DIY Box Reflector - sick gainz!

The gear needed for wardriving

5 posts • Page 1 of 1

Postby SkywardLark » Tue Sep 14, 2021 3:50 am

This is not my original idea, it's my practical implementation of the Ez-10 corner reflector. It makes omnis directional like a dish would but it's less picky about conditions. You can make this thing in 15 minutes, it costs nothing and it folds for storage. I got a ~10 dBm difference in software to a faraway 2.4 GHz access point. That represents about a tenfold difference in received signal power.

Materials:
-Your favorite USB wifi adapter + USB extension cable

Recommended: $16 Terow ROW02CD AC1200M (MediaTek MT7612U) with CD driver. No CD version causes annoyances in Windows. https://smile.amazon.com/dp/B086L6TR6G/
The Terow is similar to the Alfa AWUS036ACM but 3x cheaper, lacks any accessories and has poorer construction. I own both and they're functionally almost the same. MT76 adapters are infamous for being more hassle free.
Linux: Drivers already there. Supports pentesting features on both bands. Do not try to go directly from monitor to AP mode, needs to be in managed first. This is the only quirk I can think of.
Windows: Use NetGear A6210 drivers. Few extra settings compared to the ones on MediaTek's website.

-Boxcutter
-Rectangular box, as big as you can feasibly make and use
Recommended: Used USPS 1095 priority box
Approx: 15" (L) x 12" (W) x 3-1/8"(H)
-Shipping Tape
-Aluminum Foil

Warning: Exceeding EIRP limits is generally illegal.
Warning 2: Highly directional equipment may skew Wigle data. Use good judgement.


Instructions:
1. Make two cuts into your box to chop off one of the short sides. Your box should now open like a trifold. Save this flap.
2. You will make slots and thread the cardboard flap through for structural support. Cut slots near the top of the box on the two side walls.
3. As neatly as you can, grab your reel of aluminum foil. Tape aluminum foil on the two inside side walls of the box.
4. Take off your antennas if they are removable. Make a hole and jam your adapter through, either just the USB bits (easier to get a tight fit) or the whole thing if you need to adjust antenna/reflector distance.
5. Hook the adapter to the USB extension cable.
5. Thread flap through top slots.
6. Hook antennas back up.
7. If you have a two antenna adapter, deploy them completely parallel or in a V shape, see which one works better. You can hang the adapter from flaps, use string, zip ties for tight fit if you think it's necessary. Use MacGyver skills.
Optional (?): Cover the middle panel with aluminum foil, either on the inside or the outside of the box. Try to leave no gaps but it shouldn't matter that much.

Adjustments:
-Connect to the AP and run "watch -n0 iwconfig" in Linux or equivalent stat panel. Steer your antenna towards the AP. Stop steering when bit rate, link quality and signal level look good.
Note: Also try "watch -n0 iw dev wlanX station dump" it has a lot of useful info!
-Indoors = Signals will bounce and make consistent testing difficult. If you do not have direct line of sight sometimes pointing slightly away from the AP works better.
-Beamforming may affect results
-Making the side walls bigger will improve gain with diminishing returns
-My (v1) reflector is probably incomplete since I don't have any foil in the middle. I don't know if putting it that close to the adapter causes interference, will test later.

References:
http://www.freeantennas.com/projects/Ez-10/
https://en.wikipedia.org/wiki/Corner_reflector_antenna

Edit: Added picture of a v2 I made. I did not chop off the flaps so the box is taller and I added foil to the middle section. I've slightly updated the instructions to make them simpler.

"The spacing of the rods D should not be more than 0.06 (6%) of the wavelength." -Wikipedia

I'm not sure if that instruction is properly cited but it would suggest you want continuous foil if possible with no gaps. The wavelength of 2.4 GHz is about 12 cm and 5 GHz is about 6 cm. 6% of those lengths is extraordinarily tiny.

v2 achieved best performance with the antennas deployed parallel, while v1 seemed to like the V pattern. In terms of performance both reflectors work, I didn't compare them very hard. Someone more knowledgeable should chime in.

Edit 2: Tips from an antenna design book I couldn't completely verify:
-The angle of the reflector should vaguely be 90 degrees. A more narrow corner supposedly improves gain and directivity but may require larger side walls. I experimented but couldn't come up with a good conclusion. Since this contraption is kind of flimsy I found the 90 degree angle to cause least problems.

-The antenna(s)' distance from the reflector's center should be between 25% and 75% of the intended wavelength, with a suggested value of 50%. So in theory:
2.4 GHz: antennas ~6.2455 cm from center
5 GHz: antennas ~2.998 cm from center

This does seem to matter somewhat and could explain why I found differences from arranging the antennas full parallel vs V pattern. But even if your antennas are really far away you still get some gain. I recommend sliding your USB adapter around to see what works. Try your luck getting good clearance with your MacGyver skills.
Attachments
reflectorv2.jpg
reflectorv2.jpg (154.53 KiB) Viewed 20156 times
reflector.jpg
reflector.jpg (80.23 KiB) Viewed 21717 times
Last edited by SkywardLark on Mon Nov 15, 2021 4:57 am, edited 24 times in total.
Image
I did some internet digging. I managed to find a real commercial product that uses the same trifold reflector idea along with dimensions and photos from a guy called SkootS :lol:

