Setting TXPOWER as high as your card can go


You bought a WiFi card that can be used at 500mw or even 1w. You run iwconfig and see that txpower is only set to 20. You try to set it to 30, and it doesn’t let you. You try to set your location to Bolivia, because you read that this would fix it, but it doesn’t help.

Maybe that card is an Alfa AWUS036NHA, or maybe it’s a different model.

Well it turns out that some cards have the location set in their EEPROM, so even if you are located in Canada, where you should be able to set your power to 27, you can’t go above 20 because the card thinks it’s in the UK.

Here’s how to fix it in Linux. These instructions have been tested in Backtrack 5RC3.

Here is how things work:

When the card is hooked up, a call is made to CRDA, which will set your location from the data contained on the eeprom. Then, wireless-regdb’s provided regulatory.bin file contains the appropriate restrictions to apply for this location. So all that is needed to fix this is to put a regulatory.bin that replaces the wrong country’s restrictions with the appropriate ones. However, that binary file is signed, and the system verifies it hasn’t been tampered with. Here are the simple steps you need to follow in the right order to defeat this check.

WARNING: Removing all restrictions might be illegal. Do not do it, and if you do, then that’s your decision to break the law, not mine.

  1. Ensure you have the following packages installed:  python-m2crypto libgcrypt11 libgcrypt11-dev libnl-dev
  2. Download wireless-regdb and CRDA from Be sure to grab the latest versions.
  3. Extract them, each in their own directory.
  4. In the wireless-regdb directory, you will find db.txt. This is the ASCII version of regulatory.bin. Edit it to your liking, but remember that restrictions are applied first for the “world” (00), and then for the country. So for example, BO has no restrictions, so copy that over to the “World” restrictions. See warning about legality above. Apply the proper restrictions for your country to the country your card believes it’s in. That way, your country’s restrictions will apply even for a card that believes it is for example in “GB”.
  5. make wireless-regdb.
  6. The compilation process generated a self-signed regulatory.bin. Overwrite the one that was on your system (which you should backup first) in /usr/lib/crda/regulatory.bin
  7. Copy any .pem files from the wireless-regdb extracted directory to the crda/pubkeys directory. This is what crda will use to check regulatory.bin is valid.
  8. Go into the extracted crda directory and make. If you get an access denied on key2pub, you might want to chmod +x that file.
  9. make install CRDA.
  10. Reboot and test your card. It should now be allowed to work at the maximum power allowed in your country!
Posted in Gadgets, Security and tagged , , , . Bookmark the permalink. RSS feed for this post. Leave a trackback.

53 Responses to Setting TXPOWER as high as your card can go

  1. J says:

    Tried a couple of times following along exactly as written and received no errors. Upon reboot I can change country to BO (and displays as such when getting the reg) but it still won’t allow me to increase txpower beyond 20. Any idea what the problem might be?

    I have the NHA and was using BT5R3 as well – exact same equipment.

    • Guillaume says:

      Some cards have their region burned in. This trick is to boost that region instead of trying to change to BO. Once your OS has the right settings for the region your card is in, you should be able to set the power right without switching to BO.

      What region does your card think it’s in?

      I saw this with a card locked to GB.

      • J says:

        Not sure what it thought it was originally, though I was able to change regions after your following your method and it reports back as being in BO. Based on your response I assume I could just replace the information for all of the countries and go at it that way? Or is there an easier way of going back to “stock” and just tackling the home region?

        Thanks for the help. 🙂

    • chemist says:

      The NHA can not go further than 20 tx-power, as it is not as powerful as the 036H (tx – 30) or the NH (tx 33 or smth)

      • Pi Air says:

        Open terminal in CRDA folder and type

        openssl genrsa -out your.key.priv.pem 2048

        This generates a new key, a new .pem file… Copy that to the /usr/lib/crda/pubkeys/ folder…

        go back to the crda folder and type (as superuser, else you put sudo in front of it):

        make clean


        now you won’t get a Database signature verification failed error… Reboot, done! Now it works for me too, in Kali…

        Hope this helps

        • Pi Air says:

