30.00)
(4910.000 - 5835.000 @ 40.000), (N/A, 30.00)

country GB:
(2402.000 - 2482.000 @ 40.000), (N/A, 20.00)
(5170.000 - 5250.000 @ 40.000), (N/A, 20.00)
(5250.000 - 5330.000 @ 40.000), (N/A, 20.00), DFS
(5490.000 - 5710.000 @ 40.000), (N/A, 27.00), DFS

To convert the textfile back into binary form you need the following two python scripts:

  • db2bin.py
  • dbparse.py

Download here which can be found in the wireless-regdb source code releases. To get these scripts to work you need python and m2crypto library.

On Debian:
apt-get install python2.7 python-m2crypto

Dealing with reglatory.bin

Now with your edited regulatory.txt, we need to convert this file back into its binary form:
./db2bin.py regulatory.bin db.txt

Then verify your changes via the regdbdump command:
regdbdump regulatory.bin

You may (depending on your system and version of openwrt) get an error about a signed or public key not found, it that is the case read on below…  Else continue to New Configuration.

Dealing with a Signed reglatory.bin

The following steps were not needed for the attitude-adjustment version of Openwrt on the TPLink WR703n.  They were however, needed to correct regulatory.bin on the Raspberry Pi.  I thought I’d cover signed database binaries here to cover all bases.

Now the binary database may require to be digitally signed. No problem… lets create a private and public key:

openssl genrsa -out your.key.priv.pem 2048

openssl rsa -in your.key.priv.pem -out your.key.pub.pem -pubout -outform PEM

Then just add the private key onto the end of the db2pin.py command
./db2bin.py regulatory.bin db.txt your.key.priv.pem

Then copy (or scp across) the newly generated public key, into crda’s public keys directory:

cp your.key.pub.pem /lib/crda/pubkeys/

New Configuration

Copy (or scp) the new database file regulatory.bin over to Openwrt image. Restart the device

$ dmesg
cfg80211: Calling CRDA to update world regulatory domain
cfg80211: World regulatory domain updated:
    (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz - 2494000 KHz @ 40000 KHz), (N/A, 3000 mBm)
    (4910000 KHz - 5835000 KHz @ 40000 KHz), (N/A, 3000 mBm)
ath: EEPROM regdomain: 0x0
ath: EEPROM indicates default country code should be used
ath: doing EEPROM country->regdmn map search
ath: country maps to regdmn code: 0x37
ath: Country alpha2 being used: GB
ath: Regpair used: 0x37
phy0: Selected rate control algorithm 'ath9k_rate_control'
phy0: Atheros AR9100 MAC/BB Rev:0 AR2133 RF Rev:a2 mem=0xb80c0000, irq=2
cfg80211: Calling CRDA for country: GB
cfg80211: Regulatory domain changed to country: GB
    (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
    (2402000 KHz - 2494000 KHz @ 40000 KHz), (N/A, 3000 mBm)
    (4910000 KHz - 5835000 KHz @ 40000 KHz), (N/A, 3000 mBm)

root@pineapple:~# iwlist wlan0 channel
wlan0     13 channels in total; available frequencies :
          Channel 01 : 2.412 GHz
          Channel 02 : 2.417 GHz
          Channel 03 : 2.422 GHz
          Channel 04 : 2.427 GHz
          Channel 05 : 2.432 GHz
          Channel 06 : 2.437 GHz
          Channel 07 : 2.442 GHz
          Channel 08 : 2.447 GHz
          Channel 09 : 2.452 GHz
          Channel 10 : 2.457 GHz
          Channel 11 : 2.462 GHz
          Channel 12 : 2.467 GHz
          Channel 13 : 2.472 GHz
          Current Frequency=2.452 GHz (Channel 9)

Legalities

The Radio Spectrum is split into different categories and sub categories, in the UK Ofcom (http://www.ofcom.org.uk) manages the allocation. There is good reason why the WiFi signal is split into its numerous channels and why certain channels are omitted. This is to prevent interference and disruption to existing frequencies already in use.

There are serious penalties for breaching ETSI and/or FCC Policies! I strongly advise that you do not tamper with the frequencies or channels outside of your native regulatory body. This blog post has demoed introducing the missing UK frequencies and/or channels, if you live outside the UK do not follow these instructions.

Pentura and myself are not responsible for how you may configure your personal devices!

ETSI

European Telecommunications Standards Institute (ETSI) is the standards body for most of Europe, Africa, the Middle East, and parts of Asia. For more information: http://www.etsi.org

FCC

The Federal Communications Commission is the regulatory agency and standards body for the Americas and parts of Asia. For more information: http://www.fcc.gov/

MIC (Japan)

Ministry of Internal Affairs and Communications (MIC) (formerly TELEC) is the standards body for Japan. For more information: http://www.telec.or.jp/eng/Index_e.htm

Links

About these ads

From → pentesting, pentura, WiFi

8 Comments
  1. Adam11 permalink

    HI Andy.Thank you for such a good post.I have a nano station m2 , can I enable channels from 2312 to 2732 which is possible in airos firmware ? also when I edit the regularity domian (regdbdump /lib/crda/regulatory.bin) do i have to download it from my open wrt machine and then convert it to .bin in my linux machine? thanks

    • It should be possible depending on your firmware?
      Yes, its best to download the file (if you have one, else install crda for it to usually appear) from your router, modify it, and upload it back.

  2. Adam11 permalink

    many thanks Andy.I wanna use OpenWrt firmware. Why should compile OpenWrt from beginning in order to install crda ? can I just install it using opkg install crda?
    thanks and very sorry for any disturbance.

    • You should be able to ‘opkg install crda’ but it depends on the branch/version of Openwrt.
      Sometimes branches like the hak5 wifi pineapple, and the Dragino do not have crda support built into the kernel or as a package?
      You should be fine with a pure Openwrt.

  3. Adam11 permalink

    I red that OpenWrt isn’t using crda anymore and the regdb.txt is located in package/mac80211/files/regdb.txt. So can I edit directly before compiling? how to implement this exactly? thanks

    • Hmm, looks like I’ve been using older Openwrt instances (Due to specific branches/forks on projects).
      Looks like now the kernel can ignore the hardset country code, and you just use the command “iw reg set XX” where XX is your country code.
      Hopefully, you have an unlocked radio. As I’ve noticed manufacturers are burning the country code onto the ROM chips inside the WiFi device ;)

  4. Adam11 permalink

    That’s right Mr Andy.Any way I wanna use this extended range of frequencies 2312 – 2732 any tipts ?
    thanks.

    • Hmm, your starting point is slightly below 2.4GHz, your radio might not go that low? also you then specify a range between 2.5-2.7 GHz which is licensed MMDS. I think you have left the realm of WiFi and have entered the realm of an SDR!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 132 other followers

%d bloggers like this: