
6 months ago or so, I thought the easiest and quickest way to realize a cheap and decent quality digital video link was to use the widely available wifi chipsets.

Of course, using wifi does not mean using the wifi protocol. The idea here is to set the chipsets up in raw mode and push our own protocol over them.

Not only does this allow a much higher throughput (nearly the full link’s speed, so 50Mbits at 54Mbit sync is achievable), but also a much higher point-to-point reliability for video and audio protocols.

ACK (acknowledgement) packets are not necessary, and the whole stack of protocol overhead is gone anyway, including IP.

The idea

You can easily do this using the wifi drivers’ injection support in Linux. A very well known chipset for this is the 8187L from Realtek; it even supports diversity. That’s very fine on the transmitter side, but unfortunately it does not live up to either hype or specs on the receiver side. Instead, after extensive testing I have found the Ralink 2870 to nearly match its sensitivity specs, which gives twice the range the Realtek could provide.

With simple 5 dBi antennas, at 100mW I’m easily getting a signal behind a few 10-story buildings and a few hundred meters. The equivalent regular wifi signal is long gone at this range.

Using a small yagi antenna on the receiving side and no objects in the way, I’m getting the excellent range of 20 km in the air while retaining enough bandwidth for a HD video signal.

On the software side, regular data can be transmitted; however, it’s a lot better for audio or video, where frames can be transmitted with errors and often display fine or have noticeable artifacts. Fortunately, most wifi drivers actually let you turn off CRC checks so that incorrect frames are not discarded. Usage of x264 in ultra low latency mode is recommended.

Unfortunately, the chipsets usually accept only packets that look like wifi packets, so we retain an overhead of a few bytes to make packets appear as NULL DATA wifi packets. All the information fields (MAC addresses, etc.) are overwritten by our own protocol data.
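The framing described above, as an added example that is not the author's code: a 24-byte 802.11 NULL DATA header whose address bytes carry link data, plus a receiver-side parser that distrusts every field because frames arrive with CRC checks off. The magic value, the field layout inside the address bytes and the `link_*` names are assumptions made for illustration; injection itself is left out.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HDR_LEN      24      /* frame control, duration, 3 addresses, seq ctrl */
#define FC_NULL_DATA 0x48    /* version 0, type 2 (data), subtype 4 (null data) */
#define LINK_MAGIC   0xA55Au /* assumed marker identifying our own frames */

/* Assumed layout inside the 18 address bytes (offsets 4..21), big-endian:
 * magic(2) | seq(4) | payload_len(2) | 10 bytes unused. */
struct link_hdr { uint32_t seq; uint16_t payload_len; };

/* Build header + payload into out. Returns total length, or 0 if it does not fit. */
size_t link_build(uint8_t *out, size_t cap, uint32_t seq,
                  const uint8_t *payload, uint16_t len)
{
    if (cap < HDR_LEN || cap - HDR_LEN < len) return 0;
    memset(out, 0, HDR_LEN);
    out[0] = FC_NULL_DATA;                  /* second frame control byte stays 0 */
    out[4] = (uint8_t)(LINK_MAGIC >> 8);
    out[5] = (uint8_t)(LINK_MAGIC & 0xFF);
    out[6] = (uint8_t)(seq >> 24);
    out[7] = (uint8_t)(seq >> 16);
    out[8] = (uint8_t)(seq >> 8);
    out[9] = (uint8_t)seq;
    out[10] = (uint8_t)(len >> 8);
    out[11] = (uint8_t)(len & 0xFF);
    memcpy(out + HDR_LEN, payload, len);
    return HDR_LEN + (size_t)len;
}

/* Parse a received frame. Returns 0 on success, -1 if it is not ours or its
 * header is damaged. Payload bit errors are tolerated; header errors are not. */
int link_parse(const uint8_t *frame, size_t n, struct link_hdr *h,
               const uint8_t **payload)
{
    if (n < HDR_LEN) return -1;
    if (frame[0] != FC_NULL_DATA) return -1;
    if (((frame[4] << 8) | frame[5]) != LINK_MAGIC) return -1;
    h->seq = ((uint32_t)frame[6] << 24) | ((uint32_t)frame[7] << 16) |
             ((uint32_t)frame[8] << 8) | (uint32_t)frame[9];
    h->payload_len = (uint16_t)((frame[10] << 8) | frame[11]);
    /* A bit error in the length field must not become an out-of-bounds read. */
    if (h->payload_len > n - HDR_LEN) return -1;
    *payload = frame + HDR_LEN;
    return 0;
}
```

A frame with a flipped payload bit still parses and can be handed to the decoder, while a corrupted length or magic is dropped before any payload byte is read.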

Libraries to achieve this are osdep, from the excellent Aircrack-ng project, and Lorcon, from a Kismet programmer.

I have been using osdep as it was a lot simpler to hack through, although Lorcon seems more polished and solves a few issues that I had to work around manually in osdep.

Source code

Soon enough ;)