          [email protected]:~# dmesg | tail
          [43991.791414] ath: Country alpha2 being used: GB
          [43991.791415] ath: Regpair used: 0x37
          [43991.796030] ieee80211 phy2: Atheros AR9271 Rev:1
          [43991.796068] cfg80211: Calling CRDA for country: GB
          [43991.828097] cfg80211: Regulatory domain changed to country: GB
          [43991.828101] cfg80211: DFS Master region: unset
          [43991.828101] cfg80211: (start_freq – end_freq @ bandwidth), (max_antenna_gain, max_eirp)
          [43991.828103] cfg80211: (2402000 KHz – 2482000 KHz @ 40000 KHz), (N/A, 3000 mBm)
          [43991.828104] cfg80211: (5735000 KHz – 5835000 KHz @ 40000 KHz), (N/A, 3000 mBm)
          [44041.070262] IPv6: ADDRCONF(NETDEV_UP): wlan1: link is not ready
          [email protected]:~# iwconfig wlan1
          wlan1 IEEE 802.11bgn ESSID:off/any
          Mode:Managed Access Point: Not-Associated Tx-Power=30 dBm
          Retry short limit:7 RTS thr:off Fragment thr:off
          Encryption key:off
          Power Management:off

  2. Rich says:

    Cheers for the guide man, got as far as installing CRDA and I get the following error:

    install: cannot stat `regdbdump’: No such file or directory
    make: *** [install] Error 1

    any ideas?



    • Guillaume says:

      It seems that either you don’t have the proper permissions (are you root, using su?) OR maybe regdbdump isn’t available. What distro are you using?

    • Mr-Protocol says:

      Rich, do you have ia32-libs installed? That might resolve your issue if you are on a 64 bit Linux OS.

  3. 11idan1q says:

    I am running BT5RC3 and have both an Alfa AWUS036H and AWUS036NH. A few months ago I was easily able to do this on the H but when I was trying again on the NH (or the H again after a fresh re-install for that matter) I was unable to move it off 20dbm after I modified the db.txt and copied the files etc. If I copied the backup regulatory.bin back over and restarted, I could do the normal iw reg set BO and get it to 30dbm again but not 33 where the NH loves to play :).
    I found the solution was that I was doing a ‘make’ for both the wireless-regdb and the crda instead of a make on the wireless-regdb and a make install on the crda. Once I did that, everything came good. Hope this helps someone.

  4. Mr-Protocol says:

    Rich, do you have ia32-libs installed? That might resolve your issue if you are on a 64 bit Linux OS.

  5. nico says:

    Hey, thanks. works like a charm in ubuntu 12.04. you don’t even need to build crda! if you do that, then it won’t work (database verification failed for me). just build the regulatory.bin and put in in /lib along with the keys. awus036nha

  6. Jon says:

    Hi. I am a total noob and cannot extract the latest-regulatory.bin in bt5r3. Please can someone let me know what command I should be using? ./latest-regulatory.bin is giving an error. (I have run chmod +x on the file already). Thanks

    • Matt says:

      The file you mentioned is in binary format, there is nothing to extract from it…
      By issuing the command ./latest-regulatory.bin you are telling the system to run the file as if it were a program or script, but it isn’t either and therefore you get an error.
      Files that you can extract in linux typically have an extenstion “.tar.gz” or “.tgz” and you would extract them with the command tar -xvzf filename.tar.gz

  7. Marco says:

    I can’t believe how long it took me to find this solution and I wanted to show my gratitude by saying “thanks” – “iw phy1 info” shows 30 dBm and my regulatory domain (which is hard-coded to GB in firmware) now reports 30 dBm. Once again, thank you sir 🙂

    • bruno says:

      Hi Marco,

      I am still trying to get my working properly… I already did all the steps, but when I try to change to BO it doesn’t work, keeps the previous settings 00:

      I really would appreciate any help!

      Thanks bruno.

  8. Pascal says:

    I tried tailing the log/message to get my region but nothing is there. I edited the 00 World region and tried to make wireless-regdb but get this error msg:

    make: *** No rule to make target `wireless-regdb’. Stop.

