So I like to tinker with stuff like Kismet, build a wifi-lan, inject some packets, see what happens. You know, experiment a bit.

To do so I got myself a nice high power wifi adapter to experiment with in a ‘controlled environment’. But when I wanted to scan the full range of channels and try some packet injection I found something was capping the maximum output power of my newly acquired gear. And on top of that it didn’t want to use the 13th and 14th channel that it should support according to the specs. What the %^&$ was going on here?

What was happening is that I stumbled upon(over) the regulatory implementation in Linux Wireless. This implements a region based limitation of features of wireless adapters based on local laws and regulations. It limits the following features:

  • Channels/frequencies that can be used
  • Channel bandwidth
  • Allowed antenna amplification
  • Allowed maximum output power

Most wireless chips support all channels and maximum power, but as a lot of things there are government rules to what we may and may not do. After the click I’ll describe the way to circumvent the limitations built into linux wireless.

In this part I’m going to show you how to add a new region (country) called HX, which does not define any limitations.

Setting the regulatory region is done based on the well known two letter country code, US/BE/DE/NL/FR and so on. Setting and getting the current setting is done with the iw command like so:

iw reg get
iw reg set <countrycode>

This manipulates the settings governed by cfg80211 kernel module. When this kernel module loads it gets the regulatory data from a (often)signed binary database that is located at /usr/lib/crda/regulatory.bin

We’re going to replace this database with our own, that is fitted with the new ‘HX’ region. To accomplish this we need to do the following:

1) Generate a new regulatory database and sign it with our own pub/priv keys

  • Download the latest wireless-regdb and unpack it
  • open db.txt in a text editor to add this to the end of the file:
country HX:
       (4910 - 5835 @ 40), (N/A, 35)
       (2402 - 2494 @ 40), (N/A, 35)
  • now save db.txt & exit the editor
  • run ‘make‘ to create the new regulatory.bin and pub/priv keys it will be signed with, the keys will be stored in $BUILDDIR/<username> (this is the public key) and ~/.wireless-regdb-<username>.key.priv.pem (this is the private key)
  • Now copy the regulatory.bin to /usr/lib/crda and make a backup copy of the old one just in case. (note: it could also be stored in /usr/lib64/crda)

2) Install the new Central Regulatory Domain Agent (crda), fitted with your public key to verify the validity of the regulatory.bin. This agent is used on load by the cfg80211 module.

  • Download the latest crda and unpack it
  • Now copy your public key (<username> from the wireless-regdb build directory to the crda-x.x.x/pubkeys directory
  • run ‘make’
  • and run ‘sudo make install’ to install the crda

3) reload the cfg80211 module

  • You can either attempt to unload & load the wireless modules including the cfg80211, but this can be cumbersome since there are some dependancies
  • A reboot will suffice

4) activate the new HX country regulatory profile

  • Run ‘sudo iw reg set HX’ to load the new regulatory profile
  • Verify if it has loaded correctly by running ‘iw reg get’ it should output the lines added to db.txt

Here is a short command glossary for easy use and to see the actual power/channels that your adapter can use:

‘iwlist <DEV> txpower’ — get the transmit power used by <DEV> (DEV is wlan0 for example)

‘iwlist <DEV> freq’ — get the supported channels by <DEV>

‘sudo iwconfig <DEV> txpower NN’ — set the transmit power to NN dB (can also use mW)

A note on the dot11MultiDomainCapabilityEnabled flag, which is by default set to ‘enabled’ in the source code, according to the cfg80211 documentation:

The Linux kernel wireless subsystem always enables the dot11MultiDomainCapabilityEnabled flag. Therefore, it tries to follow country information received in AP beacons.

If an AP supports sending the Country IE it will send the country IE appended on every beacon. Since we have an initial regulatory setting (set by the user, driver, or core) we don’t pay attention to the country IE until we try to associate to the AP.


Using a wifi device outside the ranges your local law defines could get your into trouble, be careful and don’t fry your complete neighborhood.

Happy hacking!

  1. [...] Dit blogartikel was vermeld op Twitter door Rick Deckardt, Alfons Dreschler. Alfons Dreschler heeft gezegd: RT @RickDeckardt: New article: "Regulatory limitations in Linux wireless and how to circumvent them…" #hacking [...]