Wap11Hack

Wap11DowngradingFirmware

Wap11Ver22Hack

Wap11Ver22UnHack

WAP 11 Hack

NOTE ABOUT VERSION 2.8 WAP-11's: This hack will show how to convert a Linksys WAP11 version 2.8 into a D-Link DWL-700AP. Both devices use the ADM8628, but the WAP11 is one of the worst pieces of hardware ever built. By upgrading the firmware it becomes a little nicer, with site survey, a REAL AP client (not the ATMEL client), repeater mode, etc. You can find the complete step-by-step how-to on this site. You can also do a power hack with a serial cable connected to the board; more info on this below.

POWER HACK ON v2.8

The power hack is via the console, so you need to build an RS232-to-TTL (3.3V) cable. There are a lot of schematics showing how to build one, but I use a USB-TTL cable, so I connect to the board (http://www.areawireless.net/adm8628/images/jtag_serial.jpg) on TXd, RXd and Gnd.

I open HyperTerminal, set 115500,8,N,1, and it shows like this: http://www.areawireless.net/adm8628/images/power_hack.JPG

and then type: c> settxpowerlv 1-5

http://www.areawireless.net/adm8628/images/wap11_power_hack.JPG

If you want to ask anything, email me at <meno@areawireless.net>. Hope you don't mind me telling everyone.

If you want a cheap serial adapter for the TTL-level serial port on your AP, go get a Nokia-compatible DKU-5 USB-to-mobile cable. Inside it's a normal USB to TTL-level serial adapter. Drivers are easy to find for both Linux and Windows.

NOTE ABOUT VERSION 2.2 WAP-11's: This hack cannot be performed on the Version 2.2 WAP-11. It is based on a different chipset, and is in no way compatible with this hack. According to the spec sheet, it's 20dBm, which would work out to 100mW anyways. BUT, Linksys is getting tricky. They're counting the gain from the stock antennas as part of the power output. The real power output can be found in the FCC Registration documentation on the FCC website, which states it is 38mW. There is an interesting hack where you can load the D-Link firmware onto a WAP-11 ver 2.2 (Wap11Ver22Hack) and get it to go 22Mbps (6Mbps real world) right now, and soon 44Mbps (12Mbps real world) when D-Link releases the new ver 2.4 firmware. I've performed this hack myself and can verify that it works! - Andrew Hakman

NOTE ABOUT VERSION 2.6 WAP-11's: This hack should work on the Ver 2.6's. I think I found out how to do this now. Check out the instructions at http://www.andrewhakman.dhs.org/wap11/files/ver26/instructions.gif Get the ver 2.6 SNMP manager from my website: http://www.andrewhakman.dhs.org/wap11/files/ver26 Some people say you have to install the original SNMP manager before this version for 2.6 will work. (Note that you should specify a community of "public" when you log into the access point for the first time.)

Installing the software

Windows

Use the USB configuration utility and set your IP Address and Password. The password setting is under the "Security" tab, and then the "Password setting" button.

Download and install this (http://www.andrewhakman.dhs.org/wap11/atmel_config/SNMPV1743.exe). Once installed, go to c:\windows or c:\winnt (if you run NT4/2K) and find snmpmanager.ini.

Edit it so it looks like this:

    [SNMPmanager]
    AppMode=2
    AppView=2

Run the Atmel AP configurator, log into your AP using the password you previously set, and "Administrator" as the authority setting.

HAVE FUN - you have ALL the options, even the ones that the Linksys software doesn't give you. This also gives any compatible AP (like the SMC MC2655W and the Netgear ME102) all the extra operating modes like bridging and AP client and whatnot...

*nix

The AP-UTILS package is excellent - it is much easier to change the manufacturer password to get extra channels and things (as discussed below).

http://ap-utils.polesye.net/

From: Roman Festchook

Raw SNMP

WAP11 Hack Using snmp commands:

http://pasadena.net/aprf/

From: Frank Keeney http://www.wlanparts.com

Output Power Hack

Before doing any changes with output power of devices, PLEASE read http://www.maokhian.com/wireless/wap11.html. Thanks!

Go to the Radio -> Configuration menu. All the textboxes that come up are the output power for each channel. The highest output power (supposedly 100 mW) is at hex value 80, and as you change the value away from 80 in either direction the power output drops linearly (so 7A and 86 give the same power output). These settings might also explain why, out of the box, performance isn't the same on all channels (with ver 1.1 hardware certain channels have lower output power by default; with ver 1 hardware they're all the same)!

Use File -> Download changes to send your new settings to the AP.

(optional, but FUN FUN FUN!) Using your Orinoco signal meter, actually see an increase in power output from the WAP-11 (if you have an Orinoco card, that is) - you should easily be able to see a signal of -20dBm to -27dBm if you are close to the WAP-11, instead of the -37dBm you normally see from 30mW devices.

(optional, but may be necessary in some cases) If you are still using OLD firmware (1.4i1 or lower), I suggest you upgrade to 1.4J1. 1.4J1 is an easy upgrade, as you can do it across the network. I'm going to try to reverse engineer this and see if I can make it version independent so it can be used for flashing any version of firmware across the network. If anyone else wants to take a stab at reverse engineering it, go to it! You can get it from my website here (http://www.andrewhakman.dhs.org/wap11/firmware/1.4j1). Flashing the firmware will not modify the power settings.

Firmware

You can upgrade FIRMWARE ACROSS THE NETWORK via SNMP. This means that you don't need to think about USB over Ethernet (I've tried it by the way - works to ~60 feet) or physical access to the unit's USB port to do firmware updates (like if you mount it in a weather proof box on your roof!).

UPDATE: The newest firmware (1.4J1) comes with a utility to do this. Get it from my website (http://www.andrewhakman.dhs.org/wap11/firmware/1.4j1). Linux users can do the update with ap-tftp (part of the above-mentioned ap-utils package). NOTE ABOUT 1.4J1 to SMC2655W users - apparently 1.4J1 breaks the factory reset switch functions, and because the device doesn't have a USB port, you're going to want to make sure you always remember your SNMP password (community string)!

With the ATMEL utility, there's a program called IPConfig.exe in the folder where you EXTRACT the self-extracting .exe (NOT where you install it to) that lets you type in the MAC address and set the IP address. This is useful for downgrading firmware (Wap11DowngradingFirmware).

You can find various other things on my website at http://www.andrewhakman.dhs.org/wap11

D-Link are maintaining an End Of Life product archive for those of you who might want a firmware/driver hard to find otherwise. Here's the link for the DWL-900AP:

Extra Channels, MAC changing, etc.

Want to access the additional 3 channels (12, 13, 14) the FCC didn't want you to have? New, web-based instructions: http://www.andrewhakman.dhs.org/wap11/region.html

Compatible Devices

Please update this section as necessary. There were a lot of messages down below about "it also works with...", so I thought a table would be better. If you know any of the unknown fields, please fill them in.

Manufacturer                | Device                       | Hardware Version | Highest Working Firmware Version
----------------------------|------------------------------|------------------|---------------------------------
Linksys                     | WAP11                        | V 1              | 1.4J1
Linksys                     | WAP11                        | V 1.1            | 1.4j3 (dlink USB updater)
Belkin                      | F5D6130??                    | ?                | 1.4J1
Broadxent                   | 2100 (RTW020 rebadged)       | ?                | ?
D-Link                      | DWL-900AP (not +)            | ?                | 1.4j3
D-Link                      | DWL-1500                     | ?                | ?
Edimax                      | EW-7205                      | ?                | ?
Netgear                     | ME102                        | ?                | Careful!!!
Phoebe                      | PHWL11-AP (RTW020 rebadged)  | V1               | 1.4J1
Planet                      | 1960                         | ?                | 1.4J1
SMC                         | MC2655W                      | ?                | ?
Sparklan                    | WX-1590                      | ?                | 1.4J1
Sparklan                    | 1590                         | ?                | ?
Sweex                       | LC00040                      | ?                | ?
TrendNet                    | TEW-210APB                   | ?                | ?
ZAYETECH/PRIME ELECTRONICS  | WA211P                       | ?                | ?
Tonze                       | AW-2100R                     | ?                | ?

Contact Info

Andrew Hakman - mailto:andrew_dot_hakman_at_gmail_dot_com

Credits

It was "Daniel C. Richardson" <plympton@plymptonia.com> that told me about the power hack. Thanks Daniel! Hope you don't mind me telling everyone.

(Wiki by EricJohanson)

Other Info

Questions are better directed to the e-mail address above (in Contact Info). Place any other info you feel would be useful in this section.


/. has an article (http://slashdot.org/article.pl?sid=01/12/31/1340247) about the 100mW hack right now. Here's the URL to the hack .txt file found on wi2600.org.

http://www.wi2600.org/mediawhore/nf0/wireless/docs/802.11/WAP11/fun_with_the_wap11.txt

- JeffLaPlante


The power level details given above are incorrect! Well at least that seems to be the case for my netgear me102 (which is meant to be the same), perhaps other people can confirm this. :-) The scale starts with 7F being the lowest power output. Power then increases as you reduce this value (approaching 00), then it wraps around to FF and increases as you continue reducing towards 80, i.e.

Level    | Lowest | Low | Medium | High | Highest
Power    | 0mW    |     | 50mW   |      | 100mW
Hex      | 7F     | 40  | 00/FF  | C0   | 80

OK, that's not amazingly clear... so let's try again:

Power (mW) | Decimal | Hex | Binary    | Signed Decimal
-----------|---------|-----|-----------|---------------
0          | 127     | 7F  | 0111 1111 | +127
10         | 101     | 65  | 0110 0101 |
20         | 76      | 4C  | 0100 1100 |
40         | 25      | 19  | 0001 1001 |
50         | 255     | FF  | 1111 1111 | -1
60         | 230     | E6  | 1110 0110 |
70         | 205     | CD  | 1100 1101 |
80         | 179     | B3  | 1011 0011 |
90         | 154     | 9A  | 1001 1010 |
100        | 128     | 80  | 1000 0000 | -127

Basically, changing the value by 1 should result in a 0.4mW change, if this is an at all accurate control! (I have no way of testing other than my WaveLAN card.)

For example, the Netgear default is 0xEF or 239 decimal. This is 16 less than the value for 50mW (0xFF or 255), and since we increase TX power as the value is reduced we get: (60*0.4)+50=56.4mW.

Mike Saywell <mike_at_saywell.net>, Southampton, UK.
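The register-to-power mapping Mike describes above, as an added example (not code from the page or from any vendor tool): it encodes his signed-byte wraparound model next to Andrew's symmetric-about-0x80 model from the Output Power Hack section, so both can be evaluated for the same register byte. The linear scale of 255 equal steps from 0x7F (0 mW) to 0x80 (100 mW) is an assumption; the table values are copied from Mike's post.

```python
"""Decode the Atmel AP per-channel TX power register under the two models
described on this page.  Added example, not code from the page."""

# Mike Saywell's table, nominal mW -> register byte (copied from the page).
MIKE_TABLE = {
    0: 0x7F, 10: 0x65, 20: 0x4C, 40: 0x19, 50: 0xFF,
    60: 0xE6, 70: 0xCD, 80: 0xB3, 90: 0x9A, 100: 0x80,
}

# Assumption: a linear scale, 255 steps from 0x7F (0 mW) to 0x80 (100 mW).
# That is about 0.39 mW per step, matching Mike's "0.4mW per value" estimate.
MW_PER_STEP = 100.0 / 255.0


def signed_byte(reg: int) -> int:
    """Interpret a register byte as two's complement (0xFF -> -1, 0x80 -> -128)."""
    reg &= 0xFF
    return reg - 256 if reg >= 0x80 else reg


def mike_mw(reg: int) -> float:
    """Mike's model: power rises as the signed value falls from +127 to -128,
    so 0x7F -> 0 mW, 0x00/0xFF -> ~50 mW, 0x80 -> 100 mW."""
    steps = 127 - signed_byte(reg)          # 0 .. 255 steps above "lowest"
    return steps * MW_PER_STEP


def mike_register(mw: float) -> int:
    """Inverse of mike_mw(): nearest register byte for a target power."""
    steps = round(mw / MW_PER_STEP)
    return (127 - steps) & 0xFF


def andrew_mw(reg: int) -> float:
    """Andrew's model: 0x80 is the maximum and power falls linearly with the
    unsigned distance from 0x80 in either direction (so 0x7A == 0x86).
    Assumption: 100 mW at 0x80 and 0 mW at a distance of 127."""
    distance = abs((reg & 0xFF) - 0x80)
    return max(0.0, 100.0 - distance * (100.0 / 127.0))


def table_max_error() -> float:
    """Largest deviation (mW) between mike_mw() and Mike's own table."""
    return max(abs(mike_mw(reg) - mw) for mw, reg in MIKE_TABLE.items())


if __name__ == "__main__":
    print(f"max error against Mike's table: {table_max_error():.2f} mW")
    # 0xEF is the Netgear default Mike mentions; the models disagree sharply.
    for reg in (0x7F, 0xEF, 0xFF, 0x98, 0x80):
        print(f"0x{reg:02X}: Mike {mike_mw(reg):6.1f} mW   Andrew {andrew_mw(reg):6.1f} mW")
```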


http://punk.net/~duncan/wap11/wap11_rssi_vs_cr31_teaser_small.png
My Linksys WAP11 seems to behave as Mike's Netgear ME102.

The signal strength hits a maximum near CR31=0x80 (at 0x98) and drops to a minimum near 0x78. Barring what looks like a few flipped configuration bits the power response is logarithmic from 0xd0 to 0xa4 with the indicated strength in dBm a linear function of the register setting.

More graphs and details (LiveJournal)
Duncan Campbell, California


Is it confirmed that the output changes -linearly-? Mike states that he doesn't know if it's an accurate control. With the info Mike provided, I think we have to deal with an x-axis-shifted sinus instead of a linear curve. -UPDATE: Sorry, I did some wrong math. Sorry- -LINEAR-

According to Mike's values (and if it's a linear control), the function is:

f(x) = (-(256/100)*x)+100 -or- f(x) = (-0.390625*x)+100
defined for 0<x<255, x being the input level and f(x) being the power output on a scale of 0 - 100

According to Andrew's values (and if it's a linear control), the functions are:

For 0<x<126: f(x) = (128/100)*x+100 -or- f(x) = (1.28*x)+100
For x=127: f(x) = 100
For 127<x<255: f(x) = (-(128/100)*x)+100 -or- f(x) = (-1.28*x)+100

-SINUS- I tried some different algorithms, but I couldn't find it yet. I have the feeling that the solution is right in front of my nose... Stay tuned.

The basic algorithm is

nPowerOut = sin((nInput/(nMaxInput??/2))*90) * nMaxPowerOut??

( 1.227 = sin((1/128)*90) * 100
-and- 70.710 = sin((64/128)*90) * 100
-and- 70.710 = sin((192/128)*90) * 100
-and- 1.227 = sin((255/128)*90) * 100 )

but it only works for Andrew's case. You have to insert some magic somewhere to make it work for Mike, too (basic sinus curve shifting and stretching... could be used as a protection, or to adjust the hardware to the software configuration). But that's a matter of opinion. I hope it helped... Christopher Eineke <christopher.eineke_at_gmx.de>, Exeter Wireless Project, Exeter, ON, Canada

The hack also worked for the Edimax EW-7205 Access Point.

Greetings from Holland.


According to the Intersil Spec sheet on the HF 3193 Power Amp chip, the maximum output is 18dBm.

http://www.intersil.com/data/fn/fn4635.pdf

Cheers ---

Hack also works on the DWL-1500 Access Points!

Sam, Bournemouth, UK


Hack works with SNMPmanager 1.7.4.5 (http://www.sparklan.com/download/wx1592_v1.7.4.5.zip) provided by Sparklan for the WX-1590 AP (http://www.sparklan.com/products_wx1590.htm). I think it is the same as the WAP11. cheers <angelos@orion.gr>


How to hack the PLANET 1965 to 100mW???

Konrix

The only hardware method I found: you must put the bias pin to GND by shorting an 8.2k resistor with a wire. The PA is a MAX 2242; see the data sheet and find the bias pin.


I too have experimented with the SNMP software. What I found interesting is that the stock settings for two WAP11 v2.6 units were drastically different. In case anyone is interested, here they are -- perhaps someone could shed some light on the matter.

           | First unit       | Second unit
Channel    | CR17  CR20  CR21 | CR17  CR20  CR21
-----------|------------------|-----------------
Channel 1  | 7C    3C    44   | C0    30    78
Channel 2  | 7C    3C    44   | C0    30    78
Channel 3  | 7C    3C    44   | C0    30    78
Channel 4  | 7C    3C    44   | C0    30    78
Channel 5  | 7C    3C    44   | C0    30    78
Channel 6  | 7C    3E    46   | C0    30    78
Channel 7  | 7C    3E    46   | C0    30    78
Channel 8  | 7C    3E    46   | C8    35    7D
Channel 9  | 7C    3E    46   | D0    3A    42
Channel 10 | 7C    3E    46   | D8    3F    47
Channel 11 | 7C    3F    47   | DC    04    4C
Channel 12 | 7C    3F    47   | DC    04    4C
Channel 13 | 7C    3F    47   | DC    04    4C
Channel 14 | 7C    3F    47   | DC    04    4C

toxicanarchist@yahoo.com

(man was that table a pain to draw)


I bought a cheap Broadxent 2100 (RTW020 rebadged). I did a lot of testing with values and found that 8F/channel 11 is the highest/best setting for this AP. With 80 on other channels, the AP tends to "leak", and other APs' signals get crapped up.

But 80/channel 14 seems to work very well. Has anyone tested this hack with channels 11 & 14 on other APs with stable results?


The hack works well on the Planet 1960, Sparklan 1590 and Sweex LC00040; these should be the same Atmel chip configuration, and are set with an SNMP manager. I tested the D-Link AirCom DWL-520+ PCI card and measured approx. 200mW. This card has a TI chip like the D-Link DWL-900AP+ and Planet WAP 1965, but their output power is 50mW. Does anyone know how to crack some TI chip AP to pump up the power to 100 or 200mW like a 520+ card?

Thanks Mario SCG


I am using loads of WAP11 / ME102 / DWL900AP units as clients, and need some way of issuing a reset command to them from the Windows box they are connected to, especially in a batch file, so I can reset them, for example, when the Windows box reboots. Any ideas guys??? Many thanks. PhutPing

Pls post here...


I am using the ME102 with this hack.. (I was). It works, but the performance is really poor, and there is a lot of signal spreading over the whole spectrum. I am connected to a wireless network about 4 miles away (in Zagreb - Croatia - Europe: wifihr) with one Orinoco PCMCIA card, and I need two extra channels for local AP connections.. This hack only gives me additional noise, even when set to 80mW... that's why I am now considering using an AP-1000.

I tried a Cisco 350, but it is limited to 50mW in our location (and I do not know how to unlock it to 100mW), but it is so clean.. it cannot be cleaner..

So.. the conclusion is: the Netgear ME102 is a really bad piece of hardware; do not buy it if you need to use more than one wireless channel.. and this hack is useless for it.

goran.skular at migo-systems dot com


This hack is "dirty." See following:

http://www.maokhian.com/wireless/wap11.html

Perhaps only turning up one channel is best?


Does this hack work with the Linksys WMP11 adapter version 2.7??


Hi!!! There is a hack of transforming AT76C510 into SmartBridge AP - more info here: http://www.fuw.edu.pl/~pliszka/hints/at76c510.html


Am I correct in assuming that all the talk of the SMC2655W is referring to V.2? Response - No, the version of the SMC2655W that is compatible is the older, larger one with the two side-mounted antennas (mine is FCC ID LLM0102WA3001A).

From: Mike Keefer - mkeefer[at]wifreenet[dot]com I have tried this hack on many different versions of WAP11 and conversion WAP11s (ME102??). I am not sure this is the right place to post, nor am I certain I am following proper netiquette by posting at the top (can't tell if I should post at the top or bottom), but here goes!

I constantly have to reset my WAP11s even when not using the "Wap11Hack", and since my particular situation puts my WAP11s into bridged mode on the rooftops of a major city block (yes, 340+ feet apart), pulling power is a PITA! Even just under normal use I see the WAP11s begin to lose packets nearly once a week (usually while I am doing something critical)... To the point: I wrote a simple little app which will RESET the WAP11 over my network (no more 2am roof walks - really ticks the neighbors off). The app needs just the target WAP11 IP address and the RW community string (your password); best part is this will even work with the new, totally crappy 2.8 versions (what I am running now). Grab it from http://www.wifreenet.com/downloads/WAP11RR.ZIP (you will need the VB6 runtimes, MSVBVM600.DLL I think), but no other OCX/DLL files are needed. For those of you who are untrusting (or want to know how to address SNMP using VB5/6) the source is also available: http://www.wifreenet.com/downloads/WAP11RR_SRC.ZIP

And yes the website (wifreenet.com) is empty at the moment, I am working on it (documenting the freenet distribution, topology and custom hardware).

Hope this helps someone else!


I have a Conceptronic C11APA GL2411AP and would like to burn D-Link FW 2.5. Can I do it???? TNX


CategoryHardware

Wap11Hack (last edited 2010-12-22 01:41:00 by 193)