Frequency-resolved link quality (3/3): passive VHT compressed-beamforming report capture — per-tone data for free #151

Description

@josephnef

Why

802.11ac explicit beamforming sounding leaks per-subcarrier channel state onto the air: the beamformee estimates H(k) from an NDP, SVDs it, compresses the steering matrix V(k) into quantized Givens-rotation angles (phi/psi) plus per-tone SNR, and transmits the result as a VHT Compressed Beamforming Action frame (category 21/VHT, action 0). On Jaguar silicon this pipeline is hardware-terminated — our own chip's estimate is unreadable — but any monitor-mode RX we already have can capture the report a third-party beamformee transmits. That frame is genuine per-tone data: no chip feature, no debug port, no wedge risk.

What it gives the adaptive link

  • Per-tone average SNR (the report carries it explicitly per subcarrier group) and per-tone V(k) angles → the frequency-selective shape of someone else's path through the same environment.
  • Useful as an ambient "spectrum weather" source where BF-capable links (MU/SU-BF APs, 11ac wave-2) are active — complements issue 1 (our own coarse map) and issue 2 (our own per-tone, one-shot).
  • Caveats up front: only works while a BF link is sounding nearby; the path measured is theirs, not ours; angles encode relative channel shape, not absolute gain.

Scope

Driver-side this is nearly free — monitor mode already passes management/action frames. The work is a decoder + bench recipe:

  • M1 — decoder tool (tools/bfr_decode.py): parse VHT Compressed Beamforming Action frames from a pcap or from the <devourer-body> stream. Handle the MIMO control field (Nc, Nr, BW, grouping Ng, codebook size), unpack the angle stream, reconstruct V(k), extract per-tone SNR. Output a per-tone heatmap / CSV.
  • M2 — capture check on devourer RX: confirm the frames traverse our RCR filter and arrive intact on 8812AU/8822CU monitor RX (they're plain action frames, but verify no length/subtype filtering bites).
  • M3 — bench generator: a repeatable local source of reports — a BF-capable AP + STA pair (e.g. an 11ac wave-2 AP with SU-BF enabled + any beamformee-capable kernel STA), so validation doesn't depend on neighbourhood traffic.
  • M4 — validation: sanity-check the decoded per-tone SNR shape against a B210 capture of the same environment (coarse correlation, not exact — different path).

References

  • IEEE 802.11-2016 §9.4.1.48 (VHT MIMO Control), §9.4.1.49 (compressed beamforming report field), §19.3.12.3 (Givens decomposition).
  • Prior art: "BFI sensing" literature uses exactly this side channel for passive sensing.

Part 3 of a 3-issue series; part 1 is the narrowband sweep, part 2 is LA-mode IQ capture.
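For the M1 decoder step, a sketch of the first thing such a tool has to get right: decode the VHT MIMO Control field and check the frame length against what that field claims before touching the angle stream, since every byte comes from an untrusted transmitter. This is an added example, not code from this project; `parse_vht_cbf`, `SAMPLE` and the returned keys are names chosen here, and it assumes an unsegmented report with the management header and FCS already stripped.

```python
# Added example (not project code). Tables follow the 802.11ac report layout.
NS = {0: {1: 52, 2: 30, 4: 16}, 1: {1: 108, 2: 58, 4: 30},      # tones reported,
      2: {1: 234, 2: 122, 4: 62}, 3: {1: 468, 2: 244, 4: 124}}  # by [BW][Ng]
ANGLE_BITS = {0: {0: (2, 4), 1: (4, 6)},   # SU: (b_psi, b_phi) by codebook bit
              1: {0: (5, 7), 1: (7, 9)}}   # MU

def parse_vht_cbf(body: bytes) -> dict:
    """body = action frame body (bytes after the 802.11 management header)."""
    if len(body) < 5:
        raise ValueError("truncated before VHT MIMO Control")
    if body[0] != 21 or body[1] != 0:
        raise ValueError("not a VHT Compressed Beamforming frame")
    mc = int.from_bytes(body[2:5], "little")       # 24-bit field, LSB first
    nc, nr = (mc & 0x7) + 1, ((mc >> 3) & 0x7) + 1
    bw, grouping = (mc >> 6) & 0x3, (mc >> 8) & 0x3
    codebook, fb_type = (mc >> 10) & 1, (mc >> 11) & 1
    remaining, first = (mc >> 12) & 0x7, (mc >> 15) & 1
    if grouping == 3:
        raise ValueError("reserved grouping value")
    if nr < 2 or nc > nr:
        raise ValueError(f"implausible dimensions Nr={nr} Nc={nc}")
    if remaining != 0 or first != 1:
        raise ValueError("segmented or report-less feedback; reassemble first")
    ng = 1 << grouping
    b_psi, b_phi = ANGLE_BITS[fb_type][codebook]
    cols = min(nc, nr - 1)             # last column of a square V needs no angles
    na = cols * (2 * nr - cols - 1)    # angles per tone, half phi and half psi
    ns = NS[bw][ng]
    # One 8-bit average SNR per column, then the packed angle stream.
    bits = 8 * nc + ns * (na // 2) * (b_psi + b_phi)
    report_bytes = (bits + 7) // 8
    if len(body) - 5 < report_bytes:
        raise ValueError("frame shorter than its MIMO Control field implies")
    return {"nc": nc, "nr": nr, "bw_mhz": 20 << bw, "ng": ng, "mu": bool(fb_type),
            "b_psi": b_psi, "b_phi": b_phi, "na": na, "ns": ns,
            "token": (mc >> 18) & 0x3F, "report_bytes": report_bytes}

# Constructed sample (not a capture): Nr=2, Nc=1, 80 MHz, Ng=1, SU, codebook 1,
# dialog token 5, followed by an all-zero report of the implied length.
SAMPLE = bytes([21, 0]) + (0x148488).to_bytes(3, "little") + bytes(294)

if __name__ == "__main__":
    print(parse_vht_cbf(SAMPLE))
```

An MU report carries an MU Exclusive Beamforming Report after these bytes, which this length check tolerates but does not size.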
