A Lot Of WiFi Power, A Yagi, And A Sniper’s ‘Scope

Do you remember the early days of consumer wireless networking, a time of open access points with default SSIDs, manufacturer default passwords, Pringle can antennas, and wardriving? Fortunately out-of-the-box device security has moved on in the last couple of decades, but there was a time when most WiFi networks were an open book to any passer-by with a WiFi-equipped laptop or PDA.

The more sophisticated wardrivers used directional antennas, the simplest of which was the above-mentioned Pringle can, in which the snack container was repurposed as a resonant horn antenna with a single radiator mounted on an N socket poking through its side. If you were more sophisticated you might have used a Yagi array (a higher-frequency version of the antenna you would use to receive TV signals). But these were high-precision items that were expensive to buy, or rather tricky to build if you made one yourself.

In recent years the price of commercial WiFi Yagi arrays has dropped, and they have become a common sight used for stretching WiFi range. [TacticalNinja] has other ideas, and has used a particularly long one paired with a high-power WiFi card and amplifier as a wardriver’s kit par excellence, complete with a sniper’s ‘scope for aiming.

The antenna was a cheap Chinese item, which arrived with very poor performance indeed. It turned out that its driven element was misaligned and shorted by a too-long screw, and its cable was rather long with a suspect balun. Modifying it for element alignment and a balun-less short feeder improved its performance no end. He quotes the figures for his set-up as 4000mW of RF output power into a 25dBi Yagi, or 61dBm effective radiated power. This equates to the definitely-illegal equivalent of an over 1250W point source, which sounds very impressive but somehow we doubt that the quoted figures will be achieved in reality. Claimed manufacturer antenna gain figures are rarely trustworthy.

This is something of an exercise in how much power you can push into a WiFi antenna, and his comparison with a rifle is very apt. Imagine it as the equivalent of an AR-15 modified with every bell and whistle the gun store can sell its owner: it may look impressively tricked-out, but does it shoot any better than the stock rifle in the hands of an expert? As any radio amateur will tell you, a contact can only be made if communication can be heard in both directions, and we’re left wondering whether some of that extra power is wasted, since even with the Yagi the WiFi receiver will be unlikely to hear the reply from a network responding at great distance using its stock legal antenna and power. Still, it does have an air of wardriver chic about it, and we’re certain it has the potential for a lot of long-distance WiFi fun within its receiving range.

This isn’t the first wardriving rifle we’ve featured, but unlike this one you could probably carry it past a policeman without attracting attention.
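The arithmetic behind the 61dBm figure and the two-way point above, as an added example that is not part of the original post or [TacticalNinja]’s project: it converts the quoted 4000mW and 25dBi into EIRP, applies the FCC Part 15.247 antenna-gain rule a commenter quotes further down (1dB less conducted power for every 3dB of gain over 6dBi), and compares free-space range in each direction. The access point’s 20dBm output and 2dBi antenna, the -90dBm receiver sensitivity, the 1W conducted base limit and channel 6 (2.437GHz) are assumed values, not from the page.

```python
"""Link-budget arithmetic for the figures quoted in the article.

Added example, not code from the original post or the project it describes.
Assumed (not on the page): AP transmit power 20 dBm, AP antenna 2 dBi,
receiver sensitivity -90 dBm, 2.437 GHz (channel 6), free-space propagation,
and 1 W as the 15.247 conducted-power base limit.
"""
import math

FCC_BASE_CONDUCTED_DBM = 30.0   # assumed 1 W base limit for the 2.4 GHz band
FCC_GAIN_ALLOWANCE_DBI = 6.0    # directional gain permitted without any power reduction


def mw_to_dbm(mw: float) -> float:
    return 10.0 * math.log10(mw)


def dbm_to_w(dbm: float) -> float:
    return 10.0 ** (dbm / 10.0) / 1000.0


def eirp_dbm(tx_mw: float, antenna_dbi: float) -> float:
    """Conducted power plus antenna gain: the article's '61dBm' figure."""
    return mw_to_dbm(tx_mw) + antenna_dbi


def fcc_15_247_max_conducted_dbm(antenna_dbi: float) -> float:
    """Max conducted power for a fixed point-to-point link with this antenna gain."""
    excess_gain = max(0.0, antenna_dbi - FCC_GAIN_ALLOWANCE_DBI)
    return FCC_BASE_CONDUCTED_DBM - excess_gain / 3.0


def conducted_excess_db(tx_mw: float, antenna_dbi: float) -> float:
    """How far (dB) the conducted power sits above the 15.247 figure; <= 0 means within it."""
    return mw_to_dbm(tx_mw) - fcc_15_247_max_conducted_dbm(antenna_dbi)


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Friis free-space loss between isotropic antennas."""
    return 20 * math.log10(distance_m) + 20 * math.log10(freq_hz) - 147.55


def max_range_m(tx_dbm, tx_gain_dbi, rx_gain_dbi, rx_sens_dbm, freq_hz):
    """Largest free-space distance at which received power still meets the sensitivity."""
    budget_db = tx_dbm + tx_gain_dbi + rx_gain_dbi - rx_sens_dbm
    # Invert FSPL: 20*log10(d) = budget - (20*log10(f) - 147.55)
    return 10 ** ((budget_db - (20 * math.log10(freq_hz) - 147.55)) / 20)


def two_way_ranges(rifle_tx_dbm, yagi_dbi, ap_tx_dbm, ap_dbi, sens_dbm, freq_hz):
    """(rifle->AP range, AP->rifle range, usable range). The Yagi gain appears in
    both directions; only the transmit power differs, so the AP's reply is the limit."""
    forward = max_range_m(rifle_tx_dbm, yagi_dbi, ap_dbi, sens_dbm, freq_hz)
    reverse = max_range_m(ap_tx_dbm, ap_dbi, yagi_dbi, sens_dbm, freq_hz)
    return forward, reverse, min(forward, reverse)


if __name__ == "__main__":
    e = eirp_dbm(4000, 25)
    print(f"EIRP {e:.1f} dBm = {dbm_to_w(e):.0f} W equivalent point source")
    print(f"15.247 allows {fcc_15_247_max_conducted_dbm(25):.1f} dBm conducted with 25 dBi; "
          f"4000 mW is {conducted_excess_db(4000, 25):.1f} dB over that")
    fwd, rev, usable = two_way_ranges(mw_to_dbm(4000), 25, 20, 2, -90, 2.437e9)
    print(f"forward {fwd/1000:.0f} km, reply {rev/1000:.0f} km, link limited to {usable/1000:.0f} km")
```

The free-space ranges are optimistic by design; the point is the ratio, which is set entirely by the 16dB transmit-power asymmetry.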

51 thoughts on “A Lot Of WiFi Power, A Yagi, And A Sniper’s ‘Scope”

      1. This. Thank you

        dBm is a total amount of power, easily used for conducted energy like in a transmission line. Once you are radiating power, you have to either look at total radiated power, which is still 4W, or look at a field strength in a particular dimension. This is what the “antenna factor” parameter is for on an antenna. It lets you easily convert signal power (dBm) at the antenna feed to radiation field strength (V/m) in a particular direction. Gain just tells you how non-spherical the pattern is (and some indication of the antenna factor). Gain happens to be much more useful for link budgeting (where you have an antenna on each side of the radiation), so it’s super common to talk about.

    1. Also realize that antenna gain doesn’t increase power, it concentrates it. The 1.25kW transmitters that they are comparing to would be radiating in every direction, but this only transmits power in a narrow arc (and is very weak in other directions); it still only has a total output power of 4W… Just directed into a small arc.

      Secondly, if the target has a bad receiver (i.e. high noise figure) and his receiver is good… The power may actually be useful. The 25dBi works both ways. Assume the target has a 100mW transmitter. If the noise figure of that receiver is 16dB worse than your receiver you need the extra transmission power to make the link work equally in both directions.

      1. Plus, an antenna will not just transmit better, it will also RECEIVE better.

        Assuming that both stations have receivers with the same performance, upgrading an antenna will benefit traffic in both directions, so there is no down side (except for being directional — have to aim it). Just blindly transmitting more power is likely to allow you be heard, but you still might not be able to hear the other station, and is hence useless unless you also boost the TX power at the other end.

  1. > even with the Yagi the WiFi receiver will be unlikely to hear the reply from a network responding at great distance using the stock legal antenna and power.

    I know nutin’ about all this RF black magic, but doesn’t the gain of an antenna work both ways? I.e. doesn’t it improve the transmission and reception in a given direction by the same factor?

      1. Antenna “gain” essentially comes from geometry – “concentrating” the radiation in one direction.
        So a very high gain antenna is great if the geometry between the Tx and Rx is well defined, controlled and consistent – like a point-to-point microwave link – but useless for anything where it may be variable.

    1. Yes, gain of antenna is reciprocal.

      But the text says “4000mW” from the transmitter, which is 4 Watts. That seems a whole lot more than legal. If so, his signal is much stronger than at the other end. So his signal will be stronger, but the other end won’t be. If the other end can’t overcome the losses, he can transmit but not receive properly.


      1. Chinese power claims on knockoffs of ALFA Network’s original wifi adaptors are wildly exaggerated:

        No.1: If said wifi adaptor is going to work without an extra wall-wart, it cannot use more than 500mA from the USB port, which equals 2.5W electrical power. That can no way become 4W RF power!!!
        No.2: Whichever shady Chinese electronics exporter had better comply with the destination country’s legislation, or they get raided if they export! The original, around 2005, ALFA AWUS036h claimed 1W transmit power, but the US version was throttled to 500mW and the EU version around 80-100mW. An often used sales trick is however to add antenna gain to the RF power to get more impressive numbers to write on the box.

        However, the original ALFA brand wifi adaptors and many of the copies are capable of outputting 1-1.5W, but it takes EEPROM editing, and there is no control of RF power in the driver. The EEPROM on the RTL8187L chip has some addresses with settable flags for user control of RF power, but the values to put in are not public information outside Realtek in Taiwan!

        There is however the famous “rtl8187 Mass production kit” (XP only software from a Chinese and a Polish website) for EEPROM editing and testing ALFA adaptors that lets you choose peak TX power, and it works, but it is not exactly the user-friendly solution for adjusting TX power on the fly when you change antennas.

        The way these high power adaptors work is by adding 1-3 TX PA IC stages after the radio chip that are enabled in bursts on transmitting, so it is not like they are running full power all the time anyway! Another thing I found out was that upping TX peak power heated the adaptor substantially and, possibly because of the higher temperature, made the receiver less sensitive. Setting full power during an upload test into a dummy load drew 980mA on my bench PSU supported USB port. And my simple diode RF power meter confirmed that TX power was 20 times my normal 60mW wifi stick, so around 1200mW from the AWUS036h if you crank it up!

        If you want ridiculously long range wifi, go for the adaptor with the highest receive sensitivity and add the highest gain antenna you can carry. Transmit power will get you nowhere.

        The antenna in the article looks less than optimal: The tubes used for directors on the Yagi are too thick for 2.4GHz. 2.4mm diameter is max at these frequencies. Secondly, using a metallic, electrically connected boom is also wasteful at these frequencies. He does need a balun for an antenna like that; running the cable straight to the folded dipole wastes at least a third of the power radiating off the coax shielding, and likewise when he’s receiving. A folded dipole in free space has an impedance of 300 ohm. In a Yagi, it has less: 70-200 ohm depending on the spacing of the first director and the reflector, so impedance matching is not the issue here, but the fact that a folded dipole has to be fed balanced and a coax is unbalanced is serious. I’ve had great success with using a folded balun (that’s a name for a type of balun) on these frequencies, which is only 2:1 as opposed to the more traditional 4:1 coax balun used on UHF.

        1. Answering my own post: The performance test result in the project article is not very impressive and could be achieved with a proper antenna and 30mW of TX power! For comparison, with a measured 15dBm, 16 element yagi and a 40mW wifi adaptor (and no nonsense high power TX PA in between) I’ve achieved a solid 11Mb/s link with an AP 1.2 miles away, and I bounced the signal off a high-rise facade to get around a building that was in between!!

          Radio amateurs do 10GHz voice comms 50mi on 20mW TX power with a dish at each end! This guy is asking for trouble. I doubt his setup actually will work for data transfer because of massive multi-path interference. He does however have a somewhat directional jammer and can swamp out people’s wifi from a distance!!

          1. Since the P in PMPO is peak, it’s certainly possible to store large amounts of energy in capacitors for very short peaks without needing a large power supply. The majority of energy in a wave is well below the peak.

        2. To answer #1:

          The wall-wart in question is a 12-volt 1-amp one; the external power supply I made for this is using a step-up DC-DC converter which is rated for a 3-amp input, and max 2.5-amp output. I paired this with a 2000mAh li-poly cell. The only thing running off from the USB is the Alfa card. The amplifier is powered by the battery pack.

          1. Not to diss you, but I’m criticizing crazy manufacturers’ claims that defy the laws of physics, not your math skills. Naturally you would need a separate power supply for the amp, but your wifi adapter before the amp is not putting out watts of power. I’ve recently done an experiment somewhat related: Public buses have just been installed with free open wifi through a cellular modem access point on each bus. The SSID is common for all the buses, so I wondered if a good directional antenna would be able to look far enough down the street to give me continuous coverage roaming from bus to bus, connecting to the best signal. In the rush hour 2 to 5 buses are always in range of my yagi, so my PC just connects with the strongest signal and has a continuous connection. First is through a captive portal that consists of clicking a button, then my MAC is saved server side by the bus company, so the next bus I connect to gives me access right away as if I was still connected to the first bus. So it really works seamlessly for a full hour, after which I have to go through the portal again to renew my lease, but that could be automated.

  2. No, the antenna gain goes both ways. It will help you transmit, but also help you receive the signal from the router. It even helps more in reception than transmission. While in transmission your signal will be stronger in the pointing direction, the router with its omni antenna is still receiving interference from all directions. Your signal may thus get lost in a collision with another network. On reception you not only improve the reception in the wanted direction, but also attenuate the signals coming from other directions, making collisions much less likely.

    1. EDIT: Connecting a 2000mW radio to a 4000mW amplifier seems wrong. This only adds 3dB which has almost no effect on range (x1.4 theoretically). Furthermore, I would expect the amplifier to be designed for more modest input powers (10-100mW or so). With this high power, assuming the amp doesn’t just break, I would expect the signal to get seriously distorted due to gain compression.

    2. With the higher transmit power of this thing, you can theoretically ‘call’ an access point that is not powerful enough to be heard in reply.

      I don’t see this as an issue, though. You’re out to discover new APs; if you can’t receive it, you haven’t discovered it.

  3. The 25dB claimed is probably based on a theoretical maximum achievable for a standard Yagi with that number of elements. The manufacturer is unlikely to be able to afford to quantitatively test this, or test the loss of the balun, let alone put the right screws in it. Tuned up and tweaked though, this yagi could be 20 to 23 dBi gain, highly directional, with I am guessing about a 10 degree beamwidth. 4W input will realistically output ~400W ERP in the direction it is pointed. The scope is an unnecessary convenience, unrelated to the antenna beamwidth, but will likely scare the crap out of anyone non-technical seeing its use. Do not point this thing at police cars, you may end up with lead poisoning. And probably obvious but of course don’t point it at people within a few inches of the business end of the antenna.

    Electrically and functionally, it is a very cool hack project. Thanks for posting it.

      1. Maybe a [military-esque] small array of them on amiable platform to work out the direction of the signal and once targeted filter out reflections. Or perhaps a 3D version of the 2D wave guide array nantenna that was on here a while back. I had a go at printing them with a LightScribe onto a stack of CDs a while back, just to see if I can, with limited success.

    1. About 5 years ago I literally built this device, complete with an airsoft AR-15 body for aiming and a tripod/bipod mount. Scope, the whole nine yards. I eventually wanted to take angle measurements from an I2C sensor and GPS at the pull of the trigger. I put the thing together, took it out one evening, and got ready to “scan” a couple of the high rises in the area and realized exactly what it would look like. My locale isn’t one where you can even think about doing something like this.

      Scared the bejeezus out of me. Took it apart in the back seat of the car. Eventually tried out the forward portion of the assembly (I had to counter-balance the “barrel”), and got some pretty good results. I’ll have to see if I can find the pictures I took, for that brief moment where I was proud of my creation.

      High on the list of my “stupids”, and I’ve built some pretty amazingly dangerous items in my life.

  4. I don’t think a “sniper scope” is a thing, I believe you mean a rifle scope… Misusing phrases like this just feeds the stupidity surrounding firearms and people’s opinions about them.

      1. I fucking hate apostrophes… …but first let’s get some definitions out of the way.

        Apostrophe- this mark of punctuation has three distinct jobs: to show possession, make contractions, and form odd plurals.

        Sniper- …is a marksman or qualified specialist who operates alone, in a pair, or with a sniper team to maintain close visual contact with the enemy and engage targets from concealed positions or distance.

        The term in question- “SNIPER’S ‘SCOPE”… we don’t care about “‘scope”- it’s a contraction and completely viable on its own. “Sniper’s”… /Sniper/ is a noun that requires a qualifying verb. For something to be a sniper-anything it has to be engaged in the act of. There is no such thing as a ‘sniper rifle’ or an ‘assault rifle’; walk into any gun store and ask the person at the counter to purchase either of these items and prepare for an introduction to shit customer service.

        Point is- they are terms of contention. Kinda stupid, sure but it is what it is.

        1. Could I snipe cans from 300′ away or must one be a professional marksman paid by the government? I’m joking, you already fixed that. :P

          I’m pedantic about weapon terminology as well, but even some bb rifles market them as “sniper scopes”.

  5. I know this is being pedantic but, given this is a tech site, it helps to be accurate. The old VHF TV antennas were log-periodic, not yagi. The Wikipedia entry for ‘Log-periodic antenna’ describes the difference.

    1. Given that this was written from the UK, almost all our TV antennas, UHF and including a lot of the VHF ones were or are some form of Yagi. There are a few UHF log-periodics, but they’re very rare. I can’t speak for other parts of the world.

  6. Seems like a great idea and similar to something I designed for Bluetooth years ago. However there really is no need for a super overpowered transmission amp. By adding more output power you start to degrade your receive performance unless you are switching the transmit and sadly not many transmitters are able to do that.

    Standard low power gear with high gain antennas can do really long range by having a better receive side. We did 2.4GHz links over distances of 30 to 40 Km even over water, and had licenced 2.3GHz links stable over 50+Km.

  7. FCC part 15.247 has the rules. http://www.ecfr.gov/cgi-bin/text-idx?node=pt47.1.15&rgn=div5#se47.1.15_1247

    Which includes this relevant bit requiring a system with a high gain antenna be “used exclusively for fixed, point-to-point operations”. So an antenna attached to a portable gun-shaped stick may not qualify if it’s transmitting while it moves around. He could move it while it’s passively listening for a signal, but once zoned in he’d have to leave the antenna in the fixed position during transmission. Which is the general idea, but it d

    (i) Systems operating in the 2400-2483.5 MHz band that are used exclusively for fixed, point-to-point operations may employ transmitting antennas with directional gain greater than 6 dBi provided the maximum conducted output power of the intentional radiator is reduced by 1 dB for every 3 dB that the directional gain of the antenna exceeds 6 dBi.
    (iii) Fixed, point-to-point operation, as used in paragraphs (c)(1)(i) and (c)(1)(ii) of this section, excludes the use of point-to-multipoint systems, omnidirectional applications, and multiple co-located intentional radiators transmitting the same information. The operator of the spread spectrum or digitally modulated intentional radiator or, if the equipment is professionally installed, the installer is responsible for ensuring that the system is used exclusively for fixed, point-to-point operations.

  8. Thanks for featuring my project here!

    As I was reading through the comments I’d also like to make my point.

    1. It’s true that the antenna gain goes both ways. That’s why in my tests I also included the RSSI (-db) along with the signal strength (“%” strength indicator). The signal strength can be 100%, but the RSSI can be somewhere between (-0db???) -1db to -25db.

    2. It’s also true that the amplifier only works one way. Think of it as two people talking a few meters apart. The amplifier just amplifies one person’s voice, but not his hearing. The person on the other end can hear it, but is not able to reply. This application can still be useful for DeAuth Attacks.

    3. I mentioned in my article that I have used a sketchy Chinese knock-off. So the specs, and quality of it may be questionable. However, I did modifications to it, which may have altered how it performs. Although looking at legitimate 15 element WiFi yagi antennas, these actually go around 16dBi to 18dBi.

    4. One thing to mention is the noise output of WiFi amplifiers in general. I have read through several forums that other than it being useless in communication both ways, it also increases the noise levels. I don’t have proper test equipment for these scenarios, but one thing is for sure. At very short ranges, it’s unable to detect my router. Probably drowning the beacons sent out.

    5. I may have missed mentioning the amplifier in question. It’s from Edup. It’s branded as a 4000mW amplifier, but as everyone else mentions, realistic figures may have been exaggerated.

  9. I did think of a rationale for having a bit higher tx gain, you’ve no idea, how ugly the noise floor is on the receiving equipment the other end, so a few more dB can ensure that you are heard.