  9. Max says:

    I got a porblem.
    I’m using Kali Linux (intel verison) and own the alfa awus036nha.

    I don’t know how to download and install ‘python-m2crypto libgcrypt11 libgcrypt11-dev libnl-dev’ on Kali Linux,
    so I just started with step 2.
    everything works fine from step 2 to step 7, but in step 8 I got an issue.
    I go to my extracted crda directory an want to make but it gives me an error:
    “Makefile:76: *** Cannot find development files for any supported version of libnl.”

    So I tried to reboot and test if it works anyways.
    I typed in: iw reg get
    And it showed country 00 with my edited settings, but if I try to set it higher then 20db it still gives me an error.

    Please help :/

    • Pascal says:

      apt-get install “package name”

    • Bruno says:

      He Max, I am having the same issue, after following all those steps, now when I try to set any different country such as BO or even US it doesn’t work…. Only shows me: iw reg get : 00
      Like I don’t know how to make the changes on the db.txt affective. I am editing with vi but for some reason it doesn’t work… thanks guys!

  10. Rick says:

    Thank you very much for this. I have spent at least a week scouring the ‘internets’ for information on this subject.

    My situation differs in the details but want to achieve the same goal. I am using a Netgear WNDR3700v1 flashed with the latest dd-wrt firmware build specific to my model. It appears to offer the option to adjust the tx power but actually default to world or ‘least common denominator’ mode. Limiting my transmit power severely, 17Dbm. 🙁

    I was wondering if anyone here is familiar with dd-wrt implementation and could lend some insight. I am contemplating ssh’ing into the firmware from my MacBook Pro to make the necessary adjustments. I have been all over the dd-wrt forums and ‘Googled’ the sh*t out of this. I can’t even find a good list of the reg-domains by country. The dd-wrt should allow this mod. It’s open source (I know) and Linux based (I believe). There are a bunch of fellow hobbyists out here in userland that are trying to do this same thing. It’s hard to believe there isn’t more out there about this, on any platform.


  11. bruno says:

    Hi Guys,

    In the wireless-regdb directory, I can’t find the db.txt. I am running Kali 64bits…


  12. Paul says:

    ok, so it worked for me. I got 30dBm until I rebooted my machine and now I’m getting

    “:~# iwconfig wlan1 txpower 30
    Error for wireless request “Set Tx Power” (8B26) :
    SET failed on device wlan1 ; Invalid argument.

    Any ideas??? My rt3070l will still go to 30dBm just not my AWUS036NHA 🙁

  13. Phil says:

    Cheers for this bud, i have BO in my iw reg get result, im using the AWUS036NHA device can’t get it go above 20 on ubuntu 12.04

    Didnt need to follow the steps above as mine already shows BO or have i missed the point?

    Cheers in advance.


  14. Ryoko says:

    I’ve used this guide with Kali but I needed to make a temporary folder in /usr/lib/ by copying the original CRDA folder from /lib to compile properly. So I just did the MAKE magic in the temporary folder and then copied the results over the real CRDA folder. Worked like a charm for my awus036nha. Running at 27dBm. It can run up to 28dBm (The signal amp chip on this can theoretically take 30dBm, I wouldn’t recommend doing this though. Might burnout your chip.), but that would require a Y usb cable anyway. The max any usb port can deliver is 500mw.

    Source for power limits here. See the link for the skyworks chip for limitations.

  15. Pingback: Maximizing the Tx-Power of Alfa AWUS036NHA | A Teen's Blog

  16. crashdogy says:

    how to make ??? 5.make wireless-regdb

  17. cashdogy says:

    ok, got it now, but get error when make crda (make:** [verify] error 234) its at the end when this pops up.

  18. crashdogy says:

    Dame it that is a real pain in the A## its so finicky on how you do it. but thanks its working

  19. kal says:

    Hi I am getting errors on Ubuntu 12 when I try and make the reg-db file:

    ubuntu:~/Downloads/tmp/wireless-regdb$ make wireless-regdb
    make: *** No rule to make target `wireless-regdb’. Stop.

    Any ideas what I am doing wrong?

