Linux Terminal

Making a Homepass out of a Cisco WAP4410n

My kids got Nintendo 3DS’s for Christmas last year.  It’s a fun little game unit.  One of the features on it is called Streetpass.  Essentially (once you turn it on) you put it in your pocket and if you pass by someone on the street with a 3DS you swap character information.  Nintendo calls them Miis.  You get to play a few mini games with the miis you collect. Other games as well use the streetpass feature to build extra playability into their games.

Certain businesses around the world take part in what’s called Spotpass, (CORRECTION: This is a streetpass relay, spotpass gives you a blue light rather than green) which for my purpose is a stationary streetpass, it stores the Miis of the the last ten or so passers by and when you come along shares them with you, adding yours to the que as it does so.

But I’m rural – which means aside from a trip to the not so huge city 1/2 hour north of me the chances of a street/spotpass are almost nil.  I’m not about to drive an hour round trip just to get a signal, but I do like to play with computer hardware. This presented itself to me as a mountain to climb.

Enter the homepass. 

I stumbled onto the idea of the homepass on Reddit. That thread pointed to two other threads on GBAtemp which I quickly devoured the essence of.

Using a list of known hardware MAC addresses you could script out a rotation on your own computer or if you have the right kind of router and make your own streetpass/spotpass at home = homepass.

One guy even went so far as to design one using a raspberry pi. He dubbed it the Spillpass-pi. But I’m not about to do that when I can use my existing equipment.

What to do?   Well over in the corner sits an underused Cisco WAP4410n.

I logged onto the web interface and found that it had SSH connectivity. This definitely makes hacking around easier.  Then I started poking around in the config files to find out what is happening. I eventually came up with a shell script that will rotate between about fifty different MAC addresses in various time increments.

Technical difficulties. 

Along the way I had to solve several difficulties. This is part of what makes poking around on these kinds of projects fun for me, every puzzle seems insurmountable until you carefully figure out a solution.  Sometimes the solutions are elegant, sometimes they are brute force.  My final solution is a bit of each.


Limited commands of embedded Linux

Building the script was difficult because of the limitations of an embedded linux. Several of the commands I wanted, didn’t exist in the limited busybox they installed. On top of that the wifi is virtualized, running as a layer on top of the single wifi card, that enables mutiple SSID’s (and vlan isolation) on a single cheap unit but it also made me scratch my head for quite some time.

I finally figured out the problem. If I brought down just the wifi0 interface it was destabilizing the WIFI card and terminating the signal.  I had to go a layer deeper – down to the bridge level. Then I could bring the bridge down, change the mac, bring the bridge back up and restart the wifi signal.

The end result looks like this: Note that comments are preceded by the octothorp (#)

# First bring down the wireless lan
# This closes down the virtual wifi (wifi0) and the actual wireless card (ath00)
rc wlan stop
# Then bring down the bridge interface (br0)
ifconfig br0 down
#Then reassign the MAC address, more on this below.
ifconfig br0 hw ether 4E:53:50:4F:4F:40
#bring the bridge back up and restart the wireless lan.
ifconfig br0 up
rc wlan start
# Now you want a delay between the next cycle.
# The timeout command doesn't exist on this embedded linux
# so sleep for N seconds because that is the only integer recognized on this limited sleep command.
sleep 1200 # twenty minutes

Weird math

Something about the WAP’s internals puzzled me for a long time, I can’t just bring down wifi0 (the virtual wifi), I can’t just bring down ath00 (the actual card). I have to bring them both down, and then write the new MAC.  But I can’t write the new MAC to ath00, I have to write it to the bridge. When i do that both ath00 and wifi0 come back with the same MAC +1 octet.  In the example above I reset the MAC to 4E:53:50:4F:4F:40  That brings wifi0 and ath00 to 4E:53:50:4F:4F:41 (note the last numbers.)

So if I want to assign wifi0 with 40 I have to back up one.  Since this is hexadecimal, the number just before 40 is not 39, it’s 3F.  That means I had to take the list of MAC addresses and subtract 1 from each one I wanted to use, hence my example above becomes 4E:53:50:4F:4F:3F in order to bring the wifi MAC to 4E:53:50:4F:4F:40.


The WAP mounts the /var or /tmp directories in ram as read/write.  The flash is of course read only.

That means every time the power goes out (I did mention I was rural) the WAP gets reset and the script is lost.  So I have to keep a copy on my desktop for repeated applications.  I may try to recompile the firmare another time in order to make it permanent, but for now I’m just happy it works.

No wget

The wap only has an ftpget agent from a very limited busybox install. I would love to recompile with a complete and current busybox, but I’m not going to investigate space limitations for now.  I suppose you can use ftpget to snag the file if you want, but I just copy and paste into an SSH term to make it happen.

My own limitations

I’m not a programmer.  My linux foo is not amazing. I write poor bash scripts.  In the example I’ll attach you’ll see that I literally wrote the command fifty+ times. A good programmer would write it once with a variable and shove all the MAC’s into a pool from which it would draw. I am not a good programmer. Feel free to improve my script and teach me a lesson, my feelings won’t be hurt!


All of that said, I did it.  I got the script working and right now It’s pulling in streetpasses from all over the world. It was a fun little project and helped to pull me out of a blue funk, I suspect by flexing a different set of mental muscles than normal.

So how can you benefit? If you have the same wap you can use the attached script to make it happen.

Here are your steps:

  1. SSH into the WAP
  2. cd /tmp
  3. cat >
  4. Now, paste the contents of the entire shell script into the shell.
  5. Close and save the file with CTRL+d
  6. chmod +x /tmp/
  7. /tmp/ &
  8. Now close your session.

The & at the end of the command line instructs the script to fork into the background, this enables you to close the terminal and let it keep running.


Have fun.


Nzone Homepass Script
Nzone Homepass Script
Version: 1
9 KiB