Why
802.11ac explicit beamforming sounding leaks per-subcarrier channel state onto the air: the beamformee estimates H(k) from an NDP, SVDs it, compresses the steering matrix V(k) into quantized Givens-rotation angles (phi/psi) plus per-tone SNR, and transmits the result as a VHT Compressed Beamforming Action frame (category 21/VHT, action 0). On Jaguar silicon this pipeline is hardware-terminated — our own chip's estimate is unreadable — but any monitor-mode RX we already have can capture the report a third-party beamformee transmits. That frame is genuine per-tone data: no chip feature, no debug port, no wedge risk.
What it gives the adaptive link
- Per-tone average SNR (the report carries it explicitly per subcarrier group) and per-tone V(k) angles → the frequency-selective shape of someone else's path through the same environment.
- Useful as an ambient "spectrum weather" source where BF-capable links (MU/SU-BF APs, 11ac wave-2) are active — complements issue 1 (our own coarse map) and issue 2 (our own per-tone, one-shot).
- Caveats up front: only works while a BF link is sounding nearby; the path measured is theirs, not ours; angles encode relative channel shape, not absolute gain.
Scope
Driver-side this is nearly free — monitor mode already passes management/action frames. The work is a decoder + bench recipe:
- M1 — decoder tool (tools/bfr_decode.py): parse VHT Compressed Beamforming Action frames from a pcap or from the <devourer-body> stream. Handle the MIMO control field (Nc, Nr, BW, grouping Ng, codebook size), unpack the angle stream, reconstruct V(k), extract per-tone SNR. Output a per-tone heatmap / CSV.
- M2 — capture check on devourer RX: confirm the frames traverse our RCR filter and arrive intact on 8812AU/8822CU monitor RX (they're plain action frames, but verify no length/subtype filtering bites).
- M3 — bench generator: a repeatable local source of reports — a BF-capable AP + STA pair (e.g. an 11ac wave-2 AP with SU-BF enabled + any beamformee-capable kernel STA), so validation doesn't depend on neighbourhood traffic.
- M4 — validation: sanity-check the decoded per-tone SNR shape against a B210 capture of the same environment (coarse correlation, not exact — different path).
References
- IEEE 802.11-2016 §9.4.1.48 (VHT MIMO Control), §9.4.1.49 (compressed beamforming report field), §19.3.12.3 (Givens decomposition).
- Prior art: "BFI sensing" literature uses exactly this side channel for passive sensing.
Part 3 of a 3-issue series; part 1 is the narrowband sweep, part 2 is LA-mode IQ capture.
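A starting point for the M1 header parse and the M2 intact-length check, as an added sketch that is not the project's tools/bfr_decode.py. It assumes the input is the action frame body starting at the Category octet (MAC header and FCS already stripped) and an unsegmented report; the function names and the sample frame are constructed for illustration.

```python
import struct

# Subcarriers fed back, indexed [channel width][grouping], per IEEE 802.11-2016.
NS = ((52, 30, 16), (108, 58, 30), (234, 122, 62), (468, 244, 124))
# (b_psi, b_phi) quantization bits, indexed [feedback type SU/MU][codebook bit].
ANGLE_BITS = (((2, 4), (4, 6)), ((5, 7), (7, 9)))

def parse_mimo_control(body: bytes) -> dict:
    """Decode VHT MIMO Control; body starts at the action frame's Category octet."""
    if len(body) < 5 or body[0] != 21 or body[1] != 0:
        raise ValueError("not a VHT Compressed Beamforming action frame")
    ctl = int.from_bytes(body[2:5], "little")
    nc, nr = (ctl & 0x7) + 1, ((ctl >> 3) & 0x7) + 1
    bw, grouping = (ctl >> 6) & 0x3, (ctl >> 8) & 0x3
    if grouping == 3:
        raise ValueError("reserved grouping value")
    b_psi, b_phi = ANGLE_BITS[(ctl >> 11) & 0x1][(ctl >> 10) & 0x1]
    # One phi and one psi per Givens step: 2*(Nr-i) angles for each column i.
    n_angles = sum(2 * (nr - i) for i in range(1, min(nc, nr - 1) + 1))
    ns = NS[bw][grouping]
    return {
        "nc": nc, "nr": nr, "bw_mhz": 20 << bw, "ng": 1 << grouping,
        "b_phi": b_phi, "b_psi": b_psi, "n_angles": n_angles, "ns": ns,
        "remaining_segments": (ctl >> 12) & 0x7, "first_segment": (ctl >> 15) & 0x1,
        "dialog_token": (ctl >> 18) & 0x3F,
        # Nc average-SNR octets, then ns tones of n_angles quantized angles.
        "report_bits": 8 * nc + ns * (n_angles // 2) * (b_phi + b_psi),
    }

def avg_snr_db(body: bytes) -> list:
    """Average SNR octets are signed, 0.25 dB steps centred on 22 dB."""
    nc = parse_mimo_control(body)["nc"]
    return [22 + 0.25 * v for v in struct.unpack(f"{nc}b", body[5:5 + nc])]

def missing_bytes(body: bytes) -> int:
    """Bytes short of a complete, unsegmented report (0 means intact)."""
    info = parse_mimo_control(body)
    return max(0, 5 + (info["report_bits"] + 7) // 8 - len(body))

# Constructed sample: SU, Nc=1, Nr=2, 80 MHz, Ng=4, codebook 1, token 5.
SAMPLE = bytes([21, 0]) + (0x148688).to_bytes(3, "little") + bytes([0x28]) + bytes(78)

if __name__ == "__main__":
    print(parse_mimo_control(SAMPLE), avg_snr_db(SAMPLE), missing_bytes(SAMPLE))
```

A non-zero `missing_bytes` on frames where `remaining_segments` is 0 and `first_segment` is 1 points at truncation somewhere in the RX path; MU feedback frames run longer than `report_bits` because the MU Exclusive Beamforming Report follows.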