    • JoeBlow says:

      Hello Kal, don’t type the “wireless-regdb” text there… open the wireless-regdb folder and right-click an empty spot in there and scroll down to “open terminal here” and click. Then at the prompt just type:
      and then hit ENTER. Then continue with the steps. Good luck!

  20. nomoi says:

    hi how do you solve this “reboot” issue on a liveusb version
    reload modules?

  21. x says:

    To make do the following:
    1. apt-get install pkg-config
    2. make clean
    3. make
    4. make install

    pkg-config is needed in the makefile. You could edit the file but it is easier to just install the program.

  22. JoeBlow says:

    I forgot to save my modified db.txt before doing the rest of the steps. How do I undo all of this so I can start fresh?
    (i’m a noob! lol)

  23. miked says:

    I did all the steps and because i am using kali linux i had to copy crdp to /usr/lib/crdp to make. Well i forgot to delete it before i rebooted and now kali wont boot it freezes at the login screen with the mouse and the loading symbol. I loaded up my kali live cd and deleted the folder in /usr/lib but it still wont boot. Any ideas how to fix it ?

  24. DR says:

    Running Ubuntu 12.04. Having trouble with an AWUS036NHA. My 036H can be set to 30dbm using set reg BO, but that’s not working for the 036NHA. I looked under dmesg and found exactly the problem described here:

    cfg80211: Ignoring regulatory request Set by core since the driver uses its own custom regulatory domain
    cfg80211: Calling CRDA for country: BO
    cfg80211: Ignoring regulatory request Set by user since the driver requires its own regulatory domain to be set first
    cfg80211: Regulatory domain changed to country: BO

    and later …

    cfg80211: Regulatory domain changed to country: GB

    I haven’t tried any of the fixes yet, but I do see that I have an /etc/default/crda, and that the variable REGDOMAIN is not set.

  25. Pi Air says:

    I’ve been busy for over 5 hours now and finally i got it working…

    Every time I tried to make the crda it gave an error, Database signature verification failed…

    So I read the README in the CRDA folder, and no one behold, the answer…. Open terminal in CRDA folder and type

    openssl genrsa -out your.key.priv.pem 2048

    This generates a new key, a new .pem file… Copy that to the /usr/lib/crda/pubkeys/ folder…

    go back to the crda folder and type (as superuser, else you put sudo in front of it):

    make clean


    now you won’t get a Database signature verification failed error… Reboot, done! Now it works for me too, in Kali…

    Hope this helps

    Pi Air

  26. Pi Air says:

    Ow i forgot to mansion that the Makefile needs to be edited too…

    Mine looks like this… And I use Kali

    # Modify as you see fit, note this is built into crda,
    # so if you change it here you will have to change crda.c

    PREFIX ?= /usr/
    MANDIR ?= $(PREFIX)/share/man/

    SBINDIR ?= /sbin/

    # Use a custom CRDA_UDEV_LEVEL when callling make install to
    # change your desired level for the udev regulatory.rules
    # You can customize this if your distributions uses
    # a different location.

    # If your distribution requires a custom pubkeys dir
    # you must update this variable to reflect where the
    # keys are put when building. For example you can run
    # with make PUBKEY_DIR=/usr/lib/crda/pubkeys

    CFLAGS += -Wall -g

    all: all_noverify verify

    all_noverify: crda intersect regdbdump

    ifeq ($(USE_OPENSSL),1)
    CFLAGS += -DUSE_OPENSSL -DPUBKEY_DIR=\”$(RUNTIME_PUBKEY_DIR)\” `pkg-config –cflags openssl`
    LDLIBS += `pkg-config –libs openssl`

    reglib.o: keys-ssl.c

    LDLIBS += -lgcrypt

    reglib.o: keys-gcrypt.c

    MKDIR ?= mkdir -p
    INSTALL ?= install

    NL1FOUND := $(shell pkg-config –atleast-version=1 libnl-1 && echo Y)
    NL2FOUND := $(shell pkg-config –atleast-version=2 libnl-2.0 && echo Y)
    NL3FOUND := $(shell pkg-config –atleast-version=3 libnl-3.0 && echo Y)
    NL32FOUND := $(shell pkg-config –atleast-version=3 libnl-3.2 && echo Y)