It is called the Hawking Tech "HAI15SC 2.4GHz Hi-Gain Wireless Corner Antenna." The claimed rating is 15 dBi. The product has a 5 dBi dipole encased in plastic and a trifold corner reflector made of aluminum. They probably assumed the reflector was 10 dBi and did funky math. Seems like retail price was around $30. Well now you know, if you don't mind a flimsy product you can just build it yourself.

https://web.archive.org/web/20211023100 ... fi-ant.php
(Scroll down to L. Hawking Tech., 15 dBi. They are using a free web host, I don't want to kill their website)
https://www.hawkingtech.com/product/hai ... -specs_tab

I've attached some of the photos because I think this is hilarious.
wifi-hw-01.jpg
wifi-hw-01.jpg (18.2 KiB) Viewed 20108 times
hawking-hai15sc.gif
hawking-hai15sc.gif (12.95 KiB) Viewed 20108 times
hawking-radiation-pattern-1.gif
hawking-radiation-pattern-1.gif (14.24 KiB) Viewed 20108 times
Last edited by SkywardLark on Mon Oct 25, 2021 12:53 am, edited 1 time in total.
Image

Postby pejacoby » Sat Oct 23, 2021 10:13 pm

My WiFi router sits to one side of my house, on an outside wall, leaking signal into the neighbors lot. Curious how putting one of these behind the router, or each of the four antenna, would boost my signal in the farther areas of the house.

Next Amazon box I receive might just have to launch a few experiments...
Image
I think putting a small reflector behind each antenna would look the least ugly. It's also what the Ez-10 guide shows on the website. You might get away with taping foil to the wall if the router is next to it.

Made a v3 for another adapter, an old 802.11b/g ALFA AWUS036H. I had a feeling old faithful would get good results. :wink: Single antenna design so no need to mount inside reflector. I eyeballed where everything should've been. You can probably ignore the min signal reading it's always bad when the adapter starts up. ~20dBm difference in software but this chipset is old so take these readings with a grain of salt.

Alfa w/ only 9dBi antenna, AP nearby in unknown location:
Latest Signal -58 dbm
Min. Signal -71 dbm
Max. Signal -48 dbm


Alfa w/ 9 dBi antenna + reflector steered vaguely in the right direction:
Latest Signal -38 dbm
Min. Signal -74 dbm
Max. Signal -30 dbm


Alfa w/ 9dBi antenna + reflector perfectly steered. AP a few meters away, same room. No before photo but signal was between -10 and -20 dBm
AF.jpg
AF.jpg (57.66 KiB) Viewed 20033 times
Reflector: USPS 1095 almost entirely clad in foil with only a tiny gap near the top for slots/flaps

AWUS036H:
TX Power: :?
Antenna: Ridiculously tall 2.4 GHz tuned dipole, probably rated 7-9 dBi. I don't remember where I got this.
Stats: Kismet

Research topics:
-Apparently grounding the reflector can improve gain. For something this MacGyvered maybe you'd alligator clip the RP-SMA connector to a part of the reflector. If you're using a USB adapter that probably leads to ground.
-How important is the thickness of the material? Would foiling the other side help? I noticed when you use this setup with the adapter in AP mode it's still possible to get a weak signal directly behind the reflector. I'm sure some of it is due to signal bounce but I'm not entirely convinced. I think some of the signal is wasted going through the single layer of foil.
Image
Reflector works alright for 5 GHz connections too. Not a huge difference in usability for this test since the test AP is easily reachable without it (~15m distance.) I used two mostly similar adapters so I wouldn't need to re-point the reflector afterwards. :lol:

Terow AC1200M (no reflector)
BSS -- associated
freq: 5805
signal: -64 [-66, -64] dBm
signal avg: -63 [-66, -63] dBm
beacon signal avg: -62 dBm
tx bitrate: 390.0 MBit/s VHT-MCS 4 80MHz short GI VHT-NSS 2
rx bitrate: 390.0 MBit/s VHT-MCS 4 80MHz short GI VHT-NSS 2
expected throughput: 61.980Mbps

Hosted by...: 25.241 ms
Download: 125.43 Mbit/s
Upload: 96.17 Mbit/s

PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=8.29 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=9.76 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=59 time=14.5 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=59 time=6.95 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=59 time=5.00 ms

Alfa AWUS036ACM (reflector)
BSS -- associated
freq: 5805
signal: -57 [-61, -57] dBm
signal avg: -56 [-59, -56] dBm
beacon signal avg: -55 dBm
tx bitrate: 780.0 MBit/s VHT-MCS 8 80MHz short GI VHT-NSS 2
rx bitrate: 585.0 MBit/s VHT-MCS 7 80MHz VHT-NSS 2
expected throughput: 68.389Mbps

Hosted by...: 26.488 ms
Download: 143.72 Mbit/s
Upload: 131.18 Mbit/s

PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=7.26 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=8.50 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=59 time=10.3 ms
64 bytes from 1.1.1.1: icmp_seq=4 ttl=59 time=9.73 ms
64 bytes from 1.1.1.1: icmp_seq=5 ttl=59 time=9.06 ms
Image

5 posts • Page 1 of 1

Return to “Net Hugging Hardware and Software”

Who is online

Users browsing this forum: No registered users and 5 guests