Mustek S400W iScan Air Wifi How-To

I am running debian. So apt-get will appear in this document. Your mileage may vary. Resoures used:



If your board has an internal free PCIe or mini-PCIe slot, you can us this, otherwise just get a cheap wlan stick. In any case you'll need 802.11n, WPA2 capability, and linux support.


Avoid endless waiting at boot:
mkdir /etc/systemd/system/networking.service.d
edit /etc/systemd/system/networking.service.d/reduce-timeout.conf
[Service] TimeoutStartSec=60 # or 30

DHCP is necessary so if you don't have one: apt-get install dhclient
/etc/dhcp/dhclient.conf should not have interface entries if you can avoid it (they will be renewed when our wlan connects, not really problem, just annoying).

If you have dhcp running with a router and you have no resolvconf package installed, you might want to protected /etc/resolv.conf:
chmod +i /etc/resolv.conf
If your dhcp client can be configured to not overwrite it, then you don't need it.

If you have or want (apt-get install resolvconf) to use resolvconf:
edit /etc/resolvconf/interface-order
and make sure that wlan entries comes after eth.
(If you have a bridge setup, e.g. you have more than ethernet port and use it as switch, don't forget to add a br* wildcard).

Connecting to the scanner with wpa_supplicant

Ok, dhcp and resolving is set up, lets get started with wpa!

What we want is to detect a turned on scanner within 30 seconds and if it is turned off, notice that fairly quickly, too. So that interfaces and dhcp leases can be removed (dhcp lease time is rather big, but needs to be redone every time we connect to the scanner). The older tutorial did this all by hand, but debian has support for this built in (and probably most other distro): wifi roaming! I'll append the old script at the end, but it never worked as well as the inbuilt stuff.

Note: This documentation assumes our wlan is wlan0

Roaming wpa_supplicant.conf

Create /etc/wpa_supplicant/wpa_supplicant.conf if not already there, and edit it.
Alter the ssid to match your DIRECT-<6 digits>-<AirCopy|iScanAir|etc> and set the correct country:

# "roaming" config for mustek s400w scanner update_config=1 ctrl_interface=DIR=/run/wpa_supplicant GROUP=netdev country=DE fast_reauth=1 eapol_version=1 ap_scan=1 filter_ssids=1 autoscan=periodic:30 network={ id_str="s400w" ssid="DIRECT-ABCDEF_AirCopy" proto=WPA2 psk="12345678" ap_max_inactivity=20 key_mgmt=WPA-PSK pairwise=CCMP group=CCMP #disabled=1 }

Protect it: chmod 0600 /etc/wpa_supplicant/wpa_supplicant.conf


edit /etc/network/interfaces and add the following (choose the right driver):

allow-hotplug wlan0 iface wlan0 inet manual wpa-driver nl80211,wext wpa-roam /etc/wpa_supplicant/wpa_supplicant.conf iface s400w inet dhcp

Protect it: chmod 0600 /etc/network/interfaces

restart networking and ifup / down wlan0, maybe reboot:
ifdown wlan0 /etc/init.d/networking restart ifup wlan0


Problem 1: wlan0 must not overwrite our default route.
A solution for dhclient is to create a file in /etc/dhcp/dhclient-enter-hooks.d:
edit /etc/dhcp/dhclient-enter-hooks.d/s400w:

#!/bin/sh ## prevent DHCP server on wlan0 from forcing a default route on us case "${reason}.${interface}" in RENEW.wlan0|BOUND.wlan0) ip route delete default via $new_routers #new_routers = "" ;; *) ;; esac

chmod 0644 /etc/dhcp/dhclient-enter-hooks.d/s400w


Problem 2: if somebody fakes being the scanner, the system will happily connect to it and make it vulnerable. If you don't have a firewall already, you can use:

iptables -o wlan0 -A OUTPUT -p all -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT iptables -i wlan0 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT iptables -i wlan0 -A INPUT -m conntrack --ctstate INVALID -j DROP iptables -i wlan0 -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable iptables -i wlan0 -A INPUT -p tcp -j REJECT --reject-with tcp-reset iptables -i wlan0 -A INPUT -j REJECT --reject-with icmp-proto-unreachable

Save it: iptables-save >/etc/iptables.s400w.rules

edit /etc/rc.local and add

/sbin/iptables-restore < /etc/iptables.s400w.rules

Old stuff

We assume our wlan is wlan0.

edit /etc/network/interfaces, add and edit the ssid to match your DIRECT-<6 digits>-<AirCopy|iScanAir|etc>:

auto wlan0 allow-hotplug wlan0 iface wlan0 inet static address network netmask broadcast wpa-ssid DIRECT-ABCDEF_AirCopy wpa-psk "12345678"

Those static values are dummies, but dhcp will not be able to overwrite them, so they must match dhcp response (should, if no other client is connected to the scanner, sometimes will appear, then we are in trouble)

Protect it: chmod 600 /etc/network/interfaces

Now we need to start dhclient for wlan0 on connect and kill it on disconnect.

Create file /etc/dhcp/ #!/bin/bash PID=/var/run/dhclient.$ LEASES=/var/lib/dhcp/dhclient.$1.leases logger -s -p -t $1 $2 case "$1.$2" in wlan0.CONNECTED ) if [ -f $PID ]; then kill `cat $PID`; fi rm $LEASES dhclient -v -pf $PID -lf $LEASES $1 ;; wlan0.DISCONNECTED ) if [ -f $PID ]; then kill `cat $PID`; fi rm $LEASES ;; * ) echo called with $1.$2 ;; esac

Make it executable? chmod 755 /etc/dhcp/

Edit your /etc/rc.local and add near the end before exit 0: wpa_cli -B -a /etc/dhcp/

Now wpa_supplicant will start / kill dhclient for wlan0


wpa_supplicant will exit if you ifdown wlan0. Don't down it. Or wrap the supplicant call into a loop.

You might want to install iptables and block any incomming traffic from wlan0 that is not a response to outgoing traffic. This will block attacks with spoofed AP using the SSID and well known password!