    ifeq ($(NL32FOUND),Y)
    NLLIBS += $(shell pkg-config –libs libnl-genl-3.2)
    NLLIBNAME = libnl-3.2
    ifeq ($(NL3FOUND),Y)
    NLLIBS += $(shell pkg-config –libs libnl-genl-3.0)
    NLLIBNAME = libnl-3.0
    ifeq ($(NL2FOUND),Y)
    NLLIBS += -lnl-genl
    NLLIBNAME = libnl-2.0
    ifeq ($(NL1FOUND),Y)
    NLLIBNAME = libnl-1

    ifeq ($(NLLIBNAME),)
    $(error Cannot find development files for any supported version of libnl)

    NLLIBS += `pkg-config –libs $(NLLIBNAME)`
    CFLAGS += `pkg-config –cflags $(NLLIBNAME)`

    ifeq ($(V),1)
    [email protected]
    [email protected]
    [email protected]

    $(NQ) ‘ EXIST ‘ $(REG_BIN)
    $(NQ) ERROR: The file: $(REG_BIN) is missing. You need this in place in order
    $(NQ) to verify CRDA. You can get it from:
    $(NQ) $(REG_GIT)
    $(NQ) “Once cloned (no need to build) cp regulatory.bin to $(REG_BIN)”
    $(NQ) “Use \”make noverify\” to disable verification”
    $(Q) exit 1

    keys-%.c: utils/ $(wildcard $(PUBKEY_DIR)/*.pem)
    $(NQ) ‘ GEN ‘ [email protected]
    $(NQ) ‘ Trusted pubkeys:’ $(wildcard $(PUBKEY_DIR)/*.pem)
    $(Q)./utils/ –$* $(wildcard $(PUBKEY_DIR)/*.pem) [email protected]

    %.o: %.c regdb.h reglib.h
    $(NQ) ‘ CC ‘ [email protected]
    $(Q)$(CC) -c $(CPPFLAGS) $(CFLAGS) -o [email protected] $/dev/null

    %.gz: %
    @$(NQ) ‘ GZIP’ $<
    $(Q)gzip < $ [email protected]

    install: crda crda.8.gz regdbdump.8.gz
    $(NQ) ‘ INSTALL crda’
    $(Q)$(INSTALL) -m 755 -t $(DESTDIR)/$(SBINDIR) crda
    $(NQ) ‘ INSTALL regdbdump’
    $(Q)$(INSTALL) -m 755 -t $(DESTDIR)/$(SBINDIR) regdbdump
    $(NQ) ‘ INSTALL $(UDEV_LEVEL)regulatory.rules’
    @# This removes the old rule you may have, we were not
    @# putting it in the right place.
    $(Q)rm -f $(DESTDIR)/etc/udev/rules.d/regulatory.rules
    $(Q)sed ‘s:$$(SBINDIR):$(SBINDIR):’ udev/regulatory.rules > udev/regulatory.rules.parsed
    $(Q)ln -sf regulatory.rules.parsed udev/$(UDEV_LEVEL)regulatory.rules
    $(Q)$(INSTALL) -m 644 -t \
    $(NQ) ‘ INSTALL crda.8.gz’
    $(Q)$(MKDIR) $(DESTDIR)$(MANDIR)/man8/
    $(Q)$(INSTALL) -m 644 -t $(DESTDIR)/$(MANDIR)/man8/ crda.8.gz
    $(NQ) ‘ INSTALL regdbdump.8.gz’
    $(Q)$(INSTALL) -m 644 -t $(DESTDIR)/$(MANDIR)/man8/ regdbdump.8.gz

    $(Q)rm -f crda regdbdump intersect *.o *~ *.pyc keys-*.c *.gz \
    udev/$(UDEV_LEVEL)regulatory.rules udev/regulatory.rules.parsed

    • luca says:

      at the end i have this problem:
      Makefile:76: *** Cannot find development files for any supported version of libnl. Arresto.


Leave a Reply

Your email address will not be published. Required fields are marked *

Swedish Greys - a WordPress theme from Nordic Themepark.